bundle.yaml 1.8 MB

78778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927
79278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977
79778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211
02221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211
06221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211
10221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211
14221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211
18221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211
22221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211
26221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211
30221302313024130251302613027130281302913030130311303213033130341303513036130371303813039130401304113042130431304413045130461304713048130491305013051130521305313054130551305613057130581305913060130611306213063130641306513066130671306813069130701307113072130731307413075130761307713078130791308013081130821308313084130851308613087130881308913090130911309213093130941309513096130971309813099131001310113102131031310413105131061310713108131091311013111131121311313114131151311613117131181311913120131211312213123131241312513126131271312813129131301313113132131331313413135131361313713138131391314013141131421314313144131451314613147131481314913150131511315213153131541315513156131571315813159131601316113162131631316413165131661316713168131691317013171131721317313174131751317613177131781317913180131811318213183131841318513186131871318813189131901319113192131931319413195131961319713198131991320013201132021320313204132051320613207132081320913210132111321213213132141321513216132171321813219132201322113222132231322413225132261322713228132291323013231132321323313234132351323613237132381323913240132411324213243132441324513246132471324813249132501325113252132531325413255132561325713258132591326013261132621326313264132651326613267132681326913270132711327213273132741327513276132771327813279132801328113282132831328413285132861328713288132891329013291132921329313294132951329613297132981329913300133011330213303133041330513306133071330813309133101331113312133131331413315133161331713318133191332013321133221332313324133251332613327133281332913330133311333213333133341333513336133371333813339133401334113342133431334413345133461334713348133491335013351133521335313354133551335613357133581335913360133611336213363133641336513366133671336813369133701337113372133731337413375133761337713378133791338013381133821338313384133851338613387133881338913390133911339213393133941339513396133971339813399134001340113402134031340413405134061340713408134091341013411134121341313414134151341613417134181341913420134211
34221342313424134251342613427134281342913430134311343213433134341343513436134371343813439134401344113442134431344413445134461344713448134491345013451134521345313454134551345613457134581345913460134611346213463134641346513466134671346813469134701347113472134731347413475134761347713478134791348013481134821348313484134851348613487134881348913490134911349213493134941349513496134971349813499135001350113502135031350413505135061350713508135091351013511135121351313514135151351613517135181351913520135211352213523135241352513526135271352813529135301353113532135331353413535135361353713538135391354013541135421354313544135451354613547135481354913550135511355213553135541355513556135571355813559135601356113562135631356413565135661356713568135691357013571135721357313574135751357613577135781357913580135811358213583135841358513586135871358813589135901359113592135931359413595135961359713598135991360013601136021360313604136051360613607136081360913610136111361213613136141361513616136171361813619136201362113622136231362413625136261362713628136291363013631136321363313634136351363613637136381363913640136411364213643136441364513646136471364813649136501365113652136531365413655136561365713658136591366013661136621366313664136651366613667136681366913670136711367213673136741367513676136771367813679136801368113682136831368413685136861368713688136891369013691136921369313694136951369613697136981369913700137011370213703137041370513706137071370813709137101371113712137131371413715137161371713718137191372013721137221372313724137251372613727137281372913730137311373213733137341373513736137371373813739137401374113742137431374413745137461374713748137491375013751137521375313754137551375613757137581375913760137611376213763137641376513766137671376813769137701377113772137731377413775137761377713778137791378013781137821378313784137851378613787137881378913790137911379213793137941379513796137971379813799138001380113802138031380413805138061380713808138091381013811138121381313814138151381613817138181381913820138211
38221382313824138251382613827138281382913830138311383213833138341383513836138371383813839138401384113842138431384413845138461384713848138491385013851138521385313854138551385613857138581385913860138611386213863138641386513866138671386813869138701387113872138731387413875138761387713878138791388013881138821388313884138851388613887138881388913890138911389213893138941389513896138971389813899139001390113902139031390413905139061390713908139091391013911139121391313914139151391613917139181391913920139211392213923139241392513926139271392813929139301393113932139331393413935139361393713938139391394013941139421394313944139451394613947139481394913950139511395213953139541395513956139571395813959139601396113962139631396413965139661396713968139691397013971139721397313974139751397613977139781397913980139811398213983139841398513986139871398813989139901399113992139931399413995139961399713998139991400014001140021400314004140051400614007140081400914010140111401214013140141401514016140171401814019140201402114022140231402414025140261402714028140291403014031140321403314034140351403614037140381403914040140411404214043140441404514046140471404814049140501405114052140531405414055140561405714058140591406014061140621406314064140651406614067140681406914070140711407214073140741407514076140771407814079140801408114082140831408414085140861408714088140891409014091140921409314094140951409614097140981409914100141011410214103141041410514106141071410814109141101411114112141131411414115141161411714118141191412014121141221412314124141251412614127141281412914130141311413214133141341413514136141371413814139141401414114142141431414414145141461414714148141491415014151141521415314154141551415614157141581415914160141611416214163141641416514166141671416814169141701417114172141731417414175141761417714178141791418014181141821418314184141851418614187141881418914190141911419214193141941419514196141971419814199142001420114202142031420414205142061420714208142091421014211142121421314214142151421614217142181421914220142211
42221422314224142251422614227142281422914230142311423214233142341423514236142371423814239142401424114242142431424414245142461424714248142491425014251142521425314254142551425614257142581425914260142611426214263142641426514266142671426814269142701427114272142731427414275142761427714278142791428014281142821428314284142851428614287142881428914290142911429214293142941429514296142971429814299143001430114302143031430414305143061430714308143091431014311143121431314314143151431614317143181431914320143211432214323143241432514326143271432814329143301433114332143331433414335143361433714338143391434014341143421434314344143451434614347143481434914350143511435214353143541435514356143571435814359143601436114362143631436414365143661436714368143691437014371143721437314374143751437614377143781437914380143811438214383143841438514386143871438814389143901439114392143931439414395143961439714398143991440014401144021440314404144051440614407144081440914410144111441214413144141441514416144171441814419144201442114422144231442414425144261442714428144291443014431144321443314434144351443614437144381443914440144411444214443144441444514446144471444814449144501445114452144531445414455144561445714458144591446014461144621446314464144651446614467144681446914470144711447214473144741447514476144771447814479144801448114482144831448414485144861448714488144891449014491144921449314494144951449614497144981449914500145011450214503145041450514506145071450814509145101451114512145131451414515145161451714518145191452014521145221452314524145251452614527145281452914530145311453214533145341453514536145371453814539145401454114542145431454414545145461454714548145491455014551145521455314554145551455614557145581455914560145611456214563145641456514566145671456814569145701457114572145731457414575145761457714578145791458014581145821458314584145851458614587145881458914590145911459214593145941459514596145971459814599146001460114602146031460414605146061460714608146091461014611146121461314614146151461614617146181461914620146211
46221462314624146251462614627146281462914630146311463214633146341463514636146371463814639146401464114642146431464414645146461464714648146491465014651146521465314654146551465614657146581465914660146611466214663146641466514666146671466814669146701467114672146731467414675146761467714678146791468014681146821468314684146851468614687146881468914690146911469214693146941469514696146971469814699147001470114702147031470414705147061470714708147091471014711147121471314714147151471614717147181471914720147211472214723147241472514726147271472814729147301473114732147331473414735147361473714738147391474014741147421474314744147451474614747147481474914750147511475214753147541475514756147571475814759147601476114762147631476414765147661476714768147691477014771147721477314774147751477614777147781477914780147811478214783147841478514786147871478814789147901479114792147931479414795147961479714798147991480014801148021480314804148051480614807148081480914810148111481214813148141481514816148171481814819148201482114822148231482414825148261482714828148291483014831148321483314834148351483614837148381483914840148411484214843148441484514846148471484814849148501485114852148531485414855148561485714858148591486014861148621486314864148651486614867148681486914870148711487214873148741487514876148771487814879148801488114882148831488414885148861488714888148891489014891148921489314894148951489614897148981489914900149011490214903149041490514906149071490814909149101491114912149131491414915149161491714918149191492014921149221492314924149251492614927149281492914930149311493214933149341493514936149371493814939149401494114942149431494414945149461494714948149491495014951149521495314954149551495614957149581495914960149611496214963149641496514966149671496814969149701497114972149731497414975149761497714978149791498014981149821498314984149851498614987149881498914990149911499214993149941499514996149971499814999150001500115002150031500415005150061500715008150091501015011150121501315014150151501615017150181501915020150211
50221502315024150251502615027150281502915030150311503215033150341503515036150371503815039150401504115042150431504415045150461504715048150491505015051150521505315054150551505615057150581505915060150611506215063150641506515066150671506815069150701507115072150731507415075150761507715078150791508015081150821508315084150851508615087150881508915090150911509215093150941509515096150971509815099151001510115102151031510415105151061510715108151091511015111151121511315114151151511615117151181511915120151211512215123151241512515126151271512815129151301513115132151331513415135151361513715138151391514015141151421514315144151451514615147151481514915150151511515215153151541515515156151571515815159151601516115162151631516415165151661516715168151691517015171151721517315174151751517615177151781517915180151811518215183151841518515186151871518815189151901519115192151931519415195151961519715198151991520015201152021520315204152051520615207152081520915210152111521215213152141521515216152171521815219152201522115222152231522415225152261522715228152291523015231152321523315234152351523615237152381523915240152411524215243152441524515246152471524815249152501525115252152531525415255152561525715258152591526015261152621526315264152651526615267152681526915270152711527215273152741527515276152771527815279152801528115282152831528415285152861528715288152891529015291152921529315294152951529615297152981529915300153011530215303153041530515306153071530815309153101531115312153131531415315153161531715318153191532015321153221532315324153251532615327153281532915330153311533215333153341533515336153371533815339153401534115342153431534415345153461534715348153491535015351153521535315354153551535615357153581535915360153611536215363153641536515366153671536815369153701537115372153731537415375153761537715378153791538015381153821538315384153851538615387153881538915390153911539215393153941539515396153971539815399154001540115402154031540415405154061540715408154091541015411154121541315414154151541615417154181541915420154211
54221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211
58221582315824158251582615827158281582915830158311583215833158341583515836158371583815839158401584115842158431584415845158461584715848158491585015851158521585315854158551585615857158581585915860158611586215863158641586515866158671586815869158701587115872158731587415875158761587715878158791588015881158821588315884158851588615887158881588915890158911589215893158941589515896158971589815899159001590115902159031590415905159061590715908159091591015911159121591315914159151591615917159181591915920159211592215923159241592515926159271592815929159301593115932159331593415935159361593715938159391594015941159421594315944159451594615947159481594915950159511595215953159541595515956159571595815959159601596115962159631596415965159661596715968159691597015971159721597315974159751597615977159781597915980159811598215983159841598515986159871598815989159901599115992159931599415995159961599715998159991600016001160021600316004160051600616007160081600916010160111601216013160141601516016160171601816019160201602116022160231602416025160261602716028160291603016031160321603316034160351603616037160381603916040160411604216043160441604516046160471604816049160501605116052160531605416055160561605716058160591606016061160621606316064160651606616067160681606916070160711607216073160741607516076160771607816079160801608116082160831608416085160861608716088160891609016091160921609316094160951609616097160981609916100161011610216103161041610516106161071610816109161101611116112161131611416115161161611716118161191612016121161221612316124161251612616127161281612916130161311613216133161341613516136161371613816139161401614116142161431614416145161461614716148161491615016151161521615316154161551615616157161581615916160161611616216163161641616516166161671616816169161701617116172161731617416175161761617716178161791618016181161821618316184161851618616187161881618916190161911619216193161941619516196161971619816199162001620116202162031620416205162061620716208162091621016211162121621316214162151621616217162181621916220162211
62221622316224162251622616227162281622916230162311623216233162341623516236162371623816239162401624116242162431624416245162461624716248162491625016251162521625316254162551625616257162581625916260162611626216263162641626516266162671626816269162701627116272162731627416275162761627716278162791628016281162821628316284162851628616287162881628916290162911629216293162941629516296162971629816299163001630116302163031630416305163061630716308163091631016311163121631316314163151631616317163181631916320163211632216323163241632516326163271632816329163301633116332163331633416335163361633716338163391634016341163421634316344163451634616347163481634916350163511635216353163541635516356163571635816359163601636116362163631636416365163661636716368163691637016371163721637316374163751637616377163781637916380163811638216383163841638516386163871638816389163901639116392163931639416395163961639716398163991640016401164021640316404164051640616407164081640916410164111641216413164141641516416164171641816419164201642116422164231642416425164261642716428164291643016431164321643316434164351643616437164381643916440164411644216443164441644516446164471644816449164501645116452164531645416455164561645716458164591646016461164621646316464164651646616467164681646916470164711647216473164741647516476164771647816479164801648116482164831648416485164861648716488164891649016491164921649316494164951649616497164981649916500165011650216503165041650516506165071650816509165101651116512165131651416515165161651716518165191652016521165221652316524165251652616527165281652916530165311653216533165341653516536165371653816539165401654116542165431654416545165461654716548165491655016551165521655316554165551655616557165581655916560165611656216563165641656516566165671656816569165701657116572165731657416575165761657716578165791658016581165821658316584165851658616587165881658916590165911659216593165941659516596165971659816599166001660116602166031660416605166061660716608166091661016611166121661316614166151661616617166181661916620166211
66221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211
70221702317024170251702617027170281702917030170311703217033170341703517036170371703817039170401704117042170431704417045170461704717048170491705017051170521705317054170551705617057170581705917060170611706217063170641706517066170671706817069170701707117072170731707417075170761707717078170791708017081170821708317084170851708617087170881708917090170911709217093170941709517096170971709817099171001710117102171031710417105171061710717108171091711017111171121711317114171151711617117171181711917120171211712217123171241712517126171271712817129171301713117132171331713417135171361713717138171391714017141171421714317144171451714617147171481714917150171511715217153171541715517156171571715817159171601716117162171631716417165171661716717168171691717017171171721717317174171751717617177171781717917180171811718217183171841718517186171871718817189171901719117192171931719417195171961719717198171991720017201172021720317204172051720617207172081720917210172111721217213172141721517216172171721817219172201722117222172231722417225172261722717228172291723017231172321723317234172351723617237172381723917240172411724217243172441724517246172471724817249172501725117252172531725417255172561725717258172591726017261172621726317264172651726617267172681726917270172711727217273172741727517276172771727817279172801728117282172831728417285172861728717288172891729017291172921729317294172951729617297172981729917300173011730217303173041730517306173071730817309173101731117312173131731417315173161731717318173191732017321173221732317324173251732617327173281732917330173311733217333173341733517336173371733817339173401734117342173431734417345173461734717348173491735017351173521735317354173551735617357173581735917360173611736217363173641736517366173671736817369173701737117372173731737417375173761737717378173791738017381173821738317384173851738617387173881738917390173911739217393173941739517396173971739817399174001740117402174031740417405174061740717408174091741017411174121741317414174151741617417174181741917420174211
74221742317424174251742617427174281742917430174311743217433174341743517436174371743817439174401744117442174431744417445174461744717448174491745017451174521745317454174551745617457174581745917460174611746217463174641746517466174671746817469174701747117472174731747417475174761747717478174791748017481174821748317484174851748617487174881748917490174911749217493174941749517496174971749817499175001750117502175031750417505175061750717508175091751017511175121751317514175151751617517175181751917520175211752217523175241752517526175271752817529175301753117532175331753417535175361753717538175391754017541175421754317544175451754617547175481754917550175511755217553175541755517556175571755817559175601756117562175631756417565175661756717568175691757017571175721757317574175751757617577175781757917580175811758217583175841758517586175871758817589175901759117592175931759417595175961759717598175991760017601176021760317604176051760617607176081760917610176111761217613176141761517616176171761817619176201762117622176231762417625176261762717628176291763017631176321763317634176351763617637176381763917640176411764217643176441764517646176471764817649176501765117652176531765417655176561765717658176591766017661176621766317664176651766617667176681766917670176711767217673176741767517676176771767817679176801768117682176831768417685176861768717688176891769017691176921769317694176951769617697176981769917700177011770217703177041770517706177071770817709177101771117712177131771417715177161771717718177191772017721177221772317724177251772617727177281772917730177311773217733177341773517736177371773817739177401774117742177431774417745177461774717748177491775017751177521775317754177551775617757177581775917760177611776217763177641776517766177671776817769177701777117772177731777417775177761777717778177791778017781177821778317784177851778617787177881778917790177911779217793177941779517796177971779817799178001780117802178031780417805178061780717808178091781017811178121781317814178151781617817178181781917820178211
78221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211
82221822318224182251822618227182281822918230182311823218233182341823518236182371823818239182401824118242182431824418245182461824718248182491825018251182521825318254182551825618257182581825918260182611826218263182641826518266182671826818269182701827118272182731827418275182761827718278182791828018281182821828318284182851828618287182881828918290182911829218293182941829518296182971829818299183001830118302183031830418305183061830718308183091831018311183121831318314183151831618317183181831918320183211832218323183241832518326183271832818329183301833118332183331833418335183361833718338183391834018341183421834318344183451834618347183481834918350183511835218353183541835518356183571835818359183601836118362183631836418365183661836718368183691837018371183721837318374183751837618377183781837918380183811838218383183841838518386183871838818389183901839118392183931839418395183961839718398183991840018401184021840318404184051840618407184081840918410184111841218413184141841518416184171841818419184201842118422184231842418425184261842718428184291843018431184321843318434184351843618437184381843918440184411844218443184441844518446184471844818449184501845118452184531845418455184561845718458184591846018461184621846318464184651846618467184681846918470184711847218473184741847518476184771847818479184801848118482184831848418485184861848718488184891849018491184921849318494184951849618497184981849918500185011850218503185041850518506185071850818509185101851118512185131851418515185161851718518185191852018521185221852318524185251852618527185281852918530185311853218533185341853518536185371853818539185401854118542185431854418545185461854718548185491855018551185521855318554185551855618557185581855918560185611856218563185641856518566185671856818569185701857118572185731857418575185761857718578185791858018581185821858318584185851858618587185881858918590185911859218593185941859518596185971859818599186001860118602186031860418605186061860718608186091861018611186121861318614186151861618617186181861918620186211
86221862318624186251862618627186281862918630186311863218633186341863518636186371863818639186401864118642186431864418645186461864718648186491865018651186521865318654186551865618657186581865918660186611866218663186641866518666186671866818669186701867118672186731867418675186761867718678186791868018681186821868318684186851868618687186881868918690186911869218693186941869518696186971869818699187001870118702187031870418705187061870718708187091871018711187121871318714187151871618717187181871918720187211872218723187241872518726187271872818729187301873118732187331873418735187361873718738187391874018741187421874318744187451874618747187481874918750187511875218753187541875518756187571875818759187601876118762187631876418765187661876718768187691877018771187721877318774187751877618777187781877918780187811878218783187841878518786187871878818789187901879118792187931879418795187961879718798187991880018801188021880318804188051880618807188081880918810188111881218813188141881518816188171881818819188201882118822188231882418825188261882718828188291883018831188321883318834188351883618837188381883918840188411884218843188441884518846188471884818849188501885118852188531885418855188561885718858188591886018861188621886318864188651886618867188681886918870188711887218873188741887518876188771887818879188801888118882188831888418885188861888718888188891889018891188921889318894188951889618897188981889918900189011890218903189041890518906189071890818909189101891118912189131891418915189161891718918189191892018921189221892318924189251892618927189281892918930189311893218933189341893518936189371893818939189401894118942189431894418945189461894718948189491895018951189521895318954189551895618957189581895918960189611896218963189641896518966189671896818969189701897118972189731897418975189761897718978189791898018981189821898318984189851898618987189881898918990189911899218993189941899518996189971899818999190001900119002190031900419005190061900719008190091901019011190121901319014190151901619017190181901919020190211
90221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211
94221942319424194251942619427194281942919430194311943219433194341943519436194371943819439194401944119442194431944419445194461944719448194491945019451194521945319454194551945619457194581945919460194611946219463194641946519466194671946819469194701947119472194731947419475194761947719478194791948019481194821948319484194851948619487194881948919490194911949219493194941949519496194971949819499195001950119502195031950419505195061950719508195091951019511195121951319514195151951619517195181951919520195211952219523195241952519526195271952819529195301953119532195331953419535195361953719538195391954019541195421954319544195451954619547195481954919550195511955219553195541955519556195571955819559195601956119562195631956419565195661956719568195691957019571195721957319574195751957619577195781957919580195811958219583195841958519586195871958819589195901959119592195931959419595195961959719598195991960019601196021960319604196051960619607196081960919610196111961219613196141961519616196171961819619196201962119622196231962419625196261962719628196291963019631196321963319634196351963619637196381963919640196411964219643196441964519646196471964819649196501965119652196531965419655196561965719658196591966019661196621966319664196651966619667196681966919670196711967219673196741967519676196771967819679196801968119682196831968419685196861968719688196891969019691196921969319694196951969619697196981969919700197011970219703197041970519706197071970819709197101971119712197131971419715197161971719718197191972019721197221972319724197251972619727197281972919730197311973219733197341973519736197371973819739197401974119742197431974419745197461974719748197491975019751197521975319754197551975619757197581975919760197611976219763197641976519766197671976819769197701977119772197731977419775197761977719778197791978019781197821978319784197851978619787197881978919790197911979219793197941979519796197971979819799198001980119802198031980419805198061980719808198091981019811198121981319814198151981619817198181981919820198211
98221982319824198251982619827198281982919830198311983219833198341983519836198371983819839198401984119842198431984419845198461984719848198491985019851198521985319854198551985619857198581985919860198611986219863198641986519866198671986819869198701987119872198731987419875198761987719878198791988019881198821988319884198851988619887198881988919890198911989219893198941989519896198971989819899199001990119902199031990419905199061990719908199091991019911199121991319914199151991619917199181991919920199211992219923199241992519926199271992819929199301993119932199331993419935199361993719938199391994019941199421994319944199451994619947199481994919950199511995219953199541995519956199571995819959199601996119962199631996419965199661996719968199691997019971199721997319974199751997619977199781997919980199811998219983199841998519986199871998819989199901999119992199931999419995199961999719998199992000020001200022000320004200052000620007200082000920010200112001220013200142001520016200172001820019200202002120022200232002420025200262002720028200292003020031200322003320034200352003620037200382003920040200412004220043200442004520046200472004820049200502005120052200532005420055200562005720058200592006020061200622006320064200652006620067200682006920070200712007220073200742007520076200772007820079200802008120082200832008420085200862008720088200892009020091200922009320094200952009620097200982009920100201012010220103201042010520106201072010820109201102011120112201132011420115201162011720118201192012020121201222012320124201252012620127201282012920130201312013220133201342013520136201372013820139201402014120142201432014420145201462014720148201492015020151201522015320154201552015620157201582015920160201612016220163201642016520166201672016820169201702017120172201732017420175201762017720178201792018020181201822018320184201852018620187201882018920190201912019220193201942019520196201972019820199202002020120202202032020420205202062020720208202092021020211202122021320214202152021620217202182021920220202212
02222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212
06222062320624206252062620627206282062920630206312063220633206342063520636206372063820639206402064120642206432064420645206462064720648206492065020651206522065320654206552065620657206582065920660206612066220663206642066520666206672066820669206702067120672206732067420675206762067720678206792068020681206822068320684206852068620687206882068920690206912069220693206942069520696206972069820699207002070120702207032070420705207062070720708207092071020711207122071320714207152071620717207182071920720207212072220723207242072520726207272072820729207302073120732207332073420735207362073720738207392074020741207422074320744207452074620747207482074920750207512075220753207542075520756207572075820759207602076120762207632076420765207662076720768207692077020771207722077320774207752077620777207782077920780207812078220783207842078520786207872078820789207902079120792207932079420795207962079720798207992080020801208022080320804208052080620807208082080920810208112081220813208142081520816208172081820819208202082120822208232082420825208262082720828208292083020831208322083320834208352083620837208382083920840208412084220843208442084520846208472084820849208502085120852208532085420855208562085720858208592086020861208622086320864208652086620867208682086920870208712087220873208742087520876208772087820879208802088120882208832088420885208862088720888208892089020891208922089320894208952089620897208982089920900209012090220903209042090520906209072090820909209102091120912209132091420915209162091720918209192092020921209222092320924209252092620927209282092920930209312093220933209342093520936209372093820939209402094120942209432094420945209462094720948209492095020951209522095320954209552095620957209582095920960209612096220963209642096520966209672096820969209702097120972209732097420975209762097720978209792098020981209822098320984209852098620987209882098920990209912099220993209942099520996209972099820999210002100121002210032100421005210062100721008210092101021011210122101321014210152101621017210182101921020210212
10222102321024210252102621027210282102921030210312103221033210342103521036210372103821039210402104121042210432104421045210462104721048210492105021051210522105321054210552105621057210582105921060210612106221063210642106521066210672106821069210702107121072210732107421075210762107721078210792108021081210822108321084210852108621087210882108921090210912109221093210942109521096210972109821099211002110121102211032110421105211062110721108211092111021111211122111321114211152111621117211182111921120211212112221123211242112521126211272112821129211302113121132211332113421135211362113721138211392114021141211422114321144211452114621147211482114921150211512115221153211542115521156211572115821159211602116121162211632116421165211662116721168211692117021171211722117321174211752117621177211782117921180211812118221183211842118521186211872118821189211902119121192211932119421195211962119721198211992120021201212022120321204212052120621207212082120921210212112121221213212142121521216212172121821219212202122121222212232122421225212262122721228212292123021231212322123321234212352123621237212382123921240212412124221243212442124521246212472124821249212502125121252212532125421255212562125721258212592126021261212622126321264212652126621267212682126921270212712127221273212742127521276212772127821279212802128121282212832128421285212862128721288212892129021291212922129321294212952129621297212982129921300213012130221303213042130521306213072130821309213102131121312213132131421315213162131721318213192132021321213222132321324213252132621327213282132921330213312133221333213342133521336213372133821339213402134121342213432134421345213462134721348213492135021351213522135321354213552135621357213582135921360213612136221363213642136521366213672136821369213702137121372213732137421375213762137721378213792138021381213822138321384213852138621387213882138921390213912139221393213942139521396213972139821399214002140121402214032140421405214062140721408214092141021411214122141321414214152141621417214182141921420214212
14222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212
18222182321824218252182621827218282182921830218312183221833218342183521836218372183821839218402184121842218432184421845218462184721848218492185021851218522185321854218552185621857218582185921860218612186221863218642186521866218672186821869218702187121872218732187421875218762187721878218792188021881218822188321884218852188621887218882188921890218912189221893218942189521896218972189821899219002190121902219032190421905219062190721908219092191021911219122191321914219152191621917219182191921920219212192221923219242192521926219272192821929219302193121932219332193421935219362193721938219392194021941219422194321944219452194621947219482194921950219512195221953219542195521956219572195821959219602196121962219632196421965219662196721968219692197021971219722197321974219752197621977219782197921980219812198221983219842198521986219872198821989219902199121992219932199421995219962199721998219992200022001220022200322004220052200622007220082200922010220112201222013220142201522016220172201822019220202202122022220232202422025220262202722028220292203022031220322203322034220352203622037220382203922040220412204222043220442204522046220472204822049220502205122052220532205422055220562205722058220592206022061220622206322064220652206622067220682206922070220712207222073220742207522076220772207822079220802208122082220832208422085220862208722088220892209022091220922209322094220952209622097220982209922100221012210222103221042210522106221072210822109221102211122112221132211422115221162211722118221192212022121221222212322124221252212622127221282212922130221312213222133221342213522136221372213822139221402214122142221432214422145221462214722148221492215022151221522215322154221552215622157221582215922160221612216222163221642216522166221672216822169221702217122172221732217422175221762217722178221792218022181221822218322184221852218622187221882218922190221912219222193221942219522196221972219822199222002220122202222032220422205222062220722208222092221022211222122221322214222152221622217222182221922220222212
22222222322224222252222622227222282222922230222312223222233222342223522236222372223822239222402224122242222432224422245222462224722248222492225022251222522225322254222552225622257222582225922260222612226222263222642226522266222672226822269222702227122272222732227422275222762227722278222792228022281222822228322284222852228622287222882228922290222912229222293222942229522296222972229822299223002230122302223032230422305223062230722308223092231022311223122231322314223152231622317223182231922320223212232222323223242232522326223272232822329223302233122332223332233422335223362233722338223392234022341223422234322344223452234622347223482234922350223512235222353223542235522356223572235822359223602236122362223632236422365223662236722368223692237022371223722237322374223752237622377223782237922380223812238222383223842238522386223872238822389223902239122392223932239422395223962239722398223992240022401224022240322404224052240622407224082240922410224112241222413224142241522416224172241822419224202242122422224232242422425224262242722428224292243022431224322243322434224352243622437224382243922440224412244222443224442244522446224472244822449224502245122452224532245422455224562245722458224592246022461224622246322464224652246622467224682246922470224712247222473224742247522476224772247822479224802248122482224832248422485224862248722488224892249022491224922249322494224952249622497224982249922500225012250222503225042250522506225072250822509225102251122512225132251422515225162251722518225192252022521225222252322524225252252622527225282252922530225312253222533225342253522536225372253822539225402254122542225432254422545225462254722548225492255022551225522255322554225552255622557225582255922560225612256222563225642256522566225672256822569225702257122572225732257422575225762257722578225792258022581225822258322584225852258622587225882258922590225912259222593225942259522596225972259822599226002260122602226032260422605226062260722608226092261022611226122261322614226152261622617226182261922620226212
26222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212
30222302323024230252302623027230282302923030230312303223033230342303523036230372303823039230402304123042230432304423045230462304723048230492305023051230522305323054230552305623057230582305923060230612306223063230642306523066230672306823069230702307123072230732307423075230762307723078230792308023081230822308323084230852308623087230882308923090230912309223093230942309523096230972309823099231002310123102231032310423105231062310723108231092311023111231122311323114231152311623117231182311923120231212312223123231242312523126231272312823129231302313123132231332313423135231362313723138231392314023141231422314323144231452314623147231482314923150231512315223153231542315523156231572315823159231602316123162231632316423165231662316723168231692317023171231722317323174231752317623177231782317923180231812318223183231842318523186231872318823189231902319123192231932319423195231962319723198231992320023201232022320323204232052320623207232082320923210232112321223213232142321523216232172321823219232202322123222232232322423225232262322723228232292323023231232322323323234232352323623237232382323923240232412324223243232442324523246232472324823249232502325123252232532325423255232562325723258232592326023261232622326323264232652326623267232682326923270232712327223273232742327523276232772327823279232802328123282232832328423285232862328723288232892329023291232922329323294232952329623297232982329923300233012330223303233042330523306233072330823309233102331123312233132331423315233162331723318233192332023321233222332323324233252332623327233282332923330233312333223333233342333523336233372333823339233402334123342233432334423345233462334723348233492335023351233522335323354233552335623357233582335923360233612336223363233642336523366233672336823369233702337123372233732337423375233762337723378233792338023381233822338323384233852338623387233882338923390233912339223393233942339523396233972339823399234002340123402234032340423405234062340723408234092341023411234122341323414234152341623417234182341923420234212
34222342323424234252342623427234282342923430234312343223433234342343523436234372343823439234402344123442234432344423445234462344723448234492345023451234522345323454234552345623457234582345923460234612346223463234642346523466234672346823469234702347123472234732347423475234762347723478234792348023481234822348323484234852348623487234882348923490234912349223493234942349523496234972349823499235002350123502235032350423505235062350723508235092351023511235122351323514235152351623517235182351923520235212352223523235242352523526235272352823529235302353123532235332353423535235362353723538235392354023541235422354323544235452354623547235482354923550235512355223553235542355523556235572355823559235602356123562235632356423565235662356723568235692357023571235722357323574235752357623577235782357923580235812358223583235842358523586235872358823589235902359123592235932359423595235962359723598235992360023601236022360323604236052360623607236082360923610236112361223613236142361523616236172361823619236202362123622236232362423625236262362723628236292363023631236322363323634236352363623637236382363923640236412364223643236442364523646236472364823649236502365123652236532365423655236562365723658236592366023661236622366323664236652366623667236682366923670236712367223673236742367523676236772367823679236802368123682236832368423685236862368723688236892369023691236922369323694236952369623697236982369923700237012370223703237042370523706237072370823709237102371123712237132371423715237162371723718237192372023721237222372323724237252372623727237282372923730237312373223733237342373523736237372373823739237402374123742237432374423745237462374723748237492375023751237522375323754237552375623757237582375923760237612376223763237642376523766237672376823769237702377123772237732377423775237762377723778237792378023781237822378323784237852378623787237882378923790237912379223793237942379523796237972379823799238002380123802238032380423805238062380723808238092381023811238122381323814238152381623817238182381923820238212
38222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212
42222422324224242252422624227242282422924230242312423224233242342423524236242372423824239242402424124242242432424424245242462424724248242492425024251242522425324254242552425624257242582425924260242612426224263242642426524266242672426824269242702427124272242732427424275242762427724278242792428024281242822428324284242852428624287242882428924290242912429224293242942429524296242972429824299243002430124302243032430424305243062430724308243092431024311243122431324314243152431624317243182431924320243212432224323243242432524326243272432824329243302433124332243332433424335243362433724338243392434024341243422434324344243452434624347243482434924350243512435224353243542435524356243572435824359243602436124362243632436424365243662436724368243692437024371243722437324374243752437624377243782437924380243812438224383243842438524386243872438824389243902439124392243932439424395243962439724398243992440024401244022440324404244052440624407244082440924410244112441224413244142441524416244172441824419244202442124422244232442424425244262442724428244292443024431244322443324434244352443624437244382443924440244412444224443244442444524446244472444824449244502445124452244532445424455244562445724458244592446024461244622446324464244652446624467244682446924470244712447224473244742447524476244772447824479244802448124482244832448424485244862448724488244892449024491244922449324494244952449624497244982449924500245012450224503245042450524506245072450824509245102451124512245132451424515245162451724518245192452024521245222452324524245252452624527245282452924530245312453224533245342453524536245372453824539245402454124542245432454424545245462454724548245492455024551245522455324554245552455624557245582455924560245612456224563245642456524566245672456824569245702457124572245732457424575245762457724578245792458024581245822458324584245852458624587245882458924590245912459224593245942459524596245972459824599246002460124602246032460424605246062460724608246092461024611246122461324614246152461624617246182461924620246212
46222462324624246252462624627246282462924630246312463224633246342463524636246372463824639246402464124642246432464424645246462464724648246492465024651246522465324654246552465624657246582465924660246612466224663246642466524666246672466824669246702467124672246732467424675246762467724678246792468024681246822468324684246852468624687246882468924690246912469224693246942469524696246972469824699247002470124702247032470424705247062470724708247092471024711247122471324714247152471624717247182471924720247212472224723247242472524726247272472824729247302473124732247332473424735247362473724738247392474024741247422474324744247452474624747247482474924750247512475224753247542475524756247572475824759247602476124762247632476424765247662476724768247692477024771247722477324774247752477624777247782477924780247812478224783247842478524786247872478824789247902479124792247932479424795247962479724798247992480024801248022480324804248052480624807248082480924810248112481224813248142481524816248172481824819248202482124822248232482424825248262482724828248292483024831248322483324834248352483624837248382483924840248412484224843248442484524846248472484824849248502485124852248532485424855248562485724858248592486024861248622486324864248652486624867248682486924870248712487224873248742487524876248772487824879248802488124882248832488424885248862488724888248892489024891248922489324894248952489624897248982489924900249012490224903249042490524906249072490824909249102491124912249132491424915249162491724918249192492024921249222492324924249252492624927249282492924930249312493224933249342493524936249372493824939249402494124942249432494424945249462494724948249492495024951249522495324954249552495624957249582495924960249612496224963249642496524966249672496824969249702497124972249732497424975249762497724978249792498024981249822498324984249852498624987249882498924990249912499224993249942499524996249972499824999250002500125002250032500425005250062500725008250092501025011250122501325014250152501625017250182501925020250212
50222502325024250252502625027250282502925030250312503225033250342503525036250372503825039250402504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060250612506225063250642506525066250672506825069250702507125072250732507425075250762507725078250792508025081250822508325084250852508625087250882508925090250912509225093250942509525096250972509825099251002510125102251032510425105251062510725108251092511025111251122511325114251152511625117251182511925120251212512225123251242512525126251272512825129251302513125132251332513425135251362513725138251392514025141251422514325144251452514625147251482514925150251512515225153251542515525156251572515825159251602516125162251632516425165251662516725168251692517025171251722517325174251752517625177251782517925180251812518225183251842518525186251872518825189251902519125192251932519425195251962519725198251992520025201252022520325204252052520625207252082520925210252112521225213252142521525216252172521825219252202522125222252232522425225252262522725228252292523025231252322523325234252352523625237252382523925240252412524225243252442524525246252472524825249252502525125252252532525425255252562525725258252592526025261252622526325264252652526625267252682526925270252712527225273252742527525276252772527825279252802528125282252832528425285252862528725288252892529025291252922529325294252952529625297252982529925300253012530225303253042530525306253072530825309253102531125312253132531425315253162531725318253192532025321253222532325324253252532625327253282532925330253312533225333253342533525336253372533825339253402534125342253432534425345253462534725348253492535025351253522535325354253552535625357253582535925360253612536225363253642536525366253672536825369253702537125372253732537425375253762537725378253792538025381253822538325384253852538625387253882538925390253912539225393253942539525396253972539825399254002540125402254032540425405254062540725408254092541025411254122541325414254152541625417254182541925420254212
54222542325424254252542625427254282542925430254312543225433254342543525436254372543825439254402544125442254432544425445254462544725448254492545025451254522545325454254552545625457254582545925460254612546225463254642546525466254672546825469254702547125472254732547425475254762547725478254792548025481254822548325484254852548625487254882548925490254912549225493254942549525496254972549825499255002550125502255032550425505255062550725508255092551025511255122551325514255152551625517255182551925520255212552225523255242552525526255272552825529255302553125532255332553425535255362553725538255392554025541255422554325544255452554625547255482554925550255512555225553255542555525556255572555825559255602556125562255632556425565255662556725568255692557025571255722557325574255752557625577255782557925580255812558225583255842558525586255872558825589255902559125592255932559425595255962559725598255992560025601256022560325604256052560625607256082560925610256112561225613256142561525616256172561825619256202562125622256232562425625256262562725628256292563025631256322563325634256352563625637256382563925640256412564225643256442564525646256472564825649256502565125652256532565425655256562565725658256592566025661256622566325664256652566625667256682566925670256712567225673256742567525676256772567825679256802568125682256832568425685256862568725688256892569025691256922569325694256952569625697256982569925700257012570225703257042570525706257072570825709257102571125712257132571425715257162571725718257192572025721257222572325724257252572625727257282572925730257312573225733257342573525736257372573825739257402574125742257432574425745257462574725748257492575025751257522575325754257552575625757257582575925760257612576225763257642576525766257672576825769257702577125772257732577425775257762577725778257792578025781257822578325784257852578625787257882578925790257912579225793257942579525796257972579825799258002580125802258032580425805258062580725808258092581025811258122581325814258152581625817258182581925820258212
58222582325824258252582625827258282582925830258312583225833258342583525836258372583825839258402584125842258432584425845258462584725848258492585025851258522585325854258552585625857258582585925860258612586225863258642586525866258672586825869258702587125872258732587425875258762587725878258792588025881258822588325884258852588625887258882588925890258912589225893258942589525896258972589825899259002590125902259032590425905259062590725908259092591025911259122591325914259152591625917259182591925920259212592225923259242592525926259272592825929259302593125932259332593425935259362593725938259392594025941259422594325944259452594625947259482594925950259512595225953259542595525956259572595825959259602596125962259632596425965259662596725968259692597025971259722597325974259752597625977259782597925980259812598225983259842598525986259872598825989259902599125992259932599425995259962599725998259992600026001260022600326004260052600626007260082600926010260112601226013260142601526016260172601826019260202602126022260232602426025260262602726028260292603026031260322603326034260352603626037260382603926040260412604226043260442604526046260472604826049260502605126052260532605426055260562605726058260592606026061260622606326064260652606626067260682606926070260712607226073260742607526076260772607826079260802608126082260832608426085260862608726088260892609026091260922609326094260952609626097260982609926100261012610226103261042610526106261072610826109261102611126112261132611426115261162611726118261192612026121261222612326124261252612626127261282612926130261312613226133261342613526136261372613826139261402614126142261432614426145261462614726148261492615026151261522615326154261552615626157261582615926160261612616226163261642616526166261672616826169261702617126172261732617426175261762617726178261792618026181261822618326184261852618626187261882618926190261912619226193261942619526196261972619826199262002620126202262032620426205262062620726208262092621026211262122621326214262152621626217262182621926220262212
62222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572265732657426575265762657726578265792658026581265822658326584265852658626587265882658926590265912659226593265942659526596265972659826599266002660126602266032660426605266062660726608266092661026611266122661326614266152661626617266182661926620266212
66222662326624266252662626627266282662926630266312663226633266342663526636266372663826639266402664126642266432664426645266462664726648266492665026651266522665326654266552665626657266582665926660266612666226663266642666526666266672666826669266702667126672266732667426675266762667726678266792668026681266822668326684266852668626687266882668926690266912669226693266942669526696266972669826699267002670126702267032670426705267062670726708267092671026711267122671326714267152671626717267182671926720267212672226723267242672526726267272672826729267302673126732267332673426735267362673726738267392674026741267422674326744267452674626747267482674926750267512675226753267542675526756267572675826759267602676126762267632676426765267662676726768267692677026771267722677326774267752677626777267782677926780267812678226783267842678526786267872678826789267902679126792267932679426795267962679726798267992680026801268022680326804268052680626807268082680926810268112681226813268142681526816268172681826819268202682126822268232682426825268262682726828268292683026831268322683326834268352683626837268382683926840268412684226843268442684526846268472684826849268502685126852268532685426855268562685726858268592686026861268622686326864268652686626867268682686926870268712687226873268742687526876268772687826879268802688126882268832688426885268862688726888268892689026891268922689326894268952689626897268982689926900269012690226903269042690526906269072690826909269102691126912269132691426915269162691726918269192692026921269222692326924269252692626927269282692926930269312693226933269342693526936269372693826939269402694126942269432694426945269462694726948269492695026951269522695326954269552695626957269582695926960269612696226963269642696526966269672696826969269702697126972269732697426975269762697726978269792698026981269822698326984269852698626987269882698926990269912699226993269942699526996269972699826999270002700127002270032700427005270062700727008270092701027011270122701327014270152701627017270182701927020270212
70222702327024270252702627027270282702927030270312703227033270342703527036270372703827039270402704127042270432704427045270462704727048270492705027051270522705327054270552705627057270582705927060270612706227063270642706527066270672706827069270702707127072270732707427075270762707727078270792708027081270822708327084270852708627087270882708927090270912709227093270942709527096270972709827099271002710127102271032710427105271062710727108271092711027111271122711327114271152711627117271182711927120271212712227123271242712527126271272712827129271302713127132271332713427135271362713727138271392714027141271422714327144271452714627147271482714927150271512715227153271542715527156271572715827159271602716127162271632716427165271662716727168271692717027171271722717327174271752717627177271782717927180271812718227183271842718527186271872718827189271902719127192271932719427195271962719727198271992720027201272022720327204272052720627207272082720927210272112721227213272142721527216272172721827219272202722127222272232722427225272262722727228272292723027231272322723327234272352723627237272382723927240272412724227243272442724527246272472724827249272502725127252272532725427255272562725727258272592726027261272622726327264272652726627267272682726927270272712727227273272742727527276272772727827279272802728127282272832728427285272862728727288272892729027291272922729327294272952729627297272982729927300273012730227303273042730527306273072730827309273102731127312273132731427315273162731727318273192732027321273222732327324273252732627327273282732927330273312733227333273342733527336273372733827339273402734127342273432734427345273462734727348273492735027351273522735327354273552735627357273582735927360273612736227363273642736527366273672736827369273702737127372273732737427375273762737727378273792738027381273822738327384273852738627387273882738927390273912739227393273942739527396273972739827399274002740127402274032740427405274062740727408274092741027411274122741327414274152741627417274182741927420274212
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  118. enum:
  119. - Ignore
  120. - Fail
  121. type: string
  122. property:
  123. description: Used to select a specific property of the Provider value (if a map), if supported
  124. type: string
  125. version:
  126. description: Used to select a specific version of the Provider value, if supported
  127. type: string
  128. required:
  129. - key
  130. type: object
  131. secretKey:
  132. description: The key in the Kubernetes Secret to store the value.
  133. maxLength: 253
  134. minLength: 1
  135. pattern: ^[-._a-zA-Z0-9]+$
  136. type: string
  137. sourceRef:
  138. description: |-
  139. SourceRef allows you to override the source
  140. from which the value will be pulled.
  141. maxProperties: 1
  142. minProperties: 1
  143. properties:
  144. generatorRef:
  145. description: |-
  146. GeneratorRef points to a generator custom resource.
  147. Deprecated: The generatorRef is not implemented in .data[].
  148. This will be removed with v1.
  149. properties:
  150. apiVersion:
  151. default: generators.external-secrets.io/v1alpha1
  152. description: Specify the apiVersion of the generator resource
  153. type: string
  154. kind:
  155. description: Specify the Kind of the generator resource
  156. enum:
  157. - ACRAccessToken
  158. - BeyondtrustWorkloadCredentialsDynamicSecret
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - QuayAccessToken
  166. - Password
  167. - SSHKey
  168. - STSSessionToken
  169. - UUID
  170. - VaultDynamicSecret
  171. - Webhook
  172. - Grafana
  173. - MFA
  174. type: string
  175. name:
  176. description: Specify the name of the generator resource
  177. maxLength: 253
  178. minLength: 1
  179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  180. type: string
  181. required:
  182. - kind
  183. - name
  184. type: object
  185. storeRef:
  186. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  187. properties:
  188. kind:
  189. description: |-
  190. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  191. Defaults to `SecretStore`
  192. enum:
  193. - SecretStore
  194. - ClusterSecretStore
  195. type: string
  196. name:
  197. description: Name of the SecretStore resource
  198. maxLength: 253
  199. minLength: 1
  200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  201. type: string
  202. type: object
  203. type: object
  204. required:
  205. - remoteRef
  206. - secretKey
  207. type: object
  208. type: array
  209. dataFrom:
  210. description: |-
  211. DataFrom is used to fetch all properties from a specific Provider data
  212. If multiple entries are specified, the Secret keys are merged in the specified order
  213. items:
  214. description: |-
  215. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  216. when using DataFrom to fetch multiple values from a Provider.
  217. properties:
  218. extract:
  219. description: |-
  220. Used to extract multiple key/value pairs from one secret
  221. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  222. properties:
  223. conversionStrategy:
  224. default: Default
  225. description: Used to define a conversion Strategy
  226. enum:
  227. - Default
  228. - Unicode
  229. type: string
  230. decodingStrategy:
  231. default: None
  232. description: Used to define a decoding Strategy
  233. enum:
  234. - Auto
  235. - Base64
  236. - Base64URL
  237. - None
  238. type: string
  239. key:
  240. description: Key is the key used in the Provider, mandatory
  241. type: string
  242. metadataPolicy:
  243. default: None
  244. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  245. enum:
  246. - None
  247. - Fetch
  248. type: string
  249. nullBytePolicy:
  250. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  251. enum:
  252. - Ignore
  253. - Fail
  254. type: string
  255. property:
  256. description: Used to select a specific property of the Provider value (if a map), if supported
  257. type: string
  258. version:
  259. description: Used to select a specific version of the Provider value, if supported
  260. type: string
  261. required:
  262. - key
  263. type: object
  264. find:
  265. description: |-
  266. Used to find secrets based on tags or regular expressions
  267. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  268. properties:
  269. conversionStrategy:
  270. default: Default
  271. description: Used to define a conversion Strategy
  272. enum:
  273. - Default
  274. - Unicode
  275. type: string
  276. decodingStrategy:
  277. default: None
  278. description: Used to define a decoding Strategy
  279. enum:
  280. - Auto
  281. - Base64
  282. - Base64URL
  283. - None
  284. type: string
  285. name:
  286. description: Finds secrets based on the name.
  287. properties:
  288. regexp:
  289. description: Finds secrets based on a regular expression applied to the secret name.
  290. type: string
  291. type: object
  292. nullBytePolicy:
  293. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  294. enum:
  295. - Ignore
  296. - Fail
  297. type: string
  298. path:
  299. description: A root path to start the find operations.
  300. type: string
  301. tags:
  302. additionalProperties:
  303. type: string
  304. description: Find secrets based on tags.
  305. type: object
  306. type: object
  307. rewrite:
  308. description: |-
  309. Used to rewrite secret Keys after getting them from the secret Provider
  310. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  311. items:
  312. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  313. maxProperties: 1
  314. minProperties: 1
  315. properties:
  316. merge:
  317. description: |-
  318. Used to merge key/values in one single Secret
  319. The resulting key will contain all values from the specified secrets
  320. properties:
  321. conflictPolicy:
  322. default: Error
  323. description: Used to define the policy to use in conflict resolution.
  324. enum:
  325. - Ignore
  326. - Error
  327. type: string
  328. into:
  329. default: ""
  330. description: |-
  331. Used to define the target key of the merge operation.
  332. Required if strategy is JSON. Ignored otherwise.
  333. type: string
  334. priority:
  335. description: Used to define key priority in conflict resolution.
  336. items:
  337. type: string
  338. type: array
  339. priorityPolicy:
  340. default: Strict
  341. description: Used to define the policy when a key in the priority list does not exist in the input.
  342. enum:
  343. - IgnoreNotFound
  344. - Strict
  345. type: string
  346. strategy:
  347. default: Extract
  348. description: Used to define the strategy to use in the merge operation.
  349. enum:
  350. - Extract
  351. - JSON
  352. type: string
  353. type: object
  354. regexp:
  355. description: |-
  356. Used to rewrite with regular expressions.
  357. The resulting key will be the output of a regexp.ReplaceAll operation.
  358. properties:
  359. source:
  360. description: Used to define the regular expression of a re.Compiler.
  361. type: string
  362. target:
  363. description: Used to define the target pattern of a ReplaceAll operation.
  364. type: string
  365. required:
  366. - source
  367. - target
  368. type: object
  369. transform:
  370. description: |-
  371. Used to apply string transformation on the secrets.
  372. The resulting key will be the output of the template applied by the operation.
  373. properties:
  374. template:
  375. description: |-
  376. Used to define the template to apply on the secret name.
  377. `.value` will specify the secret name in the template.
  378. type: string
  379. required:
  380. - template
  381. type: object
  382. type: object
  383. type: array
  384. sourceRef:
  385. description: |-
  386. SourceRef points to a store or generator
  387. which contains secret values ready to use.
  388. Use this in combination with Extract or Find to pull values out of
  389. a specific SecretStore.
  390. When sourceRef points to a generator, Extract or Find is not supported.
  391. The generator returns a static map of values.
  392. maxProperties: 1
  393. minProperties: 1
  394. properties:
  395. generatorRef:
  396. description: GeneratorRef points to a generator custom resource.
  397. properties:
  398. apiVersion:
  399. default: generators.external-secrets.io/v1alpha1
  400. description: Specify the apiVersion of the generator resource
  401. type: string
  402. kind:
  403. description: Specify the Kind of the generator resource
  404. enum:
  405. - ACRAccessToken
  406. - BeyondtrustWorkloadCredentialsDynamicSecret
  407. - ClusterGenerator
  408. - CloudsmithAccessToken
  409. - ECRAuthorizationToken
  410. - Fake
  411. - GCRAccessToken
  412. - GithubAccessToken
  413. - QuayAccessToken
  414. - Password
  415. - SSHKey
  416. - STSSessionToken
  417. - UUID
  418. - VaultDynamicSecret
  419. - Webhook
  420. - Grafana
  421. - MFA
  422. type: string
  423. name:
  424. description: Specify the name of the generator resource
  425. maxLength: 253
  426. minLength: 1
  427. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  428. type: string
  429. required:
  430. - kind
  431. - name
  432. type: object
  433. storeRef:
  434. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  435. properties:
  436. kind:
  437. description: |-
  438. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  439. Defaults to `SecretStore`
  440. enum:
  441. - SecretStore
  442. - ClusterSecretStore
  443. type: string
  444. name:
  445. description: Name of the SecretStore resource
  446. maxLength: 253
  447. minLength: 1
  448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  449. type: string
  450. type: object
  451. type: object
  452. type: object
  453. type: array
  454. refreshInterval:
  455. default: 1h0m0s
  456. description: |-
  457. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  458. specified as Golang Duration strings.
  459. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  460. Example values: "1h0m0s", "2h30m0s", "10m0s"
  461. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  462. type: string
  463. refreshPolicy:
  464. description: |-
  465. RefreshPolicy determines how the ExternalSecret should be refreshed:
  466. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  467. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  468. No periodic updates occur if refreshInterval is 0.
  469. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  470. enum:
  471. - CreatedOnce
  472. - Periodic
  473. - OnChange
  474. type: string
  475. secretStoreRef:
  476. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  477. properties:
  478. kind:
  479. description: |-
  480. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  481. Defaults to `SecretStore`
  482. enum:
  483. - SecretStore
  484. - ClusterSecretStore
  485. type: string
  486. name:
  487. description: Name of the SecretStore resource
  488. maxLength: 253
  489. minLength: 1
  490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  491. type: string
  492. type: object
  493. syncWindows:
  494. description: |-
  495. SyncWindows optionally restricts when periodic refreshes may occur.
  496. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  497. properties:
  498. kind:
  499. description: |-
  500. Kind applies to every window in the list.
  501. "allow" -- syncs are permitted only while at least one window is active;
  502. all other times are blocked.
  503. "deny" -- syncs are blocked while any window is active;
  504. all other times are permitted.
  505. enum:
  506. - allow
  507. - deny
  508. type: string
  509. windows:
  510. description: Windows is the list of schedule+duration pairs.
  511. items:
  512. description: |-
  513. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  514. within a SyncWindows block.
  515. properties:
  516. duration:
  517. description: |-
  518. Duration specifies how long the window stays open after each Schedule
  519. firing. Example: "8h".
  520. type: string
  521. schedule:
  522. description: |-
  523. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  524. named shorthand such as @daily or @every 1h. It marks the start time of
  525. each window occurrence.
  526. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  527. minLength: 1
  528. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  529. type: string
  530. required:
  531. - duration
  532. - schedule
  533. type: object
  534. minItems: 1
  535. type: array
  536. required:
  537. - kind
  538. - windows
  539. type: object
  540. target:
  541. default:
  542. creationPolicy: Owner
  543. deletionPolicy: Retain
  544. description: |-
  545. ExternalSecretTarget defines the Kubernetes Secret to be created,
  546. there can be only one target per ExternalSecret.
  547. properties:
  548. creationPolicy:
  549. default: Owner
  550. description: |-
  551. CreationPolicy defines rules on how to create the resulting Secret.
  552. Defaults to "Owner"
  553. enum:
  554. - Owner
  555. - Orphan
  556. - Merge
  557. - None
  558. type: string
  559. deletionPolicy:
  560. default: Retain
  561. description: |-
  562. DeletionPolicy defines rules on how to delete the resulting Secret.
  563. Defaults to "Retain"
  564. enum:
  565. - Delete
  566. - Merge
  567. - Retain
  568. type: string
  569. immutable:
  570. description: Immutable defines if the final secret will be immutable
  571. type: boolean
  572. manifest:
  573. description: |-
  574. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  575. When specified, ExternalSecret will create the resource type defined here
  576. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  577. Warning: with a generic target the rendered values are written to a resource that is not a Kubernetes Secret, so make sure access policies and encryption for that resource type are properly configured.
  578. properties:
  579. apiVersion:
  580. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  581. minLength: 1
  582. type: string
  583. kind:
  584. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  585. minLength: 1
  586. type: string
  587. required:
  588. - apiVersion
  589. - kind
  590. type: object
  591. name:
  592. description: |-
  593. The name of the Secret resource to be managed.
  594. Defaults to the .metadata.name of the ExternalSecret resource
  595. maxLength: 253
  596. minLength: 1
  597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  598. type: string
  599. template:
  600. description: Template defines a blueprint for the created Secret resource.
  601. properties:
  602. data:
  603. additionalProperties:
  604. type: string
  605. type: object
  606. engineVersion:
  607. default: v2
  608. description: |-
  609. EngineVersion specifies the template engine version
  610. that should be used to compile/execute the
  611. template specified in .data and .templateFrom[].
  612. enum:
  613. - v2
  614. type: string
  615. mergePolicy:
  616. default: Replace
  617. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  618. enum:
  619. - Replace
  620. - Merge
  621. type: string
  622. metadata:
  623. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  624. properties:
  625. annotations:
  626. additionalProperties:
  627. type: string
  628. type: object
  629. finalizers:
  630. items:
  631. type: string
  632. type: array
  633. labels:
  634. additionalProperties:
  635. type: string
  636. type: object
  637. type: object
  638. templateFrom:
  639. items:
  640. description: |-
  641. TemplateFrom specifies a source for templates.
  642. Each item in the list can either reference a ConfigMap or a Secret resource.
  643. properties:
  644. configMap:
  645. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  646. properties:
  647. items:
  648. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  649. items:
  650. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  651. properties:
  652. key:
  653. description: A key in the ConfigMap/Secret
  654. maxLength: 253
  655. minLength: 1
  656. pattern: ^[-._a-zA-Z0-9]+$
  657. type: string
  658. templateAs:
  659. default: Values
  660. description: TemplateScope specifies how the template keys should be interpreted.
  661. enum:
  662. - Values
  663. - KeysAndValues
  664. type: string
  665. required:
  666. - key
  667. type: object
  668. type: array
  669. name:
  670. description: The name of the ConfigMap/Secret resource
  671. maxLength: 253
  672. minLength: 1
  673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  674. type: string
  675. required:
  676. - items
  677. - name
  678. type: object
  679. literal:
  680. type: string
  681. secret:
  682. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  683. properties:
  684. items:
  685. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  686. items:
  687. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  688. properties:
  689. key:
  690. description: A key in the ConfigMap/Secret
  691. maxLength: 253
  692. minLength: 1
  693. pattern: ^[-._a-zA-Z0-9]+$
  694. type: string
  695. templateAs:
  696. default: Values
  697. description: TemplateScope specifies how the template keys should be interpreted.
  698. enum:
  699. - Values
  700. - KeysAndValues
  701. type: string
  702. required:
  703. - key
  704. type: object
  705. type: array
  706. name:
  707. description: The name of the ConfigMap/Secret resource
  708. maxLength: 253
  709. minLength: 1
  710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  711. type: string
  712. required:
  713. - items
  714. - name
  715. type: object
  716. target:
  717. default: Data
  718. description: |-
  719. Target specifies where to place the template result.
  720. For Secret resources, common values are: "Data", "Annotations", "Labels".
  721. For custom resources (when spec.target.manifest is set), this supports
  722. nested paths like "spec.database.config" or "data".
  723. type: string
  724. valuesDecodingStrategy:
  725. default: None
  726. description: Used to define a decoding Strategy for the rendered template values.
  727. enum:
  728. - Auto
  729. - Base64
  730. - Base64URL
  731. - None
  732. type: string
  733. type: object
  734. type: array
  735. type:
  736. type: string
  737. type: object
  738. type: object
  739. type: object
  740. namespaceSelector:
  741. description: |-
  742. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  743. Deprecated: Use NamespaceSelectors instead.
  744. properties:
  745. matchExpressions:
  746. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  747. items:
  748. description: |-
  749. A label selector requirement is a selector that contains values, a key, and an operator that
  750. relates the key and values.
  751. properties:
  752. key:
  753. description: key is the label key that the selector applies to.
  754. type: string
  755. operator:
  756. description: |-
  757. operator represents a key's relationship to a set of values.
  758. Valid operators are In, NotIn, Exists and DoesNotExist.
  759. type: string
  760. values:
  761. description: |-
  762. values is an array of string values. If the operator is In or NotIn,
  763. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  764. the values array must be empty. This array is replaced during a strategic
  765. merge patch.
  766. items:
  767. type: string
  768. type: array
  769. x-kubernetes-list-type: atomic
  770. required:
  771. - key
  772. - operator
  773. type: object
  774. type: array
  775. x-kubernetes-list-type: atomic
  776. matchLabels:
  777. additionalProperties:
  778. type: string
  779. description: |-
  780. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  781. map is equivalent to an element of matchExpressions, whose key field is "key", the
  782. operator is "In", and the values array contains only "value". The requirements are ANDed.
  783. type: object
  784. type: object
  785. x-kubernetes-map-type: atomic
  786. namespaceSelectors:
  787. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  788. items:
  789. description: |-
  790. A label selector is a label query over a set of resources. The result of matchLabels and
  791. matchExpressions are ANDed. An empty label selector matches all objects. A null
  792. label selector matches no objects.
  793. properties:
  794. matchExpressions:
  795. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  796. items:
  797. description: |-
  798. A label selector requirement is a selector that contains values, a key, and an operator that
  799. relates the key and values.
  800. properties:
  801. key:
  802. description: key is the label key that the selector applies to.
  803. type: string
  804. operator:
  805. description: |-
  806. operator represents a key's relationship to a set of values.
  807. Valid operators are In, NotIn, Exists and DoesNotExist.
  808. type: string
  809. values:
  810. description: |-
  811. values is an array of string values. If the operator is In or NotIn,
  812. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  813. the values array must be empty. This array is replaced during a strategic
  814. merge patch.
  815. items:
  816. type: string
  817. type: array
  818. x-kubernetes-list-type: atomic
  819. required:
  820. - key
  821. - operator
  822. type: object
  823. type: array
  824. x-kubernetes-list-type: atomic
  825. matchLabels:
  826. additionalProperties:
  827. type: string
  828. description: |-
  829. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  830. map is equivalent to an element of matchExpressions, whose key field is "key", the
  831. operator is "In", and the values array contains only "value". The requirements are ANDed.
  832. type: object
  833. type: object
  834. x-kubernetes-map-type: atomic
  835. type: array
  836. namespaces:
  837. description: |-
  838. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  839. Deprecated: Use NamespaceSelectors instead.
  840. items:
  841. maxLength: 63
  842. minLength: 1
  843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  844. type: string
  845. type: array
  846. refreshTime:
  847. description: The interval at which the controller should reconcile its objects and recheck namespaces for labels.
  848. type: string
  849. required:
  850. - externalSecretSpec
  851. type: object
  852. status:
  853. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  854. properties:
  855. conditions:
  856. items:
  857. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  858. properties:
  859. message:
  860. type: string
  861. status:
  862. type: string
  863. type:
  864. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  865. type: string
  866. required:
  867. - status
  868. - type
  869. type: object
  870. type: array
  871. externalSecretName:
  872. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  873. type: string
  874. failedNamespaces:
  875. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  876. items:
  877. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  878. properties:
  879. namespace:
  880. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  881. type: string
  882. reason:
  883. description: Reason is why the ExternalSecret failed to apply to the namespace
  884. type: string
  885. required:
  886. - namespace
  887. type: object
  888. type: array
  889. provisionedNamespaces:
  890. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  891. items:
  892. type: string
  893. type: array
  894. type: object
  895. type: object
  896. served: true
  897. storage: true
  898. subresources:
  899. status: {}
  900. - additionalPrinterColumns:
  901. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  902. name: Store
  903. type: string
  904. - jsonPath: .spec.refreshTime
  905. name: Refresh Interval
  906. type: string
  907. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  908. name: Ready
  909. type: string
  910. deprecated: true
  911. name: v1beta1
  912. schema:
  913. openAPIV3Schema:
  914. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  915. properties:
  916. apiVersion:
  917. description: |-
  918. APIVersion defines the versioned schema of this representation of an object.
  919. Servers should convert recognized schemas to the latest internal value, and
  920. may reject unrecognized values.
  921. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  922. type: string
  923. kind:
  924. description: |-
  925. Kind is a string value representing the REST resource this object represents.
  926. Servers may infer this from the endpoint the client submits requests to.
  927. Cannot be updated.
  928. In CamelCase.
  929. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  930. type: string
  931. metadata:
  932. type: object
  933. spec:
  934. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  935. properties:
  936. externalSecretMetadata:
  937. description: The metadata of the external secrets to be created
  938. properties:
  939. annotations:
  940. additionalProperties:
  941. type: string
  942. type: object
  943. labels:
  944. additionalProperties:
  945. type: string
  946. type: object
  947. type: object
  948. externalSecretName:
  949. description: |-
  950. The name of the external secrets to be created.
  951. Defaults to the name of the ClusterExternalSecret
  952. maxLength: 253
  953. minLength: 1
  954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  955. type: string
  956. externalSecretSpec:
  957. description: The spec for the ExternalSecrets to be created
  958. properties:
  959. data:
  960. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  961. items:
  962. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  963. properties:
  964. remoteRef:
  965. description: |-
  966. RemoteRef points to the remote secret and defines
  967. which secret (version/property/..) to fetch.
  968. properties:
  969. conversionStrategy:
  970. default: Default
  971. description: Used to define a conversion Strategy
  972. enum:
  973. - Default
  974. - Unicode
  975. type: string
  976. decodingStrategy:
  977. default: None
  978. description: Used to define a decoding Strategy
  979. enum:
  980. - Auto
  981. - Base64
  982. - Base64URL
  983. - None
  984. type: string
  985. key:
  986. description: Key is the key used in the Provider, mandatory
  987. type: string
  988. metadataPolicy:
  989. default: None
  990. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  991. enum:
  992. - None
  993. - Fetch
  994. type: string
  995. property:
  996. description: Used to select a specific property of the Provider value (if a map), if supported
  997. type: string
  998. version:
  999. description: Used to select a specific version of the Provider value, if supported
  1000. type: string
  1001. required:
  1002. - key
  1003. type: object
  1004. secretKey:
  1005. description: The key in the Kubernetes Secret to store the value.
  1006. maxLength: 253
  1007. minLength: 1
  1008. pattern: ^[-._a-zA-Z0-9]+$
  1009. type: string
  1010. sourceRef:
  1011. description: |-
  1012. SourceRef allows you to override the source
  1013. from which the value will be pulled.
  1014. maxProperties: 1
  1015. minProperties: 1
  1016. properties:
  1017. generatorRef:
  1018. description: |-
  1019. GeneratorRef points to a generator custom resource.
  1020. Deprecated: The generatorRef is not implemented in .data[].
  1021. This will be removed with v1.
  1022. properties:
  1023. apiVersion:
  1024. default: generators.external-secrets.io/v1alpha1
  1025. description: Specify the apiVersion of the generator resource
  1026. type: string
  1027. kind:
  1028. description: Specify the Kind of the generator resource
  1029. enum:
  1030. - ACRAccessToken
  1031. - ClusterGenerator
  1032. - ECRAuthorizationToken
  1033. - Fake
  1034. - GCRAccessToken
  1035. - GithubAccessToken
  1036. - QuayAccessToken
  1037. - Password
  1038. - SSHKey
  1039. - STSSessionToken
  1040. - UUID
  1041. - VaultDynamicSecret
  1042. - Webhook
  1043. - Grafana
  1044. type: string
  1045. name:
  1046. description: Specify the name of the generator resource
  1047. maxLength: 253
  1048. minLength: 1
  1049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1050. type: string
  1051. required:
  1052. - kind
  1053. - name
  1054. type: object
  1055. storeRef:
  1056. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1057. properties:
  1058. kind:
  1059. description: |-
  1060. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1061. Defaults to `SecretStore`
  1062. enum:
  1063. - SecretStore
  1064. - ClusterSecretStore
  1065. type: string
  1066. name:
  1067. description: Name of the SecretStore resource
  1068. maxLength: 253
  1069. minLength: 1
  1070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1071. type: string
  1072. type: object
  1073. type: object
  1074. required:
  1075. - remoteRef
  1076. - secretKey
  1077. type: object
  1078. type: array
  1079. dataFrom:
  1080. description: |-
  1081. DataFrom is used to fetch all properties from a specific Provider data
  1082. If multiple entries are specified, the Secret keys are merged in the specified order
  1083. items:
  1084. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1085. properties:
  1086. extract:
  1087. description: |-
  1088. Used to extract multiple key/value pairs from one secret
  1089. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1090. properties:
  1091. conversionStrategy:
  1092. default: Default
  1093. description: Used to define a conversion Strategy
  1094. enum:
  1095. - Default
  1096. - Unicode
  1097. type: string
  1098. decodingStrategy:
  1099. default: None
  1100. description: Used to define a decoding Strategy
  1101. enum:
  1102. - Auto
  1103. - Base64
  1104. - Base64URL
  1105. - None
  1106. type: string
  1107. key:
  1108. description: Key is the key used in the Provider, mandatory
  1109. type: string
  1110. metadataPolicy:
  1111. default: None
  1112. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  1113. enum:
  1114. - None
  1115. - Fetch
  1116. type: string
  1117. property:
  1118. description: Used to select a specific property of the Provider value (if a map), if supported
  1119. type: string
  1120. version:
  1121. description: Used to select a specific version of the Provider value, if supported
  1122. type: string
  1123. required:
  1124. - key
  1125. type: object
  1126. find:
  1127. description: |-
  1128. Used to find secrets based on tags or regular expressions
  1129. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1130. properties:
  1131. conversionStrategy:
  1132. default: Default
  1133. description: Used to define a conversion Strategy
  1134. enum:
  1135. - Default
  1136. - Unicode
  1137. type: string
  1138. decodingStrategy:
  1139. default: None
  1140. description: Used to define a decoding Strategy
  1141. enum:
  1142. - Auto
  1143. - Base64
  1144. - Base64URL
  1145. - None
  1146. type: string
  1147. name:
  1148. description: Finds secrets based on the name.
  1149. properties:
  1150. regexp:
  1151. description: Finds secrets whose name matches this regular expression.
  1152. type: string
  1153. type: object
  1154. path:
  1155. description: A root path to start the find operations.
  1156. type: string
  1157. tags:
  1158. additionalProperties:
  1159. type: string
  1160. description: Find secrets based on tags.
  1161. type: object
  1162. type: object
  1163. rewrite:
  1164. description: |-
  1165. Used to rewrite secret Keys after getting them from the secret Provider
  1166. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1167. items:
  1168. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1169. maxProperties: 1
  1170. minProperties: 1
  1171. properties:
  1172. regexp:
  1173. description: |-
  1174. Used to rewrite with regular expressions.
  1175. The resulting key will be the output of a regexp.ReplaceAll operation.
  1176. properties:
  1177. source:
  1178. description: Used to define the regular expression of a re.Compiler.
  1179. type: string
  1180. target:
  1181. description: Used to define the target pattern of a ReplaceAll operation.
  1182. type: string
  1183. required:
  1184. - source
  1185. - target
  1186. type: object
  1187. transform:
  1188. description: |-
  1189. Used to apply string transformation on the secrets.
  1190. The resulting key will be the output of the template applied by the operation.
  1191. properties:
  1192. template:
  1193. description: |-
  1194. Used to define the template to apply on the secret name.
  1195. `.value` specifies the secret name in the template.
  1196. type: string
  1197. required:
  1198. - template
  1199. type: object
  1200. type: object
  1201. type: array
  1202. sourceRef:
  1203. description: |-
  1204. SourceRef points to a store or generator
  1205. which contains secret values ready to use.
  1206. Use this in combination with Extract or Find to pull values out of
  1207. a specific SecretStore.
  1208. When sourceRef points to a generator, Extract or Find is not supported.
  1209. The generator returns a static map of values
  1210. maxProperties: 1
  1211. minProperties: 1
  1212. properties:
  1213. generatorRef:
  1214. description: GeneratorRef points to a generator custom resource.
  1215. properties:
  1216. apiVersion:
  1217. default: generators.external-secrets.io/v1alpha1
  1218. description: Specify the apiVersion of the generator resource
  1219. type: string
  1220. kind:
  1221. description: Specify the Kind of the generator resource
  1222. enum:
  1223. - ACRAccessToken
  1224. - ClusterGenerator
  1225. - ECRAuthorizationToken
  1226. - Fake
  1227. - GCRAccessToken
  1228. - GithubAccessToken
  1229. - QuayAccessToken
  1230. - Password
  1231. - SSHKey
  1232. - STSSessionToken
  1233. - UUID
  1234. - VaultDynamicSecret
  1235. - Webhook
  1236. - Grafana
  1237. type: string
  1238. name:
  1239. description: Specify the name of the generator resource
  1240. maxLength: 253
  1241. minLength: 1
  1242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1243. type: string
  1244. required:
  1245. - kind
  1246. - name
  1247. type: object
  1248. storeRef:
  1249. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1250. properties:
  1251. kind:
  1252. description: |-
  1253. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1254. Defaults to `SecretStore`
  1255. enum:
  1256. - SecretStore
  1257. - ClusterSecretStore
  1258. type: string
  1259. name:
  1260. description: Name of the SecretStore resource
  1261. maxLength: 253
  1262. minLength: 1
  1263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1264. type: string
  1265. type: object
  1266. type: object
  1267. type: object
  1268. type: array
  1269. refreshInterval:
  1270. default: 1h0m0s
  1271. description: |-
  1272. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1273. specified as Golang Duration strings.
  1274. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1275. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1276. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1277. type: string
  1278. refreshPolicy:
  1279. description: |-
  1280. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1281. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1282. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1283. No periodic updates occur if refreshInterval is 0.
  1284. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1285. enum:
  1286. - CreatedOnce
  1287. - Periodic
  1288. - OnChange
  1289. type: string
  1290. secretStoreRef:
  1291. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1292. properties:
  1293. kind:
  1294. description: |-
  1295. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1296. Defaults to `SecretStore`
  1297. enum:
  1298. - SecretStore
  1299. - ClusterSecretStore
  1300. type: string
  1301. name:
  1302. description: Name of the SecretStore resource
  1303. maxLength: 253
  1304. minLength: 1
  1305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1306. type: string
  1307. type: object
  1308. target:
  1309. default:
  1310. creationPolicy: Owner
  1311. deletionPolicy: Retain
  1312. description: |-
  1313. ExternalSecretTarget defines the Kubernetes Secret to be created;
  1314. there can be only one target per ExternalSecret.
  1315. properties:
  1316. creationPolicy:
  1317. default: Owner
  1318. description: |-
  1319. CreationPolicy defines rules on how to create the resulting Secret.
  1320. Defaults to "Owner"
  1321. enum:
  1322. - Owner
  1323. - Orphan
  1324. - Merge
  1325. - None
  1326. type: string
  1327. deletionPolicy:
  1328. default: Retain
  1329. description: |-
  1330. DeletionPolicy defines rules on how to delete the resulting Secret.
  1331. Defaults to "Retain"
  1332. enum:
  1333. - Delete
  1334. - Merge
  1335. - Retain
  1336. type: string
  1337. immutable:
  1338. description: Immutable defines if the final secret will be immutable
  1339. type: boolean
  1340. name:
  1341. description: |-
  1342. The name of the Secret resource to be managed.
  1343. Defaults to the .metadata.name of the ExternalSecret resource
  1344. maxLength: 253
  1345. minLength: 1
  1346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1347. type: string
  1348. template:
  1349. description: Template defines a blueprint for the created Secret resource.
  1350. properties:
  1351. data:
  1352. additionalProperties:
  1353. type: string
  1354. type: object
  1355. engineVersion:
  1356. default: v2
  1357. description: |-
  1358. EngineVersion specifies the template engine version
  1359. that should be used to compile/execute the
  1360. template specified in .data and .templateFrom[].
  1361. enum:
  1362. - v2
  1363. type: string
  1364. mergePolicy:
  1365. default: Replace
  1366. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1367. enum:
  1368. - Replace
  1369. - Merge
  1370. type: string
  1371. metadata:
  1372. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1373. properties:
  1374. annotations:
  1375. additionalProperties:
  1376. type: string
  1377. type: object
  1378. labels:
  1379. additionalProperties:
  1380. type: string
  1381. type: object
  1382. type: object
  1383. templateFrom:
  1384. items:
  1385. description: TemplateFrom defines a source for template data.
  1386. properties:
  1387. configMap:
  1388. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1389. properties:
  1390. items:
  1391. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1392. items:
  1393. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1394. properties:
  1395. key:
  1396. description: A key in the ConfigMap/Secret
  1397. maxLength: 253
  1398. minLength: 1
  1399. pattern: ^[-._a-zA-Z0-9]+$
  1400. type: string
  1401. templateAs:
  1402. default: Values
  1403. description: TemplateScope defines the scope of the template when processing template data.
  1404. enum:
  1405. - Values
  1406. - KeysAndValues
  1407. type: string
  1408. required:
  1409. - key
  1410. type: object
  1411. type: array
  1412. name:
  1413. description: The name of the ConfigMap/Secret resource
  1414. maxLength: 253
  1415. minLength: 1
  1416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1417. type: string
  1418. required:
  1419. - items
  1420. - name
  1421. type: object
  1422. literal:
  1423. type: string
  1424. secret:
  1425. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1426. properties:
  1427. items:
  1428. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1429. items:
  1430. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1431. properties:
  1432. key:
  1433. description: A key in the ConfigMap/Secret
  1434. maxLength: 253
  1435. minLength: 1
  1436. pattern: ^[-._a-zA-Z0-9]+$
  1437. type: string
  1438. templateAs:
  1439. default: Values
  1440. description: TemplateScope defines the scope of the template when processing template data.
  1441. enum:
  1442. - Values
  1443. - KeysAndValues
  1444. type: string
  1445. required:
  1446. - key
  1447. type: object
  1448. type: array
  1449. name:
  1450. description: The name of the ConfigMap/Secret resource
  1451. maxLength: 253
  1452. minLength: 1
  1453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1454. type: string
  1455. required:
  1456. - items
  1457. - name
  1458. type: object
  1459. target:
  1460. default: Data
  1461. description: TemplateTarget defines the target field where the template result will be stored.
  1462. enum:
  1463. - Data
  1464. - Annotations
  1465. - Labels
  1466. type: string
  1467. type: object
  1468. type: array
  1469. type:
  1470. type: string
  1471. type: object
  1472. type: object
  1473. type: object
  1474. namespaceSelector:
  1475. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1476. properties:
  1477. matchExpressions:
  1478. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1479. items:
  1480. description: |-
  1481. A label selector requirement is a selector that contains values, a key, and an operator that
  1482. relates the key and values.
  1483. properties:
  1484. key:
  1485. description: key is the label key that the selector applies to.
  1486. type: string
  1487. operator:
  1488. description: |-
  1489. operator represents a key's relationship to a set of values.
  1490. Valid operators are In, NotIn, Exists and DoesNotExist.
  1491. type: string
  1492. values:
  1493. description: |-
  1494. values is an array of string values. If the operator is In or NotIn,
  1495. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1496. the values array must be empty. This array is replaced during a strategic
  1497. merge patch.
  1498. items:
  1499. type: string
  1500. type: array
  1501. x-kubernetes-list-type: atomic
  1502. required:
  1503. - key
  1504. - operator
  1505. type: object
  1506. type: array
  1507. x-kubernetes-list-type: atomic
  1508. matchLabels:
  1509. additionalProperties:
  1510. type: string
  1511. description: |-
  1512. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1513. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1514. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1515. type: object
  1516. type: object
  1517. x-kubernetes-map-type: atomic
  1518. namespaceSelectors:
1519. description: A list of label selectors used to find the Namespaces in which to create the ExternalSecrets. The selectors are ORed.
  1520. items:
  1521. description: |-
  1522. A label selector is a label query over a set of resources. The result of matchLabels and
  1523. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1524. label selector matches no objects.
  1525. properties:
  1526. matchExpressions:
  1527. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1528. items:
  1529. description: |-
  1530. A label selector requirement is a selector that contains values, a key, and an operator that
  1531. relates the key and values.
  1532. properties:
  1533. key:
  1534. description: key is the label key that the selector applies to.
  1535. type: string
  1536. operator:
  1537. description: |-
  1538. operator represents a key's relationship to a set of values.
  1539. Valid operators are In, NotIn, Exists and DoesNotExist.
  1540. type: string
  1541. values:
  1542. description: |-
  1543. values is an array of string values. If the operator is In or NotIn,
  1544. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1545. the values array must be empty. This array is replaced during a strategic
  1546. merge patch.
  1547. items:
  1548. type: string
  1549. type: array
  1550. x-kubernetes-list-type: atomic
  1551. required:
  1552. - key
  1553. - operator
  1554. type: object
  1555. type: array
  1556. x-kubernetes-list-type: atomic
  1557. matchLabels:
  1558. additionalProperties:
  1559. type: string
  1560. description: |-
  1561. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1562. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1563. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1564. type: object
  1565. type: object
  1566. x-kubernetes-map-type: atomic
  1567. type: array
  1568. namespaces:
  1569. description: |-
  1570. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1571. Deprecated: Use NamespaceSelectors instead.
  1572. items:
  1573. maxLength: 63
  1574. minLength: 1
  1575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1576. type: string
  1577. type: array
  1578. refreshTime:
1579. description: The interval at which the controller reconciles its objects and rechecks namespaces for matching labels.
  1580. type: string
  1581. required:
  1582. - externalSecretSpec
  1583. type: object
  1584. status:
  1585. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1586. properties:
  1587. conditions:
  1588. items:
  1589. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1590. properties:
  1591. message:
  1592. type: string
  1593. status:
  1594. type: string
  1595. type:
  1596. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1597. type: string
  1598. required:
  1599. - status
  1600. - type
  1601. type: object
  1602. type: array
  1603. externalSecretName:
  1604. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1605. type: string
  1606. failedNamespaces:
  1607. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1608. items:
1609. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  1610. properties:
  1611. namespace:
  1612. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1613. type: string
  1614. reason:
  1615. description: Reason is why the ExternalSecret failed to apply to the namespace
  1616. type: string
  1617. required:
  1618. - namespace
  1619. type: object
  1620. type: array
  1621. provisionedNamespaces:
  1622. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1623. items:
  1624. type: string
  1625. type: array
  1626. type: object
  1627. type: object
  1628. served: false
  1629. storage: false
  1630. subresources:
  1631. status: {}
  1632. ---
  1633. apiVersion: apiextensions.k8s.io/v1
  1634. kind: CustomResourceDefinition
  1635. metadata:
  1636. annotations:
  1637. controller-gen.kubebuilder.io/version: v0.19.0
  1638. labels:
  1639. external-secrets.io/component: controller
  1640. name: clusterpushsecrets.external-secrets.io
  1641. spec:
  1642. group: external-secrets.io
  1643. names:
  1644. categories:
  1645. - external-secrets
  1646. kind: ClusterPushSecret
  1647. listKind: ClusterPushSecretList
  1648. plural: clusterpushsecrets
  1649. singular: clusterpushsecret
  1650. scope: Cluster
  1651. versions:
  1652. - additionalPrinterColumns:
  1653. - jsonPath: .metadata.creationTimestamp
  1654. name: AGE
  1655. type: date
  1656. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1657. name: Status
  1658. type: string
  1659. name: v1alpha1
  1660. schema:
  1661. openAPIV3Schema:
  1662. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1663. properties:
  1664. apiVersion:
  1665. description: |-
  1666. APIVersion defines the versioned schema of this representation of an object.
  1667. Servers should convert recognized schemas to the latest internal value, and
  1668. may reject unrecognized values.
  1669. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1670. type: string
  1671. kind:
  1672. description: |-
  1673. Kind is a string value representing the REST resource this object represents.
  1674. Servers may infer this from the endpoint the client submits requests to.
  1675. Cannot be updated.
  1676. In CamelCase.
  1677. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1678. type: string
  1679. metadata:
  1680. type: object
  1681. spec:
  1682. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1683. properties:
  1684. namespaceSelectors:
1685. description: A list of label selectors used to find the Namespaces in which to create the PushSecrets. The selectors are ORed.
  1686. items:
  1687. description: |-
  1688. A label selector is a label query over a set of resources. The result of matchLabels and
  1689. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1690. label selector matches no objects.
  1691. properties:
  1692. matchExpressions:
  1693. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1694. items:
  1695. description: |-
  1696. A label selector requirement is a selector that contains values, a key, and an operator that
  1697. relates the key and values.
  1698. properties:
  1699. key:
  1700. description: key is the label key that the selector applies to.
  1701. type: string
  1702. operator:
  1703. description: |-
  1704. operator represents a key's relationship to a set of values.
  1705. Valid operators are In, NotIn, Exists and DoesNotExist.
  1706. type: string
  1707. values:
  1708. description: |-
  1709. values is an array of string values. If the operator is In or NotIn,
  1710. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1711. the values array must be empty. This array is replaced during a strategic
  1712. merge patch.
  1713. items:
  1714. type: string
  1715. type: array
  1716. x-kubernetes-list-type: atomic
  1717. required:
  1718. - key
  1719. - operator
  1720. type: object
  1721. type: array
  1722. x-kubernetes-list-type: atomic
  1723. matchLabels:
  1724. additionalProperties:
  1725. type: string
  1726. description: |-
  1727. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1728. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1729. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1730. type: object
  1731. type: object
  1732. x-kubernetes-map-type: atomic
  1733. type: array
  1734. pushSecretMetadata:
1735. description: The metadata of the PushSecrets to be created
  1736. properties:
  1737. annotations:
  1738. additionalProperties:
  1739. type: string
  1740. type: object
  1741. labels:
  1742. additionalProperties:
  1743. type: string
  1744. type: object
  1745. type: object
  1746. pushSecretName:
  1747. description: |-
  1748. The name of the push secrets to be created.
  1749. Defaults to the name of the ClusterPushSecret
  1750. maxLength: 253
  1751. minLength: 1
  1752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1753. type: string
  1754. pushSecretSpec:
  1755. description: PushSecretSpec defines what to do with the secrets.
  1756. properties:
  1757. data:
  1758. description: Secret Data that should be pushed to providers
  1759. items:
  1760. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1761. properties:
  1762. conversionStrategy:
  1763. default: None
  1764. description: Used to define a conversion Strategy for the secret keys
  1765. enum:
  1766. - None
  1767. - ReverseUnicode
  1768. type: string
  1769. match:
  1770. description: Match a given Secret Key to be pushed to the provider.
  1771. properties:
  1772. remoteRef:
  1773. description: Remote Refs to push to providers.
  1774. properties:
  1775. property:
  1776. description: Name of the property in the resulting secret
  1777. type: string
  1778. remoteKey:
  1779. description: Name of the resulting provider secret.
  1780. type: string
  1781. required:
  1782. - remoteKey
  1783. type: object
  1784. secretKey:
  1785. description: Secret Key to be pushed
  1786. type: string
  1787. required:
  1788. - remoteRef
  1789. type: object
  1790. metadata:
  1791. description: |-
  1792. Metadata is metadata attached to the secret.
  1793. The structure of metadata is provider specific, please look it up in the provider documentation.
  1794. x-kubernetes-preserve-unknown-fields: true
  1795. required:
  1796. - match
  1797. type: object
  1798. type: array
  1799. dataTo:
  1800. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1801. items:
  1802. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1803. properties:
  1804. conversionStrategy:
  1805. default: None
  1806. description: Used to define a conversion Strategy for the secret keys
  1807. enum:
  1808. - None
  1809. - ReverseUnicode
  1810. type: string
  1811. match:
  1812. description: |-
  1813. Match pattern for selecting keys from the source Secret.
  1814. If not specified, all keys are selected.
  1815. properties:
  1816. regexp:
  1817. description: |-
  1818. Regexp matches keys by regular expression.
  1819. If not specified, all keys are matched.
  1820. type: string
  1821. type: object
  1822. metadata:
  1823. description: |-
  1824. Metadata is metadata attached to the secret.
  1825. The structure of metadata is provider specific, please look it up in the provider documentation.
  1826. x-kubernetes-preserve-unknown-fields: true
  1827. remoteKey:
  1828. description: |-
  1829. RemoteKey is the name of the single provider secret that will receive ALL
  1830. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1831. When set, per-key expansion is skipped and a single push is performed.
  1832. The provider's store prefix (if any) is still prepended to this value.
  1833. When not set, each matched key is pushed as its own individual provider secret.
  1834. type: string
  1835. rewrite:
  1836. description: |-
  1837. Rewrite operations to transform keys before pushing to the provider.
  1838. Operations are applied sequentially.
  1839. items:
  1840. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1841. properties:
  1842. regexp:
  1843. description: Used to rewrite with regular expressions.
  1844. properties:
  1845. source:
  1846. description: Used to define the regular expression of a re.Compiler.
  1847. type: string
  1848. target:
  1849. description: Used to define the target pattern of a ReplaceAll operation.
  1850. type: string
  1851. required:
  1852. - source
  1853. - target
  1854. type: object
  1855. transform:
  1856. description: Used to apply string transformation on the secrets.
  1857. properties:
  1858. template:
  1859. description: |-
  1860. Used to define the template to apply on the secret name.
1861. `.value` will specify the secret name in the template.
  1862. type: string
  1863. required:
  1864. - template
  1865. type: object
  1866. type: object
  1867. x-kubernetes-validations:
  1868. - message: exactly one of regexp or transform must be set
  1869. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1870. type: array
  1871. storeRef:
  1872. description: StoreRef specifies which SecretStore to push to. Required.
  1873. properties:
  1874. kind:
  1875. default: SecretStore
  1876. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1877. enum:
  1878. - SecretStore
  1879. - ClusterSecretStore
  1880. type: string
  1881. labelSelector:
1882. description: Optionally, sync to the secret stores matched by a label selector
  1883. properties:
  1884. matchExpressions:
  1885. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1886. items:
  1887. description: |-
  1888. A label selector requirement is a selector that contains values, a key, and an operator that
  1889. relates the key and values.
  1890. properties:
  1891. key:
  1892. description: key is the label key that the selector applies to.
  1893. type: string
  1894. operator:
  1895. description: |-
  1896. operator represents a key's relationship to a set of values.
  1897. Valid operators are In, NotIn, Exists and DoesNotExist.
  1898. type: string
  1899. values:
  1900. description: |-
  1901. values is an array of string values. If the operator is In or NotIn,
  1902. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1903. the values array must be empty. This array is replaced during a strategic
  1904. merge patch.
  1905. items:
  1906. type: string
  1907. type: array
  1908. x-kubernetes-list-type: atomic
  1909. required:
  1910. - key
  1911. - operator
  1912. type: object
  1913. type: array
  1914. x-kubernetes-list-type: atomic
  1915. matchLabels:
  1916. additionalProperties:
  1917. type: string
  1918. description: |-
  1919. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1920. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1921. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1922. type: object
  1923. type: object
  1924. x-kubernetes-map-type: atomic
  1925. name:
  1926. description: Optionally, sync to the SecretStore of the given name
  1927. maxLength: 253
  1928. minLength: 1
  1929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1930. type: string
  1931. type: object
  1932. type: object
  1933. x-kubernetes-validations:
  1934. - message: storeRef must specify either name or labelSelector
  1935. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1936. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1937. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1938. type: array
  1939. deletionPolicy:
  1940. default: None
  1941. description: Deletion Policy to handle Secrets in the provider.
  1942. enum:
  1943. - Delete
  1944. - None
  1945. type: string
  1946. refreshInterval:
  1947. default: 1h0m0s
1948. description: The interval at which External Secrets will try to push a secret definition
  1949. type: string
  1950. secretStoreRefs:
  1951. items:
  1952. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1953. properties:
  1954. kind:
  1955. default: SecretStore
  1956. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1957. enum:
  1958. - SecretStore
  1959. - ClusterSecretStore
  1960. type: string
  1961. labelSelector:
1962. description: Optionally, sync to the secret stores matched by a label selector
  1963. properties:
  1964. matchExpressions:
  1965. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1966. items:
  1967. description: |-
  1968. A label selector requirement is a selector that contains values, a key, and an operator that
  1969. relates the key and values.
  1970. properties:
  1971. key:
  1972. description: key is the label key that the selector applies to.
  1973. type: string
  1974. operator:
  1975. description: |-
  1976. operator represents a key's relationship to a set of values.
  1977. Valid operators are In, NotIn, Exists and DoesNotExist.
  1978. type: string
  1979. values:
  1980. description: |-
  1981. values is an array of string values. If the operator is In or NotIn,
  1982. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1983. the values array must be empty. This array is replaced during a strategic
  1984. merge patch.
  1985. items:
  1986. type: string
  1987. type: array
  1988. x-kubernetes-list-type: atomic
  1989. required:
  1990. - key
  1991. - operator
  1992. type: object
  1993. type: array
  1994. x-kubernetes-list-type: atomic
  1995. matchLabels:
  1996. additionalProperties:
  1997. type: string
  1998. description: |-
  1999. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2000. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2001. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2002. type: object
  2003. type: object
  2004. x-kubernetes-map-type: atomic
  2005. name:
  2006. description: Optionally, sync to the SecretStore of the given name
  2007. maxLength: 253
  2008. minLength: 1
  2009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2010. type: string
  2011. type: object
  2012. type: array
  2013. selector:
  2014. description: The Secret Selector (k8s source) for the Push Secret
  2015. maxProperties: 1
  2016. minProperties: 1
  2017. properties:
  2018. generatorRef:
  2019. description: Point to a generator to create a Secret.
  2020. properties:
  2021. apiVersion:
  2022. default: generators.external-secrets.io/v1alpha1
  2023. description: Specify the apiVersion of the generator resource
  2024. type: string
  2025. kind:
  2026. description: Specify the Kind of the generator resource
  2027. enum:
  2028. - ACRAccessToken
  2029. - BeyondtrustWorkloadCredentialsDynamicSecret
  2030. - ClusterGenerator
  2031. - CloudsmithAccessToken
  2032. - ECRAuthorizationToken
  2033. - Fake
  2034. - GCRAccessToken
  2035. - GithubAccessToken
  2036. - QuayAccessToken
  2037. - Password
  2038. - SSHKey
  2039. - STSSessionToken
  2040. - UUID
  2041. - VaultDynamicSecret
  2042. - Webhook
  2043. - Grafana
  2044. - MFA
  2045. type: string
  2046. name:
  2047. description: Specify the name of the generator resource
  2048. maxLength: 253
  2049. minLength: 1
  2050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2051. type: string
  2052. required:
  2053. - kind
  2054. - name
  2055. type: object
  2056. secret:
  2057. description: Select a Secret to Push.
  2058. properties:
  2059. name:
  2060. description: |-
  2061. Name of the Secret.
  2062. The Secret must exist in the same namespace as the PushSecret manifest.
  2063. maxLength: 253
  2064. minLength: 1
  2065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2066. type: string
  2067. selector:
  2068. description: Selector chooses secrets using a labelSelector.
  2069. properties:
  2070. matchExpressions:
  2071. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2072. items:
  2073. description: |-
  2074. A label selector requirement is a selector that contains values, a key, and an operator that
  2075. relates the key and values.
  2076. properties:
  2077. key:
  2078. description: key is the label key that the selector applies to.
  2079. type: string
  2080. operator:
  2081. description: |-
  2082. operator represents a key's relationship to a set of values.
  2083. Valid operators are In, NotIn, Exists and DoesNotExist.
  2084. type: string
  2085. values:
  2086. description: |-
  2087. values is an array of string values. If the operator is In or NotIn,
  2088. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2089. the values array must be empty. This array is replaced during a strategic
  2090. merge patch.
  2091. items:
  2092. type: string
  2093. type: array
  2094. x-kubernetes-list-type: atomic
  2095. required:
  2096. - key
  2097. - operator
  2098. type: object
  2099. type: array
  2100. x-kubernetes-list-type: atomic
  2101. matchLabels:
  2102. additionalProperties:
  2103. type: string
  2104. description: |-
  2105. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2106. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2107. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2108. type: object
  2109. type: object
  2110. x-kubernetes-map-type: atomic
  2111. type: object
  2112. type: object
  2113. template:
  2114. description: Template defines a blueprint for the created Secret resource.
  2115. properties:
  2116. data:
  2117. additionalProperties:
  2118. type: string
  2119. type: object
  2120. engineVersion:
  2121. default: v2
  2122. description: |-
  2123. EngineVersion specifies the template engine version
  2124. that should be used to compile/execute the
  2125. template specified in .data and .templateFrom[].
  2126. enum:
  2127. - v2
  2128. type: string
  2129. mergePolicy:
  2130. default: Replace
  2131. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2132. enum:
  2133. - Replace
  2134. - Merge
  2135. type: string
  2136. metadata:
  2137. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2138. properties:
  2139. annotations:
  2140. additionalProperties:
  2141. type: string
  2142. type: object
  2143. finalizers:
  2144. items:
  2145. type: string
  2146. type: array
  2147. labels:
  2148. additionalProperties:
  2149. type: string
  2150. type: object
  2151. type: object
  2152. templateFrom:
  2153. items:
  2154. description: |-
  2155. TemplateFrom specifies a source for templates.
  2156. Each item in the list can either reference a ConfigMap or a Secret resource.
  2157. properties:
  2158. configMap:
  2159. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2160. properties:
  2161. items:
  2162. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2163. items:
  2164. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2165. properties:
  2166. key:
  2167. description: A key in the ConfigMap/Secret
  2168. maxLength: 253
  2169. minLength: 1
  2170. pattern: ^[-._a-zA-Z0-9]+$
  2171. type: string
  2172. templateAs:
  2173. default: Values
  2174. description: TemplateScope specifies how the template keys should be interpreted.
  2175. enum:
  2176. - Values
  2177. - KeysAndValues
  2178. type: string
  2179. required:
  2180. - key
  2181. type: object
  2182. type: array
  2183. name:
  2184. description: The name of the ConfigMap/Secret resource
  2185. maxLength: 253
  2186. minLength: 1
  2187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2188. type: string
  2189. required:
  2190. - items
  2191. - name
  2192. type: object
  2193. literal:
  2194. type: string
  2195. secret:
  2196. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2197. properties:
  2198. items:
  2199. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2200. items:
  2201. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2202. properties:
  2203. key:
  2204. description: A key in the ConfigMap/Secret
  2205. maxLength: 253
  2206. minLength: 1
  2207. pattern: ^[-._a-zA-Z0-9]+$
  2208. type: string
  2209. templateAs:
  2210. default: Values
  2211. description: TemplateScope specifies how the template keys should be interpreted.
  2212. enum:
  2213. - Values
  2214. - KeysAndValues
  2215. type: string
  2216. required:
  2217. - key
  2218. type: object
  2219. type: array
  2220. name:
  2221. description: The name of the ConfigMap/Secret resource
  2222. maxLength: 253
  2223. minLength: 1
  2224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2225. type: string
  2226. required:
  2227. - items
  2228. - name
  2229. type: object
  2230. target:
  2231. default: Data
  2232. description: |-
  2233. Target specifies where to place the template result.
  2234. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2235. For custom resources (when spec.target.manifest is set), this supports
  2236. nested paths like "spec.database.config" or "data".
  2237. type: string
  2238. valuesDecodingStrategy:
  2239. default: None
  2240. description: Used to define a decoding Strategy for the rendered template values.
  2241. enum:
  2242. - Auto
  2243. - Base64
  2244. - Base64URL
  2245. - None
  2246. type: string
  2247. type: object
  2248. type: array
  2249. type:
  2250. type: string
  2251. type: object
  2252. updatePolicy:
  2253. default: Replace
  2254. description: UpdatePolicy to handle Secrets in the provider.
  2255. enum:
  2256. - Replace
  2257. - IfNotExists
  2258. type: string
  2259. required:
  2260. - secretStoreRefs
  2261. - selector
  2262. type: object
  2263. refreshTime:
2264. description: The interval at which the controller reconciles its objects and rechecks namespaces for matching labels.
  2265. type: string
  2266. required:
  2267. - pushSecretSpec
  2268. type: object
  2269. status:
  2270. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2271. properties:
  2272. conditions:
  2273. items:
  2274. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2275. properties:
  2276. lastTransitionTime:
  2277. format: date-time
  2278. type: string
  2279. message:
  2280. type: string
  2281. reason:
  2282. type: string
  2283. status:
  2284. type: string
  2285. type:
  2286. description: PushSecretConditionType indicates the condition of the PushSecret.
  2287. type: string
  2288. required:
  2289. - status
  2290. - type
  2291. type: object
  2292. type: array
  2293. failedNamespaces:
2294. description: Failed namespaces are the namespaces that failed to apply a PushSecret
  2295. items:
2296. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and its reason.
  2297. properties:
  2298. namespace:
2299. description: Namespace is the namespace that failed when trying to apply a PushSecret
  2300. type: string
  2301. reason:
  2302. description: Reason is why the PushSecret failed to apply to the namespace
  2303. type: string
  2304. required:
  2305. - namespace
  2306. type: object
  2307. type: array
  2308. provisionedNamespaces:
  2309. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2310. items:
  2311. type: string
  2312. type: array
  2313. pushSecretName:
  2314. type: string
  2315. type: object
  2316. type: object
  2317. served: true
  2318. storage: true
  2319. subresources:
  2320. status: {}
  2321. ---
  2322. apiVersion: apiextensions.k8s.io/v1
  2323. kind: CustomResourceDefinition
  2324. metadata:
  2325. annotations:
  2326. controller-gen.kubebuilder.io/version: v0.19.0
  2327. labels:
  2328. external-secrets.io/component: controller
  2329. name: clustersecretstores.external-secrets.io
  2330. spec:
  2331. group: external-secrets.io
  2332. names:
  2333. categories:
  2334. - external-secrets
  2335. kind: ClusterSecretStore
  2336. listKind: ClusterSecretStoreList
  2337. plural: clustersecretstores
  2338. shortNames:
  2339. - css
  2340. singular: clustersecretstore
  2341. scope: Cluster
  2342. versions:
  2343. - additionalPrinterColumns:
  2344. - jsonPath: .metadata.creationTimestamp
  2345. name: AGE
  2346. type: date
  2347. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2348. name: Status
  2349. type: string
  2350. - jsonPath: .status.capabilities
  2351. name: Capabilities
  2352. type: string
  2353. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2354. name: Ready
  2355. type: string
  2356. name: v1
  2357. schema:
  2358. openAPIV3Schema:
  2359. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2360. properties:
  2361. apiVersion:
  2362. description: |-
  2363. APIVersion defines the versioned schema of this representation of an object.
  2364. Servers should convert recognized schemas to the latest internal value, and
  2365. may reject unrecognized values.
  2366. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2367. type: string
  2368. kind:
  2369. description: |-
  2370. Kind is a string value representing the REST resource this object represents.
  2371. Servers may infer this from the endpoint the client submits requests to.
  2372. Cannot be updated.
  2373. In CamelCase.
  2374. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2375. type: string
  2376. metadata:
  2377. type: object
  2378. spec:
  2379. description: SecretStoreSpec defines the desired state of SecretStore.
  2380. properties:
  2381. conditions:
  2382. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2383. items:
  2384. description: |-
  2385. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2386. for a ClusterSecretStore instance.
  2387. properties:
  2388. namespaceRegexes:
  2389. description: Choose namespaces by using regex matching
  2390. items:
  2391. type: string
  2392. type: array
  2393. namespaceSelector:
  2394. description: Choose namespace using a labelSelector
  2395. properties:
  2396. matchExpressions:
  2397. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2398. items:
  2399. description: |-
  2400. A label selector requirement is a selector that contains values, a key, and an operator that
  2401. relates the key and values.
  2402. properties:
  2403. key:
  2404. description: key is the label key that the selector applies to.
  2405. type: string
  2406. operator:
  2407. description: |-
  2408. operator represents a key's relationship to a set of values.
  2409. Valid operators are In, NotIn, Exists and DoesNotExist.
  2410. type: string
  2411. values:
  2412. description: |-
  2413. values is an array of string values. If the operator is In or NotIn,
  2414. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2415. the values array must be empty. This array is replaced during a strategic
  2416. merge patch.
  2417. items:
  2418. type: string
  2419. type: array
  2420. x-kubernetes-list-type: atomic
  2421. required:
  2422. - key
  2423. - operator
  2424. type: object
  2425. type: array
  2426. x-kubernetes-list-type: atomic
  2427. matchLabels:
  2428. additionalProperties:
  2429. type: string
  2430. description: |-
  2431. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2432. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2433. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2434. type: object
  2435. type: object
  2436. x-kubernetes-map-type: atomic
  2437. namespaces:
  2438. description: Choose namespaces by name
  2439. items:
  2440. maxLength: 63
  2441. minLength: 1
  2442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2443. type: string
  2444. type: array
  2445. type: object
  2446. type: array
  2447. controller:
  2448. description: |-
2449. Used to select the correct ESO controller (think: ingress.ingressClassName).
2450. The ESO controller is instantiated with a specific controller name and filters ES based on this property.
  2451. type: string
  2452. provider:
  2453. description: Used to configure the provider. Only one provider may be set
  2454. maxProperties: 1
  2455. minProperties: 1
  2456. properties:
  2457. akeyless:
  2458. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2459. properties:
  2460. akeylessGWApiURL:
2461. description: Akeyless GW API URL from which the secrets are to be fetched.
  2462. type: string
  2463. authSecretRef:
  2464. description: Auth configures how the operator authenticates with Akeyless.
  2465. properties:
  2466. kubernetesAuth:
  2467. description: |-
  2468. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2469. token stored in the named Secret resource.
  2470. properties:
  2471. accessID:
  2472. description: the Akeyless Kubernetes auth-method access-id
  2473. type: string
  2474. k8sConfName:
  2475. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2476. type: string
  2477. secretRef:
  2478. description: |-
  2479. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2480. for authenticating with Akeyless. If a name is specified without a key,
  2481. `token` is the default. If one is not specified, the one bound to
  2482. the controller will be used.
  2483. properties:
  2484. key:
  2485. description: |-
  2486. A key in the referenced Secret.
  2487. Some instances of this field may be defaulted, in others it may be required.
  2488. maxLength: 253
  2489. minLength: 1
  2490. pattern: ^[-._a-zA-Z0-9]+$
  2491. type: string
  2492. name:
  2493. description: The name of the Secret resource being referred to.
  2494. maxLength: 253
  2495. minLength: 1
  2496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2497. type: string
  2498. namespace:
  2499. description: |-
  2500. The namespace of the Secret resource being referred to.
  2501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2502. maxLength: 63
  2503. minLength: 1
  2504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2505. type: string
  2506. type: object
  2507. serviceAccountRef:
  2508. description: |-
  2509. Optional service account field containing the name of a kubernetes ServiceAccount.
  2510. If the service account is specified, the service account secret token JWT will be used
  2511. for authenticating with Akeyless. If the service account selector is not supplied,
  2512. the secretRef will be used instead.
  2513. properties:
  2514. audiences:
  2515. description: |-
2516. Audience specifies the `aud` claim for the service account token.
2517. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
2518. then these audiences will be appended to the list.
  2519. items:
  2520. type: string
  2521. type: array
  2522. name:
  2523. description: The name of the ServiceAccount resource being referred to.
  2524. maxLength: 253
  2525. minLength: 1
  2526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2527. type: string
  2528. namespace:
  2529. description: |-
  2530. Namespace of the resource being referred to.
  2531. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2532. maxLength: 63
  2533. minLength: 1
  2534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2535. type: string
  2536. required:
  2537. - name
  2538. type: object
  2539. required:
  2540. - accessID
  2541. - k8sConfName
  2542. type: object
  2543. secretRef:
  2544. description: |-
  2545. Reference to a Secret that contains the details
  2546. to authenticate with Akeyless.
  2547. properties:
  2548. accessID:
  2549. description: The SecretAccessID is used for authentication
  2550. properties:
  2551. key:
  2552. description: |-
  2553. A key in the referenced Secret.
  2554. Some instances of this field may be defaulted, in others it may be required.
  2555. maxLength: 253
  2556. minLength: 1
  2557. pattern: ^[-._a-zA-Z0-9]+$
  2558. type: string
  2559. name:
  2560. description: The name of the Secret resource being referred to.
  2561. maxLength: 253
  2562. minLength: 1
  2563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2564. type: string
  2565. namespace:
  2566. description: |-
  2567. The namespace of the Secret resource being referred to.
  2568. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2569. maxLength: 63
  2570. minLength: 1
  2571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2572. type: string
  2573. type: object
  2574. accessType:
  2575. description: |-
  2576. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2577. In some instances, `key` is a required field.
  2578. properties:
  2579. key:
  2580. description: |-
  2581. A key in the referenced Secret.
  2582. Some instances of this field may be defaulted, in others it may be required.
  2583. maxLength: 253
  2584. minLength: 1
  2585. pattern: ^[-._a-zA-Z0-9]+$
  2586. type: string
  2587. name:
  2588. description: The name of the Secret resource being referred to.
  2589. maxLength: 253
  2590. minLength: 1
  2591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2592. type: string
  2593. namespace:
  2594. description: |-
  2595. The namespace of the Secret resource being referred to.
  2596. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2597. maxLength: 63
  2598. minLength: 1
  2599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2600. type: string
  2601. type: object
  2602. accessTypeParam:
  2603. description: |-
  2604. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2605. In some instances, `key` is a required field.
  2606. properties:
  2607. key:
  2608. description: |-
  2609. A key in the referenced Secret.
  2610. Some instances of this field may be defaulted, in others it may be required.
  2611. maxLength: 253
  2612. minLength: 1
  2613. pattern: ^[-._a-zA-Z0-9]+$
  2614. type: string
  2615. name:
  2616. description: The name of the Secret resource being referred to.
  2617. maxLength: 253
  2618. minLength: 1
  2619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2620. type: string
  2621. namespace:
  2622. description: |-
  2623. The namespace of the Secret resource being referred to.
  2624. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2625. maxLength: 63
  2626. minLength: 1
  2627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2628. type: string
  2629. type: object
  2630. type: object
  2631. type: object
  2632. caBundle:
  2633. description: |-
2634. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  2635. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2636. are used to validate the TLS connection.
  2637. format: byte
  2638. type: string
  2639. caProvider:
2640. description: The provider for the CA bundle to use to validate the Akeyless Gateway certificate.
  2641. properties:
  2642. key:
  2643. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2644. maxLength: 253
  2645. minLength: 1
  2646. pattern: ^[-._a-zA-Z0-9]+$
  2647. type: string
  2648. name:
  2649. description: The name of the object located at the provider type.
  2650. maxLength: 253
  2651. minLength: 1
  2652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2653. type: string
  2654. namespace:
  2655. description: |-
  2656. The namespace the Provider type is in.
  2657. Can only be defined when used in a ClusterSecretStore.
  2658. maxLength: 63
  2659. minLength: 1
  2660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2661. type: string
  2662. type:
  2663. description: The type of provider to use such as "Secret", or "ConfigMap".
  2664. enum:
  2665. - Secret
  2666. - ConfigMap
  2667. type: string
  2668. required:
  2669. - name
  2670. - type
  2671. type: object
  2672. required:
  2673. - akeylessGWApiURL
  2674. - authSecretRef
  2675. type: object
  2676. aws:
  2677. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2678. properties:
  2679. additionalRoles:
  2680. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2681. items:
  2682. type: string
  2683. type: array
  2684. auth:
  2685. description: |-
2686. Auth defines the information necessary to authenticate against AWS.
2687. If not set, the AWS SDK will infer credentials from your environment;
2688. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2689. properties:
  2690. jwt:
2691. description: AWSJWTAuth stores a reference used to authenticate against AWS with service account tokens.
  2692. properties:
  2693. serviceAccountRef:
  2694. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2695. properties:
  2696. audiences:
  2697. description: |-
2698. Audience specifies the `aud` claim for the service account token.
2699. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
2700. then these audiences will be appended to the list.
  2701. items:
  2702. type: string
  2703. type: array
  2704. name:
  2705. description: The name of the ServiceAccount resource being referred to.
  2706. maxLength: 253
  2707. minLength: 1
  2708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2709. type: string
  2710. namespace:
  2711. description: |-
  2712. Namespace of the resource being referred to.
  2713. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2714. maxLength: 63
  2715. minLength: 1
  2716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2717. type: string
  2718. required:
  2719. - name
  2720. type: object
  2721. type: object
  2722. secretRef:
  2723. description: |-
2724. AWSAuthSecretRef holds secret references for AWS credentials.
2725. Both AccessKeyID and SecretAccessKey must be defined in order to authenticate properly.
  2726. properties:
  2727. accessKeyIDSecretRef:
  2728. description: The AccessKeyID is used for authentication
  2729. properties:
  2730. key:
  2731. description: |-
  2732. A key in the referenced Secret.
  2733. Some instances of this field may be defaulted, in others it may be required.
  2734. maxLength: 253
  2735. minLength: 1
  2736. pattern: ^[-._a-zA-Z0-9]+$
  2737. type: string
  2738. name:
  2739. description: The name of the Secret resource being referred to.
  2740. maxLength: 253
  2741. minLength: 1
  2742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2743. type: string
  2744. namespace:
  2745. description: |-
  2746. The namespace of the Secret resource being referred to.
  2747. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2748. maxLength: 63
  2749. minLength: 1
  2750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2751. type: string
  2752. type: object
  2753. secretAccessKeySecretRef:
  2754. description: The SecretAccessKey is used for authentication
  2755. properties:
  2756. key:
  2757. description: |-
  2758. A key in the referenced Secret.
  2759. Some instances of this field may be defaulted, in others it may be required.
  2760. maxLength: 253
  2761. minLength: 1
  2762. pattern: ^[-._a-zA-Z0-9]+$
  2763. type: string
  2764. name:
  2765. description: The name of the Secret resource being referred to.
  2766. maxLength: 253
  2767. minLength: 1
  2768. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2769. type: string
  2770. namespace:
  2771. description: |-
  2772. The namespace of the Secret resource being referred to.
  2773. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2774. maxLength: 63
  2775. minLength: 1
  2776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2777. type: string
  2778. type: object
  2779. sessionTokenSecretRef:
  2780. description: |-
  2781. The SessionToken used for authentication
  2782. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2783. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2784. properties:
  2785. key:
  2786. description: |-
  2787. A key in the referenced Secret.
  2788. Some instances of this field may be defaulted, in others it may be required.
  2789. maxLength: 253
  2790. minLength: 1
  2791. pattern: ^[-._a-zA-Z0-9]+$
  2792. type: string
  2793. name:
  2794. description: The name of the Secret resource being referred to.
  2795. maxLength: 253
  2796. minLength: 1
  2797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2798. type: string
  2799. namespace:
  2800. description: |-
  2801. The namespace of the Secret resource being referred to.
  2802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2803. maxLength: 63
  2804. minLength: 1
  2805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2806. type: string
  2807. type: object
  2808. type: object
  2809. type: object
  2810. customSessionTags:
  2811. additionalProperties:
  2812. type: string
  2813. description: |-
  2814. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2815. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2816. type: object
  2817. x-kubernetes-validations:
  2818. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2819. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2820. externalID:
  2821. description: AWS External ID set on assumed IAM roles
  2822. type: string
  2823. prefix:
  2824. description: Prefix adds a prefix to all retrieved values.
  2825. type: string
  2826. region:
  2827. description: AWS Region to be used for the provider
  2828. type: string
  2829. role:
  2830. description: Role is a Role ARN which the provider will assume
  2831. type: string
  2832. secretsManager:
  2833. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2834. properties:
  2835. forceDeleteWithoutRecovery:
  2836. description: |-
  2837. Specifies whether to delete the secret without any recovery window. You
  2838. can't use both this parameter and RecoveryWindowInDays in the same call.
  2839. If you don't use either, then by default Secrets Manager uses a 30 day
  2840. recovery window.
  2841. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2842. type: boolean
  2843. recoveryWindowInDays:
  2844. description: |-
  2845. The number of days from 7 to 30 that Secrets Manager waits before
  2846. permanently deleting the secret. You can't use both this parameter and
  2847. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2848. then by default Secrets Manager uses a 30-day recovery window.
  2849. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2850. format: int64
  2851. type: integer
  2852. type: object
  2853. service:
  2854. description: Service defines which service should be used to fetch the secrets
  2855. enum:
  2856. - SecretsManager
  2857. - ParameterStore
  2858. type: string
  2859. sessionTags:
  2860. description: AWS STS assume role session tags
  2861. items:
  2862. description: |-
  2863. Tag is a key-value pair that can be attached to an AWS resource.
  2864. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2865. properties:
  2866. key:
  2867. type: string
  2868. value:
  2869. type: string
  2870. required:
  2871. - key
  2872. - value
  2873. type: object
  2874. type: array
  2875. sessionTagsPolicy:
  2876. default: None
  2877. description: |-
  2878. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2879. None (default): no tags are added.
  2880. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2881. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2882. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2883. enum:
  2884. - None
  2885. - Simple
  2886. - Custom
  2887. type: string
  2888. transitiveTagKeys:
  2889. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2890. items:
  2891. type: string
  2892. type: array
  2893. required:
  2894. - region
  2895. - service
  2896. type: object
  2897. azurekv:
  2898. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2899. properties:
  2900. authSecretRef:
  2901. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2902. properties:
  2903. clientCertificate:
2904. description: The Azure ClientCertificate of the service principal used for authentication.
  2905. properties:
  2906. key:
  2907. description: |-
  2908. A key in the referenced Secret.
  2909. Some instances of this field may be defaulted, in others it may be required.
  2910. maxLength: 253
  2911. minLength: 1
  2912. pattern: ^[-._a-zA-Z0-9]+$
  2913. type: string
  2914. name:
  2915. description: The name of the Secret resource being referred to.
  2916. maxLength: 253
  2917. minLength: 1
  2918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2919. type: string
  2920. namespace:
  2921. description: |-
  2922. The namespace of the Secret resource being referred to.
  2923. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2924. maxLength: 63
  2925. minLength: 1
  2926. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2927. type: string
  2928. type: object
  2929. clientId:
2930. description: The Azure clientId of the service principal or managed identity used for authentication.
  2931. properties:
  2932. key:
  2933. description: |-
  2934. A key in the referenced Secret.
  2935. Some instances of this field may be defaulted, in others it may be required.
  2936. maxLength: 253
  2937. minLength: 1
  2938. pattern: ^[-._a-zA-Z0-9]+$
  2939. type: string
  2940. name:
  2941. description: The name of the Secret resource being referred to.
  2942. maxLength: 253
  2943. minLength: 1
  2944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2945. type: string
  2946. namespace:
  2947. description: |-
  2948. The namespace of the Secret resource being referred to.
  2949. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2950. maxLength: 63
  2951. minLength: 1
  2952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2953. type: string
  2954. type: object
  2955. clientSecret:
2956. description: The Azure ClientSecret of the service principal used for authentication.
  2957. properties:
  2958. key:
  2959. description: |-
  2960. A key in the referenced Secret.
  2961. Some instances of this field may be defaulted, in others it may be required.
  2962. maxLength: 253
  2963. minLength: 1
  2964. pattern: ^[-._a-zA-Z0-9]+$
  2965. type: string
  2966. name:
  2967. description: The name of the Secret resource being referred to.
  2968. maxLength: 253
  2969. minLength: 1
  2970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2971. type: string
  2972. namespace:
  2973. description: |-
  2974. The namespace of the Secret resource being referred to.
  2975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2976. maxLength: 63
  2977. minLength: 1
  2978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2979. type: string
  2980. type: object
  2981. tenantId:
  2982. description: The Azure tenantId of the managed identity used for authentication.
  2983. properties:
  2984. key:
  2985. description: |-
  2986. A key in the referenced Secret.
  2987. Some instances of this field may be defaulted, in others it may be required.
  2988. maxLength: 253
  2989. minLength: 1
  2990. pattern: ^[-._a-zA-Z0-9]+$
  2991. type: string
  2992. name:
  2993. description: The name of the Secret resource being referred to.
  2994. maxLength: 253
  2995. minLength: 1
  2996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2997. type: string
  2998. namespace:
  2999. description: |-
  3000. The namespace of the Secret resource being referred to.
  3001. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3002. maxLength: 63
  3003. minLength: 1
  3004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3005. type: string
  3006. type: object
  3007. type: object
  3008. authType:
  3009. default: ServicePrincipal
  3010. description: |-
3011. Auth type defines how to authenticate to the keyvault service.
3012. Valid values are:
3013. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
3014. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
3014. - "WorkloadIdentity": Using Azure Workload Identity with the service account referenced by serviceAccountRef
  3015. enum:
  3016. - ServicePrincipal
  3017. - ManagedIdentity
  3018. - WorkloadIdentity
  3019. type: string
  3020. customCloudConfig:
  3021. description: |-
  3022. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  3023. Required when EnvironmentType is AzureStackCloud.
  3024. Optional for other environment types - useful for Azure China when using Workload Identity
  3025. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  3026. standard China Cloud endpoint (login.chinacloudapi.cn).
  3027. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  3028. configuration is not supported with the legacy go-autorest SDK.
  3029. properties:
  3030. activeDirectoryEndpoint:
  3031. description: |-
  3032. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  3033. Required when using custom cloud configuration
  3034. type: string
  3035. keyVaultDNSSuffix:
  3036. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  3037. type: string
  3038. keyVaultEndpoint:
  3039. description: KeyVaultEndpoint is the Key Vault service endpoint
  3040. type: string
  3041. resourceManagerEndpoint:
  3042. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  3043. type: string
  3044. required:
  3045. - activeDirectoryEndpoint
  3046. type: object
  3047. environmentType:
  3048. default: PublicCloud
  3049. description: |-
  3050. EnvironmentType specifies the Azure cloud environment endpoints to use for
  3051. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  3052. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  3053. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  3054. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  3055. enum:
  3056. - PublicCloud
  3057. - USGovernmentCloud
  3058. - ChinaCloud
  3059. - GermanCloud
  3060. - AzureStackCloud
  3061. type: string
  3062. identityId:
3063. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  3064. type: string
  3065. serviceAccountRef:
  3066. description: |-
3067. ServiceAccountRef specifies the service account
  3068. that should be used when authenticating with WorkloadIdentity.
  3069. properties:
  3070. audiences:
  3071. description: |-
3072. Audience specifies the `aud` claim for the service account token.
3073. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
3074. then these audiences will be appended to the list.
  3075. items:
  3076. type: string
  3077. type: array
  3078. name:
  3079. description: The name of the ServiceAccount resource being referred to.
  3080. maxLength: 253
  3081. minLength: 1
  3082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3083. type: string
  3084. namespace:
  3085. description: |-
  3086. Namespace of the resource being referred to.
  3087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3088. maxLength: 63
  3089. minLength: 1
  3090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3091. type: string
  3092. required:
  3093. - name
  3094. type: object
  3095. tenantId:
  3096. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3097. type: string
  3098. useAzureSDK:
  3099. default: false
  3100. description: |-
  3101. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3102. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3103. type: boolean
  3104. vaultUrl:
  3105. description: Vault URL from which the secrets are to be fetched.
  3106. type: string
  3107. required:
  3108. - vaultUrl
  3109. type: object
  3110. barbican:
  3111. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3112. properties:
  3113. auth:
  3114. description: BarbicanAuth contains the authentication information for Barbican.
  3115. properties:
  3116. password:
  3117. description: BarbicanProviderPasswordRef defines a reference to a secret containing the password for the Barbican provider.
  3118. properties:
  3119. secretRef:
  3120. description: |-
  3121. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3122. In some instances, `key` is a required field.
  3123. properties:
  3124. key:
  3125. description: |-
  3126. A key in the referenced Secret.
  3127. Some instances of this field may be defaulted, in others it may be required.
  3128. maxLength: 253
  3129. minLength: 1
  3130. pattern: ^[-._a-zA-Z0-9]+$
  3131. type: string
  3132. name:
  3133. description: The name of the Secret resource being referred to.
  3134. maxLength: 253
  3135. minLength: 1
  3136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3137. type: string
  3138. namespace:
  3139. description: |-
  3140. The namespace of the Secret resource being referred to.
  3141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3142. maxLength: 63
  3143. minLength: 1
  3144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3145. type: string
  3146. type: object
  3147. required:
  3148. - secretRef
  3149. type: object
  3150. username:
  3151. description: BarbicanProviderUsernameRef defines a reference to a secret containing the username for the Barbican provider.
  3152. maxProperties: 1
  3153. minProperties: 1
  3154. properties:
  3155. secretRef:
  3156. description: |-
  3157. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3158. In some instances, `key` is a required field.
  3159. properties:
  3160. key:
  3161. description: |-
  3162. A key in the referenced Secret.
  3163. Some instances of this field may be defaulted, in others it may be required.
  3164. maxLength: 253
  3165. minLength: 1
  3166. pattern: ^[-._a-zA-Z0-9]+$
  3167. type: string
  3168. name:
  3169. description: The name of the Secret resource being referred to.
  3170. maxLength: 253
  3171. minLength: 1
  3172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3173. type: string
  3174. namespace:
  3175. description: |-
  3176. The namespace of the Secret resource being referred to.
  3177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3178. maxLength: 63
  3179. minLength: 1
  3180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3181. type: string
  3182. type: object
  3183. value:
  3184. type: string
  3185. type: object
  3186. required:
  3187. - password
  3188. - username
  3189. type: object
  3190. authURL:
  3191. type: string
  3192. domainName:
  3193. type: string
  3194. region:
  3195. type: string
  3196. tenantName:
  3197. type: string
  3198. required:
  3199. - auth
  3200. type: object
  3201. beyondtrust:
  3202. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3203. properties:
  3204. auth:
  3205. description: Auth configures how the operator authenticates with Beyondtrust.
  3206. properties:
  3207. apiKey:
  3208. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  3209. properties:
  3210. secretRef:
  3211. description: SecretRef references a key in a secret that will be used as value.
  3212. properties:
  3213. key:
  3214. description: |-
  3215. A key in the referenced Secret.
  3216. Some instances of this field may be defaulted, in others it may be required.
  3217. maxLength: 253
  3218. minLength: 1
  3219. pattern: ^[-._a-zA-Z0-9]+$
  3220. type: string
  3221. name:
  3222. description: The name of the Secret resource being referred to.
  3223. maxLength: 253
  3224. minLength: 1
  3225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3226. type: string
  3227. namespace:
  3228. description: |-
  3229. The namespace of the Secret resource being referred to.
  3230. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3231. maxLength: 63
  3232. minLength: 1
  3233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3234. type: string
  3235. type: object
  3236. value:
  3237. description: Value can be specified directly to set a value without using a secret.
  3238. type: string
  3239. type: object
  3240. certificate:
  3241. description: Certificate (cert.pem) for use when authenticating with an OAuth client ID using a Client Certificate.
  3242. properties:
  3243. secretRef:
  3244. description: SecretRef references a key in a secret that will be used as value.
  3245. properties:
  3246. key:
  3247. description: |-
  3248. A key in the referenced Secret.
  3249. Some instances of this field may be defaulted, in others it may be required.
  3250. maxLength: 253
  3251. minLength: 1
  3252. pattern: ^[-._a-zA-Z0-9]+$
  3253. type: string
  3254. name:
  3255. description: The name of the Secret resource being referred to.
  3256. maxLength: 253
  3257. minLength: 1
  3258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3259. type: string
  3260. namespace:
  3261. description: |-
  3262. The namespace of the Secret resource being referred to.
  3263. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3264. maxLength: 63
  3265. minLength: 1
  3266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3267. type: string
  3268. type: object
  3269. value:
  3270. description: Value can be specified directly to set a value without using a secret.
  3271. type: string
  3272. type: object
  3273. certificateKey:
  3274. description: Certificate private key (key.pem). For use when authenticating with an OAuth client ID.
  3275. properties:
  3276. secretRef:
  3277. description: SecretRef references a key in a secret that will be used as value.
  3278. properties:
  3279. key:
  3280. description: |-
  3281. A key in the referenced Secret.
  3282. Some instances of this field may be defaulted, in others it may be required.
  3283. maxLength: 253
  3284. minLength: 1
  3285. pattern: ^[-._a-zA-Z0-9]+$
  3286. type: string
  3287. name:
  3288. description: The name of the Secret resource being referred to.
  3289. maxLength: 253
  3290. minLength: 1
  3291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3292. type: string
  3293. namespace:
  3294. description: |-
  3295. The namespace of the Secret resource being referred to.
  3296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3297. maxLength: 63
  3298. minLength: 1
  3299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3300. type: string
  3301. type: object
  3302. value:
  3303. description: Value can be specified directly to set a value without using a secret.
  3304. type: string
  3305. type: object
  3306. clientId:
  3307. description: ClientID is the API OAuth Client ID.
  3308. properties:
  3309. secretRef:
  3310. description: SecretRef references a key in a secret that will be used as value.
  3311. properties:
  3312. key:
  3313. description: |-
  3314. A key in the referenced Secret.
  3315. Some instances of this field may be defaulted, in others it may be required.
  3316. maxLength: 253
  3317. minLength: 1
  3318. pattern: ^[-._a-zA-Z0-9]+$
  3319. type: string
  3320. name:
  3321. description: The name of the Secret resource being referred to.
  3322. maxLength: 253
  3323. minLength: 1
  3324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3325. type: string
  3326. namespace:
  3327. description: |-
  3328. The namespace of the Secret resource being referred to.
  3329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3330. maxLength: 63
  3331. minLength: 1
  3332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3333. type: string
  3334. type: object
  3335. value:
  3336. description: Value can be specified directly to set a value without using a secret.
  3337. type: string
  3338. type: object
  3339. clientSecret:
  3340. description: ClientSecret is the API OAuth Client Secret.
  3341. properties:
  3342. secretRef:
  3343. description: SecretRef references a key in a secret that will be used as value.
  3344. properties:
  3345. key:
  3346. description: |-
  3347. A key in the referenced Secret.
  3348. Some instances of this field may be defaulted, in others it may be required.
  3349. maxLength: 253
  3350. minLength: 1
  3351. pattern: ^[-._a-zA-Z0-9]+$
  3352. type: string
  3353. name:
  3354. description: The name of the Secret resource being referred to.
  3355. maxLength: 253
  3356. minLength: 1
  3357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3358. type: string
  3359. namespace:
  3360. description: |-
  3361. The namespace of the Secret resource being referred to.
  3362. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3363. maxLength: 63
  3364. minLength: 1
  3365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3366. type: string
  3367. type: object
  3368. value:
  3369. description: Value can be specified directly to set a value without using a secret.
  3370. type: string
  3371. type: object
  3372. type: object
  3373. server:
  3374. description: Server configures how the API server is accessed.
  3375. properties:
  3376. apiUrl:
  3377. type: string
  3378. apiVersion:
  3379. type: string
  3380. clientTimeOutSeconds:
  3381. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3382. type: integer
  3383. decrypt:
  3384. default: true
  3385. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3386. type: boolean
  3387. retrievalType:
  3388. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3389. type: string
  3390. separator:
  3391. description: A character that separates the folder names.
  3392. type: string
  3393. verifyCA:
  3394. type: boolean
  3395. required:
  3396. - apiUrl
  3397. - verifyCA
  3398. type: object
  3399. required:
  3400. - auth
  3401. - server
  3402. type: object
  3403. beyondtrustworkloadcredentials:
  3404. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3405. properties:
  3406. auth:
  3407. description: |-
  3408. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3409. Currently supports API key authentication via Kubernetes secret reference.
  3410. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3411. properties:
  3412. apikey:
  3413. description: |-
  3414. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3415. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3416. properties:
  3417. token:
  3418. description: |-
  3419. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3420. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3421. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3422. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3423. properties:
  3424. key:
  3425. description: |-
  3426. A key in the referenced Secret.
  3427. Some instances of this field may be defaulted, in others it may be required.
  3428. maxLength: 253
  3429. minLength: 1
  3430. pattern: ^[-._a-zA-Z0-9]+$
  3431. type: string
  3432. name:
  3433. description: The name of the Secret resource being referred to.
  3434. maxLength: 253
  3435. minLength: 1
  3436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3437. type: string
  3438. namespace:
  3439. description: |-
  3440. The namespace of the Secret resource being referred to.
  3441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3442. maxLength: 63
  3443. minLength: 1
  3444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3445. type: string
  3446. type: object
  3447. required:
  3448. - token
  3449. type: object
  3450. required:
  3451. - apikey
  3452. type: object
  3453. caBundle:
  3454. description: |-
  3455. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3456. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3457. If not set, the system's trusted root certificates are used.
  3458. format: byte
  3459. type: string
  3460. caProvider:
  3461. description: |-
  3462. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3463. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3464. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3465. properties:
  3466. key:
  3467. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3468. maxLength: 253
  3469. minLength: 1
  3470. pattern: ^[-._a-zA-Z0-9]+$
  3471. type: string
  3472. name:
  3473. description: The name of the object located at the provider type.
  3474. maxLength: 253
  3475. minLength: 1
  3476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3477. type: string
  3478. namespace:
  3479. description: |-
  3480. The namespace the Provider type is in.
  3481. Can only be defined when used in a ClusterSecretStore.
  3482. maxLength: 63
  3483. minLength: 1
  3484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3485. type: string
  3486. type:
  3487. description: The type of provider to use such as "Secret", or "ConfigMap".
  3488. enum:
  3489. - Secret
  3490. - ConfigMap
  3491. type: string
  3492. required:
  3493. - name
  3494. - type
  3495. type: object
  3496. folderPath:
  3497. description: |-
  3498. FolderPath specifies the default folder path for secret retrieval.
  3499. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3500. Example: "production/database" or "dev/api-keys"
  3501. Leave empty to retrieve secrets from the root folder.
  3502. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3503. type: string
  3504. server:
  3505. description: |-
  3506. Server configures the BeyondTrust Workload Credentials server connection details.
  3507. Includes the API URL and Site ID for your BeyondTrust instance.
  3508. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3509. properties:
  3510. apiUrl:
  3511. description: |-
  3512. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3513. This should be the full URL to your BeyondTrust instance.
  3514. Example: https://api.beyondtrust.io/siie
  3515. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3516. type: string
  3517. siteId:
  3518. description: |-
  3519. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3520. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3521. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3522. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3523. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3524. type: string
  3525. required:
  3526. - apiUrl
  3527. - siteId
  3528. type: object
  3529. required:
  3530. - auth
  3531. - server
  3532. type: object
  3533. bitwardensecretsmanager:
  3534. description: BitwardenSecretsManager configures this store to sync secrets using the BitwardenSecretsManager provider
  3535. properties:
  3536. apiURL:
  3537. type: string
  3538. auth:
  3539. description: |-
  3540. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3541. Make sure that the token being used has permissions on the given secret.
  3542. properties:
  3543. secretRef:
  3544. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3545. properties:
  3546. credentials:
  3547. description: AccessToken used for the bitwarden instance.
  3548. properties:
  3549. key:
  3550. description: |-
  3551. A key in the referenced Secret.
  3552. Some instances of this field may be defaulted, in others it may be required.
  3553. maxLength: 253
  3554. minLength: 1
  3555. pattern: ^[-._a-zA-Z0-9]+$
  3556. type: string
  3557. name:
  3558. description: The name of the Secret resource being referred to.
  3559. maxLength: 253
  3560. minLength: 1
  3561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3562. type: string
  3563. namespace:
  3564. description: |-
  3565. The namespace of the Secret resource being referred to.
  3566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3567. maxLength: 63
  3568. minLength: 1
  3569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3570. type: string
  3571. type: object
  3572. required:
  3573. - credentials
  3574. type: object
  3575. required:
  3576. - secretRef
  3577. type: object
  3578. bitwardenServerSDKURL:
  3579. type: string
  3580. caBundle:
  3581. description: |-
  3582. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3583. can be performed.
  3584. type: string
  3585. caProvider:
  3586. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3587. properties:
  3588. key:
  3589. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3590. maxLength: 253
  3591. minLength: 1
  3592. pattern: ^[-._a-zA-Z0-9]+$
  3593. type: string
  3594. name:
  3595. description: The name of the object located at the provider type.
  3596. maxLength: 253
  3597. minLength: 1
  3598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3599. type: string
  3600. namespace:
  3601. description: |-
  3602. The namespace the Provider type is in.
  3603. Can only be defined when used in a ClusterSecretStore.
  3604. maxLength: 63
  3605. minLength: 1
  3606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3607. type: string
  3608. type:
  3609. description: The type of provider to use such as "Secret", or "ConfigMap".
  3610. enum:
  3611. - Secret
  3612. - ConfigMap
  3613. type: string
  3614. required:
  3615. - name
  3616. - type
  3617. type: object
  3618. identityURL:
  3619. type: string
  3620. organizationID:
  3621. description: OrganizationID determines which organization this secret store manages.
  3622. type: string
  3623. projectID:
  3624. description: ProjectID determines which project this secret store manages.
  3625. type: string
  3626. required:
  3627. - auth
  3628. - organizationID
  3629. - projectID
  3630. type: object
  3631. chef:
  3632. description: Chef configures this store to sync secrets with a Chef server
  3633. properties:
  3634. auth:
  3635. description: Auth defines the information necessary to authenticate against the Chef server
  3636. properties:
  3637. secretRef:
  3638. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3639. properties:
  3640. privateKeySecretRef:
  3641. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3642. properties:
  3643. key:
  3644. description: |-
  3645. A key in the referenced Secret.
  3646. Some instances of this field may be defaulted, in others it may be required.
  3647. maxLength: 253
  3648. minLength: 1
  3649. pattern: ^[-._a-zA-Z0-9]+$
  3650. type: string
  3651. name:
  3652. description: The name of the Secret resource being referred to.
  3653. maxLength: 253
  3654. minLength: 1
  3655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3656. type: string
  3657. namespace:
  3658. description: |-
  3659. The namespace of the Secret resource being referred to.
  3660. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3661. maxLength: 63
  3662. minLength: 1
  3663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3664. type: string
  3665. type: object
  3666. required:
  3667. - privateKeySecretRef
  3668. type: object
  3669. required:
  3670. - secretRef
  3671. type: object
  3672. serverUrl:
  3673. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  3674. type: string
  3675. username:
  3676. description: UserName should be the user ID on the Chef server.
  3677. type: string
  3678. required:
  3679. - auth
  3680. - serverUrl
  3681. - username
  3682. type: object
  3683. cloudrusm:
  3684. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3685. properties:
  3686. auth:
  3687. description: CSMAuth contains a secretRef for credentials.
  3688. properties:
  3689. secretRef:
  3690. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3691. properties:
  3692. accessKeyIDSecretRef:
  3693. description: The AccessKeyID is used for authentication
  3694. properties:
  3695. key:
  3696. description: |-
  3697. A key in the referenced Secret.
  3698. Some instances of this field may be defaulted, in others it may be required.
  3699. maxLength: 253
  3700. minLength: 1
  3701. pattern: ^[-._a-zA-Z0-9]+$
  3702. type: string
  3703. name:
  3704. description: The name of the Secret resource being referred to.
  3705. maxLength: 253
  3706. minLength: 1
  3707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3708. type: string
  3709. namespace:
  3710. description: |-
  3711. The namespace of the Secret resource being referred to.
  3712. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3713. maxLength: 63
  3714. minLength: 1
  3715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3716. type: string
  3717. type: object
  3718. accessKeySecretSecretRef:
  3719. description: The AccessKeySecret is used for authentication
  3720. properties:
  3721. key:
  3722. description: |-
  3723. A key in the referenced Secret.
  3724. Some instances of this field may be defaulted, in others it may be required.
  3725. maxLength: 253
  3726. minLength: 1
  3727. pattern: ^[-._a-zA-Z0-9]+$
  3728. type: string
  3729. name:
  3730. description: The name of the Secret resource being referred to.
  3731. maxLength: 253
  3732. minLength: 1
  3733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3734. type: string
  3735. namespace:
  3736. description: |-
  3737. The namespace of the Secret resource being referred to.
  3738. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3739. maxLength: 63
  3740. minLength: 1
  3741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3742. type: string
  3743. type: object
  3744. required:
  3745. - accessKeyIDSecretRef
  3746. - accessKeySecretSecretRef
  3747. type: object
  3748. type: object
  3749. projectID:
  3750. description: ProjectID is the project, which the secrets are stored in.
  3751. type: string
  3752. required:
  3753. - auth
  3754. type: object
  3755. conjur:
  3756. description: Conjur configures this store to sync secrets using the Conjur provider
  3757. properties:
  3758. auth:
  3759. description: Defines authentication settings for connecting to Conjur.
  3760. properties:
  3761. apikey:
  3762. description: Authenticates with Conjur using an API key.
  3763. properties:
  3764. account:
  3765. description: Account is the Conjur organization account name.
  3766. type: string
  3767. apiKeyRef:
  3768. description: |-
  3769. A reference to a specific 'key' containing the Conjur API key
  3770. within a Secret resource. In some instances, `key` is a required field.
  3771. properties:
  3772. key:
  3773. description: |-
  3774. A key in the referenced Secret.
  3775. Some instances of this field may be defaulted, in others it may be required.
  3776. maxLength: 253
  3777. minLength: 1
  3778. pattern: ^[-._a-zA-Z0-9]+$
  3779. type: string
  3780. name:
  3781. description: The name of the Secret resource being referred to.
  3782. maxLength: 253
  3783. minLength: 1
  3784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3785. type: string
  3786. namespace:
  3787. description: |-
  3788. The namespace of the Secret resource being referred to.
  3789. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3790. maxLength: 63
  3791. minLength: 1
  3792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3793. type: string
  3794. type: object
  3795. userRef:
  3796. description: |-
  3797. A reference to a specific 'key' containing the Conjur username
  3798. within a Secret resource. In some instances, `key` is a required field.
  3799. properties:
  3800. key:
  3801. description: |-
  3802. A key in the referenced Secret.
  3803. Some instances of this field may be defaulted, in others it may be required.
  3804. maxLength: 253
  3805. minLength: 1
  3806. pattern: ^[-._a-zA-Z0-9]+$
  3807. type: string
  3808. name:
  3809. description: The name of the Secret resource being referred to.
  3810. maxLength: 253
  3811. minLength: 1
  3812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3813. type: string
  3814. namespace:
  3815. description: |-
  3816. The namespace of the Secret resource being referred to.
  3817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3818. maxLength: 63
  3819. minLength: 1
  3820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3821. type: string
  3822. type: object
  3823. required:
  3824. - account
  3825. - apiKeyRef
  3826. - userRef
  3827. type: object
  3828. jwt:
  3829. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3830. properties:
  3831. account:
  3832. description: Account is the Conjur organization account name.
  3833. type: string
  3834. hostId:
  3835. description: |-
  3836. Optional HostID for JWT authentication. This may be used depending
  3837. on how the Conjur JWT authenticator policy is configured.
  3838. type: string
  3839. secretRef:
  3840. description: |-
  3841. Optional SecretRef that refers to a key in a Secret resource containing a JWT token to
  3842. authenticate with Conjur using the JWT authentication method.
  3843. properties:
  3844. key:
  3845. description: |-
  3846. A key in the referenced Secret.
  3847. Some instances of this field may be defaulted, in others it may be required.
  3848. maxLength: 253
  3849. minLength: 1
  3850. pattern: ^[-._a-zA-Z0-9]+$
  3851. type: string
  3852. name:
  3853. description: The name of the Secret resource being referred to.
  3854. maxLength: 253
  3855. minLength: 1
  3856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3857. type: string
  3858. namespace:
  3859. description: |-
  3860. The namespace of the Secret resource being referred to.
  3861. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3862. maxLength: 63
  3863. minLength: 1
  3864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3865. type: string
  3866. type: object
  3867. serviceAccountRef:
  3868. description: |-
  3869. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3870. a token with the `TokenRequest` API.
  3871. properties:
  3872. audiences:
  3873. description: |-
  3874. Audience specifies the `aud` claim for the service account token.
  3875. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  3876. then these audiences will be appended to the list.
  3877. items:
  3878. type: string
  3879. type: array
  3880. name:
  3881. description: The name of the ServiceAccount resource being referred to.
  3882. maxLength: 253
  3883. minLength: 1
  3884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3885. type: string
  3886. namespace:
  3887. description: |-
  3888. Namespace of the resource being referred to.
  3889. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3890. maxLength: 63
  3891. minLength: 1
  3892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3893. type: string
  3894. required:
  3895. - name
  3896. type: object
  3897. serviceID:
  3898. description: The Conjur authn-jwt webservice ID.
  3899. type: string
  3900. required:
  3901. - account
  3902. - serviceID
  3903. type: object
  3904. type: object
  3905. caBundle:
  3906. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3907. type: string
  3908. caProvider:
  3909. description: |-
  3910. Used to provide custom certificate authority (CA) certificates
  3911. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3912. that contains a PEM-encoded certificate.
  3913. properties:
  3914. key:
  3915. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3916. maxLength: 253
  3917. minLength: 1
  3918. pattern: ^[-._a-zA-Z0-9]+$
  3919. type: string
  3920. name:
  3921. description: The name of the object located at the provider type.
  3922. maxLength: 253
  3923. minLength: 1
  3924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3925. type: string
  3926. namespace:
  3927. description: |-
  3928. The namespace the Provider type is in.
  3929. Can only be defined when used in a ClusterSecretStore.
  3930. maxLength: 63
  3931. minLength: 1
  3932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3933. type: string
  3934. type:
  3935. description: The type of provider to use such as "Secret", or "ConfigMap".
  3936. enum:
  3937. - Secret
  3938. - ConfigMap
  3939. type: string
  3940. required:
  3941. - name
  3942. - type
  3943. type: object
  3944. url:
  3945. description: URL is the endpoint of the Conjur instance.
  3946. type: string
  3947. required:
  3948. - auth
  3949. - url
  3950. type: object
  3951. delinea:
  3952. description: |-
  3953. Delinea DevOps Secrets Vault
  3954. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3955. properties:
  3956. clientId:
  3957. description: ClientID is the non-secret part of the credential.
  3958. properties:
  3959. secretRef:
  3960. description: SecretRef references a key in a secret that will be used as value.
  3961. properties:
  3962. key:
  3963. description: |-
  3964. A key in the referenced Secret.
  3965. Some instances of this field may be defaulted, in others it may be required.
  3966. maxLength: 253
  3967. minLength: 1
  3968. pattern: ^[-._a-zA-Z0-9]+$
  3969. type: string
  3970. name:
  3971. description: The name of the Secret resource being referred to.
  3972. maxLength: 253
  3973. minLength: 1
  3974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3975. type: string
  3976. namespace:
  3977. description: |-
  3978. The namespace of the Secret resource being referred to.
  3979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3980. maxLength: 63
  3981. minLength: 1
  3982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3983. type: string
  3984. type: object
  3985. value:
  3986. description: Value can be specified directly to set a value without using a secret.
  3987. type: string
  3988. type: object
  3989. clientSecret:
  3990. description: ClientSecret is the secret part of the credential.
  3991. properties:
  3992. secretRef:
  3993. description: SecretRef references a key in a secret that will be used as value.
  3994. properties:
  3995. key:
  3996. description: |-
  3997. A key in the referenced Secret.
  3998. Some instances of this field may be defaulted, in others it may be required.
  3999. maxLength: 253
  4000. minLength: 1
  4001. pattern: ^[-._a-zA-Z0-9]+$
  4002. type: string
  4003. name:
  4004. description: The name of the Secret resource being referred to.
  4005. maxLength: 253
  4006. minLength: 1
  4007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4008. type: string
  4009. namespace:
  4010. description: |-
  4011. The namespace of the Secret resource being referred to.
  4012. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4013. maxLength: 63
  4014. minLength: 1
  4015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4016. type: string
  4017. type: object
  4018. value:
  4019. description: Value can be specified directly to set a value without using a secret.
  4020. type: string
  4021. type: object
  4022. tenant:
  4023. description: Tenant is the chosen hostname / site name.
  4024. type: string
  4025. tld:
  4026. description: |-
  4027. TLD is based on the server location that was chosen during provisioning.
  4028. If unset, defaults to "com".
  4029. type: string
  4030. urlTemplate:
  4031. description: |-
  4032. URLTemplate
  4033. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  4034. type: string
  4035. required:
  4036. - clientId
  4037. - clientSecret
  4038. - tenant
  4039. type: object
  4040. doppler:
  4041. description: Doppler configures this store to sync secrets using the Doppler provider
  4042. properties:
  4043. auth:
  4044. description: Auth configures how the Operator authenticates with the Doppler API
  4045. properties:
  4046. oidcConfig:
  4047. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  4048. properties:
  4049. expirationSeconds:
  4050. default: 600
  4051. description: |-
  4052. ExpirationSeconds sets the ServiceAccount token validity duration.
  4053. Defaults to 10 minutes.
  4054. format: int64
  4055. type: integer
  4056. identity:
  4057. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  4058. type: string
  4059. serviceAccountRef:
  4060. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  4061. properties:
  4062. audiences:
  4063. description: |-
  4064. Audience specifies the `aud` claim for the service account token
  4065. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4066. then these audiences will be appended to the list
  4067. items:
  4068. type: string
  4069. type: array
  4070. name:
  4071. description: The name of the ServiceAccount resource being referred to.
  4072. maxLength: 253
  4073. minLength: 1
  4074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4075. type: string
  4076. namespace:
  4077. description: |-
  4078. Namespace of the resource being referred to.
  4079. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4080. maxLength: 63
  4081. minLength: 1
  4082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4083. type: string
  4084. required:
  4085. - name
  4086. type: object
  4087. required:
  4088. - identity
  4089. - serviceAccountRef
  4090. type: object
  4091. secretRef:
  4092. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4093. properties:
  4094. dopplerToken:
  4095. description: |-
  4096. The DopplerToken is used for authentication.
  4097. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4098. The Key attribute defaults to dopplerToken if not specified.
  4099. properties:
  4100. key:
  4101. description: |-
  4102. A key in the referenced Secret.
  4103. Some instances of this field may be defaulted, in others it may be required.
  4104. maxLength: 253
  4105. minLength: 1
  4106. pattern: ^[-._a-zA-Z0-9]+$
  4107. type: string
  4108. name:
  4109. description: The name of the Secret resource being referred to.
  4110. maxLength: 253
  4111. minLength: 1
  4112. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4113. type: string
  4114. namespace:
  4115. description: |-
  4116. The namespace of the Secret resource being referred to.
  4117. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4118. maxLength: 63
  4119. minLength: 1
  4120. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4121. type: string
  4122. type: object
  4123. required:
  4124. - dopplerToken
  4125. type: object
  4126. type: object
  4127. x-kubernetes-validations:
  4128. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4129. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4130. config:
  4131. description: Doppler config (required if not using a Service Token)
  4132. type: string
  4133. format:
  4134. description: Format enables the downloading of secrets as a file (string)
  4135. enum:
  4136. - json
  4137. - dotnet-json
  4138. - env
  4139. - yaml
  4140. - docker
  4141. type: string
  4142. nameTransformer:
  4143. description: Environment variable compatible name transforms that change secret names to a different format
  4144. enum:
  4145. - upper-camel
  4146. - camel
  4147. - lower-snake
  4148. - tf-var
  4149. - dotnet-env
  4150. - lower-kebab
  4151. type: string
  4152. project:
  4153. description: Doppler project (required if not using a Service Token)
  4154. type: string
  4155. required:
  4156. - auth
  4157. type: object
  4158. dvls:
  4159. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4160. properties:
  4161. auth:
  4162. description: Auth defines the authentication method to use.
  4163. properties:
  4164. secretRef:
  4165. description: SecretRef contains the Application ID and Application Secret for authentication.
  4166. properties:
  4167. appId:
  4168. description: AppID is the reference to the secret containing the Application ID.
  4169. properties:
  4170. key:
  4171. description: |-
  4172. A key in the referenced Secret.
  4173. Some instances of this field may be defaulted, in others it may be required.
  4174. maxLength: 253
  4175. minLength: 1
  4176. pattern: ^[-._a-zA-Z0-9]+$
  4177. type: string
  4178. name:
  4179. description: The name of the Secret resource being referred to.
  4180. maxLength: 253
  4181. minLength: 1
  4182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4183. type: string
  4184. namespace:
  4185. description: |-
  4186. The namespace of the Secret resource being referred to.
  4187. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4188. maxLength: 63
  4189. minLength: 1
  4190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4191. type: string
  4192. type: object
  4193. appSecret:
  4194. description: AppSecret is the reference to the secret containing the Application Secret.
  4195. properties:
  4196. key:
  4197. description: |-
  4198. A key in the referenced Secret.
  4199. Some instances of this field may be defaulted, in others it may be required.
  4200. maxLength: 253
  4201. minLength: 1
  4202. pattern: ^[-._a-zA-Z0-9]+$
  4203. type: string
  4204. name:
  4205. description: The name of the Secret resource being referred to.
  4206. maxLength: 253
  4207. minLength: 1
  4208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4209. type: string
  4210. namespace:
  4211. description: |-
  4212. The namespace of the Secret resource being referred to.
  4213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4214. maxLength: 63
  4215. minLength: 1
  4216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4217. type: string
  4218. type: object
  4219. required:
  4220. - appId
  4221. - appSecret
  4222. type: object
  4223. required:
  4224. - secretRef
  4225. type: object
  4226. insecure:
  4227. description: |-
  4228. Insecure allows connecting to DVLS over plain HTTP.
  4229. This is NOT RECOMMENDED for production use.
  4230. Set to true only if you understand the security implications.
  4231. type: boolean
  4232. serverUrl:
  4233. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4234. type: string
  4235. vault:
  4236. description: |-
  4237. Vault is the name or UUID of the vault to fetch secrets from.
  4238. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4239. type: string
  4240. required:
  4241. - auth
  4242. - serverUrl
  4243. type: object
  4244. fake:
  4245. description: Fake configures a store with static key/value pairs
  4246. properties:
  4247. data:
  4248. items:
  4249. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4250. properties:
  4251. key:
  4252. type: string
  4253. value:
  4254. type: string
  4255. version:
  4256. type: string
  4257. required:
  4258. - key
  4259. - value
  4260. type: object
  4261. type: array
  4262. validationResult:
  4263. description: ValidationResult is a defined type for the number of validation results.
  4264. type: integer
  4265. required:
  4266. - data
  4267. type: object
  4268. fortanix:
  4269. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4270. properties:
  4271. apiKey:
  4272. description: APIKey is the API token to access SDKMS Applications.
  4273. properties:
  4274. secretRef:
  4275. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4276. properties:
  4277. key:
  4278. description: |-
  4279. A key in the referenced Secret.
  4280. Some instances of this field may be defaulted, in others it may be required.
  4281. maxLength: 253
  4282. minLength: 1
  4283. pattern: ^[-._a-zA-Z0-9]+$
  4284. type: string
  4285. name:
  4286. description: The name of the Secret resource being referred to.
  4287. maxLength: 253
  4288. minLength: 1
  4289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4290. type: string
  4291. namespace:
  4292. description: |-
  4293. The namespace of the Secret resource being referred to.
  4294. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4295. maxLength: 63
  4296. minLength: 1
  4297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4298. type: string
  4299. type: object
  4300. type: object
  4301. apiUrl:
  4302. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4303. type: string
  4304. type: object
  4305. gcpsm:
  4306. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4307. properties:
  4308. auth:
  4309. description: Auth defines the information necessary to authenticate against GCP
  4310. properties:
  4311. secretRef:
  4312. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4313. properties:
  4314. secretAccessKeySecretRef:
  4315. description: The SecretAccessKey is used for authentication
  4316. properties:
  4317. key:
  4318. description: |-
  4319. A key in the referenced Secret.
  4320. Some instances of this field may be defaulted, in others it may be required.
  4321. maxLength: 253
  4322. minLength: 1
  4323. pattern: ^[-._a-zA-Z0-9]+$
  4324. type: string
  4325. name:
  4326. description: The name of the Secret resource being referred to.
  4327. maxLength: 253
  4328. minLength: 1
  4329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4330. type: string
  4331. namespace:
  4332. description: |-
  4333. The namespace of the Secret resource being referred to.
  4334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4335. maxLength: 63
  4336. minLength: 1
  4337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4338. type: string
  4339. type: object
  4340. type: object
  4341. workloadIdentity:
  4342. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4343. properties:
  4344. clusterLocation:
  4345. description: |-
  4346. ClusterLocation is the location of the cluster
  4347. If not specified, it fetches information from the metadata server
  4348. type: string
  4349. clusterName:
  4350. description: |-
  4351. ClusterName is the name of the cluster
  4352. If not specified, it fetches information from the metadata server
  4353. type: string
  4354. clusterProjectID:
  4355. description: |-
  4356. ClusterProjectID is the project ID of the cluster
  4357. If not specified, it fetches information from the metadata server
  4358. type: string
  4359. serviceAccountRef:
  4360. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4361. properties:
  4362. audiences:
  4363. description: |-
  4364. Audience specifies the `aud` claim for the service account token
  4365. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4366. then these audiences will be appended to the list
  4367. items:
  4368. type: string
  4369. type: array
  4370. name:
  4371. description: The name of the ServiceAccount resource being referred to.
  4372. maxLength: 253
  4373. minLength: 1
  4374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4375. type: string
  4376. namespace:
  4377. description: |-
  4378. Namespace of the resource being referred to.
  4379. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4380. maxLength: 63
  4381. minLength: 1
  4382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4383. type: string
  4384. required:
  4385. - name
  4386. type: object
  4387. required:
  4388. - serviceAccountRef
  4389. type: object
  4390. workloadIdentityFederation:
  4391. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4392. properties:
  4393. audience:
  4394. description: |-
  4395. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4396. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4397. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4398. type: string
  4399. awsSecurityCredentials:
  4400. description: |-
  4401. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4402. when using the AWS metadata server is not an option.
  4403. properties:
  4404. awsCredentialsSecretRef:
  4405. description: |-
  4406. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4407. Secret should be created with below names for keys
  4408. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4409. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4410. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4411. properties:
  4412. name:
  4413. description: name of the secret.
  4414. maxLength: 253
  4415. minLength: 1
  4416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4417. type: string
  4418. namespace:
  4419. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  4420. maxLength: 63
  4421. minLength: 1
  4422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4423. type: string
  4424. required:
  4425. - name
  4426. type: object
  4427. region:
  4428. description: region is for configuring the AWS region to be used.
  4429. example: ap-south-1
  4430. maxLength: 50
  4431. minLength: 1
  4432. pattern: ^[a-z0-9-]+$
  4433. type: string
  4434. required:
  4435. - awsCredentialsSecretRef
  4436. - region
  4437. type: object
  4438. credConfig:
  4439. description: |-
  4440. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4441. To use the Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted ServiceAccount token cannot be used as the token source; instead,
  4442. serviceAccountRef must be used, providing the operator's service account details.
  4443. properties:
  4444. key:
  4445. description: key name holding the external account credential config.
  4446. maxLength: 253
  4447. minLength: 1
  4448. pattern: ^[-._a-zA-Z0-9]+$
  4449. type: string
  4450. name:
  4451. description: name of the configmap.
  4452. maxLength: 253
  4453. minLength: 1
  4454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4455. type: string
  4456. namespace:
  4457. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  4458. maxLength: 63
  4459. minLength: 1
  4460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4461. type: string
  4462. required:
  4463. - key
  4464. - name
  4465. type: object
  4466. externalTokenEndpoint:
  4467. description: |-
  4468. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4469. credential_source.url in the provided credConfig. This field is merely to double-check that the external token source
  4470. URL has the expected value.
  4471. type: string
  4472. gcpServiceAccountEmail:
  4473. description: |-
  4474. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4475. after Workload Identity Federation. Use this to grant access through the service account's
  4476. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4477. service_account_impersonation_url in the external account JSON from credConfig;
  4478. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4479. on that ServiceAccount.
  4480. example: my-gsa@my-project.iam.gserviceaccount.com
  4481. minLength: 1
  4482. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4483. type: string
  4484. serviceAccountRef:
  4485. description: |-
  4486. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4487. when Kubernetes is configured as provider in workload identity pool.
  4488. properties:
  4489. audiences:
  4490. description: |-
  4491. Audience specifies the `aud` claim for the service account token
  4492. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4493. then these audiences will be appended to the list
  4494. items:
  4495. type: string
  4496. type: array
  4497. name:
  4498. description: The name of the ServiceAccount resource being referred to.
  4499. maxLength: 253
  4500. minLength: 1
  4501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4502. type: string
  4503. namespace:
  4504. description: |-
  4505. Namespace of the resource being referred to.
  4506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4507. maxLength: 63
  4508. minLength: 1
  4509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4510. type: string
  4511. required:
  4512. - name
  4513. type: object
  4514. type: object
  4515. type: object
  4516. location:
  4517. description: Location optionally defines a location for a secret
  4518. type: string
  4519. projectID:
  4520. description: ProjectID is the project where the secret is located
  4521. type: string
  4522. secretVersionSelectionPolicy:
  4523. default: LatestOrFail
  4524. description: |-
  4525. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4526. when "latest" is disabled or destroyed.
  4527. Possible values are:
  4528. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4529. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4530. type: string
  4531. type: object
  4532. github:
  4533. description: |-
  4534. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4535. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4536. properties:
  4537. appID:
  4538. description: appID specifies the Github APP that will be used to authenticate the client
  4539. format: int64
  4540. type: integer
  4541. auth:
  4542. description: auth configures how secret-manager authenticates with a Github instance.
  4543. properties:
  4544. privateKey:
  4545. description: |-
  4546. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4547. In some instances, `key` is a required field.
  4548. properties:
  4549. key:
  4550. description: |-
  4551. A key in the referenced Secret.
  4552. Some instances of this field may be defaulted, in others it may be required.
  4553. maxLength: 253
  4554. minLength: 1
  4555. pattern: ^[-._a-zA-Z0-9]+$
  4556. type: string
  4557. name:
  4558. description: The name of the Secret resource being referred to.
  4559. maxLength: 253
  4560. minLength: 1
  4561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4562. type: string
  4563. namespace:
  4564. description: |-
  4565. The namespace of the Secret resource being referred to.
  4566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4567. maxLength: 63
  4568. minLength: 1
  4569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4570. type: string
  4571. type: object
  4572. required:
  4573. - privateKey
  4574. type: object
  4575. environment:
  4576. description: environment will be used to fetch secrets from a particular environment within a github repository
  4577. type: string
  4578. installationID:
  4579. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4580. format: int64
  4581. type: integer
  4582. orgSecretVisibility:
  4583. description: |-
  4584. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4585. Valid values are "all" or "private".
  4586. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4587. whatever visibility they already have in GitHub.
  4588. enum:
  4589. - all
  4590. - private
  4591. type: string
  4592. organization:
  4593. description: organization will be used to fetch secrets from the Github organization
  4594. type: string
  4595. repository:
  4596. description: repository will be used to fetch secrets from the Github repository within an organization
  4597. type: string
  4598. uploadURL:
  4599. description: Upload URL for enterprise instances. Defaults to URL.
  4600. type: string
  4601. url:
  4602. default: https://github.com/
  4603. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4604. type: string
  4605. required:
  4606. - appID
  4607. - auth
  4608. - installationID
  4609. - organization
  4610. type: object
  4611. gitlab:
  4612. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4613. properties:
  4614. auth:
  4615. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4616. properties:
  4617. SecretRef:
  4618. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4619. properties:
  4620. accessToken:
  4621. description: AccessToken is used for authentication.
  4622. properties:
  4623. key:
  4624. description: |-
  4625. A key in the referenced Secret.
  4626. Some instances of this field may be defaulted, in others it may be required.
  4627. maxLength: 253
  4628. minLength: 1
  4629. pattern: ^[-._a-zA-Z0-9]+$
  4630. type: string
  4631. name:
  4632. description: The name of the Secret resource being referred to.
  4633. maxLength: 253
  4634. minLength: 1
  4635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4636. type: string
  4637. namespace:
  4638. description: |-
  4639. The namespace of the Secret resource being referred to.
  4640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4641. maxLength: 63
  4642. minLength: 1
  4643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4644. type: string
  4645. type: object
  4646. type: object
  4647. required:
  4648. - SecretRef
  4649. type: object
  4650. caBundle:
  4651. description: |-
  4652. Base64 encoded certificate for the GitLab server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  4653. can be performed.
  4654. format: byte
  4655. type: string
  4656. caProvider:
  4657. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4658. properties:
  4659. key:
  4660. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4661. maxLength: 253
  4662. minLength: 1
  4663. pattern: ^[-._a-zA-Z0-9]+$
  4664. type: string
  4665. name:
  4666. description: The name of the object located at the provider type.
  4667. maxLength: 253
  4668. minLength: 1
  4669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4670. type: string
  4671. namespace:
  4672. description: |-
  4673. The namespace the Provider type is in.
  4674. Can only be defined when used in a ClusterSecretStore.
  4675. maxLength: 63
  4676. minLength: 1
  4677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4678. type: string
  4679. type:
  4680. description: The type of provider to use such as "Secret", or "ConfigMap".
  4681. enum:
  4682. - Secret
  4683. - ConfigMap
  4684. type: string
  4685. required:
  4686. - name
  4687. - type
  4688. type: object
  4689. environment:
  4690. description: Environment is the environment_scope of GitLab CI/CD variables (please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4691. type: string
  4692. groupIDs:
  4693. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  4694. items:
  4695. type: string
  4696. type: array
  4697. inheritFromGroups:
  4698. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4699. type: boolean
  4700. projectID:
  4701. description: ProjectID specifies a project where secrets are located.
  4702. type: string
  4703. url:
  4704. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4705. type: string
  4706. required:
  4707. - auth
  4708. type: object
  4709. ibm:
  4710. description: IBM configures this store to sync secrets using IBM Cloud provider
  4711. properties:
  4712. auth:
  4713. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4714. maxProperties: 1
  4715. minProperties: 1
  4716. properties:
  4717. containerAuth:
  4718. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4719. properties:
  4720. iamEndpoint:
  4721. type: string
  4722. profile:
  4723. description: the IBM Trusted Profile
  4724. type: string
  4725. tokenLocation:
  4726. description: Location where the token is mounted on the pod
  4727. type: string
  4728. required:
  4729. - profile
  4730. type: object
  4731. secretRef:
  4732. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4733. properties:
  4734. iamEndpoint:
  4735. description: The IAM endpoint used to obtain a token
  4736. type: string
  4737. secretApiKeySecretRef:
  4738. description: The SecretAccessKey is used for authentication
  4739. properties:
  4740. key:
  4741. description: |-
  4742. A key in the referenced Secret.
  4743. Some instances of this field may be defaulted, in others it may be required.
  4744. maxLength: 253
  4745. minLength: 1
  4746. pattern: ^[-._a-zA-Z0-9]+$
  4747. type: string
  4748. name:
  4749. description: The name of the Secret resource being referred to.
  4750. maxLength: 253
  4751. minLength: 1
  4752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4753. type: string
  4754. namespace:
  4755. description: |-
  4756. The namespace of the Secret resource being referred to.
  4757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4758. maxLength: 63
  4759. minLength: 1
  4760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4761. type: string
  4762. type: object
  4763. type: object
  4764. type: object
  4765. serviceUrl:
  4766. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4767. type: string
  4768. required:
  4769. - auth
  4770. type: object
  4771. infisical:
  4772. description: Infisical configures this store to sync secrets using the Infisical provider
  4773. properties:
  4774. auth:
  4775. description: Auth configures how the Operator authenticates with the Infisical API
  4776. properties:
  4777. awsAuthCredentials:
  4778. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4779. properties:
  4780. identityId:
  4781. description: |-
  4782. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4783. In some instances, `key` is a required field.
  4784. properties:
  4785. key:
  4786. description: |-
  4787. A key in the referenced Secret.
  4788. Some instances of this field may be defaulted, in others it may be required.
  4789. maxLength: 253
  4790. minLength: 1
  4791. pattern: ^[-._a-zA-Z0-9]+$
  4792. type: string
  4793. name:
  4794. description: The name of the Secret resource being referred to.
  4795. maxLength: 253
  4796. minLength: 1
  4797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4798. type: string
  4799. namespace:
  4800. description: |-
  4801. The namespace of the Secret resource being referred to.
  4802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4803. maxLength: 63
  4804. minLength: 1
  4805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4806. type: string
  4807. type: object
  4808. required:
  4809. - identityId
  4810. type: object
  4811. azureAuthCredentials:
  4812. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4813. properties:
  4814. identityId:
  4815. description: |-
  4816. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4817. In some instances, `key` is a required field.
  4818. properties:
  4819. key:
  4820. description: |-
  4821. A key in the referenced Secret.
  4822. Some instances of this field may be defaulted, in others it may be required.
  4823. maxLength: 253
  4824. minLength: 1
  4825. pattern: ^[-._a-zA-Z0-9]+$
  4826. type: string
  4827. name:
  4828. description: The name of the Secret resource being referred to.
  4829. maxLength: 253
  4830. minLength: 1
  4831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4832. type: string
  4833. namespace:
  4834. description: |-
  4835. The namespace of the Secret resource being referred to.
  4836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4837. maxLength: 63
  4838. minLength: 1
  4839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4840. type: string
  4841. type: object
  4842. resource:
  4843. description: |-
  4844. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4845. In some instances, `key` is a required field.
  4846. properties:
  4847. key:
  4848. description: |-
  4849. A key in the referenced Secret.
  4850. Some instances of this field may be defaulted, in others it may be required.
  4851. maxLength: 253
  4852. minLength: 1
  4853. pattern: ^[-._a-zA-Z0-9]+$
  4854. type: string
  4855. name:
  4856. description: The name of the Secret resource being referred to.
  4857. maxLength: 253
  4858. minLength: 1
  4859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4860. type: string
  4861. namespace:
  4862. description: |-
  4863. The namespace of the Secret resource being referred to.
  4864. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4865. maxLength: 63
  4866. minLength: 1
  4867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4868. type: string
  4869. type: object
  4870. required:
  4871. - identityId
  4872. type: object
  4873. gcpIamAuthCredentials:
  4874. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4875. properties:
  4876. identityId:
  4877. description: |-
  4878. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4879. In some instances, `key` is a required field.
  4880. properties:
  4881. key:
  4882. description: |-
  4883. A key in the referenced Secret.
  4884. Some instances of this field may be defaulted, in others it may be required.
  4885. maxLength: 253
  4886. minLength: 1
  4887. pattern: ^[-._a-zA-Z0-9]+$
  4888. type: string
  4889. name:
  4890. description: The name of the Secret resource being referred to.
  4891. maxLength: 253
  4892. minLength: 1
  4893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4894. type: string
  4895. namespace:
  4896. description: |-
  4897. The namespace of the Secret resource being referred to.
  4898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4899. maxLength: 63
  4900. minLength: 1
  4901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4902. type: string
  4903. type: object
  4904. serviceAccountKeyFilePath:
  4905. description: |-
  4906. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4907. In some instances, `key` is a required field.
  4908. properties:
  4909. key:
  4910. description: |-
  4911. A key in the referenced Secret.
  4912. Some instances of this field may be defaulted, in others it may be required.
  4913. maxLength: 253
  4914. minLength: 1
  4915. pattern: ^[-._a-zA-Z0-9]+$
  4916. type: string
  4917. name:
  4918. description: The name of the Secret resource being referred to.
  4919. maxLength: 253
  4920. minLength: 1
  4921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4922. type: string
  4923. namespace:
  4924. description: |-
  4925. The namespace of the Secret resource being referred to.
  4926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4927. maxLength: 63
  4928. minLength: 1
  4929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4930. type: string
  4931. type: object
  4932. required:
  4933. - identityId
  4934. - serviceAccountKeyFilePath
  4935. type: object
  4936. gcpIdTokenAuthCredentials:
  4937. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4938. properties:
  4939. identityId:
  4940. description: |-
  4941. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4942. In some instances, `key` is a required field.
  4943. properties:
  4944. key:
  4945. description: |-
  4946. A key in the referenced Secret.
  4947. Some instances of this field may be defaulted, in others it may be required.
  4948. maxLength: 253
  4949. minLength: 1
  4950. pattern: ^[-._a-zA-Z0-9]+$
  4951. type: string
  4952. name:
  4953. description: The name of the Secret resource being referred to.
  4954. maxLength: 253
  4955. minLength: 1
  4956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4957. type: string
  4958. namespace:
  4959. description: |-
  4960. The namespace of the Secret resource being referred to.
  4961. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4962. maxLength: 63
  4963. minLength: 1
  4964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4965. type: string
  4966. type: object
  4967. required:
  4968. - identityId
  4969. type: object
  4970. jwtAuthCredentials:
  4971. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4972. properties:
  4973. identityId:
  4974. description: |-
  4975. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4976. In some instances, `key` is a required field.
  4977. properties:
  4978. key:
  4979. description: |-
  4980. A key in the referenced Secret.
  4981. Some instances of this field may be defaulted, in others it may be required.
  4982. maxLength: 253
  4983. minLength: 1
  4984. pattern: ^[-._a-zA-Z0-9]+$
  4985. type: string
  4986. name:
  4987. description: The name of the Secret resource being referred to.
  4988. maxLength: 253
  4989. minLength: 1
  4990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4991. type: string
  4992. namespace:
  4993. description: |-
  4994. The namespace of the Secret resource being referred to.
  4995. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4996. maxLength: 63
  4997. minLength: 1
  4998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4999. type: string
  5000. type: object
  5001. jwt:
  5002. description: |-
  5003. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5004. In some instances, `key` is a required field.
  5005. properties:
  5006. key:
  5007. description: |-
  5008. A key in the referenced Secret.
  5009. Some instances of this field may be defaulted, in others it may be required.
  5010. maxLength: 253
  5011. minLength: 1
  5012. pattern: ^[-._a-zA-Z0-9]+$
  5013. type: string
  5014. name:
  5015. description: The name of the Secret resource being referred to.
  5016. maxLength: 253
  5017. minLength: 1
  5018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5019. type: string
  5020. namespace:
  5021. description: |-
  5022. The namespace of the Secret resource being referred to.
  5023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5024. maxLength: 63
  5025. minLength: 1
  5026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5027. type: string
  5028. type: object
  5029. required:
  5030. - identityId
  5031. - jwt
  5032. type: object
  5033. kubernetesAuthCredentials:
  5034. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  5035. properties:
  5036. identityId:
  5037. description: |-
  5038. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5039. In some instances, `key` is a required field.
  5040. properties:
  5041. key:
  5042. description: |-
  5043. A key in the referenced Secret.
  5044. Some instances of this field may be defaulted, in others it may be required.
  5045. maxLength: 253
  5046. minLength: 1
  5047. pattern: ^[-._a-zA-Z0-9]+$
  5048. type: string
  5049. name:
  5050. description: The name of the Secret resource being referred to.
  5051. maxLength: 253
  5052. minLength: 1
  5053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5054. type: string
  5055. namespace:
  5056. description: |-
  5057. The namespace of the Secret resource being referred to.
  5058. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5059. maxLength: 63
  5060. minLength: 1
  5061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5062. type: string
  5063. type: object
  5064. serviceAccountTokenPath:
  5065. description: |-
  5066. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5067. In some instances, `key` is a required field.
  5068. properties:
  5069. key:
  5070. description: |-
  5071. A key in the referenced Secret.
  5072. Some instances of this field may be defaulted, in others it may be required.
  5073. maxLength: 253
  5074. minLength: 1
  5075. pattern: ^[-._a-zA-Z0-9]+$
  5076. type: string
  5077. name:
  5078. description: The name of the Secret resource being referred to.
  5079. maxLength: 253
  5080. minLength: 1
  5081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5082. type: string
  5083. namespace:
  5084. description: |-
  5085. The namespace of the Secret resource being referred to.
  5086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5087. maxLength: 63
  5088. minLength: 1
  5089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5090. type: string
  5091. type: object
  5092. required:
  5093. - identityId
  5094. type: object
  5095. ldapAuthCredentials:
  5096. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5097. properties:
  5098. identityId:
  5099. description: |-
  5100. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5101. In some instances, `key` is a required field.
  5102. properties:
  5103. key:
  5104. description: |-
  5105. A key in the referenced Secret.
  5106. Some instances of this field may be defaulted, in others it may be required.
  5107. maxLength: 253
  5108. minLength: 1
  5109. pattern: ^[-._a-zA-Z0-9]+$
  5110. type: string
  5111. name:
  5112. description: The name of the Secret resource being referred to.
  5113. maxLength: 253
  5114. minLength: 1
  5115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5116. type: string
  5117. namespace:
  5118. description: |-
  5119. The namespace of the Secret resource being referred to.
  5120. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5121. maxLength: 63
  5122. minLength: 1
  5123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5124. type: string
  5125. type: object
  5126. ldapPassword:
  5127. description: |-
  5128. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5129. In some instances, `key` is a required field.
  5130. properties:
  5131. key:
  5132. description: |-
  5133. A key in the referenced Secret.
  5134. Some instances of this field may be defaulted, in others it may be required.
  5135. maxLength: 253
  5136. minLength: 1
  5137. pattern: ^[-._a-zA-Z0-9]+$
  5138. type: string
  5139. name:
  5140. description: The name of the Secret resource being referred to.
  5141. maxLength: 253
  5142. minLength: 1
  5143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5144. type: string
  5145. namespace:
  5146. description: |-
  5147. The namespace of the Secret resource being referred to.
  5148. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5149. maxLength: 63
  5150. minLength: 1
  5151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5152. type: string
  5153. type: object
  5154. ldapUsername:
  5155. description: |-
  5156. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5157. In some instances, `key` is a required field.
  5158. properties:
  5159. key:
  5160. description: |-
  5161. A key in the referenced Secret.
  5162. Some instances of this field may be defaulted, in others it may be required.
  5163. maxLength: 253
  5164. minLength: 1
  5165. pattern: ^[-._a-zA-Z0-9]+$
  5166. type: string
  5167. name:
  5168. description: The name of the Secret resource being referred to.
  5169. maxLength: 253
  5170. minLength: 1
  5171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5172. type: string
  5173. namespace:
  5174. description: |-
  5175. The namespace of the Secret resource being referred to.
  5176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5177. maxLength: 63
  5178. minLength: 1
  5179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5180. type: string
  5181. type: object
  5182. required:
  5183. - identityId
  5184. - ldapPassword
  5185. - ldapUsername
  5186. type: object
  5187. ociAuthCredentials:
  5188. description: OciAuthCredentials represents the credentials for OCI authentication.
  5189. properties:
  5190. fingerprint:
  5191. description: |-
  5192. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5193. In some instances, `key` is a required field.
  5194. properties:
  5195. key:
  5196. description: |-
  5197. A key in the referenced Secret.
  5198. Some instances of this field may be defaulted, in others it may be required.
  5199. maxLength: 253
  5200. minLength: 1
  5201. pattern: ^[-._a-zA-Z0-9]+$
  5202. type: string
  5203. name:
  5204. description: The name of the Secret resource being referred to.
  5205. maxLength: 253
  5206. minLength: 1
  5207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5208. type: string
  5209. namespace:
  5210. description: |-
  5211. The namespace of the Secret resource being referred to.
  5212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5213. maxLength: 63
  5214. minLength: 1
  5215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5216. type: string
  5217. type: object
  5218. identityId:
  5219. description: |-
  5220. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5221. In some instances, `key` is a required field.
  5222. properties:
  5223. key:
  5224. description: |-
  5225. A key in the referenced Secret.
  5226. Some instances of this field may be defaulted, in others it may be required.
  5227. maxLength: 253
  5228. minLength: 1
  5229. pattern: ^[-._a-zA-Z0-9]+$
  5230. type: string
  5231. name:
  5232. description: The name of the Secret resource being referred to.
  5233. maxLength: 253
  5234. minLength: 1
  5235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5236. type: string
  5237. namespace:
  5238. description: |-
  5239. The namespace of the Secret resource being referred to.
  5240. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5241. maxLength: 63
  5242. minLength: 1
  5243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5244. type: string
  5245. type: object
  5246. privateKey:
  5247. description: |-
  5248. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5249. In some instances, `key` is a required field.
  5250. properties:
  5251. key:
  5252. description: |-
  5253. A key in the referenced Secret.
  5254. Some instances of this field may be defaulted, in others it may be required.
  5255. maxLength: 253
  5256. minLength: 1
  5257. pattern: ^[-._a-zA-Z0-9]+$
  5258. type: string
  5259. name:
  5260. description: The name of the Secret resource being referred to.
  5261. maxLength: 253
  5262. minLength: 1
  5263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5264. type: string
  5265. namespace:
  5266. description: |-
  5267. The namespace of the Secret resource being referred to.
  5268. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5269. maxLength: 63
  5270. minLength: 1
  5271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5272. type: string
  5273. type: object
  5274. privateKeyPassphrase:
  5275. description: |-
  5276. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5277. In some instances, `key` is a required field.
  5278. properties:
  5279. key:
  5280. description: |-
  5281. A key in the referenced Secret.
  5282. Some instances of this field may be defaulted, in others it may be required.
  5283. maxLength: 253
  5284. minLength: 1
  5285. pattern: ^[-._a-zA-Z0-9]+$
  5286. type: string
  5287. name:
  5288. description: The name of the Secret resource being referred to.
  5289. maxLength: 253
  5290. minLength: 1
  5291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5292. type: string
  5293. namespace:
  5294. description: |-
  5295. The namespace of the Secret resource being referred to.
  5296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5297. maxLength: 63
  5298. minLength: 1
  5299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5300. type: string
  5301. type: object
  5302. region:
  5303. description: |-
  5304. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5305. In some instances, `key` is a required field.
  5306. properties:
  5307. key:
  5308. description: |-
  5309. A key in the referenced Secret.
  5310. Some instances of this field may be defaulted, in others it may be required.
  5311. maxLength: 253
  5312. minLength: 1
  5313. pattern: ^[-._a-zA-Z0-9]+$
  5314. type: string
  5315. name:
  5316. description: The name of the Secret resource being referred to.
  5317. maxLength: 253
  5318. minLength: 1
  5319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5320. type: string
  5321. namespace:
  5322. description: |-
  5323. The namespace of the Secret resource being referred to.
  5324. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5325. maxLength: 63
  5326. minLength: 1
  5327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5328. type: string
  5329. type: object
  5330. tenancyId:
  5331. description: |-
  5332. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5333. In some instances, `key` is a required field.
  5334. properties:
  5335. key:
  5336. description: |-
  5337. A key in the referenced Secret.
  5338. Some instances of this field may be defaulted, in others it may be required.
  5339. maxLength: 253
  5340. minLength: 1
  5341. pattern: ^[-._a-zA-Z0-9]+$
  5342. type: string
  5343. name:
  5344. description: The name of the Secret resource being referred to.
  5345. maxLength: 253
  5346. minLength: 1
  5347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5348. type: string
  5349. namespace:
  5350. description: |-
  5351. The namespace of the Secret resource being referred to.
  5352. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5353. maxLength: 63
  5354. minLength: 1
  5355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5356. type: string
  5357. type: object
  5358. userId:
  5359. description: |-
  5360. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5361. In some instances, `key` is a required field.
  5362. properties:
  5363. key:
  5364. description: |-
  5365. A key in the referenced Secret.
  5366. Some instances of this field may be defaulted, in others it may be required.
  5367. maxLength: 253
  5368. minLength: 1
  5369. pattern: ^[-._a-zA-Z0-9]+$
  5370. type: string
  5371. name:
  5372. description: The name of the Secret resource being referred to.
  5373. maxLength: 253
  5374. minLength: 1
  5375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5376. type: string
  5377. namespace:
  5378. description: |-
  5379. The namespace of the Secret resource being referred to.
  5380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5381. maxLength: 63
  5382. minLength: 1
  5383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5384. type: string
  5385. type: object
  5386. required:
  5387. - fingerprint
  5388. - identityId
  5389. - privateKey
  5390. - region
  5391. - tenancyId
  5392. - userId
  5393. type: object
  5394. tokenAuthCredentials:
  5395. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5396. properties:
  5397. accessToken:
  5398. description: |-
  5399. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5400. In some instances, `key` is a required field.
  5401. properties:
  5402. key:
  5403. description: |-
  5404. A key in the referenced Secret.
  5405. Some instances of this field may be defaulted, in others it may be required.
  5406. maxLength: 253
  5407. minLength: 1
  5408. pattern: ^[-._a-zA-Z0-9]+$
  5409. type: string
  5410. name:
  5411. description: The name of the Secret resource being referred to.
  5412. maxLength: 253
  5413. minLength: 1
  5414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5415. type: string
  5416. namespace:
  5417. description: |-
  5418. The namespace of the Secret resource being referred to.
  5419. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5420. maxLength: 63
  5421. minLength: 1
  5422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5423. type: string
  5424. type: object
  5425. required:
  5426. - accessToken
  5427. type: object
  5428. universalAuthCredentials:
  5429. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5430. properties:
  5431. clientId:
  5432. description: |-
  5433. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5434. In some instances, `key` is a required field.
  5435. properties:
  5436. key:
  5437. description: |-
  5438. A key in the referenced Secret.
  5439. Some instances of this field may be defaulted, in others it may be required.
  5440. maxLength: 253
  5441. minLength: 1
  5442. pattern: ^[-._a-zA-Z0-9]+$
  5443. type: string
  5444. name:
  5445. description: The name of the Secret resource being referred to.
  5446. maxLength: 253
  5447. minLength: 1
  5448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5449. type: string
  5450. namespace:
  5451. description: |-
  5452. The namespace of the Secret resource being referred to.
  5453. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5454. maxLength: 63
  5455. minLength: 1
  5456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5457. type: string
  5458. type: object
  5459. clientSecret:
  5460. description: |-
  5461. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5462. In some instances, `key` is a required field.
  5463. properties:
  5464. key:
  5465. description: |-
  5466. A key in the referenced Secret.
  5467. Some instances of this field may be defaulted, in others it may be required.
  5468. maxLength: 253
  5469. minLength: 1
  5470. pattern: ^[-._a-zA-Z0-9]+$
  5471. type: string
  5472. name:
  5473. description: The name of the Secret resource being referred to.
  5474. maxLength: 253
  5475. minLength: 1
  5476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5477. type: string
  5478. namespace:
  5479. description: |-
  5480. The namespace of the Secret resource being referred to.
  5481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5482. maxLength: 63
  5483. minLength: 1
  5484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5485. type: string
  5486. type: object
  5487. required:
  5488. - clientId
  5489. - clientSecret
  5490. type: object
  5491. type: object
  5492. caBundle:
  5493. description: |-
  5494. CABundle is a PEM-encoded CA certificate bundle used to validate
  5495. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5496. format: byte
  5497. type: string
  5498. caProvider:
  5499. description: |-
  5500. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5501. The certificate is used to validate the Infisical server's TLS certificate.
  5502. Mutually exclusive with CABundle.
  5503. properties:
  5504. key:
  5505. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5506. maxLength: 253
  5507. minLength: 1
  5508. pattern: ^[-._a-zA-Z0-9]+$
  5509. type: string
  5510. name:
  5511. description: The name of the object located at the provider type.
  5512. maxLength: 253
  5513. minLength: 1
  5514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5515. type: string
  5516. namespace:
  5517. description: |-
  5518. The namespace the Provider type is in.
  5519. Can only be defined when used in a ClusterSecretStore.
  5520. maxLength: 63
  5521. minLength: 1
  5522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5523. type: string
  5524. type:
  5525. description: The type of provider to use such as "Secret", or "ConfigMap".
  5526. enum:
  5527. - Secret
  5528. - ConfigMap
  5529. type: string
  5530. required:
  5531. - name
  5532. - type
  5533. type: object
  5534. hostAPI:
  5535. default: https://app.infisical.com/api
  5536. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5537. type: string
  5538. secretsScope:
  5539. description: SecretsScope defines the scope of the secrets within the workspace
  5540. properties:
  5541. environmentSlug:
  5542. description: EnvironmentSlug is the required slug identifier for the environment.
  5543. type: string
  5544. expandSecretReferences:
  5545. default: true
  5546. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5547. type: boolean
  5548. organizationSlug:
  5549. description: |-
  5550. OrganizationSlug is the optional slug that identifies the organization that will be used
  5551. during authentication. Useful for sub-organization setups
  5552. type: string
  5553. projectSlug:
  5554. description: ProjectSlug is the required slug identifier for the project.
  5555. type: string
  5556. recursive:
  5557. default: false
  5558. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5559. type: boolean
  5560. secretsPath:
  5561. default: /
  5562. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5563. type: string
  5564. required:
  5565. - environmentSlug
  5566. - projectSlug
  5567. type: object
  5568. required:
  5569. - auth
  5570. - secretsScope
  5571. type: object
  5572. keepersecurity:
  5573. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5574. properties:
  5575. authRef:
  5576. description: |-
  5577. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5578. In some instances, `key` is a required field.
  5579. properties:
  5580. key:
  5581. description: |-
  5582. A key in the referenced Secret.
  5583. Some instances of this field may be defaulted, in others it may be required.
  5584. maxLength: 253
  5585. minLength: 1
  5586. pattern: ^[-._a-zA-Z0-9]+$
  5587. type: string
  5588. name:
  5589. description: The name of the Secret resource being referred to.
  5590. maxLength: 253
  5591. minLength: 1
  5592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5593. type: string
  5594. namespace:
  5595. description: |-
  5596. The namespace of the Secret resource being referred to.
  5597. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5598. maxLength: 63
  5599. minLength: 1
  5600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5601. type: string
  5602. type: object
  5603. folderID:
  5604. type: string
  5605. getByTitleFallback:
  5606. type: boolean
  5607. required:
  5608. - authRef
  5609. - folderID
  5610. type: object
  5611. kubernetes:
  5612. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5613. properties:
  5614. auth:
  5615. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5616. maxProperties: 1
  5617. minProperties: 1
  5618. properties:
  5619. cert:
  5620. description: has both clientCert and clientKey as secretKeySelector
  5621. properties:
  5622. clientCert:
  5623. description: |-
  5624. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5625. In some instances, `key` is a required field.
  5626. properties:
  5627. key:
  5628. description: |-
  5629. A key in the referenced Secret.
  5630. Some instances of this field may be defaulted, in others it may be required.
  5631. maxLength: 253
  5632. minLength: 1
  5633. pattern: ^[-._a-zA-Z0-9]+$
  5634. type: string
  5635. name:
  5636. description: The name of the Secret resource being referred to.
  5637. maxLength: 253
  5638. minLength: 1
  5639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5640. type: string
  5641. namespace:
  5642. description: |-
  5643. The namespace of the Secret resource being referred to.
  5644. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5645. maxLength: 63
  5646. minLength: 1
  5647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5648. type: string
  5649. type: object
  5650. clientKey:
  5651. description: |-
  5652. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5653. In some instances, `key` is a required field.
  5654. properties:
  5655. key:
  5656. description: |-
  5657. A key in the referenced Secret.
  5658. Some instances of this field may be defaulted, in others it may be required.
  5659. maxLength: 253
  5660. minLength: 1
  5661. pattern: ^[-._a-zA-Z0-9]+$
  5662. type: string
  5663. name:
  5664. description: The name of the Secret resource being referred to.
  5665. maxLength: 253
  5666. minLength: 1
  5667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5668. type: string
  5669. namespace:
  5670. description: |-
  5671. The namespace of the Secret resource being referred to.
  5672. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5673. maxLength: 63
  5674. minLength: 1
  5675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5676. type: string
  5677. type: object
  5678. type: object
  5679. serviceAccount:
  5680. description: points to a service account that should be used for authentication
  5681. properties:
  5682. audiences:
  5683. description: |-
  5684. Audience specifies the `aud` claim for the service account token
  5685. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5686. then these audiences will be appended to the list
  5687. items:
  5688. type: string
  5689. type: array
  5690. name:
  5691. description: The name of the ServiceAccount resource being referred to.
  5692. maxLength: 253
  5693. minLength: 1
  5694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5695. type: string
  5696. namespace:
  5697. description: |-
  5698. Namespace of the resource being referred to.
  5699. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5700. maxLength: 63
  5701. minLength: 1
  5702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5703. type: string
  5704. required:
  5705. - name
  5706. type: object
  5707. token:
  5708. description: Use a static bearer token to authenticate with the Kubernetes instance.
  5709. properties:
  5710. bearerToken:
  5711. description: |-
  5712. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5713. In some instances, `key` is a required field.
  5714. properties:
  5715. key:
  5716. description: |-
  5717. A key in the referenced Secret.
  5718. Some instances of this field may be defaulted, in others it may be required.
  5719. maxLength: 253
  5720. minLength: 1
  5721. pattern: ^[-._a-zA-Z0-9]+$
  5722. type: string
  5723. name:
  5724. description: The name of the Secret resource being referred to.
  5725. maxLength: 253
  5726. minLength: 1
  5727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5728. type: string
  5729. namespace:
  5730. description: |-
  5731. The namespace of the Secret resource being referred to.
  5732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5733. maxLength: 63
  5734. minLength: 1
  5735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5736. type: string
  5737. type: object
  5738. type: object
  5739. type: object
  5740. authRef:
  5741. description: A reference to a secret that contains the auth information.
  5742. properties:
  5743. key:
  5744. description: |-
  5745. A key in the referenced Secret.
  5746. Some instances of this field may be defaulted, in others it may be required.
  5747. maxLength: 253
  5748. minLength: 1
  5749. pattern: ^[-._a-zA-Z0-9]+$
  5750. type: string
  5751. name:
  5752. description: The name of the Secret resource being referred to.
  5753. maxLength: 253
  5754. minLength: 1
  5755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5756. type: string
  5757. namespace:
  5758. description: |-
  5759. The namespace of the Secret resource being referred to.
  5760. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5761. maxLength: 63
  5762. minLength: 1
  5763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5764. type: string
  5765. type: object
  5766. remoteNamespace:
  5767. default: default
  5768. description: Remote namespace to fetch the secrets from
  5769. maxLength: 63
  5770. minLength: 1
  5771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5772. type: string
  5773. server:
  5774. description: configures the Kubernetes server Address.
  5775. properties:
  5776. caBundle:
  5777. description: CABundle is a base64-encoded CA certificate
  5778. format: byte
  5779. type: string
  5780. caProvider:
  5781. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5782. properties:
  5783. key:
  5784. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5785. maxLength: 253
  5786. minLength: 1
  5787. pattern: ^[-._a-zA-Z0-9]+$
  5788. type: string
  5789. name:
  5790. description: The name of the object located at the provider type.
  5791. maxLength: 253
  5792. minLength: 1
  5793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5794. type: string
  5795. namespace:
  5796. description: |-
  5797. The namespace the Provider type is in.
  5798. Can only be defined when used in a ClusterSecretStore.
  5799. maxLength: 63
  5800. minLength: 1
  5801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5802. type: string
  5803. type:
  5804. description: The type of provider to use such as "Secret", or "ConfigMap".
  5805. enum:
  5806. - Secret
  5807. - ConfigMap
  5808. type: string
  5809. required:
  5810. - name
  5811. - type
  5812. type: object
  5813. url:
  5814. default: kubernetes.default
  5815. description: configures the Kubernetes server Address.
  5816. type: string
  5817. type: object
  5818. type: object
  5819. nebiusmysterybox:
  5820. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5821. properties:
  5822. apiDomain:
  5823. description: NebiusMysterybox API endpoint
  5824. type: string
  5825. auth:
  5826. description: Auth defines parameters to authenticate in MysteryBox
  5827. properties:
  5828. serviceAccountCredsSecretRef:
  5829. description: |-
  5830. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5831. document with service account credentials used to get an IAM token.
  5832. Expected JSON structure:
  5833. {
  5834. "subject-credentials": {
  5835. "alg": "RS256",
  5836. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5837. "kid": "<public-key-id>",
  5838. "iss": "<issuer-service-account-id>",
  5839. "sub": "<subject-service-account-id>"
  5840. }
  5841. }
  5842. properties:
  5843. key:
  5844. description: |-
  5845. A key in the referenced Secret.
  5846. Some instances of this field may be defaulted, in others it may be required.
  5847. maxLength: 253
  5848. minLength: 1
  5849. pattern: ^[-._a-zA-Z0-9]+$
  5850. type: string
  5851. name:
  5852. description: The name of the Secret resource being referred to.
  5853. maxLength: 253
  5854. minLength: 1
  5855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5856. type: string
  5857. namespace:
  5858. description: |-
  5859. The namespace of the Secret resource being referred to.
  5860. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5861. maxLength: 63
  5862. minLength: 1
  5863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5864. type: string
  5865. type: object
  5866. tokenSecretRef:
  5867. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5868. properties:
  5869. key:
  5870. description: |-
  5871. A key in the referenced Secret.
  5872. Some instances of this field may be defaulted, in others it may be required.
  5873. maxLength: 253
  5874. minLength: 1
  5875. pattern: ^[-._a-zA-Z0-9]+$
  5876. type: string
  5877. name:
  5878. description: The name of the Secret resource being referred to.
  5879. maxLength: 253
  5880. minLength: 1
  5881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5882. type: string
  5883. namespace:
  5884. description: |-
  5885. The namespace of the Secret resource being referred to.
  5886. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5887. maxLength: 63
  5888. minLength: 1
  5889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5890. type: string
  5891. type: object
  5892. type: object
  5893. x-kubernetes-validations:
  5894. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5895. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5896. caProvider:
  5897. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5898. properties:
  5899. certSecretRef:
  5900. description: |-
  5901. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5902. In some instances, `key` is a required field.
  5903. properties:
  5904. key:
  5905. description: |-
  5906. A key in the referenced Secret.
  5907. Some instances of this field may be defaulted, in others it may be required.
  5908. maxLength: 253
  5909. minLength: 1
  5910. pattern: ^[-._a-zA-Z0-9]+$
  5911. type: string
  5912. name:
  5913. description: The name of the Secret resource being referred to.
  5914. maxLength: 253
  5915. minLength: 1
  5916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5917. type: string
  5918. namespace:
  5919. description: |-
  5920. The namespace of the Secret resource being referred to.
  5921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5922. maxLength: 63
  5923. minLength: 1
  5924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5925. type: string
  5926. type: object
  5927. type: object
  5928. required:
  5929. - apiDomain
  5930. - auth
  5931. type: object
  5932. ngrok:
  5933. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5934. properties:
  5935. apiUrl:
  5936. default: https://api.ngrok.com
  5937. description: APIURL is the URL of the ngrok API.
  5938. type: string
  5939. auth:
  5940. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5941. maxProperties: 1
  5942. minProperties: 1
  5943. properties:
  5944. apiKey:
  5945. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5946. properties:
  5947. secretRef:
  5948. description: SecretRef is a reference to a secret containing the ngrok API key.
  5949. properties:
  5950. key:
  5951. description: |-
  5952. A key in the referenced Secret.
  5953. Some instances of this field may be defaulted, in others it may be required.
  5954. maxLength: 253
  5955. minLength: 1
  5956. pattern: ^[-._a-zA-Z0-9]+$
  5957. type: string
  5958. name:
  5959. description: The name of the Secret resource being referred to.
  5960. maxLength: 253
  5961. minLength: 1
  5962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5963. type: string
  5964. namespace:
  5965. description: |-
  5966. The namespace of the Secret resource being referred to.
  5967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5968. maxLength: 63
  5969. minLength: 1
  5970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5971. type: string
  5972. type: object
  5973. type: object
  5974. type: object
  5975. vault:
  5976. description: Vault configures the ngrok vault to sync secrets with.
  5977. properties:
  5978. name:
  5979. description: Name is the name of the ngrok vault to sync secrets with.
  5980. type: string
  5981. required:
  5982. - name
  5983. type: object
  5984. required:
  5985. - auth
  5986. - vault
  5987. type: object
  5988. onboardbase:
  5989. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5990. properties:
  5991. apiHost:
  5992. default: https://public.onboardbase.com/api/v1/
  5993. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  5994. type: string
  5995. auth:
  5996. description: Auth configures how the Operator authenticates with the Onboardbase API
  5997. properties:
  5998. apiKeyRef:
  5999. description: |-
  6000. OnboardbaseAPIKey is the APIKey generated by an admin account.
  6001. It is used to recognize and authorize access to a project and environment within onboardbase
  6002. properties:
  6003. key:
  6004. description: |-
  6005. A key in the referenced Secret.
  6006. Some instances of this field may be defaulted, in others it may be required.
  6007. maxLength: 253
  6008. minLength: 1
  6009. pattern: ^[-._a-zA-Z0-9]+$
  6010. type: string
  6011. name:
  6012. description: The name of the Secret resource being referred to.
  6013. maxLength: 253
  6014. minLength: 1
  6015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6016. type: string
  6017. namespace:
  6018. description: |-
  6019. The namespace of the Secret resource being referred to.
  6020. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6021. maxLength: 63
  6022. minLength: 1
  6023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6024. type: string
  6025. type: object
  6026. passcodeRef:
  6027. description: OnboardbasePasscode is the passcode attached to the API Key
  6028. properties:
  6029. key:
  6030. description: |-
  6031. A key in the referenced Secret.
  6032. Some instances of this field may be defaulted, in others it may be required.
  6033. maxLength: 253
  6034. minLength: 1
  6035. pattern: ^[-._a-zA-Z0-9]+$
  6036. type: string
  6037. name:
  6038. description: The name of the Secret resource being referred to.
  6039. maxLength: 253
  6040. minLength: 1
  6041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6042. type: string
  6043. namespace:
  6044. description: |-
  6045. The namespace of the Secret resource being referred to.
  6046. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6047. maxLength: 63
  6048. minLength: 1
  6049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6050. type: string
  6051. type: object
  6052. required:
  6053. - apiKeyRef
  6054. - passcodeRef
  6055. type: object
  6056. environment:
  6057. default: development
  6058. description: Environment is the name of an environment within a project to pull the secrets from
  6059. type: string
  6060. project:
  6061. default: development
  6062. description: Project is an onboardbase project that the secrets should be pulled from
  6063. type: string
  6064. required:
  6065. - apiHost
  6066. - auth
  6067. - environment
  6068. - project
  6069. type: object
  6070. onepassword:
  6071. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6072. properties:
  6073. auth:
  6074. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6075. properties:
  6076. secretRef:
  6077. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6078. properties:
  6079. connectTokenSecretRef:
  6080. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6081. properties:
  6082. key:
  6083. description: |-
  6084. A key in the referenced Secret.
  6085. Some instances of this field may be defaulted, in others it may be required.
  6086. maxLength: 253
  6087. minLength: 1
  6088. pattern: ^[-._a-zA-Z0-9]+$
  6089. type: string
  6090. name:
  6091. description: The name of the Secret resource being referred to.
  6092. maxLength: 253
  6093. minLength: 1
  6094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6095. type: string
  6096. namespace:
  6097. description: |-
  6098. The namespace of the Secret resource being referred to.
  6099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6100. maxLength: 63
  6101. minLength: 1
  6102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6103. type: string
  6104. type: object
  6105. required:
  6106. - connectTokenSecretRef
  6107. type: object
  6108. required:
  6109. - secretRef
  6110. type: object
  6111. connectHost:
  6112. description: ConnectHost defines the OnePassword Connect Server to connect to
  6113. type: string
  6114. vaults:
  6115. additionalProperties:
  6116. type: integer
  6117. description: Vaults defines which OnePassword vaults to search in which order
  6118. type: object
  6119. required:
  6120. - auth
  6121. - connectHost
  6122. - vaults
  6123. type: object
  6124. onepasswordSDK:
  6125. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6126. properties:
  6127. auth:
  6128. description: Auth defines the information necessary to authenticate against OnePassword API.
  6129. properties:
  6130. serviceAccountSecretRef:
  6131. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6132. properties:
  6133. key:
  6134. description: |-
  6135. A key in the referenced Secret.
  6136. Some instances of this field may be defaulted, in others it may be required.
  6137. maxLength: 253
  6138. minLength: 1
  6139. pattern: ^[-._a-zA-Z0-9]+$
  6140. type: string
  6141. name:
  6142. description: The name of the Secret resource being referred to.
  6143. maxLength: 253
  6144. minLength: 1
  6145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6146. type: string
  6147. namespace:
  6148. description: |-
  6149. The namespace of the Secret resource being referred to.
  6150. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6151. maxLength: 63
  6152. minLength: 1
  6153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6154. type: string
  6155. type: object
  6156. required:
  6157. - serviceAccountSecretRef
  6158. type: object
  6159. cache:
  6160. description: |-
  6161. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6162. When enabled, secrets are cached with the specified TTL.
  6163. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6164. If omitted, caching is disabled (default).
  6165. cache: {} is a valid option to set.
  6166. properties:
  6167. maxSize:
  6168. default: 100
  6169. description: |-
  6170. MaxSize is the maximum number of secrets to cache.
  6171. When the cache is full, least-recently-used entries are evicted.
  6172. minimum: 1
  6173. type: integer
  6174. ttl:
  6175. default: 5m
  6176. description: |-
  6177. TTL is the time-to-live for cached secrets.
  6178. Format: duration string (e.g., "5m", "1h", "30s")
  6179. type: string
  6180. type: object
  6181. integrationInfo:
  6182. description: |-
  6183. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6184. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6185. properties:
  6186. name:
  6187. default: 1Password SDK
  6188. description: Name defaults to "1Password SDK".
  6189. type: string
  6190. version:
  6191. default: v1.0.0
  6192. description: Version defaults to "v1.0.0".
  6193. type: string
  6194. type: object
  6195. vault:
  6196. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6197. type: string
  6198. required:
  6199. - auth
  6200. - vault
  6201. type: object
  6202. openBao:
  6203. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6204. properties:
  6205. auth:
  6206. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6207. properties:
  6208. appRole:
  6209. description: |-
  6210. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  6211. with the role and secret stored in a Kubernetes Secret resource.
  6212. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  6213. properties:
  6214. path:
  6215. default: approle
  6216. description: |-
  6217. Path where the App Role authentication backend is mounted
  6218. in OpenBao, e.g: "approle"
  6219. type: string
  6220. roleId:
  6221. description: |-
  6222. RoleID configured in the App Role authentication backend when setting
  6223. up the authentication backend in OpenBao.
  6224. minLength: 1
  6225. type: string
  6226. roleRef:
  6227. description: |-
  6228. Reference to a key in a Secret that contains the App Role ID used
  6229. to authenticate with OpenBao.
  6230. The `key` field must be specified and denotes which entry within the Secret
  6231. resource is used as the app role id.
  6232. properties:
  6233. key:
  6234. description: |-
  6235. A key in the referenced Secret.
  6236. Some instances of this field may be defaulted, in others it may be required.
  6237. maxLength: 253
  6238. minLength: 1
  6239. pattern: ^[-._a-zA-Z0-9]+$
  6240. type: string
  6241. name:
  6242. description: The name of the Secret resource being referred to.
  6243. maxLength: 253
  6244. minLength: 1
  6245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6246. type: string
  6247. namespace:
  6248. description: |-
  6249. The namespace of the Secret resource being referred to.
  6250. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6251. maxLength: 63
  6252. minLength: 1
  6253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6254. type: string
  6255. type: object
  6256. secretRef:
  6257. description: |-
  6258. Reference to a key in a Secret that contains the App Role secret used
  6259. to authenticate with OpenBao.
  6260. The `key` field must be specified and denotes which entry within the Secret
  6261. resource is used as the app role secret.
  6262. properties:
  6263. key:
  6264. description: |-
  6265. A key in the referenced Secret.
  6266. Some instances of this field may be defaulted, in others it may be required.
  6267. maxLength: 253
  6268. minLength: 1
  6269. pattern: ^[-._a-zA-Z0-9]+$
  6270. type: string
  6271. name:
  6272. description: The name of the Secret resource being referred to.
  6273. maxLength: 253
  6274. minLength: 1
  6275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6276. type: string
  6277. namespace:
  6278. description: |-
  6279. The namespace of the Secret resource being referred to.
  6280. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6281. maxLength: 63
  6282. minLength: 1
  6283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6284. type: string
  6285. type: object
  6286. required:
  6287. - path
  6288. - secretRef
  6289. type: object
  6290. x-kubernetes-validations:
  6291. - message: exactly one of the fields in [roleId roleRef] must be set
  6292. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  6293. namespace:
  6294. description: |-
  6295. Name of the [OpenBao Namespace] to authenticate to. This can be different
  6296. than the namespace your secret is in. Namespaces is a set of features
  6297. within OpenBao that allows OpenBao environments to support secure
  6298. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  6299. if set, or empty otherwise
  6300. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6301. type: string
  6302. tokenSecretRef:
  6303. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6304. properties:
  6305. key:
  6306. description: |-
  6307. A key in the referenced Secret.
  6308. Some instances of this field may be defaulted, in others it may be required.
  6309. maxLength: 253
  6310. minLength: 1
  6311. pattern: ^[-._a-zA-Z0-9]+$
  6312. type: string
  6313. name:
  6314. description: The name of the Secret resource being referred to.
  6315. maxLength: 253
  6316. minLength: 1
  6317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6318. type: string
  6319. namespace:
  6320. description: |-
  6321. The namespace of the Secret resource being referred to.
  6322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6323. maxLength: 63
  6324. minLength: 1
  6325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6326. type: string
  6327. type: object
  6328. userPass:
  6329. description: UserPass authenticates with OpenBao by passing a username/password pair
  6330. properties:
  6331. path:
  6332. default: userpass
  6333. description: |-
  6334. Path where the UserPassword authentication backend is mounted
  6335. in OpenBao, e.g: "userpass"
  6336. type: string
  6337. secretRef:
  6338. description: |-
  6339. SecretRef to a key in a Secret resource containing password for the user
  6340. used to authenticate with OpenBao using the [UserPass authentication
  6341. method]
  6342. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6343. properties:
  6344. key:
  6345. description: |-
  6346. A key in the referenced Secret.
  6347. Some instances of this field may be defaulted, in others it may be required.
  6348. maxLength: 253
  6349. minLength: 1
  6350. pattern: ^[-._a-zA-Z0-9]+$
  6351. type: string
  6352. name:
  6353. description: The name of the Secret resource being referred to.
  6354. maxLength: 253
  6355. minLength: 1
  6356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6357. type: string
  6358. namespace:
  6359. description: |-
  6360. The namespace of the Secret resource being referred to.
  6361. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6362. maxLength: 63
  6363. minLength: 1
  6364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6365. type: string
  6366. type: object
  6367. username:
  6368. description: |-
  6369. Username is a username used to authenticate using the [UserPass
  6370. authentication method]
  6371. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6372. type: string
  6373. required:
  6374. - path
  6375. - username
  6376. type: object
  6377. type: object
  6378. x-kubernetes-validations:
  6379. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  6380. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  6381. caBundle:
  6382. description: |-
  6383. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  6384. this and `caProvider` are not set the system root certificates are used
  6385. to validate the TLS connection.
  6386. format: byte
  6387. type: string
  6388. caProvider:
  6389. description: |-
  6390. The provider for the CA bundle to use to validate OpenBao server
  6391. certificate. If this and `caBundle` are not set the system root
  6392. certificates are used to validate the TLS connection.
  6393. properties:
  6394. key:
  6395. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6396. maxLength: 253
  6397. minLength: 1
  6398. pattern: ^[-._a-zA-Z0-9]+$
  6399. type: string
  6400. name:
  6401. description: The name of the object located at the provider type.
  6402. maxLength: 253
  6403. minLength: 1
  6404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6405. type: string
  6406. namespace:
  6407. description: |-
  6408. The namespace the Provider type is in.
  6409. Can only be defined when used in a ClusterSecretStore.
  6410. maxLength: 63
  6411. minLength: 1
  6412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6413. type: string
  6414. type:
  6415. description: The type of provider to use such as "Secret", or "ConfigMap".
  6416. enum:
  6417. - Secret
  6418. - ConfigMap
  6419. type: string
  6420. required:
  6421. - name
  6422. - type
  6423. type: object
  6424. namespace:
  6425. description: |-
  6426. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  6427. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  6428. e.g: "ns1".
  6429. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6430. type: string
  6431. path:
  6432. description: |-
  6433. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6434. "secret". The v2 KV secret engine version specific "/data" path suffix
  6435. for fetching secrets from OpenBao is optional and will be appended
  6436. if not present in specified path.
  6437. type: string
  6438. server:
  6439. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6440. type: string
  6441. version:
  6442. default: v2
  6443. description: |-
  6444. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6445. "v2". Version defaults to "v2".
  6446. enum:
  6447. - v1
  6448. - v2
  6449. type: string
  6450. required:
  6451. - server
  6452. type: object
  6453. x-kubernetes-validations:
  6454. - message: at most one of the fields in [caBundle caProvider] may be set
  6455. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  6456. oracle:
  6457. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6458. properties:
  6459. auth:
  6460. description: |-
  6461. Auth configures how secret-manager authenticates with the Oracle Vault.
  6462. If empty, the instance principal is used; otherwise, the user credentials specified in Auth are used.
  6463. properties:
  6464. secretRef:
  6465. description: SecretRef to pass through sensitive information.
  6466. properties:
  6467. fingerprint:
  6468. description: Fingerprint is the fingerprint of the API private key.
  6469. properties:
  6470. key:
  6471. description: |-
  6472. A key in the referenced Secret.
  6473. Some instances of this field may be defaulted, in others it may be required.
  6474. maxLength: 253
  6475. minLength: 1
  6476. pattern: ^[-._a-zA-Z0-9]+$
  6477. type: string
  6478. name:
  6479. description: The name of the Secret resource being referred to.
  6480. maxLength: 253
  6481. minLength: 1
  6482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6483. type: string
  6484. namespace:
  6485. description: |-
  6486. The namespace of the Secret resource being referred to.
  6487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6488. maxLength: 63
  6489. minLength: 1
  6490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6491. type: string
  6492. type: object
  6493. privatekey:
  6494. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6495. properties:
  6496. key:
  6497. description: |-
  6498. A key in the referenced Secret.
  6499. Some instances of this field may be defaulted, in others it may be required.
  6500. maxLength: 253
  6501. minLength: 1
  6502. pattern: ^[-._a-zA-Z0-9]+$
  6503. type: string
  6504. name:
  6505. description: The name of the Secret resource being referred to.
  6506. maxLength: 253
  6507. minLength: 1
  6508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6509. type: string
  6510. namespace:
  6511. description: |-
  6512. The namespace of the Secret resource being referred to.
  6513. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6514. maxLength: 63
  6515. minLength: 1
  6516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6517. type: string
  6518. type: object
  6519. required:
  6520. - fingerprint
  6521. - privatekey
  6522. type: object
  6523. tenancy:
6524. description: Tenancy is the tenancy OCID where the user is located.
  6525. type: string
  6526. user:
  6527. description: User is an access OCID specific to the account.
  6528. type: string
  6529. required:
  6530. - secretRef
  6531. - tenancy
  6532. - user
  6533. type: object
  6534. compartment:
  6535. description: |-
  6536. Compartment is the vault compartment OCID.
  6537. Required for PushSecret
  6538. type: string
  6539. encryptionKey:
  6540. description: |-
  6541. EncryptionKey is the OCID of the encryption key within the vault.
  6542. Required for PushSecret
  6543. type: string
  6544. principalType:
  6545. description: |-
6546. The type of principal to use for authentication. If left blank, the principal type
6547. is derived from the Auth struct. This optional field must be set explicitly (Workload)
6548. when authenticating with workload identity.
  6549. enum:
  6550. - ""
  6551. - UserPrincipal
  6552. - InstancePrincipal
  6553. - Workload
  6554. type: string
  6555. region:
  6556. description: Region is the region where vault is located.
  6557. type: string
  6558. serviceAccountRef:
  6559. description: |-
6560. ServiceAccountRef specifies the service account
6561. that should be used when authenticating with WorkloadIdentity.
  6562. properties:
  6563. audiences:
  6564. description: |-
6565. Audiences specifies the `aud` claim for the service account token.
6566. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
6567. these audiences are appended to the list.
  6568. items:
  6569. type: string
  6570. type: array
  6571. name:
  6572. description: The name of the ServiceAccount resource being referred to.
  6573. maxLength: 253
  6574. minLength: 1
  6575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6576. type: string
  6577. namespace:
  6578. description: |-
  6579. Namespace of the resource being referred to.
  6580. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6581. maxLength: 63
  6582. minLength: 1
  6583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6584. type: string
  6585. required:
  6586. - name
  6587. type: object
  6588. vault:
  6589. description: Vault is the vault's OCID of the specific vault where secret is located.
  6590. type: string
  6591. required:
  6592. - region
  6593. - vault
  6594. type: object
  6595. ovh:
  6596. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6597. properties:
  6598. auth:
  6599. description: Authentication method (mtls or token).
  6600. properties:
  6601. mtls:
  6602. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6603. properties:
  6604. caBundle:
  6605. format: byte
  6606. type: string
  6607. caProvider:
  6608. description: |-
  6609. CAProvider provides a custom certificate authority for accessing the provider's store.
  6610. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6611. properties:
  6612. key:
  6613. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6614. maxLength: 253
  6615. minLength: 1
  6616. pattern: ^[-._a-zA-Z0-9]+$
  6617. type: string
  6618. name:
  6619. description: The name of the object located at the provider type.
  6620. maxLength: 253
  6621. minLength: 1
  6622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6623. type: string
  6624. namespace:
  6625. description: |-
  6626. The namespace the Provider type is in.
  6627. Can only be defined when used in a ClusterSecretStore.
  6628. maxLength: 63
  6629. minLength: 1
  6630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6631. type: string
  6632. type:
  6633. description: The type of provider to use such as "Secret", or "ConfigMap".
  6634. enum:
  6635. - Secret
  6636. - ConfigMap
  6637. type: string
  6638. required:
  6639. - name
  6640. - type
  6641. type: object
  6642. certSecretRef:
  6643. description: |-
  6644. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6645. In some instances, `key` is a required field.
  6646. properties:
  6647. key:
  6648. description: |-
  6649. A key in the referenced Secret.
  6650. Some instances of this field may be defaulted, in others it may be required.
  6651. maxLength: 253
  6652. minLength: 1
  6653. pattern: ^[-._a-zA-Z0-9]+$
  6654. type: string
  6655. name:
  6656. description: The name of the Secret resource being referred to.
  6657. maxLength: 253
  6658. minLength: 1
  6659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6660. type: string
  6661. namespace:
  6662. description: |-
  6663. The namespace of the Secret resource being referred to.
  6664. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6665. maxLength: 63
  6666. minLength: 1
  6667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6668. type: string
  6669. type: object
  6670. keySecretRef:
  6671. description: |-
  6672. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6673. In some instances, `key` is a required field.
  6674. properties:
  6675. key:
  6676. description: |-
  6677. A key in the referenced Secret.
  6678. Some instances of this field may be defaulted, in others it may be required.
  6679. maxLength: 253
  6680. minLength: 1
  6681. pattern: ^[-._a-zA-Z0-9]+$
  6682. type: string
  6683. name:
  6684. description: The name of the Secret resource being referred to.
  6685. maxLength: 253
  6686. minLength: 1
  6687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6688. type: string
  6689. namespace:
  6690. description: |-
  6691. The namespace of the Secret resource being referred to.
  6692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6693. maxLength: 63
  6694. minLength: 1
  6695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6696. type: string
  6697. type: object
  6698. required:
  6699. - certSecretRef
  6700. - keySecretRef
  6701. type: object
  6702. token:
  6703. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6704. properties:
  6705. tokenSecretRef:
  6706. description: |-
  6707. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6708. In some instances, `key` is a required field.
  6709. properties:
  6710. key:
  6711. description: |-
  6712. A key in the referenced Secret.
  6713. Some instances of this field may be defaulted, in others it may be required.
  6714. maxLength: 253
  6715. minLength: 1
  6716. pattern: ^[-._a-zA-Z0-9]+$
  6717. type: string
  6718. name:
  6719. description: The name of the Secret resource being referred to.
  6720. maxLength: 253
  6721. minLength: 1
  6722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6723. type: string
  6724. namespace:
  6725. description: |-
  6726. The namespace of the Secret resource being referred to.
  6727. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6728. maxLength: 63
  6729. minLength: 1
  6730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6731. type: string
  6732. type: object
  6733. required:
  6734. - tokenSecretRef
  6735. type: object
  6736. type: object
  6737. casRequired:
  6738. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6739. type: boolean
  6740. okmsTimeout:
  6741. default: 30
6742. description: 'Timeout, in seconds, for requests made to the KMS (default: 30).'
  6743. format: int32
  6744. minimum: 1
  6745. type: integer
  6746. okmsid:
  6747. description: specifies the OKMS ID.
  6748. type: string
  6749. server:
  6750. description: specifies the OKMS server endpoint.
  6751. type: string
  6752. required:
  6753. - auth
  6754. - okmsid
  6755. - server
  6756. type: object
  6757. passbolt:
  6758. description: |-
  6759. PassboltProvider provides access to Passbolt secrets manager.
  6760. See: https://www.passbolt.com.
  6761. properties:
  6762. auth:
  6763. description: Auth defines the information necessary to authenticate against Passbolt Server
  6764. properties:
  6765. passwordSecretRef:
  6766. description: |-
  6767. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6768. In some instances, `key` is a required field.
  6769. properties:
  6770. key:
  6771. description: |-
  6772. A key in the referenced Secret.
  6773. Some instances of this field may be defaulted, in others it may be required.
  6774. maxLength: 253
  6775. minLength: 1
  6776. pattern: ^[-._a-zA-Z0-9]+$
  6777. type: string
  6778. name:
  6779. description: The name of the Secret resource being referred to.
  6780. maxLength: 253
  6781. minLength: 1
  6782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6783. type: string
  6784. namespace:
  6785. description: |-
  6786. The namespace of the Secret resource being referred to.
  6787. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6788. maxLength: 63
  6789. minLength: 1
  6790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6791. type: string
  6792. type: object
  6793. privateKeySecretRef:
  6794. description: |-
  6795. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6796. In some instances, `key` is a required field.
  6797. properties:
  6798. key:
  6799. description: |-
  6800. A key in the referenced Secret.
  6801. Some instances of this field may be defaulted, in others it may be required.
  6802. maxLength: 253
  6803. minLength: 1
  6804. pattern: ^[-._a-zA-Z0-9]+$
  6805. type: string
  6806. name:
  6807. description: The name of the Secret resource being referred to.
  6808. maxLength: 253
  6809. minLength: 1
  6810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6811. type: string
  6812. namespace:
  6813. description: |-
  6814. The namespace of the Secret resource being referred to.
  6815. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6816. maxLength: 63
  6817. minLength: 1
  6818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6819. type: string
  6820. type: object
  6821. required:
  6822. - passwordSecretRef
  6823. - privateKeySecretRef
  6824. type: object
  6825. caBundle:
  6826. description: |-
  6827. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6828. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6829. are used to validate the TLS connection.
  6830. format: byte
  6831. type: string
  6832. caProvider:
  6833. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6834. properties:
  6835. key:
  6836. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6837. maxLength: 253
  6838. minLength: 1
  6839. pattern: ^[-._a-zA-Z0-9]+$
  6840. type: string
  6841. name:
  6842. description: The name of the object located at the provider type.
  6843. maxLength: 253
  6844. minLength: 1
  6845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6846. type: string
  6847. namespace:
  6848. description: |-
  6849. The namespace the Provider type is in.
  6850. Can only be defined when used in a ClusterSecretStore.
  6851. maxLength: 63
  6852. minLength: 1
  6853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6854. type: string
  6855. type:
  6856. description: The type of provider to use such as "Secret", or "ConfigMap".
  6857. enum:
  6858. - Secret
  6859. - ConfigMap
  6860. type: string
  6861. required:
  6862. - name
  6863. - type
  6864. type: object
  6865. host:
  6866. description: Host defines the Passbolt Server to connect to
  6867. type: string
  6868. required:
  6869. - auth
  6870. - host
  6871. type: object
  6872. passworddepot:
  6873. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6874. properties:
  6875. auth:
  6876. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6877. properties:
  6878. secretRef:
  6879. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6880. properties:
  6881. credentials:
  6882. description: Username / Password is used for authentication.
  6883. properties:
  6884. key:
  6885. description: |-
  6886. A key in the referenced Secret.
  6887. Some instances of this field may be defaulted, in others it may be required.
  6888. maxLength: 253
  6889. minLength: 1
  6890. pattern: ^[-._a-zA-Z0-9]+$
  6891. type: string
  6892. name:
  6893. description: The name of the Secret resource being referred to.
  6894. maxLength: 253
  6895. minLength: 1
  6896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6897. type: string
  6898. namespace:
  6899. description: |-
  6900. The namespace of the Secret resource being referred to.
  6901. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6902. maxLength: 63
  6903. minLength: 1
  6904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6905. type: string
  6906. type: object
  6907. type: object
  6908. required:
  6909. - secretRef
  6910. type: object
  6911. database:
  6912. description: Database to use as source
  6913. type: string
  6914. host:
6915. description: Host configures the Password Depot instance URL.
  6916. type: string
  6917. required:
  6918. - auth
  6919. - database
  6920. - host
  6921. type: object
  6922. previder:
  6923. description: Previder configures this store to sync secrets using the Previder provider
  6924. properties:
  6925. auth:
  6926. description: PreviderAuth contains a secretRef for credentials.
  6927. properties:
  6928. secretRef:
  6929. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6930. properties:
  6931. accessToken:
  6932. description: The AccessToken is used for authentication
  6933. properties:
  6934. key:
  6935. description: |-
  6936. A key in the referenced Secret.
  6937. Some instances of this field may be defaulted, in others it may be required.
  6938. maxLength: 253
  6939. minLength: 1
  6940. pattern: ^[-._a-zA-Z0-9]+$
  6941. type: string
  6942. name:
  6943. description: The name of the Secret resource being referred to.
  6944. maxLength: 253
  6945. minLength: 1
  6946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6947. type: string
  6948. namespace:
  6949. description: |-
  6950. The namespace of the Secret resource being referred to.
  6951. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6952. maxLength: 63
  6953. minLength: 1
  6954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6955. type: string
  6956. type: object
  6957. required:
  6958. - accessToken
  6959. type: object
  6960. type: object
  6961. baseUri:
  6962. type: string
  6963. required:
  6964. - auth
  6965. type: object
  6966. pulumi:
  6967. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6968. properties:
  6969. accessToken:
  6970. description: |-
6971. AccessToken is the access token used to sign in to the Pulumi Cloud Console.
6972. Deprecated: use auth.accessToken instead.
  6973. properties:
  6974. secretRef:
  6975. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6976. properties:
  6977. key:
  6978. description: |-
  6979. A key in the referenced Secret.
  6980. Some instances of this field may be defaulted, in others it may be required.
  6981. maxLength: 253
  6982. minLength: 1
  6983. pattern: ^[-._a-zA-Z0-9]+$
  6984. type: string
  6985. name:
  6986. description: The name of the Secret resource being referred to.
  6987. maxLength: 253
  6988. minLength: 1
  6989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6990. type: string
  6991. namespace:
  6992. description: |-
  6993. The namespace of the Secret resource being referred to.
  6994. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6995. maxLength: 63
  6996. minLength: 1
  6997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6998. type: string
  6999. type: object
  7000. type: object
  7001. apiUrl:
  7002. default: https://api.pulumi.com/api/esc
  7003. description: APIURL is the URL of the Pulumi API.
  7004. type: string
  7005. auth:
  7006. description: |-
  7007. Auth configures how the Operator authenticates with the Pulumi API.
  7008. Either auth or the deprecated accessToken field must be specified.
  7009. properties:
  7010. accessToken:
  7011. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  7012. properties:
  7013. secretRef:
  7014. description: SecretRef is a reference to a secret containing the Pulumi API token.
  7015. properties:
  7016. key:
  7017. description: |-
  7018. A key in the referenced Secret.
  7019. Some instances of this field may be defaulted, in others it may be required.
  7020. maxLength: 253
  7021. minLength: 1
  7022. pattern: ^[-._a-zA-Z0-9]+$
  7023. type: string
  7024. name:
  7025. description: The name of the Secret resource being referred to.
  7026. maxLength: 253
  7027. minLength: 1
  7028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7029. type: string
  7030. namespace:
  7031. description: |-
  7032. The namespace of the Secret resource being referred to.
  7033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7034. maxLength: 63
  7035. minLength: 1
  7036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7037. type: string
  7038. type: object
  7039. type: object
  7040. oidcConfig:
  7041. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  7042. properties:
  7043. expirationSeconds:
  7044. default: 600
  7045. description: |-
7046. ExpirationSeconds sets the validity duration, in seconds, of the service account and OIDC tokens.
7047. Defaults to 600 (10 minutes), which is also the minimum; keep it short, since a leaked token stays usable until it expires.
  7048. format: int64
  7049. minimum: 600
  7050. type: integer
  7051. organization:
  7052. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  7053. type: string
  7054. serviceAccountRef:
  7055. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  7056. properties:
  7057. audiences:
  7058. description: |-
7059. Audiences specifies the `aud` claim for the service account token.
7060. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
7061. these audiences are appended to the list.
  7062. items:
  7063. type: string
  7064. type: array
  7065. name:
  7066. description: The name of the ServiceAccount resource being referred to.
  7067. maxLength: 253
  7068. minLength: 1
  7069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7070. type: string
  7071. namespace:
  7072. description: |-
  7073. Namespace of the resource being referred to.
  7074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7075. maxLength: 63
  7076. minLength: 1
  7077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7078. type: string
  7079. required:
  7080. - name
  7081. type: object
  7082. required:
  7083. - organization
  7084. - serviceAccountRef
  7085. type: object
  7086. type: object
  7087. x-kubernetes-validations:
  7088. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  7089. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  7090. environment:
  7091. description: |-
7092. Environment is a Pulumi ESC environment: a YAML document composed of static key-value pairs, programmatic expressions,
7093. dynamically retrieved values from supported providers including all major clouds,
7094. and other Pulumi ESC environments.
  7095. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  7096. type: string
  7097. organization:
  7098. description: |-
7099. Organization is a space to collaborate on shared projects and stacks.
  7100. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  7101. type: string
  7102. project:
  7103. description: Project is the name of the Pulumi ESC project the environment belongs to.
  7104. type: string
  7105. required:
  7106. - environment
  7107. - organization
  7108. - project
  7109. type: object
  7110. x-kubernetes-validations:
  7111. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  7112. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  7113. scaleway:
  7114. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  7115. properties:
  7116. accessKey:
7117. description: AccessKey is the non-secret part of the api key (the secret part is secretKey).
  7118. properties:
  7119. secretRef:
  7120. description: SecretRef references a key in a secret that will be used as value.
  7121. properties:
  7122. key:
  7123. description: |-
  7124. A key in the referenced Secret.
  7125. Some instances of this field may be defaulted, in others it may be required.
  7126. maxLength: 253
  7127. minLength: 1
  7128. pattern: ^[-._a-zA-Z0-9]+$
  7129. type: string
  7130. name:
  7131. description: The name of the Secret resource being referred to.
  7132. maxLength: 253
  7133. minLength: 1
  7134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7135. type: string
  7136. namespace:
  7137. description: |-
  7138. The namespace of the Secret resource being referred to.
  7139. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7140. maxLength: 63
  7141. minLength: 1
  7142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7143. type: string
  7144. type: object
  7145. value:
  7146. description: Value can be specified directly to set a value without using a secret.
  7147. type: string
  7148. type: object
  7149. apiUrl:
  7150. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  7151. type: string
  7152. projectId:
  7153. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  7154. type: string
  7155. region:
  7156. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  7157. type: string
  7158. secretKey:
7159. description: 'SecretKey is the secret part of the api key. Prefer secretRef over value: a value set directly is stored in plaintext in this store''s spec.'
  7160. properties:
  7161. secretRef:
  7162. description: SecretRef references a key in a secret that will be used as value.
  7163. properties:
  7164. key:
  7165. description: |-
  7166. A key in the referenced Secret.
  7167. Some instances of this field may be defaulted, in others it may be required.
  7168. maxLength: 253
  7169. minLength: 1
  7170. pattern: ^[-._a-zA-Z0-9]+$
  7171. type: string
  7172. name:
  7173. description: The name of the Secret resource being referred to.
  7174. maxLength: 253
  7175. minLength: 1
  7176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7177. type: string
  7178. namespace:
  7179. description: |-
  7180. The namespace of the Secret resource being referred to.
  7181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7182. maxLength: 63
  7183. minLength: 1
  7184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7185. type: string
  7186. type: object
  7187. value:
  7188. description: Value can be specified directly to set a value without using a secret.
  7189. type: string
  7190. type: object
  7191. required:
  7192. - accessKey
  7193. - projectId
  7194. - region
  7195. - secretKey
  7196. type: object
  7197. secretserver:
  7198. description: |-
  7199. SecretServer configures this store to sync secrets using SecretServer provider
  7200. https://docs.delinea.com/online-help/secret-server/start.htm
  7201. properties:
  7202. caBundle:
  7203. description: |-
  7204. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  7205. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  7206. are used to validate the TLS connection.
  7207. format: byte
  7208. type: string
  7209. caProvider:
  7210. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  7211. properties:
  7212. key:
  7213. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7214. maxLength: 253
  7215. minLength: 1
  7216. pattern: ^[-._a-zA-Z0-9]+$
  7217. type: string
  7218. name:
  7219. description: The name of the object located at the provider type.
  7220. maxLength: 253
  7221. minLength: 1
  7222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7223. type: string
  7224. namespace:
  7225. description: |-
  7226. The namespace the Provider type is in.
  7227. Can only be defined when used in a ClusterSecretStore.
  7228. maxLength: 63
  7229. minLength: 1
  7230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7231. type: string
  7232. type:
  7233. description: The type of provider to use such as "Secret", or "ConfigMap".
  7234. enum:
  7235. - Secret
  7236. - ConfigMap
  7237. type: string
  7238. required:
  7239. - name
  7240. - type
  7241. type: object
  7242. domain:
  7243. description: Domain is the secret server domain.
  7244. type: string
  7245. password:
7246. description: 'Password is the secret server account password. Prefer secretRef over value: a value set directly is stored in plaintext in this store''s spec.'
  7247. properties:
  7248. secretRef:
  7249. description: SecretRef references a key in a secret that will be used as value.
  7250. properties:
  7251. key:
  7252. description: |-
  7253. A key in the referenced Secret.
  7254. Some instances of this field may be defaulted, in others it may be required.
  7255. maxLength: 253
  7256. minLength: 1
  7257. pattern: ^[-._a-zA-Z0-9]+$
  7258. type: string
  7259. name:
  7260. description: The name of the Secret resource being referred to.
  7261. maxLength: 253
  7262. minLength: 1
  7263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7264. type: string
  7265. namespace:
  7266. description: |-
  7267. The namespace of the Secret resource being referred to.
  7268. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7269. maxLength: 63
  7270. minLength: 1
  7271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7272. type: string
  7273. type: object
  7274. value:
  7275. description: Value can be specified directly to set a value without using a secret.
  7276. type: string
  7277. type: object
  7278. serverURL:
  7279. description: |-
7280. ServerURL is the URL of your Secret Server installation.
  7282. type: string
  7283. username:
  7284. description: Username is the secret server account username.
  7285. properties:
  7286. secretRef:
  7287. description: SecretRef references a key in a secret that will be used as value.
  7288. properties:
  7289. key:
  7290. description: |-
  7291. A key in the referenced Secret.
  7292. Some instances of this field may be defaulted, in others it may be required.
  7293. maxLength: 253
  7294. minLength: 1
  7295. pattern: ^[-._a-zA-Z0-9]+$
  7296. type: string
  7297. name:
  7298. description: The name of the Secret resource being referred to.
  7299. maxLength: 253
  7300. minLength: 1
  7301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7302. type: string
  7303. namespace:
  7304. description: |-
  7305. The namespace of the Secret resource being referred to.
  7306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7307. maxLength: 63
  7308. minLength: 1
  7309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7310. type: string
  7311. type: object
  7312. value:
  7313. description: Value can be specified directly to set a value without using a secret.
  7314. type: string
  7315. type: object
  7316. required:
  7317. - password
  7318. - serverURL
  7319. - username
  7320. type: object
  7321. senhasegura:
  7322. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7323. properties:
  7324. auth:
  7325. description: Auth defines parameters to authenticate in senhasegura
  7326. properties:
  7327. clientId:
  7328. type: string
  7329. clientSecretSecretRef:
  7330. description: |-
  7331. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7332. In some instances, `key` is a required field.
  7333. properties:
  7334. key:
  7335. description: |-
  7336. A key in the referenced Secret.
  7337. Some instances of this field may be defaulted, in others it may be required.
  7338. maxLength: 253
  7339. minLength: 1
  7340. pattern: ^[-._a-zA-Z0-9]+$
  7341. type: string
  7342. name:
  7343. description: The name of the Secret resource being referred to.
  7344. maxLength: 253
  7345. minLength: 1
  7346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7347. type: string
  7348. namespace:
  7349. description: |-
  7350. The namespace of the Secret resource being referred to.
  7351. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7352. maxLength: 63
  7353. minLength: 1
  7354. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7355. type: string
  7356. type: object
  7357. required:
  7358. - clientId
  7359. - clientSecretSecretRef
  7360. type: object
  7361. ignoreSslCertificate:
  7362. default: false
7363. description: 'IgnoreSslCertificate disables TLS certificate verification for the senhasegura URL. Leave it false outside of testing: with verification disabled the server is not authenticated and the connection can be intercepted.'
  7364. type: boolean
  7365. module:
  7366. description: Module defines which senhasegura module should be used to get secrets
  7367. type: string
  7368. url:
  7369. description: URL of senhasegura
  7370. type: string
  7371. required:
  7372. - auth
  7373. - module
  7374. - url
  7375. type: object
  7376. vault:
  7377. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7378. properties:
  7379. auth:
  7380. description: Auth configures how secret-manager authenticates with the Vault server.
  7381. properties:
  7382. appRole:
  7383. description: |-
  7384. AppRole authenticates with Vault using the App Role auth mechanism,
  7385. with the role and secret stored in a Kubernetes Secret resource.
  7386. properties:
  7387. path:
  7388. default: approle
  7389. description: |-
  7390. Path where the App Role authentication backend is mounted
  7391. in Vault, e.g: "approle"
  7392. type: string
  7393. roleId:
  7394. description: |-
  7395. RoleID configured in the App Role authentication backend when setting
  7396. up the authentication backend in Vault.
  7397. type: string
  7398. roleRef:
  7399. description: |-
  7400. Reference to a key in a Secret that contains the App Role ID used
  7401. to authenticate with Vault.
  7402. The `key` field must be specified and denotes which entry within the Secret
  7403. resource is used as the app role id.
  7404. properties:
  7405. key:
  7406. description: |-
  7407. A key in the referenced Secret.
  7408. Some instances of this field may be defaulted, in others it may be required.
  7409. maxLength: 253
  7410. minLength: 1
  7411. pattern: ^[-._a-zA-Z0-9]+$
  7412. type: string
  7413. name:
  7414. description: The name of the Secret resource being referred to.
  7415. maxLength: 253
  7416. minLength: 1
  7417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7418. type: string
  7419. namespace:
  7420. description: |-
  7421. The namespace of the Secret resource being referred to.
  7422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7423. maxLength: 63
  7424. minLength: 1
  7425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7426. type: string
  7427. type: object
  7428. secretRef:
  7429. description: |-
  7430. Reference to a key in a Secret that contains the App Role secret used
  7431. to authenticate with Vault.
  7432. The `key` field must be specified and denotes which entry within the Secret
  7433. resource is used as the app role secret.
  7434. properties:
  7435. key:
  7436. description: |-
  7437. A key in the referenced Secret.
  7438. Some instances of this field may be defaulted, in others it may be required.
  7439. maxLength: 253
  7440. minLength: 1
  7441. pattern: ^[-._a-zA-Z0-9]+$
  7442. type: string
  7443. name:
  7444. description: The name of the Secret resource being referred to.
  7445. maxLength: 253
  7446. minLength: 1
  7447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7448. type: string
  7449. namespace:
  7450. description: |-
  7451. The namespace of the Secret resource being referred to.
  7452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7453. maxLength: 63
  7454. minLength: 1
  7455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7456. type: string
  7457. type: object
  7458. required:
  7459. - path
  7460. - secretRef
  7461. type: object
  7462. cert:
  7463. description: |-
  7464. Cert authenticates with Vault by passing a client certificate, private key and CA certificate,
  7465. using the Cert authentication method
  7466. properties:
  7467. clientCert:
  7468. description: |-
  7469. ClientCert is a certificate to authenticate using the Cert Vault
  7470. authentication method
  7471. properties:
  7472. key:
  7473. description: |-
  7474. A key in the referenced Secret.
  7475. Some instances of this field may be defaulted, in others it may be required.
  7476. maxLength: 253
  7477. minLength: 1
  7478. pattern: ^[-._a-zA-Z0-9]+$
  7479. type: string
  7480. name:
  7481. description: The name of the Secret resource being referred to.
  7482. maxLength: 253
  7483. minLength: 1
  7484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7485. type: string
  7486. namespace:
  7487. description: |-
  7488. The namespace of the Secret resource being referred to.
  7489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7490. maxLength: 63
  7491. minLength: 1
  7492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7493. type: string
  7494. type: object
  7495. path:
  7496. default: cert
  7497. description: |-
  7498. Path where the Certificate authentication backend is mounted
  7499. in Vault, e.g: "cert"
  7500. type: string
  7501. secretRef:
  7502. description: |-
  7503. SecretRef to a key in a Secret resource containing client private key to
  7504. authenticate with Vault using the Cert authentication method
  7505. properties:
  7506. key:
  7507. description: |-
  7508. A key in the referenced Secret.
  7509. Some instances of this field may be defaulted, in others it may be required.
  7510. maxLength: 253
  7511. minLength: 1
  7512. pattern: ^[-._a-zA-Z0-9]+$
  7513. type: string
  7514. name:
  7515. description: The name of the Secret resource being referred to.
  7516. maxLength: 253
  7517. minLength: 1
  7518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7519. type: string
  7520. namespace:
  7521. description: |-
  7522. The namespace of the Secret resource being referred to.
  7523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7524. maxLength: 63
  7525. minLength: 1
  7526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7527. type: string
  7528. type: object
  7529. vaultRole:
  7530. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7531. type: string
  7532. type: object
  7533. gcp:
  7534. description: |-
  7535. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  7536. authentication method
  7537. properties:
  7538. location:
  7539. description: Location optionally defines a location/region for the secret
  7540. type: string
  7541. path:
  7542. default: gcp
  7543. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7544. type: string
  7545. projectID:
  7546. description: Project ID of the Google Cloud Platform project
  7547. type: string
  7548. role:
  7549. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7550. type: string
  7551. secretRef:
  7552. description: Specify credentials in a Secret object
  7553. properties:
  7554. secretAccessKeySecretRef:
  7555. description: The SecretAccessKey is used for authentication
  7556. properties:
  7557. key:
  7558. description: |-
  7559. A key in the referenced Secret.
  7560. Some instances of this field may be defaulted, in others it may be required.
  7561. maxLength: 253
  7562. minLength: 1
  7563. pattern: ^[-._a-zA-Z0-9]+$
  7564. type: string
  7565. name:
  7566. description: The name of the Secret resource being referred to.
  7567. maxLength: 253
  7568. minLength: 1
  7569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7570. type: string
  7571. namespace:
  7572. description: |-
  7573. The namespace of the Secret resource being referred to.
  7574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7575. maxLength: 63
  7576. minLength: 1
  7577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7578. type: string
  7579. type: object
  7580. type: object
  7581. serviceAccountRef:
  7582. description: ServiceAccountRef to a service account for impersonation
  7583. properties:
  7584. audiences:
  7585. description: |-
  7586. Audience specifies the `aud` claim for the service account token
  7587. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7588. then these audiences will be appended to the list
  7589. items:
  7590. type: string
  7591. type: array
  7592. name:
  7593. description: The name of the ServiceAccount resource being referred to.
  7594. maxLength: 253
  7595. minLength: 1
  7596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7597. type: string
  7598. namespace:
  7599. description: |-
  7600. Namespace of the resource being referred to.
  7601. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7602. maxLength: 63
  7603. minLength: 1
  7604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7605. type: string
  7606. required:
  7607. - name
  7608. type: object
  7609. workloadIdentity:
  7610. description: Specify a service account with Workload Identity
  7611. properties:
  7612. clusterLocation:
  7613. description: |-
  7614. ClusterLocation is the location of the cluster
  7615. If not specified, it fetches information from the metadata server
  7616. type: string
  7617. clusterName:
  7618. description: |-
  7619. ClusterName is the name of the cluster
  7620. If not specified, it fetches information from the metadata server
  7621. type: string
  7622. clusterProjectID:
  7623. description: |-
  7624. ClusterProjectID is the project ID of the cluster
  7625. If not specified, it fetches information from the metadata server
  7626. type: string
  7627. serviceAccountRef:
  7628. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7629. properties:
  7630. audiences:
  7631. description: |-
  7632. Audience specifies the `aud` claim for the service account token
  7633. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7634. then these audiences will be appended to the list
  7635. items:
  7636. type: string
  7637. type: array
  7638. name:
  7639. description: The name of the ServiceAccount resource being referred to.
  7640. maxLength: 253
  7641. minLength: 1
  7642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7643. type: string
  7644. namespace:
  7645. description: |-
  7646. Namespace of the resource being referred to.
  7647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7648. maxLength: 63
  7649. minLength: 1
  7650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7651. type: string
  7652. required:
  7653. - name
  7654. type: object
  7655. required:
  7656. - serviceAccountRef
  7657. type: object
  7658. required:
  7659. - role
  7660. type: object
  7661. iam:
  7662. description: |-
  7663. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials,
  7664. using the AWS IAM authentication method
  7665. properties:
  7666. externalID:
  7667. description: AWS External ID set on assumed IAM roles
  7668. type: string
  7669. jwt:
  7670. description: Specify a service account with IRSA enabled
  7671. properties:
  7672. serviceAccountRef:
  7673. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7674. properties:
  7675. audiences:
  7676. description: |-
  7677. Audience specifies the `aud` claim for the service account token
  7678. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7679. then these audiences will be appended to the list
  7680. items:
  7681. type: string
  7682. type: array
  7683. name:
  7684. description: The name of the ServiceAccount resource being referred to.
  7685. maxLength: 253
  7686. minLength: 1
  7687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7688. type: string
  7689. namespace:
  7690. description: |-
  7691. Namespace of the resource being referred to.
  7692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7693. maxLength: 63
  7694. minLength: 1
  7695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7696. type: string
  7697. required:
  7698. - name
  7699. type: object
  7700. type: object
  7701. path:
  7702. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7703. type: string
  7704. region:
  7705. description: AWS region
  7706. type: string
  7707. role:
  7708. description: This is the AWS role to be assumed before talking to Vault
  7709. type: string
  7710. secretRef:
  7711. description: Specify credentials in a Secret object
  7712. properties:
  7713. accessKeyIDSecretRef:
  7714. description: The AccessKeyID is used for authentication
  7715. properties:
  7716. key:
  7717. description: |-
  7718. A key in the referenced Secret.
  7719. Some instances of this field may be defaulted, in others it may be required.
  7720. maxLength: 253
  7721. minLength: 1
  7722. pattern: ^[-._a-zA-Z0-9]+$
  7723. type: string
  7724. name:
  7725. description: The name of the Secret resource being referred to.
  7726. maxLength: 253
  7727. minLength: 1
  7728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7729. type: string
  7730. namespace:
  7731. description: |-
  7732. The namespace of the Secret resource being referred to.
  7733. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7734. maxLength: 63
  7735. minLength: 1
  7736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7737. type: string
  7738. type: object
  7739. secretAccessKeySecretRef:
  7740. description: The SecretAccessKey is used for authentication
  7741. properties:
  7742. key:
  7743. description: |-
  7744. A key in the referenced Secret.
  7745. Some instances of this field may be defaulted, in others it may be required.
  7746. maxLength: 253
  7747. minLength: 1
  7748. pattern: ^[-._a-zA-Z0-9]+$
  7749. type: string
  7750. name:
  7751. description: The name of the Secret resource being referred to.
  7752. maxLength: 253
  7753. minLength: 1
  7754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7755. type: string
  7756. namespace:
  7757. description: |-
  7758. The namespace of the Secret resource being referred to.
  7759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7760. maxLength: 63
  7761. minLength: 1
  7762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7763. type: string
  7764. type: object
  7765. sessionTokenSecretRef:
  7766. description: |-
  7767. The SessionToken used for authentication
  7768. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7769. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7770. properties:
  7771. key:
  7772. description: |-
  7773. A key in the referenced Secret.
  7774. Some instances of this field may be defaulted, in others it may be required.
  7775. maxLength: 253
  7776. minLength: 1
  7777. pattern: ^[-._a-zA-Z0-9]+$
  7778. type: string
  7779. name:
  7780. description: The name of the Secret resource being referred to.
  7781. maxLength: 253
  7782. minLength: 1
  7783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7784. type: string
  7785. namespace:
  7786. description: |-
  7787. The namespace of the Secret resource being referred to.
  7788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7789. maxLength: 63
  7790. minLength: 1
  7791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7792. type: string
  7793. type: object
  7794. type: object
  7795. vaultAwsIamServerID:
  7796. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by the Vault IAM auth method to mitigate different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7797. type: string
  7798. vaultRole:
  7799. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7800. type: string
  7801. required:
  7802. - vaultRole
  7803. type: object
  7804. jwt:
  7805. description: |-
  7806. Jwt authenticates with Vault by passing role and JWT token using the
  7807. JWT/OIDC authentication method
  7808. properties:
  7809. kubernetesServiceAccountToken:
  7810. description: |-
  7811. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7812. a token with the `TokenRequest` API.
  7813. properties:
  7814. audiences:
  7815. description: |-
  7816. Optional audiences field that will be used to request a temporary Kubernetes service
  7817. account token for the service account referenced by `serviceAccountRef`.
  7818. Defaults to a single audience `vault` if not specified.
  7819. Deprecated: use serviceAccountRef.Audiences instead
  7820. items:
  7821. type: string
  7822. type: array
  7823. expirationSeconds:
  7824. description: |-
  7825. Optional expiration time in seconds that will be used to request a temporary
  7826. Kubernetes service account token for the service account referenced by
  7827. `serviceAccountRef`.
  7828. Deprecated: this will be removed in the future.
  7829. Defaults to 10 minutes.
  7830. format: int64
  7831. type: integer
  7832. serviceAccountRef:
  7833. description: Service account field containing the name of a kubernetes ServiceAccount.
  7834. properties:
  7835. audiences:
  7836. description: |-
  7837. Audience specifies the `aud` claim for the service account token
  7838. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7839. then these audiences will be appended to the list
  7840. items:
  7841. type: string
  7842. type: array
  7843. name:
  7844. description: The name of the ServiceAccount resource being referred to.
  7845. maxLength: 253
  7846. minLength: 1
  7847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7848. type: string
  7849. namespace:
  7850. description: |-
  7851. Namespace of the resource being referred to.
  7852. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7853. maxLength: 63
  7854. minLength: 1
  7855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7856. type: string
  7857. required:
  7858. - name
  7859. type: object
  7860. required:
  7861. - serviceAccountRef
  7862. type: object
  7863. path:
  7864. default: jwt
  7865. description: |-
  7866. Path where the JWT authentication backend is mounted
  7867. in Vault, e.g: "jwt"
  7868. type: string
  7869. role:
  7870. description: |-
  7871. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7872. authentication method
  7873. type: string
  7874. secretRef:
  7875. description: |-
  7876. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7877. authenticate with Vault using the JWT/OIDC authentication method.
  7878. properties:
  7879. key:
  7880. description: |-
  7881. A key in the referenced Secret.
  7882. Some instances of this field may be defaulted, in others it may be required.
  7883. maxLength: 253
  7884. minLength: 1
  7885. pattern: ^[-._a-zA-Z0-9]+$
  7886. type: string
  7887. name:
  7888. description: The name of the Secret resource being referred to.
  7889. maxLength: 253
  7890. minLength: 1
  7891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7892. type: string
  7893. namespace:
  7894. description: |-
  7895. The namespace of the Secret resource being referred to.
  7896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7897. maxLength: 63
  7898. minLength: 1
  7899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7900. type: string
  7901. type: object
  7902. required:
  7903. - path
  7904. type: object
  7905. kubernetes:
  7906. description: |-
  7907. Kubernetes authenticates with Vault by passing the ServiceAccount
  7908. token stored in the named Secret resource to the Vault server.
  7909. properties:
  7910. mountPath:
  7911. default: kubernetes
  7912. description: |-
  7913. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7914. "kubernetes"
  7915. type: string
  7916. role:
  7917. description: |-
  7918. A required field containing the Vault Role to assume. A Role binds a
  7919. Kubernetes ServiceAccount with a set of Vault policies.
  7920. type: string
  7921. secretRef:
  7922. description: |-
  7923. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7924. for authenticating with Vault. If a name is specified without a key,
  7925. `token` is the default. If no secretRef is specified, the token bound to
  7926. the controller will be used.
  7927. properties:
  7928. key:
  7929. description: |-
  7930. A key in the referenced Secret.
  7931. Some instances of this field may be defaulted, in others it may be required.
  7932. maxLength: 253
  7933. minLength: 1
  7934. pattern: ^[-._a-zA-Z0-9]+$
  7935. type: string
  7936. name:
  7937. description: The name of the Secret resource being referred to.
  7938. maxLength: 253
  7939. minLength: 1
  7940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7941. type: string
  7942. namespace:
  7943. description: |-
  7944. The namespace of the Secret resource being referred to.
  7945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7946. maxLength: 63
  7947. minLength: 1
  7948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7949. type: string
  7950. type: object
  7951. serviceAccountRef:
  7952. description: |-
  7953. Optional service account field containing the name of a kubernetes ServiceAccount.
  7954. If the service account is specified, the service account secret token JWT will be used
  7955. for authenticating with Vault. If the service account selector is not supplied,
  7956. the secretRef will be used instead.
  7957. properties:
  7958. audiences:
  7959. description: |-
  7960. Audience specifies the `aud` claim for the service account token
  7961. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7962. then these audiences will be appended to the list
  7963. items:
  7964. type: string
  7965. type: array
  7966. name:
  7967. description: The name of the ServiceAccount resource being referred to.
  7968. maxLength: 253
  7969. minLength: 1
  7970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7971. type: string
  7972. namespace:
  7973. description: |-
  7974. Namespace of the resource being referred to.
  7975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7976. maxLength: 63
  7977. minLength: 1
  7978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7979. type: string
  7980. required:
  7981. - name
  7982. type: object
  7983. required:
  7984. - mountPath
  7985. - role
  7986. type: object
  7987. ldap:
  7988. description: |-
  7989. Ldap authenticates with Vault by passing username/password pair using
  7990. the LDAP authentication method
  7991. properties:
  7992. path:
  7993. default: ldap
  7994. description: |-
  7995. Path where the LDAP authentication backend is mounted
  7996. in Vault, e.g: "ldap"
  7997. type: string
  7998. secretRef:
  7999. description: |-
  8000. SecretRef to a key in a Secret resource containing password for the LDAP
  8001. user used to authenticate with Vault using the LDAP authentication
  8002. method
  8003. properties:
  8004. key:
  8005. description: |-
  8006. A key in the referenced Secret.
  8007. Some instances of this field may be defaulted, in others it may be required.
  8008. maxLength: 253
  8009. minLength: 1
  8010. pattern: ^[-._a-zA-Z0-9]+$
  8011. type: string
  8012. name:
  8013. description: The name of the Secret resource being referred to.
  8014. maxLength: 253
  8015. minLength: 1
  8016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8017. type: string
  8018. namespace:
  8019. description: |-
  8020. The namespace of the Secret resource being referred to.
  8021. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8022. maxLength: 63
  8023. minLength: 1
  8024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8025. type: string
  8026. type: object
  8027. username:
  8028. description: |-
  8029. Username is an LDAP username used to authenticate using the LDAP Vault
  8030. authentication method
  8031. type: string
  8032. required:
  8033. - path
  8034. - username
  8035. type: object
  8036. namespace:
  8037. description: |-
  8038. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  8039. Namespaces is a set of features within Vault Enterprise that allows
  8040. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8041. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8042. This defaults to the Vault.Namespace field if set, or is empty otherwise
  8043. type: string
  8044. tokenSecretRef:
  8045. description: TokenSecretRef authenticates with Vault by presenting a token.
  8046. properties:
  8047. key:
  8048. description: |-
  8049. A key in the referenced Secret.
  8050. Some instances of this field may be defaulted, in others it may be required.
  8051. maxLength: 253
  8052. minLength: 1
  8053. pattern: ^[-._a-zA-Z0-9]+$
  8054. type: string
  8055. name:
  8056. description: The name of the Secret resource being referred to.
  8057. maxLength: 253
  8058. minLength: 1
  8059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8060. type: string
  8061. namespace:
  8062. description: |-
  8063. The namespace of the Secret resource being referred to.
  8064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8065. maxLength: 63
  8066. minLength: 1
  8067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8068. type: string
  8069. type: object
  8070. userPass:
  8071. description: UserPass authenticates with Vault by passing username/password pair
  8072. properties:
  8073. path:
  8074. default: userpass
  8075. description: |-
  8076. Path where the UserPassword authentication backend is mounted
  8077. in Vault, e.g: "userpass"
  8078. type: string
  8079. secretRef:
  8080. description: |-
  8081. SecretRef to a key in a Secret resource containing password for the
  8082. user used to authenticate with Vault using the UserPass authentication
  8083. method
  8084. properties:
  8085. key:
  8086. description: |-
  8087. A key in the referenced Secret.
  8088. Some instances of this field may be defaulted, in others it may be required.
  8089. maxLength: 253
  8090. minLength: 1
  8091. pattern: ^[-._a-zA-Z0-9]+$
  8092. type: string
  8093. name:
  8094. description: The name of the Secret resource being referred to.
  8095. maxLength: 253
  8096. minLength: 1
  8097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8098. type: string
  8099. namespace:
  8100. description: |-
  8101. The namespace of the Secret resource being referred to.
  8102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8103. maxLength: 63
  8104. minLength: 1
  8105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8106. type: string
  8107. type: object
  8108. username:
  8109. description: |-
  8110. Username is a username used to authenticate using the UserPass Vault
  8111. authentication method
  8112. type: string
  8113. required:
  8114. - path
  8115. - username
  8116. type: object
  8117. type: object
  8118. caBundle:
  8119. description: |-
  8120. PEM encoded CA bundle used to validate Vault server certificate. Only used
  8121. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8122. plain HTTP protocol connections. If not set, the system root certificates
  8123. are used to validate the TLS connection.
  8124. format: byte
  8125. type: string
  8126. caProvider:
  8127. description: The provider for the CA bundle to use to validate Vault server certificate.
  8128. properties:
  8129. key:
  8130. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8131. maxLength: 253
  8132. minLength: 1
  8133. pattern: ^[-._a-zA-Z0-9]+$
  8134. type: string
  8135. name:
  8136. description: The name of the object located at the provider type.
  8137. maxLength: 253
  8138. minLength: 1
  8139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8140. type: string
  8141. namespace:
  8142. description: |-
  8143. The namespace the Provider type is in.
  8144. Can only be defined when used in a ClusterSecretStore.
  8145. maxLength: 63
  8146. minLength: 1
  8147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8148. type: string
  8149. type:
  8150. description: The type of provider to use such as "Secret", or "ConfigMap".
  8151. enum:
  8152. - Secret
  8153. - ConfigMap
  8154. type: string
  8155. required:
  8156. - name
  8157. - type
  8158. type: object
  8159. checkAndSet:
  8160. description: |-
  8161. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  8162. Only applies to Vault KV v2 stores. When enabled, write operations must include
  8163. the current version of the secret to prevent unintentional overwrites.
  8164. properties:
  8165. required:
  8166. description: |-
  8167. Required when true, all write operations must include a check-and-set parameter.
  8168. This helps prevent unintentional overwrites of secrets.
  8169. type: boolean
  8170. type: object
  8171. forwardInconsistent:
  8172. description: |-
  8173. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8174. leader instead of simply retrying within a loop. This can increase performance if
  8175. the option is enabled serverside.
  8176. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8177. type: boolean
  8178. headers:
  8179. additionalProperties:
  8180. type: string
  8181. description: Headers to be added to Vault requests
  8182. type: object
  8183. namespace:
  8184. description: |-
  8185. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8186. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8187. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8188. type: string
  8189. path:
  8190. description: |-
  8191. Path is the mount path of the Vault KV backend endpoint, e.g:
  8192. "secret". The v2 KV secret engine version specific "/data" path suffix
  8193. for fetching secrets from Vault is optional and will be appended
  8194. if not present in specified path.
  8195. type: string
  8196. readYourWrites:
  8197. description: |-
  8198. ReadYourWrites ensures isolated read-after-write semantics by
  8199. providing discovered cluster replication states in each request.
  8200. More information about eventual consistency in Vault can be found here
  8201. https://www.vaultproject.io/docs/enterprise/consistency
  8202. type: boolean
  8203. server:
  8204. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8205. type: string
  8206. tls:
  8207. description: |-
  8208. The configuration used for client side related TLS communication, when the Vault server
  8209. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  8210. This parameter is ignored for plain HTTP protocol connection.
  8211. It's worth noting this configuration is different from the "TLS certificates auth method",
  8212. which is available under the `auth.cert` section.
  8213. properties:
  8214. certSecretRef:
  8215. description: |-
  8216. CertSecretRef is a certificate added to the transport layer
  8217. when communicating with the Vault server.
  8218. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  8219. properties:
  8220. key:
  8221. description: |-
  8222. A key in the referenced Secret.
  8223. Some instances of this field may be defaulted, in others it may be required.
  8224. maxLength: 253
  8225. minLength: 1
  8226. pattern: ^[-._a-zA-Z0-9]+$
  8227. type: string
  8228. name:
  8229. description: The name of the Secret resource being referred to.
  8230. maxLength: 253
  8231. minLength: 1
  8232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8233. type: string
  8234. namespace:
  8235. description: |-
  8236. The namespace of the Secret resource being referred to.
  8237. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8238. maxLength: 63
  8239. minLength: 1
  8240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8241. type: string
  8242. type: object
  8243. keySecretRef:
  8244. description: |-
  8245. KeySecretRef to a key in a Secret resource containing client private key
  8246. added to the transport layer when communicating with the Vault server.
  8247. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  8248. properties:
  8249. key:
  8250. description: |-
  8251. A key in the referenced Secret.
  8252. Some instances of this field may be defaulted, in others it may be required.
  8253. maxLength: 253
  8254. minLength: 1
  8255. pattern: ^[-._a-zA-Z0-9]+$
  8256. type: string
  8257. name:
  8258. description: The name of the Secret resource being referred to.
  8259. maxLength: 253
  8260. minLength: 1
  8261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8262. type: string
  8263. namespace:
  8264. description: |-
  8265. The namespace of the Secret resource being referred to.
  8266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8267. maxLength: 63
  8268. minLength: 1
  8269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8270. type: string
  8271. type: object
  8272. type: object
  8273. version:
  8274. default: v2
  8275. description: |-
  8276. Version is the Vault KV secret engine version. This can be either "v1" or
  8277. "v2". Version defaults to "v2".
  8278. enum:
  8279. - v1
  8280. - v2
  8281. type: string
  8282. required:
  8283. - server
  8284. type: object
  8285. volcengine:
  8286. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8287. properties:
  8288. auth:
  8289. description: |-
  8290. Auth defines the authentication method to use.
  8291. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8292. properties:
  8293. secretRef:
  8294. description: |-
  8295. SecretRef defines the static credentials to use for authentication.
  8296. If not set, IRSA is used.
  8297. properties:
  8298. accessKeyID:
  8299. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8300. properties:
  8301. key:
  8302. description: |-
  8303. A key in the referenced Secret.
  8304. Some instances of this field may be defaulted, in others it may be required.
  8305. maxLength: 253
  8306. minLength: 1
  8307. pattern: ^[-._a-zA-Z0-9]+$
  8308. type: string
  8309. name:
  8310. description: The name of the Secret resource being referred to.
  8311. maxLength: 253
  8312. minLength: 1
  8313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8314. type: string
  8315. namespace:
  8316. description: |-
  8317. The namespace of the Secret resource being referred to.
  8318. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8319. maxLength: 63
  8320. minLength: 1
  8321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8322. type: string
  8323. type: object
  8324. secretAccessKey:
  8325. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8326. properties:
  8327. key:
  8328. description: |-
  8329. A key in the referenced Secret.
  8330. Some instances of this field may be defaulted, in others it may be required.
  8331. maxLength: 253
  8332. minLength: 1
  8333. pattern: ^[-._a-zA-Z0-9]+$
  8334. type: string
  8335. name:
  8336. description: The name of the Secret resource being referred to.
  8337. maxLength: 253
  8338. minLength: 1
  8339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8340. type: string
  8341. namespace:
  8342. description: |-
  8343. The namespace of the Secret resource being referred to.
  8344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8345. maxLength: 63
  8346. minLength: 1
  8347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8348. type: string
  8349. type: object
  8350. token:
  8351. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8352. properties:
  8353. key:
  8354. description: |-
  8355. A key in the referenced Secret.
  8356. Some instances of this field may be defaulted, in others it may be required.
  8357. maxLength: 253
  8358. minLength: 1
  8359. pattern: ^[-._a-zA-Z0-9]+$
  8360. type: string
  8361. name:
  8362. description: The name of the Secret resource being referred to.
  8363. maxLength: 253
  8364. minLength: 1
  8365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8366. type: string
  8367. namespace:
  8368. description: |-
  8369. The namespace of the Secret resource being referred to.
  8370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8371. maxLength: 63
  8372. minLength: 1
  8373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8374. type: string
  8375. type: object
  8376. required:
  8377. - accessKeyID
  8378. - secretAccessKey
  8379. type: object
  8380. type: object
  8381. region:
  8382. description: Region specifies the Volcengine region to connect to.
  8383. type: string
  8384. required:
  8385. - region
  8386. type: object
  8387. webhook:
  8388. description: Webhook configures this store to sync secrets using a generic templated webhook
  8389. properties:
  8390. auth:
8391. description: Auth specifies an authorization protocol. Only one protocol may be set.
  8392. maxProperties: 1
  8393. minProperties: 1
  8394. properties:
  8395. ntlm:
  8396. description: NTLMProtocol configures the store to use NTLM for auth
  8397. properties:
  8398. passwordSecret:
  8399. description: |-
  8400. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8401. In some instances, `key` is a required field.
  8402. properties:
  8403. key:
  8404. description: |-
  8405. A key in the referenced Secret.
  8406. Some instances of this field may be defaulted, in others it may be required.
  8407. maxLength: 253
  8408. minLength: 1
  8409. pattern: ^[-._a-zA-Z0-9]+$
  8410. type: string
  8411. name:
  8412. description: The name of the Secret resource being referred to.
  8413. maxLength: 253
  8414. minLength: 1
  8415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8416. type: string
  8417. namespace:
  8418. description: |-
  8419. The namespace of the Secret resource being referred to.
  8420. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8421. maxLength: 63
  8422. minLength: 1
  8423. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8424. type: string
  8425. type: object
  8426. usernameSecret:
  8427. description: |-
  8428. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8429. In some instances, `key` is a required field.
  8430. properties:
  8431. key:
  8432. description: |-
  8433. A key in the referenced Secret.
  8434. Some instances of this field may be defaulted, in others it may be required.
  8435. maxLength: 253
  8436. minLength: 1
  8437. pattern: ^[-._a-zA-Z0-9]+$
  8438. type: string
  8439. name:
  8440. description: The name of the Secret resource being referred to.
  8441. maxLength: 253
  8442. minLength: 1
  8443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8444. type: string
  8445. namespace:
  8446. description: |-
  8447. The namespace of the Secret resource being referred to.
  8448. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8449. maxLength: 63
  8450. minLength: 1
  8451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8452. type: string
  8453. type: object
  8454. required:
  8455. - passwordSecret
  8456. - usernameSecret
  8457. type: object
  8458. type: object
  8459. body:
  8460. description: Body
  8461. type: string
  8462. caBundle:
  8463. description: |-
  8464. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8465. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8466. plain HTTP protocol connection. If not set the system root certificates
  8467. are used to validate the TLS connection.
  8468. format: byte
  8469. type: string
  8470. caProvider:
  8471. description: The provider for the CA bundle to use to validate webhook server certificate.
  8472. properties:
  8473. key:
  8474. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8475. maxLength: 253
  8476. minLength: 1
  8477. pattern: ^[-._a-zA-Z0-9]+$
  8478. type: string
  8479. name:
  8480. description: The name of the object located at the provider type.
  8481. maxLength: 253
  8482. minLength: 1
  8483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8484. type: string
  8485. namespace:
  8486. description: The namespace the Provider type is in.
  8487. maxLength: 63
  8488. minLength: 1
  8489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8490. type: string
  8491. type:
  8492. description: The type of provider to use such as "Secret", or "ConfigMap".
  8493. enum:
  8494. - Secret
  8495. - ConfigMap
  8496. type: string
  8497. required:
  8498. - name
  8499. - type
  8500. type: object
  8501. headers:
  8502. additionalProperties:
  8503. type: string
  8504. description: Headers
  8505. type: object
  8506. method:
  8507. description: Webhook Method
  8508. type: string
  8509. result:
  8510. description: Result formatting
  8511. properties:
  8512. jsonPath:
  8513. description: Json path of return value
  8514. type: string
  8515. type: object
  8516. secrets:
  8517. description: |-
  8518. Secrets to fill in templates
  8519. These secrets will be passed to the templating function as key value pairs under the given name
  8520. items:
  8521. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8522. properties:
  8523. name:
  8524. description: Name of this secret in templates
  8525. type: string
  8526. secretRef:
  8527. description: Secret ref to fill in credentials
  8528. properties:
  8529. key:
  8530. description: |-
  8531. A key in the referenced Secret.
  8532. Some instances of this field may be defaulted, in others it may be required.
  8533. maxLength: 253
  8534. minLength: 1
  8535. pattern: ^[-._a-zA-Z0-9]+$
  8536. type: string
  8537. name:
  8538. description: The name of the Secret resource being referred to.
  8539. maxLength: 253
  8540. minLength: 1
  8541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8542. type: string
  8543. namespace:
  8544. description: |-
  8545. The namespace of the Secret resource being referred to.
  8546. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8547. maxLength: 63
  8548. minLength: 1
  8549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8550. type: string
  8551. type: object
  8552. required:
  8553. - name
  8554. - secretRef
  8555. type: object
  8556. type: array
  8557. timeout:
  8558. description: Timeout
  8559. type: string
  8560. url:
  8561. description: Webhook url to call
  8562. type: string
  8563. required:
  8564. - url
  8565. type: object
  8566. yandexcertificatemanager:
  8567. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8568. properties:
  8569. apiEndpoint:
  8570. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8571. type: string
  8572. auth:
  8573. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8574. properties:
  8575. authorizedKeySecretRef:
  8576. description: The authorized key used for authentication
  8577. properties:
  8578. key:
  8579. description: |-
  8580. A key in the referenced Secret.
  8581. Some instances of this field may be defaulted, in others it may be required.
  8582. maxLength: 253
  8583. minLength: 1
  8584. pattern: ^[-._a-zA-Z0-9]+$
  8585. type: string
  8586. name:
  8587. description: The name of the Secret resource being referred to.
  8588. maxLength: 253
  8589. minLength: 1
  8590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8591. type: string
  8592. namespace:
  8593. description: |-
  8594. The namespace of the Secret resource being referred to.
  8595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8596. maxLength: 63
  8597. minLength: 1
  8598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8599. type: string
  8600. type: object
  8601. type: object
  8602. caProvider:
  8603. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8604. properties:
  8605. certSecretRef:
  8606. description: |-
  8607. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8608. In some instances, `key` is a required field.
  8609. properties:
  8610. key:
  8611. description: |-
  8612. A key in the referenced Secret.
  8613. Some instances of this field may be defaulted, in others it may be required.
  8614. maxLength: 253
  8615. minLength: 1
  8616. pattern: ^[-._a-zA-Z0-9]+$
  8617. type: string
  8618. name:
  8619. description: The name of the Secret resource being referred to.
  8620. maxLength: 253
  8621. minLength: 1
  8622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8623. type: string
  8624. namespace:
  8625. description: |-
  8626. The namespace of the Secret resource being referred to.
  8627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8628. maxLength: 63
  8629. minLength: 1
  8630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8631. type: string
  8632. type: object
  8633. type: object
  8634. fetching:
  8635. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8636. maxProperties: 1
  8637. minProperties: 1
  8638. properties:
  8639. byID:
8640. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID.
  8641. type: object
  8642. byName:
8643. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate name.
  8644. properties:
  8645. folderID:
  8646. description: The folder to fetch secrets from
  8647. type: string
  8648. required:
  8649. - folderID
  8650. type: object
  8651. type: object
  8652. required:
  8653. - auth
  8654. type: object
  8655. yandexlockbox:
  8656. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8657. properties:
  8658. apiEndpoint:
  8659. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8660. type: string
  8661. auth:
  8662. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8663. properties:
  8664. authorizedKeySecretRef:
  8665. description: The authorized key used for authentication
  8666. properties:
  8667. key:
  8668. description: |-
  8669. A key in the referenced Secret.
  8670. Some instances of this field may be defaulted, in others it may be required.
  8671. maxLength: 253
  8672. minLength: 1
  8673. pattern: ^[-._a-zA-Z0-9]+$
  8674. type: string
  8675. name:
  8676. description: The name of the Secret resource being referred to.
  8677. maxLength: 253
  8678. minLength: 1
  8679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8680. type: string
  8681. namespace:
  8682. description: |-
  8683. The namespace of the Secret resource being referred to.
  8684. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8685. maxLength: 63
  8686. minLength: 1
  8687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8688. type: string
  8689. type: object
  8690. type: object
  8691. caProvider:
  8692. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8693. properties:
  8694. certSecretRef:
  8695. description: |-
  8696. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8697. In some instances, `key` is a required field.
  8698. properties:
  8699. key:
  8700. description: |-
  8701. A key in the referenced Secret.
  8702. Some instances of this field may be defaulted, in others it may be required.
  8703. maxLength: 253
  8704. minLength: 1
  8705. pattern: ^[-._a-zA-Z0-9]+$
  8706. type: string
  8707. name:
  8708. description: The name of the Secret resource being referred to.
  8709. maxLength: 253
  8710. minLength: 1
  8711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8712. type: string
  8713. namespace:
  8714. description: |-
  8715. The namespace of the Secret resource being referred to.
  8716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8717. maxLength: 63
  8718. minLength: 1
  8719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8720. type: string
  8721. type: object
  8722. type: object
  8723. fetching:
  8724. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8725. maxProperties: 1
  8726. minProperties: 1
  8727. properties:
  8728. byID:
  8729. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8730. type: object
  8731. byName:
  8732. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8733. properties:
  8734. folderID:
  8735. description: The folder to fetch secrets from
  8736. type: string
  8737. required:
  8738. - folderID
  8739. type: object
  8740. type: object
  8741. required:
  8742. - auth
  8743. type: object
  8744. type: object
  8745. refreshInterval:
  8746. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8747. type: integer
  8748. retrySettings:
  8749. description: Used to configure HTTP retries on failures.
  8750. properties:
  8751. maxRetries:
  8752. format: int32
  8753. type: integer
  8754. retryInterval:
  8755. type: string
  8756. type: object
  8757. required:
  8758. - provider
  8759. type: object
  8760. status:
  8761. description: SecretStoreStatus defines the observed state of the SecretStore.
  8762. properties:
  8763. capabilities:
  8764. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8765. type: string
  8766. conditions:
  8767. items:
  8768. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8769. properties:
  8770. lastTransitionTime:
  8771. format: date-time
  8772. type: string
  8773. message:
  8774. type: string
  8775. reason:
  8776. type: string
  8777. status:
  8778. type: string
  8779. type:
  8780. description: SecretStoreConditionType represents the condition of the SecretStore.
  8781. type: string
  8782. required:
  8783. - status
  8784. - type
  8785. type: object
  8786. type: array
  8787. type: object
  8788. type: object
  8789. served: true
  8790. storage: true
  8791. subresources:
  8792. status: {}
  8793. - additionalPrinterColumns:
  8794. - jsonPath: .metadata.creationTimestamp
  8795. name: AGE
  8796. type: date
  8797. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8798. name: Status
  8799. type: string
  8800. - jsonPath: .status.capabilities
  8801. name: Capabilities
  8802. type: string
  8803. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8804. name: Ready
  8805. type: string
  8806. deprecated: true
  8807. name: v1beta1
  8808. schema:
  8809. openAPIV3Schema:
  8810. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8811. properties:
  8812. apiVersion:
  8813. description: |-
  8814. APIVersion defines the versioned schema of this representation of an object.
  8815. Servers should convert recognized schemas to the latest internal value, and
  8816. may reject unrecognized values.
  8817. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8818. type: string
  8819. kind:
  8820. description: |-
  8821. Kind is a string value representing the REST resource this object represents.
  8822. Servers may infer this from the endpoint the client submits requests to.
  8823. Cannot be updated.
  8824. In CamelCase.
  8825. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8826. type: string
  8827. metadata:
  8828. type: object
  8829. spec:
  8830. description: SecretStoreSpec defines the desired state of SecretStore.
  8831. properties:
  8832. conditions:
  8833. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8834. items:
  8835. description: |-
  8836. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8837. for a ClusterSecretStore instance.
  8838. properties:
  8839. namespaceRegexes:
  8840. description: Choose namespaces by using regex matching
  8841. items:
  8842. type: string
  8843. type: array
  8844. namespaceSelector:
  8845. description: Choose namespace using a labelSelector
  8846. properties:
  8847. matchExpressions:
  8848. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8849. items:
  8850. description: |-
  8851. A label selector requirement is a selector that contains values, a key, and an operator that
  8852. relates the key and values.
  8853. properties:
  8854. key:
  8855. description: key is the label key that the selector applies to.
  8856. type: string
  8857. operator:
  8858. description: |-
  8859. operator represents a key's relationship to a set of values.
  8860. Valid operators are In, NotIn, Exists and DoesNotExist.
  8861. type: string
  8862. values:
  8863. description: |-
  8864. values is an array of string values. If the operator is In or NotIn,
  8865. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8866. the values array must be empty. This array is replaced during a strategic
  8867. merge patch.
  8868. items:
  8869. type: string
  8870. type: array
  8871. x-kubernetes-list-type: atomic
  8872. required:
  8873. - key
  8874. - operator
  8875. type: object
  8876. type: array
  8877. x-kubernetes-list-type: atomic
  8878. matchLabels:
  8879. additionalProperties:
  8880. type: string
  8881. description: |-
  8882. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8883. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8884. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8885. type: object
  8886. type: object
  8887. x-kubernetes-map-type: atomic
  8888. namespaces:
  8889. description: Choose namespaces by name
  8890. items:
  8891. maxLength: 63
  8892. minLength: 1
  8893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8894. type: string
  8895. type: array
  8896. type: object
  8897. type: array
  8898. controller:
  8899. description: |-
  8900. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8901. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8902. type: string
  8903. provider:
  8904. description: Used to configure the provider. Only one provider may be set
  8905. maxProperties: 1
  8906. minProperties: 1
  8907. properties:
  8908. akeyless:
  8909. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8910. properties:
  8911. akeylessGWApiURL:
8912. description: Akeyless GW API URL from which the secrets are to be fetched.
  8913. type: string
  8914. authSecretRef:
  8915. description: Auth configures how the operator authenticates with Akeyless.
  8916. properties:
  8917. kubernetesAuth:
  8918. description: |-
  8919. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8920. token stored in the named Secret resource.
  8921. properties:
  8922. accessID:
  8923. description: the Akeyless Kubernetes auth-method access-id
  8924. type: string
  8925. k8sConfName:
  8926. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8927. type: string
  8928. secretRef:
  8929. description: |-
  8930. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8931. for authenticating with Akeyless. If a name is specified without a key,
  8932. `token` is the default. If one is not specified, the one bound to
  8933. the controller will be used.
  8934. properties:
  8935. key:
  8936. description: |-
  8937. A key in the referenced Secret.
  8938. Some instances of this field may be defaulted, in others it may be required.
  8939. maxLength: 253
  8940. minLength: 1
  8941. pattern: ^[-._a-zA-Z0-9]+$
  8942. type: string
  8943. name:
  8944. description: The name of the Secret resource being referred to.
  8945. maxLength: 253
  8946. minLength: 1
  8947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8948. type: string
  8949. namespace:
  8950. description: |-
  8951. The namespace of the Secret resource being referred to.
  8952. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8953. maxLength: 63
  8954. minLength: 1
  8955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8956. type: string
  8957. type: object
  8958. serviceAccountRef:
  8959. description: |-
  8960. Optional service account field containing the name of a kubernetes ServiceAccount.
  8961. If the service account is specified, the service account secret token JWT will be used
  8962. for authenticating with Akeyless. If the service account selector is not supplied,
  8963. the secretRef will be used instead.
  8964. properties:
  8965. audiences:
  8966. description: |-
8967. Audience specifies the `aud` claim for the service account token.
8968. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
8969. then these audiences will be appended to the list.
  8970. items:
  8971. type: string
  8972. type: array
  8973. name:
  8974. description: The name of the ServiceAccount resource being referred to.
  8975. maxLength: 253
  8976. minLength: 1
  8977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8978. type: string
  8979. namespace:
  8980. description: |-
  8981. Namespace of the resource being referred to.
  8982. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8983. maxLength: 63
  8984. minLength: 1
  8985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8986. type: string
  8987. required:
  8988. - name
  8989. type: object
  8990. required:
  8991. - accessID
  8992. - k8sConfName
  8993. type: object
  8994. secretRef:
  8995. description: |-
  8996. Reference to a Secret that contains the details
  8997. to authenticate with Akeyless.
  8998. properties:
  8999. accessID:
  9000. description: The SecretAccessID is used for authentication
  9001. properties:
  9002. key:
  9003. description: |-
  9004. A key in the referenced Secret.
  9005. Some instances of this field may be defaulted, in others it may be required.
  9006. maxLength: 253
  9007. minLength: 1
  9008. pattern: ^[-._a-zA-Z0-9]+$
  9009. type: string
  9010. name:
  9011. description: The name of the Secret resource being referred to.
  9012. maxLength: 253
  9013. minLength: 1
  9014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9015. type: string
  9016. namespace:
  9017. description: |-
  9018. The namespace of the Secret resource being referred to.
  9019. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9020. maxLength: 63
  9021. minLength: 1
  9022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9023. type: string
  9024. type: object
  9025. accessType:
  9026. description: |-
  9027. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9028. In some instances, `key` is a required field.
  9029. properties:
  9030. key:
  9031. description: |-
  9032. A key in the referenced Secret.
  9033. Some instances of this field may be defaulted, in others it may be required.
  9034. maxLength: 253
  9035. minLength: 1
  9036. pattern: ^[-._a-zA-Z0-9]+$
  9037. type: string
  9038. name:
  9039. description: The name of the Secret resource being referred to.
  9040. maxLength: 253
  9041. minLength: 1
  9042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9043. type: string
  9044. namespace:
  9045. description: |-
  9046. The namespace of the Secret resource being referred to.
  9047. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9048. maxLength: 63
  9049. minLength: 1
  9050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9051. type: string
  9052. type: object
  9053. accessTypeParam:
  9054. description: |-
  9055. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9056. In some instances, `key` is a required field.
  9057. properties:
  9058. key:
  9059. description: |-
  9060. A key in the referenced Secret.
  9061. Some instances of this field may be defaulted, in others it may be required.
  9062. maxLength: 253
  9063. minLength: 1
  9064. pattern: ^[-._a-zA-Z0-9]+$
  9065. type: string
  9066. name:
  9067. description: The name of the Secret resource being referred to.
  9068. maxLength: 253
  9069. minLength: 1
  9070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9071. type: string
  9072. namespace:
  9073. description: |-
  9074. The namespace of the Secret resource being referred to.
  9075. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9076. maxLength: 63
  9077. minLength: 1
  9078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9079. type: string
  9080. type: object
  9081. type: object
  9082. type: object
  9083. caBundle:
  9084. description: |-
  9085. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  9086. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  9087. are used to validate the TLS connection.
  9088. format: byte
  9089. type: string
  9090. caProvider:
  9091. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  9092. properties:
  9093. key:
  9094. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9095. maxLength: 253
  9096. minLength: 1
  9097. pattern: ^[-._a-zA-Z0-9]+$
  9098. type: string
  9099. name:
  9100. description: The name of the object located at the provider type.
  9101. maxLength: 253
  9102. minLength: 1
  9103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9104. type: string
  9105. namespace:
  9106. description: |-
  9107. The namespace the Provider type is in.
  9108. Can only be defined when used in a ClusterSecretStore.
  9109. maxLength: 63
  9110. minLength: 1
  9111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9112. type: string
  9113. type:
  9114. description: The type of provider to use such as "Secret", or "ConfigMap".
  9115. enum:
  9116. - Secret
  9117. - ConfigMap
  9118. type: string
  9119. required:
  9120. - name
  9121. - type
  9122. type: object
  9123. required:
  9124. - akeylessGWApiURL
  9125. - authSecretRef
  9126. type: object
  9127. alibaba:
  9128. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  9129. properties:
  9130. auth:
  9131. description: AlibabaAuth contains a secretRef for credentials.
  9132. properties:
  9133. rrsa:
  9134. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  9135. properties:
  9136. oidcProviderArn:
  9137. type: string
  9138. oidcTokenFilePath:
  9139. type: string
  9140. roleArn:
  9141. type: string
  9142. sessionName:
  9143. type: string
  9144. required:
  9145. - oidcProviderArn
  9146. - oidcTokenFilePath
  9147. - roleArn
  9148. - sessionName
  9149. type: object
  9150. secretRef:
  9151. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  9152. properties:
  9153. accessKeyIDSecretRef:
  9154. description: The AccessKeyID is used for authentication
  9155. properties:
  9156. key:
  9157. description: |-
  9158. A key in the referenced Secret.
  9159. Some instances of this field may be defaulted, in others it may be required.
  9160. maxLength: 253
  9161. minLength: 1
  9162. pattern: ^[-._a-zA-Z0-9]+$
  9163. type: string
  9164. name:
  9165. description: The name of the Secret resource being referred to.
  9166. maxLength: 253
  9167. minLength: 1
  9168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9169. type: string
  9170. namespace:
  9171. description: |-
  9172. The namespace of the Secret resource being referred to.
  9173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9174. maxLength: 63
  9175. minLength: 1
  9176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9177. type: string
  9178. type: object
  9179. accessKeySecretSecretRef:
  9180. description: The AccessKeySecret is used for authentication
  9181. properties:
  9182. key:
  9183. description: |-
  9184. A key in the referenced Secret.
  9185. Some instances of this field may be defaulted, in others it may be required.
  9186. maxLength: 253
  9187. minLength: 1
  9188. pattern: ^[-._a-zA-Z0-9]+$
  9189. type: string
  9190. name:
  9191. description: The name of the Secret resource being referred to.
  9192. maxLength: 253
  9193. minLength: 1
  9194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9195. type: string
  9196. namespace:
  9197. description: |-
  9198. The namespace of the Secret resource being referred to.
  9199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9200. maxLength: 63
  9201. minLength: 1
  9202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9203. type: string
  9204. type: object
  9205. required:
  9206. - accessKeyIDSecretRef
  9207. - accessKeySecretSecretRef
  9208. type: object
  9209. type: object
  9210. regionID:
  9211. description: Alibaba Region to be used for the provider
  9212. type: string
  9213. required:
  9214. - auth
  9215. - regionID
  9216. type: object
  9217. aws:
  9218. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  9219. properties:
  9220. additionalRoles:
  9221. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  9222. items:
  9223. type: string
  9224. type: array
  9225. auth:
  9226. description: |-
  9227. Auth defines the information necessary to authenticate against AWS.
  9228. If not set, the AWS SDK will infer credentials from your environment,
  9229. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  9230. properties:
  9231. jwt:
  9232. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  9233. properties:
  9234. serviceAccountRef:
  9235. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  9236. properties:
  9237. audiences:
  9238. description: |-
  9239. Audience specifies the `aud` claim for the service account token
  9240. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9241. then these audiences will be appended to the list
  9242. items:
  9243. type: string
  9244. type: array
  9245. name:
  9246. description: The name of the ServiceAccount resource being referred to.
  9247. maxLength: 253
  9248. minLength: 1
  9249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9250. type: string
  9251. namespace:
  9252. description: |-
  9253. Namespace of the resource being referred to.
  9254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9255. maxLength: 63
  9256. minLength: 1
  9257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9258. type: string
  9259. required:
  9260. - name
  9261. type: object
  9262. type: object
  9263. secretRef:
  9264. description: |-
  9265. AWSAuthSecretRef holds secret references for AWS credentials
  9266. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9267. properties:
  9268. accessKeyIDSecretRef:
  9269. description: The AccessKeyID is used for authentication
  9270. properties:
  9271. key:
  9272. description: |-
  9273. A key in the referenced Secret.
  9274. Some instances of this field may be defaulted, in others it may be required.
  9275. maxLength: 253
  9276. minLength: 1
  9277. pattern: ^[-._a-zA-Z0-9]+$
  9278. type: string
  9279. name:
  9280. description: The name of the Secret resource being referred to.
  9281. maxLength: 253
  9282. minLength: 1
  9283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9284. type: string
  9285. namespace:
  9286. description: |-
  9287. The namespace of the Secret resource being referred to.
  9288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9289. maxLength: 63
  9290. minLength: 1
  9291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9292. type: string
  9293. type: object
  9294. secretAccessKeySecretRef:
  9295. description: The SecretAccessKey is used for authentication
  9296. properties:
  9297. key:
  9298. description: |-
  9299. A key in the referenced Secret.
  9300. Some instances of this field may be defaulted, in others it may be required.
  9301. maxLength: 253
  9302. minLength: 1
  9303. pattern: ^[-._a-zA-Z0-9]+$
  9304. type: string
  9305. name:
  9306. description: The name of the Secret resource being referred to.
  9307. maxLength: 253
  9308. minLength: 1
  9309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9310. type: string
  9311. namespace:
  9312. description: |-
  9313. The namespace of the Secret resource being referred to.
  9314. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9315. maxLength: 63
  9316. minLength: 1
  9317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9318. type: string
  9319. type: object
  9320. sessionTokenSecretRef:
  9321. description: |-
  9322. The SessionToken used for authentication.
  9323. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9324. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9325. properties:
  9326. key:
  9327. description: |-
  9328. A key in the referenced Secret.
  9329. Some instances of this field may be defaulted, in others it may be required.
  9330. maxLength: 253
  9331. minLength: 1
  9332. pattern: ^[-._a-zA-Z0-9]+$
  9333. type: string
  9334. name:
  9335. description: The name of the Secret resource being referred to.
  9336. maxLength: 253
  9337. minLength: 1
  9338. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9339. type: string
  9340. namespace:
  9341. description: |-
  9342. The namespace of the Secret resource being referred to.
  9343. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9344. maxLength: 63
  9345. minLength: 1
  9346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9347. type: string
  9348. type: object
  9349. type: object
  9350. type: object
  9351. externalID:
  9352. description: AWS External ID set on assumed IAM roles
  9353. type: string
  9354. prefix:
  9355. description: Prefix adds a prefix to all retrieved values.
  9356. type: string
  9357. region:
  9358. description: AWS Region to be used for the provider
  9359. type: string
  9360. role:
  9361. description: Role is a Role ARN which the provider will assume
  9362. type: string
  9363. secretsManager:
  9364. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9365. properties:
  9366. forceDeleteWithoutRecovery:
  9367. description: |-
  9368. Specifies whether to delete the secret without any recovery window. You
  9369. can't use both this parameter and RecoveryWindowInDays in the same call.
  9370. If you don't use either, then by default Secrets Manager uses a 30 day
  9371. recovery window.
  9372. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9373. type: boolean
  9374. recoveryWindowInDays:
  9375. description: |-
  9376. The number of days from 7 to 30 that Secrets Manager waits before
  9377. permanently deleting the secret. You can't use both this parameter and
  9378. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9379. then by default Secrets Manager uses a 30 day recovery window.
  9380. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9381. format: int64
  9382. type: integer
  9383. type: object
  9384. service:
  9385. description: Service defines which service should be used to fetch the secrets
  9386. enum:
  9387. - SecretsManager
  9388. - ParameterStore
  9389. type: string
  9390. sessionTags:
  9391. description: AWS STS assume role session tags
  9392. items:
  9393. description: Tag defines a tag key and value for AWS resources.
  9394. properties:
  9395. key:
  9396. type: string
  9397. value:
  9398. type: string
  9399. required:
  9400. - key
  9401. - value
  9402. type: object
  9403. type: array
  9404. transitiveTagKeys:
  9405. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9406. items:
  9407. type: string
  9408. type: array
  9409. required:
  9410. - region
  9411. - service
  9412. type: object
  9413. azurekv:
  9414. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9415. properties:
  9416. authSecretRef:
  9417. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9418. properties:
  9419. clientCertificate:
  9420. description: The Azure ClientCertificate of the service principal used for authentication.
  9421. properties:
  9422. key:
  9423. description: |-
  9424. A key in the referenced Secret.
  9425. Some instances of this field may be defaulted, in others it may be required.
  9426. maxLength: 253
  9427. minLength: 1
  9428. pattern: ^[-._a-zA-Z0-9]+$
  9429. type: string
  9430. name:
  9431. description: The name of the Secret resource being referred to.
  9432. maxLength: 253
  9433. minLength: 1
  9434. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9435. type: string
  9436. namespace:
  9437. description: |-
  9438. The namespace of the Secret resource being referred to.
  9439. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9440. maxLength: 63
  9441. minLength: 1
  9442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9443. type: string
  9444. type: object
  9445. clientId:
  9446. description: The Azure clientId of the service principal or managed identity used for authentication.
  9447. properties:
  9448. key:
  9449. description: |-
  9450. A key in the referenced Secret.
  9451. Some instances of this field may be defaulted, in others it may be required.
  9452. maxLength: 253
  9453. minLength: 1
  9454. pattern: ^[-._a-zA-Z0-9]+$
  9455. type: string
  9456. name:
  9457. description: The name of the Secret resource being referred to.
  9458. maxLength: 253
  9459. minLength: 1
  9460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9461. type: string
  9462. namespace:
  9463. description: |-
  9464. The namespace of the Secret resource being referred to.
  9465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9466. maxLength: 63
  9467. minLength: 1
  9468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9469. type: string
  9470. type: object
  9471. clientSecret:
  9472. description: The Azure ClientSecret of the service principal used for authentication.
  9473. properties:
  9474. key:
  9475. description: |-
  9476. A key in the referenced Secret.
  9477. Some instances of this field may be defaulted, in others it may be required.
  9478. maxLength: 253
  9479. minLength: 1
  9480. pattern: ^[-._a-zA-Z0-9]+$
  9481. type: string
  9482. name:
  9483. description: The name of the Secret resource being referred to.
  9484. maxLength: 253
  9485. minLength: 1
  9486. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9487. type: string
  9488. namespace:
  9489. description: |-
  9490. The namespace of the Secret resource being referred to.
  9491. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9492. maxLength: 63
  9493. minLength: 1
  9494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9495. type: string
  9496. type: object
  9497. tenantId:
  9498. description: The Azure tenantId of the managed identity used for authentication.
  9499. properties:
  9500. key:
  9501. description: |-
  9502. A key in the referenced Secret.
  9503. Some instances of this field may be defaulted, in others it may be required.
  9504. maxLength: 253
  9505. minLength: 1
  9506. pattern: ^[-._a-zA-Z0-9]+$
  9507. type: string
  9508. name:
  9509. description: The name of the Secret resource being referred to.
  9510. maxLength: 253
  9511. minLength: 1
  9512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9513. type: string
  9514. namespace:
  9515. description: |-
  9516. The namespace of the Secret resource being referred to.
  9517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9518. maxLength: 63
  9519. minLength: 1
  9520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9521. type: string
  9522. type: object
  9523. type: object
  9524. authType:
  9525. default: ServicePrincipal
  9526. description: |-
  9527. Auth type defines how to authenticate to the keyvault service.
  9528. Valid values are:
  9529. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9530. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9531. enum:
  9532. - ServicePrincipal
  9533. - ManagedIdentity
  9534. - WorkloadIdentity
  9535. type: string
  9536. environmentType:
  9537. default: PublicCloud
  9538. description: |-
  9539. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9540. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9541. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9542. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9543. enum:
  9544. - PublicCloud
  9545. - USGovernmentCloud
  9546. - ChinaCloud
  9547. - GermanCloud
  9548. type: string
  9549. identityId:
  9550. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
  9551. type: string
  9552. serviceAccountRef:
  9553. description: |-
  9554. ServiceAccountRef specifies the service account
  9555. that should be used when authenticating with WorkloadIdentity.
  9556. properties:
  9557. audiences:
  9558. description: |-
  9559. Audience specifies the `aud` claim for the service account token
  9560. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9561. then these audiences will be appended to the list
  9562. items:
  9563. type: string
  9564. type: array
  9565. name:
  9566. description: The name of the ServiceAccount resource being referred to.
  9567. maxLength: 253
  9568. minLength: 1
  9569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9570. type: string
  9571. namespace:
  9572. description: |-
  9573. Namespace of the resource being referred to.
  9574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9575. maxLength: 63
  9576. minLength: 1
  9577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9578. type: string
  9579. required:
  9580. - name
  9581. type: object
  9582. tenantId:
  9583. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9584. type: string
  9585. vaultUrl:
  9586. description: Vault URL from which the secrets are to be fetched.
  9587. type: string
  9588. required:
  9589. - vaultUrl
  9590. type: object
  9591. beyondtrust:
  9592. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9593. properties:
  9594. auth:
  9595. description: Auth configures how the operator authenticates with Beyondtrust.
  9596. properties:
  9597. apiKey:
  9598. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  9599. properties:
  9600. secretRef:
  9601. description: SecretRef references a key in a secret that will be used as value.
  9602. properties:
  9603. key:
  9604. description: |-
  9605. A key in the referenced Secret.
  9606. Some instances of this field may be defaulted, in others it may be required.
  9607. maxLength: 253
  9608. minLength: 1
  9609. pattern: ^[-._a-zA-Z0-9]+$
  9610. type: string
  9611. name:
  9612. description: The name of the Secret resource being referred to.
  9613. maxLength: 253
  9614. minLength: 1
  9615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9616. type: string
  9617. namespace:
  9618. description: |-
  9619. The namespace of the Secret resource being referred to.
  9620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9621. maxLength: 63
  9622. minLength: 1
  9623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9624. type: string
  9625. type: object
  9626. value:
  9627. description: Value can be specified directly to set a value without using a secret.
  9628. type: string
  9629. type: object
  9630. certificate:
  9631. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9632. properties:
  9633. secretRef:
  9634. description: SecretRef references a key in a secret that will be used as value.
  9635. properties:
  9636. key:
  9637. description: |-
  9638. A key in the referenced Secret.
  9639. Some instances of this field may be defaulted, in others it may be required.
  9640. maxLength: 253
  9641. minLength: 1
  9642. pattern: ^[-._a-zA-Z0-9]+$
  9643. type: string
  9644. name:
  9645. description: The name of the Secret resource being referred to.
  9646. maxLength: 253
  9647. minLength: 1
  9648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9649. type: string
  9650. namespace:
  9651. description: |-
  9652. The namespace of the Secret resource being referred to.
  9653. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9654. maxLength: 63
  9655. minLength: 1
  9656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9657. type: string
  9658. type: object
  9659. value:
  9660. description: Value can be specified directly to set a value without using a secret.
  9661. type: string
  9662. type: object
  9663. certificateKey:
  9664. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  9665. properties:
  9666. secretRef:
  9667. description: SecretRef references a key in a secret that will be used as value.
  9668. properties:
  9669. key:
  9670. description: |-
  9671. A key in the referenced Secret.
  9672. Some instances of this field may be defaulted, in others it may be required.
  9673. maxLength: 253
  9674. minLength: 1
  9675. pattern: ^[-._a-zA-Z0-9]+$
  9676. type: string
  9677. name:
  9678. description: The name of the Secret resource being referred to.
  9679. maxLength: 253
  9680. minLength: 1
  9681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9682. type: string
  9683. namespace:
  9684. description: |-
  9685. The namespace of the Secret resource being referred to.
  9686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9687. maxLength: 63
  9688. minLength: 1
  9689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9690. type: string
  9691. type: object
  9692. value:
  9693. description: Value can be specified directly to set a value without using a secret.
  9694. type: string
  9695. type: object
  9696. clientId:
  9697. description: ClientID is the API OAuth Client ID.
  9698. properties:
  9699. secretRef:
  9700. description: SecretRef references a key in a secret that will be used as value.
  9701. properties:
  9702. key:
  9703. description: |-
  9704. A key in the referenced Secret.
  9705. Some instances of this field may be defaulted, in others it may be required.
  9706. maxLength: 253
  9707. minLength: 1
  9708. pattern: ^[-._a-zA-Z0-9]+$
  9709. type: string
  9710. name:
  9711. description: The name of the Secret resource being referred to.
  9712. maxLength: 253
  9713. minLength: 1
  9714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9715. type: string
  9716. namespace:
  9717. description: |-
  9718. The namespace of the Secret resource being referred to.
  9719. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9720. maxLength: 63
  9721. minLength: 1
  9722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9723. type: string
  9724. type: object
  9725. value:
  9726. description: Value can be specified directly to set a value without using a secret.
  9727. type: string
  9728. type: object
  9729. clientSecret:
  9730. description: ClientSecret is the API OAuth Client Secret.
  9731. properties:
  9732. secretRef:
  9733. description: SecretRef references a key in a secret that will be used as value.
  9734. properties:
  9735. key:
  9736. description: |-
  9737. A key in the referenced Secret.
  9738. Some instances of this field may be defaulted, in others it may be required.
  9739. maxLength: 253
  9740. minLength: 1
  9741. pattern: ^[-._a-zA-Z0-9]+$
  9742. type: string
  9743. name:
  9744. description: The name of the Secret resource being referred to.
  9745. maxLength: 253
  9746. minLength: 1
  9747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9748. type: string
  9749. namespace:
  9750. description: |-
  9751. The namespace of the Secret resource being referred to.
  9752. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9753. maxLength: 63
  9754. minLength: 1
  9755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9756. type: string
  9757. type: object
  9758. value:
  9759. description: Value can be specified directly to set a value without using a secret.
  9760. type: string
  9761. type: object
  9762. type: object
  9763. server:
  9764. description: Configures how the API server works.
  9765. properties:
  9766. apiUrl:
  9767. type: string
  9768. apiVersion:
  9769. type: string
  9770. clientTimeOutSeconds:
  9771. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9772. type: integer
  9773. decrypt:
  9774. default: true
  9775. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9776. type: boolean
  9777. retrievalType:
  9778. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9779. type: string
  9780. separator:
  9781. description: A character that separates the folder names.
  9782. type: string
  9783. verifyCA:
  9784. type: boolean
  9785. required:
  9786. - apiUrl
  9787. - verifyCA
  9788. type: object
  9789. required:
  9790. - auth
  9791. - server
  9792. type: object
  9793. bitwardensecretsmanager:
  9794. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9795. properties:
  9796. apiURL:
  9797. type: string
  9798. auth:
  9799. description: |-
  9800. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9801. Make sure that the token being used has permissions on the given secret.
  9802. properties:
  9803. secretRef:
  9804. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9805. properties:
  9806. credentials:
  9807. description: AccessToken used for the bitwarden instance.
  9808. properties:
  9809. key:
  9810. description: |-
  9811. A key in the referenced Secret.
  9812. Some instances of this field may be defaulted, in others it may be required.
  9813. maxLength: 253
  9814. minLength: 1
  9815. pattern: ^[-._a-zA-Z0-9]+$
  9816. type: string
  9817. name:
  9818. description: The name of the Secret resource being referred to.
  9819. maxLength: 253
  9820. minLength: 1
  9821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9822. type: string
  9823. namespace:
  9824. description: |-
  9825. The namespace of the Secret resource being referred to.
  9826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9827. maxLength: 63
  9828. minLength: 1
  9829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9830. type: string
  9831. type: object
  9832. required:
  9833. - credentials
  9834. type: object
  9835. required:
  9836. - secretRef
  9837. type: object
  9838. bitwardenServerSDKURL:
  9839. type: string
  9840. caBundle:
  9841. description: |-
  9842. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9843. can be performed.
  9844. type: string
  9845. caProvider:
  9846. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9847. properties:
  9848. key:
  9849. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9850. maxLength: 253
  9851. minLength: 1
  9852. pattern: ^[-._a-zA-Z0-9]+$
  9853. type: string
  9854. name:
  9855. description: The name of the object located at the provider type.
  9856. maxLength: 253
  9857. minLength: 1
  9858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9859. type: string
  9860. namespace:
  9861. description: |-
  9862. The namespace the Provider type is in.
  9863. Can only be defined when used in a ClusterSecretStore.
  9864. maxLength: 63
  9865. minLength: 1
  9866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9867. type: string
  9868. type:
  9869. description: The type of provider to use such as "Secret", or "ConfigMap".
  9870. enum:
  9871. - Secret
  9872. - ConfigMap
  9873. type: string
  9874. required:
  9875. - name
  9876. - type
  9877. type: object
  9878. identityURL:
  9879. type: string
  9880. organizationID:
  9881. description: OrganizationID determines which organization this secret store manages.
  9882. type: string
  9883. projectID:
  9884. description: ProjectID determines which project this secret store manages.
  9885. type: string
  9886. required:
  9887. - auth
  9888. - organizationID
  9889. - projectID
  9890. type: object
  9891. chef:
  9892. description: Chef configures this store to sync secrets with chef server
  9893. properties:
  9894. auth:
  9895. description: Auth defines the information necessary to authenticate against chef Server
  9896. properties:
  9897. secretRef:
  9898. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9899. properties:
  9900. privateKeySecretRef:
  9901. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9902. properties:
  9903. key:
  9904. description: |-
  9905. A key in the referenced Secret.
  9906. Some instances of this field may be defaulted, in others it may be required.
  9907. maxLength: 253
  9908. minLength: 1
  9909. pattern: ^[-._a-zA-Z0-9]+$
  9910. type: string
  9911. name:
  9912. description: The name of the Secret resource being referred to.
  9913. maxLength: 253
  9914. minLength: 1
  9915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9916. type: string
  9917. namespace:
  9918. description: |-
  9919. The namespace of the Secret resource being referred to.
  9920. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9921. maxLength: 63
  9922. minLength: 1
  9923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9924. type: string
  9925. type: object
  9926. required:
  9927. - privateKeySecretRef
  9928. type: object
  9929. required:
  9930. - secretRef
  9931. type: object
  9932. serverUrl:
  9933. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9934. type: string
  9935. username:
  9936. description: UserName should be the user ID on the chef server
  9937. type: string
  9938. required:
  9939. - auth
  9940. - serverUrl
  9941. - username
  9942. type: object
  9943. cloudrusm:
  9944. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9945. properties:
  9946. auth:
  9947. description: CSMAuth contains a secretRef for credentials.
  9948. properties:
  9949. secretRef:
  9950. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9951. properties:
  9952. accessKeyIDSecretRef:
  9953. description: The AccessKeyID is used for authentication
  9954. properties:
  9955. key:
  9956. description: |-
  9957. A key in the referenced Secret.
  9958. Some instances of this field may be defaulted, in others it may be required.
  9959. maxLength: 253
  9960. minLength: 1
  9961. pattern: ^[-._a-zA-Z0-9]+$
  9962. type: string
  9963. name:
  9964. description: The name of the Secret resource being referred to.
  9965. maxLength: 253
  9966. minLength: 1
  9967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9968. type: string
  9969. namespace:
  9970. description: |-
  9971. The namespace of the Secret resource being referred to.
  9972. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9973. maxLength: 63
  9974. minLength: 1
  9975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9976. type: string
  9977. type: object
  9978. accessKeySecretSecretRef:
  9979. description: The AccessKeySecret is used for authentication
  9980. properties:
  9981. key:
  9982. description: |-
  9983. A key in the referenced Secret.
  9984. Some instances of this field may be defaulted, in others it may be required.
  9985. maxLength: 253
  9986. minLength: 1
  9987. pattern: ^[-._a-zA-Z0-9]+$
  9988. type: string
  9989. name:
  9990. description: The name of the Secret resource being referred to.
  9991. maxLength: 253
  9992. minLength: 1
  9993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9994. type: string
  9995. namespace:
  9996. description: |-
  9997. The namespace of the Secret resource being referred to.
  9998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9999. maxLength: 63
  10000. minLength: 1
  10001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10002. type: string
  10003. type: object
  10004. required:
  10005. - accessKeyIDSecretRef
  10006. - accessKeySecretSecretRef
  10007. type: object
  10008. type: object
  10009. projectID:
  10010. description: ProjectID is the project, which the secrets are stored in.
  10011. type: string
  10012. required:
  10013. - auth
  10014. type: object
  10015. conjur:
  10016. description: Conjur configures this store to sync secrets using conjur provider
  10017. properties:
  10018. auth:
  10019. description: Defines authentication settings for connecting to Conjur.
  10020. properties:
  10021. apikey:
  10022. description: Authenticates with Conjur using an API key.
  10023. properties:
  10024. account:
  10025. description: Account is the Conjur organization account name.
  10026. type: string
  10027. apiKeyRef:
  10028. description: |-
  10029. A reference to a specific 'key' containing the Conjur API key
  10030. within a Secret resource. In some instances, `key` is a required field.
  10031. properties:
  10032. key:
  10033. description: |-
  10034. A key in the referenced Secret.
  10035. Some instances of this field may be defaulted, in others it may be required.
  10036. maxLength: 253
  10037. minLength: 1
  10038. pattern: ^[-._a-zA-Z0-9]+$
  10039. type: string
  10040. name:
  10041. description: The name of the Secret resource being referred to.
  10042. maxLength: 253
  10043. minLength: 1
  10044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10045. type: string
  10046. namespace:
  10047. description: |-
  10048. The namespace of the Secret resource being referred to.
  10049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10050. maxLength: 63
  10051. minLength: 1
  10052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10053. type: string
  10054. type: object
  10055. userRef:
  10056. description: |-
  10057. A reference to a specific 'key' containing the Conjur username
  10058. within a Secret resource. In some instances, `key` is a required field.
  10059. properties:
  10060. key:
  10061. description: |-
  10062. A key in the referenced Secret.
  10063. Some instances of this field may be defaulted, in others it may be required.
  10064. maxLength: 253
  10065. minLength: 1
  10066. pattern: ^[-._a-zA-Z0-9]+$
  10067. type: string
  10068. name:
  10069. description: The name of the Secret resource being referred to.
  10070. maxLength: 253
  10071. minLength: 1
  10072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10073. type: string
  10074. namespace:
  10075. description: |-
  10076. The namespace of the Secret resource being referred to.
  10077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10078. maxLength: 63
  10079. minLength: 1
  10080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10081. type: string
  10082. type: object
  10083. required:
  10084. - account
  10085. - apiKeyRef
  10086. - userRef
  10087. type: object
  10088. jwt:
  10089. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  10090. properties:
  10091. account:
  10092. description: Account is the Conjur organization account name.
  10093. type: string
  10094. hostId:
  10095. description: |-
  10096. Optional HostID for JWT authentication. This may be used depending
  10097. on how the Conjur JWT authenticator policy is configured.
  10098. type: string
  10099. secretRef:
  10100. description: |-
  10101. Optional SecretRef that refers to a key in a Secret resource containing a JWT used to
  10102. authenticate with Conjur via the JWT authentication method.
  10103. properties:
  10104. key:
  10105. description: |-
  10106. A key in the referenced Secret.
  10107. Some instances of this field may be defaulted, in others it may be required.
  10108. maxLength: 253
  10109. minLength: 1
  10110. pattern: ^[-._a-zA-Z0-9]+$
  10111. type: string
  10112. name:
  10113. description: The name of the Secret resource being referred to.
  10114. maxLength: 253
  10115. minLength: 1
  10116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10117. type: string
  10118. namespace:
  10119. description: |-
  10120. The namespace of the Secret resource being referred to.
  10121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10122. maxLength: 63
  10123. minLength: 1
  10124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10125. type: string
  10126. type: object
  10127. serviceAccountRef:
  10128. description: |-
  10129. Optional ServiceAccountRef specifies the Kubernetes ServiceAccount for which a token is
  10130. requested via the `TokenRequest` API and presented to Conjur as the JWT.
  10131. properties:
  10132. audiences:
  10133. description: |-
  10134. Audiences specifies the `aud` claim of the requested service account token.
  10135. If the ServiceAccount carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  10136. these audiences are appended to the existing list.
  10137. items:
  10138. type: string
  10139. type: array
  10140. name:
  10141. description: The name of the ServiceAccount resource being referred to.
  10142. maxLength: 253
  10143. minLength: 1
  10144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10145. type: string
  10146. namespace:
  10147. description: |-
  10148. Namespace of the resource being referred to.
  10149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10150. maxLength: 63
  10151. minLength: 1
  10152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10153. type: string
  10154. required:
  10155. - name
  10156. type: object
  10157. serviceID:
  10158. description: The ID of the Conjur authn-jwt web service.
  10159. type: string
  10160. required:
  10161. - account
  10162. - serviceID
  10163. type: object
  10164. type: object
  10165. caBundle:
  10166. description: CABundle is a PEM-encoded CA bundle used to validate the Conjur server's TLS certificate.
  10167. type: string
  10168. caProvider:
  10169. description: |-
  10170. Used to provide custom certificate authority (CA) certificates
  10171. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  10172. that contains a PEM-encoded certificate.
  10173. properties:
  10174. key:
  10175. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10176. maxLength: 253
  10177. minLength: 1
  10178. pattern: ^[-._a-zA-Z0-9]+$
  10179. type: string
  10180. name:
  10181. description: The name of the object located at the provider type.
  10182. maxLength: 253
  10183. minLength: 1
  10184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10185. type: string
  10186. namespace:
  10187. description: |-
  10188. The namespace the Provider type is in.
  10189. Can only be defined when used in a ClusterSecretStore.
  10190. maxLength: 63
  10191. minLength: 1
  10192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10193. type: string
  10194. type:
  10195. description: The type of provider to use such as "Secret", or "ConfigMap".
  10196. enum:
  10197. - Secret
  10198. - ConfigMap
  10199. type: string
  10200. required:
  10201. - name
  10202. - type
  10203. type: object
  10204. url:
  10205. description: URL is the endpoint of the Conjur instance.
  10206. type: string
  10207. required:
  10208. - auth
  10209. - url
  10210. type: object
  10211. delinea:
  10212. description: |-
  10213. Delinea DevOps Secrets Vault
  10214. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  10215. properties:
  10216. clientId:
  10217. description: ClientID is the non-secret part of the credential.
  10218. properties:
  10219. secretRef:
  10220. description: SecretRef references a key in a secret that will be used as value.
  10221. properties:
  10222. key:
  10223. description: |-
  10224. A key in the referenced Secret.
  10225. Some instances of this field may be defaulted, in others it may be required.
  10226. maxLength: 253
  10227. minLength: 1
  10228. pattern: ^[-._a-zA-Z0-9]+$
  10229. type: string
  10230. name:
  10231. description: The name of the Secret resource being referred to.
  10232. maxLength: 253
  10233. minLength: 1
  10234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10235. type: string
  10236. namespace:
  10237. description: |-
  10238. The namespace of the Secret resource being referred to.
  10239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10240. maxLength: 63
  10241. minLength: 1
  10242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10243. type: string
  10244. type: object
  10245. value:
  10246. description: Value can be specified directly to set a value without using a secret.
  10247. type: string
  10248. type: object
  10249. clientSecret:
  10250. description: ClientSecret is the secret part of the credential.
  10251. properties:
  10252. secretRef:
  10253. description: SecretRef references a key in a secret that will be used as value.
  10254. properties:
  10255. key:
  10256. description: |-
  10257. A key in the referenced Secret.
  10258. Some instances of this field may be defaulted, in others it may be required.
  10259. maxLength: 253
  10260. minLength: 1
  10261. pattern: ^[-._a-zA-Z0-9]+$
  10262. type: string
  10263. name:
  10264. description: The name of the Secret resource being referred to.
  10265. maxLength: 253
  10266. minLength: 1
  10267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10268. type: string
  10269. namespace:
  10270. description: |-
  10271. The namespace of the Secret resource being referred to.
  10272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10273. maxLength: 63
  10274. minLength: 1
  10275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10276. type: string
  10277. type: object
  10278. value:
  10279. description: Value can be specified directly to set the value without using a Secret. Because this is the secret part of the credential, prefer secretRef; a value set here is stored in plain text in the store spec.
  10280. type: string
  10281. type: object
  10282. tenant:
  10283. description: Tenant is the chosen hostname / site name.
  10284. type: string
  10285. tld:
  10286. description: |-
  10287. TLD is based on the server location that was chosen during provisioning.
  10288. If unset, defaults to "com".
  10289. type: string
  10290. urlTemplate:
  10291. description: |-
  10292. URLTemplate
  10293. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10294. type: string
  10295. required:
  10296. - clientId
  10297. - clientSecret
  10298. - tenant
  10299. type: object
  10300. device42:
  10301. description: Device42 configures this store to sync secrets using the Device42 provider
  10302. properties:
  10303. auth:
  10304. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10305. properties:
  10306. secretRef:
  10307. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10308. properties:
  10309. credentials:
  10310. description: Reference to the Secret key holding the username / password used for authentication.
  10311. properties:
  10312. key:
  10313. description: |-
  10314. A key in the referenced Secret.
  10315. Some instances of this field may be defaulted, in others it may be required.
  10316. maxLength: 253
  10317. minLength: 1
  10318. pattern: ^[-._a-zA-Z0-9]+$
  10319. type: string
  10320. name:
  10321. description: The name of the Secret resource being referred to.
  10322. maxLength: 253
  10323. minLength: 1
  10324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10325. type: string
  10326. namespace:
  10327. description: |-
  10328. The namespace of the Secret resource being referred to.
  10329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10330. maxLength: 63
  10331. minLength: 1
  10332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10333. type: string
  10334. type: object
  10335. type: object
  10336. required:
  10337. - secretRef
  10338. type: object
  10339. host:
  10340. description: Host configures the Device42 instance URL.
  10341. type: string
  10342. required:
  10343. - auth
  10344. - host
  10345. type: object
  10346. doppler:
  10347. description: Doppler configures this store to sync secrets using the Doppler provider
  10348. properties:
  10349. auth:
  10350. description: Auth configures how the Operator authenticates with the Doppler API
  10351. properties:
  10352. secretRef:
  10353. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10354. properties:
  10355. dopplerToken:
  10356. description: |-
  10357. The DopplerToken is used for authentication.
  10358. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10359. The Key attribute defaults to dopplerToken if not specified.
  10360. properties:
  10361. key:
  10362. description: |-
  10363. A key in the referenced Secret.
  10364. Some instances of this field may be defaulted, in others it may be required.
  10365. maxLength: 253
  10366. minLength: 1
  10367. pattern: ^[-._a-zA-Z0-9]+$
  10368. type: string
  10369. name:
  10370. description: The name of the Secret resource being referred to.
  10371. maxLength: 253
  10372. minLength: 1
  10373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10374. type: string
  10375. namespace:
  10376. description: |-
  10377. The namespace of the Secret resource being referred to.
  10378. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10379. maxLength: 63
  10380. minLength: 1
  10381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10382. type: string
  10383. type: object
  10384. required:
  10385. - dopplerToken
  10386. type: object
  10387. required:
  10388. - secretRef
  10389. type: object
  10390. config:
  10391. description: Doppler config (required if not using a Service Token)
  10392. type: string
  10393. format:
  10394. description: Format enables the downloading of secrets as a file (string)
  10395. enum:
  10396. - json
  10397. - dotnet-json
  10398. - env
  10399. - yaml
  10400. - docker
  10401. type: string
  10402. nameTransformer:
  10403. description: Environment variable compatible name transforms that change secret names to a different format
  10404. enum:
  10405. - upper-camel
  10406. - camel
  10407. - lower-snake
  10408. - tf-var
  10409. - dotnet-env
  10410. - lower-kebab
  10411. type: string
  10412. project:
  10413. description: Doppler project (required if not using a Service Token)
  10414. type: string
  10415. required:
  10416. - auth
  10417. type: object
  10418. fake:
  10419. description: Fake configures a store with static key/value pairs, intended for testing. The values are held in plain text in the store spec.
  10420. properties:
  10421. data:
  10422. items:
  10423. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10424. properties:
  10425. key:
  10426. type: string
  10427. value:
  10428. type: string
  10429. version:
  10430. type: string
  10431. required:
  10432. - key
  10433. - value
  10434. type: object
  10435. type: array
  10436. required:
  10437. - data
  10438. type: object
  10439. fortanix:
  10440. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10441. properties:
  10442. apiKey:
  10443. description: APIKey is the API token to access SDKMS Applications.
  10444. properties:
  10445. secretRef:
  10446. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10447. properties:
  10448. key:
  10449. description: |-
  10450. A key in the referenced Secret.
  10451. Some instances of this field may be defaulted, in others it may be required.
  10452. maxLength: 253
  10453. minLength: 1
  10454. pattern: ^[-._a-zA-Z0-9]+$
  10455. type: string
  10456. name:
  10457. description: The name of the Secret resource being referred to.
  10458. maxLength: 253
  10459. minLength: 1
  10460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10461. type: string
  10462. namespace:
  10463. description: |-
  10464. The namespace of the Secret resource being referred to.
  10465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10466. maxLength: 63
  10467. minLength: 1
  10468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10469. type: string
  10470. type: object
  10471. type: object
  10472. apiUrl:
  10473. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10474. type: string
  10475. type: object
  10476. gcpsm:
  10477. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10478. properties:
  10479. auth:
  10480. description: Auth defines the information necessary to authenticate against GCP
  10481. properties:
  10482. secretRef:
  10483. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10484. properties:
  10485. secretAccessKeySecretRef:
  10486. description: The SecretAccessKey is used for authentication
  10487. properties:
  10488. key:
  10489. description: |-
  10490. A key in the referenced Secret.
  10491. Some instances of this field may be defaulted, in others it may be required.
  10492. maxLength: 253
  10493. minLength: 1
  10494. pattern: ^[-._a-zA-Z0-9]+$
  10495. type: string
  10496. name:
  10497. description: The name of the Secret resource being referred to.
  10498. maxLength: 253
  10499. minLength: 1
  10500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10501. type: string
  10502. namespace:
  10503. description: |-
  10504. The namespace of the Secret resource being referred to.
  10505. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10506. maxLength: 63
  10507. minLength: 1
  10508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10509. type: string
  10510. type: object
  10511. type: object
  10512. workloadIdentity:
  10513. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10514. properties:
  10515. clusterLocation:
  10516. description: |-
  10517. ClusterLocation is the location of the cluster
  10518. If not specified, it fetches information from the metadata server
  10519. type: string
  10520. clusterName:
  10521. description: |-
  10522. ClusterName is the name of the cluster
  10523. If not specified, it fetches information from the metadata server
  10524. type: string
  10525. clusterProjectID:
  10526. description: |-
  10527. ClusterProjectID is the project ID of the cluster
  10528. If not specified, it fetches information from the metadata server
  10529. type: string
  10530. serviceAccountRef:
  10531. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10532. properties:
  10533. audiences:
  10534. description: |-
  10535. Audiences specifies the `aud` claim of the requested service account token.
  10536. If the ServiceAccount carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  10537. these audiences are appended to the existing list.
  10538. items:
  10539. type: string
  10540. type: array
  10541. name:
  10542. description: The name of the ServiceAccount resource being referred to.
  10543. maxLength: 253
  10544. minLength: 1
  10545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10546. type: string
  10547. namespace:
  10548. description: |-
  10549. Namespace of the resource being referred to.
  10550. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10551. maxLength: 63
  10552. minLength: 1
  10553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10554. type: string
  10555. required:
  10556. - name
  10557. type: object
  10558. required:
  10559. - serviceAccountRef
  10560. type: object
  10561. type: object
  10562. location:
  10563. description: Location optionally defines a location for a secret
  10564. type: string
  10565. projectID:
  10566. description: ProjectID project where secret is located
  10567. type: string
  10568. type: object
  10569. github:
  10570. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10571. properties:
  10572. appID:
  10573. description: appID specifies the GitHub App that will be used to authenticate the client.
  10574. format: int64
  10575. type: integer
  10576. auth:
  10577. description: auth configures how secret-manager authenticates with a Github instance.
  10578. properties:
  10579. privateKey:
  10580. description: |-
  10581. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10582. In some instances, `key` is a required field.
  10583. properties:
  10584. key:
  10585. description: |-
  10586. A key in the referenced Secret.
  10587. Some instances of this field may be defaulted, in others it may be required.
  10588. maxLength: 253
  10589. minLength: 1
  10590. pattern: ^[-._a-zA-Z0-9]+$
  10591. type: string
  10592. name:
  10593. description: The name of the Secret resource being referred to.
  10594. maxLength: 253
  10595. minLength: 1
  10596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10597. type: string
  10598. namespace:
  10599. description: |-
  10600. The namespace of the Secret resource being referred to.
  10601. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10602. maxLength: 63
  10603. minLength: 1
  10604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10605. type: string
  10606. type: object
  10607. required:
  10608. - privateKey
  10609. type: object
  10610. environment:
  10611. description: environment will be used to fetch secrets from a particular environment within a github repository
  10612. type: string
  10613. installationID:
  10614. description: installationID specifies the GitHub App installation that will be used to authenticate the client.
  10615. format: int64
  10616. type: integer
  10617. organization:
  10618. description: organization will be used to fetch secrets from the Github organization
  10619. type: string
  10620. repository:
  10621. description: repository will be used to fetch secrets from the Github repository within an organization
  10622. type: string
  10623. uploadURL:
  10624. description: Upload URL for GitHub Enterprise instances. Defaults to the value of url.
  10625. type: string
  10626. url:
  10627. default: https://github.com/
  10628. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10629. type: string
  10630. required:
  10631. - appID
  10632. - auth
  10633. - installationID
  10634. - organization
  10635. type: object
  10636. gitlab:
  10637. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10638. properties:
  10639. auth:
  10640. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10641. properties:
  10642. SecretRef:
  10643. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10644. properties:
  10645. accessToken:
  10646. description: AccessToken is used for authentication.
  10647. properties:
  10648. key:
  10649. description: |-
  10650. A key in the referenced Secret.
  10651. Some instances of this field may be defaulted, in others it may be required.
  10652. maxLength: 253
  10653. minLength: 1
  10654. pattern: ^[-._a-zA-Z0-9]+$
  10655. type: string
  10656. name:
  10657. description: The name of the Secret resource being referred to.
  10658. maxLength: 253
  10659. minLength: 1
  10660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10661. type: string
  10662. namespace:
  10663. description: |-
  10664. The namespace of the Secret resource being referred to.
  10665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10666. maxLength: 63
  10667. minLength: 1
  10668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10669. type: string
  10670. type: object
  10671. type: object
  10672. required:
  10673. - SecretRef
  10674. type: object
  10675. caBundle:
  10676. description: |-
  10677. Base64-encoded CA certificate bundle used by the GitLab client SDK to verify the server certificate. The SDK MUST connect over HTTPS
  10678. so that a MITM attack cannot be performed.
  10679. format: byte
  10680. type: string
  10681. caProvider:
  10682. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10683. properties:
  10684. key:
  10685. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10686. maxLength: 253
  10687. minLength: 1
  10688. pattern: ^[-._a-zA-Z0-9]+$
  10689. type: string
  10690. name:
  10691. description: The name of the object located at the provider type.
  10692. maxLength: 253
  10693. minLength: 1
  10694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10695. type: string
  10696. namespace:
  10697. description: |-
  10698. The namespace the Provider type is in.
  10699. Can only be defined when used in a ClusterSecretStore.
  10700. maxLength: 63
  10701. minLength: 1
  10702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10703. type: string
  10704. type:
  10705. description: The type of provider to use such as "Secret", or "ConfigMap".
  10706. enum:
  10707. - Secret
  10708. - ConfigMap
  10709. type: string
  10710. required:
  10711. - name
  10712. - type
  10713. type: object
  10714. environment:
  10715. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10716. type: string
  10717. groupIDs:
  10718. description: GroupIDs specifies which GitLab groups to pull secrets from. Group variables are read in the order listed, followed by the project variables.
  10719. items:
  10720. type: string
  10721. type: array
  10722. inheritFromGroups:
  10723. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10724. type: boolean
  10725. projectID:
  10726. description: ProjectID specifies a project where secrets are located.
  10727. type: string
  10728. url:
  10729. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10730. type: string
  10731. required:
  10732. - auth
  10733. type: object
  10734. ibm:
  10735. description: IBM configures this store to sync secrets using IBM Cloud provider
  10736. properties:
  10737. auth:
  10738. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10739. maxProperties: 1
  10740. minProperties: 1
  10741. properties:
  10742. containerAuth:
  10743. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10744. properties:
  10745. iamEndpoint:
  10746. type: string
  10747. profile:
  10748. description: the IBM Trusted Profile
  10749. type: string
  10750. tokenLocation:
  10751. description: Filesystem path in the pod where the token is mounted.
  10752. type: string
  10753. required:
  10754. - profile
  10755. type: object
  10756. secretRef:
  10757. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10758. properties:
  10759. secretApiKeySecretRef:
  10760. description: Reference to the Secret key holding the IBM Cloud API key used for authentication.
  10761. properties:
  10762. key:
  10763. description: |-
  10764. A key in the referenced Secret.
  10765. Some instances of this field may be defaulted, in others it may be required.
  10766. maxLength: 253
  10767. minLength: 1
  10768. pattern: ^[-._a-zA-Z0-9]+$
  10769. type: string
  10770. name:
  10771. description: The name of the Secret resource being referred to.
  10772. maxLength: 253
  10773. minLength: 1
  10774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10775. type: string
  10776. namespace:
  10777. description: |-
  10778. The namespace of the Secret resource being referred to.
  10779. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10780. maxLength: 63
  10781. minLength: 1
  10782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10783. type: string
  10784. type: object
  10785. type: object
  10786. type: object
  10787. serviceUrl:
  10788. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10789. type: string
  10790. required:
  10791. - auth
  10792. type: object
  10793. infisical:
  10794. description: Infisical configures this store to sync secrets using the Infisical provider
  10795. properties:
  10796. auth:
  10797. description: Auth configures how the Operator authenticates with the Infisical API
  10798. properties:
  10799. universalAuthCredentials:
  10800. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10801. properties:
  10802. clientId:
  10803. description: |-
  10804. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10805. In some instances, `key` is a required field.
  10806. properties:
  10807. key:
  10808. description: |-
  10809. A key in the referenced Secret.
  10810. Some instances of this field may be defaulted, in others it may be required.
  10811. maxLength: 253
  10812. minLength: 1
  10813. pattern: ^[-._a-zA-Z0-9]+$
  10814. type: string
  10815. name:
  10816. description: The name of the Secret resource being referred to.
  10817. maxLength: 253
  10818. minLength: 1
  10819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10820. type: string
  10821. namespace:
  10822. description: |-
  10823. The namespace of the Secret resource being referred to.
  10824. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10825. maxLength: 63
  10826. minLength: 1
  10827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10828. type: string
  10829. type: object
  10830. clientSecret:
  10831. description: |-
  10832. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10833. In some instances, `key` is a required field.
  10834. properties:
  10835. key:
  10836. description: |-
  10837. A key in the referenced Secret.
  10838. Some instances of this field may be defaulted, in others it may be required.
  10839. maxLength: 253
  10840. minLength: 1
  10841. pattern: ^[-._a-zA-Z0-9]+$
  10842. type: string
  10843. name:
  10844. description: The name of the Secret resource being referred to.
  10845. maxLength: 253
  10846. minLength: 1
  10847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10848. type: string
  10849. namespace:
  10850. description: |-
  10851. The namespace of the Secret resource being referred to.
  10852. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10853. maxLength: 63
  10854. minLength: 1
  10855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10856. type: string
  10857. type: object
  10858. required:
  10859. - clientId
  10860. - clientSecret
  10861. type: object
  10862. type: object
  10863. hostAPI:
  10864. default: https://app.infisical.com/api
  10865. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10866. type: string
  10867. secretsScope:
  10868. description: SecretsScope defines the scope of the secrets within the workspace
  10869. properties:
  10870. environmentSlug:
  10871. description: EnvironmentSlug is the required slug identifier for the environment.
  10872. type: string
  10873. expandSecretReferences:
  10874. default: true
  10875. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10876. type: boolean
  10877. projectSlug:
  10878. description: ProjectSlug is the required slug identifier for the project.
  10879. type: string
  10880. recursive:
  10881. default: false
  10882. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10883. type: boolean
  10884. secretsPath:
  10885. default: /
  10886. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10887. type: string
  10888. required:
  10889. - environmentSlug
  10890. - projectSlug
  10891. type: object
  10892. required:
  10893. - auth
  10894. - secretsScope
  10895. type: object
  10896. keepersecurity:
  10897. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10898. properties:
  10899. authRef:
  10900. description: |-
  10901. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10902. In some instances, `key` is a required field.
  10903. properties:
  10904. key:
  10905. description: |-
  10906. A key in the referenced Secret.
  10907. Some instances of this field may be defaulted, in others it may be required.
  10908. maxLength: 253
  10909. minLength: 1
  10910. pattern: ^[-._a-zA-Z0-9]+$
  10911. type: string
  10912. name:
  10913. description: The name of the Secret resource being referred to.
  10914. maxLength: 253
  10915. minLength: 1
  10916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10917. type: string
  10918. namespace:
  10919. description: |-
  10920. The namespace of the Secret resource being referred to.
  10921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10922. maxLength: 63
  10923. minLength: 1
  10924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10925. type: string
  10926. type: object
  10927. folderID:
  10928. type: string
  10929. required:
  10930. - authRef
  10931. - folderID
  10932. type: object
  10933. kubernetes:
  10934. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10935. properties:
  10936. auth:
  10937. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10938. maxProperties: 1
  10939. minProperties: 1
  10940. properties:
  10941. cert:
   10942. description: Cert authenticates with a client certificate; clientCert and clientKey are both SecretKeySelectors.
  10943. properties:
  10944. clientCert:
  10945. description: |-
  10946. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10947. In some instances, `key` is a required field.
  10948. properties:
  10949. key:
  10950. description: |-
  10951. A key in the referenced Secret.
  10952. Some instances of this field may be defaulted, in others it may be required.
  10953. maxLength: 253
  10954. minLength: 1
  10955. pattern: ^[-._a-zA-Z0-9]+$
  10956. type: string
  10957. name:
  10958. description: The name of the Secret resource being referred to.
  10959. maxLength: 253
  10960. minLength: 1
  10961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10962. type: string
  10963. namespace:
  10964. description: |-
  10965. The namespace of the Secret resource being referred to.
  10966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10967. maxLength: 63
  10968. minLength: 1
  10969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10970. type: string
  10971. type: object
  10972. clientKey:
  10973. description: |-
  10974. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10975. In some instances, `key` is a required field.
  10976. properties:
  10977. key:
  10978. description: |-
  10979. A key in the referenced Secret.
  10980. Some instances of this field may be defaulted, in others it may be required.
  10981. maxLength: 253
  10982. minLength: 1
  10983. pattern: ^[-._a-zA-Z0-9]+$
  10984. type: string
  10985. name:
  10986. description: The name of the Secret resource being referred to.
  10987. maxLength: 253
  10988. minLength: 1
  10989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10990. type: string
  10991. namespace:
  10992. description: |-
  10993. The namespace of the Secret resource being referred to.
  10994. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10995. maxLength: 63
  10996. minLength: 1
  10997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10998. type: string
  10999. type: object
  11000. type: object
  11001. serviceAccount:
  11002. description: points to a service account that should be used for authentication
  11003. properties:
  11004. audiences:
  11005. description: |-
  11006. Audience specifies the `aud` claim for the service account token
  11007. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
   11008. then these audiences will be appended to the list
  11009. items:
  11010. type: string
  11011. type: array
  11012. name:
  11013. description: The name of the ServiceAccount resource being referred to.
  11014. maxLength: 253
  11015. minLength: 1
  11016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11017. type: string
  11018. namespace:
  11019. description: |-
  11020. Namespace of the resource being referred to.
  11021. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11022. maxLength: 63
  11023. minLength: 1
  11024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11025. type: string
  11026. required:
  11027. - name
  11028. type: object
  11029. token:
  11030. description: use static token to authenticate with
  11031. properties:
  11032. bearerToken:
  11033. description: |-
  11034. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11035. In some instances, `key` is a required field.
  11036. properties:
  11037. key:
  11038. description: |-
  11039. A key in the referenced Secret.
  11040. Some instances of this field may be defaulted, in others it may be required.
  11041. maxLength: 253
  11042. minLength: 1
  11043. pattern: ^[-._a-zA-Z0-9]+$
  11044. type: string
  11045. name:
  11046. description: The name of the Secret resource being referred to.
  11047. maxLength: 253
  11048. minLength: 1
  11049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11050. type: string
  11051. namespace:
  11052. description: |-
  11053. The namespace of the Secret resource being referred to.
  11054. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11055. maxLength: 63
  11056. minLength: 1
  11057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11058. type: string
  11059. type: object
  11060. type: object
  11061. type: object
  11062. authRef:
  11063. description: A reference to a secret that contains the auth information.
  11064. properties:
  11065. key:
  11066. description: |-
  11067. A key in the referenced Secret.
  11068. Some instances of this field may be defaulted, in others it may be required.
  11069. maxLength: 253
  11070. minLength: 1
  11071. pattern: ^[-._a-zA-Z0-9]+$
  11072. type: string
  11073. name:
  11074. description: The name of the Secret resource being referred to.
  11075. maxLength: 253
  11076. minLength: 1
  11077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11078. type: string
  11079. namespace:
  11080. description: |-
  11081. The namespace of the Secret resource being referred to.
  11082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11083. maxLength: 63
  11084. minLength: 1
  11085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11086. type: string
  11087. type: object
  11088. remoteNamespace:
  11089. default: default
  11090. description: Remote namespace to fetch the secrets from
  11091. maxLength: 63
  11092. minLength: 1
  11093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11094. type: string
  11095. server:
  11096. description: configures the Kubernetes server Address.
  11097. properties:
  11098. caBundle:
  11099. description: CABundle is a base64-encoded CA certificate
  11100. format: byte
  11101. type: string
  11102. caProvider:
  11103. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  11104. properties:
  11105. key:
  11106. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11107. maxLength: 253
  11108. minLength: 1
  11109. pattern: ^[-._a-zA-Z0-9]+$
  11110. type: string
  11111. name:
   11112. description: The name of the Secret or ConfigMap (according to type) that holds the CA certificate.
  11113. maxLength: 253
  11114. minLength: 1
  11115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11116. type: string
  11117. namespace:
  11118. description: |-
  11119. The namespace the Provider type is in.
  11120. Can only be defined when used in a ClusterSecretStore.
  11121. maxLength: 63
  11122. minLength: 1
  11123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11124. type: string
  11125. type:
  11126. description: The type of provider to use such as "Secret", or "ConfigMap".
  11127. enum:
  11128. - Secret
  11129. - ConfigMap
  11130. type: string
  11131. required:
  11132. - name
  11133. - type
  11134. type: object
  11135. url:
  11136. default: kubernetes.default
   11137. description: configures the Kubernetes API server address. Defaults to kubernetes.default.
  11138. type: string
  11139. type: object
  11140. type: object
  11141. onboardbase:
  11142. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  11143. properties:
  11144. apiHost:
  11145. default: https://public.onboardbase.com/api/v1/
   11146. description: APIHost configures the host URL of the API for self-hosted installations; defaults to https://public.onboardbase.com/api/v1/
  11147. type: string
  11148. auth:
  11149. description: Auth configures how the Operator authenticates with the Onboardbase API
  11150. properties:
  11151. apiKeyRef:
  11152. description: |-
  11153. OnboardbaseAPIKey is the APIKey generated by an admin account.
  11154. It is used to recognize and authorize access to a project and environment within onboardbase
  11155. properties:
  11156. key:
  11157. description: |-
  11158. A key in the referenced Secret.
  11159. Some instances of this field may be defaulted, in others it may be required.
  11160. maxLength: 253
  11161. minLength: 1
  11162. pattern: ^[-._a-zA-Z0-9]+$
  11163. type: string
  11164. name:
  11165. description: The name of the Secret resource being referred to.
  11166. maxLength: 253
  11167. minLength: 1
  11168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11169. type: string
  11170. namespace:
  11171. description: |-
  11172. The namespace of the Secret resource being referred to.
  11173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11174. maxLength: 63
  11175. minLength: 1
  11176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11177. type: string
  11178. type: object
  11179. passcodeRef:
  11180. description: OnboardbasePasscode is the passcode attached to the API Key
  11181. properties:
  11182. key:
  11183. description: |-
  11184. A key in the referenced Secret.
  11185. Some instances of this field may be defaulted, in others it may be required.
  11186. maxLength: 253
  11187. minLength: 1
  11188. pattern: ^[-._a-zA-Z0-9]+$
  11189. type: string
  11190. name:
  11191. description: The name of the Secret resource being referred to.
  11192. maxLength: 253
  11193. minLength: 1
  11194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11195. type: string
  11196. namespace:
  11197. description: |-
  11198. The namespace of the Secret resource being referred to.
  11199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11200. maxLength: 63
  11201. minLength: 1
  11202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11203. type: string
  11204. type: object
  11205. required:
  11206. - apiKeyRef
  11207. - passcodeRef
  11208. type: object
  11209. environment:
  11210. default: development
   11211. description: Environment is the name of an environment within a project to pull the secrets from
  11212. type: string
  11213. project:
  11214. default: development
  11215. description: Project is an onboardbase project that the secrets should be pulled from
  11216. type: string
  11217. required:
  11218. - apiHost
  11219. - auth
  11220. - environment
  11221. - project
  11222. type: object
  11223. onepassword:
  11224. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  11225. properties:
  11226. auth:
  11227. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  11228. properties:
  11229. secretRef:
  11230. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  11231. properties:
  11232. connectTokenSecretRef:
  11233. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  11234. properties:
  11235. key:
  11236. description: |-
  11237. A key in the referenced Secret.
  11238. Some instances of this field may be defaulted, in others it may be required.
  11239. maxLength: 253
  11240. minLength: 1
  11241. pattern: ^[-._a-zA-Z0-9]+$
  11242. type: string
  11243. name:
  11244. description: The name of the Secret resource being referred to.
  11245. maxLength: 253
  11246. minLength: 1
  11247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11248. type: string
  11249. namespace:
  11250. description: |-
  11251. The namespace of the Secret resource being referred to.
  11252. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11253. maxLength: 63
  11254. minLength: 1
  11255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11256. type: string
  11257. type: object
  11258. required:
  11259. - connectTokenSecretRef
  11260. type: object
  11261. required:
  11262. - secretRef
  11263. type: object
  11264. connectHost:
  11265. description: ConnectHost defines the OnePassword Connect Server to connect to
  11266. type: string
  11267. vaults:
  11268. additionalProperties:
  11269. type: integer
  11270. description: Vaults defines which OnePassword vaults to search in which order
  11271. type: object
  11272. required:
  11273. - auth
  11274. - connectHost
  11275. - vaults
  11276. type: object
  11277. oracle:
  11278. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11279. properties:
  11280. auth:
  11281. description: |-
  11282. Auth configures how secret-manager authenticates with the Oracle Vault.
  11283. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11284. properties:
  11285. secretRef:
  11286. description: SecretRef to pass through sensitive information.
  11287. properties:
  11288. fingerprint:
  11289. description: Fingerprint is the fingerprint of the API private key.
  11290. properties:
  11291. key:
  11292. description: |-
  11293. A key in the referenced Secret.
  11294. Some instances of this field may be defaulted, in others it may be required.
  11295. maxLength: 253
  11296. minLength: 1
  11297. pattern: ^[-._a-zA-Z0-9]+$
  11298. type: string
  11299. name:
  11300. description: The name of the Secret resource being referred to.
  11301. maxLength: 253
  11302. minLength: 1
  11303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11304. type: string
  11305. namespace:
  11306. description: |-
  11307. The namespace of the Secret resource being referred to.
  11308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11309. maxLength: 63
  11310. minLength: 1
  11311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11312. type: string
  11313. type: object
  11314. privatekey:
  11315. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11316. properties:
  11317. key:
  11318. description: |-
  11319. A key in the referenced Secret.
  11320. Some instances of this field may be defaulted, in others it may be required.
  11321. maxLength: 253
  11322. minLength: 1
  11323. pattern: ^[-._a-zA-Z0-9]+$
  11324. type: string
  11325. name:
  11326. description: The name of the Secret resource being referred to.
  11327. maxLength: 253
  11328. minLength: 1
  11329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11330. type: string
  11331. namespace:
  11332. description: |-
  11333. The namespace of the Secret resource being referred to.
  11334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11335. maxLength: 63
  11336. minLength: 1
  11337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11338. type: string
  11339. type: object
  11340. required:
  11341. - fingerprint
  11342. - privatekey
  11343. type: object
  11344. tenancy:
  11345. description: Tenancy is the tenancy OCID where user is located.
  11346. type: string
  11347. user:
  11348. description: User is an access OCID specific to the account.
  11349. type: string
  11350. required:
  11351. - secretRef
  11352. - tenancy
  11353. - user
  11354. type: object
  11355. compartment:
  11356. description: |-
  11357. Compartment is the vault compartment OCID.
  11358. Required for PushSecret
  11359. type: string
  11360. encryptionKey:
  11361. description: |-
  11362. EncryptionKey is the OCID of the encryption key within the vault.
  11363. Required for PushSecret
  11364. type: string
  11365. principalType:
  11366. description: |-
  11367. The type of principal to use for authentication. If left blank, the Auth struct will
  11368. determine the principal type. This optional field must be specified if using
  11369. workload identity.
  11370. enum:
  11371. - ""
  11372. - UserPrincipal
  11373. - InstancePrincipal
  11374. - Workload
  11375. type: string
  11376. region:
  11377. description: Region is the region where vault is located.
  11378. type: string
  11379. serviceAccountRef:
  11380. description: |-
   11381. ServiceAccountRef specifies the service account
  11382. that should be used when authenticating with WorkloadIdentity.
  11383. properties:
  11384. audiences:
  11385. description: |-
  11386. Audience specifies the `aud` claim for the service account token
  11387. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
   11388. then these audiences will be appended to the list
  11389. items:
  11390. type: string
  11391. type: array
  11392. name:
  11393. description: The name of the ServiceAccount resource being referred to.
  11394. maxLength: 253
  11395. minLength: 1
  11396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11397. type: string
  11398. namespace:
  11399. description: |-
  11400. Namespace of the resource being referred to.
  11401. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11402. maxLength: 63
  11403. minLength: 1
  11404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11405. type: string
  11406. required:
  11407. - name
  11408. type: object
  11409. vault:
  11410. description: Vault is the vault's OCID of the specific vault where secret is located.
  11411. type: string
  11412. required:
  11413. - region
  11414. - vault
  11415. type: object
  11416. passbolt:
  11417. description: PassboltProvider defines configuration for the Passbolt provider.
  11418. properties:
  11419. auth:
  11420. description: Auth defines the information necessary to authenticate against Passbolt Server
  11421. properties:
  11422. passwordSecretRef:
  11423. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11424. properties:
  11425. key:
  11426. description: |-
  11427. A key in the referenced Secret.
  11428. Some instances of this field may be defaulted, in others it may be required.
  11429. maxLength: 253
  11430. minLength: 1
  11431. pattern: ^[-._a-zA-Z0-9]+$
  11432. type: string
  11433. name:
  11434. description: The name of the Secret resource being referred to.
  11435. maxLength: 253
  11436. minLength: 1
  11437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11438. type: string
  11439. namespace:
  11440. description: |-
  11441. The namespace of the Secret resource being referred to.
  11442. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11443. maxLength: 63
  11444. minLength: 1
  11445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11446. type: string
  11447. type: object
  11448. privateKeySecretRef:
  11449. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11450. properties:
  11451. key:
  11452. description: |-
  11453. A key in the referenced Secret.
  11454. Some instances of this field may be defaulted, in others it may be required.
  11455. maxLength: 253
  11456. minLength: 1
  11457. pattern: ^[-._a-zA-Z0-9]+$
  11458. type: string
  11459. name:
  11460. description: The name of the Secret resource being referred to.
  11461. maxLength: 253
  11462. minLength: 1
  11463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11464. type: string
  11465. namespace:
  11466. description: |-
  11467. The namespace of the Secret resource being referred to.
  11468. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11469. maxLength: 63
  11470. minLength: 1
  11471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11472. type: string
  11473. type: object
  11474. required:
  11475. - passwordSecretRef
  11476. - privateKeySecretRef
  11477. type: object
  11478. host:
  11479. description: Host defines the Passbolt Server to connect to
  11480. type: string
  11481. required:
  11482. - auth
  11483. - host
  11484. type: object
  11485. passworddepot:
  11486. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11487. properties:
  11488. auth:
  11489. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11490. properties:
  11491. secretRef:
  11492. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11493. properties:
  11494. credentials:
   11495. description: Credentials references the Secret entry holding the username / password used for authentication.
  11496. properties:
  11497. key:
  11498. description: |-
  11499. A key in the referenced Secret.
  11500. Some instances of this field may be defaulted, in others it may be required.
  11501. maxLength: 253
  11502. minLength: 1
  11503. pattern: ^[-._a-zA-Z0-9]+$
  11504. type: string
  11505. name:
  11506. description: The name of the Secret resource being referred to.
  11507. maxLength: 253
  11508. minLength: 1
  11509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11510. type: string
  11511. namespace:
  11512. description: |-
  11513. The namespace of the Secret resource being referred to.
  11514. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11515. maxLength: 63
  11516. minLength: 1
  11517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11518. type: string
  11519. type: object
  11520. type: object
  11521. required:
  11522. - secretRef
  11523. type: object
  11524. database:
  11525. description: Database to use as source
  11526. type: string
  11527. host:
   11528. description: Host configures the Password Depot instance URL.
  11529. type: string
  11530. required:
  11531. - auth
  11532. - database
  11533. - host
  11534. type: object
  11535. previder:
  11536. description: Previder configures this store to sync secrets using the Previder provider
  11537. properties:
  11538. auth:
  11539. description: PreviderAuth contains a secretRef for credentials.
  11540. properties:
  11541. secretRef:
  11542. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11543. properties:
  11544. accessToken:
  11545. description: The AccessToken is used for authentication
  11546. properties:
  11547. key:
  11548. description: |-
  11549. A key in the referenced Secret.
  11550. Some instances of this field may be defaulted, in others it may be required.
  11551. maxLength: 253
  11552. minLength: 1
  11553. pattern: ^[-._a-zA-Z0-9]+$
  11554. type: string
  11555. name:
  11556. description: The name of the Secret resource being referred to.
  11557. maxLength: 253
  11558. minLength: 1
  11559. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11560. type: string
  11561. namespace:
  11562. description: |-
  11563. The namespace of the Secret resource being referred to.
  11564. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11565. maxLength: 63
  11566. minLength: 1
  11567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11568. type: string
  11569. type: object
  11570. required:
  11571. - accessToken
  11572. type: object
  11573. type: object
  11574. baseUri:
  11575. type: string
  11576. required:
  11577. - auth
  11578. type: object
  11579. pulumi:
  11580. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11581. properties:
  11582. accessToken:
   11583. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  11584. properties:
  11585. secretRef:
  11586. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11587. properties:
  11588. key:
  11589. description: |-
  11590. A key in the referenced Secret.
  11591. Some instances of this field may be defaulted, in others it may be required.
  11592. maxLength: 253
  11593. minLength: 1
  11594. pattern: ^[-._a-zA-Z0-9]+$
  11595. type: string
  11596. name:
  11597. description: The name of the Secret resource being referred to.
  11598. maxLength: 253
  11599. minLength: 1
  11600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11601. type: string
  11602. namespace:
  11603. description: |-
  11604. The namespace of the Secret resource being referred to.
  11605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11606. maxLength: 63
  11607. minLength: 1
  11608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11609. type: string
  11610. type: object
  11611. type: object
  11612. apiUrl:
  11613. default: https://api.pulumi.com/api/esc
  11614. description: APIURL is the URL of the Pulumi API.
  11615. type: string
  11616. environment:
  11617. description: |-
   11618. Environment is the name of the Pulumi ESC environment. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  11619. dynamically retrieved values from supported providers including all major clouds,
  11620. and other Pulumi ESC environments.
  11621. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11622. type: string
  11623. organization:
  11624. description: |-
   11625. Organization is a space to collaborate on shared projects and stacks.
  11626. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11627. type: string
  11628. project:
  11629. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11630. type: string
  11631. required:
  11632. - accessToken
  11633. - environment
  11634. - organization
  11635. - project
  11636. type: object
  11637. scaleway:
  11638. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11639. properties:
  11640. accessKey:
  11641. description: AccessKey is the non-secret part of the api key.
  11642. properties:
  11643. secretRef:
  11644. description: SecretRef references a key in a secret that will be used as value.
  11645. properties:
  11646. key:
  11647. description: |-
  11648. A key in the referenced Secret.
  11649. Some instances of this field may be defaulted, in others it may be required.
  11650. maxLength: 253
  11651. minLength: 1
  11652. pattern: ^[-._a-zA-Z0-9]+$
  11653. type: string
  11654. name:
  11655. description: The name of the Secret resource being referred to.
  11656. maxLength: 253
  11657. minLength: 1
  11658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11659. type: string
  11660. namespace:
  11661. description: |-
  11662. The namespace of the Secret resource being referred to.
  11663. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11664. maxLength: 63
  11665. minLength: 1
  11666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11667. type: string
  11668. type: object
  11669. value:
  11670. description: Value can be specified directly to set a value without using a secret.
  11671. type: string
  11672. type: object
  11673. apiUrl:
  11674. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11675. type: string
  11676. projectId:
  11677. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11678. type: string
  11679. region:
  11680. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11681. type: string
  11682. secretKey:
   11683. description: SecretKey is the secret part of the api key. Prefer secretRef over an inline value so the key is not stored in plaintext in this resource.
  11684. properties:
  11685. secretRef:
  11686. description: SecretRef references a key in a secret that will be used as value.
  11687. properties:
  11688. key:
  11689. description: |-
  11690. A key in the referenced Secret.
  11691. Some instances of this field may be defaulted, in others it may be required.
  11692. maxLength: 253
  11693. minLength: 1
  11694. pattern: ^[-._a-zA-Z0-9]+$
  11695. type: string
  11696. name:
  11697. description: The name of the Secret resource being referred to.
  11698. maxLength: 253
  11699. minLength: 1
  11700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11701. type: string
  11702. namespace:
  11703. description: |-
  11704. The namespace of the Secret resource being referred to.
  11705. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11706. maxLength: 63
  11707. minLength: 1
  11708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11709. type: string
  11710. type: object
  11711. value:
  11712. description: Value can be specified directly to set a value without using a secret.
  11713. type: string
  11714. type: object
  11715. required:
  11716. - accessKey
  11717. - projectId
  11718. - region
  11719. - secretKey
  11720. type: object
  11721. secretserver:
  11722. description: |-
  11723. SecretServer configures this store to sync secrets using SecretServer provider
  11724. https://docs.delinea.com/online-help/secret-server/start.htm
  11725. properties:
  11726. password:
   11727. description: Password is the secret server account password. Prefer secretRef over an inline value so the password is not stored in plaintext in this resource.
  11728. properties:
  11729. secretRef:
  11730. description: SecretRef references a key in a secret that will be used as value.
  11731. properties:
  11732. key:
  11733. description: |-
  11734. A key in the referenced Secret.
  11735. Some instances of this field may be defaulted, in others it may be required.
  11736. maxLength: 253
  11737. minLength: 1
  11738. pattern: ^[-._a-zA-Z0-9]+$
  11739. type: string
  11740. name:
  11741. description: The name of the Secret resource being referred to.
  11742. maxLength: 253
  11743. minLength: 1
  11744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11745. type: string
  11746. namespace:
  11747. description: |-
  11748. The namespace of the Secret resource being referred to.
  11749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11750. maxLength: 63
  11751. minLength: 1
  11752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11753. type: string
  11754. type: object
  11755. value:
  11756. description: Value can be specified directly to set a value without using a secret.
  11757. type: string
  11758. type: object
  11759. serverURL:
  11760. description: |-
   11761. ServerURL is the URL of your Secret Server installation.
   11762. Use an https:// URL, since the account credentials configured here are presented to this endpoint.
  11763. type: string
  11764. username:
  11765. description: Username is the secret server account username.
  11766. properties:
  11767. secretRef:
  11768. description: SecretRef references a key in a secret that will be used as value.
  11769. properties:
  11770. key:
  11771. description: |-
  11772. A key in the referenced Secret.
  11773. Some instances of this field may be defaulted, in others it may be required.
  11774. maxLength: 253
  11775. minLength: 1
  11776. pattern: ^[-._a-zA-Z0-9]+$
  11777. type: string
  11778. name:
  11779. description: The name of the Secret resource being referred to.
  11780. maxLength: 253
  11781. minLength: 1
  11782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11783. type: string
  11784. namespace:
  11785. description: |-
  11786. The namespace of the Secret resource being referred to.
  11787. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11788. maxLength: 63
  11789. minLength: 1
  11790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11791. type: string
  11792. type: object
  11793. value:
  11794. description: Value can be specified directly to set a value without using a secret.
  11795. type: string
  11796. type: object
  11797. required:
  11798. - password
  11799. - serverURL
  11800. - username
  11801. type: object
  11802. senhasegura:
  11803. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11804. properties:
  11805. auth:
  11806. description: Auth defines parameters to authenticate in senhasegura
  11807. properties:
  11808. clientId:
  11809. type: string
  11810. clientSecretSecretRef:
  11811. description: |-
  11812. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11813. In some instances, `key` is a required field.
  11814. properties:
  11815. key:
  11816. description: |-
  11817. A key in the referenced Secret.
  11818. Some instances of this field may be defaulted, in others it may be required.
  11819. maxLength: 253
  11820. minLength: 1
  11821. pattern: ^[-._a-zA-Z0-9]+$
  11822. type: string
  11823. name:
  11824. description: The name of the Secret resource being referred to.
  11825. maxLength: 253
  11826. minLength: 1
  11827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11828. type: string
  11829. namespace:
  11830. description: |-
  11831. The namespace of the Secret resource being referred to.
  11832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11833. maxLength: 63
  11834. minLength: 1
  11835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11836. type: string
  11837. type: object
  11838. required:
  11839. - clientId
  11840. - clientSecretSecretRef
  11841. type: object
  11842. ignoreSslCertificate:
  11843. default: false
   11844. description: IgnoreSslCertificate defines whether verification of the senhasegura server's SSL/TLS certificate is skipped. Setting it to true disables certificate validation and exposes the client credentials to man-in-the-middle interception, so it should only be used for testing.
  11845. type: boolean
  11846. module:
  11847. description: Module defines which senhasegura module should be used to get secrets
  11848. type: string
  11849. url:
  11850. description: URL of senhasegura
  11851. type: string
  11852. required:
  11853. - auth
  11854. - module
  11855. - url
  11856. type: object
  11857. vault:
  11858. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11859. properties:
  11860. auth:
  11861. description: Auth configures how secret-manager authenticates with the Vault server.
  11862. properties:
  11863. appRole:
  11864. description: |-
  11865. AppRole authenticates with Vault using the App Role auth mechanism,
  11866. with the role and secret stored in a Kubernetes Secret resource.
  11867. properties:
  11868. path:
  11869. default: approle
  11870. description: |-
  11871. Path where the App Role authentication backend is mounted
  11872. in Vault, e.g: "approle"
  11873. type: string
  11874. roleId:
  11875. description: |-
  11876. RoleID configured in the App Role authentication backend when setting
  11877. up the authentication backend in Vault.
  11878. type: string
  11879. roleRef:
  11880. description: |-
  11881. Reference to a key in a Secret that contains the App Role ID used
  11882. to authenticate with Vault.
  11883. The `key` field must be specified and denotes which entry within the Secret
  11884. resource is used as the app role id.
  11885. properties:
  11886. key:
  11887. description: |-
  11888. A key in the referenced Secret.
  11889. Some instances of this field may be defaulted, in others it may be required.
  11890. maxLength: 253
  11891. minLength: 1
  11892. pattern: ^[-._a-zA-Z0-9]+$
  11893. type: string
  11894. name:
  11895. description: The name of the Secret resource being referred to.
  11896. maxLength: 253
  11897. minLength: 1
  11898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11899. type: string
  11900. namespace:
  11901. description: |-
  11902. The namespace of the Secret resource being referred to.
  11903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11904. maxLength: 63
  11905. minLength: 1
  11906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11907. type: string
  11908. type: object
  11909. secretRef:
  11910. description: |-
  11911. Reference to a key in a Secret that contains the App Role secret used
  11912. to authenticate with Vault.
  11913. The `key` field must be specified and denotes which entry within the Secret
  11914. resource is used as the app role secret.
  11915. properties:
  11916. key:
  11917. description: |-
  11918. A key in the referenced Secret.
  11919. Some instances of this field may be defaulted, in others it may be required.
  11920. maxLength: 253
  11921. minLength: 1
  11922. pattern: ^[-._a-zA-Z0-9]+$
  11923. type: string
  11924. name:
  11925. description: The name of the Secret resource being referred to.
  11926. maxLength: 253
  11927. minLength: 1
  11928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11929. type: string
  11930. namespace:
  11931. description: |-
  11932. The namespace of the Secret resource being referred to.
  11933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11934. maxLength: 63
  11935. minLength: 1
  11936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11937. type: string
  11938. type: object
  11939. required:
  11940. - path
  11941. - secretRef
  11942. type: object
  11943. cert:
  11944. description: |-
   11945. Cert authenticates with Vault using the TLS Certificates auth method, by passing a
   11946. client certificate, its private key and a CA certificate.
  11947. properties:
  11948. clientCert:
  11949. description: |-
  11950. ClientCert is a certificate to authenticate using the Cert Vault
  11951. authentication method
  11952. properties:
  11953. key:
  11954. description: |-
  11955. A key in the referenced Secret.
  11956. Some instances of this field may be defaulted, in others it may be required.
  11957. maxLength: 253
  11958. minLength: 1
  11959. pattern: ^[-._a-zA-Z0-9]+$
  11960. type: string
  11961. name:
  11962. description: The name of the Secret resource being referred to.
  11963. maxLength: 253
  11964. minLength: 1
  11965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11966. type: string
  11967. namespace:
  11968. description: |-
  11969. The namespace of the Secret resource being referred to.
  11970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11971. maxLength: 63
  11972. minLength: 1
  11973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11974. type: string
  11975. type: object
  11976. secretRef:
  11977. description: |-
  11978. SecretRef to a key in a Secret resource containing client private key to
  11979. authenticate with Vault using the Cert authentication method
  11980. properties:
  11981. key:
  11982. description: |-
  11983. A key in the referenced Secret.
  11984. Some instances of this field may be defaulted, in others it may be required.
  11985. maxLength: 253
  11986. minLength: 1
  11987. pattern: ^[-._a-zA-Z0-9]+$
  11988. type: string
  11989. name:
  11990. description: The name of the Secret resource being referred to.
  11991. maxLength: 253
  11992. minLength: 1
  11993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11994. type: string
  11995. namespace:
  11996. description: |-
  11997. The namespace of the Secret resource being referred to.
  11998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11999. maxLength: 63
  12000. minLength: 1
  12001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12002. type: string
  12003. type: object
  12004. type: object
  12005. iam:
  12006. description: |-
   12007. Iam authenticates with Vault using the AWS IAM auth method, by passing a special
   12008. AWS request signed with AWS IAM credentials.
  12009. properties:
  12010. externalID:
  12011. description: AWS External ID set on assumed IAM roles
  12012. type: string
  12013. jwt:
  12014. description: Specify a service account with IRSA enabled
  12015. properties:
  12016. serviceAccountRef:
  12017. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  12018. properties:
  12019. audiences:
  12020. description: |-
  12021. Audience specifies the `aud` claim for the service account token
  12022. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
   12023. then these audiences will be appended to the list
  12024. items:
  12025. type: string
  12026. type: array
  12027. name:
  12028. description: The name of the ServiceAccount resource being referred to.
  12029. maxLength: 253
  12030. minLength: 1
  12031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12032. type: string
  12033. namespace:
  12034. description: |-
  12035. Namespace of the resource being referred to.
  12036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12037. maxLength: 63
  12038. minLength: 1
  12039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12040. type: string
  12041. required:
  12042. - name
  12043. type: object
  12044. type: object
  12045. path:
  12046. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  12047. type: string
  12048. region:
  12049. description: AWS region
  12050. type: string
  12051. role:
  12052. description: This is the AWS role to be assumed before talking to vault
  12053. type: string
  12054. secretRef:
  12055. description: Specify credentials in a Secret object
  12056. properties:
  12057. accessKeyIDSecretRef:
  12058. description: The AccessKeyID is used for authentication
  12059. properties:
  12060. key:
  12061. description: |-
  12062. A key in the referenced Secret.
  12063. Some instances of this field may be defaulted, in others it may be required.
  12064. maxLength: 253
  12065. minLength: 1
  12066. pattern: ^[-._a-zA-Z0-9]+$
  12067. type: string
  12068. name:
  12069. description: The name of the Secret resource being referred to.
  12070. maxLength: 253
  12071. minLength: 1
  12072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12073. type: string
  12074. namespace:
  12075. description: |-
  12076. The namespace of the Secret resource being referred to.
  12077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12078. maxLength: 63
  12079. minLength: 1
  12080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12081. type: string
  12082. type: object
  12083. secretAccessKeySecretRef:
  12084. description: The SecretAccessKey is used for authentication
  12085. properties:
  12086. key:
  12087. description: |-
  12088. A key in the referenced Secret.
  12089. Some instances of this field may be defaulted, in others it may be required.
  12090. maxLength: 253
  12091. minLength: 1
  12092. pattern: ^[-._a-zA-Z0-9]+$
  12093. type: string
  12094. name:
  12095. description: The name of the Secret resource being referred to.
  12096. maxLength: 253
  12097. minLength: 1
  12098. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12099. type: string
  12100. namespace:
  12101. description: |-
  12102. The namespace of the Secret resource being referred to.
  12103. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12104. maxLength: 63
  12105. minLength: 1
  12106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12107. type: string
  12108. type: object
  12109. sessionTokenSecretRef:
  12110. description: |-
  12111. The SessionToken used for authentication
  12112. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  12113. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  12114. properties:
  12115. key:
  12116. description: |-
  12117. A key in the referenced Secret.
  12118. Some instances of this field may be defaulted, in others it may be required.
  12119. maxLength: 253
  12120. minLength: 1
  12121. pattern: ^[-._a-zA-Z0-9]+$
  12122. type: string
  12123. name:
  12124. description: The name of the Secret resource being referred to.
  12125. maxLength: 253
  12126. minLength: 1
  12127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12128. type: string
  12129. namespace:
  12130. description: |-
  12131. The namespace of the Secret resource being referred to.
  12132. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12133. maxLength: 63
  12134. minLength: 1
  12135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12136. type: string
  12137. type: object
  12138. type: object
  12139. vaultAwsIamServerID:
  12140. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  12141. type: string
  12142. vaultRole:
   12143. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  12144. type: string
  12145. required:
  12146. - vaultRole
  12147. type: object
  12148. jwt:
  12149. description: |-
  12150. Jwt authenticates with Vault by passing role and JWT token using the
  12151. JWT/OIDC authentication method
  12152. properties:
  12153. kubernetesServiceAccountToken:
  12154. description: |-
   12155. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
   12156. a token with the `TokenRequest` API.
  12157. properties:
  12158. audiences:
  12159. description: |-
  12160. Optional audiences field that will be used to request a temporary Kubernetes service
  12161. account token for the service account referenced by `serviceAccountRef`.
   12162. Defaults to a single audience `vault` if not specified.
  12163. Deprecated: use serviceAccountRef.Audiences instead
  12164. items:
  12165. type: string
  12166. type: array
  12167. expirationSeconds:
  12168. description: |-
  12169. Optional expiration time in seconds that will be used to request a temporary
  12170. Kubernetes service account token for the service account referenced by
  12171. `serviceAccountRef`.
  12172. Deprecated: this will be removed in the future.
  12173. Defaults to 10 minutes.
  12174. format: int64
  12175. type: integer
  12176. serviceAccountRef:
  12177. description: Service account field containing the name of a kubernetes ServiceAccount.
  12178. properties:
  12179. audiences:
  12180. description: |-
  12181. Audience specifies the `aud` claim for the service account token
  12182. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
   12183. then these audiences will be appended to the list
  12184. items:
  12185. type: string
  12186. type: array
  12187. name:
  12188. description: The name of the ServiceAccount resource being referred to.
  12189. maxLength: 253
  12190. minLength: 1
  12191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12192. type: string
  12193. namespace:
  12194. description: |-
  12195. Namespace of the resource being referred to.
  12196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12197. maxLength: 63
  12198. minLength: 1
  12199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12200. type: string
  12201. required:
  12202. - name
  12203. type: object
  12204. required:
  12205. - serviceAccountRef
  12206. type: object
  12207. path:
  12208. default: jwt
  12209. description: |-
  12210. Path where the JWT authentication backend is mounted
  12211. in Vault, e.g: "jwt"
  12212. type: string
  12213. role:
  12214. description: |-
  12215. Role is a JWT role to authenticate using the JWT/OIDC Vault
  12216. authentication method
  12217. type: string
  12218. secretRef:
  12219. description: |-
  12220. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  12221. authenticate with Vault using the JWT/OIDC authentication method.
  12222. properties:
  12223. key:
  12224. description: |-
  12225. A key in the referenced Secret.
  12226. Some instances of this field may be defaulted, in others it may be required.
  12227. maxLength: 253
  12228. minLength: 1
  12229. pattern: ^[-._a-zA-Z0-9]+$
  12230. type: string
  12231. name:
  12232. description: The name of the Secret resource being referred to.
  12233. maxLength: 253
  12234. minLength: 1
  12235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12236. type: string
  12237. namespace:
  12238. description: |-
  12239. The namespace of the Secret resource being referred to.
  12240. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12241. maxLength: 63
  12242. minLength: 1
  12243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12244. type: string
  12245. type: object
  12246. required:
  12247. - path
  12248. type: object
  12249. kubernetes:
  12250. description: |-
  12251. Kubernetes authenticates with Vault by passing the ServiceAccount
  12252. token stored in the named Secret resource to the Vault server.
  12253. properties:
  12254. mountPath:
  12255. default: kubernetes
  12256. description: |-
  12257. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  12258. "kubernetes"
  12259. type: string
  12260. role:
  12261. description: |-
  12262. A required field containing the Vault Role to assume. A Role binds a
  12263. Kubernetes ServiceAccount with a set of Vault policies.
  12264. type: string
  12265. secretRef:
  12266. description: |-
  12267. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12268. for authenticating with Vault. If a name is specified without a key,
  12269. `token` is the default. If one is not specified, the one bound to
  12270. the controller will be used.
  12271. properties:
  12272. key:
  12273. description: |-
  12274. A key in the referenced Secret.
  12275. Some instances of this field may be defaulted, in others it may be required.
  12276. maxLength: 253
  12277. minLength: 1
  12278. pattern: ^[-._a-zA-Z0-9]+$
  12279. type: string
  12280. name:
  12281. description: The name of the Secret resource being referred to.
  12282. maxLength: 253
  12283. minLength: 1
  12284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12285. type: string
  12286. namespace:
  12287. description: |-
  12288. The namespace of the Secret resource being referred to.
  12289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12290. maxLength: 63
  12291. minLength: 1
  12292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12293. type: string
  12294. type: object
  12295. serviceAccountRef:
  12296. description: |-
  12297. Optional service account field containing the name of a kubernetes ServiceAccount.
  12298. If the service account is specified, the service account secret token JWT will be used
  12299. for authenticating with Vault. If the service account selector is not supplied,
  12300. the secretRef will be used instead.
  12301. properties:
  12302. audiences:
  12303. description: |-
  12304. Audience specifies the `aud` claim for the service account token
  12305. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
   12306. then these audiences will be appended to the list
  12307. items:
  12308. type: string
  12309. type: array
  12310. name:
  12311. description: The name of the ServiceAccount resource being referred to.
  12312. maxLength: 253
  12313. minLength: 1
  12314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12315. type: string
  12316. namespace:
  12317. description: |-
  12318. Namespace of the resource being referred to.
  12319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12320. maxLength: 63
  12321. minLength: 1
  12322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12323. type: string
  12324. required:
  12325. - name
  12326. type: object
  12327. required:
  12328. - mountPath
  12329. - role
  12330. type: object
  12331. ldap:
  12332. description: |-
  12333. Ldap authenticates with Vault by passing username/password pair using
  12334. the LDAP authentication method
  12335. properties:
  12336. path:
  12337. default: ldap
  12338. description: |-
  12339. Path where the LDAP authentication backend is mounted
  12340. in Vault, e.g: "ldap"
  12341. type: string
  12342. secretRef:
  12343. description: |-
  12344. SecretRef to a key in a Secret resource containing password for the LDAP
  12345. user used to authenticate with Vault using the LDAP authentication
  12346. method
  12347. properties:
  12348. key:
  12349. description: |-
  12350. A key in the referenced Secret.
  12351. Some instances of this field may be defaulted, in others it may be required.
  12352. maxLength: 253
  12353. minLength: 1
  12354. pattern: ^[-._a-zA-Z0-9]+$
  12355. type: string
  12356. name:
  12357. description: The name of the Secret resource being referred to.
  12358. maxLength: 253
  12359. minLength: 1
  12360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12361. type: string
  12362. namespace:
  12363. description: |-
  12364. The namespace of the Secret resource being referred to.
  12365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12366. maxLength: 63
  12367. minLength: 1
  12368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12369. type: string
  12370. type: object
  12371. username:
  12372. description: |-
  12373. Username is an LDAP username used to authenticate using the LDAP Vault
  12374. authentication method
  12375. type: string
  12376. required:
  12377. - path
  12378. - username
  12379. type: object
  12380. namespace:
  12381. description: |-
   12382. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  12383. Namespaces is a set of features within Vault Enterprise that allows
  12384. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12385. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12386. This will default to Vault.Namespace field if set, or empty otherwise
  12387. type: string
  12388. tokenSecretRef:
  12389. description: TokenSecretRef authenticates with Vault by presenting a token.
  12390. properties:
  12391. key:
  12392. description: |-
  12393. A key in the referenced Secret.
  12394. Some instances of this field may be defaulted, in others it may be required.
  12395. maxLength: 253
  12396. minLength: 1
  12397. pattern: ^[-._a-zA-Z0-9]+$
  12398. type: string
  12399. name:
  12400. description: The name of the Secret resource being referred to.
  12401. maxLength: 253
  12402. minLength: 1
  12403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12404. type: string
  12405. namespace:
  12406. description: |-
  12407. The namespace of the Secret resource being referred to.
  12408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12409. maxLength: 63
  12410. minLength: 1
  12411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12412. type: string
  12413. type: object
  12414. userPass:
  12415. description: UserPass authenticates with Vault by passing username/password pair
  12416. properties:
  12417. path:
  12418. default: userpass
  12419. description: |-
  12420. Path where the UserPassword authentication backend is mounted
  12421. in Vault, e.g: "userpass"
  12422. type: string
  12423. secretRef:
  12424. description: |-
  12425. SecretRef to a key in a Secret resource containing password for the
  12426. user used to authenticate with Vault using the UserPass authentication
  12427. method
  12428. properties:
  12429. key:
  12430. description: |-
  12431. A key in the referenced Secret.
  12432. Some instances of this field may be defaulted, in others it may be required.
  12433. maxLength: 253
  12434. minLength: 1
  12435. pattern: ^[-._a-zA-Z0-9]+$
  12436. type: string
  12437. name:
  12438. description: The name of the Secret resource being referred to.
  12439. maxLength: 253
  12440. minLength: 1
  12441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12442. type: string
  12443. namespace:
  12444. description: |-
  12445. The namespace of the Secret resource being referred to.
  12446. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12447. maxLength: 63
  12448. minLength: 1
  12449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12450. type: string
  12451. type: object
  12452. username:
  12453. description: |-
  12454. Username is a username used to authenticate using the UserPass Vault
  12455. authentication method
  12456. type: string
  12457. required:
  12458. - path
  12459. - username
  12460. type: object
  12461. type: object
  12462. caBundle:
  12463. description: |-
   12464. PEM encoded CA bundle used to validate the Vault server certificate. Only used
   12465. if the Server URL is using the HTTPS protocol; it is ignored for plain HTTP, which
   12466. sends credentials and secrets in cleartext and should be avoided. If not set,
   12467. the system root certificates are used to validate the TLS connection.
  12468. format: byte
  12469. type: string
  12470. caProvider:
  12471. description: The provider for the CA bundle to use to validate Vault server certificate.
  12472. properties:
  12473. key:
  12474. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12475. maxLength: 253
  12476. minLength: 1
  12477. pattern: ^[-._a-zA-Z0-9]+$
  12478. type: string
  12479. name:
  12480. description: The name of the object located at the provider type.
  12481. maxLength: 253
  12482. minLength: 1
  12483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12484. type: string
  12485. namespace:
  12486. description: |-
  12487. The namespace the Provider type is in.
  12488. Can only be defined when used in a ClusterSecretStore.
  12489. maxLength: 63
  12490. minLength: 1
  12491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12492. type: string
  12493. type:
  12494. description: The type of provider to use such as "Secret", or "ConfigMap".
  12495. enum:
  12496. - Secret
  12497. - ConfigMap
  12498. type: string
  12499. required:
  12500. - name
  12501. - type
  12502. type: object
  12503. forwardInconsistent:
  12504. description: |-
  12505. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12506. leader instead of simply retrying within a loop. This can increase performance if
  12507. the option is enabled serverside.
  12508. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12509. type: boolean
  12510. headers:
  12511. additionalProperties:
  12512. type: string
  12513. description: Headers to be added in Vault request
  12514. type: object
  12515. namespace:
  12516. description: |-
  12517. Name of the Vault namespace. Namespaces are a Vault Enterprise feature that allows
  12518. Vault environments to support secure multi-tenancy, e.g. "ns1".
  12519. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  12520. type: string
  12521. path:
  12522. description: |-
  12523. Path is the mount path of the Vault KV backend endpoint, e.g.
  12524. "secret". The "/data" path suffix specific to the v2 KV secret engine
  12525. for fetching secrets from Vault is optional and will be appended
  12526. if not present in the specified path.
  12527. type: string
  12528. readYourWrites:
  12529. description: |-
  12530. ReadYourWrites ensures isolated read-after-write semantics by
  12531. providing discovered cluster replication states in each request.
  12532. More information about eventual consistency in Vault can be found here
  12533. https://www.vaultproject.io/docs/enterprise/consistency
  12534. type: boolean
  12535. server:
  12536. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12537. type: string
  12538. tls:
  12539. description: |-
  12540. The configuration used for client-side TLS communication, when the Vault server
  12541. requires mutual authentication. Only used if the Server URL is using the HTTPS protocol.
  12542. This parameter is ignored for plain HTTP protocol connection.
  12543. It's worth noting this configuration is different from the "TLS certificates auth method",
  12544. which is available under the `auth.cert` section.
  12545. properties:
  12546. certSecretRef:
  12547. description: |-
  12548. CertSecretRef is a certificate added to the transport layer
  12549. when communicating with the Vault server.
  12550. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12551. properties:
  12552. key:
  12553. description: |-
  12554. A key in the referenced Secret.
  12555. Some instances of this field may be defaulted, in others it may be required.
  12556. maxLength: 253
  12557. minLength: 1
  12558. pattern: ^[-._a-zA-Z0-9]+$
  12559. type: string
  12560. name:
  12561. description: The name of the Secret resource being referred to.
  12562. maxLength: 253
  12563. minLength: 1
  12564. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12565. type: string
  12566. namespace:
  12567. description: |-
  12568. The namespace of the Secret resource being referred to.
  12569. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12570. maxLength: 63
  12571. minLength: 1
  12572. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12573. type: string
  12574. type: object
  12575. keySecretRef:
  12576. description: |-
  12577. KeySecretRef to a key in a Secret resource containing client private key
  12578. added to the transport layer when communicating with the Vault server.
  12579. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12580. properties:
  12581. key:
  12582. description: |-
  12583. A key in the referenced Secret.
  12584. Some instances of this field may be defaulted, in others it may be required.
  12585. maxLength: 253
  12586. minLength: 1
  12587. pattern: ^[-._a-zA-Z0-9]+$
  12588. type: string
  12589. name:
  12590. description: The name of the Secret resource being referred to.
  12591. maxLength: 253
  12592. minLength: 1
  12593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12594. type: string
  12595. namespace:
  12596. description: |-
  12597. The namespace of the Secret resource being referred to.
  12598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12599. maxLength: 63
  12600. minLength: 1
  12601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12602. type: string
  12603. type: object
  12604. type: object
  12605. version:
  12606. default: v2
  12607. description: |-
  12608. Version is the Vault KV secret engine version. This can be either "v1" or
  12609. "v2". Version defaults to "v2".
  12610. enum:
  12611. - v1
  12612. - v2
  12613. type: string
  12614. required:
  12615. - server
  12616. type: object
  12617. webhook:
  12618. description: Webhook configures this store to sync secrets using a generic templated webhook
  12619. properties:
  12620. auth:
  12621. description: Auth specifies an authorization protocol. Only one protocol may be set.
  12622. maxProperties: 1
  12623. minProperties: 1
  12624. properties:
  12625. ntlm:
  12626. description: NTLMProtocol configures the store to use NTLM for auth
  12627. properties:
  12628. passwordSecret:
  12629. description: |-
  12630. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12631. In some instances, `key` is a required field.
  12632. properties:
  12633. key:
  12634. description: |-
  12635. A key in the referenced Secret.
  12636. Some instances of this field may be defaulted, in others it may be required.
  12637. maxLength: 253
  12638. minLength: 1
  12639. pattern: ^[-._a-zA-Z0-9]+$
  12640. type: string
  12641. name:
  12642. description: The name of the Secret resource being referred to.
  12643. maxLength: 253
  12644. minLength: 1
  12645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12646. type: string
  12647. namespace:
  12648. description: |-
  12649. The namespace of the Secret resource being referred to.
  12650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12651. maxLength: 63
  12652. minLength: 1
  12653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12654. type: string
  12655. type: object
  12656. usernameSecret:
  12657. description: |-
  12658. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12659. In some instances, `key` is a required field.
  12660. properties:
  12661. key:
  12662. description: |-
  12663. A key in the referenced Secret.
  12664. Some instances of this field may be defaulted, in others it may be required.
  12665. maxLength: 253
  12666. minLength: 1
  12667. pattern: ^[-._a-zA-Z0-9]+$
  12668. type: string
  12669. name:
  12670. description: The name of the Secret resource being referred to.
  12671. maxLength: 253
  12672. minLength: 1
  12673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12674. type: string
  12675. namespace:
  12676. description: |-
  12677. The namespace of the Secret resource being referred to.
  12678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12679. maxLength: 63
  12680. minLength: 1
  12681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12682. type: string
  12683. type: object
  12684. required:
  12685. - passwordSecret
  12686. - usernameSecret
  12687. type: object
  12688. type: object
  12689. body:
  12690. description: Body
  12691. type: string
  12692. caBundle:
  12693. description: |-
  12694. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12695. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12696. plain HTTP protocol connection. If not set the system root certificates
  12697. are used to validate the TLS connection.
  12698. format: byte
  12699. type: string
  12700. caProvider:
  12701. description: The provider for the CA bundle to use to validate webhook server certificate.
  12702. properties:
  12703. key:
  12704. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12705. maxLength: 253
  12706. minLength: 1
  12707. pattern: ^[-._a-zA-Z0-9]+$
  12708. type: string
  12709. name:
  12710. description: The name of the object located at the provider type.
  12711. maxLength: 253
  12712. minLength: 1
  12713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12714. type: string
  12715. namespace:
  12716. description: The namespace the Provider type is in.
  12717. maxLength: 63
  12718. minLength: 1
  12719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12720. type: string
  12721. type:
  12722. description: The type of provider to use such as "Secret", or "ConfigMap".
  12723. enum:
  12724. - Secret
  12725. - ConfigMap
  12726. type: string
  12727. required:
  12728. - name
  12729. - type
  12730. type: object
  12731. headers:
  12732. additionalProperties:
  12733. type: string
  12734. description: Headers
  12735. type: object
  12736. method:
  12737. description: Webhook Method
  12738. type: string
  12739. result:
  12740. description: Result formatting
  12741. properties:
  12742. jsonPath:
  12743. description: Json path of return value
  12744. type: string
  12745. type: object
  12746. secrets:
  12747. description: |-
  12748. Secrets to fill in templates
  12749. These secrets will be passed to the templating function as key value pairs under the given name
  12750. items:
  12751. description: WebhookSecret defines a secret to be used in webhook templates.
  12752. properties:
  12753. name:
  12754. description: Name of this secret in templates
  12755. type: string
  12756. secretRef:
  12757. description: Secret ref to fill in credentials
  12758. properties:
  12759. key:
  12760. description: |-
  12761. A key in the referenced Secret.
  12762. Some instances of this field may be defaulted, in others it may be required.
  12763. maxLength: 253
  12764. minLength: 1
  12765. pattern: ^[-._a-zA-Z0-9]+$
  12766. type: string
  12767. name:
  12768. description: The name of the Secret resource being referred to.
  12769. maxLength: 253
  12770. minLength: 1
  12771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12772. type: string
  12773. namespace:
  12774. description: |-
  12775. The namespace of the Secret resource being referred to.
  12776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12777. maxLength: 63
  12778. minLength: 1
  12779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12780. type: string
  12781. type: object
  12782. required:
  12783. - name
  12784. - secretRef
  12785. type: object
  12786. type: array
  12787. timeout:
  12788. description: Timeout
  12789. type: string
  12790. url:
  12791. description: Webhook url to call
  12792. type: string
  12793. required:
  12794. - result
  12795. - url
  12796. type: object
  12797. yandexcertificatemanager:
  12798. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12799. properties:
  12800. apiEndpoint:
  12801. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12802. type: string
  12803. auth:
  12804. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12805. properties:
  12806. authorizedKeySecretRef:
  12807. description: The authorized key used for authentication
  12808. properties:
  12809. key:
  12810. description: |-
  12811. A key in the referenced Secret.
  12812. Some instances of this field may be defaulted, in others it may be required.
  12813. maxLength: 253
  12814. minLength: 1
  12815. pattern: ^[-._a-zA-Z0-9]+$
  12816. type: string
  12817. name:
  12818. description: The name of the Secret resource being referred to.
  12819. maxLength: 253
  12820. minLength: 1
  12821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12822. type: string
  12823. namespace:
  12824. description: |-
  12825. The namespace of the Secret resource being referred to.
  12826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12827. maxLength: 63
  12828. minLength: 1
  12829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12830. type: string
  12831. type: object
  12832. type: object
  12833. caProvider:
  12834. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12835. properties:
  12836. certSecretRef:
  12837. description: |-
  12838. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12839. In some instances, `key` is a required field.
  12840. properties:
  12841. key:
  12842. description: |-
  12843. A key in the referenced Secret.
  12844. Some instances of this field may be defaulted, in others it may be required.
  12845. maxLength: 253
  12846. minLength: 1
  12847. pattern: ^[-._a-zA-Z0-9]+$
  12848. type: string
  12849. name:
  12850. description: The name of the Secret resource being referred to.
  12851. maxLength: 253
  12852. minLength: 1
  12853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12854. type: string
  12855. namespace:
  12856. description: |-
  12857. The namespace of the Secret resource being referred to.
  12858. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12859. maxLength: 63
  12860. minLength: 1
  12861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12862. type: string
  12863. type: object
  12864. type: object
  12865. required:
  12866. - auth
  12867. type: object
  12868. yandexlockbox:
  12869. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12870. properties:
  12871. apiEndpoint:
  12872. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12873. type: string
  12874. auth:
  12875. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12876. properties:
  12877. authorizedKeySecretRef:
  12878. description: The authorized key used for authentication
  12879. properties:
  12880. key:
  12881. description: |-
  12882. A key in the referenced Secret.
  12883. Some instances of this field may be defaulted, in others it may be required.
  12884. maxLength: 253
  12885. minLength: 1
  12886. pattern: ^[-._a-zA-Z0-9]+$
  12887. type: string
  12888. name:
  12889. description: The name of the Secret resource being referred to.
  12890. maxLength: 253
  12891. minLength: 1
  12892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12893. type: string
  12894. namespace:
  12895. description: |-
  12896. The namespace of the Secret resource being referred to.
  12897. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12898. maxLength: 63
  12899. minLength: 1
  12900. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12901. type: string
  12902. type: object
  12903. type: object
  12904. caProvider:
  12905. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12906. properties:
  12907. certSecretRef:
  12908. description: |-
  12909. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12910. In some instances, `key` is a required field.
  12911. properties:
  12912. key:
  12913. description: |-
  12914. A key in the referenced Secret.
  12915. Some instances of this field may be defaulted, in others it may be required.
  12916. maxLength: 253
  12917. minLength: 1
  12918. pattern: ^[-._a-zA-Z0-9]+$
  12919. type: string
  12920. name:
  12921. description: The name of the Secret resource being referred to.
  12922. maxLength: 253
  12923. minLength: 1
  12924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12925. type: string
  12926. namespace:
  12927. description: |-
  12928. The namespace of the Secret resource being referred to.
  12929. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12930. maxLength: 63
  12931. minLength: 1
  12932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12933. type: string
  12934. type: object
  12935. type: object
  12936. required:
  12937. - auth
  12938. type: object
  12939. type: object
  12940. refreshInterval:
  12941. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12942. type: integer
  12943. retrySettings:
  12944. description: Used to configure HTTP retries on failures.
  12945. properties:
  12946. maxRetries:
  12947. description: MaxRetries is the maximum number of retry attempts.
  12948. format: int32
  12949. type: integer
  12950. retryInterval:
  12951. description: RetryInterval is the interval between retry attempts.
  12952. type: string
  12953. type: object
  12954. required:
  12955. - provider
  12956. type: object
  12957. status:
  12958. description: SecretStoreStatus defines the observed state of the SecretStore.
  12959. properties:
  12960. capabilities:
  12961. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12962. type: string
  12963. conditions:
  12964. items:
  12965. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12966. properties:
  12967. lastTransitionTime:
  12968. format: date-time
  12969. type: string
  12970. message:
  12971. type: string
  12972. reason:
  12973. type: string
  12974. status:
  12975. type: string
  12976. type:
  12977. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12978. type: string
  12979. required:
  12980. - status
  12981. - type
  12982. type: object
  12983. type: array
  12984. type: object
  12985. type: object
  12986. served: false
  12987. storage: false
  12988. subresources:
  12989. status: {}
  12990. ---
  12991. apiVersion: apiextensions.k8s.io/v1
  12992. kind: CustomResourceDefinition
  12993. metadata:
  12994. annotations:
  12995. controller-gen.kubebuilder.io/version: v0.19.0
  12996. labels:
  12997. external-secrets.io/component: controller
  12998. name: externalsecrets.external-secrets.io
  12999. spec:
  13000. group: external-secrets.io
  13001. names:
  13002. categories:
  13003. - external-secrets
  13004. kind: ExternalSecret
  13005. listKind: ExternalSecretList
  13006. plural: externalsecrets
  13007. shortNames:
  13008. - es
  13009. singular: externalsecret
  13010. scope: Namespaced
  13011. versions:
  13012. - additionalPrinterColumns:
  13013. - jsonPath: .spec.secretStoreRef.kind
  13014. name: StoreType
  13015. type: string
  13016. - jsonPath: .spec.secretStoreRef.name
  13017. name: Store
  13018. type: string
  13019. - jsonPath: .spec.refreshInterval
  13020. name: Refresh Interval
  13021. type: string
  13022. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13023. name: Status
  13024. type: string
  13025. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13026. name: Ready
  13027. type: string
  13028. - jsonPath: .status.refreshTime
  13029. name: Last Sync
  13030. type: date
  13031. name: v1
  13032. schema:
  13033. openAPIV3Schema:
  13034. description: |-
  13035. ExternalSecret is the Schema for the external-secrets API.
  13036. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  13037. properties:
  13038. apiVersion:
  13039. description: |-
  13040. APIVersion defines the versioned schema of this representation of an object.
  13041. Servers should convert recognized schemas to the latest internal value, and
  13042. may reject unrecognized values.
  13043. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13044. type: string
  13045. kind:
  13046. description: |-
  13047. Kind is a string value representing the REST resource this object represents.
  13048. Servers may infer this from the endpoint the client submits requests to.
  13049. Cannot be updated.
  13050. In CamelCase.
  13051. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13052. type: string
  13053. metadata:
  13054. type: object
  13055. spec:
  13056. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13057. properties:
  13058. data:
  13059. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13060. items:
  13061. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13062. properties:
  13063. remoteRef:
  13064. description: |-
  13065. RemoteRef points to the remote secret and defines
  13066. which secret (version/property/..) to fetch.
  13067. properties:
  13068. conversionStrategy:
  13069. default: Default
  13070. description: Used to define a conversion Strategy
  13071. enum:
  13072. - Default
  13073. - Unicode
  13074. type: string
  13075. decodingStrategy:
  13076. default: None
  13077. description: Used to define a decoding Strategy
  13078. enum:
  13079. - Auto
  13080. - Base64
  13081. - Base64URL
  13082. - None
  13083. type: string
  13084. key:
  13085. description: Key is the key used in the Provider, mandatory
  13086. type: string
  13087. metadataPolicy:
  13088. default: None
  13089. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  13090. enum:
  13091. - None
  13092. - Fetch
  13093. type: string
  13094. nullBytePolicy:
  13095. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13096. enum:
  13097. - Ignore
  13098. - Fail
  13099. type: string
  13100. property:
  13101. description: Used to select a specific property of the Provider value (if a map), if supported
  13102. type: string
  13103. version:
  13104. description: Used to select a specific version of the Provider value, if supported
  13105. type: string
  13106. required:
  13107. - key
  13108. type: object
  13109. secretKey:
  13110. description: The key in the Kubernetes Secret to store the value.
  13111. maxLength: 253
  13112. minLength: 1
  13113. pattern: ^[-._a-zA-Z0-9]+$
  13114. type: string
  13115. sourceRef:
  13116. description: |-
  13117. SourceRef allows you to override the source
  13118. from which the value will be pulled.
  13119. maxProperties: 1
  13120. minProperties: 1
  13121. properties:
  13122. generatorRef:
  13123. description: |-
  13124. GeneratorRef points to a generator custom resource.
  13125. Deprecated: The generatorRef is not implemented in .data[].
  13126. This will be removed with v1.
  13127. properties:
  13128. apiVersion:
  13129. default: generators.external-secrets.io/v1alpha1
  13130. description: Specify the apiVersion of the generator resource
  13131. type: string
  13132. kind:
  13133. description: Specify the Kind of the generator resource
  13134. enum:
  13135. - ACRAccessToken
  13136. - BeyondtrustWorkloadCredentialsDynamicSecret
  13137. - ClusterGenerator
  13138. - CloudsmithAccessToken
  13139. - ECRAuthorizationToken
  13140. - Fake
  13141. - GCRAccessToken
  13142. - GithubAccessToken
  13143. - QuayAccessToken
  13144. - Password
  13145. - SSHKey
  13146. - STSSessionToken
  13147. - UUID
  13148. - VaultDynamicSecret
  13149. - Webhook
  13150. - Grafana
  13151. - MFA
  13152. type: string
  13153. name:
  13154. description: Specify the name of the generator resource
  13155. maxLength: 253
  13156. minLength: 1
  13157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13158. type: string
  13159. required:
  13160. - kind
  13161. - name
  13162. type: object
  13163. storeRef:
  13164. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13165. properties:
  13166. kind:
  13167. description: |-
  13168. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13169. Defaults to `SecretStore`
  13170. enum:
  13171. - SecretStore
  13172. - ClusterSecretStore
  13173. type: string
  13174. name:
  13175. description: Name of the SecretStore resource
  13176. maxLength: 253
  13177. minLength: 1
  13178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13179. type: string
  13180. type: object
  13181. type: object
  13182. required:
  13183. - remoteRef
  13184. - secretKey
  13185. type: object
  13186. type: array
  13187. dataFrom:
  13188. description: |-
  13189. DataFrom is used to fetch all properties from a specific Provider data
  13190. If multiple entries are specified, the Secret keys are merged in the specified order
  13191. items:
  13192. description: |-
  13193. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  13194. when using DataFrom to fetch multiple values from a Provider.
  13195. properties:
  13196. extract:
  13197. description: |-
  13198. Used to extract multiple key/value pairs from one secret
  13199. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13200. properties:
  13201. conversionStrategy:
  13202. default: Default
  13203. description: Used to define a conversion Strategy
  13204. enum:
  13205. - Default
  13206. - Unicode
  13207. type: string
  13208. decodingStrategy:
  13209. default: None
  13210. description: Used to define a decoding Strategy
  13211. enum:
  13212. - Auto
  13213. - Base64
  13214. - Base64URL
  13215. - None
  13216. type: string
  13217. key:
  13218. description: Key is the key used in the Provider, mandatory
  13219. type: string
  13220. metadataPolicy:
  13221. default: None
  13222. description: Policy for fetching tags/labels from provider secrets. Possible options are Fetch and None. Defaults to None.
  13223. enum:
  13224. - None
  13225. - Fetch
  13226. type: string
  13227. nullBytePolicy:
  13228. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13229. enum:
  13230. - Ignore
  13231. - Fail
  13232. type: string
  13233. property:
  13234. description: Used to select a specific property of the Provider value (if a map), if supported
  13235. type: string
  13236. version:
  13237. description: Used to select a specific version of the Provider value, if supported
  13238. type: string
  13239. required:
  13240. - key
  13241. type: object
  13242. find:
  13243. description: |-
  13244. Used to find secrets based on tags or regular expressions
  13245. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13246. properties:
  13247. conversionStrategy:
  13248. default: Default
  13249. description: Used to define a conversion Strategy
  13250. enum:
  13251. - Default
  13252. - Unicode
  13253. type: string
  13254. decodingStrategy:
  13255. default: None
  13256. description: Used to define a decoding Strategy
  13257. enum:
  13258. - Auto
  13259. - Base64
  13260. - Base64URL
  13261. - None
  13262. type: string
  13263. name:
  13264. description: Finds secrets based on the name.
  13265. properties:
  13266. regexp:
  13267. description: Finds secrets whose name matches the given regular expression.
  13268. type: string
  13269. type: object
  13270. nullBytePolicy:
  13271. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13272. enum:
  13273. - Ignore
  13274. - Fail
  13275. type: string
  13276. path:
  13277. description: A root path to start the find operations.
  13278. type: string
  13279. tags:
  13280. additionalProperties:
  13281. type: string
  13282. description: Find secrets based on tags.
  13283. type: object
  13284. type: object
  13285. rewrite:
  13286. description: |-
  13287. Used to rewrite secret Keys after getting them from the secret Provider
  13288. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13289. items:
  13290. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13291. maxProperties: 1
  13292. minProperties: 1
  13293. properties:
  13294. merge:
  13295. description: |-
  13296. Used to merge key/values in one single Secret
  13297. The resulting key will contain all values from the specified secrets
  13298. properties:
  13299. conflictPolicy:
  13300. default: Error
  13301. description: Used to define the policy to use in conflict resolution.
  13302. enum:
  13303. - Ignore
  13304. - Error
  13305. type: string
  13306. into:
  13307. default: ""
  13308. description: |-
  13309. Used to define the target key of the merge operation.
  13310. Required if strategy is JSON. Ignored otherwise.
  13311. type: string
  13312. priority:
  13313. description: Used to define key priority in conflict resolution.
  13314. items:
  13315. type: string
  13316. type: array
  13317. priorityPolicy:
  13318. default: Strict
  13319. description: Used to define the policy when a key in the priority list does not exist in the input.
  13320. enum:
  13321. - IgnoreNotFound
  13322. - Strict
  13323. type: string
  13324. strategy:
  13325. default: Extract
  13326. description: Used to define the strategy to use in the merge operation.
  13327. enum:
  13328. - Extract
  13329. - JSON
  13330. type: string
  13331. type: object
  13332. regexp:
  13333. description: |-
  13334. Used to rewrite with regular expressions.
  13335. The resulting key will be the output of a regexp.ReplaceAll operation.
  13336. properties:
  13337. source:
  13338. description: Used to define the regular expression of a re.Compiler.
  13339. type: string
  13340. target:
  13341. description: Used to define the target pattern of a ReplaceAll operation.
  13342. type: string
  13343. required:
  13344. - source
  13345. - target
  13346. type: object
  13347. transform:
  13348. description: |-
  13349. Used to apply string transformation on the secrets.
  13350. The resulting key will be the output of the template applied by the operation.
  13351. properties:
  13352. template:
  13353. description: |-
  13354. Used to define the template to apply on the secret name.
  13355. `.value` will specify the secret name in the template.
  13356. type: string
  13357. required:
  13358. - template
  13359. type: object
  13360. type: object
  13361. type: array
  13362. sourceRef:
  13363. description: |-
  13364. SourceRef points to a store or generator
  13365. which contains secret values ready to use.
  13366. Use this in combination with Extract or Find to pull values out of
  13367. a specific SecretStore.
  13368. When sourceRef points to a generator, Extract or Find is not supported.
  13369. The generator returns a static map of values.
  13370. maxProperties: 1
  13371. minProperties: 1
  13372. properties:
  13373. generatorRef:
  13374. description: GeneratorRef points to a generator custom resource.
  13375. properties:
  13376. apiVersion:
  13377. default: generators.external-secrets.io/v1alpha1
  13378. description: Specify the apiVersion of the generator resource
  13379. type: string
  13380. kind:
  13381. description: Specify the Kind of the generator resource
  13382. enum:
  13383. - ACRAccessToken
  13384. - BeyondtrustWorkloadCredentialsDynamicSecret
  13385. - ClusterGenerator
  13386. - CloudsmithAccessToken
  13387. - ECRAuthorizationToken
  13388. - Fake
  13389. - GCRAccessToken
  13390. - GithubAccessToken
  13391. - QuayAccessToken
  13392. - Password
  13393. - SSHKey
  13394. - STSSessionToken
  13395. - UUID
  13396. - VaultDynamicSecret
  13397. - Webhook
  13398. - Grafana
  13399. - MFA
  13400. type: string
  13401. name:
  13402. description: Specify the name of the generator resource
  13403. maxLength: 253
  13404. minLength: 1
  13405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13406. type: string
  13407. required:
  13408. - kind
  13409. - name
  13410. type: object
  13411. storeRef:
  13412. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13413. properties:
  13414. kind:
  13415. description: |-
  13416. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13417. Defaults to `SecretStore`
  13418. enum:
  13419. - SecretStore
  13420. - ClusterSecretStore
  13421. type: string
  13422. name:
  13423. description: Name of the SecretStore resource
  13424. maxLength: 253
  13425. minLength: 1
  13426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13427. type: string
  13428. type: object
  13429. type: object
  13430. type: object
  13431. type: array
  13432. refreshInterval:
  13433. default: 1h0m0s
  13434. description: |-
  13435. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13436. specified as Golang Duration strings.
  13437. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13438. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13439. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13440. type: string
  13441. refreshPolicy:
  13442. description: |-
  13443. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13444. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13445. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13446. No periodic updates occur if refreshInterval is 0.
  13447. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13448. enum:
  13449. - CreatedOnce
  13450. - Periodic
  13451. - OnChange
  13452. type: string
  13453. secretStoreRef:
  13454. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13455. properties:
  13456. kind:
  13457. description: |-
  13458. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13459. Defaults to `SecretStore`
  13460. enum:
  13461. - SecretStore
  13462. - ClusterSecretStore
  13463. type: string
  13464. name:
  13465. description: Name of the SecretStore resource
  13466. maxLength: 253
  13467. minLength: 1
  13468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13469. type: string
  13470. type: object
  13471. syncWindows:
  13472. description: |-
  13473. SyncWindows optionally restricts when periodic refreshes may occur.
  13474. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  13475. properties:
  13476. kind:
  13477. description: |-
  13478. Kind applies to every window in the list.
  13479. "allow" -- syncs are permitted only while at least one window is active;
  13480. all other times are blocked.
  13481. "deny" -- syncs are blocked while any window is active;
  13482. all other times are permitted.
  13483. enum:
  13484. - allow
  13485. - deny
  13486. type: string
  13487. windows:
  13488. description: Windows is the list of schedule+duration pairs.
  13489. items:
  13490. description: |-
  13491. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  13492. within a SyncWindows block.
  13493. properties:
  13494. duration:
  13495. description: |-
  13496. Duration specifies how long the window stays open after each Schedule
  13497. firing. Example: "8h".
  13498. type: string
  13499. schedule:
  13500. description: |-
  13501. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  13502. named shorthand such as @daily or @every 1h. It marks the start time of
  13503. each window occurrence.
  13504. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  13505. minLength: 1
  13506. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  13507. type: string
  13508. required:
  13509. - duration
  13510. - schedule
  13511. type: object
  13512. minItems: 1
  13513. type: array
  13514. required:
  13515. - kind
  13516. - windows
  13517. type: object
  13518. target:
  13519. default:
  13520. creationPolicy: Owner
  13521. deletionPolicy: Retain
  13522. description: |-
13523. ExternalSecretTarget defines the Kubernetes Secret to be created;
13524. there can be only one target per ExternalSecret.
  13525. properties:
  13526. creationPolicy:
  13527. default: Owner
  13528. description: |-
  13529. CreationPolicy defines rules on how to create the resulting Secret.
  13530. Defaults to "Owner"
  13531. enum:
  13532. - Owner
  13533. - Orphan
  13534. - Merge
  13535. - None
  13536. type: string
  13537. deletionPolicy:
  13538. default: Retain
  13539. description: |-
  13540. DeletionPolicy defines rules on how to delete the resulting Secret.
  13541. Defaults to "Retain"
  13542. enum:
  13543. - Delete
  13544. - Merge
  13545. - Retain
  13546. type: string
  13547. immutable:
13548. description: Immutable defines whether the final secret will be immutable
  13549. type: boolean
  13550. manifest:
  13551. description: |-
  13552. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13553. When specified, ExternalSecret will create the resource type defined here
  13554. (e.g., ConfigMap, Custom Resource) instead of a Secret.
13555. Warning: a generic (non-Secret) target is not covered by the RBAC restrictions or encryption-at-rest configuration that apply to Secrets unless they are configured for that resource type, so secret material may be readable by anyone with access to that resource. Make sure access policies and encryption are properly configured.
  13556. properties:
  13557. apiVersion:
  13558. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13559. minLength: 1
  13560. type: string
  13561. kind:
  13562. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13563. minLength: 1
  13564. type: string
  13565. required:
  13566. - apiVersion
  13567. - kind
  13568. type: object
  13569. name:
  13570. description: |-
  13571. The name of the Secret resource to be managed.
  13572. Defaults to the .metadata.name of the ExternalSecret resource
  13573. maxLength: 253
  13574. minLength: 1
  13575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13576. type: string
  13577. template:
  13578. description: Template defines a blueprint for the created Secret resource.
  13579. properties:
  13580. data:
  13581. additionalProperties:
  13582. type: string
  13583. type: object
  13584. engineVersion:
  13585. default: v2
  13586. description: |-
  13587. EngineVersion specifies the template engine version
  13588. that should be used to compile/execute the
  13589. template specified in .data and .templateFrom[].
  13590. enum:
  13591. - v2
  13592. type: string
  13593. mergePolicy:
  13594. default: Replace
  13595. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13596. enum:
  13597. - Replace
  13598. - Merge
  13599. type: string
  13600. metadata:
  13601. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13602. properties:
  13603. annotations:
  13604. additionalProperties:
  13605. type: string
  13606. type: object
  13607. finalizers:
  13608. items:
  13609. type: string
  13610. type: array
  13611. labels:
  13612. additionalProperties:
  13613. type: string
  13614. type: object
  13615. type: object
  13616. templateFrom:
  13617. items:
  13618. description: |-
  13619. TemplateFrom specifies a source for templates.
  13620. Each item in the list can either reference a ConfigMap or a Secret resource.
  13621. properties:
  13622. configMap:
  13623. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13624. properties:
  13625. items:
  13626. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13627. items:
  13628. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13629. properties:
  13630. key:
  13631. description: A key in the ConfigMap/Secret
  13632. maxLength: 253
  13633. minLength: 1
  13634. pattern: ^[-._a-zA-Z0-9]+$
  13635. type: string
  13636. templateAs:
  13637. default: Values
  13638. description: TemplateScope specifies how the template keys should be interpreted.
  13639. enum:
  13640. - Values
  13641. - KeysAndValues
  13642. type: string
  13643. required:
  13644. - key
  13645. type: object
  13646. type: array
  13647. name:
  13648. description: The name of the ConfigMap/Secret resource
  13649. maxLength: 253
  13650. minLength: 1
  13651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13652. type: string
  13653. required:
  13654. - items
  13655. - name
  13656. type: object
  13657. literal:
  13658. type: string
  13659. secret:
  13660. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13661. properties:
  13662. items:
  13663. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13664. items:
  13665. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13666. properties:
  13667. key:
  13668. description: A key in the ConfigMap/Secret
  13669. maxLength: 253
  13670. minLength: 1
  13671. pattern: ^[-._a-zA-Z0-9]+$
  13672. type: string
  13673. templateAs:
  13674. default: Values
  13675. description: TemplateScope specifies how the template keys should be interpreted.
  13676. enum:
  13677. - Values
  13678. - KeysAndValues
  13679. type: string
  13680. required:
  13681. - key
  13682. type: object
  13683. type: array
  13684. name:
  13685. description: The name of the ConfigMap/Secret resource
  13686. maxLength: 253
  13687. minLength: 1
  13688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13689. type: string
  13690. required:
  13691. - items
  13692. - name
  13693. type: object
  13694. target:
  13695. default: Data
  13696. description: |-
  13697. Target specifies where to place the template result.
  13698. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13699. For custom resources (when spec.target.manifest is set), this supports
  13700. nested paths like "spec.database.config" or "data".
  13701. type: string
  13702. valuesDecodingStrategy:
  13703. default: None
  13704. description: Used to define a decoding Strategy for the rendered template values.
  13705. enum:
  13706. - Auto
  13707. - Base64
  13708. - Base64URL
  13709. - None
  13710. type: string
  13711. type: object
  13712. type: array
  13713. type:
  13714. type: string
  13715. type: object
  13716. type: object
  13717. type: object
  13718. status:
  13719. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13720. properties:
  13721. binding:
  13722. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13723. properties:
  13724. name:
  13725. default: ""
  13726. description: |-
  13727. Name of the referent.
  13728. This field is effectively required, but due to backwards compatibility is
  13729. allowed to be empty. Instances of this type with an empty value here are
  13730. almost certainly wrong.
  13731. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13732. type: string
  13733. type: object
  13734. x-kubernetes-map-type: atomic
  13735. conditions:
  13736. items:
  13737. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13738. properties:
  13739. lastTransitionTime:
  13740. format: date-time
  13741. type: string
  13742. message:
  13743. type: string
  13744. reason:
  13745. type: string
  13746. status:
  13747. type: string
  13748. type:
  13749. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13750. enum:
  13751. - Ready
  13752. - Deleted
  13753. type: string
  13754. required:
  13755. - status
  13756. - type
  13757. type: object
  13758. type: array
  13759. refreshTime:
  13760. description: |-
  13761. refreshTime is the time and date the external secret was fetched and
  13762. the target secret updated
  13763. format: date-time
  13764. nullable: true
  13765. type: string
  13766. syncedResourceVersion:
  13767. description: SyncedResourceVersion keeps track of the last synced version
  13768. type: string
  13769. type: object
  13770. type: object
  13771. selectableFields:
  13772. - jsonPath: .spec.secretStoreRef.name
  13773. - jsonPath: .spec.secretStoreRef.kind
  13774. - jsonPath: .spec.target.name
  13775. - jsonPath: .spec.refreshInterval
  13776. served: true
  13777. storage: true
  13778. subresources:
  13779. status: {}
  13780. - additionalPrinterColumns:
  13781. - jsonPath: .spec.secretStoreRef.kind
  13782. name: StoreType
  13783. type: string
  13784. - jsonPath: .spec.secretStoreRef.name
  13785. name: Store
  13786. type: string
  13787. - jsonPath: .spec.refreshInterval
  13788. name: Refresh Interval
  13789. type: string
  13790. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13791. name: Status
  13792. type: string
  13793. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13794. name: Ready
  13795. type: string
  13796. - jsonPath: .status.refreshTime
  13797. name: Last Sync
  13798. type: date
  13799. deprecated: true
  13800. name: v1beta1
  13801. schema:
  13802. openAPIV3Schema:
  13803. description: ExternalSecret is the schema for the external-secrets API.
  13804. properties:
  13805. apiVersion:
  13806. description: |-
  13807. APIVersion defines the versioned schema of this representation of an object.
  13808. Servers should convert recognized schemas to the latest internal value, and
  13809. may reject unrecognized values.
  13810. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13811. type: string
  13812. kind:
  13813. description: |-
  13814. Kind is a string value representing the REST resource this object represents.
  13815. Servers may infer this from the endpoint the client submits requests to.
  13816. Cannot be updated.
  13817. In CamelCase.
  13818. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13819. type: string
  13820. metadata:
  13821. type: object
  13822. spec:
  13823. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13824. properties:
  13825. data:
  13826. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13827. items:
  13828. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13829. properties:
  13830. remoteRef:
  13831. description: |-
  13832. RemoteRef points to the remote secret and defines
  13833. which secret (version/property/..) to fetch.
  13834. properties:
  13835. conversionStrategy:
  13836. default: Default
  13837. description: Used to define a conversion Strategy
  13838. enum:
  13839. - Default
  13840. - Unicode
  13841. type: string
  13842. decodingStrategy:
  13843. default: None
  13844. description: Used to define a decoding Strategy
  13845. enum:
  13846. - Auto
  13847. - Base64
  13848. - Base64URL
  13849. - None
  13850. type: string
  13851. key:
  13852. description: Key is the key used in the Provider, mandatory
  13853. type: string
  13854. metadataPolicy:
  13855. default: None
13856. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  13857. enum:
  13858. - None
  13859. - Fetch
  13860. type: string
  13861. property:
  13862. description: Used to select a specific property of the Provider value (if a map), if supported
  13863. type: string
  13864. version:
  13865. description: Used to select a specific version of the Provider value, if supported
  13866. type: string
  13867. required:
  13868. - key
  13869. type: object
  13870. secretKey:
  13871. description: The key in the Kubernetes Secret to store the value.
  13872. maxLength: 253
  13873. minLength: 1
  13874. pattern: ^[-._a-zA-Z0-9]+$
  13875. type: string
  13876. sourceRef:
  13877. description: |-
  13878. SourceRef allows you to override the source
  13879. from which the value will be pulled.
  13880. maxProperties: 1
  13881. minProperties: 1
  13882. properties:
  13883. generatorRef:
  13884. description: |-
  13885. GeneratorRef points to a generator custom resource.
13886. Deprecated: generatorRef is not implemented in .data[];
13887. it will be removed with v1.
  13888. properties:
  13889. apiVersion:
  13890. default: generators.external-secrets.io/v1alpha1
  13891. description: Specify the apiVersion of the generator resource
  13892. type: string
  13893. kind:
  13894. description: Specify the Kind of the generator resource
  13895. enum:
  13896. - ACRAccessToken
  13897. - ClusterGenerator
  13898. - ECRAuthorizationToken
  13899. - Fake
  13900. - GCRAccessToken
  13901. - GithubAccessToken
  13902. - QuayAccessToken
  13903. - Password
  13904. - SSHKey
  13905. - STSSessionToken
  13906. - UUID
  13907. - VaultDynamicSecret
  13908. - Webhook
  13909. - Grafana
  13910. type: string
  13911. name:
  13912. description: Specify the name of the generator resource
  13913. maxLength: 253
  13914. minLength: 1
  13915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13916. type: string
  13917. required:
  13918. - kind
  13919. - name
  13920. type: object
  13921. storeRef:
  13922. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13923. properties:
  13924. kind:
  13925. description: |-
  13926. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13927. Defaults to `SecretStore`
  13928. enum:
  13929. - SecretStore
  13930. - ClusterSecretStore
  13931. type: string
  13932. name:
  13933. description: Name of the SecretStore resource
  13934. maxLength: 253
  13935. minLength: 1
  13936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13937. type: string
  13938. type: object
  13939. type: object
  13940. required:
  13941. - remoteRef
  13942. - secretKey
  13943. type: object
  13944. type: array
  13945. dataFrom:
  13946. description: |-
  13947. DataFrom is used to fetch all properties from a specific Provider data
  13948. If multiple entries are specified, the Secret keys are merged in the specified order
  13949. items:
  13950. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13951. properties:
  13952. extract:
  13953. description: |-
  13954. Used to extract multiple key/value pairs from one secret
  13955. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13956. properties:
  13957. conversionStrategy:
  13958. default: Default
  13959. description: Used to define a conversion Strategy
  13960. enum:
  13961. - Default
  13962. - Unicode
  13963. type: string
  13964. decodingStrategy:
  13965. default: None
  13966. description: Used to define a decoding Strategy
  13967. enum:
  13968. - Auto
  13969. - Base64
  13970. - Base64URL
  13971. - None
  13972. type: string
  13973. key:
  13974. description: Key is the key used in the Provider, mandatory
  13975. type: string
  13976. metadataPolicy:
  13977. default: None
13978. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  13979. enum:
  13980. - None
  13981. - Fetch
  13982. type: string
  13983. property:
  13984. description: Used to select a specific property of the Provider value (if a map), if supported
  13985. type: string
  13986. version:
  13987. description: Used to select a specific version of the Provider value, if supported
  13988. type: string
  13989. required:
  13990. - key
  13991. type: object
  13992. find:
  13993. description: |-
  13994. Used to find secrets based on tags or regular expressions
  13995. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13996. properties:
  13997. conversionStrategy:
  13998. default: Default
  13999. description: Used to define a conversion Strategy
  14000. enum:
  14001. - Default
  14002. - Unicode
  14003. type: string
  14004. decodingStrategy:
  14005. default: None
  14006. description: Used to define a decoding Strategy
  14007. enum:
  14008. - Auto
  14009. - Base64
  14010. - Base64URL
  14011. - None
  14012. type: string
  14013. name:
  14014. description: Finds secrets based on the name.
  14015. properties:
  14016. regexp:
14017. description: Finds secrets whose name matches the given regular expression.
  14018. type: string
  14019. type: object
  14020. path:
  14021. description: A root path to start the find operations.
  14022. type: string
  14023. tags:
  14024. additionalProperties:
  14025. type: string
  14026. description: Find secrets based on tags.
  14027. type: object
  14028. type: object
  14029. rewrite:
  14030. description: |-
  14031. Used to rewrite secret Keys after getting them from the secret Provider
  14032. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  14033. items:
  14034. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  14035. maxProperties: 1
  14036. minProperties: 1
  14037. properties:
  14038. regexp:
  14039. description: |-
  14040. Used to rewrite with regular expressions.
  14041. The resulting key will be the output of a regexp.ReplaceAll operation.
  14042. properties:
  14043. source:
  14044. description: Used to define the regular expression of a re.Compiler.
  14045. type: string
  14046. target:
  14047. description: Used to define the target pattern of a ReplaceAll operation.
  14048. type: string
  14049. required:
  14050. - source
  14051. - target
  14052. type: object
  14053. transform:
  14054. description: |-
  14055. Used to apply string transformation on the secrets.
  14056. The resulting key will be the output of the template applied by the operation.
  14057. properties:
  14058. template:
  14059. description: |-
  14060. Used to define the template to apply on the secret name.
14061. `.value` will specify the secret name in the template.
  14062. type: string
  14063. required:
  14064. - template
  14065. type: object
  14066. type: object
  14067. type: array
  14068. sourceRef:
  14069. description: |-
  14070. SourceRef points to a store or generator
  14071. which contains secret values ready to use.
14072. Use this in combination with Extract or Find to pull values out of
14073. a specific SecretStore.
14074. When sourceRef points to a generator, Extract or Find is not supported.
14075. The generator returns a static map of values.
  14076. maxProperties: 1
  14077. minProperties: 1
  14078. properties:
  14079. generatorRef:
  14080. description: GeneratorRef points to a generator custom resource.
  14081. properties:
  14082. apiVersion:
  14083. default: generators.external-secrets.io/v1alpha1
  14084. description: Specify the apiVersion of the generator resource
  14085. type: string
  14086. kind:
  14087. description: Specify the Kind of the generator resource
  14088. enum:
  14089. - ACRAccessToken
  14090. - ClusterGenerator
  14091. - ECRAuthorizationToken
  14092. - Fake
  14093. - GCRAccessToken
  14094. - GithubAccessToken
  14095. - QuayAccessToken
  14096. - Password
  14097. - SSHKey
  14098. - STSSessionToken
  14099. - UUID
  14100. - VaultDynamicSecret
  14101. - Webhook
  14102. - Grafana
  14103. type: string
  14104. name:
  14105. description: Specify the name of the generator resource
  14106. maxLength: 253
  14107. minLength: 1
  14108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14109. type: string
  14110. required:
  14111. - kind
  14112. - name
  14113. type: object
  14114. storeRef:
  14115. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14116. properties:
  14117. kind:
  14118. description: |-
  14119. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14120. Defaults to `SecretStore`
  14121. enum:
  14122. - SecretStore
  14123. - ClusterSecretStore
  14124. type: string
  14125. name:
  14126. description: Name of the SecretStore resource
  14127. maxLength: 253
  14128. minLength: 1
  14129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14130. type: string
  14131. type: object
  14132. type: object
  14133. type: object
  14134. type: array
  14135. refreshInterval:
  14136. default: 1h0m0s
  14137. description: |-
  14138. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  14139. specified as Golang Duration strings.
  14140. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  14141. Example values: "1h0m0s", "2h30m0s", "10m0s"
  14142. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  14143. type: string
  14144. refreshPolicy:
  14145. description: |-
  14146. RefreshPolicy determines how the ExternalSecret should be refreshed:
  14147. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  14148. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  14149. No periodic updates occur if refreshInterval is 0.
  14150. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  14151. enum:
  14152. - CreatedOnce
  14153. - Periodic
  14154. - OnChange
  14155. type: string
  14156. secretStoreRef:
  14157. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14158. properties:
  14159. kind:
  14160. description: |-
  14161. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14162. Defaults to `SecretStore`
  14163. enum:
  14164. - SecretStore
  14165. - ClusterSecretStore
  14166. type: string
  14167. name:
  14168. description: Name of the SecretStore resource
  14169. maxLength: 253
  14170. minLength: 1
  14171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14172. type: string
  14173. type: object
  14174. target:
  14175. default:
  14176. creationPolicy: Owner
  14177. deletionPolicy: Retain
  14178. description: |-
  14179. ExternalSecretTarget defines the Kubernetes Secret to be created
  14180. There can be only one target per ExternalSecret.
  14181. properties:
  14182. creationPolicy:
  14183. default: Owner
  14184. description: |-
  14185. CreationPolicy defines rules on how to create the resulting Secret.
  14186. Defaults to "Owner"
  14187. enum:
  14188. - Owner
  14189. - Orphan
  14190. - Merge
  14191. - None
  14192. type: string
  14193. deletionPolicy:
  14194. default: Retain
  14195. description: |-
  14196. DeletionPolicy defines rules on how to delete the resulting Secret.
  14197. Defaults to "Retain"
  14198. enum:
  14199. - Delete
  14200. - Merge
  14201. - Retain
  14202. type: string
  14203. immutable:
14204. description: Immutable defines whether the final secret will be immutable
  14205. type: boolean
  14206. name:
  14207. description: |-
  14208. The name of the Secret resource to be managed.
  14209. Defaults to the .metadata.name of the ExternalSecret resource
  14210. maxLength: 253
  14211. minLength: 1
  14212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14213. type: string
  14214. template:
  14215. description: Template defines a blueprint for the created Secret resource.
  14216. properties:
  14217. data:
  14218. additionalProperties:
  14219. type: string
  14220. type: object
  14221. engineVersion:
  14222. default: v2
  14223. description: |-
  14224. EngineVersion specifies the template engine version
  14225. that should be used to compile/execute the
  14226. template specified in .data and .templateFrom[].
  14227. enum:
  14228. - v2
  14229. type: string
  14230. mergePolicy:
  14231. default: Replace
  14232. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  14233. enum:
  14234. - Replace
  14235. - Merge
  14236. type: string
  14237. metadata:
  14238. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14239. properties:
  14240. annotations:
  14241. additionalProperties:
  14242. type: string
  14243. type: object
  14244. labels:
  14245. additionalProperties:
  14246. type: string
  14247. type: object
  14248. type: object
  14249. templateFrom:
  14250. items:
  14251. description: TemplateFrom defines a source for template data.
  14252. properties:
  14253. configMap:
  14254. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14255. properties:
  14256. items:
  14257. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14258. items:
  14259. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14260. properties:
  14261. key:
  14262. description: A key in the ConfigMap/Secret
  14263. maxLength: 253
  14264. minLength: 1
  14265. pattern: ^[-._a-zA-Z0-9]+$
  14266. type: string
  14267. templateAs:
  14268. default: Values
  14269. description: TemplateScope defines the scope of the template when processing template data.
  14270. enum:
  14271. - Values
  14272. - KeysAndValues
  14273. type: string
  14274. required:
  14275. - key
  14276. type: object
  14277. type: array
  14278. name:
  14279. description: The name of the ConfigMap/Secret resource
  14280. maxLength: 253
  14281. minLength: 1
  14282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14283. type: string
  14284. required:
  14285. - items
  14286. - name
  14287. type: object
  14288. literal:
  14289. type: string
  14290. secret:
  14291. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14292. properties:
  14293. items:
  14294. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14295. items:
  14296. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14297. properties:
  14298. key:
  14299. description: A key in the ConfigMap/Secret
  14300. maxLength: 253
  14301. minLength: 1
  14302. pattern: ^[-._a-zA-Z0-9]+$
  14303. type: string
  14304. templateAs:
  14305. default: Values
  14306. description: TemplateScope defines the scope of the template when processing template data.
  14307. enum:
  14308. - Values
  14309. - KeysAndValues
  14310. type: string
  14311. required:
  14312. - key
  14313. type: object
  14314. type: array
  14315. name:
  14316. description: The name of the ConfigMap/Secret resource
  14317. maxLength: 253
  14318. minLength: 1
  14319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14320. type: string
  14321. required:
  14322. - items
  14323. - name
  14324. type: object
  14325. target:
  14326. default: Data
  14327. description: TemplateTarget defines the target field where the template result will be stored.
  14328. enum:
  14329. - Data
  14330. - Annotations
  14331. - Labels
  14332. type: string
  14333. type: object
  14334. type: array
  14335. type:
  14336. type: string
  14337. type: object
  14338. type: object
  14339. type: object
  14340. status:
  14341. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14342. properties:
  14343. binding:
  14344. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14345. properties:
  14346. name:
  14347. default: ""
  14348. description: |-
  14349. Name of the referent.
  14350. This field is effectively required, but due to backwards compatibility is
  14351. allowed to be empty. Instances of this type with an empty value here are
  14352. almost certainly wrong.
  14353. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14354. type: string
  14355. type: object
  14356. x-kubernetes-map-type: atomic
  14357. conditions:
  14358. items:
  14359. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14360. properties:
  14361. lastTransitionTime:
  14362. format: date-time
  14363. type: string
  14364. message:
  14365. type: string
  14366. reason:
  14367. type: string
  14368. status:
  14369. type: string
  14370. type:
  14371. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14372. type: string
  14373. required:
  14374. - status
  14375. - type
  14376. type: object
  14377. type: array
  14378. refreshTime:
  14379. description: |-
  14380. refreshTime is the time and date the external secret was fetched and
  14381. the target secret updated
  14382. format: date-time
  14383. nullable: true
  14384. type: string
  14385. syncedResourceVersion:
  14386. description: SyncedResourceVersion keeps track of the last synced version
  14387. type: string
  14388. type: object
  14389. type: object
  14390. served: false
  14391. storage: false
  14392. subresources:
  14393. status: {}
  14394. ---
  14395. apiVersion: apiextensions.k8s.io/v1
  14396. kind: CustomResourceDefinition
  14397. metadata:
  14398. annotations:
  14399. controller-gen.kubebuilder.io/version: v0.19.0
  14400. labels:
  14401. external-secrets.io/component: controller
  14402. name: pushsecrets.external-secrets.io
  14403. spec:
  14404. group: external-secrets.io
  14405. names:
  14406. categories:
  14407. - external-secrets
  14408. kind: PushSecret
  14409. listKind: PushSecretList
  14410. plural: pushsecrets
  14411. shortNames:
  14412. - ps
  14413. singular: pushsecret
  14414. scope: Namespaced
  14415. versions:
  14416. - additionalPrinterColumns:
  14417. - jsonPath: .metadata.creationTimestamp
  14418. name: AGE
  14419. type: date
  14420. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14421. name: Status
  14422. type: string
  14423. - jsonPath: .status.refreshTime
  14424. name: Last Sync
  14425. type: date
  14426. name: v1alpha1
  14427. schema:
  14428. openAPIV3Schema:
  14429. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14430. properties:
  14431. apiVersion:
  14432. description: |-
  14433. APIVersion defines the versioned schema of this representation of an object.
  14434. Servers should convert recognized schemas to the latest internal value, and
  14435. may reject unrecognized values.
  14436. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14437. type: string
  14438. kind:
  14439. description: |-
  14440. Kind is a string value representing the REST resource this object represents.
  14441. Servers may infer this from the endpoint the client submits requests to.
  14442. Cannot be updated.
  14443. In CamelCase.
  14444. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14445. type: string
  14446. metadata:
  14447. type: object
  14448. spec:
  14449. description: PushSecretSpec configures the behavior of the PushSecret.
  14450. properties:
  14451. data:
  14452. description: Secret Data that should be pushed to providers
  14453. items:
  14454. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14455. properties:
  14456. conversionStrategy:
  14457. default: None
  14458. description: Used to define a conversion Strategy for the secret keys
  14459. enum:
  14460. - None
  14461. - ReverseUnicode
  14462. type: string
  14463. match:
  14464. description: Match a given Secret Key to be pushed to the provider.
  14465. properties:
  14466. remoteRef:
  14467. description: Remote Refs to push to providers.
  14468. properties:
  14469. property:
  14470. description: Name of the property in the resulting secret
  14471. type: string
  14472. remoteKey:
  14473. description: Name of the resulting provider secret.
  14474. type: string
  14475. required:
  14476. - remoteKey
  14477. type: object
  14478. secretKey:
  14479. description: Secret Key to be pushed
  14480. type: string
  14481. required:
  14482. - remoteRef
  14483. type: object
  14484. metadata:
  14485. description: |-
  14486. Metadata is metadata attached to the secret.
  14487. The structure of metadata is provider specific, please look it up in the provider documentation.
  14488. x-kubernetes-preserve-unknown-fields: true
  14489. required:
  14490. - match
  14491. type: object
  14492. type: array
  14493. dataTo:
  14494. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14495. items:
  14496. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14497. properties:
  14498. conversionStrategy:
  14499. default: None
  14500. description: Used to define a conversion Strategy for the secret keys
  14501. enum:
  14502. - None
  14503. - ReverseUnicode
  14504. type: string
  14505. match:
  14506. description: |-
  14507. Match pattern for selecting keys from the source Secret.
  14508. If not specified, all keys are selected.
  14509. properties:
  14510. regexp:
  14511. description: |-
  14512. Regexp matches keys by regular expression.
  14513. If not specified, all keys are matched.
  14514. type: string
  14515. type: object
  14516. metadata:
  14517. description: |-
  14518. Metadata is metadata attached to the secret.
  14519. The structure of metadata is provider specific, please look it up in the provider documentation.
  14520. x-kubernetes-preserve-unknown-fields: true
  14521. remoteKey:
  14522. description: |-
  14523. RemoteKey is the name of the single provider secret that will receive ALL
  14524. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14525. When set, per-key expansion is skipped and a single push is performed.
  14526. The provider's store prefix (if any) is still prepended to this value.
  14527. When not set, each matched key is pushed as its own individual provider secret.
  14528. type: string
  14529. rewrite:
  14530. description: |-
  14531. Rewrite operations to transform keys before pushing to the provider.
  14532. Operations are applied sequentially.
  14533. items:
  14534. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14535. properties:
  14536. regexp:
  14537. description: Used to rewrite with regular expressions.
  14538. properties:
  14539. source:
  14540. description: The regular expression to match against each secret key before it is pushed; it is compiled by the controller and applied as a ReplaceAll operation together with target.
  14541. type: string
  14542. target:
  14543. description: The replacement pattern used by the ReplaceAll operation for every match of source in the secret key.
  14544. type: string
  14545. required:
  14546. - source
  14547. - target
  14548. type: object
  14549. transform:
  14550. description: Used to apply a string transformation to the secret keys before they are pushed.
  14551. properties:
  14552. template:
  14553. description: |-
  14554. Used to define the template to apply to the secret key name.
  14555. `.value` refers to the secret key name within the template.
  14556. type: string
  14557. required:
  14558. - template
  14559. type: object
  14560. type: object
  14561. x-kubernetes-validations:
  14562. - message: exactly one of regexp or transform must be set
  14563. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14564. type: array
  14565. storeRef:
  14566. description: StoreRef specifies which SecretStore to push to. Required.
  14567. properties:
  14568. kind:
  14569. default: SecretStore
  14570. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14571. enum:
  14572. - SecretStore
  14573. - ClusterSecretStore
  14574. type: string
  14575. labelSelector:
  14576. description: Optionally, sync to secret stores with label selector
  14577. properties:
  14578. matchExpressions:
  14579. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14580. items:
  14581. description: |-
  14582. A label selector requirement is a selector that contains values, a key, and an operator that
  14583. relates the key and values.
  14584. properties:
  14585. key:
  14586. description: key is the label key that the selector applies to.
  14587. type: string
  14588. operator:
  14589. description: |-
  14590. operator represents a key's relationship to a set of values.
  14591. Valid operators are In, NotIn, Exists and DoesNotExist.
  14592. type: string
  14593. values:
  14594. description: |-
  14595. values is an array of string values. If the operator is In or NotIn,
  14596. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14597. the values array must be empty. This array is replaced during a strategic
  14598. merge patch.
  14599. items:
  14600. type: string
  14601. type: array
  14602. x-kubernetes-list-type: atomic
  14603. required:
  14604. - key
  14605. - operator
  14606. type: object
  14607. type: array
  14608. x-kubernetes-list-type: atomic
  14609. matchLabels:
  14610. additionalProperties:
  14611. type: string
  14612. description: |-
  14613. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14614. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14615. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14616. type: object
  14617. type: object
  14618. x-kubernetes-map-type: atomic
  14619. name:
  14620. description: Optionally, sync to the SecretStore of the given name
  14621. maxLength: 253
  14622. minLength: 1
  14623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14624. type: string
  14625. type: object
  14626. type: object
  14627. x-kubernetes-validations:
  14628. - message: storeRef must specify either name or labelSelector
  14629. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14630. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14631. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14632. type: array
  14633. deletionPolicy:
  14634. default: None
  14635. description: Deletion policy for secrets pushed to the provider. None leaves the provider secret in place; Delete removes it from the provider.
  14636. enum:
  14637. - Delete
  14638. - None
  14639. type: string
  14640. refreshInterval:
  14641. default: 1h0m0s
  14642. description: The interval at which External Secrets will try to push the secret to the provider.
  14643. type: string
  14644. secretStoreRefs:
  14645. items:
  14646. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14647. properties:
  14648. kind:
  14649. default: SecretStore
  14650. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14651. enum:
  14652. - SecretStore
  14653. - ClusterSecretStore
  14654. type: string
  14655. labelSelector:
  14656. description: Optionally, sync to secret stores with label selector
  14657. properties:
  14658. matchExpressions:
  14659. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14660. items:
  14661. description: |-
  14662. A label selector requirement is a selector that contains values, a key, and an operator that
  14663. relates the key and values.
  14664. properties:
  14665. key:
  14666. description: key is the label key that the selector applies to.
  14667. type: string
  14668. operator:
  14669. description: |-
  14670. operator represents a key's relationship to a set of values.
  14671. Valid operators are In, NotIn, Exists and DoesNotExist.
  14672. type: string
  14673. values:
  14674. description: |-
  14675. values is an array of string values. If the operator is In or NotIn,
  14676. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14677. the values array must be empty. This array is replaced during a strategic
  14678. merge patch.
  14679. items:
  14680. type: string
  14681. type: array
  14682. x-kubernetes-list-type: atomic
  14683. required:
  14684. - key
  14685. - operator
  14686. type: object
  14687. type: array
  14688. x-kubernetes-list-type: atomic
  14689. matchLabels:
  14690. additionalProperties:
  14691. type: string
  14692. description: |-
  14693. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14694. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14695. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14696. type: object
  14697. type: object
  14698. x-kubernetes-map-type: atomic
  14699. name:
  14700. description: Optionally, sync to the SecretStore of the given name
  14701. maxLength: 253
  14702. minLength: 1
  14703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14704. type: string
  14705. type: object
  14706. type: array
  14707. selector:
  14708. description: Selects the Kubernetes source of the data to push, either an existing Secret or a generator. Exactly one of secret or generatorRef must be set.
  14709. maxProperties: 1
  14710. minProperties: 1
  14711. properties:
  14712. generatorRef:
  14713. description: Point to a generator to create a Secret.
  14714. properties:
  14715. apiVersion:
  14716. default: generators.external-secrets.io/v1alpha1
  14717. description: Specify the apiVersion of the generator resource
  14718. type: string
  14719. kind:
  14720. description: Specify the Kind of the generator resource
  14721. enum:
  14722. - ACRAccessToken
  14723. - BeyondtrustWorkloadCredentialsDynamicSecret
  14724. - ClusterGenerator
  14725. - CloudsmithAccessToken
  14726. - ECRAuthorizationToken
  14727. - Fake
  14728. - GCRAccessToken
  14729. - GithubAccessToken
  14730. - QuayAccessToken
  14731. - Password
  14732. - SSHKey
  14733. - STSSessionToken
  14734. - UUID
  14735. - VaultDynamicSecret
  14736. - Webhook
  14737. - Grafana
  14738. - MFA
  14739. type: string
  14740. name:
  14741. description: Specify the name of the generator resource
  14742. maxLength: 253
  14743. minLength: 1
  14744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14745. type: string
  14746. required:
  14747. - kind
  14748. - name
  14749. type: object
  14750. secret:
  14751. description: Select a Secret to Push.
  14752. properties:
  14753. name:
  14754. description: |-
  14755. Name of the Secret.
  14756. The Secret must exist in the same namespace as the PushSecret manifest.
  14757. maxLength: 253
  14758. minLength: 1
  14759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14760. type: string
  14761. selector:
  14762. description: Selector chooses secrets using a labelSelector.
  14763. properties:
  14764. matchExpressions:
  14765. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14766. items:
  14767. description: |-
  14768. A label selector requirement is a selector that contains values, a key, and an operator that
  14769. relates the key and values.
  14770. properties:
  14771. key:
  14772. description: key is the label key that the selector applies to.
  14773. type: string
  14774. operator:
  14775. description: |-
  14776. operator represents a key's relationship to a set of values.
  14777. Valid operators are In, NotIn, Exists and DoesNotExist.
  14778. type: string
  14779. values:
  14780. description: |-
  14781. values is an array of string values. If the operator is In or NotIn,
  14782. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14783. the values array must be empty. This array is replaced during a strategic
  14784. merge patch.
  14785. items:
  14786. type: string
  14787. type: array
  14788. x-kubernetes-list-type: atomic
  14789. required:
  14790. - key
  14791. - operator
  14792. type: object
  14793. type: array
  14794. x-kubernetes-list-type: atomic
  14795. matchLabels:
  14796. additionalProperties:
  14797. type: string
  14798. description: |-
  14799. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14800. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14801. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14802. type: object
  14803. type: object
  14804. x-kubernetes-map-type: atomic
  14805. type: object
  14806. type: object
  14807. template:
  14808. description: Template defines a blueprint for the created Secret resource.
  14809. properties:
  14810. data:
  14811. additionalProperties:
  14812. type: string
  14813. type: object
  14814. engineVersion:
  14815. default: v2
  14816. description: |-
  14817. EngineVersion specifies the template engine version
  14818. that should be used to compile/execute the
  14819. template specified in .data and .templateFrom[].
  14820. enum:
  14821. - v2
  14822. type: string
  14823. mergePolicy:
  14824. default: Replace
  14825. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14826. enum:
  14827. - Replace
  14828. - Merge
  14829. type: string
  14830. metadata:
  14831. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14832. properties:
  14833. annotations:
  14834. additionalProperties:
  14835. type: string
  14836. type: object
  14837. finalizers:
  14838. items:
  14839. type: string
  14840. type: array
  14841. labels:
  14842. additionalProperties:
  14843. type: string
  14844. type: object
  14845. type: object
  14846. templateFrom:
  14847. items:
  14848. description: |-
  14849. TemplateFrom specifies a source for templates.
  14850. Each item in the list can either reference a ConfigMap or a Secret resource.
  14851. properties:
  14852. configMap:
  14853. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14854. properties:
  14855. items:
  14856. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14857. items:
  14858. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14859. properties:
  14860. key:
  14861. description: A key in the ConfigMap/Secret
  14862. maxLength: 253
  14863. minLength: 1
  14864. pattern: ^[-._a-zA-Z0-9]+$
  14865. type: string
  14866. templateAs:
  14867. default: Values
  14868. description: TemplateScope specifies how the template keys should be interpreted.
  14869. enum:
  14870. - Values
  14871. - KeysAndValues
  14872. type: string
  14873. required:
  14874. - key
  14875. type: object
  14876. type: array
  14877. name:
  14878. description: The name of the ConfigMap/Secret resource
  14879. maxLength: 253
  14880. minLength: 1
  14881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14882. type: string
  14883. required:
  14884. - items
  14885. - name
  14886. type: object
  14887. literal:
  14888. type: string
  14889. secret:
  14890. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14891. properties:
  14892. items:
  14893. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14894. items:
  14895. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14896. properties:
  14897. key:
  14898. description: A key in the ConfigMap/Secret
  14899. maxLength: 253
  14900. minLength: 1
  14901. pattern: ^[-._a-zA-Z0-9]+$
  14902. type: string
  14903. templateAs:
  14904. default: Values
  14905. description: TemplateScope specifies how the template keys should be interpreted.
  14906. enum:
  14907. - Values
  14908. - KeysAndValues
  14909. type: string
  14910. required:
  14911. - key
  14912. type: object
  14913. type: array
  14914. name:
  14915. description: The name of the ConfigMap/Secret resource
  14916. maxLength: 253
  14917. minLength: 1
  14918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14919. type: string
  14920. required:
  14921. - items
  14922. - name
  14923. type: object
  14924. target:
  14925. default: Data
  14926. description: |-
  14927. Target specifies where to place the template result.
  14928. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14929. For custom resources (when spec.target.manifest is set), this supports
  14930. nested paths like "spec.database.config" or "data".
  14931. type: string
  14932. valuesDecodingStrategy:
  14933. default: None
  14934. description: Used to define a decoding Strategy for the rendered template values.
  14935. enum:
  14936. - Auto
  14937. - Base64
  14938. - Base64URL
  14939. - None
  14940. type: string
  14941. type: object
  14942. type: array
  14943. type:
  14944. type: string
  14945. type: object
  14946. updatePolicy:
  14947. default: Replace
  14948. description: Update policy for secrets that already exist in the provider. Replace overwrites the existing provider secret; IfNotExists leaves an existing provider secret unchanged.
  14949. enum:
  14950. - Replace
  14951. - IfNotExists
  14952. type: string
  14953. required:
  14954. - secretStoreRefs
  14955. - selector
  14956. type: object
  14957. status:
  14958. description: PushSecretStatus holds the observed status of the PushSecret.
  14959. properties:
  14960. conditions:
  14961. items:
  14962. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14963. properties:
  14964. lastTransitionTime:
  14965. format: date-time
  14966. type: string
  14967. message:
  14968. type: string
  14969. reason:
  14970. type: string
  14971. status:
  14972. type: string
  14973. type:
  14974. description: PushSecretConditionType indicates the condition of the PushSecret.
  14975. type: string
  14976. required:
  14977. - status
  14978. - type
  14979. type: object
  14980. type: array
  14981. refreshTime:
  14982. description: |-
  14983. refreshTime is the time and date the PushSecret was last synced, i.e. the source
  14984. data was last pushed to the provider (shown in the Last Sync column)
  14985. format: date-time
  14986. nullable: true
  14987. type: string
  14988. syncedPushSecrets:
  14989. additionalProperties:
  14990. additionalProperties:
  14991. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14992. properties:
  14993. conversionStrategy:
  14994. default: None
  14995. description: Used to define a conversion Strategy for the secret keys
  14996. enum:
  14997. - None
  14998. - ReverseUnicode
  14999. type: string
  15000. match:
  15001. description: Match a given Secret Key to be pushed to the provider.
  15002. properties:
  15003. remoteRef:
  15004. description: Remote Refs to push to providers.
  15005. properties:
  15006. property:
  15007. description: Name of the property in the resulting secret
  15008. type: string
  15009. remoteKey:
  15010. description: Name of the resulting provider secret.
  15011. type: string
  15012. required:
  15013. - remoteKey
  15014. type: object
  15015. secretKey:
  15016. description: Secret Key to be pushed
  15017. type: string
  15018. required:
  15019. - remoteRef
  15020. type: object
  15021. metadata:
  15022. description: |-
  15023. Metadata is metadata attached to the secret.
  15024. The structure of metadata is provider specific, please look it up in the provider documentation.
  15025. x-kubernetes-preserve-unknown-fields: true
  15026. required:
  15027. - match
  15028. type: object
  15029. type: object
  15030. description: |-
  15031. Synced PushSecrets, including secrets that already exist in the provider.
  15032. Maps each secret store to the PushSecretData that was stored in that secret store.
  15033. type: object
  15034. syncedResourceVersion:
  15035. description: SyncedResourceVersion keeps track of the last synced version.
  15036. type: string
  15037. type: object
  15038. type: object
  15039. served: true
  15040. storage: true
  15041. subresources:
  15042. status: {}
  15043. ---
  15044. apiVersion: apiextensions.k8s.io/v1
  15045. kind: CustomResourceDefinition
  15046. metadata:
  15047. annotations:
  15048. controller-gen.kubebuilder.io/version: v0.19.0
  15049. labels:
  15050. external-secrets.io/component: controller
  15051. name: secretstores.external-secrets.io
  15052. spec:
  15053. group: external-secrets.io
  15054. names:
  15055. categories:
  15056. - external-secrets
  15057. kind: SecretStore
  15058. listKind: SecretStoreList
  15059. plural: secretstores
  15060. shortNames:
  15061. - ss
  15062. singular: secretstore
  15063. scope: Namespaced
  15064. versions:
  15065. - additionalPrinterColumns:
  15066. - jsonPath: .metadata.creationTimestamp
  15067. name: AGE
  15068. type: date
  15069. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  15070. name: Status
  15071. type: string
  15072. - jsonPath: .status.capabilities
  15073. name: Capabilities
  15074. type: string
  15075. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  15076. name: Ready
  15077. type: string
  15078. name: v1
  15079. schema:
  15080. openAPIV3Schema:
  15081. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  15082. properties:
  15083. apiVersion:
  15084. description: |-
  15085. APIVersion defines the versioned schema of this representation of an object.
  15086. Servers should convert recognized schemas to the latest internal value, and
  15087. may reject unrecognized values.
  15088. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  15089. type: string
  15090. kind:
  15091. description: |-
  15092. Kind is a string value representing the REST resource this object represents.
  15093. Servers may infer this from the endpoint the client submits requests to.
  15094. Cannot be updated.
  15095. In CamelCase.
  15096. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  15097. type: string
  15098. metadata:
  15099. type: object
  15100. spec:
  15101. description: SecretStoreSpec defines the desired state of SecretStore.
  15102. properties:
  15103. conditions:
  15104. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  15105. items:
  15106. description: |-
  15107. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  15108. for a ClusterSecretStore instance.
  15109. properties:
  15110. namespaceRegexes:
  15111. description: Choose namespaces by regular-expression matching. Anchor patterns (e.g. ^team-a$) so that the store is not exposed to namespaces whose names merely contain the pattern.
  15112. items:
  15113. type: string
  15114. type: array
  15115. namespaceSelector:
  15116. description: Choose namespace using a labelSelector
  15117. properties:
  15118. matchExpressions:
  15119. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  15120. items:
  15121. description: |-
  15122. A label selector requirement is a selector that contains values, a key, and an operator that
  15123. relates the key and values.
  15124. properties:
  15125. key:
  15126. description: key is the label key that the selector applies to.
  15127. type: string
  15128. operator:
  15129. description: |-
  15130. operator represents a key's relationship to a set of values.
  15131. Valid operators are In, NotIn, Exists and DoesNotExist.
  15132. type: string
  15133. values:
  15134. description: |-
  15135. values is an array of string values. If the operator is In or NotIn,
  15136. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  15137. the values array must be empty. This array is replaced during a strategic
  15138. merge patch.
  15139. items:
  15140. type: string
  15141. type: array
  15142. x-kubernetes-list-type: atomic
  15143. required:
  15144. - key
  15145. - operator
  15146. type: object
  15147. type: array
  15148. x-kubernetes-list-type: atomic
  15149. matchLabels:
  15150. additionalProperties:
  15151. type: string
  15152. description: |-
  15153. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  15154. map is equivalent to an element of matchExpressions, whose key field is "key", the
  15155. operator is "In", and the values array contains only "value". The requirements are ANDed.
  15156. type: object
  15157. type: object
  15158. x-kubernetes-map-type: atomic
  15159. namespaces:
  15160. description: Choose namespaces by name
  15161. items:
  15162. maxLength: 63
  15163. minLength: 1
  15164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15165. type: string
  15166. type: array
  15167. type: object
  15168. type: array
  15169. controller:
  15170. description: |-
  15171. Used to select the correct ESO controller (think: ingress.ingressClassName).
  15172. The ESO controller is instantiated with a specific controller name and filters ExternalSecrets based on this property.
  15173. type: string
  15174. provider:
  15175. description: Used to configure the provider. Only one provider may be set
  15176. maxProperties: 1
  15177. minProperties: 1
  15178. properties:
  15179. akeyless:
  15180. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  15181. properties:
  15182. akeylessGWApiURL:
  15183. description: Akeyless Gateway API URL from which the secrets are fetched.
  15184. type: string
  15185. authSecretRef:
  15186. description: Auth configures how the operator authenticates with Akeyless.
  15187. properties:
  15188. kubernetesAuth:
  15189. description: |-
  15190. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  15191. token stored in the named Secret resource.
  15192. properties:
  15193. accessID:
  15194. description: the Akeyless Kubernetes auth-method access-id
  15195. type: string
  15196. k8sConfName:
  15197. description: Kubernetes-auth configuration name in Akeyless-Gateway
  15198. type: string
  15199. secretRef:
  15200. description: |-
  15201. Optional secret field containing a Kubernetes ServiceAccount JWT used
  15202. for authenticating with Akeyless. If a name is specified without a key,
  15203. `token` is the default. If one is not specified, the one bound to
  15204. the controller will be used.
  15205. properties:
  15206. key:
  15207. description: |-
  15208. A key in the referenced Secret.
  15209. Some instances of this field may be defaulted, in others it may be required.
  15210. maxLength: 253
  15211. minLength: 1
  15212. pattern: ^[-._a-zA-Z0-9]+$
  15213. type: string
  15214. name:
  15215. description: The name of the Secret resource being referred to.
  15216. maxLength: 253
  15217. minLength: 1
  15218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15219. type: string
  15220. namespace:
  15221. description: |-
  15222. The namespace of the Secret resource being referred to.
  15223. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15224. maxLength: 63
  15225. minLength: 1
  15226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15227. type: string
  15228. type: object
  15229. serviceAccountRef:
  15230. description: |-
  15231. Optional service account field containing the name of a kubernetes ServiceAccount.
  15232. If the service account is specified, the service account secret token JWT will be used
  15233. for authenticating with Akeyless. If the service account selector is not supplied,
  15234. the secretRef will be used instead.
  15235. properties:
  15236. audiences:
  15237. description: |-
  15238. Audience specifies the `aud` claim for the service account token
  15239. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15240. then these audiences will be appended to the list
  15241. items:
  15242. type: string
  15243. type: array
  15244. name:
  15245. description: The name of the ServiceAccount resource being referred to.
  15246. maxLength: 253
  15247. minLength: 1
  15248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15249. type: string
  15250. namespace:
  15251. description: |-
  15252. Namespace of the resource being referred to.
  15253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15254. maxLength: 63
  15255. minLength: 1
  15256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15257. type: string
  15258. required:
  15259. - name
  15260. type: object
  15261. required:
  15262. - accessID
  15263. - k8sConfName
  15264. type: object
  15265. secretRef:
  15266. description: |-
  15267. Reference to a Secret that contains the details
  15268. to authenticate with Akeyless.
  15269. properties:
  15270. accessID:
  15271. description: The SecretAccessID is used for authentication
  15272. properties:
  15273. key:
  15274. description: |-
  15275. A key in the referenced Secret.
  15276. Some instances of this field may be defaulted, in others it may be required.
  15277. maxLength: 253
  15278. minLength: 1
  15279. pattern: ^[-._a-zA-Z0-9]+$
  15280. type: string
  15281. name:
  15282. description: The name of the Secret resource being referred to.
  15283. maxLength: 253
  15284. minLength: 1
  15285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15286. type: string
  15287. namespace:
  15288. description: |-
  15289. The namespace of the Secret resource being referred to.
  15290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15291. maxLength: 63
  15292. minLength: 1
  15293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15294. type: string
  15295. type: object
  15296. accessType:
  15297. description: |-
  15298. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15299. In some instances, `key` is a required field.
  15300. properties:
  15301. key:
  15302. description: |-
  15303. A key in the referenced Secret.
  15304. Some instances of this field may be defaulted, in others it may be required.
  15305. maxLength: 253
  15306. minLength: 1
  15307. pattern: ^[-._a-zA-Z0-9]+$
  15308. type: string
  15309. name:
  15310. description: The name of the Secret resource being referred to.
  15311. maxLength: 253
  15312. minLength: 1
  15313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15314. type: string
  15315. namespace:
  15316. description: |-
  15317. The namespace of the Secret resource being referred to.
  15318. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15319. maxLength: 63
  15320. minLength: 1
  15321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15322. type: string
  15323. type: object
  15324. accessTypeParam:
  15325. description: |-
  15326. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15327. In some instances, `key` is a required field.
  15328. properties:
  15329. key:
  15330. description: |-
  15331. A key in the referenced Secret.
  15332. Some instances of this field may be defaulted, in others it may be required.
  15333. maxLength: 253
  15334. minLength: 1
  15335. pattern: ^[-._a-zA-Z0-9]+$
  15336. type: string
  15337. name:
  15338. description: The name of the Secret resource being referred to.
  15339. maxLength: 253
  15340. minLength: 1
  15341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15342. type: string
  15343. namespace:
  15344. description: |-
  15345. The namespace of the Secret resource being referred to.
  15346. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15347. maxLength: 63
  15348. minLength: 1
  15349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15350. type: string
  15351. type: object
  15352. type: object
  15353. type: object
  15354. caBundle:
  15355. description: |-
  15356. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  15357. if the AkeylessGWApiURL URL uses the HTTPS protocol. If not set, the system root certificates
  15358. are used to validate the TLS connection.
  15359. format: byte
  15360. type: string
  15361. caProvider:
  15362. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15363. properties:
  15364. key:
  15365. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15366. maxLength: 253
  15367. minLength: 1
  15368. pattern: ^[-._a-zA-Z0-9]+$
  15369. type: string
  15370. name:
  15371. description: The name of the object located at the provider type.
  15372. maxLength: 253
  15373. minLength: 1
  15374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15375. type: string
  15376. namespace:
  15377. description: |-
  15378. The namespace the Provider type is in.
  15379. Can only be defined when used in a ClusterSecretStore.
  15380. maxLength: 63
  15381. minLength: 1
  15382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15383. type: string
  15384. type:
  15385. description: The type of provider to use such as "Secret", or "ConfigMap".
  15386. enum:
  15387. - Secret
  15388. - ConfigMap
  15389. type: string
  15390. required:
  15391. - name
  15392. - type
  15393. type: object
  15394. required:
  15395. - akeylessGWApiURL
  15396. - authSecretRef
  15397. type: object
  15398. aws:
  15399. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15400. properties:
  15401. additionalRoles:
  15402. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15403. items:
  15404. type: string
  15405. type: array
  15406. auth:
  15407. description: |-
  15408. Auth defines the information necessary to authenticate against AWS
  15409. if not set, the AWS SDK will infer credentials from your environment
  15410. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15411. properties:
  15412. jwt:
  15413. description: AWSJWTAuth stores a reference used to authenticate against AWS using service account tokens.
  15414. properties:
  15415. serviceAccountRef:
  15416. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15417. properties:
  15418. audiences:
  15419. description: |-
  15420. Audience specifies the `aud` claim for the service account token
  15421. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15422. then these audiences will be appended to the list
  15423. items:
  15424. type: string
  15425. type: array
  15426. name:
  15427. description: The name of the ServiceAccount resource being referred to.
  15428. maxLength: 253
  15429. minLength: 1
  15430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15431. type: string
  15432. namespace:
  15433. description: |-
  15434. Namespace of the resource being referred to.
  15435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15436. maxLength: 63
  15437. minLength: 1
  15438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15439. type: string
  15440. required:
  15441. - name
  15442. type: object
  15443. type: object
  15444. secretRef:
  15445. description: |-
  15446. AWSAuthSecretRef holds secret references for AWS credentials
  15447. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15448. properties:
  15449. accessKeyIDSecretRef:
  15450. description: The AccessKeyID is used for authentication
  15451. properties:
  15452. key:
  15453. description: |-
  15454. A key in the referenced Secret.
  15455. Some instances of this field may be defaulted, in others it may be required.
  15456. maxLength: 253
  15457. minLength: 1
  15458. pattern: ^[-._a-zA-Z0-9]+$
  15459. type: string
  15460. name:
  15461. description: The name of the Secret resource being referred to.
  15462. maxLength: 253
  15463. minLength: 1
  15464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15465. type: string
  15466. namespace:
  15467. description: |-
  15468. The namespace of the Secret resource being referred to.
  15469. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15470. maxLength: 63
  15471. minLength: 1
  15472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15473. type: string
  15474. type: object
  15475. secretAccessKeySecretRef:
  15476. description: The SecretAccessKey is used for authentication
  15477. properties:
  15478. key:
  15479. description: |-
  15480. A key in the referenced Secret.
  15481. Some instances of this field may be defaulted, in others it may be required.
  15482. maxLength: 253
  15483. minLength: 1
  15484. pattern: ^[-._a-zA-Z0-9]+$
  15485. type: string
  15486. name:
  15487. description: The name of the Secret resource being referred to.
  15488. maxLength: 253
  15489. minLength: 1
  15490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15491. type: string
  15492. namespace:
  15493. description: |-
  15494. The namespace of the Secret resource being referred to.
  15495. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15496. maxLength: 63
  15497. minLength: 1
  15498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15499. type: string
  15500. type: object
  15501. sessionTokenSecretRef:
  15502. description: |-
  15503. The SessionToken used for authentication
  15504. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15505. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15506. properties:
  15507. key:
  15508. description: |-
  15509. A key in the referenced Secret.
  15510. Some instances of this field may be defaulted, in others it may be required.
  15511. maxLength: 253
  15512. minLength: 1
  15513. pattern: ^[-._a-zA-Z0-9]+$
  15514. type: string
  15515. name:
  15516. description: The name of the Secret resource being referred to.
  15517. maxLength: 253
  15518. minLength: 1
  15519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15520. type: string
  15521. namespace:
  15522. description: |-
  15523. The namespace of the Secret resource being referred to.
  15524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15525. maxLength: 63
  15526. minLength: 1
  15527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15528. type: string
  15529. type: object
  15530. type: object
  15531. type: object
  15532. customSessionTags:
  15533. additionalProperties:
  15534. type: string
  15535. description: |-
  15536. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15537. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15538. type: object
  15539. x-kubernetes-validations:
  15540. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15541. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15542. externalID:
  15543. description: AWS External ID set on assumed IAM roles
  15544. type: string
  15545. prefix:
  15546. description: Prefix adds a prefix to all retrieved values.
  15547. type: string
  15548. region:
  15549. description: AWS Region to be used for the provider
  15550. type: string
  15551. role:
  15552. description: Role is a Role ARN which the provider will assume
  15553. type: string
  15554. secretsManager:
  15555. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15556. properties:
  15557. forceDeleteWithoutRecovery:
  15558. description: |-
  15559. Specifies whether to delete the secret without any recovery window. You
  15560. can't use both this parameter and RecoveryWindowInDays in the same call.
  15561. If you don't use either, then by default Secrets Manager uses a 30 day
  15562. recovery window.
  15563. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15564. type: boolean
  15565. recoveryWindowInDays:
  15566. description: |-
  15567. The number of days from 7 to 30 that Secrets Manager waits before
  15568. permanently deleting the secret. You can't use both this parameter and
  15569. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15570. then by default Secrets Manager uses a 30-day recovery window.
  15571. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15572. format: int64
  15573. type: integer
  15574. type: object
  15575. service:
  15576. description: Service defines which service should be used to fetch the secrets
  15577. enum:
  15578. - SecretsManager
  15579. - ParameterStore
  15580. type: string
  15581. sessionTags:
  15582. description: AWS STS assume role session tags
  15583. items:
  15584. description: |-
  15585. Tag is a key-value pair that can be attached to an AWS resource.
  15586. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15587. properties:
  15588. key:
  15589. type: string
  15590. value:
  15591. type: string
  15592. required:
  15593. - key
  15594. - value
  15595. type: object
  15596. type: array
  15597. sessionTagsPolicy:
  15598. default: None
  15599. description: |-
  15600. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15601. None (default): no tags are added.
  15602. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15603. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15604. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15605. enum:
  15606. - None
  15607. - Simple
  15608. - Custom
  15609. type: string
  15610. transitiveTagKeys:
  15611. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15612. items:
  15613. type: string
  15614. type: array
  15615. required:
  15616. - region
  15617. - service
  15618. type: object
  15619. azurekv:
  15620. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15621. properties:
  15622. authSecretRef:
  15623. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15624. properties:
  15625. clientCertificate:
  15626. description: The Azure ClientCertificate of the service principal used for authentication.
  15627. properties:
  15628. key:
  15629. description: |-
  15630. A key in the referenced Secret.
  15631. Some instances of this field may be defaulted, in others it may be required.
  15632. maxLength: 253
  15633. minLength: 1
  15634. pattern: ^[-._a-zA-Z0-9]+$
  15635. type: string
  15636. name:
  15637. description: The name of the Secret resource being referred to.
  15638. maxLength: 253
  15639. minLength: 1
  15640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15641. type: string
  15642. namespace:
  15643. description: |-
  15644. The namespace of the Secret resource being referred to.
  15645. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15646. maxLength: 63
  15647. minLength: 1
  15648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15649. type: string
  15650. type: object
  15651. clientId:
  15652. description: The Azure clientId of the service principal or managed identity used for authentication.
  15653. properties:
  15654. key:
  15655. description: |-
  15656. A key in the referenced Secret.
  15657. Some instances of this field may be defaulted, in others it may be required.
  15658. maxLength: 253
  15659. minLength: 1
  15660. pattern: ^[-._a-zA-Z0-9]+$
  15661. type: string
  15662. name:
  15663. description: The name of the Secret resource being referred to.
  15664. maxLength: 253
  15665. minLength: 1
  15666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15667. type: string
  15668. namespace:
  15669. description: |-
  15670. The namespace of the Secret resource being referred to.
  15671. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15672. maxLength: 63
  15673. minLength: 1
  15674. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15675. type: string
  15676. type: object
  15677. clientSecret:
  15678. description: The Azure ClientSecret of the service principal used for authentication.
  15679. properties:
  15680. key:
  15681. description: |-
  15682. A key in the referenced Secret.
  15683. Some instances of this field may be defaulted, in others it may be required.
  15684. maxLength: 253
  15685. minLength: 1
  15686. pattern: ^[-._a-zA-Z0-9]+$
  15687. type: string
  15688. name:
  15689. description: The name of the Secret resource being referred to.
  15690. maxLength: 253
  15691. minLength: 1
  15692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15693. type: string
  15694. namespace:
  15695. description: |-
  15696. The namespace of the Secret resource being referred to.
  15697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15698. maxLength: 63
  15699. minLength: 1
  15700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15701. type: string
  15702. type: object
  15703. tenantId:
  15704. description: The Azure tenantId of the managed identity used for authentication.
  15705. properties:
  15706. key:
  15707. description: |-
  15708. A key in the referenced Secret.
  15709. Some instances of this field may be defaulted, in others it may be required.
  15710. maxLength: 253
  15711. minLength: 1
  15712. pattern: ^[-._a-zA-Z0-9]+$
  15713. type: string
  15714. name:
  15715. description: The name of the Secret resource being referred to.
  15716. maxLength: 253
  15717. minLength: 1
  15718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15719. type: string
  15720. namespace:
  15721. description: |-
  15722. The namespace of the Secret resource being referred to.
  15723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15724. maxLength: 63
  15725. minLength: 1
  15726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15727. type: string
  15728. type: object
  15729. type: object
  15730. authType:
  15731. default: ServicePrincipal
  15732. description: |-
  15733. Auth type defines how to authenticate to the keyvault service.
  15734. Valid values are:
  15735. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15736. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15737. enum:
  15738. - ServicePrincipal
  15739. - ManagedIdentity
  15740. - WorkloadIdentity
  15741. type: string
  15742. customCloudConfig:
  15743. description: |-
  15744. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15745. Required when EnvironmentType is AzureStackCloud.
  15746. Optional for other environment types - useful for Azure China when using Workload Identity
  15747. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15748. standard China Cloud endpoint (login.chinacloudapi.cn).
  15749. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15750. configuration is not supported with the legacy go-autorest SDK.
  15751. properties:
  15752. activeDirectoryEndpoint:
  15753. description: |-
  15754. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15755. Required when using custom cloud configuration
  15756. type: string
  15757. keyVaultDNSSuffix:
  15758. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15759. type: string
  15760. keyVaultEndpoint:
  15761. description: KeyVaultEndpoint is the Key Vault service endpoint
  15762. type: string
  15763. resourceManagerEndpoint:
  15764. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15765. type: string
  15766. required:
  15767. - activeDirectoryEndpoint
  15768. type: object
  15769. environmentType:
  15770. default: PublicCloud
  15771. description: |-
  15772. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15773. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15774. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15775. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15776. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15777. enum:
  15778. - PublicCloud
  15779. - USGovernmentCloud
  15780. - ChinaCloud
  15781. - GermanCloud
  15782. - AzureStackCloud
  15783. type: string
  15784. identityId:
  15785. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  15786. type: string
  15787. serviceAccountRef:
  15788. description: |-
  15789. ServiceAccountRef specifies the service account
  15790. that should be used when authenticating with WorkloadIdentity.
  15791. properties:
  15792. audiences:
  15793. description: |-
  15794. Audience specifies the `aud` claim for the service account token
  15795. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15796. then these audiences will be appended to the list
  15797. items:
  15798. type: string
  15799. type: array
  15800. name:
  15801. description: The name of the ServiceAccount resource being referred to.
  15802. maxLength: 253
  15803. minLength: 1
  15804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15805. type: string
  15806. namespace:
  15807. description: |-
  15808. Namespace of the resource being referred to.
  15809. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15810. maxLength: 63
  15811. minLength: 1
  15812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15813. type: string
  15814. required:
  15815. - name
  15816. type: object
  15817. tenantId:
  15818. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15819. type: string
  15820. useAzureSDK:
  15821. default: false
  15822. description: |-
  15823. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15824. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15825. type: boolean
  15826. vaultUrl:
  15827. description: Vault URL from which the secrets are to be fetched.
  15828. type: string
  15829. required:
  15830. - vaultUrl
  15831. type: object
  15832. barbican:
  15833. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15834. properties:
  15835. auth:
  15836. description: BarbicanAuth contains the authentication information for Barbican.
  15837. properties:
  15838. password:
  15839. description: BarbicanProviderPasswordRef defines a reference to a secret containing the password for the Barbican provider.
  15840. properties:
  15841. secretRef:
  15842. description: |-
  15843. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15844. In some instances, `key` is a required field.
  15845. properties:
  15846. key:
  15847. description: |-
  15848. A key in the referenced Secret.
  15849. Some instances of this field may be defaulted, in others it may be required.
  15850. maxLength: 253
  15851. minLength: 1
  15852. pattern: ^[-._a-zA-Z0-9]+$
  15853. type: string
  15854. name:
  15855. description: The name of the Secret resource being referred to.
  15856. maxLength: 253
  15857. minLength: 1
  15858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15859. type: string
  15860. namespace:
  15861. description: |-
  15862. The namespace of the Secret resource being referred to.
  15863. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15864. maxLength: 63
  15865. minLength: 1
  15866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15867. type: string
  15868. type: object
  15869. required:
  15870. - secretRef
  15871. type: object
  15872. username:
  15873. description: BarbicanProviderUsernameRef defines a reference to a secret containing the username for the Barbican provider.
  15874. maxProperties: 1
  15875. minProperties: 1
  15876. properties:
  15877. secretRef:
  15878. description: |-
  15879. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15880. In some instances, `key` is a required field.
  15881. properties:
  15882. key:
  15883. description: |-
  15884. A key in the referenced Secret.
  15885. Some instances of this field may be defaulted, in others it may be required.
  15886. maxLength: 253
  15887. minLength: 1
  15888. pattern: ^[-._a-zA-Z0-9]+$
  15889. type: string
  15890. name:
  15891. description: The name of the Secret resource being referred to.
  15892. maxLength: 253
  15893. minLength: 1
  15894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15895. type: string
  15896. namespace:
  15897. description: |-
  15898. The namespace of the Secret resource being referred to.
  15899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15900. maxLength: 63
  15901. minLength: 1
  15902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15903. type: string
  15904. type: object
  15905. value:
  15906. type: string
  15907. type: object
  15908. required:
  15909. - password
  15910. - username
  15911. type: object
  15912. authURL:
  15913. type: string
  15914. domainName:
  15915. type: string
  15916. region:
  15917. type: string
  15918. tenantName:
  15919. type: string
  15920. required:
  15921. - auth
  15922. type: object
  15923. beyondtrust:
  15924. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15925. properties:
  15926. auth:
  15927. description: Auth configures how the operator authenticates with Beyondtrust.
  15928. properties:
  15929. apiKey:
  15930. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  15931. properties:
  15932. secretRef:
  15933. description: SecretRef references a key in a secret that will be used as value.
  15934. properties:
  15935. key:
  15936. description: |-
  15937. A key in the referenced Secret.
  15938. Some instances of this field may be defaulted, in others it may be required.
  15939. maxLength: 253
  15940. minLength: 1
  15941. pattern: ^[-._a-zA-Z0-9]+$
  15942. type: string
  15943. name:
  15944. description: The name of the Secret resource being referred to.
  15945. maxLength: 253
  15946. minLength: 1
  15947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15948. type: string
  15949. namespace:
  15950. description: |-
  15951. The namespace of the Secret resource being referred to.
  15952. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15953. maxLength: 63
  15954. minLength: 1
  15955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15956. type: string
  15957. type: object
  15958. value:
  15959. description: Value can be specified directly to set a value without using a secret.
  15960. type: string
  15961. type: object
  15962. certificate:
  15963. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15964. properties:
  15965. secretRef:
  15966. description: SecretRef references a key in a secret that will be used as value.
  15967. properties:
  15968. key:
  15969. description: |-
  15970. A key in the referenced Secret.
  15971. Some instances of this field may be defaulted, in others it may be required.
  15972. maxLength: 253
  15973. minLength: 1
  15974. pattern: ^[-._a-zA-Z0-9]+$
  15975. type: string
  15976. name:
  15977. description: The name of the Secret resource being referred to.
  15978. maxLength: 253
  15979. minLength: 1
  15980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15981. type: string
  15982. namespace:
  15983. description: |-
  15984. The namespace of the Secret resource being referred to.
  15985. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15986. maxLength: 63
  15987. minLength: 1
  15988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15989. type: string
  15990. type: object
  15991. value:
  15992. description: Value can be specified directly to set a value without using a secret.
  15993. type: string
  15994. type: object
  15995. certificateKey:
  15996. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  15997. properties:
  15998. secretRef:
  15999. description: SecretRef references a key in a secret that will be used as value.
  16000. properties:
  16001. key:
  16002. description: |-
  16003. A key in the referenced Secret.
  16004. Some instances of this field may be defaulted, in others it may be required.
  16005. maxLength: 253
  16006. minLength: 1
  16007. pattern: ^[-._a-zA-Z0-9]+$
  16008. type: string
  16009. name:
  16010. description: The name of the Secret resource being referred to.
  16011. maxLength: 253
  16012. minLength: 1
  16013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16014. type: string
  16015. namespace:
  16016. description: |-
  16017. The namespace of the Secret resource being referred to.
  16018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16019. maxLength: 63
  16020. minLength: 1
  16021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16022. type: string
  16023. type: object
  16024. value:
  16025. description: Value can be specified directly to set a value without using a secret.
  16026. type: string
  16027. type: object
  16028. clientId:
  16029. description: ClientID is the API OAuth Client ID.
  16030. properties:
  16031. secretRef:
  16032. description: SecretRef references a key in a secret that will be used as value.
  16033. properties:
  16034. key:
  16035. description: |-
  16036. A key in the referenced Secret.
  16037. Some instances of this field may be defaulted, in others it may be required.
  16038. maxLength: 253
  16039. minLength: 1
  16040. pattern: ^[-._a-zA-Z0-9]+$
  16041. type: string
  16042. name:
  16043. description: The name of the Secret resource being referred to.
  16044. maxLength: 253
  16045. minLength: 1
  16046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16047. type: string
  16048. namespace:
  16049. description: |-
  16050. The namespace of the Secret resource being referred to.
  16051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16052. maxLength: 63
  16053. minLength: 1
  16054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16055. type: string
  16056. type: object
  16057. value:
  16058. description: Value can be specified directly to set a value without using a secret.
  16059. type: string
  16060. type: object
  16061. clientSecret:
  16062. description: ClientSecret is the API OAuth Client Secret.
  16063. properties:
  16064. secretRef:
  16065. description: SecretRef references a key in a secret that will be used as value.
  16066. properties:
  16067. key:
  16068. description: |-
  16069. A key in the referenced Secret.
  16070. Some instances of this field may be defaulted, in others it may be required.
  16071. maxLength: 253
  16072. minLength: 1
  16073. pattern: ^[-._a-zA-Z0-9]+$
  16074. type: string
  16075. name:
  16076. description: The name of the Secret resource being referred to.
  16077. maxLength: 253
  16078. minLength: 1
  16079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16080. type: string
  16081. namespace:
  16082. description: |-
  16083. The namespace of the Secret resource being referred to.
  16084. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16085. maxLength: 63
  16086. minLength: 1
  16087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16088. type: string
  16089. type: object
  16090. value:
  16091. description: Value can be specified directly to set a value without using a secret.
  16092. type: string
  16093. type: object
  16094. type: object
  16095. server:
  16096. description: Server configures how the API server works.
  16097. properties:
  16098. apiUrl:
  16099. type: string
  16100. apiVersion:
  16101. type: string
  16102. clientTimeOutSeconds:
  16103. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  16104. type: integer
  16105. decrypt:
  16106. default: true
  16107. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  16108. type: boolean
  16109. retrievalType:
  16110. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  16111. type: string
  16112. separator:
  16113. description: A character that separates the folder names.
  16114. type: string
  16115. verifyCA:
  16116. type: boolean
  16117. required:
  16118. - apiUrl
  16119. - verifyCA
  16120. type: object
  16121. required:
  16122. - auth
  16123. - server
  16124. type: object
  16125. beyondtrustworkloadcredentials:
  16126. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  16127. properties:
  16128. auth:
  16129. description: |-
  16130. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  16131. Currently supports API key authentication via Kubernetes secret reference.
  16132. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16133. properties:
  16134. apikey:
  16135. description: |-
  16136. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  16137. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  16138. properties:
  16139. token:
  16140. description: |-
  16141. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  16142. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  16143. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  16144. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16145. properties:
  16146. key:
  16147. description: |-
  16148. A key in the referenced Secret.
  16149. Some instances of this field may be defaulted, in others it may be required.
  16150. maxLength: 253
  16151. minLength: 1
  16152. pattern: ^[-._a-zA-Z0-9]+$
  16153. type: string
  16154. name:
  16155. description: The name of the Secret resource being referred to.
  16156. maxLength: 253
  16157. minLength: 1
  16158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16159. type: string
  16160. namespace:
  16161. description: |-
  16162. The namespace of the Secret resource being referred to.
  16163. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16164. maxLength: 63
  16165. minLength: 1
  16166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16167. type: string
  16168. type: object
  16169. required:
  16170. - token
  16171. type: object
  16172. required:
  16173. - apikey
  16174. type: object
  16175. caBundle:
  16176. description: |-
  16177. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16178. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  16179. If not set, the system's trusted root certificates are used.
  16180. format: byte
  16181. type: string
  16182. caProvider:
  16183. description: |-
  16184. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  16185. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16186. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  16187. properties:
  16188. key:
  16189. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16190. maxLength: 253
  16191. minLength: 1
  16192. pattern: ^[-._a-zA-Z0-9]+$
  16193. type: string
  16194. name:
  16195. description: The name of the object located at the provider type.
  16196. maxLength: 253
  16197. minLength: 1
  16198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16199. type: string
  16200. namespace:
  16201. description: |-
  16202. The namespace the Provider type is in.
  16203. Can only be defined when used in a ClusterSecretStore.
  16204. maxLength: 63
  16205. minLength: 1
  16206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16207. type: string
  16208. type:
  16209. description: The type of provider to use such as "Secret", or "ConfigMap".
  16210. enum:
  16211. - Secret
  16212. - ConfigMap
  16213. type: string
  16214. required:
  16215. - name
  16216. - type
  16217. type: object
  16218. folderPath:
  16219. description: |-
  16220. FolderPath specifies the default folder path for secret retrieval.
  16221. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  16222. Example: "production/database" or "dev/api-keys"
  16223. Leave empty to retrieve secrets from the root folder.
  16224. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  16225. type: string
  16226. server:
  16227. description: |-
  16228. Server configures the BeyondTrust Workload Credentials server connection details.
  16229. Includes the API URL and Site ID for your BeyondTrust instance.
  16230. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16231. properties:
  16232. apiUrl:
  16233. description: |-
  16234. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  16235. This should be the full URL to your BeyondTrust instance.
  16236. Example: https://api.beyondtrust.io/siie
  16237. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  16238. type: string
  16239. siteId:
  16240. description: |-
  16241. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  16242. This identifier is unique to your BeyondTrust Workload Credentials instance.
  16243. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  16244. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  16245. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16246. type: string
  16247. required:
  16248. - apiUrl
  16249. - siteId
  16250. type: object
  16251. required:
  16252. - auth
  16253. - server
  16254. type: object
  16255. bitwardensecretsmanager:
  16256. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  16257. properties:
  16258. apiURL:
  16259. type: string
  16260. auth:
  16261. description: |-
  16262. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16263. Make sure that the token being used has permissions on the given secret.
  16264. properties:
  16265. secretRef:
  16266. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16267. properties:
  16268. credentials:
  16269. description: AccessToken used for the bitwarden instance.
  16270. properties:
  16271. key:
  16272. description: |-
  16273. A key in the referenced Secret.
  16274. Some instances of this field may be defaulted, in others it may be required.
  16275. maxLength: 253
  16276. minLength: 1
  16277. pattern: ^[-._a-zA-Z0-9]+$
  16278. type: string
  16279. name:
  16280. description: The name of the Secret resource being referred to.
  16281. maxLength: 253
  16282. minLength: 1
  16283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16284. type: string
  16285. namespace:
  16286. description: |-
  16287. The namespace of the Secret resource being referred to.
  16288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16289. maxLength: 63
  16290. minLength: 1
  16291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16292. type: string
  16293. type: object
  16294. required:
  16295. - credentials
  16296. type: object
  16297. required:
  16298. - secretRef
  16299. type: object
  16300. bitwardenServerSDKURL:
  16301. type: string
  16302. caBundle:
  16303. description: |-
  16304. Base64-encoded certificate for the Bitwarden server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  16305. can be performed.
  16306. type: string
  16307. caProvider:
  16308. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16309. properties:
  16310. key:
  16311. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16312. maxLength: 253
  16313. minLength: 1
  16314. pattern: ^[-._a-zA-Z0-9]+$
  16315. type: string
  16316. name:
  16317. description: The name of the object located at the provider type.
  16318. maxLength: 253
  16319. minLength: 1
  16320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16321. type: string
  16322. namespace:
  16323. description: |-
  16324. The namespace the Provider type is in.
  16325. Can only be defined when used in a ClusterSecretStore.
  16326. maxLength: 63
  16327. minLength: 1
  16328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16329. type: string
  16330. type:
  16331. description: The type of provider to use such as "Secret", or "ConfigMap".
  16332. enum:
  16333. - Secret
  16334. - ConfigMap
  16335. type: string
  16336. required:
  16337. - name
  16338. - type
  16339. type: object
  16340. identityURL:
  16341. type: string
  16342. organizationID:
  16343. description: OrganizationID determines which organization this secret store manages.
  16344. type: string
  16345. projectID:
  16346. description: ProjectID determines which project this secret store manages.
  16347. type: string
  16348. required:
  16349. - auth
  16350. - organizationID
  16351. - projectID
  16352. type: object
  16353. chef:
  16354. description: Chef configures this store to sync secrets with a Chef server.
  16355. properties:
  16356. auth:
  16357. description: Auth defines the information necessary to authenticate against the Chef server.
  16358. properties:
  16359. secretRef:
  16360. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16361. properties:
  16362. privateKeySecretRef:
  16363. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16364. properties:
  16365. key:
  16366. description: |-
  16367. A key in the referenced Secret.
  16368. Some instances of this field may be defaulted, in others it may be required.
  16369. maxLength: 253
  16370. minLength: 1
  16371. pattern: ^[-._a-zA-Z0-9]+$
  16372. type: string
  16373. name:
  16374. description: The name of the Secret resource being referred to.
  16375. maxLength: 253
  16376. minLength: 1
  16377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16378. type: string
  16379. namespace:
  16380. description: |-
  16381. The namespace of the Secret resource being referred to.
  16382. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16383. maxLength: 63
  16384. minLength: 1
  16385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16386. type: string
  16387. type: object
  16388. required:
  16389. - privateKeySecretRef
  16390. type: object
  16391. required:
  16392. - secretRef
  16393. type: object
  16394. serverUrl:
  16395. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  16396. type: string
  16397. username:
  16398. description: UserName should be the user ID on the chef server
  16399. type: string
  16400. required:
  16401. - auth
  16402. - serverUrl
  16403. - username
  16404. type: object
  16405. cloudrusm:
  16406. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16407. properties:
  16408. auth:
  16409. description: CSMAuth contains a secretRef for credentials.
  16410. properties:
  16411. secretRef:
  16412. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16413. properties:
  16414. accessKeyIDSecretRef:
  16415. description: The AccessKeyID is used for authentication
  16416. properties:
  16417. key:
  16418. description: |-
  16419. A key in the referenced Secret.
  16420. Some instances of this field may be defaulted, in others it may be required.
  16421. maxLength: 253
  16422. minLength: 1
  16423. pattern: ^[-._a-zA-Z0-9]+$
  16424. type: string
  16425. name:
  16426. description: The name of the Secret resource being referred to.
  16427. maxLength: 253
  16428. minLength: 1
  16429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16430. type: string
  16431. namespace:
  16432. description: |-
  16433. The namespace of the Secret resource being referred to.
  16434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16435. maxLength: 63
  16436. minLength: 1
  16437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16438. type: string
  16439. type: object
  16440. accessKeySecretSecretRef:
  16441. description: The AccessKeySecret is used for authentication
  16442. properties:
  16443. key:
  16444. description: |-
  16445. A key in the referenced Secret.
  16446. Some instances of this field may be defaulted, in others it may be required.
  16447. maxLength: 253
  16448. minLength: 1
  16449. pattern: ^[-._a-zA-Z0-9]+$
  16450. type: string
  16451. name:
  16452. description: The name of the Secret resource being referred to.
  16453. maxLength: 253
  16454. minLength: 1
  16455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16456. type: string
  16457. namespace:
  16458. description: |-
  16459. The namespace of the Secret resource being referred to.
  16460. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16461. maxLength: 63
  16462. minLength: 1
  16463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16464. type: string
  16465. type: object
  16466. required:
  16467. - accessKeyIDSecretRef
  16468. - accessKeySecretSecretRef
  16469. type: object
  16470. type: object
  16471. projectID:
  16472. description: ProjectID is the project in which the secrets are stored.
  16473. type: string
  16474. required:
  16475. - auth
  16476. type: object
  16477. conjur:
  16478. description: Conjur configures this store to sync secrets using the Conjur provider.
  16479. properties:
  16480. auth:
  16481. description: Defines authentication settings for connecting to Conjur.
  16482. properties:
  16483. apikey:
  16484. description: Authenticates with Conjur using an API key.
  16485. properties:
  16486. account:
  16487. description: Account is the Conjur organization account name.
  16488. type: string
  16489. apiKeyRef:
  16490. description: |-
  16491. A reference to a specific 'key' containing the Conjur API key
  16492. within a Secret resource. In some instances, `key` is a required field.
  16493. properties:
  16494. key:
  16495. description: |-
  16496. A key in the referenced Secret.
  16497. Some instances of this field may be defaulted, in others it may be required.
  16498. maxLength: 253
  16499. minLength: 1
  16500. pattern: ^[-._a-zA-Z0-9]+$
  16501. type: string
  16502. name:
  16503. description: The name of the Secret resource being referred to.
  16504. maxLength: 253
  16505. minLength: 1
  16506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16507. type: string
  16508. namespace:
  16509. description: |-
  16510. The namespace of the Secret resource being referred to.
  16511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16512. maxLength: 63
  16513. minLength: 1
  16514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16515. type: string
  16516. type: object
  16517. userRef:
  16518. description: |-
  16519. A reference to a specific 'key' containing the Conjur username
  16520. within a Secret resource. In some instances, `key` is a required field.
  16521. properties:
  16522. key:
  16523. description: |-
  16524. A key in the referenced Secret.
  16525. Some instances of this field may be defaulted, in others it may be required.
  16526. maxLength: 253
  16527. minLength: 1
  16528. pattern: ^[-._a-zA-Z0-9]+$
  16529. type: string
  16530. name:
  16531. description: The name of the Secret resource being referred to.
  16532. maxLength: 253
  16533. minLength: 1
  16534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16535. type: string
  16536. namespace:
  16537. description: |-
  16538. The namespace of the Secret resource being referred to.
  16539. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16540. maxLength: 63
  16541. minLength: 1
  16542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16543. type: string
  16544. type: object
  16545. required:
  16546. - account
  16547. - apiKeyRef
  16548. - userRef
  16549. type: object
  16550. jwt:
  16551. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16552. properties:
  16553. account:
  16554. description: Account is the Conjur organization account name.
  16555. type: string
  16556. hostId:
  16557. description: |-
  16558. Optional HostID for JWT authentication. This may be used depending
  16559. on how the Conjur JWT authenticator policy is configured.
  16560. type: string
  16561. secretRef:
  16562. description: |-
  16563. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16564. authenticate with Conjur using the JWT authentication method.
  16565. properties:
  16566. key:
  16567. description: |-
  16568. A key in the referenced Secret.
  16569. Some instances of this field may be defaulted, in others it may be required.
  16570. maxLength: 253
  16571. minLength: 1
  16572. pattern: ^[-._a-zA-Z0-9]+$
  16573. type: string
  16574. name:
  16575. description: The name of the Secret resource being referred to.
  16576. maxLength: 253
  16577. minLength: 1
  16578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16579. type: string
  16580. namespace:
  16581. description: |-
  16582. The namespace of the Secret resource being referred to.
  16583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16584. maxLength: 63
  16585. minLength: 1
  16586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16587. type: string
  16588. type: object
  16589. serviceAccountRef:
  16590. description: |-
  16591. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16592. a token with the `TokenRequest` API.
  16593. properties:
  16594. audiences:
  16595. description: |-
  16596. Audiences specifies the `aud` claim for the service account token.
  16597. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16598. then these audiences will be appended to the list.
  16599. items:
  16600. type: string
  16601. type: array
  16602. name:
  16603. description: The name of the ServiceAccount resource being referred to.
  16604. maxLength: 253
  16605. minLength: 1
  16606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16607. type: string
  16608. namespace:
  16609. description: |-
  16610. Namespace of the resource being referred to.
  16611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16612. maxLength: 63
  16613. minLength: 1
  16614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16615. type: string
  16616. required:
  16617. - name
  16618. type: object
  16619. serviceID:
  16620. description: The Conjur authn-jwt webservice ID.
  16621. type: string
  16622. required:
  16623. - account
  16624. - serviceID
  16625. type: object
  16626. type: object
  16627. caBundle:
  16628. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16629. type: string
  16630. caProvider:
  16631. description: |-
  16632. Used to provide custom certificate authority (CA) certificates
  16633. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16634. that contains a PEM-encoded certificate.
  16635. properties:
  16636. key:
  16637. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16638. maxLength: 253
  16639. minLength: 1
  16640. pattern: ^[-._a-zA-Z0-9]+$
  16641. type: string
  16642. name:
  16643. description: The name of the object located at the provider type.
  16644. maxLength: 253
  16645. minLength: 1
  16646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16647. type: string
  16648. namespace:
  16649. description: |-
  16650. The namespace the Provider type is in.
  16651. Can only be defined when used in a ClusterSecretStore.
  16652. maxLength: 63
  16653. minLength: 1
  16654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16655. type: string
  16656. type:
  16657. description: The type of provider to use such as "Secret", or "ConfigMap".
  16658. enum:
  16659. - Secret
  16660. - ConfigMap
  16661. type: string
  16662. required:
  16663. - name
  16664. - type
  16665. type: object
  16666. url:
  16667. description: URL is the endpoint of the Conjur instance.
  16668. type: string
  16669. required:
  16670. - auth
  16671. - url
  16672. type: object
  16673. delinea:
  16674. description: |-
  16675. Delinea DevOps Secrets Vault
  16676. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16677. properties:
  16678. clientId:
  16679. description: ClientID is the non-secret part of the credential.
  16680. properties:
  16681. secretRef:
  16682. description: SecretRef references a key in a secret that will be used as value.
  16683. properties:
  16684. key:
  16685. description: |-
  16686. A key in the referenced Secret.
  16687. Some instances of this field may be defaulted, in others it may be required.
  16688. maxLength: 253
  16689. minLength: 1
  16690. pattern: ^[-._a-zA-Z0-9]+$
  16691. type: string
  16692. name:
  16693. description: The name of the Secret resource being referred to.
  16694. maxLength: 253
  16695. minLength: 1
  16696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16697. type: string
  16698. namespace:
  16699. description: |-
  16700. The namespace of the Secret resource being referred to.
  16701. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16702. maxLength: 63
  16703. minLength: 1
  16704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16705. type: string
  16706. type: object
  16707. value:
  16708. description: Value can be specified directly to set a value without using a secret.
  16709. type: string
  16710. type: object
  16711. clientSecret:
  16712. description: ClientSecret is the secret part of the credential.
  16713. properties:
  16714. secretRef:
  16715. description: SecretRef references a key in a secret that will be used as value.
  16716. properties:
  16717. key:
  16718. description: |-
  16719. A key in the referenced Secret.
  16720. Some instances of this field may be defaulted, in others it may be required.
  16721. maxLength: 253
  16722. minLength: 1
  16723. pattern: ^[-._a-zA-Z0-9]+$
  16724. type: string
  16725. name:
  16726. description: The name of the Secret resource being referred to.
  16727. maxLength: 253
  16728. minLength: 1
  16729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16730. type: string
  16731. namespace:
  16732. description: |-
  16733. The namespace of the Secret resource being referred to.
  16734. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16735. maxLength: 63
  16736. minLength: 1
  16737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16738. type: string
  16739. type: object
  16740. value:
  16741. description: Value can be specified directly to set a value without using a secret.
  16742. type: string
  16743. type: object
  16744. tenant:
  16745. description: Tenant is the chosen hostname / site name.
  16746. type: string
  16747. tld:
  16748. description: |-
  16749. TLD is based on the server location that was chosen during provisioning.
  16750. If unset, defaults to "com".
  16751. type: string
  16752. urlTemplate:
  16753. description: |-
  16754. URLTemplate
  16755. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16756. type: string
  16757. required:
  16758. - clientId
  16759. - clientSecret
  16760. - tenant
  16761. type: object
  16762. doppler:
  16763. description: Doppler configures this store to sync secrets using the Doppler provider
  16764. properties:
  16765. auth:
  16766. description: Auth configures how the Operator authenticates with the Doppler API
  16767. properties:
  16768. oidcConfig:
  16769. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16770. properties:
  16771. expirationSeconds:
  16772. default: 600
  16773. description: |-
  16774. ExpirationSeconds sets the ServiceAccount token validity duration.
  16775. Defaults to 10 minutes.
  16776. format: int64
  16777. type: integer
  16778. identity:
  16779. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16780. type: string
  16781. serviceAccountRef:
  16782. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16783. properties:
  16784. audiences:
  16785. description: |-
  16786. Audiences specifies the `aud` claim for the service account token.
  16787. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16788. then these audiences will be appended to the list.
  16789. items:
  16790. type: string
  16791. type: array
  16792. name:
  16793. description: The name of the ServiceAccount resource being referred to.
  16794. maxLength: 253
  16795. minLength: 1
  16796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16797. type: string
  16798. namespace:
  16799. description: |-
  16800. Namespace of the resource being referred to.
  16801. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16802. maxLength: 63
  16803. minLength: 1
  16804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16805. type: string
  16806. required:
  16807. - name
  16808. type: object
  16809. required:
  16810. - identity
  16811. - serviceAccountRef
  16812. type: object
  16813. secretRef:
  16814. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16815. properties:
  16816. dopplerToken:
  16817. description: |-
  16818. The DopplerToken is used for authentication.
  16819. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16820. The Key attribute defaults to dopplerToken if not specified.
  16821. properties:
  16822. key:
  16823. description: |-
  16824. A key in the referenced Secret.
  16825. Some instances of this field may be defaulted, in others it may be required.
  16826. maxLength: 253
  16827. minLength: 1
  16828. pattern: ^[-._a-zA-Z0-9]+$
  16829. type: string
  16830. name:
  16831. description: The name of the Secret resource being referred to.
  16832. maxLength: 253
  16833. minLength: 1
  16834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16835. type: string
  16836. namespace:
  16837. description: |-
  16838. The namespace of the Secret resource being referred to.
  16839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16840. maxLength: 63
  16841. minLength: 1
  16842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16843. type: string
  16844. type: object
  16845. required:
  16846. - dopplerToken
  16847. type: object
  16848. type: object
  16849. x-kubernetes-validations:
  16850. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16851. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16852. config:
  16853. description: Doppler config (required if not using a Service Token)
  16854. type: string
  16855. format:
  16856. description: Format enables the downloading of secrets as a file (string)
  16857. enum:
  16858. - json
  16859. - dotnet-json
  16860. - env
  16861. - yaml
  16862. - docker
  16863. type: string
  16864. nameTransformer:
  16865. description: Environment variable compatible name transforms that change secret names to a different format
  16866. enum:
  16867. - upper-camel
  16868. - camel
  16869. - lower-snake
  16870. - tf-var
  16871. - dotnet-env
  16872. - lower-kebab
  16873. type: string
  16874. project:
  16875. description: Doppler project (required if not using a Service Token)
  16876. type: string
  16877. required:
  16878. - auth
  16879. type: object
  16880. dvls:
  16881. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16882. properties:
  16883. auth:
  16884. description: Auth defines the authentication method to use.
  16885. properties:
  16886. secretRef:
  16887. description: SecretRef contains the Application ID and Application Secret for authentication.
  16888. properties:
  16889. appId:
  16890. description: AppID is the reference to the secret containing the Application ID.
  16891. properties:
  16892. key:
  16893. description: |-
  16894. A key in the referenced Secret.
  16895. Some instances of this field may be defaulted, in others it may be required.
  16896. maxLength: 253
  16897. minLength: 1
  16898. pattern: ^[-._a-zA-Z0-9]+$
  16899. type: string
  16900. name:
  16901. description: The name of the Secret resource being referred to.
  16902. maxLength: 253
  16903. minLength: 1
  16904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16905. type: string
  16906. namespace:
  16907. description: |-
  16908. The namespace of the Secret resource being referred to.
  16909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16910. maxLength: 63
  16911. minLength: 1
  16912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16913. type: string
  16914. type: object
  16915. appSecret:
  16916. description: AppSecret is the reference to the secret containing the Application Secret.
  16917. properties:
  16918. key:
  16919. description: |-
  16920. A key in the referenced Secret.
  16921. Some instances of this field may be defaulted, in others it may be required.
  16922. maxLength: 253
  16923. minLength: 1
  16924. pattern: ^[-._a-zA-Z0-9]+$
  16925. type: string
  16926. name:
  16927. description: The name of the Secret resource being referred to.
  16928. maxLength: 253
  16929. minLength: 1
  16930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16931. type: string
  16932. namespace:
  16933. description: |-
  16934. The namespace of the Secret resource being referred to.
  16935. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16936. maxLength: 63
  16937. minLength: 1
  16938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16939. type: string
  16940. type: object
  16941. required:
  16942. - appId
  16943. - appSecret
  16944. type: object
  16945. required:
  16946. - secretRef
  16947. type: object
  16948. insecure:
  16949. description: |-
  16950. Insecure allows connecting to DVLS over plain HTTP.
  16951. This is NOT RECOMMENDED for production use.
  16952. Set to true only if you understand the security implications.
  16953. type: boolean
  16954. serverUrl:
  16955. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16956. type: string
  16957. vault:
  16958. description: |-
  16959. Vault is the name or UUID of the vault to fetch secrets from.
  16960. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16961. type: string
  16962. required:
  16963. - auth
  16964. - serverUrl
  16965. type: object
  16966. fake:
  16967. description: Fake configures a store with static key/value pairs
  16968. properties:
  16969. data:
  16970. items:
  16971. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16972. properties:
  16973. key:
  16974. type: string
  16975. value:
  16976. type: string
  16977. version:
  16978. type: string
  16979. required:
  16980. - key
  16981. - value
  16982. type: object
  16983. type: array
  16984. validationResult:
  16985. description: ValidationResult is the defined type for the number of validation results.
  16986. type: integer
  16987. required:
  16988. - data
  16989. type: object
  16990. fortanix:
  16991. description: Fortanix configures this store to sync secrets using the Fortanix provider
  16992. properties:
  16993. apiKey:
  16994. description: APIKey is the API token to access SDKMS Applications.
  16995. properties:
  16996. secretRef:
  16997. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  16998. properties:
  16999. key:
  17000. description: |-
  17001. A key in the referenced Secret.
  17002. Some instances of this field may be defaulted, in others it may be required.
  17003. maxLength: 253
  17004. minLength: 1
  17005. pattern: ^[-._a-zA-Z0-9]+$
  17006. type: string
  17007. name:
  17008. description: The name of the Secret resource being referred to.
  17009. maxLength: 253
  17010. minLength: 1
  17011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17012. type: string
  17013. namespace:
  17014. description: |-
  17015. The namespace of the Secret resource being referred to.
  17016. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17017. maxLength: 63
  17018. minLength: 1
  17019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17020. type: string
  17021. type: object
  17022. type: object
  17023. apiUrl:
  17024. description: APIURL is the URL of the SDKMS API. Defaults to `sdkms.fortanix.com`.
  17025. type: string
  17026. type: object
  17027. gcpsm:
  17028. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  17029. properties:
  17030. auth:
  17031. description: Auth defines the information necessary to authenticate against GCP
  17032. properties:
  17033. secretRef:
  17034. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  17035. properties:
  17036. secretAccessKeySecretRef:
  17037. description: The SecretAccessKey is used for authentication
  17038. properties:
  17039. key:
  17040. description: |-
  17041. A key in the referenced Secret.
  17042. Some instances of this field may be defaulted, in others it may be required.
  17043. maxLength: 253
  17044. minLength: 1
  17045. pattern: ^[-._a-zA-Z0-9]+$
  17046. type: string
  17047. name:
  17048. description: The name of the Secret resource being referred to.
  17049. maxLength: 253
  17050. minLength: 1
  17051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17052. type: string
  17053. namespace:
  17054. description: |-
  17055. The namespace of the Secret resource being referred to.
  17056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17057. maxLength: 63
  17058. minLength: 1
  17059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17060. type: string
  17061. type: object
  17062. type: object
  17063. workloadIdentity:
  17064. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  17065. properties:
  17066. clusterLocation:
  17067. description: |-
  17068. ClusterLocation is the location of the cluster
  17069. If not specified, it is fetched from the metadata server.
  17070. type: string
  17071. clusterName:
  17072. description: |-
  17073. ClusterName is the name of the cluster
  17074. If not specified, it is fetched from the metadata server.
  17075. type: string
  17076. clusterProjectID:
  17077. description: |-
  17078. ClusterProjectID is the project ID of the cluster
  17079. If not specified, it is fetched from the metadata server.
  17080. type: string
  17081. serviceAccountRef:
  17082. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  17083. properties:
  17084. audiences:
  17085. description: |-
  17086. Audience specifies the `aud` claim for the service account token
  17087. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17088. then these audiences will be appended to the list
  17089. items:
  17090. type: string
  17091. type: array
  17092. name:
  17093. description: The name of the ServiceAccount resource being referred to.
  17094. maxLength: 253
  17095. minLength: 1
  17096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17097. type: string
  17098. namespace:
  17099. description: |-
  17100. Namespace of the resource being referred to.
  17101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17102. maxLength: 63
  17103. minLength: 1
  17104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17105. type: string
  17106. required:
  17107. - name
  17108. type: object
  17109. required:
  17110. - serviceAccountRef
  17111. type: object
  17112. workloadIdentityFederation:
  17113. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  17114. properties:
  17115. audience:
  17116. description: |-
  17117. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  17118. If specified, Audience found in the external account credential config will be overridden with the configured value.
  17119. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  17120. type: string
  17121. awsSecurityCredentials:
  17122. description: |-
  17123. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  17124. when using the AWS metadata server is not an option.
  17125. properties:
  17126. awsCredentialsSecretRef:
  17127. description: |-
  17128. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  17129. Secret should be created with below names for keys
  17130. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  17131. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  17132. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  17133. properties:
  17134. name:
  17135. description: name of the secret.
  17136. maxLength: 253
  17137. minLength: 1
  17138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17139. type: string
  17140. namespace:
  17141. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  17142. maxLength: 63
  17143. minLength: 1
  17144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17145. type: string
  17146. required:
  17147. - name
  17148. type: object
  17149. region:
  17150. description: region is for configuring the AWS region to be used.
  17151. example: ap-south-1
  17152. maxLength: 50
  17153. minLength: 1
  17154. pattern: ^[a-z0-9-]+$
  17155. type: string
  17156. required:
  17157. - awsCredentialsSecretRef
  17158. - region
  17159. type: object
  17160. credConfig:
  17161. description: |-
  17162. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  17163. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead,
  17164. serviceAccountRef must be used, providing the operator's service account details.
  17165. properties:
  17166. key:
  17167. description: key name holding the external account credential config.
  17168. maxLength: 253
  17169. minLength: 1
  17170. pattern: ^[-._a-zA-Z0-9]+$
  17171. type: string
  17172. name:
  17173. description: name of the configmap.
  17174. maxLength: 253
  17175. minLength: 1
  17176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17177. type: string
  17178. namespace:
  17179. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  17180. maxLength: 63
  17181. minLength: 1
  17182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17183. type: string
  17184. required:
  17185. - key
  17186. - name
  17187. type: object
  17188. externalTokenEndpoint:
  17189. description: |-
  17190. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  17191. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  17192. URL has the expected value.
  17193. type: string
  17194. gcpServiceAccountEmail:
  17195. description: |-
  17196. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  17197. after Workload Identity Federation. Use this to grant access through the service account's
  17198. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  17199. service_account_impersonation_url in the external account JSON from credConfig;
  17200. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  17201. on that ServiceAccount.
  17202. example: my-gsa@my-project.iam.gserviceaccount.com
  17203. minLength: 1
  17204. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  17205. type: string
  17206. serviceAccountRef:
  17207. description: |-
  17208. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  17209. when Kubernetes is configured as provider in workload identity pool.
  17210. properties:
  17211. audiences:
  17212. description: |-
  17213. Audience specifies the `aud` claim for the service account token
  17214. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17215. then these audiences will be appended to the list
  17216. items:
  17217. type: string
  17218. type: array
  17219. name:
  17220. description: The name of the ServiceAccount resource being referred to.
  17221. maxLength: 253
  17222. minLength: 1
  17223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17224. type: string
  17225. namespace:
  17226. description: |-
  17227. Namespace of the resource being referred to.
  17228. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17229. maxLength: 63
  17230. minLength: 1
  17231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17232. type: string
  17233. required:
  17234. - name
  17235. type: object
  17236. type: object
  17237. type: object
  17238. location:
  17239. description: Location optionally defines a location for a secret
  17240. type: string
  17241. projectID:
  17242. description: ProjectID is the project where the secret is located
  17243. type: string
  17244. secretVersionSelectionPolicy:
  17245. default: LatestOrFail
  17246. description: |-
  17247. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  17248. when "latest" is disabled or destroyed.
  17249. Possible values are:
  17250. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  17251. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  17252. type: string
  17253. type: object
  17254. github:
  17255. description: |-
  17256. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  17257. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  17258. properties:
  17259. appID:
  17260. description: appID specifies the Github APP that will be used to authenticate the client
  17261. format: int64
  17262. type: integer
  17263. auth:
  17264. description: auth configures how secret-manager authenticates with a Github instance.
  17265. properties:
  17266. privateKey:
  17267. description: |-
  17268. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17269. In some instances, `key` is a required field.
  17270. properties:
  17271. key:
  17272. description: |-
  17273. A key in the referenced Secret.
  17274. Some instances of this field may be defaulted, in others it may be required.
  17275. maxLength: 253
  17276. minLength: 1
  17277. pattern: ^[-._a-zA-Z0-9]+$
  17278. type: string
  17279. name:
  17280. description: The name of the Secret resource being referred to.
  17281. maxLength: 253
  17282. minLength: 1
  17283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17284. type: string
  17285. namespace:
  17286. description: |-
  17287. The namespace of the Secret resource being referred to.
  17288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17289. maxLength: 63
  17290. minLength: 1
  17291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17292. type: string
  17293. type: object
  17294. required:
  17295. - privateKey
  17296. type: object
  17297. environment:
  17298. description: environment will be used to fetch secrets from a particular environment within a github repository
  17299. type: string
  17300. installationID:
  17301. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17302. format: int64
  17303. type: integer
  17304. orgSecretVisibility:
  17305. description: |-
  17306. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  17307. Valid values are "all" or "private".
  17308. When unset, new secrets are created with visibility "all" and existing secrets preserve
  17309. whatever visibility they already have in GitHub.
  17310. enum:
  17311. - all
  17312. - private
  17313. type: string
  17314. organization:
  17315. description: organization will be used to fetch secrets from the Github organization
  17316. type: string
  17317. repository:
  17318. description: repository will be used to fetch secrets from the Github repository within an organization
  17319. type: string
  17320. uploadURL:
  17321. description: Upload URL for enterprise instances. Defaults to URL.
  17322. type: string
  17323. url:
  17324. default: https://github.com/
  17325. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17326. type: string
  17327. required:
  17328. - appID
  17329. - auth
  17330. - installationID
  17331. - organization
  17332. type: object
  17333. gitlab:
  17334. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17335. properties:
  17336. auth:
  17337. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17338. properties:
  17339. SecretRef:
  17340. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17341. properties:
  17342. accessToken:
  17343. description: AccessToken is used for authentication.
  17344. properties:
  17345. key:
  17346. description: |-
  17347. A key in the referenced Secret.
  17348. Some instances of this field may be defaulted, in others it may be required.
  17349. maxLength: 253
  17350. minLength: 1
  17351. pattern: ^[-._a-zA-Z0-9]+$
  17352. type: string
  17353. name:
  17354. description: The name of the Secret resource being referred to.
  17355. maxLength: 253
  17356. minLength: 1
  17357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17358. type: string
  17359. namespace:
  17360. description: |-
  17361. The namespace of the Secret resource being referred to.
  17362. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17363. maxLength: 63
  17364. minLength: 1
  17365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17366. type: string
  17367. type: object
  17368. type: object
  17369. required:
  17370. - SecretRef
  17371. type: object
  17372. caBundle:
  17373. description: |-
  17374. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17375. can be performed.
  17376. format: byte
  17377. type: string
  17378. caProvider:
  17379. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17380. properties:
  17381. key:
  17382. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17383. maxLength: 253
  17384. minLength: 1
  17385. pattern: ^[-._a-zA-Z0-9]+$
  17386. type: string
  17387. name:
  17388. description: The name of the object located at the provider type.
  17389. maxLength: 253
  17390. minLength: 1
  17391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17392. type: string
  17393. namespace:
  17394. description: |-
  17395. The namespace the Provider type is in.
  17396. Can only be defined when used in a ClusterSecretStore.
  17397. maxLength: 63
  17398. minLength: 1
  17399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17400. type: string
  17401. type:
  17402. description: The type of provider to use such as "Secret", or "ConfigMap".
  17403. enum:
  17404. - Secret
  17405. - ConfigMap
  17406. type: string
  17407. required:
  17408. - name
  17409. - type
  17410. type: object
  17411. environment:
  17412. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment for how to create environments)
  17413. type: string
  17414. groupIDs:
  17415. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  17416. items:
  17417. type: string
  17418. type: array
  17419. inheritFromGroups:
  17420. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17421. type: boolean
  17422. projectID:
  17423. description: ProjectID specifies a project where secrets are located.
  17424. type: string
  17425. url:
  17426. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17427. type: string
  17428. required:
  17429. - auth
  17430. type: object
  17431. ibm:
  17432. description: IBM configures this store to sync secrets using IBM Cloud provider
  17433. properties:
  17434. auth:
  17435. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17436. maxProperties: 1
  17437. minProperties: 1
  17438. properties:
  17439. containerAuth:
  17440. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17441. properties:
  17442. iamEndpoint:
  17443. type: string
  17444. profile:
  17445. description: the IBM Trusted Profile
  17446. type: string
  17447. tokenLocation:
  17448. description: Location where the token is mounted on the pod
  17449. type: string
  17450. required:
  17451. - profile
  17452. type: object
  17453. secretRef:
  17454. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17455. properties:
  17456. iamEndpoint:
  17457. description: The IAM endpoint used to obtain a token
  17458. type: string
  17459. secretApiKeySecretRef:
  17460. description: The SecretAccessKey is used for authentication
  17461. properties:
  17462. key:
  17463. description: |-
  17464. A key in the referenced Secret.
  17465. Some instances of this field may be defaulted, in others it may be required.
  17466. maxLength: 253
  17467. minLength: 1
  17468. pattern: ^[-._a-zA-Z0-9]+$
  17469. type: string
  17470. name:
  17471. description: The name of the Secret resource being referred to.
  17472. maxLength: 253
  17473. minLength: 1
  17474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17475. type: string
  17476. namespace:
  17477. description: |-
  17478. The namespace of the Secret resource being referred to.
  17479. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17480. maxLength: 63
  17481. minLength: 1
  17482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17483. type: string
  17484. type: object
  17485. type: object
  17486. type: object
  17487. serviceUrl:
  17488. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17489. type: string
  17490. required:
  17491. - auth
  17492. type: object
  17493. infisical:
  17494. description: Infisical configures this store to sync secrets using the Infisical provider
  17495. properties:
  17496. auth:
  17497. description: Auth configures how the Operator authenticates with the Infisical API
  17498. properties:
  17499. awsAuthCredentials:
  17500. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17501. properties:
  17502. identityId:
  17503. description: |-
  17504. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17505. In some instances, `key` is a required field.
  17506. properties:
  17507. key:
  17508. description: |-
  17509. A key in the referenced Secret.
  17510. Some instances of this field may be defaulted, in others it may be required.
  17511. maxLength: 253
  17512. minLength: 1
  17513. pattern: ^[-._a-zA-Z0-9]+$
  17514. type: string
  17515. name:
  17516. description: The name of the Secret resource being referred to.
  17517. maxLength: 253
  17518. minLength: 1
  17519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17520. type: string
  17521. namespace:
  17522. description: |-
  17523. The namespace of the Secret resource being referred to.
  17524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17525. maxLength: 63
  17526. minLength: 1
  17527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17528. type: string
  17529. type: object
  17530. required:
  17531. - identityId
  17532. type: object
  17533. azureAuthCredentials:
  17534. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17535. properties:
  17536. identityId:
  17537. description: |-
  17538. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17539. In some instances, `key` is a required field.
  17540. properties:
  17541. key:
  17542. description: |-
  17543. A key in the referenced Secret.
  17544. Some instances of this field may be defaulted, in others it may be required.
  17545. maxLength: 253
  17546. minLength: 1
  17547. pattern: ^[-._a-zA-Z0-9]+$
  17548. type: string
  17549. name:
  17550. description: The name of the Secret resource being referred to.
  17551. maxLength: 253
  17552. minLength: 1
  17553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17554. type: string
  17555. namespace:
  17556. description: |-
  17557. The namespace of the Secret resource being referred to.
  17558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17559. maxLength: 63
  17560. minLength: 1
  17561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17562. type: string
  17563. type: object
  17564. resource:
  17565. description: |-
  17566. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17567. In some instances, `key` is a required field.
  17568. properties:
  17569. key:
  17570. description: |-
  17571. A key in the referenced Secret.
  17572. Some instances of this field may be defaulted, in others it may be required.
  17573. maxLength: 253
  17574. minLength: 1
  17575. pattern: ^[-._a-zA-Z0-9]+$
  17576. type: string
  17577. name:
  17578. description: The name of the Secret resource being referred to.
  17579. maxLength: 253
  17580. minLength: 1
  17581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17582. type: string
  17583. namespace:
  17584. description: |-
  17585. The namespace of the Secret resource being referred to.
  17586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17587. maxLength: 63
  17588. minLength: 1
  17589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17590. type: string
  17591. type: object
  17592. required:
  17593. - identityId
  17594. type: object
  17595. gcpIamAuthCredentials:
  17596. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17597. properties:
  17598. identityId:
  17599. description: |-
  17600. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17601. In some instances, `key` is a required field.
  17602. properties:
  17603. key:
  17604. description: |-
  17605. A key in the referenced Secret.
  17606. Some instances of this field may be defaulted, in others it may be required.
  17607. maxLength: 253
  17608. minLength: 1
  17609. pattern: ^[-._a-zA-Z0-9]+$
  17610. type: string
  17611. name:
  17612. description: The name of the Secret resource being referred to.
  17613. maxLength: 253
  17614. minLength: 1
  17615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17616. type: string
  17617. namespace:
  17618. description: |-
  17619. The namespace of the Secret resource being referred to.
  17620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17621. maxLength: 63
  17622. minLength: 1
  17623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17624. type: string
  17625. type: object
  17626. serviceAccountKeyFilePath:
  17627. description: |-
  17628. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17629. In some instances, `key` is a required field.
  17630. properties:
  17631. key:
  17632. description: |-
  17633. A key in the referenced Secret.
  17634. Some instances of this field may be defaulted, in others it may be required.
  17635. maxLength: 253
  17636. minLength: 1
  17637. pattern: ^[-._a-zA-Z0-9]+$
  17638. type: string
  17639. name:
  17640. description: The name of the Secret resource being referred to.
  17641. maxLength: 253
  17642. minLength: 1
  17643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17644. type: string
  17645. namespace:
  17646. description: |-
  17647. The namespace of the Secret resource being referred to.
  17648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17649. maxLength: 63
  17650. minLength: 1
  17651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17652. type: string
  17653. type: object
  17654. required:
  17655. - identityId
  17656. - serviceAccountKeyFilePath
  17657. type: object
  17658. gcpIdTokenAuthCredentials:
  17659. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17660. properties:
  17661. identityId:
  17662. description: |-
  17663. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17664. In some instances, `key` is a required field.
  17665. properties:
  17666. key:
  17667. description: |-
  17668. A key in the referenced Secret.
  17669. Some instances of this field may be defaulted, in others it may be required.
  17670. maxLength: 253
  17671. minLength: 1
  17672. pattern: ^[-._a-zA-Z0-9]+$
  17673. type: string
  17674. name:
  17675. description: The name of the Secret resource being referred to.
  17676. maxLength: 253
  17677. minLength: 1
  17678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17679. type: string
  17680. namespace:
  17681. description: |-
  17682. The namespace of the Secret resource being referred to.
  17683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17684. maxLength: 63
  17685. minLength: 1
  17686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17687. type: string
  17688. type: object
  17689. required:
  17690. - identityId
  17691. type: object
  17692. jwtAuthCredentials:
  17693. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17694. properties:
  17695. identityId:
  17696. description: |-
  17697. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17698. In some instances, `key` is a required field.
  17699. properties:
  17700. key:
  17701. description: |-
  17702. A key in the referenced Secret.
  17703. Some instances of this field may be defaulted, in others it may be required.
  17704. maxLength: 253
  17705. minLength: 1
  17706. pattern: ^[-._a-zA-Z0-9]+$
  17707. type: string
  17708. name:
  17709. description: The name of the Secret resource being referred to.
  17710. maxLength: 253
  17711. minLength: 1
  17712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17713. type: string
  17714. namespace:
  17715. description: |-
  17716. The namespace of the Secret resource being referred to.
  17717. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17718. maxLength: 63
  17719. minLength: 1
  17720. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17721. type: string
  17722. type: object
  17723. jwt:
  17724. description: |-
  17725. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17726. In some instances, `key` is a required field.
  17727. properties:
  17728. key:
  17729. description: |-
  17730. A key in the referenced Secret.
  17731. Some instances of this field may be defaulted, in others it may be required.
  17732. maxLength: 253
  17733. minLength: 1
  17734. pattern: ^[-._a-zA-Z0-9]+$
  17735. type: string
  17736. name:
  17737. description: The name of the Secret resource being referred to.
  17738. maxLength: 253
  17739. minLength: 1
  17740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17741. type: string
  17742. namespace:
  17743. description: |-
  17744. The namespace of the Secret resource being referred to.
  17745. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17746. maxLength: 63
  17747. minLength: 1
  17748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17749. type: string
  17750. type: object
  17751. required:
  17752. - identityId
  17753. - jwt
  17754. type: object
  17755. kubernetesAuthCredentials:
  17756. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17757. properties:
  17758. identityId:
  17759. description: |-
  17760. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17761. In some instances, `key` is a required field.
  17762. properties:
  17763. key:
  17764. description: |-
  17765. A key in the referenced Secret.
  17766. Some instances of this field may be defaulted, in others it may be required.
  17767. maxLength: 253
  17768. minLength: 1
  17769. pattern: ^[-._a-zA-Z0-9]+$
  17770. type: string
  17771. name:
  17772. description: The name of the Secret resource being referred to.
  17773. maxLength: 253
  17774. minLength: 1
  17775. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17776. type: string
  17777. namespace:
  17778. description: |-
  17779. The namespace of the Secret resource being referred to.
  17780. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17781. maxLength: 63
  17782. minLength: 1
  17783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17784. type: string
  17785. type: object
  17786. serviceAccountTokenPath:
  17787. description: |-
  17788. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17789. In some instances, `key` is a required field.
  17790. properties:
  17791. key:
  17792. description: |-
  17793. A key in the referenced Secret.
  17794. Some instances of this field may be defaulted, in others it may be required.
  17795. maxLength: 253
  17796. minLength: 1
  17797. pattern: ^[-._a-zA-Z0-9]+$
  17798. type: string
  17799. name:
  17800. description: The name of the Secret resource being referred to.
  17801. maxLength: 253
  17802. minLength: 1
  17803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17804. type: string
  17805. namespace:
  17806. description: |-
  17807. The namespace of the Secret resource being referred to.
  17808. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17809. maxLength: 63
  17810. minLength: 1
  17811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17812. type: string
  17813. type: object
  17814. required:
  17815. - identityId
  17816. type: object
  17817. ldapAuthCredentials:
  17818. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17819. properties:
  17820. identityId:
  17821. description: |-
  17822. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17823. In some instances, `key` is a required field.
  17824. properties:
  17825. key:
  17826. description: |-
  17827. A key in the referenced Secret.
  17828. Some instances of this field may be defaulted, in others it may be required.
  17829. maxLength: 253
  17830. minLength: 1
  17831. pattern: ^[-._a-zA-Z0-9]+$
  17832. type: string
  17833. name:
  17834. description: The name of the Secret resource being referred to.
  17835. maxLength: 253
  17836. minLength: 1
  17837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17838. type: string
  17839. namespace:
  17840. description: |-
  17841. The namespace of the Secret resource being referred to.
  17842. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17843. maxLength: 63
  17844. minLength: 1
  17845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17846. type: string
  17847. type: object
  17848. ldapPassword:
  17849. description: |-
  17850. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17851. In some instances, `key` is a required field.
  17852. properties:
  17853. key:
  17854. description: |-
  17855. A key in the referenced Secret.
  17856. Some instances of this field may be defaulted, in others it may be required.
  17857. maxLength: 253
  17858. minLength: 1
  17859. pattern: ^[-._a-zA-Z0-9]+$
  17860. type: string
  17861. name:
  17862. description: The name of the Secret resource being referred to.
  17863. maxLength: 253
  17864. minLength: 1
  17865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17866. type: string
  17867. namespace:
  17868. description: |-
  17869. The namespace of the Secret resource being referred to.
  17870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17871. maxLength: 63
  17872. minLength: 1
  17873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17874. type: string
  17875. type: object
  17876. ldapUsername:
  17877. description: |-
  17878. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17879. In some instances, `key` is a required field.
  17880. properties:
  17881. key:
  17882. description: |-
  17883. A key in the referenced Secret.
  17884. Some instances of this field may be defaulted, in others it may be required.
  17885. maxLength: 253
  17886. minLength: 1
  17887. pattern: ^[-._a-zA-Z0-9]+$
  17888. type: string
  17889. name:
  17890. description: The name of the Secret resource being referred to.
  17891. maxLength: 253
  17892. minLength: 1
  17893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17894. type: string
  17895. namespace:
  17896. description: |-
  17897. The namespace of the Secret resource being referred to.
  17898. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17899. maxLength: 63
  17900. minLength: 1
  17901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17902. type: string
  17903. type: object
  17904. required:
  17905. - identityId
  17906. - ldapPassword
  17907. - ldapUsername
  17908. type: object
  17909. ociAuthCredentials:
  17910. description: OciAuthCredentials represents the credentials for OCI authentication.
  17911. properties:
  17912. fingerprint:
  17913. description: |-
  17914. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17915. In some instances, `key` is a required field.
  17916. properties:
  17917. key:
  17918. description: |-
  17919. A key in the referenced Secret.
  17920. Some instances of this field may be defaulted, in others it may be required.
  17921. maxLength: 253
  17922. minLength: 1
  17923. pattern: ^[-._a-zA-Z0-9]+$
  17924. type: string
  17925. name:
  17926. description: The name of the Secret resource being referred to.
  17927. maxLength: 253
  17928. minLength: 1
  17929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17930. type: string
  17931. namespace:
  17932. description: |-
  17933. The namespace of the Secret resource being referred to.
  17934. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17935. maxLength: 63
  17936. minLength: 1
  17937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17938. type: string
  17939. type: object
  17940. identityId:
  17941. description: |-
  17942. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17943. In some instances, `key` is a required field.
  17944. properties:
  17945. key:
  17946. description: |-
  17947. A key in the referenced Secret.
  17948. Some instances of this field may be defaulted, in others it may be required.
  17949. maxLength: 253
  17950. minLength: 1
  17951. pattern: ^[-._a-zA-Z0-9]+$
  17952. type: string
  17953. name:
  17954. description: The name of the Secret resource being referred to.
  17955. maxLength: 253
  17956. minLength: 1
  17957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17958. type: string
  17959. namespace:
  17960. description: |-
  17961. The namespace of the Secret resource being referred to.
  17962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17963. maxLength: 63
  17964. minLength: 1
  17965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17966. type: string
  17967. type: object
  17968. privateKey:
  17969. description: |-
  17970. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17971. In some instances, `key` is a required field.
  17972. properties:
  17973. key:
  17974. description: |-
  17975. A key in the referenced Secret.
  17976. Some instances of this field may be defaulted, in others it may be required.
  17977. maxLength: 253
  17978. minLength: 1
  17979. pattern: ^[-._a-zA-Z0-9]+$
  17980. type: string
  17981. name:
  17982. description: The name of the Secret resource being referred to.
  17983. maxLength: 253
  17984. minLength: 1
  17985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17986. type: string
  17987. namespace:
  17988. description: |-
  17989. The namespace of the Secret resource being referred to.
  17990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17991. maxLength: 63
  17992. minLength: 1
  17993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17994. type: string
  17995. type: object
  17996. privateKeyPassphrase:
  17997. description: |-
  17998. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17999. In some instances, `key` is a required field.
  18000. properties:
  18001. key:
  18002. description: |-
  18003. A key in the referenced Secret.
  18004. Some instances of this field may be defaulted, in others it may be required.
  18005. maxLength: 253
  18006. minLength: 1
  18007. pattern: ^[-._a-zA-Z0-9]+$
  18008. type: string
  18009. name:
  18010. description: The name of the Secret resource being referred to.
  18011. maxLength: 253
  18012. minLength: 1
  18013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18014. type: string
  18015. namespace:
  18016. description: |-
  18017. The namespace of the Secret resource being referred to.
  18018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18019. maxLength: 63
  18020. minLength: 1
  18021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18022. type: string
  18023. type: object
  18024. region:
  18025. description: |-
  18026. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18027. In some instances, `key` is a required field.
  18028. properties:
  18029. key:
  18030. description: |-
  18031. A key in the referenced Secret.
  18032. Some instances of this field may be defaulted, in others it may be required.
  18033. maxLength: 253
  18034. minLength: 1
  18035. pattern: ^[-._a-zA-Z0-9]+$
  18036. type: string
  18037. name:
  18038. description: The name of the Secret resource being referred to.
  18039. maxLength: 253
  18040. minLength: 1
  18041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18042. type: string
  18043. namespace:
  18044. description: |-
  18045. The namespace of the Secret resource being referred to.
  18046. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18047. maxLength: 63
  18048. minLength: 1
  18049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18050. type: string
  18051. type: object
  18052. tenancyId:
  18053. description: |-
  18054. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18055. In some instances, `key` is a required field.
  18056. properties:
  18057. key:
  18058. description: |-
  18059. A key in the referenced Secret.
  18060. Some instances of this field may be defaulted, in others it may be required.
  18061. maxLength: 253
  18062. minLength: 1
  18063. pattern: ^[-._a-zA-Z0-9]+$
  18064. type: string
  18065. name:
  18066. description: The name of the Secret resource being referred to.
  18067. maxLength: 253
  18068. minLength: 1
  18069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18070. type: string
  18071. namespace:
  18072. description: |-
  18073. The namespace of the Secret resource being referred to.
  18074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18075. maxLength: 63
  18076. minLength: 1
  18077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18078. type: string
  18079. type: object
  18080. userId:
  18081. description: |-
  18082. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18083. In some instances, `key` is a required field.
  18084. properties:
  18085. key:
  18086. description: |-
  18087. A key in the referenced Secret.
  18088. Some instances of this field may be defaulted, in others it may be required.
  18089. maxLength: 253
  18090. minLength: 1
  18091. pattern: ^[-._a-zA-Z0-9]+$
  18092. type: string
  18093. name:
  18094. description: The name of the Secret resource being referred to.
  18095. maxLength: 253
  18096. minLength: 1
  18097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18098. type: string
  18099. namespace:
  18100. description: |-
  18101. The namespace of the Secret resource being referred to.
  18102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18103. maxLength: 63
  18104. minLength: 1
  18105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18106. type: string
  18107. type: object
  18108. required:
  18109. - fingerprint
  18110. - identityId
  18111. - privateKey
  18112. - region
  18113. - tenancyId
  18114. - userId
  18115. type: object
  18116. tokenAuthCredentials:
  18117. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  18118. properties:
  18119. accessToken:
  18120. description: |-
  18121. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18122. In some instances, `key` is a required field.
  18123. properties:
  18124. key:
  18125. description: |-
  18126. A key in the referenced Secret.
  18127. Some instances of this field may be defaulted, in others it may be required.
  18128. maxLength: 253
  18129. minLength: 1
  18130. pattern: ^[-._a-zA-Z0-9]+$
  18131. type: string
  18132. name:
  18133. description: The name of the Secret resource being referred to.
  18134. maxLength: 253
  18135. minLength: 1
  18136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18137. type: string
  18138. namespace:
  18139. description: |-
  18140. The namespace of the Secret resource being referred to.
  18141. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18142. maxLength: 63
  18143. minLength: 1
  18144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18145. type: string
  18146. type: object
  18147. required:
  18148. - accessToken
  18149. type: object
  18150. universalAuthCredentials:
  18151. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  18152. properties:
  18153. clientId:
  18154. description: |-
  18155. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18156. In some instances, `key` is a required field.
  18157. properties:
  18158. key:
  18159. description: |-
  18160. A key in the referenced Secret.
  18161. Some instances of this field may be defaulted, in others it may be required.
  18162. maxLength: 253
  18163. minLength: 1
  18164. pattern: ^[-._a-zA-Z0-9]+$
  18165. type: string
  18166. name:
  18167. description: The name of the Secret resource being referred to.
  18168. maxLength: 253
  18169. minLength: 1
  18170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18171. type: string
  18172. namespace:
  18173. description: |-
  18174. The namespace of the Secret resource being referred to.
  18175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18176. maxLength: 63
  18177. minLength: 1
  18178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18179. type: string
  18180. type: object
  18181. clientSecret:
  18182. description: |-
  18183. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18184. In some instances, `key` is a required field.
  18185. properties:
  18186. key:
  18187. description: |-
  18188. A key in the referenced Secret.
  18189. Some instances of this field may be defaulted, in others it may be required.
  18190. maxLength: 253
  18191. minLength: 1
  18192. pattern: ^[-._a-zA-Z0-9]+$
  18193. type: string
  18194. name:
  18195. description: The name of the Secret resource being referred to.
  18196. maxLength: 253
  18197. minLength: 1
  18198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18199. type: string
  18200. namespace:
  18201. description: |-
  18202. The namespace of the Secret resource being referred to.
  18203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18204. maxLength: 63
  18205. minLength: 1
  18206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18207. type: string
  18208. type: object
  18209. required:
  18210. - clientId
  18211. - clientSecret
  18212. type: object
  18213. type: object
  18214. caBundle:
  18215. description: |-
  18216. CABundle is a PEM-encoded CA certificate bundle used to validate
  18217. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  18218. format: byte
  18219. type: string
  18220. caProvider:
  18221. description: |-
  18222. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  18223. The certificate is used to validate the Infisical server's TLS certificate.
  18224. Mutually exclusive with CABundle.
  18225. properties:
  18226. key:
  18227. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18228. maxLength: 253
  18229. minLength: 1
  18230. pattern: ^[-._a-zA-Z0-9]+$
  18231. type: string
  18232. name:
  18233. description: The name of the object located at the provider type.
  18234. maxLength: 253
  18235. minLength: 1
  18236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18237. type: string
  18238. namespace:
  18239. description: |-
  18240. The namespace the Provider type is in.
  18241. Can only be defined when used in a ClusterSecretStore.
  18242. maxLength: 63
  18243. minLength: 1
  18244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18245. type: string
  18246. type:
  18247. description: The type of provider to use such as "Secret", or "ConfigMap".
  18248. enum:
  18249. - Secret
  18250. - ConfigMap
  18251. type: string
  18252. required:
  18253. - name
  18254. - type
  18255. type: object
  18256. hostAPI:
  18257. default: https://app.infisical.com/api
  18258. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  18259. type: string
  18260. secretsScope:
  18261. description: SecretsScope defines the scope of the secrets within the workspace
  18262. properties:
  18263. environmentSlug:
  18264. description: EnvironmentSlug is the required slug identifier for the environment.
  18265. type: string
  18266. expandSecretReferences:
  18267. default: true
  18268. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  18269. type: boolean
  18270. organizationSlug:
  18271. description: |-
  18272. OrganizationSlug is the optional slug that identifies the organization used during authentication.
  18273. Useful for sub-organization setups.
  18274. type: string
  18275. projectSlug:
  18276. description: ProjectSlug is the required slug identifier for the project.
  18277. type: string
  18278. recursive:
  18279. default: false
  18280. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  18281. type: boolean
  18282. secretsPath:
  18283. default: /
  18284. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18285. type: string
  18286. required:
  18287. - environmentSlug
  18288. - projectSlug
  18289. type: object
  18290. required:
  18291. - auth
  18292. - secretsScope
  18293. type: object
  18294. keepersecurity:
  18295. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18296. properties:
  18297. authRef:
  18298. description: |-
  18299. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18300. In some instances, `key` is a required field.
  18301. properties:
  18302. key:
  18303. description: |-
  18304. A key in the referenced Secret.
  18305. Some instances of this field may be defaulted, in others it may be required.
  18306. maxLength: 253
  18307. minLength: 1
  18308. pattern: ^[-._a-zA-Z0-9]+$
  18309. type: string
  18310. name:
  18311. description: The name of the Secret resource being referred to.
  18312. maxLength: 253
  18313. minLength: 1
  18314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18315. type: string
  18316. namespace:
  18317. description: |-
  18318. The namespace of the Secret resource being referred to.
  18319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18320. maxLength: 63
  18321. minLength: 1
  18322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18323. type: string
  18324. type: object
  18325. folderID:
  18326. type: string
  18327. getByTitleFallback:
  18328. type: boolean
  18329. required:
  18330. - authRef
  18331. - folderID
  18332. type: object
  18333. kubernetes:
  18334. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18335. properties:
  18336. auth:
  18337. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18338. maxProperties: 1
  18339. minProperties: 1
  18340. properties:
  18341. cert:
  18342. description: Cert authenticates to the Kubernetes server with a client certificate; clientCert and clientKey are SecretKeySelectors referencing the certificate and its private key.
  18343. properties:
  18344. clientCert:
  18345. description: |-
  18346. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18347. In some instances, `key` is a required field.
  18348. properties:
  18349. key:
  18350. description: |-
  18351. A key in the referenced Secret.
  18352. Some instances of this field may be defaulted, in others it may be required.
  18353. maxLength: 253
  18354. minLength: 1
  18355. pattern: ^[-._a-zA-Z0-9]+$
  18356. type: string
  18357. name:
  18358. description: The name of the Secret resource being referred to.
  18359. maxLength: 253
  18360. minLength: 1
  18361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18362. type: string
  18363. namespace:
  18364. description: |-
  18365. The namespace of the Secret resource being referred to.
  18366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18367. maxLength: 63
  18368. minLength: 1
  18369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18370. type: string
  18371. type: object
  18372. clientKey:
  18373. description: |-
  18374. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18375. In some instances, `key` is a required field.
  18376. properties:
  18377. key:
  18378. description: |-
  18379. A key in the referenced Secret.
  18380. Some instances of this field may be defaulted, in others it may be required.
  18381. maxLength: 253
  18382. minLength: 1
  18383. pattern: ^[-._a-zA-Z0-9]+$
  18384. type: string
  18385. name:
  18386. description: The name of the Secret resource being referred to.
  18387. maxLength: 253
  18388. minLength: 1
  18389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18390. type: string
  18391. namespace:
  18392. description: |-
  18393. The namespace of the Secret resource being referred to.
  18394. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18395. maxLength: 63
  18396. minLength: 1
  18397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18398. type: string
  18399. type: object
  18400. type: object
  18401. serviceAccount:
  18402. description: ServiceAccount authenticates with a token issued for the referenced ServiceAccount; the token's `aud` claim is controlled by audiences.
  18403. properties:
  18404. audiences:
  18405. description: |-
  18406. Audiences specifies the `aud` claim values for the service account token.
  18407. If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  18408. these audiences are appended to that list.
  18409. items:
  18410. type: string
  18411. type: array
  18412. name:
  18413. description: The name of the ServiceAccount resource being referred to.
  18414. maxLength: 253
  18415. minLength: 1
  18416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18417. type: string
  18418. namespace:
  18419. description: |-
  18420. Namespace of the resource being referred to.
  18421. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18422. maxLength: 63
  18423. minLength: 1
  18424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18425. type: string
  18426. required:
  18427. - name
  18428. type: object
  18429. token:
  18430. description: Token authenticates with a static bearer token read from the Secret key referenced by bearerToken.
  18431. properties:
  18432. bearerToken:
  18433. description: |-
  18434. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18435. In some instances, `key` is a required field.
  18436. properties:
  18437. key:
  18438. description: |-
  18439. A key in the referenced Secret.
  18440. Some instances of this field may be defaulted, in others it may be required.
  18441. maxLength: 253
  18442. minLength: 1
  18443. pattern: ^[-._a-zA-Z0-9]+$
  18444. type: string
  18445. name:
  18446. description: The name of the Secret resource being referred to.
  18447. maxLength: 253
  18448. minLength: 1
  18449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18450. type: string
  18451. namespace:
  18452. description: |-
  18453. The namespace of the Secret resource being referred to.
  18454. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18455. maxLength: 63
  18456. minLength: 1
  18457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18458. type: string
  18459. type: object
  18460. type: object
  18461. type: object
  18462. authRef:
  18463. description: A reference to a secret that contains the auth information.
  18464. properties:
  18465. key:
  18466. description: |-
  18467. A key in the referenced Secret.
  18468. Some instances of this field may be defaulted, in others it may be required.
  18469. maxLength: 253
  18470. minLength: 1
  18471. pattern: ^[-._a-zA-Z0-9]+$
  18472. type: string
  18473. name:
  18474. description: The name of the Secret resource being referred to.
  18475. maxLength: 253
  18476. minLength: 1
  18477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18478. type: string
  18479. namespace:
  18480. description: |-
  18481. The namespace of the Secret resource being referred to.
  18482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18483. maxLength: 63
  18484. minLength: 1
  18485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18486. type: string
  18487. type: object
  18488. remoteNamespace:
  18489. default: default
  18490. description: Remote namespace to fetch the secrets from
  18491. maxLength: 63
  18492. minLength: 1
  18493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18494. type: string
  18495. server:
  18496. description: configures the Kubernetes server Address.
  18497. properties:
  18498. caBundle:
  18499. description: CABundle is a base64-encoded CA certificate bundle used to verify the Kubernetes server TLS certificate.
  18500. format: byte
  18501. type: string
  18502. caProvider:
  18503. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18504. properties:
  18505. key:
  18506. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18507. maxLength: 253
  18508. minLength: 1
  18509. pattern: ^[-._a-zA-Z0-9]+$
  18510. type: string
  18511. name:
  18512. description: The name of the object located at the provider type.
  18513. maxLength: 253
  18514. minLength: 1
  18515. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18516. type: string
  18517. namespace:
  18518. description: |-
  18519. The namespace the Provider type is in.
  18520. Can only be defined when used in a ClusterSecretStore.
  18521. maxLength: 63
  18522. minLength: 1
  18523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18524. type: string
  18525. type:
  18526. description: The type of provider to use such as "Secret", or "ConfigMap".
  18527. enum:
  18528. - Secret
  18529. - ConfigMap
  18530. type: string
  18531. required:
  18532. - name
  18533. - type
  18534. type: object
  18535. url:
  18536. default: kubernetes.default
  18537. description: configures the Kubernetes server address.
  18538. type: string
  18539. type: object
  18540. type: object
  18541. nebiusmysterybox:
  18542. description: NebiusMysterybox configures this store to sync secrets using the NebiusMysterybox provider
  18543. properties:
  18544. apiDomain:
  18545. description: NebiusMysterybox API endpoint
  18546. type: string
  18547. auth:
  18548. description: Auth defines the parameters used to authenticate with MysteryBox
  18549. properties:
  18550. serviceAccountCredsSecretRef:
  18551. description: |-
  18552. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18553. document with service account credentials used to get an IAM token.
  18554. Expected JSON structure:
  18555. {
  18556. "subject-credentials": {
  18557. "alg": "RS256",
  18558. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18559. "kid": "<public-key-id>",
  18560. "iss": "<issuer-service-account-id>",
  18561. "sub": "<subject-service-account-id>"
  18562. }
  18563. }
  18564. properties:
  18565. key:
  18566. description: |-
  18567. A key in the referenced Secret.
  18568. Some instances of this field may be defaulted, in others it may be required.
  18569. maxLength: 253
  18570. minLength: 1
  18571. pattern: ^[-._a-zA-Z0-9]+$
  18572. type: string
  18573. name:
  18574. description: The name of the Secret resource being referred to.
  18575. maxLength: 253
  18576. minLength: 1
  18577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18578. type: string
  18579. namespace:
  18580. description: |-
  18581. The namespace of the Secret resource being referred to.
  18582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18583. maxLength: 63
  18584. minLength: 1
  18585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18586. type: string
  18587. type: object
  18588. tokenSecretRef:
  18589. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18590. properties:
  18591. key:
  18592. description: |-
  18593. A key in the referenced Secret.
  18594. Some instances of this field may be defaulted, in others it may be required.
  18595. maxLength: 253
  18596. minLength: 1
  18597. pattern: ^[-._a-zA-Z0-9]+$
  18598. type: string
  18599. name:
  18600. description: The name of the Secret resource being referred to.
  18601. maxLength: 253
  18602. minLength: 1
  18603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18604. type: string
  18605. namespace:
  18606. description: |-
  18607. The namespace of the Secret resource being referred to.
  18608. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18609. maxLength: 63
  18610. minLength: 1
  18611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18612. type: string
  18613. type: object
  18614. type: object
  18615. x-kubernetes-validations:
  18616. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18617. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18618. caProvider:
  18619. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18620. properties:
  18621. certSecretRef:
  18622. description: |-
  18623. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18624. In some instances, `key` is a required field.
  18625. properties:
  18626. key:
  18627. description: |-
  18628. A key in the referenced Secret.
  18629. Some instances of this field may be defaulted, in others it may be required.
  18630. maxLength: 253
  18631. minLength: 1
  18632. pattern: ^[-._a-zA-Z0-9]+$
  18633. type: string
  18634. name:
  18635. description: The name of the Secret resource being referred to.
  18636. maxLength: 253
  18637. minLength: 1
  18638. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18639. type: string
  18640. namespace:
  18641. description: |-
  18642. The namespace of the Secret resource being referred to.
  18643. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18644. maxLength: 63
  18645. minLength: 1
  18646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18647. type: string
  18648. type: object
  18649. type: object
  18650. required:
  18651. - apiDomain
  18652. - auth
  18653. type: object
  18654. ngrok:
  18655. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18656. properties:
  18657. apiUrl:
  18658. default: https://api.ngrok.com
  18659. description: APIURL is the URL of the ngrok API.
  18660. type: string
  18661. auth:
  18662. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18663. maxProperties: 1
  18664. minProperties: 1
  18665. properties:
  18666. apiKey:
  18667. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18668. properties:
  18669. secretRef:
  18670. description: SecretRef is a reference to a secret containing the ngrok API key.
  18671. properties:
  18672. key:
  18673. description: |-
  18674. A key in the referenced Secret.
  18675. Some instances of this field may be defaulted, in others it may be required.
  18676. maxLength: 253
  18677. minLength: 1
  18678. pattern: ^[-._a-zA-Z0-9]+$
  18679. type: string
  18680. name:
  18681. description: The name of the Secret resource being referred to.
  18682. maxLength: 253
  18683. minLength: 1
  18684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18685. type: string
  18686. namespace:
  18687. description: |-
  18688. The namespace of the Secret resource being referred to.
  18689. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18690. maxLength: 63
  18691. minLength: 1
  18692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18693. type: string
  18694. type: object
  18695. type: object
  18696. type: object
  18697. vault:
  18698. description: Vault configures the ngrok vault to sync secrets with.
  18699. properties:
  18700. name:
  18701. description: Name is the name of the ngrok vault to sync secrets with.
  18702. type: string
  18703. required:
  18704. - name
  18705. type: object
  18706. required:
  18707. - auth
  18708. - vault
  18709. type: object
  18710. onboardbase:
  18711. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18712. properties:
  18713. apiHost:
  18714. default: https://public.onboardbase.com/api/v1/
  18715. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18716. type: string
  18717. auth:
  18718. description: Auth configures how the Operator authenticates with the Onboardbase API
  18719. properties:
  18720. apiKeyRef:
  18721. description: |-
  18722. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18723. It is used to recognize and authorize access to a project and environment within onboardbase
  18724. properties:
  18725. key:
  18726. description: |-
  18727. A key in the referenced Secret.
  18728. Some instances of this field may be defaulted, in others it may be required.
  18729. maxLength: 253
  18730. minLength: 1
  18731. pattern: ^[-._a-zA-Z0-9]+$
  18732. type: string
  18733. name:
  18734. description: The name of the Secret resource being referred to.
  18735. maxLength: 253
  18736. minLength: 1
  18737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18738. type: string
  18739. namespace:
  18740. description: |-
  18741. The namespace of the Secret resource being referred to.
  18742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18743. maxLength: 63
  18744. minLength: 1
  18745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18746. type: string
  18747. type: object
  18748. passcodeRef:
  18749. description: OnboardbasePasscode is the passcode attached to the API Key
  18750. properties:
  18751. key:
  18752. description: |-
  18753. A key in the referenced Secret.
  18754. Some instances of this field may be defaulted, in others it may be required.
  18755. maxLength: 253
  18756. minLength: 1
  18757. pattern: ^[-._a-zA-Z0-9]+$
  18758. type: string
  18759. name:
  18760. description: The name of the Secret resource being referred to.
  18761. maxLength: 253
  18762. minLength: 1
  18763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18764. type: string
  18765. namespace:
  18766. description: |-
  18767. The namespace of the Secret resource being referred to.
  18768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18769. maxLength: 63
  18770. minLength: 1
  18771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18772. type: string
  18773. type: object
  18774. required:
  18775. - apiKeyRef
  18776. - passcodeRef
  18777. type: object
  18778. environment:
  18779. default: development
  18780. description: Environment is the name of an environment within a project to pull the secrets from
  18781. type: string
  18782. project:
  18783. default: development
  18784. description: Project is an onboardbase project that the secrets should be pulled from
  18785. type: string
  18786. required:
  18787. - apiHost
  18788. - auth
  18789. - environment
  18790. - project
  18791. type: object
  18792. onepassword:
  18793. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18794. properties:
  18795. auth:
  18796. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18797. properties:
  18798. secretRef:
  18799. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18800. properties:
  18801. connectTokenSecretRef:
  18802. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18803. properties:
  18804. key:
  18805. description: |-
  18806. A key in the referenced Secret.
  18807. Some instances of this field may be defaulted, in others it may be required.
  18808. maxLength: 253
  18809. minLength: 1
  18810. pattern: ^[-._a-zA-Z0-9]+$
  18811. type: string
  18812. name:
  18813. description: The name of the Secret resource being referred to.
  18814. maxLength: 253
  18815. minLength: 1
  18816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18817. type: string
  18818. namespace:
  18819. description: |-
  18820. The namespace of the Secret resource being referred to.
  18821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18822. maxLength: 63
  18823. minLength: 1
  18824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18825. type: string
  18826. type: object
  18827. required:
  18828. - connectTokenSecretRef
  18829. type: object
  18830. required:
  18831. - secretRef
  18832. type: object
  18833. connectHost:
  18834. description: ConnectHost defines the OnePassword Connect Server to connect to
  18835. type: string
  18836. vaults:
  18837. additionalProperties:
  18838. type: integer
  18839. description: Vaults defines which OnePassword vaults to search in which order
  18840. type: object
  18841. required:
  18842. - auth
  18843. - connectHost
  18844. - vaults
  18845. type: object
  18846. onepasswordSDK:
  18847. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18848. properties:
  18849. auth:
  18850. description: Auth defines the information necessary to authenticate against OnePassword API.
  18851. properties:
  18852. serviceAccountSecretRef:
  18853. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18854. properties:
  18855. key:
  18856. description: |-
  18857. A key in the referenced Secret.
  18858. Some instances of this field may be defaulted, in others it may be required.
  18859. maxLength: 253
  18860. minLength: 1
  18861. pattern: ^[-._a-zA-Z0-9]+$
  18862. type: string
  18863. name:
  18864. description: The name of the Secret resource being referred to.
  18865. maxLength: 253
  18866. minLength: 1
  18867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18868. type: string
  18869. namespace:
  18870. description: |-
  18871. The namespace of the Secret resource being referred to.
  18872. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18873. maxLength: 63
  18874. minLength: 1
  18875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18876. type: string
  18877. type: object
  18878. required:
  18879. - serviceAccountSecretRef
  18880. type: object
  18881. cache:
  18882. description: |-
  18883. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18884. When enabled, secrets are cached with the specified TTL.
  18885. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18886. If omitted, caching is disabled (default).
  18887. cache: {} is a valid option to set.
  18888. properties:
  18889. maxSize:
  18890. default: 100
  18891. description: |-
  18892. MaxSize is the maximum number of secrets to cache.
  18893. When the cache is full, least-recently-used entries are evicted.
  18894. minimum: 1
  18895. type: integer
  18896. ttl:
  18897. default: 5m
  18898. description: |-
  18899. TTL is the time-to-live for cached secrets.
  18900. Format: duration string (e.g., "5m", "1h", "30s")
  18901. type: string
  18902. type: object
  18903. integrationInfo:
  18904. description: |-
  18905. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18906. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18907. properties:
  18908. name:
  18909. default: 1Password SDK
  18910. description: Name defaults to "1Password SDK".
  18911. type: string
  18912. version:
  18913. default: v1.0.0
  18914. description: Version defaults to "v1.0.0".
  18915. type: string
  18916. type: object
  18917. vault:
  18918. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18919. type: string
  18920. required:
  18921. - auth
  18922. - vault
  18923. type: object
  18924. openBao:
  18925. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18926. properties:
  18927. auth:
  18928. description: Auth configures how secret-manager authenticates with the OpenBao server.
  18929. properties:
  18930. appRole:
  18931. description: |-
  18932. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  18933. with the role and secret stored in a Kubernetes Secret resource.
  18934. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  18935. properties:
  18936. path:
  18937. default: approle
  18938. description: |-
  18939. Path where the App Role authentication backend is mounted
  18940. in OpenBao, e.g: "approle"
  18941. type: string
  18942. roleId:
  18943. description: |-
  18944. RoleID configured in the App Role authentication backend when setting
  18945. up the authentication backend in OpenBao.
  18946. minLength: 1
  18947. type: string
  18948. roleRef:
  18949. description: |-
  18950. Reference to a key in a Secret that contains the App Role ID used
  18951. to authenticate with OpenBao.
  18952. The `key` field must be specified and denotes which entry within the Secret
  18953. resource is used as the app role id.
  18954. properties:
  18955. key:
  18956. description: |-
  18957. A key in the referenced Secret.
  18958. Some instances of this field may be defaulted, in others it may be required.
  18959. maxLength: 253
  18960. minLength: 1
  18961. pattern: ^[-._a-zA-Z0-9]+$
  18962. type: string
  18963. name:
  18964. description: The name of the Secret resource being referred to.
  18965. maxLength: 253
  18966. minLength: 1
  18967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18968. type: string
  18969. namespace:
  18970. description: |-
  18971. The namespace of the Secret resource being referred to.
  18972. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18973. maxLength: 63
  18974. minLength: 1
  18975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18976. type: string
  18977. type: object
  18978. secretRef:
  18979. description: |-
  18980. Reference to a key in a Secret that contains the App Role secret used
  18981. to authenticate with OpenBao.
  18982. The `key` field must be specified and denotes which entry within the Secret
  18983. resource is used as the app role secret.
  18984. properties:
  18985. key:
  18986. description: |-
  18987. A key in the referenced Secret.
  18988. Some instances of this field may be defaulted, in others it may be required.
  18989. maxLength: 253
  18990. minLength: 1
  18991. pattern: ^[-._a-zA-Z0-9]+$
  18992. type: string
  18993. name:
  18994. description: The name of the Secret resource being referred to.
  18995. maxLength: 253
  18996. minLength: 1
  18997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18998. type: string
  18999. namespace:
  19000. description: |-
  19001. The namespace of the Secret resource being referred to.
  19002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19003. maxLength: 63
  19004. minLength: 1
  19005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19006. type: string
  19007. type: object
  19008. required:
  19009. - path
  19010. - secretRef
  19011. type: object
  19012. x-kubernetes-validations:
  19013. - message: exactly one of the fields in [roleId roleRef] must be set
  19014. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  19015. namespace:
  19016. description: |-
  19017. Name of the [OpenBao Namespace] to authenticate to. This can be different
  19018. from the namespace your secret is in. Namespaces is a set of features
  19019. within OpenBao that allows OpenBao environments to support secure
  19020. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  19021. if set, or empty otherwise
  19022. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19023. type: string
  19024. tokenSecretRef:
  19025. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  19026. properties:
  19027. key:
  19028. description: |-
  19029. A key in the referenced Secret.
  19030. Some instances of this field may be defaulted, in others it may be required.
  19031. maxLength: 253
  19032. minLength: 1
  19033. pattern: ^[-._a-zA-Z0-9]+$
  19034. type: string
  19035. name:
  19036. description: The name of the Secret resource being referred to.
  19037. maxLength: 253
  19038. minLength: 1
  19039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19040. type: string
  19041. namespace:
  19042. description: |-
  19043. The namespace of the Secret resource being referred to.
  19044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19045. maxLength: 63
  19046. minLength: 1
  19047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19048. type: string
  19049. type: object
  19050. userPass:
  19051. description: UserPass authenticates with OpenBao by passing a username/password pair
  19052. properties:
  19053. path:
  19054. default: userpass
  19055. description: |-
  19056. Path where the UserPassword authentication backend is mounted
  19057. in OpenBao, e.g: "userpass"
  19058. type: string
  19059. secretRef:
  19060. description: |-
  19061. SecretRef to a key in a Secret resource containing the password for the user
  19062. used to authenticate with OpenBao using the [UserPass authentication
  19063. method]
  19064. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19065. properties:
  19066. key:
  19067. description: |-
  19068. A key in the referenced Secret.
  19069. Some instances of this field may be defaulted, in others it may be required.
  19070. maxLength: 253
  19071. minLength: 1
  19072. pattern: ^[-._a-zA-Z0-9]+$
  19073. type: string
  19074. name:
  19075. description: The name of the Secret resource being referred to.
  19076. maxLength: 253
  19077. minLength: 1
  19078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19079. type: string
  19080. namespace:
  19081. description: |-
  19082. The namespace of the Secret resource being referred to.
  19083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19084. maxLength: 63
  19085. minLength: 1
  19086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19087. type: string
  19088. type: object
  19089. username:
  19090. description: |-
  19091. Username is a username used to authenticate using the [UserPass
  19092. authentication method]
  19093. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19094. type: string
  19095. required:
  19096. - path
  19097. - username
  19098. type: object
  19099. type: object
  19100. x-kubernetes-validations:
  19101. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  19102. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  19103. caBundle:
  19104. description: |-
  19105. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  19106. this and `caProvider` are not set the system root certificates are used
  19107. to validate the TLS connection.
  19108. format: byte
  19109. type: string
  19110. caProvider:
  19111. description: |-
  19112. The provider for the CA bundle to use to validate OpenBao server
  19113. certificate. If this and `caBundle` are not set the system root
  19114. certificates are used to validate the TLS connection.
  19115. properties:
  19116. key:
  19117. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19118. maxLength: 253
  19119. minLength: 1
  19120. pattern: ^[-._a-zA-Z0-9]+$
  19121. type: string
  19122. name:
  19123. description: The name of the object located at the provider type.
  19124. maxLength: 253
  19125. minLength: 1
  19126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19127. type: string
  19128. namespace:
  19129. description: |-
  19130. The namespace the Provider type is in.
  19131. Can only be defined when used in a ClusterSecretStore.
  19132. maxLength: 63
  19133. minLength: 1
  19134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19135. type: string
  19136. type:
  19137. description: The type of provider to use such as "Secret", or "ConfigMap".
  19138. enum:
  19139. - Secret
  19140. - ConfigMap
  19141. type: string
  19142. required:
  19143. - name
  19144. - type
  19145. type: object
  19146. namespace:
  19147. description: |-
  19148. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  19149. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  19150. e.g: "ns1".
  19151. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19152. type: string
  19153. path:
  19154. description: |-
  19155. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  19156. "secret". The v2 KV secret engine version specific "/data" path suffix
  19157. for fetching secrets from OpenBao is optional and will be appended
  19158. if not present in specified path.
  19159. type: string
  19160. server:
  19161. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  19162. type: string
  19163. version:
  19164. default: v2
  19165. description: |-
  19166. Version is the OpenBao KV secret engine version. This can be either "v1" or
  19167. "v2". Version defaults to "v2".
  19168. enum:
  19169. - v1
  19170. - v2
  19171. type: string
  19172. required:
  19173. - server
  19174. type: object
  19175. x-kubernetes-validations:
  19176. - message: at most one of the fields in [caBundle caProvider] may be set
  19177. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  19178. oracle:
  19179. description: Oracle configures this store to sync secrets using Oracle Vault provider
  19180. properties:
  19181. auth:
  19182. description: |-
  19183. Auth configures how secret-manager authenticates with the Oracle Vault.
  19184. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  19185. properties:
  19186. secretRef:
  19187. description: SecretRef to pass through sensitive information.
  19188. properties:
  19189. fingerprint:
  19190. description: Fingerprint is the fingerprint of the API private key.
  19191. properties:
  19192. key:
  19193. description: |-
  19194. A key in the referenced Secret.
  19195. Some instances of this field may be defaulted, in others it may be required.
  19196. maxLength: 253
  19197. minLength: 1
  19198. pattern: ^[-._a-zA-Z0-9]+$
  19199. type: string
  19200. name:
  19201. description: The name of the Secret resource being referred to.
  19202. maxLength: 253
  19203. minLength: 1
  19204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19205. type: string
  19206. namespace:
  19207. description: |-
  19208. The namespace of the Secret resource being referred to.
  19209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19210. maxLength: 63
  19211. minLength: 1
  19212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19213. type: string
  19214. type: object
  19215. privatekey:
  19216. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  19217. properties:
  19218. key:
  19219. description: |-
  19220. A key in the referenced Secret.
  19221. Some instances of this field may be defaulted, in others it may be required.
  19222. maxLength: 253
  19223. minLength: 1
  19224. pattern: ^[-._a-zA-Z0-9]+$
  19225. type: string
  19226. name:
  19227. description: The name of the Secret resource being referred to.
  19228. maxLength: 253
  19229. minLength: 1
  19230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19231. type: string
  19232. namespace:
  19233. description: |-
  19234. The namespace of the Secret resource being referred to.
  19235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19236. maxLength: 63
  19237. minLength: 1
  19238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19239. type: string
  19240. type: object
  19241. required:
  19242. - fingerprint
  19243. - privatekey
  19244. type: object
  19245. tenancy:
  19246. description: Tenancy is the tenancy OCID where the user is located.
  19247. type: string
  19248. user:
  19249. description: User is an access OCID specific to the account.
  19250. type: string
  19251. required:
  19252. - secretRef
  19253. - tenancy
  19254. - user
  19255. type: object
  19256. compartment:
  19257. description: |-
  19258. Compartment is the vault compartment OCID.
  19259. Required for PushSecret
  19260. type: string
  19261. encryptionKey:
  19262. description: |-
  19263. EncryptionKey is the OCID of the encryption key within the vault.
  19264. Required for PushSecret
  19265. type: string
  19266. principalType:
  19267. description: |-
  19268. The type of principal to use for authentication. If left blank, the Auth struct will
  19269. determine the principal type. This optional field must be specified if using
  19270. workload identity.
  19271. enum:
  19272. - ""
  19273. - UserPrincipal
  19274. - InstancePrincipal
  19275. - Workload
  19276. type: string
  19277. region:
  19278. description: Region is the region where vault is located.
  19279. type: string
  19280. serviceAccountRef:
  19281. description: |-
  19282. ServiceAccountRef specifies the service account
  19283. that should be used when authenticating with WorkloadIdentity.
  19284. properties:
  19285. audiences:
  19286. description: |-
  19287. Audience specifies the `aud` claim for the service account token
  19288. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19289. then these audiences will be appended to the list
  19290. items:
  19291. type: string
  19292. type: array
  19293. name:
  19294. description: The name of the ServiceAccount resource being referred to.
  19295. maxLength: 253
  19296. minLength: 1
  19297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19298. type: string
  19299. namespace:
  19300. description: |-
  19301. Namespace of the resource being referred to.
  19302. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19303. maxLength: 63
  19304. minLength: 1
  19305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19306. type: string
  19307. required:
  19308. - name
  19309. type: object
  19310. vault:
  19311. description: Vault is the OCID of the specific vault where the secret is located.
  19312. type: string
  19313. required:
  19314. - region
  19315. - vault
  19316. type: object
  19317. ovh:
  19318. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  19319. properties:
  19320. auth:
  19321. description: Authentication method (mtls or token).
  19322. properties:
  19323. mtls:
  19324. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  19325. properties:
  19326. caBundle:
  19327. format: byte
  19328. type: string
  19329. caProvider:
  19330. description: |-
  19331. CAProvider provides a custom certificate authority for accessing the provider's store.
  19332. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  19333. properties:
  19334. key:
  19335. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19336. maxLength: 253
  19337. minLength: 1
  19338. pattern: ^[-._a-zA-Z0-9]+$
  19339. type: string
  19340. name:
  19341. description: The name of the object located at the provider type.
  19342. maxLength: 253
  19343. minLength: 1
  19344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19345. type: string
  19346. namespace:
  19347. description: |-
  19348. The namespace the Provider type is in.
  19349. Can only be defined when used in a ClusterSecretStore.
  19350. maxLength: 63
  19351. minLength: 1
  19352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19353. type: string
  19354. type:
  19355. description: The type of provider to use such as "Secret", or "ConfigMap".
  19356. enum:
  19357. - Secret
  19358. - ConfigMap
  19359. type: string
  19360. required:
  19361. - name
  19362. - type
  19363. type: object
  19364. certSecretRef:
  19365. description: |-
  19366. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19367. In some instances, `key` is a required field.
  19368. properties:
  19369. key:
  19370. description: |-
  19371. A key in the referenced Secret.
  19372. Some instances of this field may be defaulted, in others it may be required.
  19373. maxLength: 253
  19374. minLength: 1
  19375. pattern: ^[-._a-zA-Z0-9]+$
  19376. type: string
  19377. name:
  19378. description: The name of the Secret resource being referred to.
  19379. maxLength: 253
  19380. minLength: 1
  19381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19382. type: string
  19383. namespace:
  19384. description: |-
  19385. The namespace of the Secret resource being referred to.
  19386. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19387. maxLength: 63
  19388. minLength: 1
  19389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19390. type: string
  19391. type: object
  19392. keySecretRef:
  19393. description: |-
  19394. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19395. In some instances, `key` is a required field.
  19396. properties:
  19397. key:
  19398. description: |-
  19399. A key in the referenced Secret.
  19400. Some instances of this field may be defaulted, in others it may be required.
  19401. maxLength: 253
  19402. minLength: 1
  19403. pattern: ^[-._a-zA-Z0-9]+$
  19404. type: string
  19405. name:
  19406. description: The name of the Secret resource being referred to.
  19407. maxLength: 253
  19408. minLength: 1
  19409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19410. type: string
  19411. namespace:
  19412. description: |-
  19413. The namespace of the Secret resource being referred to.
  19414. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19415. maxLength: 63
  19416. minLength: 1
  19417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19418. type: string
  19419. type: object
  19420. required:
  19421. - certSecretRef
  19422. - keySecretRef
  19423. type: object
  19424. token:
  19425. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  19426. properties:
  19427. tokenSecretRef:
  19428. description: |-
  19429. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19430. In some instances, `key` is a required field.
  19431. properties:
  19432. key:
  19433. description: |-
  19434. A key in the referenced Secret.
  19435. Some instances of this field may be defaulted, in others it may be required.
  19436. maxLength: 253
  19437. minLength: 1
  19438. pattern: ^[-._a-zA-Z0-9]+$
  19439. type: string
  19440. name:
  19441. description: The name of the Secret resource being referred to.
  19442. maxLength: 253
  19443. minLength: 1
  19444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19445. type: string
  19446. namespace:
  19447. description: |-
  19448. The namespace of the Secret resource being referred to.
  19449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19450. maxLength: 63
  19451. minLength: 1
  19452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19453. type: string
  19454. type: object
  19455. required:
  19456. - tokenSecretRef
  19457. type: object
  19458. type: object
  19459. casRequired:
  19460. description: 'Enables or disables check-and-set (CAS) (default: false).'
  19461. type: boolean
  19462. okmsTimeout:
  19463. default: 30
  19464. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  19465. format: int32
  19466. minimum: 1
  19467. type: integer
  19468. okmsid:
  19469. description: Specifies the OKMS ID.
  19470. type: string
  19471. server:
  19472. description: Specifies the OKMS server endpoint.
  19473. type: string
  19474. required:
  19475. - auth
  19476. - okmsid
  19477. - server
  19478. type: object
  19479. passbolt:
  19480. description: |-
  19481. PassboltProvider provides access to Passbolt secrets manager.
  19482. See: https://www.passbolt.com.
  19483. properties:
  19484. auth:
  19485. description: Auth defines the information necessary to authenticate against Passbolt Server
  19486. properties:
  19487. passwordSecretRef:
  19488. description: |-
  19489. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19490. In some instances, `key` is a required field.
  19491. properties:
  19492. key:
  19493. description: |-
  19494. A key in the referenced Secret.
  19495. Some instances of this field may be defaulted, in others it may be required.
  19496. maxLength: 253
  19497. minLength: 1
  19498. pattern: ^[-._a-zA-Z0-9]+$
  19499. type: string
  19500. name:
  19501. description: The name of the Secret resource being referred to.
  19502. maxLength: 253
  19503. minLength: 1
  19504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19505. type: string
  19506. namespace:
  19507. description: |-
  19508. The namespace of the Secret resource being referred to.
  19509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19510. maxLength: 63
  19511. minLength: 1
  19512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19513. type: string
  19514. type: object
  19515. privateKeySecretRef:
  19516. description: |-
  19517. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19518. In some instances, `key` is a required field.
  19519. properties:
  19520. key:
  19521. description: |-
  19522. A key in the referenced Secret.
  19523. Some instances of this field may be defaulted, in others it may be required.
  19524. maxLength: 253
  19525. minLength: 1
  19526. pattern: ^[-._a-zA-Z0-9]+$
  19527. type: string
  19528. name:
  19529. description: The name of the Secret resource being referred to.
  19530. maxLength: 253
  19531. minLength: 1
  19532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19533. type: string
  19534. namespace:
  19535. description: |-
  19536. The namespace of the Secret resource being referred to.
  19537. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19538. maxLength: 63
  19539. minLength: 1
  19540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19541. type: string
  19542. type: object
  19543. required:
  19544. - passwordSecretRef
  19545. - privateKeySecretRef
  19546. type: object
  19547. caBundle:
  19548. description: |-
  19549. PEM encoded CA bundle (supplied base64-encoded) used to validate the Passbolt server certificate. Only used
  19550. if the Host URL uses the HTTPS protocol. If not set the system root certificates
  19551. are used to validate the TLS connection.
  19552. format: byte
  19553. type: string
  19554. caProvider:
  19555. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19556. properties:
  19557. key:
  19558. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19559. maxLength: 253
  19560. minLength: 1
  19561. pattern: ^[-._a-zA-Z0-9]+$
  19562. type: string
  19563. name:
  19564. description: The name of the object located at the provider type.
  19565. maxLength: 253
  19566. minLength: 1
  19567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19568. type: string
  19569. namespace:
  19570. description: |-
  19571. The namespace the Provider type is in.
  19572. Can only be defined when used in a ClusterSecretStore.
  19573. maxLength: 63
  19574. minLength: 1
  19575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19576. type: string
  19577. type:
  19578. description: The type of provider to use such as "Secret", or "ConfigMap".
  19579. enum:
  19580. - Secret
  19581. - ConfigMap
  19582. type: string
  19583. required:
  19584. - name
  19585. - type
  19586. type: object
  19587. host:
  19588. description: Host defines the Passbolt Server to connect to
  19589. type: string
  19590. required:
  19591. - auth
  19592. - host
  19593. type: object
  19594. passworddepot:
  19595. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19596. properties:
  19597. auth:
  19598. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19599. properties:
  19600. secretRef:
  19601. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19602. properties:
  19603. credentials:
  19604. description: Username / password pair used for authentication.
  19605. properties:
  19606. key:
  19607. description: |-
  19608. A key in the referenced Secret.
  19609. Some instances of this field may be defaulted, in others it may be required.
  19610. maxLength: 253
  19611. minLength: 1
  19612. pattern: ^[-._a-zA-Z0-9]+$
  19613. type: string
  19614. name:
  19615. description: The name of the Secret resource being referred to.
  19616. maxLength: 253
  19617. minLength: 1
  19618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19619. type: string
  19620. namespace:
  19621. description: |-
  19622. The namespace of the Secret resource being referred to.
  19623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19624. maxLength: 63
  19625. minLength: 1
  19626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19627. type: string
  19628. type: object
  19629. type: object
  19630. required:
  19631. - secretRef
  19632. type: object
  19633. database:
  19634. description: Database to use as source
  19635. type: string
  19636. host:
  19637. description: URL configures the Password Depot instance URL.
  19638. type: string
  19639. required:
  19640. - auth
  19641. - database
  19642. - host
  19643. type: object
  19644. previder:
  19645. description: Previder configures this store to sync secrets using the Previder provider
  19646. properties:
  19647. auth:
  19648. description: PreviderAuth contains a secretRef for credentials.
  19649. properties:
  19650. secretRef:
  19651. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19652. properties:
  19653. accessToken:
  19654. description: The AccessToken is used for authentication
  19655. properties:
  19656. key:
  19657. description: |-
  19658. A key in the referenced Secret.
  19659. Some instances of this field may be defaulted, in others it may be required.
  19660. maxLength: 253
  19661. minLength: 1
  19662. pattern: ^[-._a-zA-Z0-9]+$
  19663. type: string
  19664. name:
  19665. description: The name of the Secret resource being referred to.
  19666. maxLength: 253
  19667. minLength: 1
  19668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19669. type: string
  19670. namespace:
  19671. description: |-
  19672. The namespace of the Secret resource being referred to.
  19673. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19674. maxLength: 63
  19675. minLength: 1
  19676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19677. type: string
  19678. type: object
  19679. required:
  19680. - accessToken
  19681. type: object
  19682. type: object
  19683. baseUri:
  19684. type: string
  19685. required:
  19686. - auth
  19687. type: object
  19688. pulumi:
  19689. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19690. properties:
  19691. accessToken:
  19692. description: |-
  19693. AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  19694. Deprecated: Use auth.accessToken instead.
  19695. properties:
  19696. secretRef:
  19697. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19698. properties:
  19699. key:
  19700. description: |-
  19701. A key in the referenced Secret.
  19702. Some instances of this field may be defaulted, in others it may be required.
  19703. maxLength: 253
  19704. minLength: 1
  19705. pattern: ^[-._a-zA-Z0-9]+$
  19706. type: string
  19707. name:
  19708. description: The name of the Secret resource being referred to.
  19709. maxLength: 253
  19710. minLength: 1
  19711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19712. type: string
  19713. namespace:
  19714. description: |-
  19715. The namespace of the Secret resource being referred to.
  19716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19717. maxLength: 63
  19718. minLength: 1
  19719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19720. type: string
  19721. type: object
  19722. type: object
  19723. apiUrl:
  19724. default: https://api.pulumi.com/api/esc
  19725. description: APIURL is the URL of the Pulumi API.
  19726. type: string
  19727. auth:
  19728. description: |-
  19729. Auth configures how the Operator authenticates with the Pulumi API.
  19730. Either auth or the deprecated accessToken field must be specified.
  19731. properties:
  19732. accessToken:
  19733. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19734. properties:
  19735. secretRef:
  19736. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19737. properties:
  19738. key:
  19739. description: |-
  19740. A key in the referenced Secret.
  19741. Some instances of this field may be defaulted, in others it may be required.
  19742. maxLength: 253
  19743. minLength: 1
  19744. pattern: ^[-._a-zA-Z0-9]+$
  19745. type: string
  19746. name:
  19747. description: The name of the Secret resource being referred to.
  19748. maxLength: 253
  19749. minLength: 1
  19750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19751. type: string
  19752. namespace:
  19753. description: |-
  19754. The namespace of the Secret resource being referred to.
  19755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19756. maxLength: 63
  19757. minLength: 1
  19758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19759. type: string
  19760. type: object
  19761. type: object
  19762. oidcConfig:
  19763. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19764. properties:
  19765. expirationSeconds:
  19766. default: 600
  19767. description: |-
  19768. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19769. Defaults to 10 minutes.
  19770. format: int64
  19771. minimum: 600
  19772. type: integer
  19773. organization:
  19774. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19775. type: string
  19776. serviceAccountRef:
  19777. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19778. properties:
  19779. audiences:
  19780. description: |-
  19781. Audience specifies the `aud` claim for the service account token
  19782. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19783. then these audiences will be appended to the list
  19784. items:
  19785. type: string
  19786. type: array
  19787. name:
  19788. description: The name of the ServiceAccount resource being referred to.
  19789. maxLength: 253
  19790. minLength: 1
  19791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19792. type: string
  19793. namespace:
  19794. description: |-
  19795. Namespace of the resource being referred to.
  19796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19797. maxLength: 63
  19798. minLength: 1
  19799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19800. type: string
  19801. required:
  19802. - name
  19803. type: object
  19804. required:
  19805. - organization
  19806. - serviceAccountRef
  19807. type: object
  19808. type: object
  19809. x-kubernetes-validations:
  19810. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19811. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19812. environment:
  19813. description: |-
  19814. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  19815. dynamically retrieved values from supported providers including all major clouds,
  19816. and other Pulumi ESC environments.
  19817. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19818. type: string
  19819. organization:
  19820. description: |-
  19821. Organization is a space to collaborate on shared projects and stacks.
  19822. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19823. type: string
  19824. project:
  19825. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19826. type: string
  19827. required:
  19828. - environment
  19829. - organization
  19830. - project
  19831. type: object
  19832. x-kubernetes-validations:
  19833. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19834. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19835. scaleway:
  19836. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19837. properties:
  19838. accessKey:
  19839. description: AccessKey is the non-secret part of the api key.
  19840. properties:
  19841. secretRef:
  19842. description: SecretRef references a key in a secret that will be used as value.
  19843. properties:
  19844. key:
  19845. description: |-
  19846. A key in the referenced Secret.
  19847. Some instances of this field may be defaulted, in others it may be required.
  19848. maxLength: 253
  19849. minLength: 1
  19850. pattern: ^[-._a-zA-Z0-9]+$
  19851. type: string
  19852. name:
  19853. description: The name of the Secret resource being referred to.
  19854. maxLength: 253
  19855. minLength: 1
  19856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19857. type: string
  19858. namespace:
  19859. description: |-
  19860. The namespace of the Secret resource being referred to.
  19861. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19862. maxLength: 63
  19863. minLength: 1
  19864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19865. type: string
  19866. type: object
  19867. value:
  19868. description: Value can be specified directly to set a value without using a secret.
  19869. type: string
  19870. type: object
  19871. apiUrl:
  19872. description: APIURL is the URL of the API to use. Defaults to https://api.scaleway.com
  19873. type: string
  19874. projectId:
  19875. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19876. type: string
  19877. region:
  19878. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19879. type: string
  19880. secretKey:
  19881. description: SecretKey is the non-secret part of the api key.
  19882. properties:
  19883. secretRef:
  19884. description: SecretRef references a key in a secret that will be used as value.
  19885. properties:
  19886. key:
  19887. description: |-
  19888. A key in the referenced Secret.
  19889. Some instances of this field may be defaulted, in others it may be required.
  19890. maxLength: 253
  19891. minLength: 1
  19892. pattern: ^[-._a-zA-Z0-9]+$
  19893. type: string
  19894. name:
  19895. description: The name of the Secret resource being referred to.
  19896. maxLength: 253
  19897. minLength: 1
  19898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19899. type: string
  19900. namespace:
  19901. description: |-
  19902. The namespace of the Secret resource being referred to.
  19903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19904. maxLength: 63
  19905. minLength: 1
  19906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19907. type: string
  19908. type: object
  19909. value:
  19910. description: Value can be specified directly to set a value without using a secret.
  19911. type: string
  19912. type: object
  19913. required:
  19914. - accessKey
  19915. - projectId
  19916. - region
  19917. - secretKey
  19918. type: object
  19919. secretserver:
  19920. description: |-
  19921. SecretServer configures this store to sync secrets using SecretServer provider
  19922. https://docs.delinea.com/online-help/secret-server/start.htm
  19923. properties:
  19924. caBundle:
  19925. description: |-
  19926. PEM/base64 encoded CA bundle used to validate the Secret Server certificate at ServerURL. Only used
  19927. if the ServerURL uses the HTTPS protocol. If not set the system root certificates
  19928. are used to validate the TLS connection.
  19929. format: byte
  19930. type: string
  19931. caProvider:
  19932. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19933. properties:
  19934. key:
  19935. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19936. maxLength: 253
  19937. minLength: 1
  19938. pattern: ^[-._a-zA-Z0-9]+$
  19939. type: string
  19940. name:
  19941. description: The name of the object located at the provider type.
  19942. maxLength: 253
  19943. minLength: 1
  19944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19945. type: string
  19946. namespace:
  19947. description: |-
  19948. The namespace the Provider type is in.
  19949. Can only be defined when used in a ClusterSecretStore.
  19950. maxLength: 63
  19951. minLength: 1
  19952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19953. type: string
  19954. type:
  19955. description: The type of provider to use such as "Secret", or "ConfigMap".
  19956. enum:
  19957. - Secret
  19958. - ConfigMap
  19959. type: string
  19960. required:
  19961. - name
  19962. - type
  19963. type: object
  19964. domain:
  19965. description: Domain is the secret server domain.
  19966. type: string
  19967. password:
  19968. description: Password is the secret server account password.
  19969. properties:
  19970. secretRef:
  19971. description: SecretRef references a key in a secret that will be used as value.
  19972. properties:
  19973. key:
  19974. description: |-
  19975. A key in the referenced Secret.
  19976. Some instances of this field may be defaulted, in others it may be required.
  19977. maxLength: 253
  19978. minLength: 1
  19979. pattern: ^[-._a-zA-Z0-9]+$
  19980. type: string
  19981. name:
  19982. description: The name of the Secret resource being referred to.
  19983. maxLength: 253
  19984. minLength: 1
  19985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19986. type: string
  19987. namespace:
  19988. description: |-
  19989. The namespace of the Secret resource being referred to.
  19990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19991. maxLength: 63
  19992. minLength: 1
  19993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19994. type: string
  19995. type: object
  19996. value:
  19997. description: Value can be specified directly to set a value without using a secret.
  19998. type: string
  19999. type: object
  20000. serverURL:
  20001. description: |-
  20002. ServerURL
  20003. The URL of your Secret Server installation
  20004. type: string
  20005. username:
  20006. description: Username is the secret server account username.
  20007. properties:
  20008. secretRef:
  20009. description: SecretRef references a key in a secret that will be used as value.
  20010. properties:
  20011. key:
  20012. description: |-
  20013. A key in the referenced Secret.
  20014. Some instances of this field may be defaulted, in others it may be required.
  20015. maxLength: 253
  20016. minLength: 1
  20017. pattern: ^[-._a-zA-Z0-9]+$
  20018. type: string
  20019. name:
  20020. description: The name of the Secret resource being referred to.
  20021. maxLength: 253
  20022. minLength: 1
  20023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20024. type: string
  20025. namespace:
  20026. description: |-
  20027. The namespace of the Secret resource being referred to.
  20028. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20029. maxLength: 63
  20030. minLength: 1
  20031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20032. type: string
  20033. type: object
  20034. value:
  20035. description: Value can be specified directly to set a value without using a secret.
  20036. type: string
  20037. type: object
  20038. required:
  20039. - password
  20040. - serverURL
  20041. - username
  20042. type: object
  20043. senhasegura:
  20044. description: Senhasegura configures this store to sync secrets using senhasegura provider
  20045. properties:
  20046. auth:
  20047. description: Auth defines parameters to authenticate in senhasegura
  20048. properties:
  20049. clientId:
  20050. type: string
  20051. clientSecretSecretRef:
  20052. description: |-
  20053. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20054. In some instances, `key` is a required field.
  20055. properties:
  20056. key:
  20057. description: |-
  20058. A key in the referenced Secret.
  20059. Some instances of this field may be defaulted, in others it may be required.
  20060. maxLength: 253
  20061. minLength: 1
  20062. pattern: ^[-._a-zA-Z0-9]+$
  20063. type: string
  20064. name:
  20065. description: The name of the Secret resource being referred to.
  20066. maxLength: 253
  20067. minLength: 1
  20068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20069. type: string
  20070. namespace:
  20071. description: |-
  20072. The namespace of the Secret resource being referred to.
  20073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20074. maxLength: 63
  20075. minLength: 1
  20076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20077. type: string
  20078. type: object
  20079. required:
  20080. - clientId
  20081. - clientSecretSecretRef
  20082. type: object
  20083. ignoreSslCertificate:
  20084. default: false
  20085. description: IgnoreSslCertificate defines whether the senhasegura server's SSL certificate is ignored (certificate validation is skipped)
  20086. type: boolean
  20087. module:
  20088. description: Module defines which senhasegura module should be used to get secrets
  20089. type: string
  20090. url:
  20091. description: URL of senhasegura
  20092. type: string
  20093. required:
  20094. - auth
  20095. - module
  20096. - url
  20097. type: object
  20098. vault:
  20099. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  20100. properties:
  20101. auth:
  20102. description: Auth configures how secret-manager authenticates with the Vault server.
  20103. properties:
  20104. appRole:
  20105. description: |-
  20106. AppRole authenticates with Vault using the App Role auth mechanism,
  20107. with the role and secret stored in a Kubernetes Secret resource.
  20108. properties:
  20109. path:
  20110. default: approle
  20111. description: |-
  20112. Path where the App Role authentication backend is mounted
  20113. in Vault, e.g: "approle"
  20114. type: string
  20115. roleId:
  20116. description: |-
  20117. RoleID configured in the App Role authentication backend when setting
  20118. up the authentication backend in Vault.
  20119. type: string
  20120. roleRef:
  20121. description: |-
  20122. Reference to a key in a Secret that contains the App Role ID used
  20123. to authenticate with Vault.
  20124. The `key` field must be specified and denotes which entry within the Secret
  20125. resource is used as the app role id.
  20126. properties:
  20127. key:
  20128. description: |-
  20129. A key in the referenced Secret.
  20130. Some instances of this field may be defaulted, in others it may be required.
  20131. maxLength: 253
  20132. minLength: 1
  20133. pattern: ^[-._a-zA-Z0-9]+$
  20134. type: string
  20135. name:
  20136. description: The name of the Secret resource being referred to.
  20137. maxLength: 253
  20138. minLength: 1
  20139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20140. type: string
  20141. namespace:
  20142. description: |-
  20143. The namespace of the Secret resource being referred to.
  20144. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20145. maxLength: 63
  20146. minLength: 1
  20147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20148. type: string
  20149. type: object
  20150. secretRef:
  20151. description: |-
  20152. Reference to a key in a Secret that contains the App Role secret used
  20153. to authenticate with Vault.
  20154. The `key` field must be specified and denotes which entry within the Secret
  20155. resource is used as the app role secret.
  20156. properties:
  20157. key:
  20158. description: |-
  20159. A key in the referenced Secret.
  20160. Some instances of this field may be defaulted, in others it may be required.
  20161. maxLength: 253
  20162. minLength: 1
  20163. pattern: ^[-._a-zA-Z0-9]+$
  20164. type: string
  20165. name:
  20166. description: The name of the Secret resource being referred to.
  20167. maxLength: 253
  20168. minLength: 1
  20169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20170. type: string
  20171. namespace:
  20172. description: |-
  20173. The namespace of the Secret resource being referred to.
  20174. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20175. maxLength: 63
  20176. minLength: 1
  20177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20178. type: string
  20179. type: object
  20180. required:
  20181. - path
  20182. - secretRef
  20183. type: object
  20184. cert:
  20185. description: |-
  20186. Cert authenticates with Vault using TLS certificates, by passing a client certificate, private key and CA certificate to the
  20187. Cert authentication method
  20188. properties:
  20189. clientCert:
  20190. description: |-
  20191. ClientCert is a certificate to authenticate using the Cert Vault
  20192. authentication method
  20193. properties:
  20194. key:
  20195. description: |-
  20196. A key in the referenced Secret.
  20197. Some instances of this field may be defaulted, in others it may be required.
  20198. maxLength: 253
  20199. minLength: 1
  20200. pattern: ^[-._a-zA-Z0-9]+$
  20201. type: string
  20202. name:
  20203. description: The name of the Secret resource being referred to.
  20204. maxLength: 253
  20205. minLength: 1
  20206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20207. type: string
  20208. namespace:
  20209. description: |-
  20210. The namespace of the Secret resource being referred to.
  20211. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20212. maxLength: 63
  20213. minLength: 1
  20214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20215. type: string
  20216. type: object
  20217. path:
  20218. default: cert
  20219. description: |-
  20220. Path where the Certificate authentication backend is mounted
  20221. in Vault, e.g: "cert"
  20222. type: string
  20223. secretRef:
  20224. description: |-
  20225. SecretRef to a key in a Secret resource containing client private key to
  20226. authenticate with Vault using the Cert authentication method
  20227. properties:
  20228. key:
  20229. description: |-
  20230. A key in the referenced Secret.
  20231. Some instances of this field may be defaulted, in others it may be required.
  20232. maxLength: 253
  20233. minLength: 1
  20234. pattern: ^[-._a-zA-Z0-9]+$
  20235. type: string
  20236. name:
  20237. description: The name of the Secret resource being referred to.
  20238. maxLength: 253
  20239. minLength: 1
  20240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20241. type: string
  20242. namespace:
  20243. description: |-
  20244. The namespace of the Secret resource being referred to.
  20245. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20246. maxLength: 63
  20247. minLength: 1
  20248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20249. type: string
  20250. type: object
  20251. vaultRole:
  20252. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  20253. type: string
  20254. type: object
  20255. gcp:
  20256. description: |-
  20257. Gcp authenticates with Vault using Google Cloud Platform authentication method
  20258. GCP authentication method
  20259. properties:
  20260. location:
  20261. description: Location optionally defines a location/region for the secret
  20262. type: string
  20263. path:
  20264. default: gcp
  20265. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  20266. type: string
  20267. projectID:
  20268. description: Project ID of the Google Cloud Platform project
  20269. type: string
  20270. role:
  20271. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20272. type: string
  20273. secretRef:
  20274. description: Specify credentials in a Secret object
  20275. properties:
  20276. secretAccessKeySecretRef:
  20277. description: The SecretAccessKey is used for authentication
  20278. properties:
  20279. key:
  20280. description: |-
  20281. A key in the referenced Secret.
  20282. Some instances of this field may be defaulted, in others it may be required.
  20283. maxLength: 253
  20284. minLength: 1
  20285. pattern: ^[-._a-zA-Z0-9]+$
  20286. type: string
  20287. name:
  20288. description: The name of the Secret resource being referred to.
  20289. maxLength: 253
  20290. minLength: 1
  20291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20292. type: string
  20293. namespace:
  20294. description: |-
  20295. The namespace of the Secret resource being referred to.
  20296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20297. maxLength: 63
  20298. minLength: 1
  20299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20300. type: string
  20301. type: object
  20302. type: object
  20303. serviceAccountRef:
  20304. description: ServiceAccountRef to a service account for impersonation
  20305. properties:
  20306. audiences:
  20307. description: |-
  20308. Audience specifies the `aud` claim for the service account token
  20309. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20310. then these audiences will be appended to the list
  20311. items:
  20312. type: string
  20313. type: array
  20314. name:
  20315. description: The name of the ServiceAccount resource being referred to.
  20316. maxLength: 253
  20317. minLength: 1
  20318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20319. type: string
  20320. namespace:
  20321. description: |-
  20322. Namespace of the resource being referred to.
  20323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20324. maxLength: 63
  20325. minLength: 1
  20326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20327. type: string
  20328. required:
  20329. - name
  20330. type: object
  20331. workloadIdentity:
  20332. description: Specify a service account with Workload Identity
  20333. properties:
  20334. clusterLocation:
  20335. description: |-
  20336. ClusterLocation is the location of the cluster
  20337. If not specified, it fetches information from the metadata server
  20338. type: string
  20339. clusterName:
  20340. description: |-
  20341. ClusterName is the name of the cluster
  20342. If not specified, it fetches information from the metadata server
  20343. type: string
  20344. clusterProjectID:
  20345. description: |-
  20346. ClusterProjectID is the project ID of the cluster
  20347. If not specified, it fetches information from the metadata server
  20348. type: string
  20349. serviceAccountRef:
  20350. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20351. properties:
  20352. audiences:
  20353. description: |-
  20354. Audience specifies the `aud` claim for the service account token
  20355. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20356. then these audiences will be appended to the list
  20357. items:
  20358. type: string
  20359. type: array
  20360. name:
  20361. description: The name of the ServiceAccount resource being referred to.
  20362. maxLength: 253
  20363. minLength: 1
  20364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20365. type: string
  20366. namespace:
  20367. description: |-
  20368. Namespace of the resource being referred to.
  20369. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20370. maxLength: 63
  20371. minLength: 1
  20372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20373. type: string
  20374. required:
  20375. - name
  20376. type: object
  20377. required:
  20378. - serviceAccountRef
  20379. type: object
  20380. required:
  20381. - role
  20382. type: object
  20383. iam:
  20384. description: |-
  20385. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  20386. AWS IAM authentication method
  20387. properties:
  20388. externalID:
  20389. description: AWS External ID set on assumed IAM roles
  20390. type: string
  20391. jwt:
  20392. description: Specify a service account with IRSA enabled
  20393. properties:
  20394. serviceAccountRef:
  20395. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20396. properties:
  20397. audiences:
  20398. description: |-
  20399. Audience specifies the `aud` claim for the service account token
  20400. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20401. then these audiences will be appended to the list
  20402. items:
  20403. type: string
  20404. type: array
  20405. name:
  20406. description: The name of the ServiceAccount resource being referred to.
  20407. maxLength: 253
  20408. minLength: 1
  20409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20410. type: string
  20411. namespace:
  20412. description: |-
  20413. Namespace of the resource being referred to.
  20414. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20415. maxLength: 63
  20416. minLength: 1
  20417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20418. type: string
  20419. required:
  20420. - name
  20421. type: object
  20422. type: object
  20423. path:
  20424. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  20425. type: string
  20426. region:
  20427. description: AWS region
  20428. type: string
  20429. role:
  20430. description: This is the AWS role to be assumed before talking to vault
  20431. type: string
  20432. secretRef:
  20433. description: Specify credentials in a Secret object
  20434. properties:
  20435. accessKeyIDSecretRef:
  20436. description: The AccessKeyID is used for authentication
  20437. properties:
  20438. key:
  20439. description: |-
  20440. A key in the referenced Secret.
  20441. Some instances of this field may be defaulted, in others it may be required.
  20442. maxLength: 253
  20443. minLength: 1
  20444. pattern: ^[-._a-zA-Z0-9]+$
  20445. type: string
  20446. name:
  20447. description: The name of the Secret resource being referred to.
  20448. maxLength: 253
  20449. minLength: 1
  20450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20451. type: string
  20452. namespace:
  20453. description: |-
  20454. The namespace of the Secret resource being referred to.
  20455. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20456. maxLength: 63
  20457. minLength: 1
  20458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20459. type: string
  20460. type: object
  20461. secretAccessKeySecretRef:
  20462. description: The SecretAccessKey is used for authentication
  20463. properties:
  20464. key:
  20465. description: |-
  20466. A key in the referenced Secret.
  20467. Some instances of this field may be defaulted, in others it may be required.
  20468. maxLength: 253
  20469. minLength: 1
  20470. pattern: ^[-._a-zA-Z0-9]+$
  20471. type: string
  20472. name:
  20473. description: The name of the Secret resource being referred to.
  20474. maxLength: 253
  20475. minLength: 1
  20476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20477. type: string
  20478. namespace:
  20479. description: |-
  20480. The namespace of the Secret resource being referred to.
  20481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20482. maxLength: 63
  20483. minLength: 1
  20484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20485. type: string
  20486. type: object
  20487. sessionTokenSecretRef:
  20488. description: |-
  20489. The SessionToken used for authentication
  20490. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20491. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20492. properties:
  20493. key:
  20494. description: |-
  20495. A key in the referenced Secret.
  20496. Some instances of this field may be defaulted, in others it may be required.
  20497. maxLength: 253
  20498. minLength: 1
  20499. pattern: ^[-._a-zA-Z0-9]+$
  20500. type: string
  20501. name:
  20502. description: The name of the Secret resource being referred to.
  20503. maxLength: 253
  20504. minLength: 1
  20505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20506. type: string
  20507. namespace:
  20508. description: |-
  20509. The namespace of the Secret resource being referred to.
  20510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20511. maxLength: 63
  20512. minLength: 1
  20513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20514. type: string
  20515. type: object
  20516. type: object
  20517. vaultAwsIamServerID:
  20518. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  20519. type: string
  20520. vaultRole:
  20521. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20522. type: string
  20523. required:
  20524. - vaultRole
  20525. type: object
  20526. jwt:
  20527. description: |-
  20528. Jwt authenticates with Vault by passing role and JWT token using the
  20529. JWT/OIDC authentication method
  20530. properties:
  20531. kubernetesServiceAccountToken:
  20532. description: |-
  20533. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20534. a token with the `TokenRequest` API.
  20535. properties:
  20536. audiences:
  20537. description: |-
  20538. Optional audiences field that will be used to request a temporary Kubernetes service
  20539. account token for the service account referenced by `serviceAccountRef`.
  20540. Defaults to a single audience `vault` if not specified.
  20541. Deprecated: use serviceAccountRef.Audiences instead
  20542. items:
  20543. type: string
  20544. type: array
  20545. expirationSeconds:
  20546. description: |-
  20547. Optional expiration time in seconds that will be used to request a temporary
  20548. Kubernetes service account token for the service account referenced by
  20549. `serviceAccountRef`.
  20550. Deprecated: this will be removed in the future.
  20551. Defaults to 10 minutes.
  20552. format: int64
  20553. type: integer
  20554. serviceAccountRef:
  20555. description: Service account field containing the name of a kubernetes ServiceAccount.
  20556. properties:
  20557. audiences:
  20558. description: |-
  20559. Audience specifies the `aud` claim for the service account token
  20560. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20561. then these audiences will be appended to the list
  20562. items:
  20563. type: string
  20564. type: array
  20565. name:
  20566. description: The name of the ServiceAccount resource being referred to.
  20567. maxLength: 253
  20568. minLength: 1
  20569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20570. type: string
  20571. namespace:
  20572. description: |-
  20573. Namespace of the resource being referred to.
  20574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20575. maxLength: 63
  20576. minLength: 1
  20577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20578. type: string
  20579. required:
  20580. - name
  20581. type: object
  20582. required:
  20583. - serviceAccountRef
  20584. type: object
  20585. path:
  20586. default: jwt
  20587. description: |-
  20588. Path where the JWT authentication backend is mounted
  20589. in Vault, e.g: "jwt"
  20590. type: string
  20591. role:
  20592. description: |-
  20593. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20594. authentication method
  20595. type: string
  20596. secretRef:
  20597. description: |-
  20598. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20599. authenticate with Vault using the JWT/OIDC authentication method.
  20600. properties:
  20601. key:
  20602. description: |-
  20603. A key in the referenced Secret.
  20604. Some instances of this field may be defaulted, in others it may be required.
  20605. maxLength: 253
  20606. minLength: 1
  20607. pattern: ^[-._a-zA-Z0-9]+$
  20608. type: string
  20609. name:
  20610. description: The name of the Secret resource being referred to.
  20611. maxLength: 253
  20612. minLength: 1
  20613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20614. type: string
  20615. namespace:
  20616. description: |-
  20617. The namespace of the Secret resource being referred to.
  20618. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20619. maxLength: 63
  20620. minLength: 1
  20621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20622. type: string
  20623. type: object
  20624. required:
  20625. - path
  20626. type: object
  20627. kubernetes:
  20628. description: |-
  20629. Kubernetes authenticates with Vault by passing the ServiceAccount
  20630. token stored in the named Secret resource to the Vault server.
  20631. properties:
  20632. mountPath:
  20633. default: kubernetes
  20634. description: |-
  20635. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20636. "kubernetes"
  20637. type: string
  20638. role:
  20639. description: |-
  20640. A required field containing the Vault Role to assume. A Role binds a
  20641. Kubernetes ServiceAccount with a set of Vault policies.
  20642. type: string
  20643. secretRef:
  20644. description: |-
  20645. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20646. for authenticating with Vault. If a name is specified without a key,
  20647. `token` is the default. If one is not specified, the one bound to
  20648. the controller will be used.
  20649. properties:
  20650. key:
  20651. description: |-
  20652. A key in the referenced Secret.
  20653. Some instances of this field may be defaulted, in others it may be required.
  20654. maxLength: 253
  20655. minLength: 1
  20656. pattern: ^[-._a-zA-Z0-9]+$
  20657. type: string
  20658. name:
  20659. description: The name of the Secret resource being referred to.
  20660. maxLength: 253
  20661. minLength: 1
  20662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20663. type: string
  20664. namespace:
  20665. description: |-
  20666. The namespace of the Secret resource being referred to.
  20667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20668. maxLength: 63
  20669. minLength: 1
  20670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20671. type: string
  20672. type: object
  20673. serviceAccountRef:
  20674. description: |-
  20675. Optional service account field containing the name of a kubernetes ServiceAccount.
  20676. If the service account is specified, the service account secret token JWT will be used
  20677. for authenticating with Vault. If the service account selector is not supplied,
  20678. the secretRef will be used instead.
  20679. properties:
  20680. audiences:
  20681. description: |-
  20682. Audience specifies the `aud` claim for the service account token
  20683. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20684. then these audiences will be appended to the list
  20685. items:
  20686. type: string
  20687. type: array
  20688. name:
  20689. description: The name of the ServiceAccount resource being referred to.
  20690. maxLength: 253
  20691. minLength: 1
  20692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20693. type: string
  20694. namespace:
  20695. description: |-
  20696. Namespace of the resource being referred to.
  20697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20698. maxLength: 63
  20699. minLength: 1
  20700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20701. type: string
  20702. required:
  20703. - name
  20704. type: object
  20705. required:
  20706. - mountPath
  20707. - role
  20708. type: object
  20709. ldap:
  20710. description: |-
  20711. Ldap authenticates with Vault by passing username/password pair using
  20712. the LDAP authentication method
  20713. properties:
  20714. path:
  20715. default: ldap
  20716. description: |-
  20717. Path where the LDAP authentication backend is mounted
  20718. in Vault, e.g: "ldap"
  20719. type: string
  20720. secretRef:
  20721. description: |-
  20722. SecretRef to a key in a Secret resource containing password for the LDAP
  20723. user used to authenticate with Vault using the LDAP authentication
  20724. method
  20725. properties:
  20726. key:
  20727. description: |-
  20728. A key in the referenced Secret.
  20729. Some instances of this field may be defaulted, in others it may be required.
  20730. maxLength: 253
  20731. minLength: 1
  20732. pattern: ^[-._a-zA-Z0-9]+$
  20733. type: string
  20734. name:
  20735. description: The name of the Secret resource being referred to.
  20736. maxLength: 253
  20737. minLength: 1
  20738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20739. type: string
  20740. namespace:
  20741. description: |-
  20742. The namespace of the Secret resource being referred to.
  20743. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20744. maxLength: 63
  20745. minLength: 1
  20746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20747. type: string
  20748. type: object
  20749. username:
  20750. description: |-
  20751. Username is an LDAP username used to authenticate using the LDAP Vault
  20752. authentication method
  20753. type: string
  20754. required:
  20755. - path
  20756. - username
  20757. type: object
  20758. namespace:
  20759. description: |-
  20760. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  20761. Namespaces are a set of features within Vault Enterprise that allow
  20762. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20763. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20764. This will default to Vault.Namespace field if set, or empty otherwise
  20765. type: string
  20766. tokenSecretRef:
  20767. description: TokenSecretRef authenticates with Vault by presenting a token.
  20768. properties:
  20769. key:
  20770. description: |-
  20771. A key in the referenced Secret.
  20772. Some instances of this field may be defaulted, in others it may be required.
  20773. maxLength: 253
  20774. minLength: 1
  20775. pattern: ^[-._a-zA-Z0-9]+$
  20776. type: string
  20777. name:
  20778. description: The name of the Secret resource being referred to.
  20779. maxLength: 253
  20780. minLength: 1
  20781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20782. type: string
  20783. namespace:
  20784. description: |-
  20785. The namespace of the Secret resource being referred to.
  20786. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20787. maxLength: 63
  20788. minLength: 1
  20789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20790. type: string
  20791. type: object
  20792. userPass:
  20793. description: UserPass authenticates with Vault by passing username/password pair
  20794. properties:
  20795. path:
  20796. default: userpass
  20797. description: |-
  20798. Path where the UserPassword authentication backend is mounted
  20799. in Vault, e.g: "userpass"
  20800. type: string
  20801. secretRef:
  20802. description: |-
  20803. SecretRef to a key in a Secret resource containing password for the
  20804. user used to authenticate with Vault using the UserPass authentication
  20805. method
  20806. properties:
  20807. key:
  20808. description: |-
  20809. A key in the referenced Secret.
  20810. Some instances of this field may be defaulted, in others it may be required.
  20811. maxLength: 253
  20812. minLength: 1
  20813. pattern: ^[-._a-zA-Z0-9]+$
  20814. type: string
  20815. name:
  20816. description: The name of the Secret resource being referred to.
  20817. maxLength: 253
  20818. minLength: 1
  20819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20820. type: string
  20821. namespace:
  20822. description: |-
  20823. The namespace of the Secret resource being referred to.
  20824. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20825. maxLength: 63
  20826. minLength: 1
  20827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20828. type: string
  20829. type: object
  20830. username:
  20831. description: |-
  20832. Username is a username used to authenticate using the UserPass Vault
  20833. authentication method
  20834. type: string
  20835. required:
  20836. - path
  20837. - username
  20838. type: object
  20839. type: object
  20840. caBundle:
  20841. description: |-
  20842. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20843. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20844. plain HTTP protocol connection. If not set the system root certificates
  20845. are used to validate the TLS connection.
  20846. format: byte
  20847. type: string
  20848. caProvider:
  20849. description: The provider for the CA bundle to use to validate Vault server certificate.
  20850. properties:
  20851. key:
  20852. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20853. maxLength: 253
  20854. minLength: 1
  20855. pattern: ^[-._a-zA-Z0-9]+$
  20856. type: string
  20857. name:
  20858. description: The name of the object located at the provider type.
  20859. maxLength: 253
  20860. minLength: 1
  20861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20862. type: string
  20863. namespace:
  20864. description: |-
  20865. The namespace the Provider type is in.
  20866. Can only be defined when used in a ClusterSecretStore.
  20867. maxLength: 63
  20868. minLength: 1
  20869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20870. type: string
  20871. type:
  20872. description: The type of provider to use such as "Secret", or "ConfigMap".
  20873. enum:
  20874. - Secret
  20875. - ConfigMap
  20876. type: string
  20877. required:
  20878. - name
  20879. - type
  20880. type: object
  20881. checkAndSet:
  20882. description: |-
  20883. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20884. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20885. the current version of the secret to prevent unintentional overwrites.
  20886. properties:
  20887. required:
  20888. description: |-
  20889. Required when true, all write operations must include a check-and-set parameter.
  20890. This helps prevent unintentional overwrites of secrets.
  20891. type: boolean
  20892. type: object
  20893. forwardInconsistent:
  20894. description: |-
  20895. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20896. leader instead of simply retrying within a loop. This can increase performance if
  20897. the option is enabled serverside.
  20898. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20899. type: boolean
  20900. headers:
  20901. additionalProperties:
  20902. type: string
  20903. description: Headers to be added in Vault request
  20904. type: object
  20905. namespace:
  20906. description: |-
  20907. Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  20908. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20909. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20910. type: string
  20911. path:
  20912. description: |-
  20913. Path is the mount path of the Vault KV backend endpoint, e.g:
  20914. "secret". The v2 KV secret engine version specific "/data" path suffix
  20915. for fetching secrets from Vault is optional and will be appended
  20916. if not present in specified path.
  20917. type: string
  20918. readYourWrites:
  20919. description: |-
  20920. ReadYourWrites ensures isolated read-after-write semantics by
  20921. providing discovered cluster replication states in each request.
  20922. More information about eventual consistency in Vault can be found here
  20923. https://www.vaultproject.io/docs/enterprise/consistency
  20924. type: boolean
  20925. server:
  20926. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20927. type: string
  20928. tls:
  20929. description: |-
  20930. The configuration used for client side related TLS communication, when the Vault server
  20931. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20932. This parameter is ignored for plain HTTP protocol connection.
  20933. It's worth noting this configuration is different from the "TLS certificates auth method",
  20934. which is available under the `auth.cert` section.
  20935. properties:
  20936. certSecretRef:
  20937. description: |-
  20938. CertSecretRef is a certificate added to the transport layer
  20939. when communicating with the Vault server.
  20940. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20941. properties:
  20942. key:
  20943. description: |-
  20944. A key in the referenced Secret.
  20945. Some instances of this field may be defaulted, in others it may be required.
  20946. maxLength: 253
  20947. minLength: 1
  20948. pattern: ^[-._a-zA-Z0-9]+$
  20949. type: string
  20950. name:
  20951. description: The name of the Secret resource being referred to.
  20952. maxLength: 253
  20953. minLength: 1
  20954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20955. type: string
  20956. namespace:
  20957. description: |-
  20958. The namespace of the Secret resource being referred to.
  20959. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20960. maxLength: 63
  20961. minLength: 1
  20962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20963. type: string
  20964. type: object
  20965. keySecretRef:
  20966. description: |-
  20967. KeySecretRef to a key in a Secret resource containing client private key
  20968. added to the transport layer when communicating with the Vault server.
  20969. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20970. properties:
  20971. key:
  20972. description: |-
  20973. A key in the referenced Secret.
  20974. Some instances of this field may be defaulted, in others it may be required.
  20975. maxLength: 253
  20976. minLength: 1
  20977. pattern: ^[-._a-zA-Z0-9]+$
  20978. type: string
  20979. name:
  20980. description: The name of the Secret resource being referred to.
  20981. maxLength: 253
  20982. minLength: 1
  20983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20984. type: string
  20985. namespace:
  20986. description: |-
  20987. The namespace of the Secret resource being referred to.
  20988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20989. maxLength: 63
  20990. minLength: 1
  20991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20992. type: string
  20993. type: object
  20994. type: object
  20995. version:
  20996. default: v2
  20997. description: |-
  20998. Version is the Vault KV secret engine version. This can be either "v1" or
  20999. "v2". Version defaults to "v2".
  21000. enum:
  21001. - v1
  21002. - v2
  21003. type: string
  21004. required:
  21005. - server
  21006. type: object
  21007. volcengine:
  21008. description: Volcengine configures this store to sync secrets using the Volcengine provider
  21009. properties:
  21010. auth:
  21011. description: |-
  21012. Auth defines the authentication method to use.
  21013. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  21014. properties:
  21015. secretRef:
  21016. description: |-
  21017. SecretRef defines the static credentials to use for authentication.
  21018. If not set, IRSA is used.
  21019. properties:
  21020. accessKeyID:
  21021. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  21022. properties:
  21023. key:
  21024. description: |-
  21025. A key in the referenced Secret.
  21026. Some instances of this field may be defaulted, in others it may be required.
  21027. maxLength: 253
  21028. minLength: 1
  21029. pattern: ^[-._a-zA-Z0-9]+$
  21030. type: string
  21031. name:
  21032. description: The name of the Secret resource being referred to.
  21033. maxLength: 253
  21034. minLength: 1
  21035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21036. type: string
  21037. namespace:
  21038. description: |-
  21039. The namespace of the Secret resource being referred to.
  21040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21041. maxLength: 63
  21042. minLength: 1
  21043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21044. type: string
  21045. type: object
  21046. secretAccessKey:
  21047. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  21048. properties:
  21049. key:
  21050. description: |-
  21051. A key in the referenced Secret.
  21052. Some instances of this field may be defaulted, in others it may be required.
  21053. maxLength: 253
  21054. minLength: 1
  21055. pattern: ^[-._a-zA-Z0-9]+$
  21056. type: string
  21057. name:
  21058. description: The name of the Secret resource being referred to.
  21059. maxLength: 253
  21060. minLength: 1
  21061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21062. type: string
  21063. namespace:
  21064. description: |-
  21065. The namespace of the Secret resource being referred to.
  21066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21067. maxLength: 63
  21068. minLength: 1
  21069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21070. type: string
  21071. type: object
  21072. token:
  21073. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  21074. properties:
  21075. key:
  21076. description: |-
  21077. A key in the referenced Secret.
  21078. Some instances of this field may be defaulted, in others it may be required.
  21079. maxLength: 253
  21080. minLength: 1
  21081. pattern: ^[-._a-zA-Z0-9]+$
  21082. type: string
  21083. name:
  21084. description: The name of the Secret resource being referred to.
  21085. maxLength: 253
  21086. minLength: 1
  21087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21088. type: string
  21089. namespace:
  21090. description: |-
  21091. The namespace of the Secret resource being referred to.
  21092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21093. maxLength: 63
  21094. minLength: 1
  21095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21096. type: string
  21097. type: object
  21098. required:
  21099. - accessKeyID
  21100. - secretAccessKey
  21101. type: object
  21102. type: object
  21103. region:
  21104. description: Region specifies the Volcengine region to connect to.
  21105. type: string
  21106. required:
  21107. - region
  21108. type: object
  21109. webhook:
  21110. description: Webhook configures this store to sync secrets using a generic templated webhook
  21111. properties:
  21112. auth:
  21113. description: Auth specifies an authorization protocol. Only one protocol may be set.
  21114. maxProperties: 1
  21115. minProperties: 1
  21116. properties:
  21117. ntlm:
  21118. description: NTLMProtocol configures the store to use NTLM for auth
  21119. properties:
  21120. passwordSecret:
  21121. description: |-
  21122. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21123. In some instances, `key` is a required field.
  21124. properties:
  21125. key:
  21126. description: |-
  21127. A key in the referenced Secret.
  21128. Some instances of this field may be defaulted, in others it may be required.
  21129. maxLength: 253
  21130. minLength: 1
  21131. pattern: ^[-._a-zA-Z0-9]+$
  21132. type: string
  21133. name:
  21134. description: The name of the Secret resource being referred to.
  21135. maxLength: 253
  21136. minLength: 1
  21137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21138. type: string
  21139. namespace:
  21140. description: |-
  21141. The namespace of the Secret resource being referred to.
  21142. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21143. maxLength: 63
  21144. minLength: 1
  21145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21146. type: string
  21147. type: object
  21148. usernameSecret:
  21149. description: |-
  21150. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21151. In some instances, `key` is a required field.
  21152. properties:
  21153. key:
  21154. description: |-
  21155. A key in the referenced Secret.
  21156. Some instances of this field may be defaulted, in others it may be required.
  21157. maxLength: 253
  21158. minLength: 1
  21159. pattern: ^[-._a-zA-Z0-9]+$
  21160. type: string
  21161. name:
  21162. description: The name of the Secret resource being referred to.
  21163. maxLength: 253
  21164. minLength: 1
  21165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21166. type: string
  21167. namespace:
  21168. description: |-
  21169. The namespace of the Secret resource being referred to.
  21170. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21171. maxLength: 63
  21172. minLength: 1
  21173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21174. type: string
  21175. type: object
  21176. required:
  21177. - passwordSecret
  21178. - usernameSecret
  21179. type: object
  21180. type: object
  21181. body:
  21182. description: Body
  21183. type: string
  21184. caBundle:
  21185. description: |-
  21186. PEM encoded CA bundle used to validate webhook server certificate. Only used
  21187. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21188. plain HTTP protocol connection. If not set the system root certificates
  21189. are used to validate the TLS connection.
  21190. format: byte
  21191. type: string
  21192. caProvider:
  21193. description: The provider for the CA bundle to use to validate webhook server certificate.
  21194. properties:
  21195. key:
  21196. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21197. maxLength: 253
  21198. minLength: 1
  21199. pattern: ^[-._a-zA-Z0-9]+$
  21200. type: string
  21201. name:
  21202. description: The name of the object located at the provider type.
  21203. maxLength: 253
  21204. minLength: 1
  21205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21206. type: string
  21207. namespace:
  21208. description: The namespace the Provider type is in.
  21209. maxLength: 63
  21210. minLength: 1
  21211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21212. type: string
  21213. type:
  21214. description: The type of provider to use such as "Secret", or "ConfigMap".
  21215. enum:
  21216. - Secret
  21217. - ConfigMap
  21218. type: string
  21219. required:
  21220. - name
  21221. - type
  21222. type: object
  21223. headers:
  21224. additionalProperties:
  21225. type: string
  21226. description: Headers
  21227. type: object
  21228. method:
  21229. description: Webhook Method
  21230. type: string
  21231. result:
  21232. description: Result formatting
  21233. properties:
  21234. jsonPath:
  21235. description: Json path of return value
  21236. type: string
  21237. type: object
  21238. secrets:
  21239. description: |-
  21240. Secrets to fill in templates
  21241. These secrets will be passed to the templating function as key value pairs under the given name
  21242. items:
  21243. description: WebhookSecret defines a secret that will be passed to the webhook request.
  21244. properties:
  21245. name:
  21246. description: Name of this secret in templates
  21247. type: string
  21248. secretRef:
  21249. description: Secret ref to fill in credentials
  21250. properties:
  21251. key:
  21252. description: |-
  21253. A key in the referenced Secret.
  21254. Some instances of this field may be defaulted, in others it may be required.
  21255. maxLength: 253
  21256. minLength: 1
  21257. pattern: ^[-._a-zA-Z0-9]+$
  21258. type: string
  21259. name:
  21260. description: The name of the Secret resource being referred to.
  21261. maxLength: 253
  21262. minLength: 1
  21263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21264. type: string
  21265. namespace:
  21266. description: |-
  21267. The namespace of the Secret resource being referred to.
  21268. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21269. maxLength: 63
  21270. minLength: 1
  21271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21272. type: string
  21273. type: object
  21274. required:
  21275. - name
  21276. - secretRef
  21277. type: object
  21278. type: array
  21279. timeout:
  21280. description: Timeout
  21281. type: string
  21282. url:
  21283. description: Webhook url to call
  21284. type: string
  21285. required:
  21286. - url
  21287. type: object
  21288. yandexcertificatemanager:
  21289. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  21290. properties:
  21291. apiEndpoint:
  21292. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21293. type: string
  21294. auth:
  21295. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21296. properties:
  21297. authorizedKeySecretRef:
  21298. description: The authorized key used for authentication
  21299. properties:
  21300. key:
  21301. description: |-
  21302. A key in the referenced Secret.
  21303. Some instances of this field may be defaulted, in others it may be required.
  21304. maxLength: 253
  21305. minLength: 1
  21306. pattern: ^[-._a-zA-Z0-9]+$
  21307. type: string
  21308. name:
  21309. description: The name of the Secret resource being referred to.
  21310. maxLength: 253
  21311. minLength: 1
  21312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21313. type: string
  21314. namespace:
  21315. description: |-
  21316. The namespace of the Secret resource being referred to.
  21317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21318. maxLength: 63
  21319. minLength: 1
  21320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21321. type: string
  21322. type: object
  21323. type: object
  21324. caProvider:
  21325. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21326. properties:
  21327. certSecretRef:
  21328. description: |-
  21329. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21330. In some instances, `key` is a required field.
  21331. properties:
  21332. key:
  21333. description: |-
  21334. A key in the referenced Secret.
  21335. Some instances of this field may be defaulted, in others it may be required.
  21336. maxLength: 253
  21337. minLength: 1
  21338. pattern: ^[-._a-zA-Z0-9]+$
  21339. type: string
  21340. name:
  21341. description: The name of the Secret resource being referred to.
  21342. maxLength: 253
  21343. minLength: 1
  21344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21345. type: string
  21346. namespace:
  21347. description: |-
  21348. The namespace of the Secret resource being referred to.
  21349. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21350. maxLength: 63
  21351. minLength: 1
  21352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21353. type: string
  21354. type: object
  21355. type: object
  21356. fetching:
  21357. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  21358. maxProperties: 1
  21359. minProperties: 1
  21360. properties:
  21361. byID:
  21362. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21363. type: object
  21364. byName:
  21365. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21366. properties:
  21367. folderID:
  21368. description: The folder to fetch secrets from
  21369. type: string
  21370. required:
  21371. - folderID
  21372. type: object
  21373. type: object
  21374. required:
  21375. - auth
  21376. type: object
  21377. yandexlockbox:
  21378. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  21379. properties:
  21380. apiEndpoint:
  21381. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21382. type: string
  21383. auth:
  21384. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21385. properties:
  21386. authorizedKeySecretRef:
  21387. description: The authorized key used for authentication
  21388. properties:
  21389. key:
  21390. description: |-
  21391. A key in the referenced Secret.
  21392. Some instances of this field may be defaulted, in others it may be required.
  21393. maxLength: 253
  21394. minLength: 1
  21395. pattern: ^[-._a-zA-Z0-9]+$
  21396. type: string
  21397. name:
  21398. description: The name of the Secret resource being referred to.
  21399. maxLength: 253
  21400. minLength: 1
  21401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21402. type: string
  21403. namespace:
  21404. description: |-
  21405. The namespace of the Secret resource being referred to.
  21406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21407. maxLength: 63
  21408. minLength: 1
  21409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21410. type: string
  21411. type: object
  21412. type: object
  21413. caProvider:
  21414. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21415. properties:
  21416. certSecretRef:
  21417. description: |-
  21418. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21419. In some instances, `key` is a required field.
  21420. properties:
  21421. key:
  21422. description: |-
  21423. A key in the referenced Secret.
  21424. Some instances of this field may be defaulted, in others it may be required.
  21425. maxLength: 253
  21426. minLength: 1
  21427. pattern: ^[-._a-zA-Z0-9]+$
  21428. type: string
  21429. name:
  21430. description: The name of the Secret resource being referred to.
  21431. maxLength: 253
  21432. minLength: 1
  21433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21434. type: string
  21435. namespace:
  21436. description: |-
  21437. The namespace of the Secret resource being referred to.
  21438. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21439. maxLength: 63
  21440. minLength: 1
  21441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21442. type: string
  21443. type: object
  21444. type: object
  21445. fetching:
  21446. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  21447. maxProperties: 1
  21448. minProperties: 1
  21449. properties:
  21450. byID:
  21451. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21452. type: object
  21453. byName:
  21454. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21455. properties:
  21456. folderID:
  21457. description: The folder to fetch secrets from
  21458. type: string
  21459. required:
  21460. - folderID
  21461. type: object
  21462. type: object
  21463. required:
  21464. - auth
  21465. type: object
  21466. type: object
  21467. refreshInterval:
  21468. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  21469. type: integer
  21470. retrySettings:
  21471. description: Used to configure HTTP retries on failures.
  21472. properties:
  21473. maxRetries:
  21474. format: int32
  21475. type: integer
  21476. retryInterval:
  21477. type: string
  21478. type: object
  21479. required:
  21480. - provider
  21481. type: object
  21482. status:
  21483. description: SecretStoreStatus defines the observed state of the SecretStore.
  21484. properties:
  21485. capabilities:
  21486. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  21487. type: string
  21488. conditions:
  21489. items:
  21490. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  21491. properties:
  21492. lastTransitionTime:
  21493. format: date-time
  21494. type: string
  21495. message:
  21496. type: string
  21497. reason:
  21498. type: string
  21499. status:
  21500. type: string
  21501. type:
  21502. description: SecretStoreConditionType represents the condition of the SecretStore.
  21503. type: string
  21504. required:
  21505. - status
  21506. - type
  21507. type: object
  21508. type: array
  21509. type: object
  21510. type: object
  21511. served: true
  21512. storage: true
  21513. subresources:
  21514. status: {}
  21515. - additionalPrinterColumns:
  21516. - jsonPath: .metadata.creationTimestamp
  21517. name: AGE
  21518. type: date
  21519. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  21520. name: Status
  21521. type: string
  21522. - jsonPath: .status.capabilities
  21523. name: Capabilities
  21524. type: string
  21525. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  21526. name: Ready
  21527. type: string
  21528. deprecated: true
  21529. name: v1beta1
  21530. schema:
  21531. openAPIV3Schema:
  21532. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21533. properties:
  21534. apiVersion:
  21535. description: |-
  21536. APIVersion defines the versioned schema of this representation of an object.
  21537. Servers should convert recognized schemas to the latest internal value, and
  21538. may reject unrecognized values.
  21539. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21540. type: string
  21541. kind:
  21542. description: |-
  21543. Kind is a string value representing the REST resource this object represents.
  21544. Servers may infer this from the endpoint the client submits requests to.
  21545. Cannot be updated.
  21546. In CamelCase.
  21547. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21548. type: string
  21549. metadata:
  21550. type: object
  21551. spec:
  21552. description: SecretStoreSpec defines the desired state of SecretStore.
  21553. properties:
  21554. conditions:
  21555. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21556. items:
  21557. description: |-
  21558. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21559. for a ClusterSecretStore instance.
  21560. properties:
  21561. namespaceRegexes:
  21562. description: Choose namespaces by using regex matching
  21563. items:
  21564. type: string
  21565. type: array
  21566. namespaceSelector:
  21567. description: Choose namespace using a labelSelector
  21568. properties:
  21569. matchExpressions:
  21570. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21571. items:
  21572. description: |-
  21573. A label selector requirement is a selector that contains values, a key, and an operator that
  21574. relates the key and values.
  21575. properties:
  21576. key:
  21577. description: key is the label key that the selector applies to.
  21578. type: string
  21579. operator:
  21580. description: |-
  21581. operator represents a key's relationship to a set of values.
  21582. Valid operators are In, NotIn, Exists and DoesNotExist.
  21583. type: string
  21584. values:
  21585. description: |-
  21586. values is an array of string values. If the operator is In or NotIn,
  21587. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21588. the values array must be empty. This array is replaced during a strategic
  21589. merge patch.
  21590. items:
  21591. type: string
  21592. type: array
  21593. x-kubernetes-list-type: atomic
  21594. required:
  21595. - key
  21596. - operator
  21597. type: object
  21598. type: array
  21599. x-kubernetes-list-type: atomic
  21600. matchLabels:
  21601. additionalProperties:
  21602. type: string
  21603. description: |-
  21604. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21605. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21606. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21607. type: object
  21608. type: object
  21609. x-kubernetes-map-type: atomic
  21610. namespaces:
  21611. description: Choose namespaces by name
  21612. items:
  21613. maxLength: 63
  21614. minLength: 1
  21615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21616. type: string
  21617. type: array
  21618. type: object
  21619. type: array
  21620. controller:
  21621. description: |-
  21622. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21623. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21624. type: string
  21625. provider:
  21626. description: Used to configure the provider. Only one provider may be set
  21627. maxProperties: 1
  21628. minProperties: 1
  21629. properties:
  21630. akeyless:
  21631. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21632. properties:
  21633. akeylessGWApiURL:
  21634. description: Akeyless GW API URL from which the secrets are to be fetched.
  21635. type: string
  21636. authSecretRef:
  21637. description: Auth configures how the operator authenticates with Akeyless.
  21638. properties:
  21639. kubernetesAuth:
  21640. description: |-
  21641. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21642. token stored in the named Secret resource.
  21643. properties:
  21644. accessID:
  21645. description: the Akeyless Kubernetes auth-method access-id
  21646. type: string
  21647. k8sConfName:
  21648. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21649. type: string
  21650. secretRef:
  21651. description: |-
  21652. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21653. for authenticating with Akeyless. If a name is specified without a key,
  21654. `token` is the default. If one is not specified, the one bound to
  21655. the controller will be used.
  21656. properties:
  21657. key:
  21658. description: |-
  21659. A key in the referenced Secret.
  21660. Some instances of this field may be defaulted, in others it may be required.
  21661. maxLength: 253
  21662. minLength: 1
  21663. pattern: ^[-._a-zA-Z0-9]+$
  21664. type: string
  21665. name:
  21666. description: The name of the Secret resource being referred to.
  21667. maxLength: 253
  21668. minLength: 1
  21669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21670. type: string
  21671. namespace:
  21672. description: |-
  21673. The namespace of the Secret resource being referred to.
  21674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21675. maxLength: 63
  21676. minLength: 1
  21677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21678. type: string
  21679. type: object
  21680. serviceAccountRef:
  21681. description: |-
  21682. Optional service account field containing the name of a kubernetes ServiceAccount.
  21683. If the service account is specified, the service account secret token JWT will be used
  21684. for authenticating with Akeyless. If the service account selector is not supplied,
  21685. the secretRef will be used instead.
  21686. properties:
  21687. audiences:
  21688. description: |-
  21689. Audience specifies the `aud` claim for the service account token
  21690. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21691. then these audiences will be appended to the list
  21692. items:
  21693. type: string
  21694. type: array
  21695. name:
  21696. description: The name of the ServiceAccount resource being referred to.
  21697. maxLength: 253
  21698. minLength: 1
  21699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21700. type: string
  21701. namespace:
  21702. description: |-
  21703. Namespace of the resource being referred to.
  21704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21705. maxLength: 63
  21706. minLength: 1
  21707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21708. type: string
  21709. required:
  21710. - name
  21711. type: object
  21712. required:
  21713. - accessID
  21714. - k8sConfName
  21715. type: object
  21716. secretRef:
  21717. description: |-
  21718. Reference to a Secret that contains the details
  21719. to authenticate with Akeyless.
  21720. properties:
  21721. accessID:
  21722. description: The SecretAccessID is used for authentication
  21723. properties:
  21724. key:
  21725. description: |-
  21726. A key in the referenced Secret.
  21727. Some instances of this field may be defaulted, in others it may be required.
  21728. maxLength: 253
  21729. minLength: 1
  21730. pattern: ^[-._a-zA-Z0-9]+$
  21731. type: string
  21732. name:
  21733. description: The name of the Secret resource being referred to.
  21734. maxLength: 253
  21735. minLength: 1
  21736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21737. type: string
  21738. namespace:
  21739. description: |-
  21740. The namespace of the Secret resource being referred to.
  21741. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21742. maxLength: 63
  21743. minLength: 1
  21744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21745. type: string
  21746. type: object
  21747. accessType:
  21748. description: |-
  21749. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21750. In some instances, `key` is a required field.
  21751. properties:
  21752. key:
  21753. description: |-
  21754. A key in the referenced Secret.
  21755. Some instances of this field may be defaulted, in others it may be required.
  21756. maxLength: 253
  21757. minLength: 1
  21758. pattern: ^[-._a-zA-Z0-9]+$
  21759. type: string
  21760. name:
  21761. description: The name of the Secret resource being referred to.
  21762. maxLength: 253
  21763. minLength: 1
  21764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21765. type: string
  21766. namespace:
  21767. description: |-
  21768. The namespace of the Secret resource being referred to.
  21769. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21770. maxLength: 63
  21771. minLength: 1
  21772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21773. type: string
  21774. type: object
  21775. accessTypeParam:
  21776. description: |-
  21777. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21778. In some instances, `key` is a required field.
  21779. properties:
  21780. key:
  21781. description: |-
  21782. A key in the referenced Secret.
  21783. Some instances of this field may be defaulted, in others it may be required.
  21784. maxLength: 253
  21785. minLength: 1
  21786. pattern: ^[-._a-zA-Z0-9]+$
  21787. type: string
  21788. name:
  21789. description: The name of the Secret resource being referred to.
  21790. maxLength: 253
  21791. minLength: 1
  21792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21793. type: string
  21794. namespace:
  21795. description: |-
  21796. The namespace of the Secret resource being referred to.
  21797. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21798. maxLength: 63
  21799. minLength: 1
  21800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21801. type: string
  21802. type: object
  21803. type: object
  21804. type: object
  21805. caBundle:
  21806. description: |-
  21807. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21808. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21809. are used to validate the TLS connection.
  21810. format: byte
  21811. type: string
  21812. caProvider:
  21813. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21814. properties:
  21815. key:
  21816. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21817. maxLength: 253
  21818. minLength: 1
  21819. pattern: ^[-._a-zA-Z0-9]+$
  21820. type: string
  21821. name:
  21822. description: The name of the object located at the provider type.
  21823. maxLength: 253
  21824. minLength: 1
  21825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21826. type: string
  21827. namespace:
  21828. description: |-
  21829. The namespace the Provider type is in.
  21830. Can only be defined when used in a ClusterSecretStore.
  21831. maxLength: 63
  21832. minLength: 1
  21833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21834. type: string
  21835. type:
  21836. description: The type of provider to use such as "Secret", or "ConfigMap".
  21837. enum:
  21838. - Secret
  21839. - ConfigMap
  21840. type: string
  21841. required:
  21842. - name
  21843. - type
  21844. type: object
  21845. required:
  21846. - akeylessGWApiURL
  21847. - authSecretRef
  21848. type: object
  21849. alibaba:
  21850. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21851. properties:
  21852. auth:
  21853. description: AlibabaAuth contains a secretRef for credentials.
  21854. properties:
  21855. rrsa:
  21856. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21857. properties:
  21858. oidcProviderArn:
  21859. type: string
  21860. oidcTokenFilePath:
  21861. type: string
  21862. roleArn:
  21863. type: string
  21864. sessionName:
  21865. type: string
  21866. required:
  21867. - oidcProviderArn
  21868. - oidcTokenFilePath
  21869. - roleArn
  21870. - sessionName
  21871. type: object
  21872. secretRef:
  21873. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21874. properties:
  21875. accessKeyIDSecretRef:
  21876. description: The AccessKeyID is used for authentication
  21877. properties:
  21878. key:
  21879. description: |-
  21880. A key in the referenced Secret.
  21881. Some instances of this field may be defaulted, in others it may be required.
  21882. maxLength: 253
  21883. minLength: 1
  21884. pattern: ^[-._a-zA-Z0-9]+$
  21885. type: string
  21886. name:
  21887. description: The name of the Secret resource being referred to.
  21888. maxLength: 253
  21889. minLength: 1
  21890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21891. type: string
  21892. namespace:
  21893. description: |-
  21894. The namespace of the Secret resource being referred to.
  21895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21896. maxLength: 63
  21897. minLength: 1
  21898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21899. type: string
  21900. type: object
  21901. accessKeySecretSecretRef:
  21902. description: The AccessKeySecret is used for authentication
  21903. properties:
  21904. key:
  21905. description: |-
  21906. A key in the referenced Secret.
  21907. Some instances of this field may be defaulted, in others it may be required.
  21908. maxLength: 253
  21909. minLength: 1
  21910. pattern: ^[-._a-zA-Z0-9]+$
  21911. type: string
  21912. name:
  21913. description: The name of the Secret resource being referred to.
  21914. maxLength: 253
  21915. minLength: 1
  21916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21917. type: string
  21918. namespace:
  21919. description: |-
  21920. The namespace of the Secret resource being referred to.
  21921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21922. maxLength: 63
  21923. minLength: 1
  21924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21925. type: string
  21926. type: object
  21927. required:
  21928. - accessKeyIDSecretRef
  21929. - accessKeySecretSecretRef
  21930. type: object
  21931. type: object
  21932. regionID:
  21933. description: Alibaba Region to be used for the provider
  21934. type: string
  21935. required:
  21936. - auth
  21937. - regionID
  21938. type: object
  21939. aws:
  21940. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21941. properties:
  21942. additionalRoles:
  21943. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21944. items:
  21945. type: string
  21946. type: array
  21947. auth:
  21948. description: |-
  21949. Auth defines the information necessary to authenticate against AWS
21950. If not set, the AWS SDK infers credentials from the controller's environment (its default credential chain),
21951. i.e. the store then acts with whatever identity the controller pod itself holds.
21952. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21952. properties:
  21953. jwt:
  21954. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21955. properties:
  21956. serviceAccountRef:
  21957. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21958. properties:
  21959. audiences:
  21960. description: |-
  21961. Audience specifies the `aud` claim for the service account token
  21962. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21963. then this audiences will be appended to the list
  21964. items:
  21965. type: string
  21966. type: array
  21967. name:
  21968. description: The name of the ServiceAccount resource being referred to.
  21969. maxLength: 253
  21970. minLength: 1
  21971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21972. type: string
  21973. namespace:
  21974. description: |-
  21975. Namespace of the resource being referred to.
  21976. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21977. maxLength: 63
  21978. minLength: 1
  21979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21980. type: string
  21981. required:
  21982. - name
  21983. type: object
  21984. type: object
  21985. secretRef:
  21986. description: |-
  21987. AWSAuthSecretRef holds secret references for AWS credentials
  21988. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21989. properties:
  21990. accessKeyIDSecretRef:
  21991. description: The AccessKeyID is used for authentication
  21992. properties:
  21993. key:
  21994. description: |-
  21995. A key in the referenced Secret.
  21996. Some instances of this field may be defaulted, in others it may be required.
  21997. maxLength: 253
  21998. minLength: 1
  21999. pattern: ^[-._a-zA-Z0-9]+$
  22000. type: string
  22001. name:
  22002. description: The name of the Secret resource being referred to.
  22003. maxLength: 253
  22004. minLength: 1
  22005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22006. type: string
  22007. namespace:
  22008. description: |-
  22009. The namespace of the Secret resource being referred to.
  22010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22011. maxLength: 63
  22012. minLength: 1
  22013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22014. type: string
  22015. type: object
  22016. secretAccessKeySecretRef:
  22017. description: The SecretAccessKey is used for authentication
  22018. properties:
  22019. key:
  22020. description: |-
  22021. A key in the referenced Secret.
  22022. Some instances of this field may be defaulted, in others it may be required.
  22023. maxLength: 253
  22024. minLength: 1
  22025. pattern: ^[-._a-zA-Z0-9]+$
  22026. type: string
  22027. name:
  22028. description: The name of the Secret resource being referred to.
  22029. maxLength: 253
  22030. minLength: 1
  22031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22032. type: string
  22033. namespace:
  22034. description: |-
  22035. The namespace of the Secret resource being referred to.
  22036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22037. maxLength: 63
  22038. minLength: 1
  22039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22040. type: string
  22041. type: object
  22042. sessionTokenSecretRef:
  22043. description: |-
  22044. The SessionToken used for authentication
  22045. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  22046. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  22047. properties:
  22048. key:
  22049. description: |-
  22050. A key in the referenced Secret.
  22051. Some instances of this field may be defaulted, in others it may be required.
  22052. maxLength: 253
  22053. minLength: 1
  22054. pattern: ^[-._a-zA-Z0-9]+$
  22055. type: string
  22056. name:
  22057. description: The name of the Secret resource being referred to.
  22058. maxLength: 253
  22059. minLength: 1
  22060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22061. type: string
  22062. namespace:
  22063. description: |-
  22064. The namespace of the Secret resource being referred to.
  22065. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22066. maxLength: 63
  22067. minLength: 1
  22068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22069. type: string
  22070. type: object
  22071. type: object
  22072. type: object
  22073. externalID:
  22074. description: AWS External ID set on assumed IAM roles
  22075. type: string
  22076. prefix:
  22077. description: Prefix adds a prefix to all retrieved values.
  22078. type: string
  22079. region:
  22080. description: AWS Region to be used for the provider
  22081. type: string
  22082. role:
  22083. description: Role is a Role ARN which the provider will assume
  22084. type: string
  22085. secretsManager:
  22086. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  22087. properties:
  22088. forceDeleteWithoutRecovery:
  22089. description: |-
  22090. Specifies whether to delete the secret without any recovery window. You
  22091. can't use both this parameter and RecoveryWindowInDays in the same call.
  22092. If you don't use either, then by default Secrets Manager uses a 30 day
  22093. recovery window.
  22094. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  22095. type: boolean
  22096. recoveryWindowInDays:
  22097. description: |-
  22098. The number of days from 7 to 30 that Secrets Manager waits before
  22099. permanently deleting the secret. You can't use both this parameter and
  22100. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  22101. then by default Secrets Manager uses a 30 day recovery window.
  22102. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  22103. format: int64
  22104. type: integer
  22105. type: object
  22106. service:
  22107. description: Service defines which service should be used to fetch the secrets
  22108. enum:
  22109. - SecretsManager
  22110. - ParameterStore
  22111. type: string
  22112. sessionTags:
  22113. description: AWS STS assume role session tags
  22114. items:
  22115. description: Tag defines a tag key and value for AWS resources.
  22116. properties:
  22117. key:
  22118. type: string
  22119. value:
  22120. type: string
  22121. required:
  22122. - key
  22123. - value
  22124. type: object
  22125. type: array
  22126. transitiveTagKeys:
22127. description: AWS STS assume role transitive session tags. Required when roles are chained (i.e. additionalRoles is used with the provider), so that the tags are carried across each AssumeRole hop
  22128. items:
  22129. type: string
  22130. type: array
  22131. required:
  22132. - region
  22133. - service
  22134. type: object
  22135. azurekv:
  22136. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  22137. properties:
  22138. authSecretRef:
  22139. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22140. properties:
  22141. clientCertificate:
22142. description: The Azure ClientCertificate of the service principal used for authentication.
  22143. properties:
  22144. key:
  22145. description: |-
  22146. A key in the referenced Secret.
  22147. Some instances of this field may be defaulted, in others it may be required.
  22148. maxLength: 253
  22149. minLength: 1
  22150. pattern: ^[-._a-zA-Z0-9]+$
  22151. type: string
  22152. name:
  22153. description: The name of the Secret resource being referred to.
  22154. maxLength: 253
  22155. minLength: 1
  22156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22157. type: string
  22158. namespace:
  22159. description: |-
  22160. The namespace of the Secret resource being referred to.
  22161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22162. maxLength: 63
  22163. minLength: 1
  22164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22165. type: string
  22166. type: object
  22167. clientId:
22168. description: The Azure clientId of the service principal or managed identity used for authentication.
  22169. properties:
  22170. key:
  22171. description: |-
  22172. A key in the referenced Secret.
  22173. Some instances of this field may be defaulted, in others it may be required.
  22174. maxLength: 253
  22175. minLength: 1
  22176. pattern: ^[-._a-zA-Z0-9]+$
  22177. type: string
  22178. name:
  22179. description: The name of the Secret resource being referred to.
  22180. maxLength: 253
  22181. minLength: 1
  22182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22183. type: string
  22184. namespace:
  22185. description: |-
  22186. The namespace of the Secret resource being referred to.
  22187. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22188. maxLength: 63
  22189. minLength: 1
  22190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22191. type: string
  22192. type: object
  22193. clientSecret:
22194. description: The Azure ClientSecret of the service principal used for authentication.
  22195. properties:
  22196. key:
  22197. description: |-
  22198. A key in the referenced Secret.
  22199. Some instances of this field may be defaulted, in others it may be required.
  22200. maxLength: 253
  22201. minLength: 1
  22202. pattern: ^[-._a-zA-Z0-9]+$
  22203. type: string
  22204. name:
  22205. description: The name of the Secret resource being referred to.
  22206. maxLength: 253
  22207. minLength: 1
  22208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22209. type: string
  22210. namespace:
  22211. description: |-
  22212. The namespace of the Secret resource being referred to.
  22213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22214. maxLength: 63
  22215. minLength: 1
  22216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22217. type: string
  22218. type: object
  22219. tenantId:
  22220. description: The Azure tenantId of the managed identity used for authentication.
  22221. properties:
  22222. key:
  22223. description: |-
  22224. A key in the referenced Secret.
  22225. Some instances of this field may be defaulted, in others it may be required.
  22226. maxLength: 253
  22227. minLength: 1
  22228. pattern: ^[-._a-zA-Z0-9]+$
  22229. type: string
  22230. name:
  22231. description: The name of the Secret resource being referred to.
  22232. maxLength: 253
  22233. minLength: 1
  22234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22235. type: string
  22236. namespace:
  22237. description: |-
  22238. The namespace of the Secret resource being referred to.
  22239. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22240. maxLength: 63
  22241. minLength: 1
  22242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22243. type: string
  22244. type: object
  22245. type: object
  22246. authType:
  22247. default: ServicePrincipal
  22248. description: |-
  22249. Auth type defines how to authenticate to the keyvault service.
  22250. Valid values are:
22251. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
22252. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- "WorkloadIdentity": Using Azure Workload Identity with the Kubernetes service account referenced in serviceAccountRef
  22253. enum:
  22254. - ServicePrincipal
  22255. - ManagedIdentity
  22256. - WorkloadIdentity
  22257. type: string
  22258. environmentType:
  22259. default: PublicCloud
  22260. description: |-
  22261. EnvironmentType specifies the Azure cloud environment endpoints to use for
  22262. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  22263. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  22264. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  22265. enum:
  22266. - PublicCloud
  22267. - USGovernmentCloud
  22268. - ChinaCloud
  22269. - GermanCloud
  22270. type: string
  22271. identityId:
22272. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  22273. type: string
  22274. serviceAccountRef:
  22275. description: |-
22276. ServiceAccountRef specifies the service account
22277. that should be used when authenticating with WorkloadIdentity.
  22278. properties:
  22279. audiences:
  22280. description: |-
  22281. Audience specifies the `aud` claim for the service account token
  22282. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22283. then this audiences will be appended to the list
  22284. items:
  22285. type: string
  22286. type: array
  22287. name:
  22288. description: The name of the ServiceAccount resource being referred to.
  22289. maxLength: 253
  22290. minLength: 1
  22291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22292. type: string
  22293. namespace:
  22294. description: |-
  22295. Namespace of the resource being referred to.
  22296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22297. maxLength: 63
  22298. minLength: 1
  22299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22300. type: string
  22301. required:
  22302. - name
  22303. type: object
  22304. tenantId:
  22305. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22306. type: string
  22307. vaultUrl:
  22308. description: Vault Url from which the secrets to be fetched from.
  22309. type: string
  22310. required:
  22311. - vaultUrl
  22312. type: object
  22313. beyondtrust:
  22314. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  22315. properties:
  22316. auth:
  22317. description: Auth configures how the operator authenticates with Beyondtrust.
  22318. properties:
  22319. apiKey:
  22320. description: APIKey If not provided then ClientID/ClientSecret become required.
  22321. properties:
  22322. secretRef:
  22323. description: SecretRef references a key in a secret that will be used as value.
  22324. properties:
  22325. key:
  22326. description: |-
  22327. A key in the referenced Secret.
  22328. Some instances of this field may be defaulted, in others it may be required.
  22329. maxLength: 253
  22330. minLength: 1
  22331. pattern: ^[-._a-zA-Z0-9]+$
  22332. type: string
  22333. name:
  22334. description: The name of the Secret resource being referred to.
  22335. maxLength: 253
  22336. minLength: 1
  22337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22338. type: string
  22339. namespace:
  22340. description: |-
  22341. The namespace of the Secret resource being referred to.
  22342. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22343. maxLength: 63
  22344. minLength: 1
  22345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22346. type: string
  22347. type: object
  22348. value:
22349. description: Value can be specified directly to set a value without using a secret. Note that an API key given here is stored in plaintext in the SecretStore object; prefer secretRef for this credential.
  22350. type: string
  22351. type: object
  22352. certificate:
  22353. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  22354. properties:
  22355. secretRef:
  22356. description: SecretRef references a key in a secret that will be used as value.
  22357. properties:
  22358. key:
  22359. description: |-
  22360. A key in the referenced Secret.
  22361. Some instances of this field may be defaulted, in others it may be required.
  22362. maxLength: 253
  22363. minLength: 1
  22364. pattern: ^[-._a-zA-Z0-9]+$
  22365. type: string
  22366. name:
  22367. description: The name of the Secret resource being referred to.
  22368. maxLength: 253
  22369. minLength: 1
  22370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22371. type: string
  22372. namespace:
  22373. description: |-
  22374. The namespace of the Secret resource being referred to.
  22375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22376. maxLength: 63
  22377. minLength: 1
  22378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22379. type: string
  22380. type: object
  22381. value:
  22382. description: Value can be specified directly to set a value without using a secret.
  22383. type: string
  22384. type: object
  22385. certificateKey:
  22386. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  22387. properties:
  22388. secretRef:
  22389. description: SecretRef references a key in a secret that will be used as value.
  22390. properties:
  22391. key:
  22392. description: |-
  22393. A key in the referenced Secret.
  22394. Some instances of this field may be defaulted, in others it may be required.
  22395. maxLength: 253
  22396. minLength: 1
  22397. pattern: ^[-._a-zA-Z0-9]+$
  22398. type: string
  22399. name:
  22400. description: The name of the Secret resource being referred to.
  22401. maxLength: 253
  22402. minLength: 1
  22403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22404. type: string
  22405. namespace:
  22406. description: |-
  22407. The namespace of the Secret resource being referred to.
  22408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22409. maxLength: 63
  22410. minLength: 1
  22411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22412. type: string
  22413. type: object
  22414. value:
22415. description: Value can be specified directly to set a value without using a secret. Note that a private key given here is stored in plaintext in the SecretStore object; prefer secretRef for this credential.
  22416. type: string
  22417. type: object
  22418. clientId:
  22419. description: ClientID is the API OAuth Client ID.
  22420. properties:
  22421. secretRef:
  22422. description: SecretRef references a key in a secret that will be used as value.
  22423. properties:
  22424. key:
  22425. description: |-
  22426. A key in the referenced Secret.
  22427. Some instances of this field may be defaulted, in others it may be required.
  22428. maxLength: 253
  22429. minLength: 1
  22430. pattern: ^[-._a-zA-Z0-9]+$
  22431. type: string
  22432. name:
  22433. description: The name of the Secret resource being referred to.
  22434. maxLength: 253
  22435. minLength: 1
  22436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22437. type: string
  22438. namespace:
  22439. description: |-
  22440. The namespace of the Secret resource being referred to.
  22441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22442. maxLength: 63
  22443. minLength: 1
  22444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22445. type: string
  22446. type: object
  22447. value:
  22448. description: Value can be specified directly to set a value without using a secret.
  22449. type: string
  22450. type: object
  22451. clientSecret:
  22452. description: ClientSecret is the API OAuth Client Secret.
  22453. properties:
  22454. secretRef:
  22455. description: SecretRef references a key in a secret that will be used as value.
  22456. properties:
  22457. key:
  22458. description: |-
  22459. A key in the referenced Secret.
  22460. Some instances of this field may be defaulted, in others it may be required.
  22461. maxLength: 253
  22462. minLength: 1
  22463. pattern: ^[-._a-zA-Z0-9]+$
  22464. type: string
  22465. name:
  22466. description: The name of the Secret resource being referred to.
  22467. maxLength: 253
  22468. minLength: 1
  22469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22470. type: string
  22471. namespace:
  22472. description: |-
  22473. The namespace of the Secret resource being referred to.
  22474. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22475. maxLength: 63
  22476. minLength: 1
  22477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22478. type: string
  22479. type: object
  22480. value:
22481. description: Value can be specified directly to set a value without using a secret. Note that a client secret given here is stored in plaintext in the SecretStore object; prefer secretRef for this credential.
  22482. type: string
  22483. type: object
  22484. type: object
  22485. server:
  22486. description: Auth configures how API server works.
  22487. properties:
  22488. apiUrl:
  22489. type: string
  22490. apiVersion:
  22491. type: string
  22492. clientTimeOutSeconds:
  22493. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  22494. type: integer
  22495. decrypt:
  22496. default: true
  22497. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  22498. type: boolean
  22499. retrievalType:
  22500. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  22501. type: string
  22502. separator:
  22503. description: A character that separates the folder names.
  22504. type: string
22505. verifyCA:
description: Whether to verify the TLS certificate of the Password Safe API server. Setting this to false disables certificate validation and exposes the connection to MITM; only use false for testing.
22506. type: boolean
  22507. required:
  22508. - apiUrl
  22509. - verifyCA
  22510. type: object
  22511. required:
  22512. - auth
  22513. - server
  22514. type: object
  22515. bitwardensecretsmanager:
  22516. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  22517. properties:
  22518. apiURL:
  22519. type: string
  22520. auth:
  22521. description: |-
22522. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
22523. Make sure that the access token being used has permissions on the referenced secrets, and ideally no more than that (scope it to the project configured in projectID).
  22524. properties:
  22525. secretRef:
  22526. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  22527. properties:
  22528. credentials:
  22529. description: AccessToken used for the bitwarden instance.
  22530. properties:
  22531. key:
  22532. description: |-
  22533. A key in the referenced Secret.
  22534. Some instances of this field may be defaulted, in others it may be required.
  22535. maxLength: 253
  22536. minLength: 1
  22537. pattern: ^[-._a-zA-Z0-9]+$
  22538. type: string
  22539. name:
  22540. description: The name of the Secret resource being referred to.
  22541. maxLength: 253
  22542. minLength: 1
  22543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22544. type: string
  22545. namespace:
  22546. description: |-
  22547. The namespace of the Secret resource being referred to.
  22548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22549. maxLength: 63
  22550. minLength: 1
  22551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22552. type: string
  22553. type: object
  22554. required:
  22555. - credentials
  22556. type: object
  22557. required:
  22558. - secretRef
  22559. type: object
  22560. bitwardenServerSDKURL:
  22561. type: string
  22562. caBundle:
  22563. description: |-
22564. Base64 encoded CA certificate used to validate the bitwarden server SDK's TLS certificate. The SDK MUST be reached over HTTPS to make sure no MITM attack
22565. can be performed.
  22566. type: string
  22567. caProvider:
  22568. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22569. properties:
  22570. key:
  22571. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22572. maxLength: 253
  22573. minLength: 1
  22574. pattern: ^[-._a-zA-Z0-9]+$
  22575. type: string
  22576. name:
  22577. description: The name of the object located at the provider type.
  22578. maxLength: 253
  22579. minLength: 1
  22580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22581. type: string
  22582. namespace:
  22583. description: |-
  22584. The namespace the Provider type is in.
  22585. Can only be defined when used in a ClusterSecretStore.
  22586. maxLength: 63
  22587. minLength: 1
  22588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22589. type: string
  22590. type:
  22591. description: The type of provider to use such as "Secret", or "ConfigMap".
  22592. enum:
  22593. - Secret
  22594. - ConfigMap
  22595. type: string
  22596. required:
  22597. - name
  22598. - type
  22599. type: object
  22600. identityURL:
  22601. type: string
  22602. organizationID:
  22603. description: OrganizationID determines which organization this secret store manages.
  22604. type: string
  22605. projectID:
  22606. description: ProjectID determines which project this secret store manages.
  22607. type: string
  22608. required:
  22609. - auth
  22610. - organizationID
  22611. - projectID
  22612. type: object
  22613. chef:
  22614. description: Chef configures this store to sync secrets with chef server
  22615. properties:
  22616. auth:
  22617. description: Auth defines the information necessary to authenticate against chef Server
  22618. properties:
  22619. secretRef:
  22620. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22621. properties:
  22622. privateKeySecretRef:
  22623. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22624. properties:
  22625. key:
  22626. description: |-
  22627. A key in the referenced Secret.
  22628. Some instances of this field may be defaulted, in others it may be required.
  22629. maxLength: 253
  22630. minLength: 1
  22631. pattern: ^[-._a-zA-Z0-9]+$
  22632. type: string
  22633. name:
  22634. description: The name of the Secret resource being referred to.
  22635. maxLength: 253
  22636. minLength: 1
  22637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22638. type: string
  22639. namespace:
  22640. description: |-
  22641. The namespace of the Secret resource being referred to.
  22642. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22643. maxLength: 63
  22644. minLength: 1
  22645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22646. type: string
  22647. type: object
  22648. required:
  22649. - privateKeySecretRef
  22650. type: object
  22651. required:
  22652. - secretRef
  22653. type: object
  22654. serverUrl:
  22655. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  22656. type: string
  22657. username:
  22658. description: UserName should be the user ID on the chef server
  22659. type: string
  22660. required:
  22661. - auth
  22662. - serverUrl
  22663. - username
  22664. type: object
  22665. cloudrusm:
  22666. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22667. properties:
  22668. auth:
  22669. description: CSMAuth contains a secretRef for credentials.
  22670. properties:
  22671. secretRef:
  22672. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22673. properties:
  22674. accessKeyIDSecretRef:
  22675. description: The AccessKeyID is used for authentication
  22676. properties:
  22677. key:
  22678. description: |-
  22679. A key in the referenced Secret.
  22680. Some instances of this field may be defaulted, in others it may be required.
  22681. maxLength: 253
  22682. minLength: 1
  22683. pattern: ^[-._a-zA-Z0-9]+$
  22684. type: string
  22685. name:
  22686. description: The name of the Secret resource being referred to.
  22687. maxLength: 253
  22688. minLength: 1
  22689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22690. type: string
  22691. namespace:
  22692. description: |-
  22693. The namespace of the Secret resource being referred to.
  22694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22695. maxLength: 63
  22696. minLength: 1
  22697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22698. type: string
  22699. type: object
  22700. accessKeySecretSecretRef:
  22701. description: The AccessKeySecret is used for authentication
  22702. properties:
  22703. key:
  22704. description: |-
  22705. A key in the referenced Secret.
  22706. Some instances of this field may be defaulted, in others it may be required.
  22707. maxLength: 253
  22708. minLength: 1
  22709. pattern: ^[-._a-zA-Z0-9]+$
  22710. type: string
  22711. name:
  22712. description: The name of the Secret resource being referred to.
  22713. maxLength: 253
  22714. minLength: 1
  22715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22716. type: string
  22717. namespace:
  22718. description: |-
  22719. The namespace of the Secret resource being referred to.
  22720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22721. maxLength: 63
  22722. minLength: 1
  22723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22724. type: string
  22725. type: object
  22726. required:
  22727. - accessKeyIDSecretRef
  22728. - accessKeySecretSecretRef
  22729. type: object
  22730. type: object
  22731. projectID:
  22732. description: ProjectID is the project in which the secrets are stored.
  22733. type: string
  22734. required:
  22735. - auth
  22736. type: object
  22737. conjur:
  22738. description: Conjur configures this store to sync secrets using conjur provider
  22739. properties:
  22740. auth:
  22741. description: Defines authentication settings for connecting to Conjur.
  22742. properties:
  22743. apikey:
  22744. description: Authenticates with Conjur using an API key.
  22745. properties:
  22746. account:
  22747. description: Account is the Conjur organization account name.
  22748. type: string
  22749. apiKeyRef:
  22750. description: |-
  22751. A reference to a specific 'key' containing the Conjur API key
  22752. within a Secret resource. In some instances, `key` is a required field.
  22753. properties:
  22754. key:
  22755. description: |-
  22756. A key in the referenced Secret.
  22757. Some instances of this field may be defaulted, in others it may be required.
  22758. maxLength: 253
  22759. minLength: 1
  22760. pattern: ^[-._a-zA-Z0-9]+$
  22761. type: string
  22762. name:
  22763. description: The name of the Secret resource being referred to.
  22764. maxLength: 253
  22765. minLength: 1
  22766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22767. type: string
  22768. namespace:
  22769. description: |-
  22770. The namespace of the Secret resource being referred to.
  22771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22772. maxLength: 63
  22773. minLength: 1
  22774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22775. type: string
  22776. type: object
  22777. userRef:
  22778. description: |-
  22779. A reference to a specific 'key' containing the Conjur username
  22780. within a Secret resource. In some instances, `key` is a required field.
  22781. properties:
  22782. key:
  22783. description: |-
  22784. A key in the referenced Secret.
  22785. Some instances of this field may be defaulted, in others it may be required.
  22786. maxLength: 253
  22787. minLength: 1
  22788. pattern: ^[-._a-zA-Z0-9]+$
  22789. type: string
  22790. name:
  22791. description: The name of the Secret resource being referred to.
  22792. maxLength: 253
  22793. minLength: 1
  22794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22795. type: string
  22796. namespace:
  22797. description: |-
  22798. The namespace of the Secret resource being referred to.
  22799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22800. maxLength: 63
  22801. minLength: 1
  22802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22803. type: string
  22804. type: object
  22805. required:
  22806. - account
  22807. - apiKeyRef
  22808. - userRef
  22809. type: object
  22810. jwt:
  22811. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22812. properties:
  22813. account:
  22814. description: Account is the Conjur organization account name.
  22815. type: string
  22816. hostId:
  22817. description: |-
  22818. Optional HostID for JWT authentication. This may be used depending
  22819. on how the Conjur JWT authenticator policy is configured.
  22820. type: string
  22821. secretRef:
  22822. description: |-
  22823. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22824. authenticate with Conjur using the JWT authentication method.
  22825. properties:
  22826. key:
  22827. description: |-
  22828. A key in the referenced Secret.
  22829. Some instances of this field may be defaulted, in others it may be required.
  22830. maxLength: 253
  22831. minLength: 1
  22832. pattern: ^[-._a-zA-Z0-9]+$
  22833. type: string
  22834. name:
  22835. description: The name of the Secret resource being referred to.
  22836. maxLength: 253
  22837. minLength: 1
  22838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22839. type: string
  22840. namespace:
  22841. description: |-
  22842. The namespace of the Secret resource being referred to.
  22843. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22844. maxLength: 63
  22845. minLength: 1
  22846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22847. type: string
  22848. type: object
  22849. serviceAccountRef:
  22850. description: |-
  22851. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22852. a token for with the `TokenRequest` API.
  22853. properties:
  22854. audiences:
  22855. description: |-
  22856. Audience specifies the `aud` claim for the service account token.
  22857. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  22858. then these audiences will be appended to the list.
  22859. items:
  22860. type: string
  22861. type: array
  22862. name:
  22863. description: The name of the ServiceAccount resource being referred to.
  22864. maxLength: 253
  22865. minLength: 1
  22866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22867. type: string
  22868. namespace:
  22869. description: |-
  22870. Namespace of the resource being referred to.
  22871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22872. maxLength: 63
  22873. minLength: 1
  22874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22875. type: string
  22876. required:
  22877. - name
  22878. type: object
  22879. serviceID:
  22880. description: The Conjur authn-jwt webservice ID.
  22881. type: string
  22882. required:
  22883. - account
  22884. - serviceID
  22885. type: object
  22886. type: object
  22887. caBundle:
  22888. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22889. type: string
  22890. caProvider:
  22891. description: |-
  22892. Used to provide custom certificate authority (CA) certificates
  22893. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22894. that contains a PEM-encoded certificate.
  22895. properties:
  22896. key:
  22897. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22898. maxLength: 253
  22899. minLength: 1
  22900. pattern: ^[-._a-zA-Z0-9]+$
  22901. type: string
  22902. name:
  22903. description: The name of the object located at the provider type.
  22904. maxLength: 253
  22905. minLength: 1
  22906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22907. type: string
  22908. namespace:
  22909. description: |-
  22910. The namespace the Provider type is in.
  22911. Can only be defined when used in a ClusterSecretStore.
  22912. maxLength: 63
  22913. minLength: 1
  22914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22915. type: string
  22916. type:
  22917. description: The type of provider to use such as "Secret", or "ConfigMap".
  22918. enum:
  22919. - Secret
  22920. - ConfigMap
  22921. type: string
  22922. required:
  22923. - name
  22924. - type
  22925. type: object
  22926. url:
  22927. description: URL is the endpoint of the Conjur instance.
  22928. type: string
  22929. required:
  22930. - auth
  22931. - url
  22932. type: object
  22933. delinea:
  22934. description: |-
  22935. Delinea DevOps Secrets Vault
  22936. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22937. properties:
  22938. clientId:
  22939. description: ClientID is the non-secret part of the credential.
  22940. properties:
  22941. secretRef:
  22942. description: SecretRef references a key in a secret that will be used as value.
  22943. properties:
  22944. key:
  22945. description: |-
  22946. A key in the referenced Secret.
  22947. Some instances of this field may be defaulted, in others it may be required.
  22948. maxLength: 253
  22949. minLength: 1
  22950. pattern: ^[-._a-zA-Z0-9]+$
  22951. type: string
  22952. name:
  22953. description: The name of the Secret resource being referred to.
  22954. maxLength: 253
  22955. minLength: 1
  22956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22957. type: string
  22958. namespace:
  22959. description: |-
  22960. The namespace of the Secret resource being referred to.
  22961. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22962. maxLength: 63
  22963. minLength: 1
  22964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22965. type: string
  22966. type: object
  22967. value:
  22968. description: Value can be specified directly to set a value without using a secret.
  22969. type: string
  22970. type: object
  22971. clientSecret:
  22972. description: ClientSecret is the secret part of the credential.
  22973. properties:
  22974. secretRef:
  22975. description: SecretRef references a key in a secret that will be used as value.
  22976. properties:
  22977. key:
  22978. description: |-
  22979. A key in the referenced Secret.
  22980. Some instances of this field may be defaulted, in others it may be required.
  22981. maxLength: 253
  22982. minLength: 1
  22983. pattern: ^[-._a-zA-Z0-9]+$
  22984. type: string
  22985. name:
  22986. description: The name of the Secret resource being referred to.
  22987. maxLength: 253
  22988. minLength: 1
  22989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22990. type: string
  22991. namespace:
  22992. description: |-
  22993. The namespace of the Secret resource being referred to.
  22994. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22995. maxLength: 63
  22996. minLength: 1
  22997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22998. type: string
  22999. type: object
  23000. value:
  23001. description: Value can be specified directly to set a value without using a secret.
  23002. type: string
  23003. type: object
  23004. tenant:
  23005. description: Tenant is the chosen hostname / site name.
  23006. type: string
  23007. tld:
  23008. description: |-
  23009. TLD is based on the server location that was chosen during provisioning.
  23010. If unset, defaults to "com".
  23011. type: string
  23012. urlTemplate:
  23013. description: |-
  23014. URLTemplate
  23015. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  23016. type: string
  23017. required:
  23018. - clientId
  23019. - clientSecret
  23020. - tenant
  23021. type: object
  23022. device42:
  23023. description: Device42 configures this store to sync secrets using the Device42 provider
  23024. properties:
  23025. auth:
  23026. description: Auth configures how secret-manager authenticates with a Device42 instance.
  23027. properties:
  23028. secretRef:
  23029. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  23030. properties:
  23031. credentials:
  23032. description: Username / Password is used for authentication.
  23033. properties:
  23034. key:
  23035. description: |-
  23036. A key in the referenced Secret.
  23037. Some instances of this field may be defaulted, in others it may be required.
  23038. maxLength: 253
  23039. minLength: 1
  23040. pattern: ^[-._a-zA-Z0-9]+$
  23041. type: string
  23042. name:
  23043. description: The name of the Secret resource being referred to.
  23044. maxLength: 253
  23045. minLength: 1
  23046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23047. type: string
  23048. namespace:
  23049. description: |-
  23050. The namespace of the Secret resource being referred to.
  23051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23052. maxLength: 63
  23053. minLength: 1
  23054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23055. type: string
  23056. type: object
  23057. type: object
  23058. required:
  23059. - secretRef
  23060. type: object
  23061. host:
  23062. description: URL configures the Device42 instance URL.
  23063. type: string
  23064. required:
  23065. - auth
  23066. - host
  23067. type: object
  23068. doppler:
  23069. description: Doppler configures this store to sync secrets using the Doppler provider
  23070. properties:
  23071. auth:
  23072. description: Auth configures how the Operator authenticates with the Doppler API
  23073. properties:
  23074. secretRef:
  23075. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  23076. properties:
  23077. dopplerToken:
  23078. description: |-
  23079. The DopplerToken is used for authentication.
  23080. See https://docs.doppler.com/reference/api#authentication for auth token types.
  23081. The Key attribute defaults to dopplerToken if not specified.
  23082. properties:
  23083. key:
  23084. description: |-
  23085. A key in the referenced Secret.
  23086. Some instances of this field may be defaulted, in others it may be required.
  23087. maxLength: 253
  23088. minLength: 1
  23089. pattern: ^[-._a-zA-Z0-9]+$
  23090. type: string
  23091. name:
  23092. description: The name of the Secret resource being referred to.
  23093. maxLength: 253
  23094. minLength: 1
  23095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23096. type: string
  23097. namespace:
  23098. description: |-
  23099. The namespace of the Secret resource being referred to.
  23100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23101. maxLength: 63
  23102. minLength: 1
  23103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23104. type: string
  23105. type: object
  23106. required:
  23107. - dopplerToken
  23108. type: object
  23109. required:
  23110. - secretRef
  23111. type: object
  23112. config:
  23113. description: Doppler config (required if not using a Service Token)
  23114. type: string
  23115. format:
  23116. description: Format enables the downloading of secrets as a file (string)
  23117. enum:
  23118. - json
  23119. - dotnet-json
  23120. - env
  23121. - yaml
  23122. - docker
  23123. type: string
  23124. nameTransformer:
  23125. description: Environment variable compatible name transforms that change secret names to a different format
  23126. enum:
  23127. - upper-camel
  23128. - camel
  23129. - lower-snake
  23130. - tf-var
  23131. - dotnet-env
  23132. - lower-kebab
  23133. type: string
  23134. project:
  23135. description: Doppler project (required if not using a Service Token)
  23136. type: string
  23137. required:
  23138. - auth
  23139. type: object
  23140. fake:
  23141. description: Fake configures a store with static key/value pairs
  23142. properties:
  23143. data:
  23144. items:
  23145. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  23146. properties:
  23147. key:
  23148. type: string
  23149. value:
  23150. type: string
  23151. version:
  23152. type: string
  23153. required:
  23154. - key
  23155. - value
  23156. type: object
  23157. type: array
  23158. required:
  23159. - data
  23160. type: object
  23161. fortanix:
  23162. description: Fortanix configures this store to sync secrets using the Fortanix provider
  23163. properties:
  23164. apiKey:
  23165. description: APIKey is the API token to access SDKMS Applications.
  23166. properties:
  23167. secretRef:
  23168. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  23169. properties:
  23170. key:
  23171. description: |-
  23172. A key in the referenced Secret.
  23173. Some instances of this field may be defaulted, in others it may be required.
  23174. maxLength: 253
  23175. minLength: 1
  23176. pattern: ^[-._a-zA-Z0-9]+$
  23177. type: string
  23178. name:
  23179. description: The name of the Secret resource being referred to.
  23180. maxLength: 253
  23181. minLength: 1
  23182. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23183. type: string
  23184. namespace:
  23185. description: |-
  23186. The namespace of the Secret resource being referred to.
  23187. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23188. maxLength: 63
  23189. minLength: 1
  23190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23191. type: string
  23192. type: object
  23193. type: object
  23194. apiUrl:
  23195. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  23196. type: string
  23197. type: object
  23198. gcpsm:
  23199. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  23200. properties:
  23201. auth:
  23202. description: Auth defines the information necessary to authenticate against GCP
  23203. properties:
  23204. secretRef:
  23205. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  23206. properties:
  23207. secretAccessKeySecretRef:
  23208. description: The SecretAccessKey is used for authentication
  23209. properties:
  23210. key:
  23211. description: |-
  23212. A key in the referenced Secret.
  23213. Some instances of this field may be defaulted, in others it may be required.
  23214. maxLength: 253
  23215. minLength: 1
  23216. pattern: ^[-._a-zA-Z0-9]+$
  23217. type: string
  23218. name:
  23219. description: The name of the Secret resource being referred to.
  23220. maxLength: 253
  23221. minLength: 1
  23222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23223. type: string
  23224. namespace:
  23225. description: |-
  23226. The namespace of the Secret resource being referred to.
  23227. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23228. maxLength: 63
  23229. minLength: 1
  23230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23231. type: string
  23232. type: object
  23233. type: object
  23234. workloadIdentity:
  23235. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  23236. properties:
  23237. clusterLocation:
  23238. description: |-
  23239. ClusterLocation is the location of the cluster
  23240. If not specified, it fetches information from the metadata server
  23241. type: string
  23242. clusterName:
  23243. description: |-
  23244. ClusterName is the name of the cluster
  23245. If not specified, it fetches information from the metadata server
  23246. type: string
  23247. clusterProjectID:
  23248. description: |-
  23249. ClusterProjectID is the project ID of the cluster
  23250. If not specified, it fetches information from the metadata server
  23251. type: string
  23252. serviceAccountRef:
  23253. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23254. properties:
  23255. audiences:
  23256. description: |-
  23257. Audience specifies the `aud` claim for the service account token.
  23258. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  23259. then these audiences will be appended to the list.
  23260. items:
  23261. type: string
  23262. type: array
  23263. name:
  23264. description: The name of the ServiceAccount resource being referred to.
  23265. maxLength: 253
  23266. minLength: 1
  23267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23268. type: string
  23269. namespace:
  23270. description: |-
  23271. Namespace of the resource being referred to.
  23272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23273. maxLength: 63
  23274. minLength: 1
  23275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23276. type: string
  23277. required:
  23278. - name
  23279. type: object
  23280. required:
  23281. - serviceAccountRef
  23282. type: object
  23283. type: object
  23284. location:
  23285. description: Location optionally defines a location for a secret
  23286. type: string
  23287. projectID:
  23288. description: ProjectID is the project where the secret is located.
  23289. type: string
  23290. type: object
  23291. github:
  23292. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  23293. properties:
  23294. appID:
  23295. description: appID specifies the GitHub App that will be used to authenticate the client.
  23296. format: int64
  23297. type: integer
  23298. auth:
  23299. description: auth configures how secret-manager authenticates with a Github instance.
  23300. properties:
  23301. privateKey:
  23302. description: |-
  23303. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23304. In some instances, `key` is a required field.
  23305. properties:
  23306. key:
  23307. description: |-
  23308. A key in the referenced Secret.
  23309. Some instances of this field may be defaulted, in others it may be required.
  23310. maxLength: 253
  23311. minLength: 1
  23312. pattern: ^[-._a-zA-Z0-9]+$
  23313. type: string
  23314. name:
  23315. description: The name of the Secret resource being referred to.
  23316. maxLength: 253
  23317. minLength: 1
  23318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23319. type: string
  23320. namespace:
  23321. description: |-
  23322. The namespace of the Secret resource being referred to.
  23323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23324. maxLength: 63
  23325. minLength: 1
  23326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23327. type: string
  23328. type: object
  23329. required:
  23330. - privateKey
  23331. type: object
  23332. environment:
  23333. description: environment will be used to fetch secrets from a particular environment within a github repository
  23334. type: string
  23335. installationID:
  23336. description: installationID specifies the GitHub App installation that will be used to authenticate the client.
  23337. format: int64
  23338. type: integer
  23339. organization:
  23340. description: organization will be used to fetch secrets from the Github organization
  23341. type: string
  23342. repository:
  23343. description: repository will be used to fetch secrets from the Github repository within an organization
  23344. type: string
  23345. uploadURL:
  23346. description: Upload URL for enterprise instances. Defaults to URL.
  23347. type: string
  23348. url:
  23349. default: https://github.com/
  23350. description: URL configures the Github instance URL. Defaults to https://github.com/.
  23351. type: string
  23352. required:
  23353. - appID
  23354. - auth
  23355. - installationID
  23356. - organization
  23357. type: object
  23358. gitlab:
  23359. description: GitLab configures this store to sync secrets using GitLab Variables provider
  23360. properties:
  23361. auth:
  23362. description: Auth configures how secret-manager authenticates with a GitLab instance.
  23363. properties:
  23364. SecretRef:
  23365. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  23366. properties:
  23367. accessToken:
  23368. description: AccessToken is used for authentication.
  23369. properties:
  23370. key:
  23371. description: |-
  23372. A key in the referenced Secret.
  23373. Some instances of this field may be defaulted, in others it may be required.
  23374. maxLength: 253
  23375. minLength: 1
  23376. pattern: ^[-._a-zA-Z0-9]+$
  23377. type: string
  23378. name:
  23379. description: The name of the Secret resource being referred to.
  23380. maxLength: 253
  23381. minLength: 1
  23382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23383. type: string
  23384. namespace:
  23385. description: |-
  23386. The namespace of the Secret resource being referred to.
  23387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23388. maxLength: 63
  23389. minLength: 1
  23390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23391. type: string
  23392. type: object
  23393. type: object
  23394. required:
  23395. - SecretRef
  23396. type: object
  23397. caBundle:
  23398. description: |-
  23399. Base64-encoded certificate for the GitLab server SDK. The SDK MUST run over HTTPS to make sure no MITM attack
  23400. can be performed.
  23401. format: byte
  23402. type: string
  23403. caProvider:
  23404. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  23405. properties:
  23406. key:
  23407. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23408. maxLength: 253
  23409. minLength: 1
  23410. pattern: ^[-._a-zA-Z0-9]+$
  23411. type: string
  23412. name:
  23413. description: The name of the object located at the provider type.
  23414. maxLength: 253
  23415. minLength: 1
  23416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23417. type: string
  23418. namespace:
  23419. description: |-
  23420. The namespace the Provider type is in.
  23421. Can only be defined when used in a ClusterSecretStore.
  23422. maxLength: 63
  23423. minLength: 1
  23424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23425. type: string
  23426. type:
  23427. description: The type of provider to use such as "Secret", or "ConfigMap".
  23428. enum:
  23429. - Secret
  23430. - ConfigMap
  23431. type: string
  23432. required:
  23433. - name
  23434. - type
  23435. type: object
  23436. environment:
  23437. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment for how to create environments).
  23438. type: string
  23439. groupIDs:
  23440. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  23441. items:
  23442. type: string
  23443. type: array
  23444. inheritFromGroups:
  23445. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  23446. type: boolean
  23447. projectID:
  23448. description: ProjectID specifies a project where secrets are located.
  23449. type: string
  23450. url:
  23451. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  23452. type: string
  23453. required:
  23454. - auth
  23455. type: object
  23456. ibm:
  23457. description: IBM configures this store to sync secrets using IBM Cloud provider
  23458. properties:
  23459. auth:
  23460. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  23461. maxProperties: 1
  23462. minProperties: 1
  23463. properties:
  23464. containerAuth:
  23465. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  23466. properties:
  23467. iamEndpoint:
  23468. type: string
  23469. profile:
  23470. description: the IBM Trusted Profile
  23471. type: string
  23472. tokenLocation:
  23473. description: Location where the token is mounted on the pod.
  23474. type: string
  23475. required:
  23476. - profile
  23477. type: object
  23478. secretRef:
  23479. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  23480. properties:
  23481. secretApiKeySecretRef:
  23482. description: The SecretAccessKey is used for authentication
  23483. properties:
  23484. key:
  23485. description: |-
  23486. A key in the referenced Secret.
  23487. Some instances of this field may be defaulted, in others it may be required.
  23488. maxLength: 253
  23489. minLength: 1
  23490. pattern: ^[-._a-zA-Z0-9]+$
  23491. type: string
  23492. name:
  23493. description: The name of the Secret resource being referred to.
  23494. maxLength: 253
  23495. minLength: 1
  23496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23497. type: string
  23498. namespace:
  23499. description: |-
  23500. The namespace of the Secret resource being referred to.
  23501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23502. maxLength: 63
  23503. minLength: 1
  23504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23505. type: string
  23506. type: object
  23507. type: object
  23508. type: object
  23509. serviceUrl:
  23510. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  23511. type: string
  23512. required:
  23513. - auth
  23514. type: object
  23515. infisical:
  23516. description: Infisical configures this store to sync secrets using the Infisical provider
  23517. properties:
  23518. auth:
  23519. description: Auth configures how the Operator authenticates with the Infisical API
  23520. properties:
  23521. universalAuthCredentials:
  23522. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  23523. properties:
  23524. clientId:
  23525. description: |-
  23526. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23527. In some instances, `key` is a required field.
  23528. properties:
  23529. key:
  23530. description: |-
  23531. A key in the referenced Secret.
  23532. Some instances of this field may be defaulted, in others it may be required.
  23533. maxLength: 253
  23534. minLength: 1
  23535. pattern: ^[-._a-zA-Z0-9]+$
  23536. type: string
  23537. name:
  23538. description: The name of the Secret resource being referred to.
  23539. maxLength: 253
  23540. minLength: 1
  23541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23542. type: string
  23543. namespace:
  23544. description: |-
  23545. The namespace of the Secret resource being referred to.
  23546. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23547. maxLength: 63
  23548. minLength: 1
  23549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23550. type: string
  23551. type: object
  23552. clientSecret:
  23553. description: |-
  23554. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23555. In some instances, `key` is a required field.
  23556. properties:
  23557. key:
  23558. description: |-
  23559. A key in the referenced Secret.
  23560. Some instances of this field may be defaulted, in others it may be required.
  23561. maxLength: 253
  23562. minLength: 1
  23563. pattern: ^[-._a-zA-Z0-9]+$
  23564. type: string
  23565. name:
  23566. description: The name of the Secret resource being referred to.
  23567. maxLength: 253
  23568. minLength: 1
  23569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23570. type: string
  23571. namespace:
  23572. description: |-
  23573. The namespace of the Secret resource being referred to.
  23574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23575. maxLength: 63
  23576. minLength: 1
  23577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23578. type: string
  23579. type: object
  23580. required:
  23581. - clientId
  23582. - clientSecret
  23583. type: object
  23584. type: object
  23585. hostAPI:
  23586. default: https://app.infisical.com/api
  23587. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23588. type: string
  23589. secretsScope:
  23590. description: SecretsScope defines the scope of the secrets within the workspace
  23591. properties:
  23592. environmentSlug:
  23593. description: EnvironmentSlug is the required slug identifier for the environment.
  23594. type: string
  23595. expandSecretReferences:
  23596. default: true
  23597. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23598. type: boolean
  23599. projectSlug:
  23600. description: ProjectSlug is the required slug identifier for the project.
  23601. type: string
  23602. recursive:
  23603. default: false
  23604. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23605. type: boolean
  23606. secretsPath:
  23607. default: /
  23608. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23609. type: string
  23610. required:
  23611. - environmentSlug
  23612. - projectSlug
  23613. type: object
  23614. required:
  23615. - auth
  23616. - secretsScope
  23617. type: object
  23618. keepersecurity:
  23619. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23620. properties:
  23621. authRef:
  23622. description: |-
  23623. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23624. In some instances, `key` is a required field.
  23625. properties:
  23626. key:
  23627. description: |-
  23628. A key in the referenced Secret.
  23629. Some instances of this field may be defaulted, in others it may be required.
  23630. maxLength: 253
  23631. minLength: 1
  23632. pattern: ^[-._a-zA-Z0-9]+$
  23633. type: string
  23634. name:
  23635. description: The name of the Secret resource being referred to.
  23636. maxLength: 253
  23637. minLength: 1
  23638. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23639. type: string
  23640. namespace:
  23641. description: |-
  23642. The namespace of the Secret resource being referred to.
  23643. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23644. maxLength: 63
  23645. minLength: 1
  23646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23647. type: string
  23648. type: object
  23649. folderID:
  23650. type: string
  23651. required:
  23652. - authRef
  23653. - folderID
  23654. type: object
  23655. kubernetes:
  23656. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23657. properties:
  23658. auth:
  23659. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23660. maxProperties: 1
  23661. minProperties: 1
  23662. properties:
  23663. cert:
  23664. description: has both clientCert and clientKey as secretKeySelector
  23665. properties:
  23666. clientCert:
  23667. description: |-
  23668. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23669. In some instances, `key` is a required field.
  23670. properties:
  23671. key:
  23672. description: |-
  23673. A key in the referenced Secret.
  23674. Some instances of this field may be defaulted, in others it may be required.
  23675. maxLength: 253
  23676. minLength: 1
  23677. pattern: ^[-._a-zA-Z0-9]+$
  23678. type: string
  23679. name:
  23680. description: The name of the Secret resource being referred to.
  23681. maxLength: 253
  23682. minLength: 1
  23683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23684. type: string
  23685. namespace:
  23686. description: |-
  23687. The namespace of the Secret resource being referred to.
  23688. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23689. maxLength: 63
  23690. minLength: 1
  23691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23692. type: string
  23693. type: object
  23694. clientKey:
  23695. description: |-
  23696. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23697. In some instances, `key` is a required field.
  23698. properties:
  23699. key:
  23700. description: |-
  23701. A key in the referenced Secret.
  23702. Some instances of this field may be defaulted, in others it may be required.
  23703. maxLength: 253
  23704. minLength: 1
  23705. pattern: ^[-._a-zA-Z0-9]+$
  23706. type: string
  23707. name:
  23708. description: The name of the Secret resource being referred to.
  23709. maxLength: 253
  23710. minLength: 1
  23711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23712. type: string
  23713. namespace:
  23714. description: |-
  23715. The namespace of the Secret resource being referred to.
  23716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23717. maxLength: 63
  23718. minLength: 1
  23719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23720. type: string
  23721. type: object
  23722. type: object
  23723. serviceAccount:
  23724. description: points to a service account that should be used for authentication
  23725. properties:
  23726. audiences:
  23727. description: |-
  23728. Audience specifies the `aud` claim for the service account token
  23729. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23730. then these audiences will be appended to the list
  23731. items:
  23732. type: string
  23733. type: array
  23734. name:
  23735. description: The name of the ServiceAccount resource being referred to.
  23736. maxLength: 253
  23737. minLength: 1
  23738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23739. type: string
  23740. namespace:
  23741. description: |-
  23742. Namespace of the resource being referred to.
  23743. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23744. maxLength: 63
  23745. minLength: 1
  23746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23747. type: string
  23748. required:
  23749. - name
  23750. type: object
  23751. token:
  23752. description: use static token to authenticate with
  23753. properties:
  23754. bearerToken:
  23755. description: |-
  23756. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23757. In some instances, `key` is a required field.
  23758. properties:
  23759. key:
  23760. description: |-
  23761. A key in the referenced Secret.
  23762. Some instances of this field may be defaulted, in others it may be required.
  23763. maxLength: 253
  23764. minLength: 1
  23765. pattern: ^[-._a-zA-Z0-9]+$
  23766. type: string
  23767. name:
  23768. description: The name of the Secret resource being referred to.
  23769. maxLength: 253
  23770. minLength: 1
  23771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23772. type: string
  23773. namespace:
  23774. description: |-
  23775. The namespace of the Secret resource being referred to.
  23776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23777. maxLength: 63
  23778. minLength: 1
  23779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23780. type: string
  23781. type: object
  23782. type: object
  23783. type: object
  23784. authRef:
  23785. description: A reference to a secret that contains the auth information.
  23786. properties:
  23787. key:
  23788. description: |-
  23789. A key in the referenced Secret.
  23790. Some instances of this field may be defaulted, in others it may be required.
  23791. maxLength: 253
  23792. minLength: 1
  23793. pattern: ^[-._a-zA-Z0-9]+$
  23794. type: string
  23795. name:
  23796. description: The name of the Secret resource being referred to.
  23797. maxLength: 253
  23798. minLength: 1
  23799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23800. type: string
  23801. namespace:
  23802. description: |-
  23803. The namespace of the Secret resource being referred to.
  23804. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23805. maxLength: 63
  23806. minLength: 1
  23807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23808. type: string
  23809. type: object
  23810. remoteNamespace:
  23811. default: default
  23812. description: Remote namespace to fetch the secrets from
  23813. maxLength: 63
  23814. minLength: 1
  23815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23816. type: string
  23817. server:
  23818. description: configures the Kubernetes server Address.
  23819. properties:
  23820. caBundle:
  23821. description: CABundle is a base64-encoded CA certificate
  23822. format: byte
  23823. type: string
  23824. caProvider:
  23825. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23826. properties:
  23827. key:
  23828. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23829. maxLength: 253
  23830. minLength: 1
  23831. pattern: ^[-._a-zA-Z0-9]+$
  23832. type: string
  23833. name:
  23834. description: The name of the object located at the provider type.
  23835. maxLength: 253
  23836. minLength: 1
  23837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23838. type: string
  23839. namespace:
  23840. description: |-
  23841. The namespace the Provider type is in.
  23842. Can only be defined when used in a ClusterSecretStore.
  23843. maxLength: 63
  23844. minLength: 1
  23845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23846. type: string
  23847. type:
  23848. description: The type of provider to use such as "Secret", or "ConfigMap".
  23849. enum:
  23850. - Secret
  23851. - ConfigMap
  23852. type: string
  23853. required:
  23854. - name
  23855. - type
  23856. type: object
  23857. url:
  23858. default: kubernetes.default
  23859. description: configures the Kubernetes server Address.
  23860. type: string
  23861. type: object
  23862. type: object
  23863. onboardbase:
  23864. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23865. properties:
  23866. apiHost:
  23867. default: https://public.onboardbase.com/api/v1/
  23868. description: APIHost configures the host URL of the API for self-hosted installations; default is https://public.onboardbase.com/api/v1/
  23869. type: string
  23870. auth:
  23871. description: Auth configures how the Operator authenticates with the Onboardbase API
  23872. properties:
  23873. apiKeyRef:
  23874. description: |-
  23875. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23876. It is used to recognize and authorize access to a project and environment within onboardbase
  23877. properties:
  23878. key:
  23879. description: |-
  23880. A key in the referenced Secret.
  23881. Some instances of this field may be defaulted, in others it may be required.
  23882. maxLength: 253
  23883. minLength: 1
  23884. pattern: ^[-._a-zA-Z0-9]+$
  23885. type: string
  23886. name:
  23887. description: The name of the Secret resource being referred to.
  23888. maxLength: 253
  23889. minLength: 1
  23890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23891. type: string
  23892. namespace:
  23893. description: |-
  23894. The namespace of the Secret resource being referred to.
  23895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23896. maxLength: 63
  23897. minLength: 1
  23898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23899. type: string
  23900. type: object
  23901. passcodeRef:
  23902. description: OnboardbasePasscode is the passcode attached to the API Key
  23903. properties:
  23904. key:
  23905. description: |-
  23906. A key in the referenced Secret.
  23907. Some instances of this field may be defaulted, in others it may be required.
  23908. maxLength: 253
  23909. minLength: 1
  23910. pattern: ^[-._a-zA-Z0-9]+$
  23911. type: string
  23912. name:
  23913. description: The name of the Secret resource being referred to.
  23914. maxLength: 253
  23915. minLength: 1
  23916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23917. type: string
  23918. namespace:
  23919. description: |-
  23920. The namespace of the Secret resource being referred to.
  23921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23922. maxLength: 63
  23923. minLength: 1
  23924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23925. type: string
  23926. type: object
  23927. required:
  23928. - apiKeyRef
  23929. - passcodeRef
  23930. type: object
  23931. environment:
  23932. default: development
  23933. description: Environment is the name of an environment within a project to pull the secrets from
  23934. type: string
  23935. project:
  23936. default: development
  23937. description: Project is an onboardbase project that the secrets should be pulled from
  23938. type: string
  23939. required:
  23940. - apiHost
  23941. - auth
  23942. - environment
  23943. - project
  23944. type: object
  23945. onepassword:
  23946. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23947. properties:
  23948. auth:
  23949. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23950. properties:
  23951. secretRef:
  23952. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23953. properties:
  23954. connectTokenSecretRef:
  23955. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23956. properties:
  23957. key:
  23958. description: |-
  23959. A key in the referenced Secret.
  23960. Some instances of this field may be defaulted, in others it may be required.
  23961. maxLength: 253
  23962. minLength: 1
  23963. pattern: ^[-._a-zA-Z0-9]+$
  23964. type: string
  23965. name:
  23966. description: The name of the Secret resource being referred to.
  23967. maxLength: 253
  23968. minLength: 1
  23969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23970. type: string
  23971. namespace:
  23972. description: |-
  23973. The namespace of the Secret resource being referred to.
  23974. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23975. maxLength: 63
  23976. minLength: 1
  23977. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23978. type: string
  23979. type: object
  23980. required:
  23981. - connectTokenSecretRef
  23982. type: object
  23983. required:
  23984. - secretRef
  23985. type: object
  23986. connectHost:
  23987. description: ConnectHost defines the OnePassword Connect Server to connect to
  23988. type: string
  23989. vaults:
  23990. additionalProperties:
  23991. type: integer
  23992. description: Vaults defines which OnePassword vaults to search in which order
  23993. type: object
  23994. required:
  23995. - auth
  23996. - connectHost
  23997. - vaults
  23998. type: object
  23999. oracle:
  24000. description: Oracle configures this store to sync secrets using Oracle Vault provider
  24001. properties:
  24002. auth:
  24003. description: |-
  24004. Auth configures how secret-manager authenticates with the Oracle Vault.
  24005. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  24006. properties:
  24007. secretRef:
  24008. description: SecretRef to pass through sensitive information.
  24009. properties:
  24010. fingerprint:
  24011. description: Fingerprint is the fingerprint of the API private key.
  24012. properties:
  24013. key:
  24014. description: |-
  24015. A key in the referenced Secret.
  24016. Some instances of this field may be defaulted, in others it may be required.
  24017. maxLength: 253
  24018. minLength: 1
  24019. pattern: ^[-._a-zA-Z0-9]+$
  24020. type: string
  24021. name:
  24022. description: The name of the Secret resource being referred to.
  24023. maxLength: 253
  24024. minLength: 1
  24025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24026. type: string
  24027. namespace:
  24028. description: |-
  24029. The namespace of the Secret resource being referred to.
  24030. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24031. maxLength: 63
  24032. minLength: 1
  24033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24034. type: string
  24035. type: object
  24036. privatekey:
  24037. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  24038. properties:
  24039. key:
  24040. description: |-
  24041. A key in the referenced Secret.
  24042. Some instances of this field may be defaulted, in others it may be required.
  24043. maxLength: 253
  24044. minLength: 1
  24045. pattern: ^[-._a-zA-Z0-9]+$
  24046. type: string
  24047. name:
  24048. description: The name of the Secret resource being referred to.
  24049. maxLength: 253
  24050. minLength: 1
  24051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24052. type: string
  24053. namespace:
  24054. description: |-
  24055. The namespace of the Secret resource being referred to.
  24056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24057. maxLength: 63
  24058. minLength: 1
  24059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24060. type: string
  24061. type: object
  24062. required:
  24063. - fingerprint
  24064. - privatekey
  24065. type: object
  24066. tenancy:
  24067. description: Tenancy is the tenancy OCID where the user is located.
  24068. type: string
  24069. user:
  24070. description: User is an access OCID specific to the account.
  24071. type: string
  24072. required:
  24073. - secretRef
  24074. - tenancy
  24075. - user
  24076. type: object
  24077. compartment:
  24078. description: |-
  24079. Compartment is the vault compartment OCID.
  24080. Required for PushSecret
  24081. type: string
  24082. encryptionKey:
  24083. description: |-
  24084. EncryptionKey is the OCID of the encryption key within the vault.
  24085. Required for PushSecret
  24086. type: string
  24087. principalType:
  24088. description: |-
  24089. The type of principal to use for authentication. If left blank, the Auth struct will
  24090. determine the principal type. This optional field must be specified if using
  24091. workload identity.
  24092. enum:
  24093. - ""
  24094. - UserPrincipal
  24095. - InstancePrincipal
  24096. - Workload
  24097. type: string
  24098. region:
  24099. description: Region is the region where vault is located.
  24100. type: string
  24101. serviceAccountRef:
  24102. description: |-
  24103. ServiceAccountRef specifies the service account
  24104. that should be used when authenticating with WorkloadIdentity.
  24105. properties:
  24106. audiences:
  24107. description: |-
  24108. Audience specifies the `aud` claim for the service account token
  24109. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24110. then these audiences will be appended to the list
  24111. items:
  24112. type: string
  24113. type: array
  24114. name:
  24115. description: The name of the ServiceAccount resource being referred to.
  24116. maxLength: 253
  24117. minLength: 1
  24118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24119. type: string
  24120. namespace:
  24121. description: |-
  24122. Namespace of the resource being referred to.
  24123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24124. maxLength: 63
  24125. minLength: 1
  24126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24127. type: string
  24128. required:
  24129. - name
  24130. type: object
  24131. vault:
  24132. description: Vault is the OCID of the specific vault where the secret is located.
  24133. type: string
  24134. required:
  24135. - region
  24136. - vault
  24137. type: object
  24138. passbolt:
  24139. description: PassboltProvider defines configuration for the Passbolt provider.
  24140. properties:
  24141. auth:
  24142. description: Auth defines the information necessary to authenticate against Passbolt Server
  24143. properties:
  24144. passwordSecretRef:
  24145. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  24146. properties:
  24147. key:
  24148. description: |-
  24149. A key in the referenced Secret.
  24150. Some instances of this field may be defaulted, in others it may be required.
  24151. maxLength: 253
  24152. minLength: 1
  24153. pattern: ^[-._a-zA-Z0-9]+$
  24154. type: string
  24155. name:
  24156. description: The name of the Secret resource being referred to.
  24157. maxLength: 253
  24158. minLength: 1
  24159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24160. type: string
  24161. namespace:
  24162. description: |-
  24163. The namespace of the Secret resource being referred to.
  24164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24165. maxLength: 63
  24166. minLength: 1
  24167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24168. type: string
  24169. type: object
  24170. privateKeySecretRef:
  24171. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  24172. properties:
  24173. key:
  24174. description: |-
  24175. A key in the referenced Secret.
  24176. Some instances of this field may be defaulted, in others it may be required.
  24177. maxLength: 253
  24178. minLength: 1
  24179. pattern: ^[-._a-zA-Z0-9]+$
  24180. type: string
  24181. name:
  24182. description: The name of the Secret resource being referred to.
  24183. maxLength: 253
  24184. minLength: 1
  24185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24186. type: string
  24187. namespace:
  24188. description: |-
  24189. The namespace of the Secret resource being referred to.
  24190. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24191. maxLength: 63
  24192. minLength: 1
  24193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24194. type: string
  24195. type: object
  24196. required:
  24197. - passwordSecretRef
  24198. - privateKeySecretRef
  24199. type: object
  24200. host:
  24201. description: Host defines the Passbolt Server to connect to
  24202. type: string
  24203. required:
  24204. - auth
  24205. - host
  24206. type: object
  24207. passworddepot:
  24208. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  24209. properties:
  24210. auth:
  24211. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  24212. properties:
  24213. secretRef:
  24214. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  24215. properties:
  24216. credentials:
  24217. description: Username / Password is used for authentication.
  24218. properties:
  24219. key:
  24220. description: |-
  24221. A key in the referenced Secret.
  24222. Some instances of this field may be defaulted, in others it may be required.
  24223. maxLength: 253
  24224. minLength: 1
  24225. pattern: ^[-._a-zA-Z0-9]+$
  24226. type: string
  24227. name:
  24228. description: The name of the Secret resource being referred to.
  24229. maxLength: 253
  24230. minLength: 1
  24231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24232. type: string
  24233. namespace:
  24234. description: |-
  24235. The namespace of the Secret resource being referred to.
  24236. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24237. maxLength: 63
  24238. minLength: 1
  24239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24240. type: string
  24241. type: object
  24242. type: object
  24243. required:
  24244. - secretRef
  24245. type: object
  24246. database:
  24247. description: Database to use as source
  24248. type: string
  24249. host:
  24250. description: URL configures the Password Depot instance URL.
  24251. type: string
  24252. required:
  24253. - auth
  24254. - database
  24255. - host
  24256. type: object
  24257. previder:
  24258. description: Previder configures this store to sync secrets using the Previder provider
  24259. properties:
  24260. auth:
  24261. description: PreviderAuth contains a secretRef for credentials.
  24262. properties:
  24263. secretRef:
  24264. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  24265. properties:
  24266. accessToken:
  24267. description: The AccessToken is used for authentication
  24268. properties:
  24269. key:
  24270. description: |-
  24271. A key in the referenced Secret.
  24272. Some instances of this field may be defaulted, in others it may be required.
  24273. maxLength: 253
  24274. minLength: 1
  24275. pattern: ^[-._a-zA-Z0-9]+$
  24276. type: string
  24277. name:
  24278. description: The name of the Secret resource being referred to.
  24279. maxLength: 253
  24280. minLength: 1
  24281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24282. type: string
  24283. namespace:
  24284. description: |-
  24285. The namespace of the Secret resource being referred to.
  24286. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24287. maxLength: 63
  24288. minLength: 1
  24289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24290. type: string
  24291. type: object
  24292. required:
  24293. - accessToken
  24294. type: object
  24295. type: object
  24296. baseUri:
  24297. type: string
  24298. required:
  24299. - auth
  24300. type: object
  24301. pulumi:
  24302. description: Pulumi configures this store to sync secrets using the Pulumi provider
  24303. properties:
  24304. accessToken:
  24305. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  24306. properties:
  24307. secretRef:
  24308. description: SecretRef is a reference to a secret containing the Pulumi API token.
  24309. properties:
  24310. key:
  24311. description: |-
  24312. A key in the referenced Secret.
  24313. Some instances of this field may be defaulted, in others it may be required.
  24314. maxLength: 253
  24315. minLength: 1
  24316. pattern: ^[-._a-zA-Z0-9]+$
  24317. type: string
  24318. name:
  24319. description: The name of the Secret resource being referred to.
  24320. maxLength: 253
  24321. minLength: 1
  24322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24323. type: string
  24324. namespace:
  24325. description: |-
  24326. The namespace of the Secret resource being referred to.
  24327. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24328. maxLength: 63
  24329. minLength: 1
  24330. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24331. type: string
  24332. type: object
  24333. type: object
  24334. apiUrl:
  24335. default: https://api.pulumi.com/api/esc
  24336. description: APIURL is the URL of the Pulumi API.
  24337. type: string
  24338. environment:
  24339. description: |-
  24340. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  24341. dynamically retrieved values from supported providers including all major clouds,
  24342. and other Pulumi ESC environments.
  24343. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  24344. type: string
  24345. organization:
  24346. description: |-
  24347. An Organization is a space to collaborate on shared projects and stacks.
  24348. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  24349. type: string
  24350. project:
  24351. description: Project is the name of the Pulumi ESC project the environment belongs to.
  24352. type: string
  24353. required:
  24354. - accessToken
  24355. - environment
  24356. - organization
  24357. - project
  24358. type: object
  24359. scaleway:
  24360. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  24361. properties:
  24362. accessKey:
  24363. description: AccessKey is the non-secret part of the api key.
  24364. properties:
  24365. secretRef:
  24366. description: SecretRef references a key in a secret that will be used as value.
  24367. properties:
  24368. key:
  24369. description: |-
  24370. A key in the referenced Secret.
  24371. Some instances of this field may be defaulted, in others it may be required.
  24372. maxLength: 253
  24373. minLength: 1
  24374. pattern: ^[-._a-zA-Z0-9]+$
  24375. type: string
  24376. name:
  24377. description: The name of the Secret resource being referred to.
  24378. maxLength: 253
  24379. minLength: 1
  24380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24381. type: string
  24382. namespace:
  24383. description: |-
  24384. The namespace of the Secret resource being referred to.
  24385. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24386. maxLength: 63
  24387. minLength: 1
  24388. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24389. type: string
  24390. type: object
  24391. value:
  24392. description: Value can be specified directly to set a value without using a secret.
  24393. type: string
  24394. type: object
  24395. apiUrl:
  24396. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  24397. type: string
  24398. projectId:
  24399. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  24400. type: string
  24401. region:
  24402. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  24403. type: string
  24404. secretKey:
24405. description: SecretKey is the secret part of the api key. Unlike AccessKey it must be kept confidential; supply it through secretRef rather than inline via value, which stores the credential in clear text in the store object.
  24406. properties:
  24407. secretRef:
  24408. description: SecretRef references a key in a secret that will be used as value.
  24409. properties:
  24410. key:
  24411. description: |-
  24412. A key in the referenced Secret.
  24413. Some instances of this field may be defaulted, in others it may be required.
  24414. maxLength: 253
  24415. minLength: 1
  24416. pattern: ^[-._a-zA-Z0-9]+$
  24417. type: string
  24418. name:
  24419. description: The name of the Secret resource being referred to.
  24420. maxLength: 253
  24421. minLength: 1
  24422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24423. type: string
  24424. namespace:
  24425. description: |-
  24426. The namespace of the Secret resource being referred to.
  24427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24428. maxLength: 63
  24429. minLength: 1
  24430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24431. type: string
  24432. type: object
  24433. value:
  24434. description: Value can be specified directly to set a value without using a secret.
  24435. type: string
  24436. type: object
  24437. required:
  24438. - accessKey
  24439. - projectId
  24440. - region
  24441. - secretKey
  24442. type: object
  24443. secretserver:
  24444. description: |-
  24445. SecretServer configures this store to sync secrets using SecretServer provider
  24446. https://docs.delinea.com/online-help/secret-server/start.htm
  24447. properties:
  24448. password:
  24449. description: Password is the secret server account password.
  24450. properties:
  24451. secretRef:
  24452. description: SecretRef references a key in a secret that will be used as value.
  24453. properties:
  24454. key:
  24455. description: |-
  24456. A key in the referenced Secret.
  24457. Some instances of this field may be defaulted, in others it may be required.
  24458. maxLength: 253
  24459. minLength: 1
  24460. pattern: ^[-._a-zA-Z0-9]+$
  24461. type: string
  24462. name:
  24463. description: The name of the Secret resource being referred to.
  24464. maxLength: 253
  24465. minLength: 1
  24466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24467. type: string
  24468. namespace:
  24469. description: |-
  24470. The namespace of the Secret resource being referred to.
  24471. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24472. maxLength: 63
  24473. minLength: 1
  24474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24475. type: string
  24476. type: object
  24477. value:
24478. description: Value can be specified directly to set a value without using a secret. For the password this places the credential in clear text in the store object; prefer secretRef.
  24479. type: string
  24480. type: object
  24481. serverURL:
  24482. description: |-
24483. ServerURL is the URL of your Secret Server installation.
  24485. type: string
  24486. username:
  24487. description: Username is the secret server account username.
  24488. properties:
  24489. secretRef:
  24490. description: SecretRef references a key in a secret that will be used as value.
  24491. properties:
  24492. key:
  24493. description: |-
  24494. A key in the referenced Secret.
  24495. Some instances of this field may be defaulted, in others it may be required.
  24496. maxLength: 253
  24497. minLength: 1
  24498. pattern: ^[-._a-zA-Z0-9]+$
  24499. type: string
  24500. name:
  24501. description: The name of the Secret resource being referred to.
  24502. maxLength: 253
  24503. minLength: 1
  24504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24505. type: string
  24506. namespace:
  24507. description: |-
  24508. The namespace of the Secret resource being referred to.
  24509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24510. maxLength: 63
  24511. minLength: 1
  24512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24513. type: string
  24514. type: object
  24515. value:
  24516. description: Value can be specified directly to set a value without using a secret.
  24517. type: string
  24518. type: object
  24519. required:
  24520. - password
  24521. - serverURL
  24522. - username
  24523. type: object
  24524. senhasegura:
  24525. description: Senhasegura configures this store to sync secrets using senhasegura provider
  24526. properties:
  24527. auth:
  24528. description: Auth defines parameters to authenticate in senhasegura
  24529. properties:
  24530. clientId:
  24531. type: string
  24532. clientSecretSecretRef:
  24533. description: |-
  24534. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24535. In some instances, `key` is a required field.
  24536. properties:
  24537. key:
  24538. description: |-
  24539. A key in the referenced Secret.
  24540. Some instances of this field may be defaulted, in others it may be required.
  24541. maxLength: 253
  24542. minLength: 1
  24543. pattern: ^[-._a-zA-Z0-9]+$
  24544. type: string
  24545. name:
  24546. description: The name of the Secret resource being referred to.
  24547. maxLength: 253
  24548. minLength: 1
  24549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24550. type: string
  24551. namespace:
  24552. description: |-
  24553. The namespace of the Secret resource being referred to.
  24554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24555. maxLength: 63
  24556. minLength: 1
  24557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24558. type: string
  24559. type: object
  24560. required:
  24561. - clientId
  24562. - clientSecretSecretRef
  24563. type: object
  24564. ignoreSslCertificate:
  24565. default: false
24566. description: IgnoreSslCertificate disables TLS server certificate verification for the senhasegura URL. Leave it at the default of false outside local testing; with verification disabled the clientId/clientSecret and every fetched secret can be intercepted by a man-in-the-middle.
  24567. type: boolean
  24568. module:
  24569. description: Module defines which senhasegura module should be used to get secrets
  24570. type: string
  24571. url:
  24572. description: URL of senhasegura
  24573. type: string
  24574. required:
  24575. - auth
  24576. - module
  24577. - url
  24578. type: object
  24579. vault:
  24580. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24581. properties:
  24582. auth:
  24583. description: Auth configures how secret-manager authenticates with the Vault server.
  24584. properties:
  24585. appRole:
  24586. description: |-
  24587. AppRole authenticates with Vault using the App Role auth mechanism,
  24588. with the role and secret stored in a Kubernetes Secret resource.
  24589. properties:
  24590. path:
  24591. default: approle
  24592. description: |-
  24593. Path where the App Role authentication backend is mounted
  24594. in Vault, e.g: "approle"
  24595. type: string
  24596. roleId:
  24597. description: |-
  24598. RoleID configured in the App Role authentication backend when setting
  24599. up the authentication backend in Vault.
  24600. type: string
  24601. roleRef:
  24602. description: |-
  24603. Reference to a key in a Secret that contains the App Role ID used
  24604. to authenticate with Vault.
  24605. The `key` field must be specified and denotes which entry within the Secret
  24606. resource is used as the app role id.
  24607. properties:
  24608. key:
  24609. description: |-
  24610. A key in the referenced Secret.
  24611. Some instances of this field may be defaulted, in others it may be required.
  24612. maxLength: 253
  24613. minLength: 1
  24614. pattern: ^[-._a-zA-Z0-9]+$
  24615. type: string
  24616. name:
  24617. description: The name of the Secret resource being referred to.
  24618. maxLength: 253
  24619. minLength: 1
  24620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24621. type: string
  24622. namespace:
  24623. description: |-
  24624. The namespace of the Secret resource being referred to.
  24625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24626. maxLength: 63
  24627. minLength: 1
  24628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24629. type: string
  24630. type: object
  24631. secretRef:
  24632. description: |-
  24633. Reference to a key in a Secret that contains the App Role secret used
  24634. to authenticate with Vault.
  24635. The `key` field must be specified and denotes which entry within the Secret
  24636. resource is used as the app role secret.
  24637. properties:
  24638. key:
  24639. description: |-
  24640. A key in the referenced Secret.
  24641. Some instances of this field may be defaulted, in others it may be required.
  24642. maxLength: 253
  24643. minLength: 1
  24644. pattern: ^[-._a-zA-Z0-9]+$
  24645. type: string
  24646. name:
  24647. description: The name of the Secret resource being referred to.
  24648. maxLength: 253
  24649. minLength: 1
  24650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24651. type: string
  24652. namespace:
  24653. description: |-
  24654. The namespace of the Secret resource being referred to.
  24655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24656. maxLength: 63
  24657. minLength: 1
  24658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24659. type: string
  24660. type: object
  24661. required:
  24662. - path
  24663. - secretRef
  24664. type: object
  24665. cert:
  24666. description: |-
24667. Cert authenticates with Vault using the TLS certificate auth method, presenting the client certificate and private key referenced below.
  24669. properties:
  24670. clientCert:
  24671. description: |-
  24672. ClientCert is a certificate to authenticate using the Cert Vault
  24673. authentication method
  24674. properties:
  24675. key:
  24676. description: |-
  24677. A key in the referenced Secret.
  24678. Some instances of this field may be defaulted, in others it may be required.
  24679. maxLength: 253
  24680. minLength: 1
  24681. pattern: ^[-._a-zA-Z0-9]+$
  24682. type: string
  24683. name:
  24684. description: The name of the Secret resource being referred to.
  24685. maxLength: 253
  24686. minLength: 1
  24687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24688. type: string
  24689. namespace:
  24690. description: |-
  24691. The namespace of the Secret resource being referred to.
  24692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24693. maxLength: 63
  24694. minLength: 1
  24695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24696. type: string
  24697. type: object
  24698. secretRef:
  24699. description: |-
  24700. SecretRef to a key in a Secret resource containing client private key to
  24701. authenticate with Vault using the Cert authentication method
  24702. properties:
  24703. key:
  24704. description: |-
  24705. A key in the referenced Secret.
  24706. Some instances of this field may be defaulted, in others it may be required.
  24707. maxLength: 253
  24708. minLength: 1
  24709. pattern: ^[-._a-zA-Z0-9]+$
  24710. type: string
  24711. name:
  24712. description: The name of the Secret resource being referred to.
  24713. maxLength: 253
  24714. minLength: 1
  24715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24716. type: string
  24717. namespace:
  24718. description: |-
  24719. The namespace of the Secret resource being referred to.
  24720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24721. maxLength: 63
  24722. minLength: 1
  24723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24724. type: string
  24725. type: object
  24726. type: object
  24727. iam:
  24728. description: |-
24729. Iam authenticates with Vault by sending a request signed with AWS IAM credentials (the AWS IAM auth method).
  24731. properties:
  24732. externalID:
  24733. description: AWS External ID set on assumed IAM roles
  24734. type: string
  24735. jwt:
  24736. description: Specify a service account with IRSA enabled
  24737. properties:
  24738. serviceAccountRef:
  24739. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24740. properties:
  24741. audiences:
  24742. description: |-
  24743. Audience specifies the `aud` claim for the service account token
  24744. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
24745. then these audiences will be appended to the list
  24746. items:
  24747. type: string
  24748. type: array
  24749. name:
  24750. description: The name of the ServiceAccount resource being referred to.
  24751. maxLength: 253
  24752. minLength: 1
  24753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24754. type: string
  24755. namespace:
  24756. description: |-
  24757. Namespace of the resource being referred to.
  24758. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24759. maxLength: 63
  24760. minLength: 1
  24761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24762. type: string
  24763. required:
  24764. - name
  24765. type: object
  24766. type: object
  24767. path:
  24768. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24769. type: string
  24770. region:
  24771. description: AWS region
  24772. type: string
  24773. role:
  24774. description: This is the AWS role to be assumed before talking to vault
  24775. type: string
  24776. secretRef:
  24777. description: Specify credentials in a Secret object
  24778. properties:
  24779. accessKeyIDSecretRef:
  24780. description: The AccessKeyID is used for authentication
  24781. properties:
  24782. key:
  24783. description: |-
  24784. A key in the referenced Secret.
  24785. Some instances of this field may be defaulted, in others it may be required.
  24786. maxLength: 253
  24787. minLength: 1
  24788. pattern: ^[-._a-zA-Z0-9]+$
  24789. type: string
  24790. name:
  24791. description: The name of the Secret resource being referred to.
  24792. maxLength: 253
  24793. minLength: 1
  24794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24795. type: string
  24796. namespace:
  24797. description: |-
  24798. The namespace of the Secret resource being referred to.
  24799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24800. maxLength: 63
  24801. minLength: 1
  24802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24803. type: string
  24804. type: object
  24805. secretAccessKeySecretRef:
  24806. description: The SecretAccessKey is used for authentication
  24807. properties:
  24808. key:
  24809. description: |-
  24810. A key in the referenced Secret.
  24811. Some instances of this field may be defaulted, in others it may be required.
  24812. maxLength: 253
  24813. minLength: 1
  24814. pattern: ^[-._a-zA-Z0-9]+$
  24815. type: string
  24816. name:
  24817. description: The name of the Secret resource being referred to.
  24818. maxLength: 253
  24819. minLength: 1
  24820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24821. type: string
  24822. namespace:
  24823. description: |-
  24824. The namespace of the Secret resource being referred to.
  24825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24826. maxLength: 63
  24827. minLength: 1
  24828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24829. type: string
  24830. type: object
  24831. sessionTokenSecretRef:
  24832. description: |-
  24833. The SessionToken used for authentication
  24834. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24835. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24836. properties:
  24837. key:
  24838. description: |-
  24839. A key in the referenced Secret.
  24840. Some instances of this field may be defaulted, in others it may be required.
  24841. maxLength: 253
  24842. minLength: 1
  24843. pattern: ^[-._a-zA-Z0-9]+$
  24844. type: string
  24845. name:
  24846. description: The name of the Secret resource being referred to.
  24847. maxLength: 253
  24848. minLength: 1
  24849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24850. type: string
  24851. namespace:
  24852. description: |-
  24853. The namespace of the Secret resource being referred to.
  24854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24855. maxLength: 63
  24856. minLength: 1
  24857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24858. type: string
  24859. type: object
  24860. type: object
  24861. vaultAwsIamServerID:
  24862. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24863. type: string
  24864. vaultRole:
24865. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  24866. type: string
  24867. required:
  24868. - vaultRole
  24869. type: object
  24870. jwt:
  24871. description: |-
  24872. Jwt authenticates with Vault by passing role and JWT token using the
  24873. JWT/OIDC authentication method
  24874. properties:
  24875. kubernetesServiceAccountToken:
  24876. description: |-
24877. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
24878. a token with the `TokenRequest` API.
  24879. properties:
  24880. audiences:
  24881. description: |-
  24882. Optional audiences field that will be used to request a temporary Kubernetes service
  24883. account token for the service account referenced by `serviceAccountRef`.
24884. Defaults to a single audience `vault` if not specified.
  24885. Deprecated: use serviceAccountRef.Audiences instead
  24886. items:
  24887. type: string
  24888. type: array
  24889. expirationSeconds:
  24890. description: |-
  24891. Optional expiration time in seconds that will be used to request a temporary
  24892. Kubernetes service account token for the service account referenced by
  24893. `serviceAccountRef`.
  24894. Deprecated: this will be removed in the future.
  24895. Defaults to 10 minutes.
  24896. format: int64
  24897. type: integer
  24898. serviceAccountRef:
  24899. description: Service account field containing the name of a kubernetes ServiceAccount.
  24900. properties:
  24901. audiences:
  24902. description: |-
  24903. Audience specifies the `aud` claim for the service account token
  24904. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
24905. then these audiences will be appended to the list
  24906. items:
  24907. type: string
  24908. type: array
  24909. name:
  24910. description: The name of the ServiceAccount resource being referred to.
  24911. maxLength: 253
  24912. minLength: 1
  24913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24914. type: string
  24915. namespace:
  24916. description: |-
  24917. Namespace of the resource being referred to.
  24918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24919. maxLength: 63
  24920. minLength: 1
  24921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24922. type: string
  24923. required:
  24924. - name
  24925. type: object
  24926. required:
  24927. - serviceAccountRef
  24928. type: object
  24929. path:
  24930. default: jwt
  24931. description: |-
  24932. Path where the JWT authentication backend is mounted
  24933. in Vault, e.g: "jwt"
  24934. type: string
  24935. role:
  24936. description: |-
  24937. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24938. authentication method
  24939. type: string
  24940. secretRef:
  24941. description: |-
  24942. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24943. authenticate with Vault using the JWT/OIDC authentication method.
  24944. properties:
  24945. key:
  24946. description: |-
  24947. A key in the referenced Secret.
  24948. Some instances of this field may be defaulted, in others it may be required.
  24949. maxLength: 253
  24950. minLength: 1
  24951. pattern: ^[-._a-zA-Z0-9]+$
  24952. type: string
  24953. name:
  24954. description: The name of the Secret resource being referred to.
  24955. maxLength: 253
  24956. minLength: 1
  24957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24958. type: string
  24959. namespace:
  24960. description: |-
  24961. The namespace of the Secret resource being referred to.
  24962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24963. maxLength: 63
  24964. minLength: 1
  24965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24966. type: string
  24967. type: object
  24968. required:
  24969. - path
  24970. type: object
  24971. kubernetes:
  24972. description: |-
  24973. Kubernetes authenticates with Vault by passing the ServiceAccount
  24974. token stored in the named Secret resource to the Vault server.
  24975. properties:
  24976. mountPath:
  24977. default: kubernetes
  24978. description: |-
  24979. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24980. "kubernetes"
  24981. type: string
  24982. role:
  24983. description: |-
  24984. A required field containing the Vault Role to assume. A Role binds a
  24985. Kubernetes ServiceAccount with a set of Vault policies.
  24986. type: string
  24987. secretRef:
  24988. description: |-
  24989. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24990. for authenticating with Vault. If a name is specified without a key,
  24991. `token` is the default. If one is not specified, the one bound to
  24992. the controller will be used.
  24993. properties:
  24994. key:
  24995. description: |-
  24996. A key in the referenced Secret.
  24997. Some instances of this field may be defaulted, in others it may be required.
  24998. maxLength: 253
  24999. minLength: 1
  25000. pattern: ^[-._a-zA-Z0-9]+$
  25001. type: string
  25002. name:
  25003. description: The name of the Secret resource being referred to.
  25004. maxLength: 253
  25005. minLength: 1
  25006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25007. type: string
  25008. namespace:
  25009. description: |-
  25010. The namespace of the Secret resource being referred to.
  25011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25012. maxLength: 63
  25013. minLength: 1
  25014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25015. type: string
  25016. type: object
  25017. serviceAccountRef:
  25018. description: |-
  25019. Optional service account field containing the name of a kubernetes ServiceAccount.
  25020. If the service account is specified, the service account secret token JWT will be used
  25021. for authenticating with Vault. If the service account selector is not supplied,
  25022. the secretRef will be used instead.
  25023. properties:
  25024. audiences:
  25025. description: |-
  25026. Audience specifies the `aud` claim for the service account token
  25027. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
25028. then these audiences will be appended to the list
  25029. items:
  25030. type: string
  25031. type: array
  25032. name:
  25033. description: The name of the ServiceAccount resource being referred to.
  25034. maxLength: 253
  25035. minLength: 1
  25036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25037. type: string
  25038. namespace:
  25039. description: |-
  25040. Namespace of the resource being referred to.
  25041. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25042. maxLength: 63
  25043. minLength: 1
  25044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25045. type: string
  25046. required:
  25047. - name
  25048. type: object
  25049. required:
  25050. - mountPath
  25051. - role
  25052. type: object
  25053. ldap:
  25054. description: |-
  25055. Ldap authenticates with Vault by passing username/password pair using
  25056. the LDAP authentication method
  25057. properties:
  25058. path:
  25059. default: ldap
  25060. description: |-
  25061. Path where the LDAP authentication backend is mounted
  25062. in Vault, e.g: "ldap"
  25063. type: string
  25064. secretRef:
  25065. description: |-
  25066. SecretRef to a key in a Secret resource containing password for the LDAP
  25067. user used to authenticate with Vault using the LDAP authentication
  25068. method
  25069. properties:
  25070. key:
  25071. description: |-
  25072. A key in the referenced Secret.
  25073. Some instances of this field may be defaulted, in others it may be required.
  25074. maxLength: 253
  25075. minLength: 1
  25076. pattern: ^[-._a-zA-Z0-9]+$
  25077. type: string
  25078. name:
  25079. description: The name of the Secret resource being referred to.
  25080. maxLength: 253
  25081. minLength: 1
  25082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25083. type: string
  25084. namespace:
  25085. description: |-
  25086. The namespace of the Secret resource being referred to.
  25087. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25088. maxLength: 63
  25089. minLength: 1
  25090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25091. type: string
  25092. type: object
  25093. username:
  25094. description: |-
  25095. Username is an LDAP username used to authenticate using the LDAP Vault
  25096. authentication method
  25097. type: string
  25098. required:
  25099. - path
  25100. - username
  25101. type: object
  25102. namespace:
  25103. description: |-
25104. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  25105. Namespaces is a set of features within Vault Enterprise that allows
  25106. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25107. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25108. This will default to Vault.Namespace field if set, or empty otherwise
  25109. type: string
  25110. tokenSecretRef:
  25111. description: TokenSecretRef authenticates with Vault by presenting a token.
  25112. properties:
  25113. key:
  25114. description: |-
  25115. A key in the referenced Secret.
  25116. Some instances of this field may be defaulted, in others it may be required.
  25117. maxLength: 253
  25118. minLength: 1
  25119. pattern: ^[-._a-zA-Z0-9]+$
  25120. type: string
  25121. name:
  25122. description: The name of the Secret resource being referred to.
  25123. maxLength: 253
  25124. minLength: 1
  25125. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25126. type: string
  25127. namespace:
  25128. description: |-
  25129. The namespace of the Secret resource being referred to.
  25130. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25131. maxLength: 63
  25132. minLength: 1
  25133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25134. type: string
  25135. type: object
  25136. userPass:
  25137. description: UserPass authenticates with Vault by passing username/password pair
  25138. properties:
  25139. path:
  25140. default: userpass
  25141. description: |-
  25142. Path where the UserPassword authentication backend is mounted
  25143. in Vault, e.g: "userpass"
  25144. type: string
  25145. secretRef:
  25146. description: |-
  25147. SecretRef to a key in a Secret resource containing password for the
  25148. user used to authenticate with Vault using the UserPass authentication
  25149. method
  25150. properties:
  25151. key:
  25152. description: |-
  25153. A key in the referenced Secret.
  25154. Some instances of this field may be defaulted, in others it may be required.
  25155. maxLength: 253
  25156. minLength: 1
  25157. pattern: ^[-._a-zA-Z0-9]+$
  25158. type: string
  25159. name:
  25160. description: The name of the Secret resource being referred to.
  25161. maxLength: 253
  25162. minLength: 1
  25163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25164. type: string
  25165. namespace:
  25166. description: |-
  25167. The namespace of the Secret resource being referred to.
  25168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25169. maxLength: 63
  25170. minLength: 1
  25171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25172. type: string
  25173. type: object
  25174. username:
  25175. description: |-
  25176. Username is a username used to authenticate using the UserPass Vault
  25177. authentication method
  25178. type: string
  25179. required:
  25180. - path
  25181. - username
  25182. type: object
  25183. type: object
  25184. caBundle:
  25185. description: |-
  25186. PEM encoded CA bundle used to validate Vault server certificate. Only used
  25187. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25188. plain HTTP protocol connection. If not set the system root certificates
  25189. are used to validate the TLS connection.
  25190. format: byte
  25191. type: string
  25192. caProvider:
  25193. description: The provider for the CA bundle to use to validate Vault server certificate.
  25194. properties:
  25195. key:
  25196. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25197. maxLength: 253
  25198. minLength: 1
  25199. pattern: ^[-._a-zA-Z0-9]+$
  25200. type: string
  25201. name:
  25202. description: The name of the object located at the provider type.
  25203. maxLength: 253
  25204. minLength: 1
  25205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25206. type: string
  25207. namespace:
  25208. description: |-
  25209. The namespace the Provider type is in.
  25210. Can only be defined when used in a ClusterSecretStore.
  25211. maxLength: 63
  25212. minLength: 1
  25213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25214. type: string
  25215. type:
  25216. description: The type of provider to use such as "Secret", or "ConfigMap".
  25217. enum:
  25218. - Secret
  25219. - ConfigMap
  25220. type: string
  25221. required:
  25222. - name
  25223. - type
  25224. type: object
  25225. forwardInconsistent:
  25226. description: |-
  25227. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  25228. leader instead of simply retrying within a loop. This can increase performance if
  25229. the option is enabled serverside.
  25230. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  25231. type: boolean
  25232. headers:
  25233. additionalProperties:
  25234. type: string
  25235. description: Headers to be added in Vault request
  25236. type: object
  25237. namespace:
  25238. description: |-
25239. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
25240. Vault environments to support secure multi-tenancy, e.g. "ns1".
  25241. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25242. type: string
  25243. path:
  25244. description: |-
  25245. Path is the mount path of the Vault KV backend endpoint, e.g:
  25246. "secret". The v2 KV secret engine version specific "/data" path suffix
  25247. for fetching secrets from Vault is optional and will be appended
  25248. if not present in specified path.
  25249. type: string
  25250. readYourWrites:
  25251. description: |-
  25252. ReadYourWrites ensures isolated read-after-write semantics by
  25253. providing discovered cluster replication states in each request.
  25254. More information about eventual consistency in Vault can be found here
  25255. https://www.vaultproject.io/docs/enterprise/consistency
  25256. type: boolean
  25257. server:
  25258. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  25259. type: string
  25260. tls:
  25261. description: |-
  25262. The configuration used for client side related TLS communication, when the Vault server
  25263. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  25264. This parameter is ignored for plain HTTP protocol connection.
  25265. It's worth noting this configuration is different from the "TLS certificates auth method",
  25266. which is available under the `auth.cert` section.
  25267. properties:
  25268. certSecretRef:
  25269. description: |-
  25270. CertSecretRef is a certificate added to the transport layer
  25271. when communicating with the Vault server.
25272. If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
  25273. properties:
  25274. key:
  25275. description: |-
  25276. A key in the referenced Secret.
  25277. Some instances of this field may be defaulted, in others it may be required.
  25278. maxLength: 253
  25279. minLength: 1
  25280. pattern: ^[-._a-zA-Z0-9]+$
  25281. type: string
  25282. name:
  25283. description: The name of the Secret resource being referred to.
  25284. maxLength: 253
  25285. minLength: 1
  25286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25287. type: string
  25288. namespace:
  25289. description: |-
  25290. The namespace of the Secret resource being referred to.
  25291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25292. maxLength: 63
  25293. minLength: 1
  25294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25295. type: string
  25296. type: object
  25297. keySecretRef:
  25298. description: |-
  25299. KeySecretRef to a key in a Secret resource containing client private key
  25300. added to the transport layer when communicating with the Vault server.
25301. If no key for the Secret is specified, external-secrets will default to 'tls.key'.
  25302. properties:
  25303. key:
  25304. description: |-
  25305. A key in the referenced Secret.
  25306. Some instances of this field may be defaulted, in others it may be required.
  25307. maxLength: 253
  25308. minLength: 1
  25309. pattern: ^[-._a-zA-Z0-9]+$
  25310. type: string
  25311. name:
  25312. description: The name of the Secret resource being referred to.
  25313. maxLength: 253
  25314. minLength: 1
  25315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25316. type: string
  25317. namespace:
  25318. description: |-
  25319. The namespace of the Secret resource being referred to.
  25320. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25321. maxLength: 63
  25322. minLength: 1
  25323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25324. type: string
  25325. type: object
  25326. type: object
  25327. version:
  25328. default: v2
  25329. description: |-
  25330. Version is the Vault KV secret engine version. This can be either "v1" or
  25331. "v2". Version defaults to "v2".
  25332. enum:
  25333. - v1
  25334. - v2
  25335. type: string
  25336. required:
  25337. - server
  25338. type: object
  25339. webhook:
  25340. description: Webhook configures this store to sync secrets using a generic templated webhook
  25341. properties:
  25342. auth:
25343. description: Auth specifies an authorization protocol. Only one protocol may be set.
  25344. maxProperties: 1
  25345. minProperties: 1
  25346. properties:
  25347. ntlm:
  25348. description: NTLMProtocol configures the store to use NTLM for auth
  25349. properties:
  25350. passwordSecret:
  25351. description: |-
  25352. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25353. In some instances, `key` is a required field.
  25354. properties:
  25355. key:
  25356. description: |-
  25357. A key in the referenced Secret.
  25358. Some instances of this field may be defaulted, in others it may be required.
  25359. maxLength: 253
  25360. minLength: 1
  25361. pattern: ^[-._a-zA-Z0-9]+$
  25362. type: string
  25363. name:
  25364. description: The name of the Secret resource being referred to.
  25365. maxLength: 253
  25366. minLength: 1
  25367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25368. type: string
  25369. namespace:
  25370. description: |-
  25371. The namespace of the Secret resource being referred to.
  25372. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25373. maxLength: 63
  25374. minLength: 1
  25375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25376. type: string
  25377. type: object
  25378. usernameSecret:
  25379. description: |-
  25380. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25381. In some instances, `key` is a required field.
  25382. properties:
  25383. key:
  25384. description: |-
  25385. A key in the referenced Secret.
  25386. Some instances of this field may be defaulted, in others it may be required.
  25387. maxLength: 253
  25388. minLength: 1
  25389. pattern: ^[-._a-zA-Z0-9]+$
  25390. type: string
  25391. name:
  25392. description: The name of the Secret resource being referred to.
  25393. maxLength: 253
  25394. minLength: 1
  25395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25396. type: string
  25397. namespace:
  25398. description: |-
  25399. The namespace of the Secret resource being referred to.
  25400. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25401. maxLength: 63
  25402. minLength: 1
  25403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25404. type: string
  25405. type: object
  25406. required:
  25407. - passwordSecret
  25408. - usernameSecret
  25409. type: object
  25410. type: object
  25411. body:
  25412. description: Body
  25413. type: string
  25414. caBundle:
  25415. description: |-
  25416. PEM encoded CA bundle used to validate webhook server certificate. Only used
  25417. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25418. plain HTTP protocol connection. If not set the system root certificates
  25419. are used to validate the TLS connection.
  25420. format: byte
  25421. type: string
  25422. caProvider:
  25423. description: The provider for the CA bundle to use to validate webhook server certificate.
  25424. properties:
  25425. key:
  25426. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25427. maxLength: 253
  25428. minLength: 1
  25429. pattern: ^[-._a-zA-Z0-9]+$
  25430. type: string
  25431. name:
  25432. description: The name of the object located at the provider type.
  25433. maxLength: 253
  25434. minLength: 1
  25435. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25436. type: string
  25437. namespace:
  25438. description: The namespace the Provider type is in.
  25439. maxLength: 63
  25440. minLength: 1
  25441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25442. type: string
  25443. type:
  25444. description: The type of provider to use such as "Secret", or "ConfigMap".
  25445. enum:
  25446. - Secret
  25447. - ConfigMap
  25448. type: string
  25449. required:
  25450. - name
  25451. - type
  25452. type: object
  25453. headers:
  25454. additionalProperties:
  25455. type: string
  25456. description: Headers
  25457. type: object
  25458. method:
  25459. description: Webhook Method
  25460. type: string
  25461. result:
  25462. description: Result formatting
  25463. properties:
  25464. jsonPath:
  25465. description: Json path of return value
  25466. type: string
  25467. type: object
  25468. secrets:
  25469. description: |-
  25470. Secrets to fill in templates
25471. These secrets will be passed to the templating function as key-value pairs under the given name
  25472. items:
  25473. description: WebhookSecret defines a secret to be used in webhook templates.
  25474. properties:
  25475. name:
  25476. description: Name of this secret in templates
  25477. type: string
  25478. secretRef:
  25479. description: Secret ref to fill in credentials
  25480. properties:
  25481. key:
  25482. description: |-
  25483. A key in the referenced Secret.
  25484. Some instances of this field may be defaulted, in others it may be required.
  25485. maxLength: 253
  25486. minLength: 1
  25487. pattern: ^[-._a-zA-Z0-9]+$
  25488. type: string
  25489. name:
  25490. description: The name of the Secret resource being referred to.
  25491. maxLength: 253
  25492. minLength: 1
  25493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25494. type: string
  25495. namespace:
  25496. description: |-
  25497. The namespace of the Secret resource being referred to.
  25498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25499. maxLength: 63
  25500. minLength: 1
  25501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25502. type: string
  25503. type: object
  25504. required:
  25505. - name
  25506. - secretRef
  25507. type: object
  25508. type: array
  25509. timeout:
  25510. description: Timeout
  25511. type: string
  25512. url:
  25513. description: Webhook url to call
  25514. type: string
  25515. required:
  25516. - result
  25517. - url
  25518. type: object
  25519. yandexcertificatemanager:
  25520. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  25521. properties:
  25522. apiEndpoint:
  25523. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25524. type: string
  25525. auth:
  25526. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  25527. properties:
  25528. authorizedKeySecretRef:
  25529. description: The authorized key used for authentication
  25530. properties:
  25531. key:
  25532. description: |-
  25533. A key in the referenced Secret.
  25534. Some instances of this field may be defaulted, in others it may be required.
  25535. maxLength: 253
  25536. minLength: 1
  25537. pattern: ^[-._a-zA-Z0-9]+$
  25538. type: string
  25539. name:
  25540. description: The name of the Secret resource being referred to.
  25541. maxLength: 253
  25542. minLength: 1
  25543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25544. type: string
  25545. namespace:
  25546. description: |-
  25547. The namespace of the Secret resource being referred to.
  25548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25549. maxLength: 63
  25550. minLength: 1
  25551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25552. type: string
  25553. type: object
  25554. type: object
  25555. caProvider:
  25556. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25557. properties:
  25558. certSecretRef:
  25559. description: |-
  25560. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25561. In some instances, `key` is a required field.
  25562. properties:
  25563. key:
  25564. description: |-
  25565. A key in the referenced Secret.
  25566. Some instances of this field may be defaulted, in others it may be required.
  25567. maxLength: 253
  25568. minLength: 1
  25569. pattern: ^[-._a-zA-Z0-9]+$
  25570. type: string
  25571. name:
  25572. description: The name of the Secret resource being referred to.
  25573. maxLength: 253
  25574. minLength: 1
  25575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25576. type: string
  25577. namespace:
  25578. description: |-
  25579. The namespace of the Secret resource being referred to.
  25580. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25581. maxLength: 63
  25582. minLength: 1
  25583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25584. type: string
  25585. type: object
  25586. type: object
  25587. required:
  25588. - auth
  25589. type: object
  25590. yandexlockbox:
  25591. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25592. properties:
  25593. apiEndpoint:
  25594. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25595. type: string
  25596. auth:
  25597. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25598. properties:
  25599. authorizedKeySecretRef:
  25600. description: The authorized key used for authentication
  25601. properties:
  25602. key:
  25603. description: |-
  25604. A key in the referenced Secret.
  25605. Some instances of this field may be defaulted, in others it may be required.
  25606. maxLength: 253
  25607. minLength: 1
  25608. pattern: ^[-._a-zA-Z0-9]+$
  25609. type: string
  25610. name:
  25611. description: The name of the Secret resource being referred to.
  25612. maxLength: 253
  25613. minLength: 1
  25614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25615. type: string
  25616. namespace:
  25617. description: |-
  25618. The namespace of the Secret resource being referred to.
  25619. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25620. maxLength: 63
  25621. minLength: 1
  25622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25623. type: string
  25624. type: object
  25625. type: object
  25626. caProvider:
  25627. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25628. properties:
  25629. certSecretRef:
  25630. description: |-
  25631. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25632. In some instances, `key` is a required field.
  25633. properties:
  25634. key:
  25635. description: |-
  25636. A key in the referenced Secret.
  25637. Some instances of this field may be defaulted, in others it may be required.
  25638. maxLength: 253
  25639. minLength: 1
  25640. pattern: ^[-._a-zA-Z0-9]+$
  25641. type: string
  25642. name:
  25643. description: The name of the Secret resource being referred to.
  25644. maxLength: 253
  25645. minLength: 1
  25646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25647. type: string
  25648. namespace:
  25649. description: |-
  25650. The namespace of the Secret resource being referred to.
  25651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25652. maxLength: 63
  25653. minLength: 1
  25654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25655. type: string
  25656. type: object
  25657. type: object
  25658. required:
  25659. - auth
  25660. type: object
  25661. type: object
  25662. refreshInterval:
  25663. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25664. type: integer
  25665. retrySettings:
  25666. description: Used to configure HTTP retries on failures.
  25667. properties:
  25668. maxRetries:
  25669. description: MaxRetries is the maximum number of retry attempts.
  25670. format: int32
  25671. type: integer
  25672. retryInterval:
  25673. description: RetryInterval is the interval between retry attempts.
  25674. type: string
  25675. type: object
  25676. required:
  25677. - provider
  25678. type: object
  25679. status:
  25680. description: SecretStoreStatus defines the observed state of the SecretStore.
  25681. properties:
  25682. capabilities:
  25683. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25684. type: string
  25685. conditions:
  25686. items:
  25687. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25688. properties:
  25689. lastTransitionTime:
  25690. format: date-time
  25691. type: string
  25692. message:
  25693. type: string
  25694. reason:
  25695. type: string
  25696. status:
  25697. type: string
  25698. type:
  25699. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25700. type: string
  25701. required:
  25702. - status
  25703. - type
  25704. type: object
  25705. type: array
  25706. type: object
  25707. type: object
  25708. served: false
  25709. storage: false
  25710. subresources:
  25711. status: {}
  25712. ---
  25713. apiVersion: apiextensions.k8s.io/v1
  25714. kind: CustomResourceDefinition
  25715. metadata:
  25716. annotations:
  25717. controller-gen.kubebuilder.io/version: v0.19.0
  25718. labels:
  25719. external-secrets.io/component: controller
  25720. name: acraccesstokens.generators.external-secrets.io
  25721. spec:
  25722. group: generators.external-secrets.io
  25723. names:
  25724. categories:
  25725. - external-secrets
  25726. - external-secrets-generators
  25727. kind: ACRAccessToken
  25728. listKind: ACRAccessTokenList
  25729. plural: acraccesstokens
  25730. singular: acraccesstoken
  25731. scope: Namespaced
  25732. versions:
  25733. - name: v1alpha1
  25734. schema:
  25735. openAPIV3Schema:
  25736. description: |-
  25737. ACRAccessToken returns an Azure Container Registry token
  25738. that can be used for pushing/pulling images.
  25739. Note: by default it will return an ACR Refresh Token with full access
  25740. (depending on the identity).
  25741. This can be scoped down to the repository level using .spec.scope.
  25742. In case scope is defined it will return an ACR Access Token.
  25743. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25744. properties:
  25745. apiVersion:
  25746. description: |-
  25747. APIVersion defines the versioned schema of this representation of an object.
  25748. Servers should convert recognized schemas to the latest internal value, and
  25749. may reject unrecognized values.
  25750. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25751. type: string
  25752. kind:
  25753. description: |-
  25754. Kind is a string value representing the REST resource this object represents.
  25755. Servers may infer this from the endpoint the client submits requests to.
  25756. Cannot be updated.
  25757. In CamelCase.
  25758. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25759. type: string
  25760. metadata:
  25761. type: object
  25762. spec:
  25763. description: |-
  25764. ACRAccessTokenSpec defines how to generate the access token
  25765. e.g. how to authenticate and which registry to use.
  25766. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25767. properties:
  25768. auth:
  25769. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25770. properties:
  25771. managedIdentity:
  25772. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25773. properties:
  25774. identityId:
25775. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used
  25776. type: string
  25777. type: object
  25778. servicePrincipal:
  25779. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25780. properties:
  25781. secretRef:
  25782. description: |-
  25783. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25784. It uses static credentials stored in a Kind=Secret.
  25785. properties:
  25786. clientId:
25787. description: The Azure clientId of the service principal used for authentication.
  25788. properties:
  25789. key:
  25790. description: |-
  25791. A key in the referenced Secret.
  25792. Some instances of this field may be defaulted, in others it may be required.
  25793. maxLength: 253
  25794. minLength: 1
  25795. pattern: ^[-._a-zA-Z0-9]+$
  25796. type: string
  25797. name:
  25798. description: The name of the Secret resource being referred to.
  25799. maxLength: 253
  25800. minLength: 1
  25801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25802. type: string
  25803. namespace:
  25804. description: |-
  25805. The namespace of the Secret resource being referred to.
  25806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25807. maxLength: 63
  25808. minLength: 1
  25809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25810. type: string
  25811. type: object
  25812. clientSecret:
25813. description: The Azure ClientSecret of the service principal used for authentication.
  25814. properties:
  25815. key:
  25816. description: |-
  25817. A key in the referenced Secret.
  25818. Some instances of this field may be defaulted, in others it may be required.
  25819. maxLength: 253
  25820. minLength: 1
  25821. pattern: ^[-._a-zA-Z0-9]+$
  25822. type: string
  25823. name:
  25824. description: The name of the Secret resource being referred to.
  25825. maxLength: 253
  25826. minLength: 1
  25827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25828. type: string
  25829. namespace:
  25830. description: |-
  25831. The namespace of the Secret resource being referred to.
  25832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25833. maxLength: 63
  25834. minLength: 1
  25835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25836. type: string
  25837. type: object
  25838. type: object
  25839. required:
  25840. - secretRef
  25841. type: object
  25842. workloadIdentity:
  25843. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25844. properties:
  25845. serviceAccountRef:
  25846. description: |-
25847. ServiceAccountRef specifies the service account
25848. that should be used when authenticating with WorkloadIdentity.
  25849. properties:
  25850. audiences:
  25851. description: |-
25852. Audiences specifies the `aud` claim for the service account token.
25853. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
25854. then these audiences will be appended to the list.
  25855. items:
  25856. type: string
  25857. type: array
  25858. name:
  25859. description: The name of the ServiceAccount resource being referred to.
  25860. maxLength: 253
  25861. minLength: 1
  25862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25863. type: string
  25864. namespace:
  25865. description: |-
  25866. Namespace of the resource being referred to.
  25867. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25868. maxLength: 63
  25869. minLength: 1
  25870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25871. type: string
  25872. required:
  25873. - name
  25874. type: object
  25875. type: object
  25876. type: object
  25877. environmentType:
  25878. default: PublicCloud
  25879. description: |-
  25880. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25881. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25882. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
25883. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  25884. enum:
  25885. - PublicCloud
  25886. - USGovernmentCloud
  25887. - ChinaCloud
  25888. - GermanCloud
  25889. - AzureStackCloud
  25890. type: string
  25891. registry:
  25892. description: |-
  25893. the domain name of the ACR registry
  25894. e.g. foobarexample.azurecr.io
  25895. type: string
  25896. scope:
  25897. description: |-
  25898. Define the scope for the access token, e.g. pull/push access for a repository.
25899. If not provided, a refresh token with full scope is returned.
25900. Note: the scope must be pinned to the repository level; no wildcard is available.
  25901. examples:
  25902. repository:my-repository:pull,push
  25903. repository:my-repository:pull
  25904. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25905. type: string
  25906. tenantId:
  25907. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25908. type: string
  25909. required:
  25910. - auth
  25911. - registry
  25912. type: object
  25913. type: object
  25914. served: true
  25915. storage: true
  25916. subresources:
  25917. status: {}
  25918. ---
  25919. apiVersion: apiextensions.k8s.io/v1
  25920. kind: CustomResourceDefinition
  25921. metadata:
  25922. annotations:
  25923. controller-gen.kubebuilder.io/version: v0.19.0
  25924. labels:
  25925. external-secrets.io/component: controller
  25926. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  25927. spec:
  25928. group: generators.external-secrets.io
  25929. names:
  25930. categories:
  25931. - external-secrets
  25932. - external-secrets-generators
  25933. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  25934. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  25935. plural: beyondtrustworkloadcredentialsdynamicsecrets
  25936. singular: beyondtrustworkloadcredentialsdynamicsecret
  25937. scope: Namespaced
  25938. versions:
  25939. - name: v1alpha1
  25940. schema:
  25941. openAPIV3Schema:
  25942. description: |-
  25943. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  25944. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  25945. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  25946. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  25947. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25948. properties:
  25949. apiVersion:
  25950. description: |-
  25951. APIVersion defines the versioned schema of this representation of an object.
  25952. Servers should convert recognized schemas to the latest internal value, and
  25953. may reject unrecognized values.
  25954. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25955. type: string
  25956. kind:
  25957. description: |-
  25958. Kind is a string value representing the REST resource this object represents.
  25959. Servers may infer this from the endpoint the client submits requests to.
  25960. Cannot be updated.
  25961. In CamelCase.
  25962. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25963. type: string
  25964. metadata:
  25965. type: object
  25966. spec:
  25967. description: |-
  25968. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  25969. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  25970. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25971. properties:
  25972. controller:
  25973. description: |-
  25974. Controller selects the controller that should handle this generator.
  25975. Leave empty to use the default controller.
  25976. type: string
  25977. provider:
  25978. description: |-
  25979. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  25980. server connection details, and the folder path to the dynamic secret definition.
  25981. The folderPath should point to a dynamic secret definition that has been created in
  25982. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  25983. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25984. properties:
  25985. auth:
  25986. description: |-
  25987. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  25988. Currently supports API key authentication via Kubernetes secret reference.
  25989. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25990. properties:
  25991. apikey:
  25992. description: |-
  25993. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  25994. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  25995. properties:
  25996. token:
  25997. description: |-
  25998. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  25999. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26000. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26001. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26002. properties:
  26003. key:
  26004. description: |-
  26005. A key in the referenced Secret.
  26006. Some instances of this field may be defaulted, in others it may be required.
  26007. maxLength: 253
  26008. minLength: 1
  26009. pattern: ^[-._a-zA-Z0-9]+$
  26010. type: string
  26011. name:
  26012. description: The name of the Secret resource being referred to.
  26013. maxLength: 253
  26014. minLength: 1
  26015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26016. type: string
  26017. namespace:
  26018. description: |-
  26019. The namespace of the Secret resource being referred to.
  26020. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26021. maxLength: 63
  26022. minLength: 1
  26023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26024. type: string
  26025. type: object
  26026. required:
  26027. - token
  26028. type: object
  26029. required:
  26030. - apikey
  26031. type: object
  26032. caBundle:
  26033. description: |-
  26034. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26035. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26036. If not set, the system's trusted root certificates are used.
  26037. format: byte
  26038. type: string
  26039. caProvider:
  26040. description: |-
  26041. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26042. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26043. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26044. properties:
  26045. key:
  26046. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26047. maxLength: 253
  26048. minLength: 1
  26049. pattern: ^[-._a-zA-Z0-9]+$
  26050. type: string
  26051. name:
  26052. description: The name of the object located at the provider type.
  26053. maxLength: 253
  26054. minLength: 1
  26055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26056. type: string
  26057. namespace:
  26058. description: |-
  26059. The namespace the Provider type is in.
  26060. Can only be defined when used in a ClusterSecretStore.
  26061. maxLength: 63
  26062. minLength: 1
  26063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26064. type: string
  26065. type:
  26066. description: The type of provider to use such as "Secret", or "ConfigMap".
  26067. enum:
  26068. - Secret
  26069. - ConfigMap
  26070. type: string
  26071. required:
  26072. - name
  26073. - type
  26074. type: object
  26075. folderPath:
  26076. description: |-
  26077. FolderPath specifies the default folder path for secret retrieval.
  26078. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26079. Example: "production/database" or "dev/api-keys"
  26080. Leave empty to retrieve secrets from the root folder.
  26081. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26082. type: string
  26083. server:
  26084. description: |-
  26085. Server configures the BeyondTrust Workload Credentials server connection details.
  26086. Includes the API URL and Site ID for your BeyondTrust instance.
  26087. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26088. properties:
  26089. apiUrl:
  26090. description: |-
  26091. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26092. This should be the full URL to your BeyondTrust instance.
  26093. Example: https://api.beyondtrust.io/siie
  26094. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26095. type: string
  26096. siteId:
  26097. description: |-
  26098. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26099. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26100. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26101. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26102. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26103. type: string
  26104. required:
  26105. - apiUrl
  26106. - siteId
  26107. type: object
  26108. required:
  26109. - auth
  26110. - server
  26111. type: object
  26112. retrySettings:
  26113. description: |-
  26114. RetrySettings configures exponential backoff for failed API requests.
  26115. If not specified, uses the default retry settings.
  26116. properties:
  26117. maxRetries:
  26118. format: int32
  26119. type: integer
  26120. retryInterval:
  26121. type: string
  26122. type: object
  26123. required:
  26124. - provider
  26125. type: object
  26126. type: object
  26127. served: true
  26128. storage: true
  26129. subresources:
  26130. status: {}
  26131. ---
  26132. apiVersion: apiextensions.k8s.io/v1
  26133. kind: CustomResourceDefinition
  26134. metadata:
  26135. annotations:
  26136. controller-gen.kubebuilder.io/version: v0.19.0
  26137. labels:
  26138. external-secrets.io/component: controller
  26139. name: cloudsmithaccesstokens.generators.external-secrets.io
  26140. spec:
  26141. group: generators.external-secrets.io
  26142. names:
  26143. categories:
  26144. - external-secrets
  26145. - external-secrets-generators
  26146. kind: CloudsmithAccessToken
  26147. listKind: CloudsmithAccessTokenList
  26148. plural: cloudsmithaccesstokens
  26149. singular: cloudsmithaccesstoken
  26150. scope: Namespaced
  26151. versions:
  26152. - name: v1alpha1
  26153. schema:
  26154. openAPIV3Schema:
  26155. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  26156. properties:
  26157. apiVersion:
  26158. description: |-
  26159. APIVersion defines the versioned schema of this representation of an object.
  26160. Servers should convert recognized schemas to the latest internal value, and
  26161. may reject unrecognized values.
  26162. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26163. type: string
  26164. kind:
  26165. description: |-
  26166. Kind is a string value representing the REST resource this object represents.
  26167. Servers may infer this from the endpoint the client submits requests to.
  26168. Cannot be updated.
  26169. In CamelCase.
  26170. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26171. type: string
  26172. metadata:
  26173. type: object
  26174. spec:
  26175. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26176. properties:
  26177. apiUrl:
  26178. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26179. type: string
  26180. orgSlug:
  26181. description: OrgSlug is the organization slug in Cloudsmith
  26182. type: string
  26183. serviceAccountRef:
  26184. description: Name of the service account you are federating with
  26185. properties:
  26186. audiences:
  26187. description: |-
  26188. Audience specifies the `aud` claim for the service account token
  26189. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  26190. then these audiences will be appended to the list.
  26191. items:
  26192. type: string
  26193. type: array
  26194. name:
  26195. description: The name of the ServiceAccount resource being referred to.
  26196. maxLength: 253
  26197. minLength: 1
  26198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26199. type: string
  26200. namespace:
  26201. description: |-
  26202. Namespace of the resource being referred to.
  26203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26204. maxLength: 63
  26205. minLength: 1
  26206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26207. type: string
  26208. required:
  26209. - name
  26210. type: object
  26211. serviceSlug:
  26212. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26213. type: string
  26214. required:
  26215. - orgSlug
  26216. - serviceAccountRef
  26217. - serviceSlug
  26218. type: object
  26219. type: object
  26220. served: true
  26221. storage: true
  26222. subresources:
  26223. status: {}
  26224. ---
  26225. apiVersion: apiextensions.k8s.io/v1
  26226. kind: CustomResourceDefinition
  26227. metadata:
  26228. annotations:
  26229. controller-gen.kubebuilder.io/version: v0.19.0
  26230. labels:
  26231. external-secrets.io/component: controller
  26232. name: clustergenerators.generators.external-secrets.io
  26233. spec:
  26234. group: generators.external-secrets.io
  26235. names:
  26236. categories:
  26237. - external-secrets
  26238. - external-secrets-generators
  26239. kind: ClusterGenerator
  26240. listKind: ClusterGeneratorList
  26241. plural: clustergenerators
  26242. singular: clustergenerator
  26243. scope: Cluster
  26244. versions:
  26245. - name: v1alpha1
  26246. schema:
  26247. openAPIV3Schema:
  26248. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  26249. properties:
  26250. apiVersion:
  26251. description: |-
  26252. APIVersion defines the versioned schema of this representation of an object.
  26253. Servers should convert recognized schemas to the latest internal value, and
  26254. may reject unrecognized values.
  26255. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26256. type: string
  26257. kind:
  26258. description: |-
  26259. Kind is a string value representing the REST resource this object represents.
  26260. Servers may infer this from the endpoint the client submits requests to.
  26261. Cannot be updated.
  26262. In CamelCase.
  26263. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26264. type: string
  26265. metadata:
  26266. type: object
  26267. spec:
  26268. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  26269. properties:
  26270. generator:
  26271. description: Generator the spec for this generator, must match the kind.
  26272. maxProperties: 1
  26273. minProperties: 1
  26274. properties:
  26275. acrAccessTokenSpec:
  26276. description: |-
  26277. ACRAccessTokenSpec defines how to generate the access token
  26278. e.g. how to authenticate and which registry to use.
  26279. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  26280. properties:
  26281. auth:
  26282. description: ACRAuth defines the authentication methods for Azure Container Registry.
  26283. properties:
  26284. managedIdentity:
  26285. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  26286. properties:
  26287. identityId:
  26288. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used.
  26289. type: string
  26290. type: object
  26291. servicePrincipal:
  26292. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  26293. properties:
  26294. secretRef:
  26295. description: |-
  26296. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  26297. It uses static credentials stored in a Kind=Secret.
  26298. properties:
  26299. clientId:
  26300. description: The Azure clientId of the service principal used for authentication.
  26301. properties:
  26302. key:
  26303. description: |-
  26304. A key in the referenced Secret.
  26305. Some instances of this field may be defaulted, in others it may be required.
  26306. maxLength: 253
  26307. minLength: 1
  26308. pattern: ^[-._a-zA-Z0-9]+$
  26309. type: string
  26310. name:
  26311. description: The name of the Secret resource being referred to.
  26312. maxLength: 253
  26313. minLength: 1
  26314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26315. type: string
  26316. namespace:
  26317. description: |-
  26318. The namespace of the Secret resource being referred to.
  26319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26320. maxLength: 63
  26321. minLength: 1
  26322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26323. type: string
  26324. type: object
  26325. clientSecret:
  26326. description: The Azure ClientSecret of the service principal used for authentication.
  26327. properties:
  26328. key:
  26329. description: |-
  26330. A key in the referenced Secret.
  26331. Some instances of this field may be defaulted, in others it may be required.
  26332. maxLength: 253
  26333. minLength: 1
  26334. pattern: ^[-._a-zA-Z0-9]+$
  26335. type: string
  26336. name:
  26337. description: The name of the Secret resource being referred to.
  26338. maxLength: 253
  26339. minLength: 1
  26340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26341. type: string
  26342. namespace:
  26343. description: |-
  26344. The namespace of the Secret resource being referred to.
  26345. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26346. maxLength: 63
  26347. minLength: 1
  26348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26349. type: string
  26350. type: object
  26351. type: object
  26352. required:
  26353. - secretRef
  26354. type: object
  26355. workloadIdentity:
  26356. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  26357. properties:
  26358. serviceAccountRef:
  26359. description: |-
  26360. ServiceAccountRef specifies the service account
  26361. that should be used when authenticating with WorkloadIdentity.
  26362. properties:
  26363. audiences:
  26364. description: |-
  26365. Audience specifies the `aud` claim for the service account token
  26366. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  26367. then these audiences will be appended to the list.
  26368. items:
  26369. type: string
  26370. type: array
  26371. name:
  26372. description: The name of the ServiceAccount resource being referred to.
  26373. maxLength: 253
  26374. minLength: 1
  26375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26376. type: string
  26377. namespace:
  26378. description: |-
  26379. Namespace of the resource being referred to.
  26380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26381. maxLength: 63
  26382. minLength: 1
  26383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26384. type: string
  26385. required:
  26386. - name
  26387. type: object
  26388. type: object
  26389. type: object
  26390. environmentType:
  26391. default: PublicCloud
  26392. description: |-
  26393. EnvironmentType specifies the Azure cloud environment endpoints to use for
  26394. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  26395. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  26396. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  26397. enum:
  26398. - PublicCloud
  26399. - USGovernmentCloud
  26400. - ChinaCloud
  26401. - GermanCloud
  26402. - AzureStackCloud
  26403. type: string
  26404. registry:
  26405. description: |-
  26406. the domain name of the ACR registry
  26407. e.g. foobarexample.azurecr.io
  26408. type: string
  26409. scope:
  26410. description: |-
  26411. Define the scope for the access token, e.g. pull/push access for a repository.
  26412. If not provided, a refresh token with full scope is returned.
  26413. Note: you need to pin it down to the repository level, there is no wildcard available.
  26414. examples:
  26415. repository:my-repository:pull,push
  26416. repository:my-repository:pull
  26417. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26418. type: string
  26419. tenantId:
  26420. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26421. type: string
  26422. required:
  26423. - auth
  26424. - registry
  26425. type: object
  26426. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  26427. description: |-
  26428. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26429. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26430. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26431. properties:
  26432. controller:
  26433. description: |-
  26434. Controller selects the controller that should handle this generator.
  26435. Leave empty to use the default controller.
  26436. type: string
  26437. provider:
  26438. description: |-
  26439. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26440. server connection details, and the folder path to the dynamic secret definition.
  26441. The folderPath should point to a dynamic secret definition that has been created in
  26442. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26443. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26444. properties:
  26445. auth:
  26446. description: |-
  26447. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26448. Currently supports API key authentication via Kubernetes secret reference.
  26449. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26450. properties:
  26451. apikey:
  26452. description: |-
  26453. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26454. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26455. properties:
  26456. token:
  26457. description: |-
  26458. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26459. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26460. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26461. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26462. properties:
  26463. key:
  26464. description: |-
  26465. A key in the referenced Secret.
  26466. Some instances of this field may be defaulted, in others it may be required.
  26467. maxLength: 253
  26468. minLength: 1
  26469. pattern: ^[-._a-zA-Z0-9]+$
  26470. type: string
  26471. name:
  26472. description: The name of the Secret resource being referred to.
  26473. maxLength: 253
  26474. minLength: 1
  26475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26476. type: string
  26477. namespace:
  26478. description: |-
  26479. The namespace of the Secret resource being referred to.
  26480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26481. maxLength: 63
  26482. minLength: 1
  26483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26484. type: string
  26485. type: object
  26486. required:
  26487. - token
  26488. type: object
  26489. required:
  26490. - apikey
  26491. type: object
  26492. caBundle:
  26493. description: |-
  26494. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26495. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26496. If not set, the system's trusted root certificates are used.
  26497. format: byte
  26498. type: string
  26499. caProvider:
  26500. description: |-
  26501. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26502. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26503. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26504. properties:
  26505. key:
  26506. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26507. maxLength: 253
  26508. minLength: 1
  26509. pattern: ^[-._a-zA-Z0-9]+$
  26510. type: string
  26511. name:
  26512. description: The name of the object located at the provider type.
  26513. maxLength: 253
  26514. minLength: 1
  26515. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26516. type: string
  26517. namespace:
  26518. description: |-
  26519. The namespace the Provider type is in.
  26520. Can only be defined when used in a ClusterSecretStore.
  26521. maxLength: 63
  26522. minLength: 1
  26523. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26524. type: string
  26525. type:
  26526. description: The type of provider to use such as "Secret", or "ConfigMap".
  26527. enum:
  26528. - Secret
  26529. - ConfigMap
  26530. type: string
  26531. required:
  26532. - name
  26533. - type
  26534. type: object
  26535. folderPath:
  26536. description: |-
  26537. FolderPath specifies the default folder path for secret retrieval.
  26538. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26539. Example: "production/database" or "dev/api-keys"
  26540. Leave empty to retrieve secrets from the root folder.
  26541. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26542. type: string
  26543. server:
  26544. description: |-
  26545. Server configures the BeyondTrust Workload Credentials server connection details.
  26546. Includes the API URL and Site ID for your BeyondTrust instance.
  26547. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26548. properties:
  26549. apiUrl:
  26550. description: |-
  26551. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26552. This should be the full URL to your BeyondTrust instance.
  26553. Example: https://api.beyondtrust.io/siie
  26554. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26555. type: string
  26556. siteId:
  26557. description: |-
  26558. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26559. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26560. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26561. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26562. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26563. type: string
  26564. required:
  26565. - apiUrl
  26566. - siteId
  26567. type: object
  26568. required:
  26569. - auth
  26570. - server
  26571. type: object
  26572. retrySettings:
  26573. description: |-
  26574. RetrySettings configures exponential backoff for failed API requests.
  26575. If not specified, uses the default retry settings.
  26576. properties:
  26577. maxRetries:
  26578. format: int32
  26579. type: integer
  26580. retryInterval:
  26581. type: string
  26582. type: object
  26583. required:
  26584. - provider
  26585. type: object
  26586. cloudsmithAccessTokenSpec:
  26587. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26588. properties:
  26589. apiUrl:
  26590. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26591. type: string
  26592. orgSlug:
  26593. description: OrgSlug is the organization slug in Cloudsmith
  26594. type: string
  26595. serviceAccountRef:
  26596. description: Name of the service account you are federating with
  26597. properties:
  26598. audiences:
  26599. description: |-
  26600. Audience specifies the `aud` claim for the service account token
  26601. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  26602. then these audiences will be appended to the list.
  26603. items:
  26604. type: string
  26605. type: array
  26606. name:
  26607. description: The name of the ServiceAccount resource being referred to.
  26608. maxLength: 253
  26609. minLength: 1
  26610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26611. type: string
  26612. namespace:
  26613. description: |-
  26614. Namespace of the resource being referred to.
  26615. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26616. maxLength: 63
  26617. minLength: 1
  26618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26619. type: string
  26620. required:
  26621. - name
  26622. type: object
  26623. serviceSlug:
  26624. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26625. type: string
  26626. required:
  26627. - orgSlug
  26628. - serviceAccountRef
  26629. - serviceSlug
  26630. type: object
  26631. ecrAuthorizationTokenSpec:
  26632. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26633. properties:
  26634. auth:
  26635. description: Auth defines how to authenticate with AWS
  26636. properties:
  26637. jwt:
  26638. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26639. properties:
  26640. serviceAccountRef:
  26641. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26642. properties:
  26643. audiences:
  26644. description: |-
  26645. Audience specifies the `aud` claim for the service account token
  26646. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  26647. then these audiences will be appended to the list.
  26648. items:
  26649. type: string
  26650. type: array
  26651. name:
  26652. description: The name of the ServiceAccount resource being referred to.
  26653. maxLength: 253
  26654. minLength: 1
  26655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26656. type: string
  26657. namespace:
  26658. description: |-
  26659. Namespace of the resource being referred to.
  26660. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26661. maxLength: 63
  26662. minLength: 1
  26663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26664. type: string
  26665. required:
  26666. - name
  26667. type: object
  26668. type: object
  26669. secretRef:
  26670. description: |-
  26671. AWSAuthSecretRef holds secret references for AWS credentials
  26672. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26673. properties:
  26674. accessKeyIDSecretRef:
  26675. description: The AccessKeyID is used for authentication
  26676. properties:
  26677. key:
  26678. description: |-
  26679. A key in the referenced Secret.
  26680. Some instances of this field may be defaulted, in others it may be required.
  26681. maxLength: 253
  26682. minLength: 1
  26683. pattern: ^[-._a-zA-Z0-9]+$
  26684. type: string
  26685. name:
  26686. description: The name of the Secret resource being referred to.
  26687. maxLength: 253
  26688. minLength: 1
  26689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26690. type: string
  26691. namespace:
  26692. description: |-
  26693. The namespace of the Secret resource being referred to.
  26694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26695. maxLength: 63
  26696. minLength: 1
  26697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26698. type: string
  26699. type: object
  26700. secretAccessKeySecretRef:
  26701. description: The SecretAccessKey is used for authentication
  26702. properties:
  26703. key:
  26704. description: |-
  26705. A key in the referenced Secret.
  26706. Some instances of this field may be defaulted, in others it may be required.
  26707. maxLength: 253
  26708. minLength: 1
  26709. pattern: ^[-._a-zA-Z0-9]+$
  26710. type: string
  26711. name:
  26712. description: The name of the Secret resource being referred to.
  26713. maxLength: 253
  26714. minLength: 1
  26715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26716. type: string
  26717. namespace:
  26718. description: |-
  26719. The namespace of the Secret resource being referred to.
  26720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26721. maxLength: 63
  26722. minLength: 1
  26723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26724. type: string
  26725. type: object
  26726. sessionTokenSecretRef:
  26727. description: |-
  26728. The SessionToken used for authentication
  26729. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26730. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26731. properties:
  26732. key:
  26733. description: |-
  26734. A key in the referenced Secret.
  26735. Some instances of this field may be defaulted, in others it may be required.
  26736. maxLength: 253
  26737. minLength: 1
  26738. pattern: ^[-._a-zA-Z0-9]+$
  26739. type: string
  26740. name:
  26741. description: The name of the Secret resource being referred to.
  26742. maxLength: 253
  26743. minLength: 1
  26744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26745. type: string
  26746. namespace:
  26747. description: |-
  26748. The namespace of the Secret resource being referred to.
  26749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26750. maxLength: 63
  26751. minLength: 1
  26752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26753. type: string
  26754. type: object
  26755. type: object
  26756. type: object
  26757. region:
  26758. description: Region specifies the region to operate in.
  26759. type: string
  26760. role:
  26761. description: |-
  26762. You can assume a role before making calls to the
  26763. desired AWS service.
  26764. type: string
  26765. scope:
  26766. description: |-
  26767. Scope specifies the ECR service scope.
  26768. Valid options are private and public.
  26769. type: string
  26770. required:
  26771. - region
  26772. type: object
  26773. fakeSpec:
  26774. description: FakeSpec contains the static data.
  26775. properties:
  26776. controller:
  26777. description: |-
  26778. Used to select the correct ESO controller (think: ingress.ingressClassName).
  26779. The ESO controller is instantiated with a specific controller name and filters VDS based on this property.
  26780. type: string
  26781. data:
  26782. additionalProperties:
  26783. type: string
  26784. description: |-
  26785. Data defines the static data returned
  26786. by this generator.
  26787. type: object
  26788. type: object
  26789. gcrAccessTokenSpec:
  26790. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26791. properties:
  26792. auth:
  26793. description: Auth defines the means for authenticating with GCP
  26794. properties:
  26795. secretRef:
  26796. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26797. properties:
  26798. secretAccessKeySecretRef:
  26799. description: The SecretAccessKey is used for authentication
  26800. properties:
  26801. key:
  26802. description: |-
  26803. A key in the referenced Secret.
  26804. Some instances of this field may be defaulted, in others it may be required.
  26805. maxLength: 253
  26806. minLength: 1
  26807. pattern: ^[-._a-zA-Z0-9]+$
  26808. type: string
  26809. name:
  26810. description: The name of the Secret resource being referred to.
  26811. maxLength: 253
  26812. minLength: 1
  26813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26814. type: string
  26815. namespace:
  26816. description: |-
  26817. The namespace of the Secret resource being referred to.
  26818. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26819. maxLength: 63
  26820. minLength: 1
  26821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26822. type: string
  26823. type: object
  26824. type: object
  26825. workloadIdentity:
  26826. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26827. properties:
  26828. clusterLocation:
  26829. type: string
  26830. clusterName:
  26831. type: string
  26832. clusterProjectID:
  26833. type: string
  26834. serviceAccountRef:
  26835. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26836. properties:
  26837. audiences:
  26838. description: |-
  26839. Audience specifies the `aud` claim for the service account token
  26840. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26841. then these audiences will be appended to the list
  26842. items:
  26843. type: string
  26844. type: array
  26845. name:
  26846. description: The name of the ServiceAccount resource being referred to.
  26847. maxLength: 253
  26848. minLength: 1
  26849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26850. type: string
  26851. namespace:
  26852. description: |-
  26853. Namespace of the resource being referred to.
  26854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26855. maxLength: 63
  26856. minLength: 1
  26857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26858. type: string
  26859. required:
  26860. - name
  26861. type: object
  26862. required:
  26863. - clusterLocation
  26864. - clusterName
  26865. - serviceAccountRef
  26866. type: object
  26867. workloadIdentityFederation:
  26868. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  26869. properties:
  26870. audience:
  26871. description: |-
  26872. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  26873. If specified, Audience found in the external account credential config will be overridden with the configured value.
  26874. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  26875. type: string
  26876. awsSecurityCredentials:
  26877. description: |-
  26878. awsSecurityCredentials configures the AWS region and credentials used to obtain the access token
  26879. when the AWS metadata server is not an option.
  26880. properties:
  26881. awsCredentialsSecretRef:
  26882. description: |-
  26883. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  26884. The Secret should be created with the following key names:
  26885. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  26886. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  26887. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  26888. properties:
  26889. name:
  26890. description: name of the secret.
  26891. maxLength: 253
  26892. minLength: 1
  26893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26894. type: string
  26895. namespace:
  26896. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  26897. maxLength: 63
  26898. minLength: 1
  26899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26900. type: string
  26901. required:
  26902. - name
  26903. type: object
  26904. region:
  26905. description: region is for configuring the AWS region to be used.
  26906. example: ap-south-1
  26907. maxLength: 50
  26908. minLength: 1
  26909. pattern: ^[a-z0-9-]+$
  26910. type: string
  26911. required:
  26912. - awsCredentialsSecretRef
  26913. - region
  26914. type: object
  26915. credConfig:
  26916. description: |-
  26917. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  26918. To use a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead,
  26919. serviceAccountRef must be used by providing the operator's service account details.
  26920. properties:
  26921. key:
  26922. description: key name holding the external account credential config.
  26923. maxLength: 253
  26924. minLength: 1
  26925. pattern: ^[-._a-zA-Z0-9]+$
  26926. type: string
  26927. name:
  26928. description: name of the configmap.
  26929. maxLength: 253
  26930. minLength: 1
  26931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26932. type: string
  26933. namespace:
  26934. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  26935. maxLength: 63
  26936. minLength: 1
  26937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26938. type: string
  26939. required:
  26940. - key
  26941. - name
  26942. type: object
  26943. externalTokenEndpoint:
  26944. description: |-
  26945. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  26946. credential_source.url in the provided credConfig. This field is merely to double-check that the external token source
  26947. URL has the expected value.
  26948. type: string
  26949. gcpServiceAccountEmail:
  26950. description: |-
  26951. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  26952. after Workload Identity Federation. Use this to grant access through the service account's
  26953. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  26954. service_account_impersonation_url in the external account JSON from credConfig;
  26955. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  26956. on that ServiceAccount.
  26957. example: my-gsa@my-project.iam.gserviceaccount.com
  26958. minLength: 1
  26959. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  26960. type: string
  26961. serviceAccountRef:
  26962. description: |-
  26963. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  26964. when Kubernetes is configured as provider in workload identity pool.
  26965. properties:
  26966. audiences:
  26967. description: |-
  26968. Audience specifies the `aud` claim for the service account token
  26969. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26970. then these audiences will be appended to the list
  26971. items:
  26972. type: string
  26973. type: array
  26974. name:
  26975. description: The name of the ServiceAccount resource being referred to.
  26976. maxLength: 253
  26977. minLength: 1
  26978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26979. type: string
  26980. namespace:
  26981. description: |-
  26982. Namespace of the resource being referred to.
  26983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26984. maxLength: 63
  26985. minLength: 1
  26986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26987. type: string
  26988. required:
  26989. - name
  26990. type: object
  26991. type: object
  26992. type: object
  26993. projectID:
  26994. description: ProjectID defines which project to use to authenticate with
  26995. type: string
  26996. required:
  26997. - auth
  26998. - projectID
  26999. type: object
  27000. githubAccessTokenSpec:
  27001. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  27002. properties:
  27003. appID:
  27004. type: string
  27005. auth:
  27006. description: Auth configures how ESO authenticates with a Github instance.
  27007. properties:
  27008. privateKey:
  27009. description: GithubSecretRef references a secret containing GitHub credentials.
  27010. properties:
  27011. secretRef:
  27012. description: |-
  27013. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27014. In some instances, `key` is a required field.
  27015. properties:
  27016. key:
  27017. description: |-
  27018. A key in the referenced Secret.
  27019. Some instances of this field may be defaulted, in others it may be required.
  27020. maxLength: 253
  27021. minLength: 1
  27022. pattern: ^[-._a-zA-Z0-9]+$
  27023. type: string
  27024. name:
  27025. description: The name of the Secret resource being referred to.
  27026. maxLength: 253
  27027. minLength: 1
  27028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27029. type: string
  27030. namespace:
  27031. description: |-
  27032. The namespace of the Secret resource being referred to.
  27033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27034. maxLength: 63
  27035. minLength: 1
  27036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27037. type: string
  27038. type: object
  27039. required:
  27040. - secretRef
  27041. type: object
  27042. required:
  27043. - privateKey
  27044. type: object
  27045. installID:
  27046. type: string
  27047. permissions:
  27048. additionalProperties:
  27049. type: string
  27050. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  27051. type: object
  27052. repositories:
  27053. description: |-
  27054. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  27055. is installed to.
  27056. items:
  27057. type: string
  27058. type: array
  27059. url:
  27060. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  27061. type: string
  27062. required:
  27063. - appID
  27064. - auth
  27065. - installID
  27066. type: object
  27067. grafanaSpec:
  27068. description: GrafanaSpec controls the behavior of the grafana generator.
  27069. properties:
  27070. auth:
  27071. description: |-
  27072. Auth is the authentication configuration to authenticate
  27073. against the Grafana instance.
  27074. properties:
  27075. basic:
  27076. description: |-
  27077. Basic auth credentials used to authenticate against the Grafana instance.
  27078. Note: you need a token which has elevated permissions to create service accounts.
  27079. See here for the documentation on basic roles offered by Grafana:
  27080. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27081. properties:
  27082. password:
  27083. description: A basic auth password used to authenticate against the Grafana instance.
  27084. properties:
  27085. key:
  27086. description: The key where the token is found.
  27087. maxLength: 253
  27088. minLength: 1
  27089. pattern: ^[-._a-zA-Z0-9]+$
  27090. type: string
  27091. name:
  27092. description: The name of the Secret resource being referred to.
  27093. maxLength: 253
  27094. minLength: 1
  27095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27096. type: string
  27097. type: object
  27098. username:
  27099. description: A basic auth username used to authenticate against the Grafana instance.
  27100. type: string
  27101. required:
  27102. - password
  27103. - username
  27104. type: object
  27105. token:
  27106. description: |-
  27107. A service account token used to authenticate against the Grafana instance.
  27108. Note: you need a token which has elevated permissions to create service accounts.
  27109. See here for the documentation on basic roles offered by Grafana:
  27110. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27111. properties:
  27112. key:
  27113. description: The key where the token is found.
  27114. maxLength: 253
  27115. minLength: 1
  27116. pattern: ^[-._a-zA-Z0-9]+$
  27117. type: string
  27118. name:
  27119. description: The name of the Secret resource being referred to.
  27120. maxLength: 253
  27121. minLength: 1
  27122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27123. type: string
  27124. type: object
  27125. type: object
  27126. serviceAccount:
  27127. description: |-
  27128. ServiceAccount is the configuration for the service account that
  27129. is supposed to be generated by the generator.
  27130. properties:
  27131. name:
  27132. description: Name is the name of the service account that will be created by ESO.
  27133. type: string
  27134. role:
  27135. description: |-
  27136. Role is the role of the service account.
  27137. See here for the documentation on basic roles offered by Grafana:
  27138. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27139. type: string
  27140. required:
  27141. - name
  27142. - role
  27143. type: object
  27144. url:
  27145. description: URL is the URL of the Grafana instance.
  27146. type: string
  27147. required:
  27148. - auth
  27149. - serviceAccount
  27150. - url
  27151. type: object
  27152. mfaSpec:
  27153. description: MFASpec controls the behavior of the mfa generator.
  27154. properties:
  27155. algorithm:
  27156. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  27157. type: string
  27158. length:
  27159. description: Length defines the token length. Defaults to 6 characters.
  27160. type: integer
  27161. secret:
  27162. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  27163. properties:
  27164. key:
  27165. description: |-
  27166. A key in the referenced Secret.
  27167. Some instances of this field may be defaulted, in others it may be required.
  27168. maxLength: 253
  27169. minLength: 1
  27170. pattern: ^[-._a-zA-Z0-9]+$
  27171. type: string
  27172. name:
  27173. description: The name of the Secret resource being referred to.
  27174. maxLength: 253
  27175. minLength: 1
  27176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27177. type: string
  27178. namespace:
  27179. description: |-
  27180. The namespace of the Secret resource being referred to.
  27181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27182. maxLength: 63
  27183. minLength: 1
  27184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27185. type: string
  27186. type: object
  27187. timePeriod:
  27188. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  27189. type: integer
  27190. when:
  27191. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  27192. format: date-time
  27193. type: string
  27194. required:
  27195. - secret
  27196. type: object
  27197. passwordSpec:
  27198. description: PasswordSpec controls the behavior of the password generator.
  27199. properties:
  27200. allowRepeat:
  27201. default: false
  27202. description: set AllowRepeat to true to allow repeating characters.
  27203. type: boolean
  27204. digits:
  27205. description: |-
  27206. Digits specifies the number of digits in the generated
  27207. password. If omitted it defaults to 25% of the length of the password
  27208. type: integer
  27209. encoding:
  27210. default: raw
  27211. description: |-
  27212. Encoding specifies the encoding of the generated password.
  27213. Valid values are:
  27214. - "raw" (default): no encoding
  27215. - "base64": standard base64 encoding
  27216. - "base64url": base64url encoding
  27217. - "base32": base32 encoding
  27218. - "hex": hexadecimal encoding
  27219. enum:
  27220. - base64
  27221. - base64url
  27222. - base32
  27223. - hex
  27224. - raw
  27225. type: string
  27226. length:
  27227. default: 24
  27228. description: |-
  27229. Length of the password to be generated.
  27230. Defaults to 24
  27231. type: integer
  27232. noUpper:
  27233. default: false
  27234. description: Set NoUpper to disable uppercase characters
  27235. type: boolean
  27236. secretKeys:
  27237. description: |-
  27238. SecretKeys defines the keys that will be populated with generated passwords.
  27239. Defaults to "password" when not set.
  27240. items:
  27241. type: string
  27242. minItems: 1
  27243. type: array
  27244. symbolCharacters:
  27245. description: |-
  27246. SymbolCharacters specifies the special characters that should be used
  27247. in the generated password.
  27248. type: string
  27249. symbols:
  27250. description: |-
  27251. Symbols specifies the number of symbol characters in the generated
  27252. password. If omitted it defaults to 25% of the length of the password
  27253. type: integer
  27254. required:
  27255. - allowRepeat
  27256. - length
  27257. - noUpper
  27258. type: object
  27259. quayAccessTokenSpec:
  27260. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  27261. properties:
  27262. robotAccount:
  27263. description: Name of the robot account you are federating with
  27264. type: string
  27265. serviceAccountRef:
  27266. description: Name of the service account you are federating with
  27267. properties:
  27268. audiences:
  27269. description: |-
  27270. Audience specifies the `aud` claim for the service account token
  27271. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27272. then these audiences will be appended to the list
  27273. items:
  27274. type: string
  27275. type: array
  27276. name:
  27277. description: The name of the ServiceAccount resource being referred to.
  27278. maxLength: 253
  27279. minLength: 1
  27280. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27281. type: string
  27282. namespace:
  27283. description: |-
  27284. Namespace of the resource being referred to.
  27285. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27286. maxLength: 63
  27287. minLength: 1
  27288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27289. type: string
  27290. required:
  27291. - name
  27292. type: object
  27293. url:
  27294. description: URL configures the Quay instance URL. Defaults to quay.io.
  27295. type: string
  27296. required:
  27297. - robotAccount
  27298. - serviceAccountRef
  27299. type: object
  27300. sshKeySpec:
  27301. description: SSHKeySpec controls the behavior of the ssh key generator.
  27302. properties:
  27303. comment:
  27304. description: Comment specifies an optional comment for the SSH key
  27305. type: string
  27306. keySize:
  27307. description: |-
  27308. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  27309. For RSA keys: 2048, 3072, 4096
  27310. For ECDSA keys: 256, 384, 521
  27311. Ignored for ed25519 keys
  27312. maximum: 8192
  27313. minimum: 256
  27314. type: integer
  27315. keyType:
  27316. default: rsa
  27317. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  27318. enum:
  27319. - rsa
  27320. - ecdsa
  27321. - ed25519
  27322. type: string
  27323. type: object
  27324. stsSessionTokenSpec:
  27325. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  27326. properties:
  27327. auth:
  27328. description: Auth defines how to authenticate with AWS
  27329. properties:
  27330. jwt:
  27331. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27332. properties:
  27333. serviceAccountRef:
  27334. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27335. properties:
  27336. audiences:
  27337. description: |-
  27338. Audience specifies the `aud` claim for the service account token
  27339. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27340. then these audiences will be appended to the list
  27341. items:
  27342. type: string
  27343. type: array
  27344. name:
  27345. description: The name of the ServiceAccount resource being referred to.
  27346. maxLength: 253
  27347. minLength: 1
  27348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27349. type: string
  27350. namespace:
  27351. description: |-
  27352. Namespace of the resource being referred to.
  27353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27354. maxLength: 63
  27355. minLength: 1
  27356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27357. type: string
  27358. required:
  27359. - name
  27360. type: object
  27361. type: object
  27362. secretRef:
  27363. description: |-
  27364. AWSAuthSecretRef holds secret references for AWS credentials
  27365. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27366. properties:
  27367. accessKeyIDSecretRef:
  27368. description: The AccessKeyID is used for authentication
  27369. properties:
  27370. key:
  27371. description: |-
  27372. A key in the referenced Secret.
  27373. Some instances of this field may be defaulted, in others it may be required.
  27374. maxLength: 253
  27375. minLength: 1
  27376. pattern: ^[-._a-zA-Z0-9]+$
  27377. type: string
  27378. name:
  27379. description: The name of the Secret resource being referred to.
  27380. maxLength: 253
  27381. minLength: 1
  27382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27383. type: string
  27384. namespace:
  27385. description: |-
  27386. The namespace of the Secret resource being referred to.
  27387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27388. maxLength: 63
  27389. minLength: 1
  27390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27391. type: string
  27392. type: object
  27393. secretAccessKeySecretRef:
  27394. description: The SecretAccessKey is used for authentication
  27395. properties:
  27396. key:
  27397. description: |-
  27398. A key in the referenced Secret.
  27399. Some instances of this field may be defaulted, in others it may be required.
  27400. maxLength: 253
  27401. minLength: 1
  27402. pattern: ^[-._a-zA-Z0-9]+$
  27403. type: string
  27404. name:
  27405. description: The name of the Secret resource being referred to.
  27406. maxLength: 253
  27407. minLength: 1
  27408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27409. type: string
  27410. namespace:
  27411. description: |-
  27412. The namespace of the Secret resource being referred to.
  27413. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27414. maxLength: 63
  27415. minLength: 1
  27416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27417. type: string
  27418. type: object
  27419. sessionTokenSecretRef:
  27420. description: |-
  27421. The SessionToken used for authentication
  27422. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27423. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27424. properties:
  27425. key:
  27426. description: |-
  27427. A key in the referenced Secret.
  27428. Some instances of this field may be defaulted, in others it may be required.
  27429. maxLength: 253
  27430. minLength: 1
  27431. pattern: ^[-._a-zA-Z0-9]+$
  27432. type: string
  27433. name:
  27434. description: The name of the Secret resource being referred to.
  27435. maxLength: 253
  27436. minLength: 1
  27437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27438. type: string
  27439. namespace:
  27440. description: |-
  27441. The namespace of the Secret resource being referred to.
  27442. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27443. maxLength: 63
  27444. minLength: 1
  27445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27446. type: string
  27447. type: object
  27448. type: object
  27449. type: object
  27450. region:
  27451. description: Region specifies the region to operate in.
  27452. type: string
  27453. requestParameters:
  27454. description: RequestParameters contains parameters that can be passed to the STS service.
  27455. properties:
  27456. serialNumber:
  27457. description: |-
  27458. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  27459. the GetSessionToken call.
  27460. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  27461. (such as arn:aws:iam::123456789012:mfa/user)
  27462. type: string
  27463. sessionDuration:
  27464. format: int32
  27465. type: integer
  27466. tokenCode:
  27467. description: TokenCode is the value provided by the MFA device, if MFA is required.
  27468. type: string
  27469. type: object
  27470. role:
  27471. description: |-
  27472. You can assume a role before making calls to the
  27473. desired AWS service.
  27474. type: string
  27475. required:
  27476. - region
  27477. type: object
  27478. uuidSpec:
  27479. description: UUIDSpec controls the behavior of the uuid generator.
  27480. type: object
  27481. vaultDynamicSecretSpec:
  27482. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  27483. properties:
  27484. allowEmptyResponse:
  27485. default: false
  27486. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  27487. type: boolean
  27488. controller:
  27489. description: |-
  27490. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27491. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27492. type: string
  27493. getParameters:
  27494. additionalProperties:
  27495. items:
  27496. type: string
  27497. type: array
  27498. description: |-
  27499. GetParameters are query-string parameters passed to Vault on GET calls.
  27500. Each key may map to multiple values, matching HTTP query-string semantics.
  27501. Ignored for non-GET methods; use Parameters for write bodies.
  27502. type: object
  27503. method:
  27504. description: Vault API method to use (GET/POST/other)
  27505. type: string
  27506. parameters:
  27507. description: Parameters to pass to Vault write (for non-GET methods)
  27508. x-kubernetes-preserve-unknown-fields: true
  27509. path:
  27510. description: Vault path to obtain the dynamic secret from
  27511. type: string
  27512. provider:
  27513. description: Vault provider common spec
  27514. properties:
  27515. auth:
  27516. description: Auth configures how secret-manager authenticates with the Vault server.
  27517. properties:
  27518. appRole:
  27519. description: |-
  27520. AppRole authenticates with Vault using the App Role auth mechanism,
  27521. with the role and secret stored in a Kubernetes Secret resource.
  27522. properties:
  27523. path:
  27524. default: approle
  27525. description: |-
  27526. Path where the App Role authentication backend is mounted
  27527. in Vault, e.g: "approle"
  27528. type: string
  27529. roleId:
  27530. description: |-
  27531. RoleID configured in the App Role authentication backend when setting
  27532. up the authentication backend in Vault.
  27533. type: string
  27534. roleRef:
  27535. description: |-
  27536. Reference to a key in a Secret that contains the App Role ID used
  27537. to authenticate with Vault.
  27538. The `key` field must be specified and denotes which entry within the Secret
  27539. resource is used as the app role id.
  27540. properties:
  27541. key:
  27542. description: |-
  27543. A key in the referenced Secret.
  27544. Some instances of this field may be defaulted, in others it may be required.
  27545. maxLength: 253
  27546. minLength: 1
  27547. pattern: ^[-._a-zA-Z0-9]+$
  27548. type: string
  27549. name:
  27550. description: The name of the Secret resource being referred to.
  27551. maxLength: 253
  27552. minLength: 1
  27553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27554. type: string
  27555. namespace:
  27556. description: |-
  27557. The namespace of the Secret resource being referred to.
  27558. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27559. maxLength: 63
  27560. minLength: 1
  27561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27562. type: string
  27563. type: object
  27564. secretRef:
  27565. description: |-
  27566. Reference to a key in a Secret that contains the App Role secret used
  27567. to authenticate with Vault.
  27568. The `key` field must be specified and denotes which entry within the Secret
  27569. resource is used as the app role secret.
  27570. properties:
  27571. key:
  27572. description: |-
  27573. A key in the referenced Secret.
  27574. Some instances of this field may be defaulted, in others it may be required.
  27575. maxLength: 253
  27576. minLength: 1
  27577. pattern: ^[-._a-zA-Z0-9]+$
  27578. type: string
  27579. name:
  27580. description: The name of the Secret resource being referred to.
  27581. maxLength: 253
  27582. minLength: 1
  27583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27584. type: string
  27585. namespace:
  27586. description: |-
  27587. The namespace of the Secret resource being referred to.
  27588. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27589. maxLength: 63
  27590. minLength: 1
  27591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27592. type: string
  27593. type: object
  27594. required:
  27595. - path
  27596. - secretRef
  27597. type: object
  27598. cert:
  27599. description: |-
  27600. Cert authenticates with Vault using the TLS certificate (Cert) authentication method by passing a client certificate,
  27601. private key and CA certificate.
  27602. properties:
  27603. clientCert:
  27604. description: |-
  27605. ClientCert is a certificate to authenticate using the Cert Vault
  27606. authentication method
  27607. properties:
  27608. key:
  27609. description: |-
  27610. A key in the referenced Secret.
  27611. Some instances of this field may be defaulted, in others it may be required.
  27612. maxLength: 253
  27613. minLength: 1
  27614. pattern: ^[-._a-zA-Z0-9]+$
  27615. type: string
  27616. name:
  27617. description: The name of the Secret resource being referred to.
  27618. maxLength: 253
  27619. minLength: 1
  27620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27621. type: string
  27622. namespace:
  27623. description: |-
  27624. The namespace of the Secret resource being referred to.
  27625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27626. maxLength: 63
  27627. minLength: 1
  27628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27629. type: string
  27630. type: object
  27631. path:
  27632. default: cert
  27633. description: |-
  27634. Path where the Certificate authentication backend is mounted
  27635. in Vault, e.g: "cert"
  27636. type: string
  27637. secretRef:
  27638. description: |-
  27639. SecretRef to a key in a Secret resource containing client private key to
  27640. authenticate with Vault using the Cert authentication method
  27641. properties:
  27642. key:
  27643. description: |-
  27644. A key in the referenced Secret.
  27645. Some instances of this field may be defaulted, in others it may be required.
  27646. maxLength: 253
  27647. minLength: 1
  27648. pattern: ^[-._a-zA-Z0-9]+$
  27649. type: string
  27650. name:
  27651. description: The name of the Secret resource being referred to.
  27652. maxLength: 253
  27653. minLength: 1
  27654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27655. type: string
  27656. namespace:
  27657. description: |-
  27658. The namespace of the Secret resource being referred to.
  27659. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27660. maxLength: 63
  27661. minLength: 1
  27662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27663. type: string
  27664. type: object
  27665. vaultRole:
  27666. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27667. type: string
  27668. type: object
  27669. gcp:
  27670. description: |-
  27671. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  27672. authentication method
  27673. properties:
  27674. location:
  27675. description: Location optionally defines a location/region for the secret
  27676. type: string
  27677. path:
  27678. default: gcp
  27679. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27680. type: string
  27681. projectID:
  27682. description: Project ID of the Google Cloud Platform project
  27683. type: string
  27684. role:
  27685. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27686. type: string
  27687. secretRef:
  27688. description: Specify credentials in a Secret object
  27689. properties:
  27690. secretAccessKeySecretRef:
  27691. description: The SecretAccessKey is used for authentication
  27692. properties:
  27693. key:
  27694. description: |-
  27695. A key in the referenced Secret.
  27696. Some instances of this field may be defaulted, in others it may be required.
  27697. maxLength: 253
  27698. minLength: 1
  27699. pattern: ^[-._a-zA-Z0-9]+$
  27700. type: string
  27701. name:
  27702. description: The name of the Secret resource being referred to.
  27703. maxLength: 253
  27704. minLength: 1
  27705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27706. type: string
  27707. namespace:
  27708. description: |-
  27709. The namespace of the Secret resource being referred to.
  27710. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27711. maxLength: 63
  27712. minLength: 1
  27713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27714. type: string
  27715. type: object
  27716. type: object
  27717. serviceAccountRef:
  27718. description: ServiceAccountRef to a service account for impersonation
  27719. properties:
  27720. audiences:
  27721. description: |-
  27722. Audience specifies the `aud` claim for the service account token
  27723. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27724. then these audiences will be appended to the list
  27725. items:
  27726. type: string
  27727. type: array
  27728. name:
  27729. description: The name of the ServiceAccount resource being referred to.
  27730. maxLength: 253
  27731. minLength: 1
  27732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27733. type: string
  27734. namespace:
  27735. description: |-
  27736. Namespace of the resource being referred to.
  27737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27738. maxLength: 63
  27739. minLength: 1
  27740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27741. type: string
  27742. required:
  27743. - name
  27744. type: object
  27745. workloadIdentity:
  27746. description: Specify a service account with Workload Identity
  27747. properties:
  27748. clusterLocation:
  27749. description: |-
  27750. ClusterLocation is the location of the cluster
  27751. If not specified, it fetches information from the metadata server
  27752. type: string
  27753. clusterName:
  27754. description: |-
  27755. ClusterName is the name of the cluster
  27756. If not specified, it fetches information from the metadata server
  27757. type: string
  27758. clusterProjectID:
  27759. description: |-
  27760. ClusterProjectID is the project ID of the cluster
  27761. If not specified, it fetches information from the metadata server
  27762. type: string
  27763. serviceAccountRef:
  27764. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27765. properties:
  27766. audiences:
  27767. description: |-
  27768. Audience specifies the `aud` claim for the service account token
  27769. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27770. then these audiences will be appended to the list
  27771. items:
  27772. type: string
  27773. type: array
  27774. name:
  27775. description: The name of the ServiceAccount resource being referred to.
  27776. maxLength: 253
  27777. minLength: 1
  27778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27779. type: string
  27780. namespace:
  27781. description: |-
  27782. Namespace of the resource being referred to.
  27783. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27784. maxLength: 63
  27785. minLength: 1
  27786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27787. type: string
  27788. required:
  27789. - name
  27790. type: object
  27791. required:
  27792. - serviceAccountRef
  27793. type: object
  27794. required:
  27795. - role
  27796. type: object
  27797. iam:
  27798. description: |-
  27799. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  27800. (the AWS IAM authentication method)
  27801. properties:
  27802. externalID:
  27803. description: AWS External ID set on assumed IAM roles
  27804. type: string
  27805. jwt:
  27806. description: Specify a service account with IRSA enabled
  27807. properties:
  27808. serviceAccountRef:
  27809. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27810. properties:
  27811. audiences:
  27812. description: |-
  27813. Audience specifies the `aud` claim for the service account token
  27814. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27815. then these audiences will be appended to the list
  27816. items:
  27817. type: string
  27818. type: array
  27819. name:
  27820. description: The name of the ServiceAccount resource being referred to.
  27821. maxLength: 253
  27822. minLength: 1
  27823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27824. type: string
  27825. namespace:
  27826. description: |-
  27827. Namespace of the resource being referred to.
  27828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27829. maxLength: 63
  27830. minLength: 1
  27831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27832. type: string
  27833. required:
  27834. - name
  27835. type: object
  27836. type: object
  27837. path:
  27838. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  27839. type: string
  27840. region:
  27841. description: AWS region
  27842. type: string
  27843. role:
  27844. description: This is the AWS role to be assumed before talking to vault
  27845. type: string
  27846. secretRef:
  27847. description: Specify credentials in a Secret object
  27848. properties:
  27849. accessKeyIDSecretRef:
  27850. description: The AccessKeyID is used for authentication
  27851. properties:
  27852. key:
  27853. description: |-
  27854. A key in the referenced Secret.
  27855. Some instances of this field may be defaulted, in others it may be required.
  27856. maxLength: 253
  27857. minLength: 1
  27858. pattern: ^[-._a-zA-Z0-9]+$
  27859. type: string
  27860. name:
  27861. description: The name of the Secret resource being referred to.
  27862. maxLength: 253
  27863. minLength: 1
  27864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27865. type: string
  27866. namespace:
  27867. description: |-
  27868. The namespace of the Secret resource being referred to.
  27869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27870. maxLength: 63
  27871. minLength: 1
  27872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27873. type: string
  27874. type: object
  27875. secretAccessKeySecretRef:
  27876. description: The SecretAccessKey is used for authentication
  27877. properties:
  27878. key:
  27879. description: |-
  27880. A key in the referenced Secret.
  27881. Some instances of this field may be defaulted, in others it may be required.
  27882. maxLength: 253
  27883. minLength: 1
  27884. pattern: ^[-._a-zA-Z0-9]+$
  27885. type: string
  27886. name:
  27887. description: The name of the Secret resource being referred to.
  27888. maxLength: 253
  27889. minLength: 1
  27890. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27891. type: string
  27892. namespace:
  27893. description: |-
  27894. The namespace of the Secret resource being referred to.
  27895. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27896. maxLength: 63
  27897. minLength: 1
  27898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27899. type: string
  27900. type: object
  27901. sessionTokenSecretRef:
  27902. description: |-
  27903. The SessionToken used for authentication
  27904. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27905. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27906. properties:
  27907. key:
  27908. description: |-
  27909. A key in the referenced Secret.
  27910. Some instances of this field may be defaulted, in others it may be required.
  27911. maxLength: 253
  27912. minLength: 1
  27913. pattern: ^[-._a-zA-Z0-9]+$
  27914. type: string
  27915. name:
  27916. description: The name of the Secret resource being referred to.
  27917. maxLength: 253
  27918. minLength: 1
  27919. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27920. type: string
  27921. namespace:
  27922. description: |-
  27923. The namespace of the Secret resource being referred to.
  27924. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27925. maxLength: 63
  27926. minLength: 1
  27927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27928. type: string
  27929. type: object
  27930. type: object
  27931. vaultAwsIamServerID:
  27932. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  27933. type: string
  27934. vaultRole:
  27935. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27936. type: string
  27937. required:
  27938. - vaultRole
  27939. type: object
  27940. jwt:
  27941. description: |-
  27942. Jwt authenticates with Vault by passing role and JWT token using the
  27943. JWT/OIDC authentication method
  27944. properties:
  27945. kubernetesServiceAccountToken:
  27946. description: |-
  27947. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  27948. a token with the `TokenRequest` API.
  27949. properties:
  27950. audiences:
  27951. description: |-
  27952. Optional audiences field that will be used to request a temporary Kubernetes service
  27953. account token for the service account referenced by `serviceAccountRef`.
  27954. Defaults to a single audience `vault` if not specified.
  27955. Deprecated: use serviceAccountRef.Audiences instead
  27956. items:
  27957. type: string
  27958. type: array
  27959. expirationSeconds:
  27960. description: |-
  27961. Optional expiration time in seconds that will be used to request a temporary
  27962. Kubernetes service account token for the service account referenced by
  27963. `serviceAccountRef`.
  27964. Deprecated: this will be removed in the future.
  27965. Defaults to 10 minutes.
  27966. format: int64
  27967. type: integer
  27968. serviceAccountRef:
  27969. description: Service account field containing the name of a kubernetes ServiceAccount.
  27970. properties:
  27971. audiences:
  27972. description: |-
  27973. Audience specifies the `aud` claim for the service account token
  27974. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27975. then these audiences will be appended to the list
  27976. items:
  27977. type: string
  27978. type: array
  27979. name:
  27980. description: The name of the ServiceAccount resource being referred to.
  27981. maxLength: 253
  27982. minLength: 1
  27983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27984. type: string
  27985. namespace:
  27986. description: |-
  27987. Namespace of the resource being referred to.
  27988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27989. maxLength: 63
  27990. minLength: 1
  27991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27992. type: string
  27993. required:
  27994. - name
  27995. type: object
  27996. required:
  27997. - serviceAccountRef
  27998. type: object
  27999. path:
  28000. default: jwt
  28001. description: |-
  28002. Path where the JWT authentication backend is mounted
  28003. in Vault, e.g: "jwt"
  28004. type: string
  28005. role:
  28006. description: |-
  28007. Role is a JWT role to authenticate using the JWT/OIDC Vault
  28008. authentication method
  28009. type: string
  28010. secretRef:
  28011. description: |-
  28012. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  28013. authenticate with Vault using the JWT/OIDC authentication method.
  28014. properties:
  28015. key:
  28016. description: |-
  28017. A key in the referenced Secret.
  28018. Some instances of this field may be defaulted, in others it may be required.
  28019. maxLength: 253
  28020. minLength: 1
  28021. pattern: ^[-._a-zA-Z0-9]+$
  28022. type: string
  28023. name:
  28024. description: The name of the Secret resource being referred to.
  28025. maxLength: 253
  28026. minLength: 1
  28027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28028. type: string
  28029. namespace:
  28030. description: |-
  28031. The namespace of the Secret resource being referred to.
  28032. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28033. maxLength: 63
  28034. minLength: 1
  28035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28036. type: string
  28037. type: object
  28038. required:
  28039. - path
  28040. type: object
  28041. kubernetes:
  28042. description: |-
  28043. Kubernetes authenticates with Vault by passing the ServiceAccount
  28044. token stored in the named Secret resource to the Vault server.
  28045. properties:
  28046. mountPath:
  28047. default: kubernetes
  28048. description: |-
  28049. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  28050. "kubernetes"
  28051. type: string
  28052. role:
  28053. description: |-
  28054. A required field containing the Vault Role to assume. A Role binds a
  28055. Kubernetes ServiceAccount with a set of Vault policies.
  28056. type: string
  28057. secretRef:
  28058. description: |-
  28059. Optional secret field containing a Kubernetes ServiceAccount JWT used
  28060. for authenticating with Vault. If a name is specified without a key,
  28061. `token` is the default. If one is not specified, the one bound to
  28062. the controller will be used.
  28063. properties:
  28064. key:
  28065. description: |-
  28066. A key in the referenced Secret.
  28067. Some instances of this field may be defaulted, in others it may be required.
  28068. maxLength: 253
  28069. minLength: 1
  28070. pattern: ^[-._a-zA-Z0-9]+$
  28071. type: string
  28072. name:
  28073. description: The name of the Secret resource being referred to.
  28074. maxLength: 253
  28075. minLength: 1
  28076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28077. type: string
  28078. namespace:
  28079. description: |-
  28080. The namespace of the Secret resource being referred to.
  28081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28082. maxLength: 63
  28083. minLength: 1
  28084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28085. type: string
  28086. type: object
  28087. serviceAccountRef:
  28088. description: |-
  28089. Optional service account field containing the name of a kubernetes ServiceAccount.
  28090. If the service account is specified, the service account secret token JWT will be used
  28091. for authenticating with Vault. If the service account selector is not supplied,
  28092. the secretRef will be used instead.
  28093. properties:
  28094. audiences:
  28095. description: |-
  28096. Audience specifies the `aud` claim for the service account token
  28097. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28098. then these audiences will be appended to the list
  28099. items:
  28100. type: string
  28101. type: array
  28102. name:
  28103. description: The name of the ServiceAccount resource being referred to.
  28104. maxLength: 253
  28105. minLength: 1
  28106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28107. type: string
  28108. namespace:
  28109. description: |-
  28110. Namespace of the resource being referred to.
  28111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28112. maxLength: 63
  28113. minLength: 1
  28114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28115. type: string
  28116. required:
  28117. - name
  28118. type: object
  28119. required:
  28120. - mountPath
  28121. - role
  28122. type: object
  28123. ldap:
  28124. description: |-
  28125. Ldap authenticates with Vault by passing username/password pair using
  28126. the LDAP authentication method
  28127. properties:
  28128. path:
  28129. default: ldap
  28130. description: |-
  28131. Path where the LDAP authentication backend is mounted
  28132. in Vault, e.g: "ldap"
  28133. type: string
  28134. secretRef:
  28135. description: |-
  28136. SecretRef to a key in a Secret resource containing password for the LDAP
  28137. user used to authenticate with Vault using the LDAP authentication
  28138. method
  28139. properties:
  28140. key:
  28141. description: |-
  28142. A key in the referenced Secret.
  28143. Some instances of this field may be defaulted, in others it may be required.
  28144. maxLength: 253
  28145. minLength: 1
  28146. pattern: ^[-._a-zA-Z0-9]+$
  28147. type: string
  28148. name:
  28149. description: The name of the Secret resource being referred to.
  28150. maxLength: 253
  28151. minLength: 1
  28152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28153. type: string
  28154. namespace:
  28155. description: |-
  28156. The namespace of the Secret resource being referred to.
  28157. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28158. maxLength: 63
  28159. minLength: 1
  28160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28161. type: string
  28162. type: object
  28163. username:
  28164. description: |-
  28165. Username is an LDAP username used to authenticate using the LDAP Vault
  28166. authentication method
  28167. type: string
  28168. required:
  28169. - path
  28170. - username
  28171. type: object
  28172. namespace:
  28173. description: |-
  28174. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  28175. Namespaces is a set of features within Vault Enterprise that allows
  28176. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28177. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28178. This will default to Vault.Namespace field if set, or empty otherwise
  28179. type: string
  28180. tokenSecretRef:
  28181. description: TokenSecretRef authenticates with Vault by presenting a token.
  28182. properties:
  28183. key:
  28184. description: |-
  28185. A key in the referenced Secret.
  28186. Some instances of this field may be defaulted, in others it may be required.
  28187. maxLength: 253
  28188. minLength: 1
  28189. pattern: ^[-._a-zA-Z0-9]+$
  28190. type: string
  28191. name:
  28192. description: The name of the Secret resource being referred to.
  28193. maxLength: 253
  28194. minLength: 1
  28195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28196. type: string
  28197. namespace:
  28198. description: |-
  28199. The namespace of the Secret resource being referred to.
  28200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28201. maxLength: 63
  28202. minLength: 1
  28203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28204. type: string
  28205. type: object
  28206. userPass:
  28207. description: UserPass authenticates with Vault by passing username/password pair
  28208. properties:
  28209. path:
  28210. default: userpass
  28211. description: |-
  28212. Path where the UserPassword authentication backend is mounted
  28213. in Vault, e.g: "userpass"
  28214. type: string
  28215. secretRef:
  28216. description: |-
  28217. SecretRef to a key in a Secret resource containing password for the
  28218. user used to authenticate with Vault using the UserPass authentication
  28219. method
  28220. properties:
  28221. key:
  28222. description: |-
  28223. A key in the referenced Secret.
  28224. Some instances of this field may be defaulted, in others it may be required.
  28225. maxLength: 253
  28226. minLength: 1
  28227. pattern: ^[-._a-zA-Z0-9]+$
  28228. type: string
  28229. name:
  28230. description: The name of the Secret resource being referred to.
  28231. maxLength: 253
  28232. minLength: 1
  28233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28234. type: string
  28235. namespace:
  28236. description: |-
  28237. The namespace of the Secret resource being referred to.
  28238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28239. maxLength: 63
  28240. minLength: 1
  28241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28242. type: string
  28243. type: object
  28244. username:
  28245. description: |-
  28246. Username is a username used to authenticate using the UserPass Vault
  28247. authentication method
  28248. type: string
  28249. required:
  28250. - path
  28251. - username
  28252. type: object
  28253. type: object
  28254. caBundle:
  28255. description: |-
  28256. PEM encoded CA bundle used to validate Vault server certificate. Only used
  28257. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28258. plain HTTP protocol connection. If not set the system root certificates
  28259. are used to validate the TLS connection.
  28260. format: byte
  28261. type: string
  28262. caProvider:
  28263. description: The provider for the CA bundle to use to validate Vault server certificate.
  28264. properties:
  28265. key:
  28266. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28267. maxLength: 253
  28268. minLength: 1
  28269. pattern: ^[-._a-zA-Z0-9]+$
  28270. type: string
  28271. name:
  28272. description: The name of the object located at the provider type.
  28273. maxLength: 253
  28274. minLength: 1
  28275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28276. type: string
  28277. namespace:
  28278. description: |-
  28279. The namespace the Provider type is in.
  28280. Can only be defined when used in a ClusterSecretStore.
  28281. maxLength: 63
  28282. minLength: 1
  28283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28284. type: string
  28285. type:
  28286. description: The type of provider to use such as "Secret", or "ConfigMap".
  28287. enum:
  28288. - Secret
  28289. - ConfigMap
  28290. type: string
  28291. required:
  28292. - name
  28293. - type
  28294. type: object
  28295. checkAndSet:
  28296. description: |-
  28297. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  28298. Only applies to Vault KV v2 stores. When enabled, write operations must include
  28299. the current version of the secret to prevent unintentional overwrites.
  28300. properties:
  28301. required:
  28302. description: |-
  28303. Required when true, all write operations must include a check-and-set parameter.
  28304. This helps prevent unintentional overwrites of secrets.
  28305. type: boolean
  28306. type: object
  28307. forwardInconsistent:
  28308. description: |-
  28309. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  28310. leader instead of simply retrying within a loop. This can increase performance if
  28311. the option is enabled serverside.
  28312. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  28313. type: boolean
  28314. headers:
  28315. additionalProperties:
  28316. type: string
  28317. description: Headers to be added to the Vault request
  28318. type: object
  28319. namespace:
  28320. description: |-
  28321. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  28322. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28323. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28324. type: string
  28325. path:
  28326. description: |-
  28327. Path is the mount path of the Vault KV backend endpoint, e.g:
  28328. "secret". The v2 KV secret engine version specific "/data" path suffix
  28329. for fetching secrets from Vault is optional and will be appended
  28330. if not present in specified path.
  28331. type: string
  28332. readYourWrites:
  28333. description: |-
  28334. ReadYourWrites ensures isolated read-after-write semantics by
  28335. providing discovered cluster replication states in each request.
  28336. More information about eventual consistency in Vault can be found here
  28337. https://www.vaultproject.io/docs/enterprise/consistency
  28338. type: boolean
  28339. server:
  28340. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  28341. type: string
  28342. tls:
  28343. description: |-
  28344. The configuration used for client side related TLS communication, when the Vault server
  28345. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  28346. This parameter is ignored for plain HTTP protocol connection.
  28347. It's worth noting this configuration is different from the "TLS certificates auth method",
  28348. which is available under the `auth.cert` section.
  28349. properties:
  28350. certSecretRef:
  28351. description: |-
  28352. CertSecretRef is a certificate added to the transport layer
  28353. when communicating with the Vault server.
  28354. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  28355. properties:
  28356. key:
  28357. description: |-
  28358. A key in the referenced Secret.
  28359. Some instances of this field may be defaulted, in others it may be required.
  28360. maxLength: 253
  28361. minLength: 1
  28362. pattern: ^[-._a-zA-Z0-9]+$
  28363. type: string
  28364. name:
  28365. description: The name of the Secret resource being referred to.
  28366. maxLength: 253
  28367. minLength: 1
  28368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28369. type: string
  28370. namespace:
  28371. description: |-
  28372. The namespace of the Secret resource being referred to.
  28373. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28374. maxLength: 63
  28375. minLength: 1
  28376. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28377. type: string
  28378. type: object
  28379. keySecretRef:
  28380. description: |-
  28381. KeySecretRef to a key in a Secret resource containing client private key
  28382. added to the transport layer when communicating with the Vault server.
  28383. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  28384. properties:
  28385. key:
  28386. description: |-
  28387. A key in the referenced Secret.
  28388. Some instances of this field may be defaulted, in others it may be required.
  28389. maxLength: 253
  28390. minLength: 1
  28391. pattern: ^[-._a-zA-Z0-9]+$
  28392. type: string
  28393. name:
  28394. description: The name of the Secret resource being referred to.
  28395. maxLength: 253
  28396. minLength: 1
  28397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28398. type: string
  28399. namespace:
  28400. description: |-
  28401. The namespace of the Secret resource being referred to.
  28402. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28403. maxLength: 63
  28404. minLength: 1
  28405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28406. type: string
  28407. type: object
  28408. type: object
  28409. version:
  28410. default: v2
  28411. description: |-
  28412. Version is the Vault KV secret engine version. This can be either "v1" or
  28413. "v2". Version defaults to "v2".
  28414. enum:
  28415. - v1
  28416. - v2
  28417. type: string
  28418. required:
  28419. - server
  28420. type: object
  28421. resultType:
  28422. default: Data
  28423. description: |-
  28424. Result type defines which data is returned from the generator.
  28425. By default, it is the "data" section of the Vault API response.
  28426. When using e.g. /auth/token/create the "data" section is empty but
  28427. the "auth" section contains the generated token.
  28428. Please refer to the vault docs regarding the result data structure.
  28429. Additionally, accessing the raw response is possible by using the "Raw" result type.
  28430. enum:
  28431. - Data
  28432. - Auth
  28433. - Raw
  28434. type: string
  28435. retrySettings:
  28436. description: Used to configure HTTP retries when a request fails
  28437. properties:
  28438. maxRetries:
  28439. format: int32
  28440. type: integer
  28441. retryInterval:
  28442. type: string
  28443. type: object
  28444. required:
  28445. - path
  28446. - provider
  28447. type: object
  28448. webhookSpec:
  28449. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  28450. properties:
  28451. auth:
  28452. description: Auth specifies an authorization protocol. Only one protocol may be set.
  28453. maxProperties: 1
  28454. minProperties: 1
  28455. properties:
  28456. ntlm:
  28457. description: NTLMProtocol configures the store to use NTLM for auth
  28458. properties:
  28459. passwordSecret:
  28460. description: |-
  28461. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28462. In some instances, `key` is a required field.
  28463. properties:
  28464. key:
  28465. description: |-
  28466. A key in the referenced Secret.
  28467. Some instances of this field may be defaulted, in others it may be required.
  28468. maxLength: 253
  28469. minLength: 1
  28470. pattern: ^[-._a-zA-Z0-9]+$
  28471. type: string
  28472. name:
  28473. description: The name of the Secret resource being referred to.
  28474. maxLength: 253
  28475. minLength: 1
  28476. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28477. type: string
  28478. namespace:
  28479. description: |-
  28480. The namespace of the Secret resource being referred to.
  28481. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28482. maxLength: 63
  28483. minLength: 1
  28484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28485. type: string
  28486. type: object
  28487. usernameSecret:
  28488. description: |-
  28489. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28490. In some instances, `key` is a required field.
  28491. properties:
  28492. key:
  28493. description: |-
  28494. A key in the referenced Secret.
  28495. Some instances of this field may be defaulted, in others it may be required.
  28496. maxLength: 253
  28497. minLength: 1
  28498. pattern: ^[-._a-zA-Z0-9]+$
  28499. type: string
  28500. name:
  28501. description: The name of the Secret resource being referred to.
  28502. maxLength: 253
  28503. minLength: 1
  28504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28505. type: string
  28506. namespace:
  28507. description: |-
  28508. The namespace of the Secret resource being referred to.
  28509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28510. maxLength: 63
  28511. minLength: 1
  28512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28513. type: string
  28514. type: object
  28515. required:
  28516. - passwordSecret
  28517. - usernameSecret
  28518. type: object
  28519. type: object
  28520. body:
  28521. description: Body
  28522. type: string
  28523. caBundle:
  28524. description: |-
  28525. PEM encoded CA bundle used to validate webhook server certificate. Only used
28526. if the Server URL uses the HTTPS protocol. This parameter is ignored for
28527. plain HTTP connections. If not set, the system root certificates
  28528. are used to validate the TLS connection.
  28529. format: byte
  28530. type: string
  28531. caProvider:
  28532. description: The provider for the CA bundle to use to validate webhook server certificate.
  28533. properties:
  28534. key:
  28535. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28536. maxLength: 253
  28537. minLength: 1
  28538. pattern: ^[-._a-zA-Z0-9]+$
  28539. type: string
  28540. name:
  28541. description: The name of the object located at the provider type.
  28542. maxLength: 253
  28543. minLength: 1
  28544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28545. type: string
  28546. namespace:
  28547. description: The namespace the Provider type is in.
  28548. maxLength: 63
  28549. minLength: 1
  28550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28551. type: string
  28552. type:
  28553. description: The type of provider to use such as "Secret", or "ConfigMap".
  28554. enum:
  28555. - Secret
  28556. - ConfigMap
  28557. type: string
  28558. required:
  28559. - name
  28560. - type
  28561. type: object
  28562. headers:
  28563. additionalProperties:
  28564. type: string
  28565. description: Headers
  28566. type: object
  28567. method:
  28568. description: Webhook Method
  28569. type: string
  28570. result:
  28571. description: Result formatting
  28572. properties:
  28573. jsonPath:
  28574. description: Json path of return value
  28575. type: string
  28576. type: object
  28577. secrets:
  28578. description: |-
  28579. Secrets to fill in templates
  28580. These secrets will be passed to the templating function as key value pairs under the given name
  28581. items:
  28582. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28583. properties:
  28584. name:
  28585. description: Name of this secret in templates
  28586. type: string
  28587. secretRef:
  28588. description: Secret ref to fill in credentials
  28589. properties:
  28590. key:
  28591. description: The key where the token is found.
  28592. maxLength: 253
  28593. minLength: 1
  28594. pattern: ^[-._a-zA-Z0-9]+$
  28595. type: string
  28596. name:
  28597. description: The name of the Secret resource being referred to.
  28598. maxLength: 253
  28599. minLength: 1
  28600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28601. type: string
  28602. type: object
  28603. required:
  28604. - name
  28605. - secretRef
  28606. type: object
  28607. type: array
  28608. timeout:
  28609. description: Timeout
  28610. type: string
  28611. url:
  28612. description: Webhook url to call
  28613. type: string
  28614. required:
  28615. - result
  28616. - url
  28617. type: object
  28618. type: object
  28619. kind:
28620. description: Kind is the kind of this generator.
  28621. enum:
  28622. - ACRAccessToken
  28623. - BeyondtrustWorkloadCredentialsDynamicSecret
  28624. - CloudsmithAccessToken
  28625. - ECRAuthorizationToken
  28626. - Fake
  28627. - GCRAccessToken
  28628. - GithubAccessToken
  28629. - QuayAccessToken
  28630. - Password
  28631. - SSHKey
  28632. - STSSessionToken
  28633. - UUID
  28634. - VaultDynamicSecret
  28635. - Webhook
  28636. - Grafana
  28637. - MFA
  28638. type: string
  28639. required:
  28640. - generator
  28641. - kind
  28642. type: object
  28643. type: object
  28644. served: true
  28645. storage: true
  28646. subresources:
  28647. status: {}
  28648. ---
  28649. apiVersion: apiextensions.k8s.io/v1
  28650. kind: CustomResourceDefinition
  28651. metadata:
  28652. annotations:
  28653. controller-gen.kubebuilder.io/version: v0.19.0
  28654. labels:
  28655. external-secrets.io/component: controller
  28656. name: ecrauthorizationtokens.generators.external-secrets.io
  28657. spec:
  28658. group: generators.external-secrets.io
  28659. names:
  28660. categories:
  28661. - external-secrets
  28662. - external-secrets-generators
  28663. kind: ECRAuthorizationToken
  28664. listKind: ECRAuthorizationTokenList
  28665. plural: ecrauthorizationtokens
  28666. singular: ecrauthorizationtoken
  28667. scope: Namespaced
  28668. versions:
  28669. - name: v1alpha1
  28670. schema:
  28671. openAPIV3Schema:
  28672. description: |-
  28673. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28674. The authorization token is valid for 12 hours.
  28675. The authorizationToken returned is a base64 encoded string that can be decoded
  28676. and used in a docker login command to authenticate to a registry.
  28677. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28678. properties:
  28679. apiVersion:
  28680. description: |-
  28681. APIVersion defines the versioned schema of this representation of an object.
  28682. Servers should convert recognized schemas to the latest internal value, and
  28683. may reject unrecognized values.
  28684. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28685. type: string
  28686. kind:
  28687. description: |-
  28688. Kind is a string value representing the REST resource this object represents.
  28689. Servers may infer this from the endpoint the client submits requests to.
  28690. Cannot be updated.
  28691. In CamelCase.
  28692. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28693. type: string
  28694. metadata:
  28695. type: object
  28696. spec:
  28697. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28698. properties:
  28699. auth:
  28700. description: Auth defines how to authenticate with AWS
  28701. properties:
  28702. jwt:
  28703. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28704. properties:
  28705. serviceAccountRef:
  28706. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28707. properties:
  28708. audiences:
  28709. description: |-
  28710. Audience specifies the `aud` claim for the service account token
  28711. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
28712. then these audiences will be appended to the list
  28713. items:
  28714. type: string
  28715. type: array
  28716. name:
  28717. description: The name of the ServiceAccount resource being referred to.
  28718. maxLength: 253
  28719. minLength: 1
  28720. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28721. type: string
  28722. namespace:
  28723. description: |-
  28724. Namespace of the resource being referred to.
  28725. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28726. maxLength: 63
  28727. minLength: 1
  28728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28729. type: string
  28730. required:
  28731. - name
  28732. type: object
  28733. type: object
  28734. secretRef:
  28735. description: |-
  28736. AWSAuthSecretRef holds secret references for AWS credentials
  28737. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28738. properties:
  28739. accessKeyIDSecretRef:
  28740. description: The AccessKeyID is used for authentication
  28741. properties:
  28742. key:
  28743. description: |-
  28744. A key in the referenced Secret.
  28745. Some instances of this field may be defaulted, in others it may be required.
  28746. maxLength: 253
  28747. minLength: 1
  28748. pattern: ^[-._a-zA-Z0-9]+$
  28749. type: string
  28750. name:
  28751. description: The name of the Secret resource being referred to.
  28752. maxLength: 253
  28753. minLength: 1
  28754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28755. type: string
  28756. namespace:
  28757. description: |-
  28758. The namespace of the Secret resource being referred to.
  28759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28760. maxLength: 63
  28761. minLength: 1
  28762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28763. type: string
  28764. type: object
  28765. secretAccessKeySecretRef:
  28766. description: The SecretAccessKey is used for authentication
  28767. properties:
  28768. key:
  28769. description: |-
  28770. A key in the referenced Secret.
  28771. Some instances of this field may be defaulted, in others it may be required.
  28772. maxLength: 253
  28773. minLength: 1
  28774. pattern: ^[-._a-zA-Z0-9]+$
  28775. type: string
  28776. name:
  28777. description: The name of the Secret resource being referred to.
  28778. maxLength: 253
  28779. minLength: 1
  28780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28781. type: string
  28782. namespace:
  28783. description: |-
  28784. The namespace of the Secret resource being referred to.
  28785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28786. maxLength: 63
  28787. minLength: 1
  28788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28789. type: string
  28790. type: object
  28791. sessionTokenSecretRef:
  28792. description: |-
  28793. The SessionToken used for authentication
  28794. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28795. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28796. properties:
  28797. key:
  28798. description: |-
  28799. A key in the referenced Secret.
  28800. Some instances of this field may be defaulted, in others it may be required.
  28801. maxLength: 253
  28802. minLength: 1
  28803. pattern: ^[-._a-zA-Z0-9]+$
  28804. type: string
  28805. name:
  28806. description: The name of the Secret resource being referred to.
  28807. maxLength: 253
  28808. minLength: 1
  28809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28810. type: string
  28811. namespace:
  28812. description: |-
  28813. The namespace of the Secret resource being referred to.
  28814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28815. maxLength: 63
  28816. minLength: 1
  28817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28818. type: string
  28819. type: object
  28820. type: object
  28821. type: object
  28822. region:
  28823. description: Region specifies the region to operate in.
  28824. type: string
  28825. role:
  28826. description: |-
  28827. You can assume a role before making calls to the
  28828. desired AWS service.
  28829. type: string
  28830. scope:
  28831. description: |-
  28832. Scope specifies the ECR service scope.
  28833. Valid options are private and public.
  28834. type: string
  28835. required:
  28836. - region
  28837. type: object
  28838. type: object
  28839. served: true
  28840. storage: true
  28841. subresources:
  28842. status: {}
  28843. ---
  28844. apiVersion: apiextensions.k8s.io/v1
  28845. kind: CustomResourceDefinition
  28846. metadata:
  28847. annotations:
  28848. controller-gen.kubebuilder.io/version: v0.19.0
  28849. labels:
  28850. external-secrets.io/component: controller
  28851. name: fakes.generators.external-secrets.io
  28852. spec:
  28853. group: generators.external-secrets.io
  28854. names:
  28855. categories:
  28856. - external-secrets
  28857. - external-secrets-generators
  28858. kind: Fake
  28859. listKind: FakeList
  28860. plural: fakes
  28861. singular: fake
  28862. scope: Namespaced
  28863. versions:
  28864. - name: v1alpha1
  28865. schema:
  28866. openAPIV3Schema:
  28867. description: |-
  28868. Fake generator is used for testing. It lets you define
  28869. a static set of credentials that is always returned.
  28870. properties:
  28871. apiVersion:
  28872. description: |-
  28873. APIVersion defines the versioned schema of this representation of an object.
  28874. Servers should convert recognized schemas to the latest internal value, and
  28875. may reject unrecognized values.
  28876. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28877. type: string
  28878. kind:
  28879. description: |-
  28880. Kind is a string value representing the REST resource this object represents.
  28881. Servers may infer this from the endpoint the client submits requests to.
  28882. Cannot be updated.
  28883. In CamelCase.
  28884. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28885. type: string
  28886. metadata:
  28887. type: object
  28888. spec:
  28889. description: FakeSpec contains the static data.
  28890. properties:
  28891. controller:
  28892. description: |-
  28893. Used to select the correct ESO controller (think: ingress.ingressClassName)
  28894. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  28895. type: string
  28896. data:
  28897. additionalProperties:
  28898. type: string
  28899. description: |-
  28900. Data defines the static data returned
  28901. by this generator.
  28902. type: object
  28903. type: object
  28904. type: object
  28905. served: true
  28906. storage: true
  28907. subresources:
  28908. status: {}
  28909. ---
  28910. apiVersion: apiextensions.k8s.io/v1
  28911. kind: CustomResourceDefinition
  28912. metadata:
  28913. annotations:
  28914. controller-gen.kubebuilder.io/version: v0.19.0
  28915. labels:
  28916. external-secrets.io/component: controller
  28917. name: gcraccesstokens.generators.external-secrets.io
  28918. spec:
  28919. group: generators.external-secrets.io
  28920. names:
  28921. categories:
  28922. - external-secrets
  28923. - external-secrets-generators
  28924. kind: GCRAccessToken
  28925. listKind: GCRAccessTokenList
  28926. plural: gcraccesstokens
  28927. singular: gcraccesstoken
  28928. scope: Namespaced
  28929. versions:
  28930. - name: v1alpha1
  28931. schema:
  28932. openAPIV3Schema:
  28933. description: |-
28934. GCRAccessToken generates a GCP access token
  28935. that can be used to authenticate with GCR.
  28936. properties:
  28937. apiVersion:
  28938. description: |-
  28939. APIVersion defines the versioned schema of this representation of an object.
  28940. Servers should convert recognized schemas to the latest internal value, and
  28941. may reject unrecognized values.
  28942. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28943. type: string
  28944. kind:
  28945. description: |-
  28946. Kind is a string value representing the REST resource this object represents.
  28947. Servers may infer this from the endpoint the client submits requests to.
  28948. Cannot be updated.
  28949. In CamelCase.
  28950. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28951. type: string
  28952. metadata:
  28953. type: object
  28954. spec:
  28955. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  28956. properties:
  28957. auth:
  28958. description: Auth defines the means for authenticating with GCP
  28959. properties:
  28960. secretRef:
  28961. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  28962. properties:
  28963. secretAccessKeySecretRef:
  28964. description: The SecretAccessKey is used for authentication
  28965. properties:
  28966. key:
  28967. description: |-
  28968. A key in the referenced Secret.
  28969. Some instances of this field may be defaulted, in others it may be required.
  28970. maxLength: 253
  28971. minLength: 1
  28972. pattern: ^[-._a-zA-Z0-9]+$
  28973. type: string
  28974. name:
  28975. description: The name of the Secret resource being referred to.
  28976. maxLength: 253
  28977. minLength: 1
  28978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28979. type: string
  28980. namespace:
  28981. description: |-
  28982. The namespace of the Secret resource being referred to.
  28983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28984. maxLength: 63
  28985. minLength: 1
  28986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28987. type: string
  28988. type: object
  28989. type: object
  28990. workloadIdentity:
  28991. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  28992. properties:
  28993. clusterLocation:
  28994. type: string
  28995. clusterName:
  28996. type: string
  28997. clusterProjectID:
  28998. type: string
  28999. serviceAccountRef:
  29000. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29001. properties:
  29002. audiences:
  29003. description: |-
  29004. Audience specifies the `aud` claim for the service account token
  29005. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
29006. then these audiences will be appended to the list
  29007. items:
  29008. type: string
  29009. type: array
  29010. name:
  29011. description: The name of the ServiceAccount resource being referred to.
  29012. maxLength: 253
  29013. minLength: 1
  29014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29015. type: string
  29016. namespace:
  29017. description: |-
  29018. Namespace of the resource being referred to.
  29019. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29020. maxLength: 63
  29021. minLength: 1
  29022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29023. type: string
  29024. required:
  29025. - name
  29026. type: object
  29027. required:
  29028. - clusterLocation
  29029. - clusterName
  29030. - serviceAccountRef
  29031. type: object
  29032. workloadIdentityFederation:
  29033. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  29034. properties:
  29035. audience:
  29036. description: |-
  29037. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  29038. If specified, Audience found in the external account credential config will be overridden with the configured value.
  29039. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  29040. type: string
  29041. awsSecurityCredentials:
  29042. description: |-
  29043. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  29044. when using the AWS metadata server is not an option.
  29045. properties:
  29046. awsCredentialsSecretRef:
  29047. description: |-
  29048. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  29049. Secret should be created with below names for keys
  29050. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  29051. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  29052. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  29053. properties:
  29054. name:
  29055. description: name of the secret.
  29056. maxLength: 253
  29057. minLength: 1
  29058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29059. type: string
  29060. namespace:
29061. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  29062. maxLength: 63
  29063. minLength: 1
  29064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29065. type: string
  29066. required:
  29067. - name
  29068. type: object
  29069. region:
  29070. description: region is for configuring the AWS region to be used.
  29071. example: ap-south-1
  29072. maxLength: 50
  29073. minLength: 1
  29074. pattern: ^[a-z0-9-]+$
  29075. type: string
  29076. required:
  29077. - awsCredentialsSecretRef
  29078. - region
  29079. type: object
  29080. credConfig:
  29081. description: |-
  29082. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
29083. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead
29084. serviceAccountRef must be used by providing the operator's service account details.
  29085. properties:
  29086. key:
  29087. description: key name holding the external account credential config.
  29088. maxLength: 253
  29089. minLength: 1
  29090. pattern: ^[-._a-zA-Z0-9]+$
  29091. type: string
  29092. name:
  29093. description: name of the configmap.
  29094. maxLength: 253
  29095. minLength: 1
  29096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29097. type: string
  29098. namespace:
29099. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  29100. maxLength: 63
  29101. minLength: 1
  29102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29103. type: string
  29104. required:
  29105. - key
  29106. - name
  29107. type: object
  29108. externalTokenEndpoint:
  29109. description: |-
  29110. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  29111. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  29112. URL is having the expected value.
  29113. type: string
  29114. gcpServiceAccountEmail:
  29115. description: |-
  29116. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  29117. after Workload Identity Federation. Use this to grant access through the service account's
  29118. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  29119. service_account_impersonation_url in the external account JSON from credConfig;
  29120. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  29121. on that ServiceAccount.
  29122. example: my-gsa@my-project.iam.gserviceaccount.com
  29123. minLength: 1
  29124. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  29125. type: string
  29126. serviceAccountRef:
  29127. description: |-
  29128. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  29129. when Kubernetes is configured as provider in workload identity pool.
  29130. properties:
  29131. audiences:
  29132. description: |-
  29133. Audience specifies the `aud` claim for the service account token
  29134. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
29135. then these audiences will be appended to the list
  29136. items:
  29137. type: string
  29138. type: array
  29139. name:
  29140. description: The name of the ServiceAccount resource being referred to.
  29141. maxLength: 253
  29142. minLength: 1
  29143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29144. type: string
  29145. namespace:
  29146. description: |-
  29147. Namespace of the resource being referred to.
  29148. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29149. maxLength: 63
  29150. minLength: 1
  29151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29152. type: string
  29153. required:
  29154. - name
  29155. type: object
  29156. type: object
  29157. type: object
  29158. projectID:
  29159. description: ProjectID defines which project to use to authenticate with
  29160. type: string
  29161. required:
  29162. - auth
  29163. - projectID
  29164. type: object
  29165. type: object
  29166. served: true
  29167. storage: true
  29168. subresources:
  29169. status: {}
  29170. ---
  29171. apiVersion: apiextensions.k8s.io/v1
  29172. kind: CustomResourceDefinition
  29173. metadata:
  29174. annotations:
  29175. controller-gen.kubebuilder.io/version: v0.19.0
  29176. labels:
  29177. external-secrets.io/component: controller
  29178. name: generatorstates.generators.external-secrets.io
  29179. spec:
  29180. group: generators.external-secrets.io
  29181. names:
  29182. categories:
  29183. - external-secrets
  29184. - external-secrets-generators
  29185. kind: GeneratorState
  29186. listKind: GeneratorStateList
  29187. plural: generatorstates
  29188. shortNames:
  29189. - gs
  29190. singular: generatorstate
  29191. scope: Namespaced
  29192. versions:
  29193. - additionalPrinterColumns:
  29194. - jsonPath: .spec.garbageCollectionDeadline
  29195. name: GC Deadline
  29196. type: string
  29197. - jsonPath: .metadata.creationTimestamp
  29198. name: Age
  29199. type: date
  29200. name: v1alpha1
  29201. schema:
  29202. openAPIV3Schema:
  29203. description: GeneratorState represents the state created and managed by a generator resource.
  29204. properties:
  29205. apiVersion:
  29206. description: |-
  29207. APIVersion defines the versioned schema of this representation of an object.
  29208. Servers should convert recognized schemas to the latest internal value, and
  29209. may reject unrecognized values.
  29210. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29211. type: string
  29212. kind:
  29213. description: |-
  29214. Kind is a string value representing the REST resource this object represents.
  29215. Servers may infer this from the endpoint the client submits requests to.
  29216. Cannot be updated.
  29217. In CamelCase.
  29218. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29219. type: string
  29220. metadata:
  29221. type: object
  29222. spec:
  29223. description: GeneratorStateSpec defines the desired state of a generator state resource.
  29224. properties:
  29225. garbageCollectionDeadline:
  29226. description: |-
  29227. GarbageCollectionDeadline is the time after which the generator state
  29228. will be deleted.
  29229. It is set by the controller which creates the generator state and
29230. can be configured by the user.
  29231. If the garbage collection deadline is not set the generator state will not be deleted.
  29232. format: date-time
  29233. type: string
  29234. resource:
  29235. description: |-
  29236. Resource is the generator manifest that produced the state.
  29237. It is a snapshot of the generator manifest at the time the state was produced.
  29238. This manifest will be used to delete the resource. Any configuration that is referenced
  29239. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  29240. be blocked by a finalizer.
  29241. x-kubernetes-preserve-unknown-fields: true
  29242. state:
  29243. description: State is the state that was produced by the generator implementation.
  29244. x-kubernetes-preserve-unknown-fields: true
  29245. required:
  29246. - resource
  29247. - state
  29248. type: object
  29249. status:
  29250. description: GeneratorStateStatus defines the observed state of a generator state resource.
  29251. properties:
  29252. conditions:
  29253. items:
  29254. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  29255. properties:
  29256. lastTransitionTime:
  29257. format: date-time
  29258. type: string
  29259. message:
  29260. type: string
  29261. reason:
  29262. type: string
  29263. status:
  29264. type: string
  29265. type:
  29266. description: GeneratorStateConditionType represents the type of condition for a generator state.
  29267. type: string
  29268. required:
  29269. - status
  29270. - type
  29271. type: object
  29272. type: array
  29273. type: object
  29274. type: object
  29275. served: true
  29276. storage: true
  29277. subresources: {}
  29278. ---
  29279. apiVersion: apiextensions.k8s.io/v1
  29280. kind: CustomResourceDefinition
  29281. metadata:
  29282. annotations:
  29283. controller-gen.kubebuilder.io/version: v0.19.0
  29284. labels:
  29285. external-secrets.io/component: controller
  29286. name: githubaccesstokens.generators.external-secrets.io
  29287. spec:
  29288. group: generators.external-secrets.io
  29289. names:
  29290. categories:
  29291. - external-secrets
  29292. - external-secrets-generators
  29293. kind: GithubAccessToken
  29294. listKind: GithubAccessTokenList
  29295. plural: githubaccesstokens
  29296. singular: githubaccesstoken
  29297. scope: Namespaced
  29298. versions:
  29299. - name: v1alpha1
  29300. schema:
  29301. openAPIV3Schema:
  29302. description: GithubAccessToken generates ghs_ accessToken
  29303. properties:
  29304. apiVersion:
  29305. description: |-
  29306. APIVersion defines the versioned schema of this representation of an object.
  29307. Servers should convert recognized schemas to the latest internal value, and
  29308. may reject unrecognized values.
  29309. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29310. type: string
  29311. kind:
  29312. description: |-
  29313. Kind is a string value representing the REST resource this object represents.
  29314. Servers may infer this from the endpoint the client submits requests to.
  29315. Cannot be updated.
  29316. In CamelCase.
  29317. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29318. type: string
  29319. metadata:
  29320. type: object
  29321. spec:
  29322. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  29323. properties:
  29324. appID:
  29325. type: string
  29326. auth:
  29327. description: Auth configures how ESO authenticates with a Github instance.
  29328. properties:
  29329. privateKey:
  29330. description: GithubSecretRef references the Secret key holding the GitHub App private key. Together with appID and installID this key is sufficient to mint installation tokens, so restrict read access to the Secret.
  29331. properties:
  29332. secretRef:
  29333. description: |-
  29334. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29335. In some instances, `key` is a required field.
  29336. properties:
  29337. key:
  29338. description: |-
  29339. A key in the referenced Secret.
  29340. Some instances of this field may be defaulted, in others it may be required.
  29341. maxLength: 253
  29342. minLength: 1
  29343. pattern: ^[-._a-zA-Z0-9]+$
  29344. type: string
  29345. name:
  29346. description: The name of the Secret resource being referred to.
  29347. maxLength: 253
  29348. minLength: 1
  29349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29350. type: string
  29351. namespace:
  29352. description: |-
  29353. The namespace of the Secret resource being referred to.
  29354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29355. maxLength: 63
  29356. minLength: 1
  29357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29358. type: string
  29359. type: object
  29360. required:
  29361. - secretRef
  29362. type: object
  29363. required:
  29364. - privateKey
  29365. type: object
  29366. installID:
  29367. type: string
  29368. permissions:
  29369. additionalProperties:
  29370. type: string
  29371. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has; set this explicitly to scope the generated token to the least privilege the consumer needs.
  29372. type: object
  29373. repositories:
  29374. description: |-
  29375. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  29376. is installed to. List repositories explicitly to limit the blast radius of a leaked token.
  29377. items:
  29378. type: string
  29379. type: array
  29380. url:
  29381. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  29382. type: string
  29383. required:
  29384. - appID
  29385. - auth
  29386. - installID
  29387. type: object
  29388. type: object
  29389. served: true
  29390. storage: true
  29391. subresources:
  29392. status: {}
  29393. ---
  29394. apiVersion: apiextensions.k8s.io/v1
  29395. kind: CustomResourceDefinition
  29396. metadata:
  29397. annotations:
  29398. controller-gen.kubebuilder.io/version: v0.19.0
  29399. labels:
  29400. external-secrets.io/component: controller
  29401. name: grafanas.generators.external-secrets.io
  29402. spec:
  29403. group: generators.external-secrets.io
  29404. names:
  29405. categories:
  29406. - external-secrets
  29407. - external-secrets-generators
  29408. kind: Grafana
  29409. listKind: GrafanaList
  29410. plural: grafanas
  29411. singular: grafana
  29412. scope: Namespaced
  29413. versions:
  29414. - name: v1alpha1
  29415. schema:
  29416. openAPIV3Schema:
  29417. description: Grafana represents a generator for Grafana service account tokens.
  29418. properties:
  29419. apiVersion:
  29420. description: |-
  29421. APIVersion defines the versioned schema of this representation of an object.
  29422. Servers should convert recognized schemas to the latest internal value, and
  29423. may reject unrecognized values.
  29424. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29425. type: string
  29426. kind:
  29427. description: |-
  29428. Kind is a string value representing the REST resource this object represents.
  29429. Servers may infer this from the endpoint the client submits requests to.
  29430. Cannot be updated.
  29431. In CamelCase.
  29432. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29433. type: string
  29434. metadata:
  29435. type: object
  29436. spec:
  29437. description: GrafanaSpec controls the behavior of the grafana generator.
  29438. properties:
  29439. auth:
  29440. description: |-
  29441. Auth is the authentication configuration to authenticate
  29442. against the Grafana instance.
  29443. properties:
  29444. basic:
  29445. description: |-
  29446. Basic auth credentials used to authenticate against the Grafana instance.
  29447. Note: the user needs elevated permissions to create service accounts, so these credentials are at least as sensitive as the tokens they mint.
  29448. See here for the documentation on basic roles offered by Grafana:
  29449. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29450. properties:
  29451. password:
  29452. description: A basic auth password used to authenticate against the Grafana instance.
  29453. properties:
  29454. key:
  29455. description: The key in the referenced Secret where the password is found.
  29456. maxLength: 253
  29457. minLength: 1
  29458. pattern: ^[-._a-zA-Z0-9]+$
  29459. type: string
  29460. name:
  29461. description: The name of the Secret resource being referred to.
  29462. maxLength: 253
  29463. minLength: 1
  29464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29465. type: string
  29466. type: object
  29467. username:
  29468. description: A basic auth username used to authenticate against the Grafana instance.
  29469. type: string
  29470. required:
  29471. - password
  29472. - username
  29473. type: object
  29474. token:
  29475. description: |-
  29476. A service account token used to authenticate against the Grafana instance.
  29477. Note: you need a token which has elevated permissions to create service accounts.
  29478. See here for the documentation on basic roles offered by Grafana:
  29479. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29480. properties:
  29481. key:
  29482. description: The key in the referenced Secret where the service account token is found.
  29483. maxLength: 253
  29484. minLength: 1
  29485. pattern: ^[-._a-zA-Z0-9]+$
  29486. type: string
  29487. name:
  29488. description: The name of the Secret resource being referred to.
  29489. maxLength: 253
  29490. minLength: 1
  29491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29492. type: string
  29493. type: object
  29494. type: object
  29495. serviceAccount:
  29496. description: |-
  29497. ServiceAccount is the configuration for the service account that
  29498. is supposed to be generated by the generator.
  29499. properties:
  29500. name:
  29501. description: Name is the name of the service account that will be created by ESO.
  29502. type: string
  29503. role:
  29504. description: |-
  29505. Role is the Grafana role granted to the generated service account; choose the least privileged role the consumer needs.
  29506. See here for the documentation on basic roles offered by Grafana:
  29507. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29508. type: string
  29509. required:
  29510. - name
  29511. - role
  29512. type: object
  29513. url:
  29514. description: URL is the URL of the Grafana instance. The credentials in auth are sent to this endpoint, so it should be an https URL.
  29515. type: string
  29516. required:
  29517. - auth
  29518. - serviceAccount
  29519. - url
  29520. type: object
  29521. type: object
  29522. served: true
  29523. storage: true
  29524. subresources:
  29525. status: {}
  29526. ---
  29527. apiVersion: apiextensions.k8s.io/v1
  29528. kind: CustomResourceDefinition
  29529. metadata:
  29530. annotations:
  29531. controller-gen.kubebuilder.io/version: v0.19.0
  29532. labels:
  29533. external-secrets.io/component: controller
  29534. name: mfas.generators.external-secrets.io
  29535. spec:
  29536. group: generators.external-secrets.io
  29537. names:
  29538. categories:
  29539. - external-secrets
  29540. - external-secrets-generators
  29541. kind: MFA
  29542. listKind: MFAList
  29543. plural: mfas
  29544. singular: mfa
  29545. scope: Namespaced
  29546. versions:
  29547. - name: v1alpha1
  29548. schema:
  29549. openAPIV3Schema:
  29550. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29551. properties:
  29552. apiVersion:
  29553. description: |-
  29554. APIVersion defines the versioned schema of this representation of an object.
  29555. Servers should convert recognized schemas to the latest internal value, and
  29556. may reject unrecognized values.
  29557. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29558. type: string
  29559. kind:
  29560. description: |-
  29561. Kind is a string value representing the REST resource this object represents.
  29562. Servers may infer this from the endpoint the client submits requests to.
  29563. Cannot be updated.
  29564. In CamelCase.
  29565. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29566. type: string
  29567. metadata:
  29568. type: object
  29569. spec:
  29570. description: MFASpec controls the behavior of the mfa generator.
  29571. properties:
  29572. algorithm:
  29573. description: HMAC hash algorithm used to compute the TOTP value. Defaults to SHA1 as per RFC 6238. The schema does not constrain the value (no enum), so an invalid value is not rejected at admission time.
  29574. type: string
  29575. length:
  29576. description: Length defines the token length. Defaults to 6 characters.
  29577. type: integer
  29578. secret:
  29579. description: Secret selects the Secret (and key) holding the shared TOTP seed. The seed alone is sufficient to produce valid codes, so restrict read access to that Secret.
  29580. properties:
  29581. key:
  29582. description: |-
  29583. A key in the referenced Secret.
  29584. Some instances of this field may be defaulted, in others it may be required.
  29585. maxLength: 253
  29586. minLength: 1
  29587. pattern: ^[-._a-zA-Z0-9]+$
  29588. type: string
  29589. name:
  29590. description: The name of the Secret resource being referred to.
  29591. maxLength: 253
  29592. minLength: 1
  29593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29594. type: string
  29595. namespace:
  29596. description: |-
  29597. The namespace of the Secret resource being referred to.
  29598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29599. maxLength: 63
  29600. minLength: 1
  29601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29602. type: string
  29603. type: object
  29604. timePeriod:
  29605. description: TimePeriod is the TOTP time step in seconds, i.e. how long each generated code remains valid. Defaults to 30 seconds.
  29606. type: integer
  29607. when:
  29608. description: When pins the time from which the code is computed instead of using the current time; a code generated for a fixed time is only valid for that time window.
  29609. format: date-time
  29610. type: string
  29611. required:
  29612. - secret
  29613. type: object
  29614. type: object
  29615. served: true
  29616. storage: true
  29617. subresources:
  29618. status: {}
  29619. ---
  29620. apiVersion: apiextensions.k8s.io/v1
  29621. kind: CustomResourceDefinition
  29622. metadata:
  29623. annotations:
  29624. controller-gen.kubebuilder.io/version: v0.19.0
  29625. labels:
  29626. external-secrets.io/component: controller
  29627. name: passwords.generators.external-secrets.io
  29628. spec:
  29629. group: generators.external-secrets.io
  29630. names:
  29631. categories:
  29632. - external-secrets
  29633. - external-secrets-generators
  29634. kind: Password
  29635. listKind: PasswordList
  29636. plural: passwords
  29637. singular: password
  29638. scope: Namespaced
  29639. versions:
  29640. - name: v1alpha1
  29641. schema:
  29642. openAPIV3Schema:
  29643. description: |-
  29644. Password generates a random password based on the
  29645. configuration parameters in spec.
  29646. You can specify the length, characterset and other attributes.
  29647. properties:
  29648. apiVersion:
  29649. description: |-
  29650. APIVersion defines the versioned schema of this representation of an object.
  29651. Servers should convert recognized schemas to the latest internal value, and
  29652. may reject unrecognized values.
  29653. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29654. type: string
  29655. kind:
  29656. description: |-
  29657. Kind is a string value representing the REST resource this object represents.
  29658. Servers may infer this from the endpoint the client submits requests to.
  29659. Cannot be updated.
  29660. In CamelCase.
  29661. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29662. type: string
  29663. metadata:
  29664. type: object
  29665. spec:
  29666. description: PasswordSpec controls the behavior of the password generator.
  29667. properties:
  29668. allowRepeat:
  29669. default: false
  29670. description: Set AllowRepeat to true to allow repeating characters. With repeats disallowed (the default) the password cannot be longer than the number of distinct characters available, and the number of possible passwords is smaller.
  29671. type: boolean
  29672. digits:
  29673. description: |-
  29674. Digits specifies the number of digits in the generated
  29675. password. If omitted it defaults to 25% of the length of the password
  29676. type: integer
  29677. encoding:
  29678. default: raw
  29679. description: |-
  29680. Encoding specifies the encoding of the generated password.
  29681. Valid values are:
  29682. - "raw" (default): no encoding
  29683. - "base64": standard base64 encoding
  29684. - "base64url": base64url encoding
  29685. - "base32": base32 encoding
  29686. - "hex": hexadecimal encoding
  29687. enum:
  29688. - base64
  29689. - base64url
  29690. - base32
  29691. - hex
  29692. - raw
  29693. type: string
  29694. length:
  29695. default: 24
  29696. description: |-
  29697. Length of the password to be generated.
  29698. Defaults to 24
  29699. type: integer
  29700. noUpper:
  29701. default: false
  29702. description: Set NoUpper to disable uppercase characters
  29703. type: boolean
  29704. secretKeys:
  29705. description: |-
  29706. SecretKeys defines the keys that will be populated with generated passwords.
  29707. Defaults to "password" when not set.
  29708. items:
  29709. type: string
  29710. minItems: 1
  29711. type: array
  29712. symbolCharacters:
  29713. description: |-
  29714. SymbolCharacters specifies the special characters that should be used
  29715. in the generated password.
  29716. type: string
  29717. symbols:
  29718. description: |-
  29719. Symbols specifies the number of symbol characters in the generated
  29720. password. If omitted it defaults to 25% of the length of the password
  29721. type: integer
  29722. required:
  29723. - allowRepeat
  29724. - length
  29725. - noUpper
  29726. type: object
  29727. type: object
  29728. served: true
  29729. storage: true
  29730. subresources:
  29731. status: {}
  29732. ---
  29733. apiVersion: apiextensions.k8s.io/v1
  29734. kind: CustomResourceDefinition
  29735. metadata:
  29736. annotations:
  29737. controller-gen.kubebuilder.io/version: v0.19.0
  29738. labels:
  29739. external-secrets.io/component: controller
  29740. name: quayaccesstokens.generators.external-secrets.io
  29741. spec:
  29742. group: generators.external-secrets.io
  29743. names:
  29744. categories:
  29745. - external-secrets
  29746. - external-secrets-generators
  29747. kind: QuayAccessToken
  29748. listKind: QuayAccessTokenList
  29749. plural: quayaccesstokens
  29750. singular: quayaccesstoken
  29751. scope: Namespaced
  29752. versions:
  29753. - name: v1alpha1
  29754. schema:
  29755. openAPIV3Schema:
  29756. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  29757. properties:
  29758. apiVersion:
  29759. description: |-
  29760. APIVersion defines the versioned schema of this representation of an object.
  29761. Servers should convert recognized schemas to the latest internal value, and
  29762. may reject unrecognized values.
  29763. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29764. type: string
  29765. kind:
  29766. description: |-
  29767. Kind is a string value representing the REST resource this object represents.
  29768. Servers may infer this from the endpoint the client submits requests to.
  29769. Cannot be updated.
  29770. In CamelCase.
  29771. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29772. type: string
  29773. metadata:
  29774. type: object
  29775. spec:
  29776. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  29777. properties:
  29778. robotAccount:
  29779. description: Name of the robot account you are federating with
  29780. type: string
  29781. serviceAccountRef:
  29783. description: Reference to the Kubernetes ServiceAccount whose token is presented to Quay for the federated robot account.
  29783. properties:
  29784. audiences:
  29785. description: |-
  29786. Audience specifies the `aud` claim for the service account token
  29787. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29788. then this audiences will be appended to the list
  29789. items:
  29790. type: string
  29791. type: array
  29792. name:
  29793. description: The name of the ServiceAccount resource being referred to.
  29794. maxLength: 253
  29795. minLength: 1
  29796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29797. type: string
  29798. namespace:
  29799. description: |-
  29800. Namespace of the resource being referred to.
  29801. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29802. maxLength: 63
  29803. minLength: 1
  29804. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29805. type: string
  29806. required:
  29807. - name
  29808. type: object
  29809. url:
  29810. description: URL configures the Quay instance URL. Defaults to quay.io.
  29811. type: string
  29812. required:
  29813. - robotAccount
  29814. - serviceAccountRef
  29815. type: object
  29816. type: object
  29817. served: true
  29818. storage: true
  29819. subresources:
  29820. status: {}
  29821. ---
  29822. apiVersion: apiextensions.k8s.io/v1
  29823. kind: CustomResourceDefinition
  29824. metadata:
  29825. annotations:
  29826. controller-gen.kubebuilder.io/version: v0.19.0
  29827. labels:
  29828. external-secrets.io/component: controller
  29829. name: sshkeys.generators.external-secrets.io
  29830. spec:
  29831. group: generators.external-secrets.io
  29832. names:
  29833. categories:
  29834. - external-secrets
  29835. - external-secrets-generators
  29836. kind: SSHKey
  29837. listKind: SSHKeyList
  29838. plural: sshkeys
  29839. singular: sshkey
  29840. scope: Namespaced
  29841. versions:
  29842. - name: v1alpha1
  29843. schema:
  29844. openAPIV3Schema:
  29845. description: SSHKey generates SSH key pairs.
  29846. properties:
  29847. apiVersion:
  29848. description: |-
  29849. APIVersion defines the versioned schema of this representation of an object.
  29850. Servers should convert recognized schemas to the latest internal value, and
  29851. may reject unrecognized values.
  29852. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29853. type: string
  29854. kind:
  29855. description: |-
  29856. Kind is a string value representing the REST resource this object represents.
  29857. Servers may infer this from the endpoint the client submits requests to.
  29858. Cannot be updated.
  29859. In CamelCase.
  29860. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29861. type: string
  29862. metadata:
  29863. type: object
  29864. spec:
  29865. description: SSHKeySpec controls the behavior of the ssh key generator.
  29866. properties:
  29867. comment:
  29868. description: Comment specifies an optional comment for the SSH key
  29869. type: string
  29870. keySize:
  29872. description: |-
  29873. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  29874. For RSA keys: 2048, 3072, 4096
  29875. For ECDSA keys: 256, 384, 521
  29876. Ignored for ed25519 keys. The schema enforces only the 256-8192 range, so a value outside the listed sizes is not rejected at admission time.
  29876. maximum: 8192
  29877. minimum: 256
  29878. type: integer
  29879. keyType:
  29880. default: rsa
  29881. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  29882. enum:
  29883. - rsa
  29884. - ecdsa
  29885. - ed25519
  29886. type: string
  29887. type: object
  29888. type: object
  29889. served: true
  29890. storage: true
  29891. subresources:
  29892. status: {}
  29893. ---
  29894. apiVersion: apiextensions.k8s.io/v1
  29895. kind: CustomResourceDefinition
  29896. metadata:
  29897. annotations:
  29898. controller-gen.kubebuilder.io/version: v0.19.0
  29899. labels:
  29900. external-secrets.io/component: controller
  29901. name: stssessiontokens.generators.external-secrets.io
  29902. spec:
  29903. group: generators.external-secrets.io
  29904. names:
  29905. categories:
  29906. - external-secrets
  29907. - external-secrets-generators
  29908. kind: STSSessionToken
  29909. listKind: STSSessionTokenList
  29910. plural: stssessiontokens
  29911. singular: stssessiontoken
  29912. scope: Namespaced
  29913. versions:
  29914. - name: v1alpha1
  29915. schema:
  29916. openAPIV3Schema:
  29917. description: |-
  29918. STSSessionToken uses the GetSessionToken API to retrieve temporary AWS credentials.
  29919. The credentials are valid for 12 hours by default; requestParameters.sessionDuration can be set to request a different duration.
  29920. The authorizationToken returned is a base64 encoded string that can be decoded.
  29921. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  29922. properties:
  29923. apiVersion:
  29924. description: |-
  29925. APIVersion defines the versioned schema of this representation of an object.
  29926. Servers should convert recognized schemas to the latest internal value, and
  29927. may reject unrecognized values.
  29928. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29929. type: string
  29930. kind:
  29931. description: |-
  29932. Kind is a string value representing the REST resource this object represents.
  29933. Servers may infer this from the endpoint the client submits requests to.
  29934. Cannot be updated.
  29935. In CamelCase.
  29936. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29937. type: string
  29938. metadata:
  29939. type: object
  29940. spec:
  29941. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  29942. properties:
  29943. auth:
  29944. description: Auth defines how to authenticate with AWS
  29945. properties:
  29946. jwt:
  29947. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  29948. properties:
  29949. serviceAccountRef:
  29950. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29951. properties:
  29952. audiences:
  29953. description: |-
  29954. Audience specifies the `aud` claim for the service account token
  29955. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29956. then this audiences will be appended to the list
  29957. items:
  29958. type: string
  29959. type: array
  29960. name:
  29961. description: The name of the ServiceAccount resource being referred to.
  29962. maxLength: 253
  29963. minLength: 1
  29964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29965. type: string
  29966. namespace:
  29967. description: |-
  29968. Namespace of the resource being referred to.
  29969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29970. maxLength: 63
  29971. minLength: 1
  29972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29973. type: string
  29974. required:
  29975. - name
  29976. type: object
  29977. type: object
  29978. secretRef:
  29979. description: |-
  29980. AWSAuthSecretRef holds secret references for AWS credentials
  29981. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  29982. properties:
  29983. accessKeyIDSecretRef:
  29984. description: The AccessKeyID is used for authentication
  29985. properties:
  29986. key:
  29987. description: |-
  29988. A key in the referenced Secret.
  29989. Some instances of this field may be defaulted, in others it may be required.
  29990. maxLength: 253
  29991. minLength: 1
  29992. pattern: ^[-._a-zA-Z0-9]+$
  29993. type: string
  29994. name:
  29995. description: The name of the Secret resource being referred to.
  29996. maxLength: 253
  29997. minLength: 1
  29998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29999. type: string
  30000. namespace:
  30001. description: |-
  30002. The namespace of the Secret resource being referred to.
  30003. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30004. maxLength: 63
  30005. minLength: 1
  30006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30007. type: string
  30008. type: object
  30009. secretAccessKeySecretRef:
  30010. description: The SecretAccessKey is used for authentication
  30011. properties:
  30012. key:
  30013. description: |-
  30014. A key in the referenced Secret.
  30015. Some instances of this field may be defaulted, in others it may be required.
  30016. maxLength: 253
  30017. minLength: 1
  30018. pattern: ^[-._a-zA-Z0-9]+$
  30019. type: string
  30020. name:
  30021. description: The name of the Secret resource being referred to.
  30022. maxLength: 253
  30023. minLength: 1
  30024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30025. type: string
  30026. namespace:
  30027. description: |-
  30028. The namespace of the Secret resource being referred to.
  30029. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30030. maxLength: 63
  30031. minLength: 1
  30032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30033. type: string
  30034. type: object
  30035. sessionTokenSecretRef:
  30036. description: |-
  30037. The SessionToken used for authentication
  30038. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30039. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30040. properties:
  30041. key:
  30042. description: |-
  30043. A key in the referenced Secret.
  30044. Some instances of this field may be defaulted, in others it may be required.
  30045. maxLength: 253
  30046. minLength: 1
  30047. pattern: ^[-._a-zA-Z0-9]+$
  30048. type: string
  30049. name:
  30050. description: The name of the Secret resource being referred to.
  30051. maxLength: 253
  30052. minLength: 1
  30053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30054. type: string
  30055. namespace:
  30056. description: |-
  30057. The namespace of the Secret resource being referred to.
  30058. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30059. maxLength: 63
  30060. minLength: 1
  30061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30062. type: string
  30063. type: object
  30064. type: object
  30065. type: object
  30066. region:
  30067. description: Region specifies the region to operate in.
  30068. type: string
  30069. requestParameters:
  30070. description: RequestParameters contains parameters that can be passed to the STS service.
  30071. properties:
  30072. serialNumber:
  30073. description: |-
  30074. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  30075. the GetSessionToken call.
  30076. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  30077. (such as arn:aws:iam::123456789012:mfa/user)
  30078. type: string
  30079. sessionDuration:
  30080. format: int32
  30081. type: integer
  30082. tokenCode:
  30083. description: TokenCode is the value provided by the MFA device, if MFA is required. Note that this is a plain string in the resource spec rather than a Secret reference, so it is visible to anyone who can read the resource; MFA codes are also time-limited, so a fixed value stored here goes stale.
  30084. type: string
  30085. type: object
  30086. role:
  30087. description: |-
  30088. Optional role to assume (using the credentials obtained via auth) before making calls to the
  30089. desired AWS service.
  30090. type: string
  30091. required:
  30092. - region
  30093. type: object
  30094. type: object
  30095. served: true
  30096. storage: true
  30097. subresources:
  30098. status: {}
  30099. ---
  30100. apiVersion: apiextensions.k8s.io/v1
  30101. kind: CustomResourceDefinition
  30102. metadata:
  30103. annotations:
  30104. controller-gen.kubebuilder.io/version: v0.19.0
  30105. labels:
  30106. external-secrets.io/component: controller
  30107. name: uuids.generators.external-secrets.io
  30108. spec:
  30109. group: generators.external-secrets.io
  30110. names:
  30111. categories:
  30112. - external-secrets
  30113. - external-secrets-generators
  30114. kind: UUID
  30115. listKind: UUIDList
  30116. plural: uuids
  30117. singular: uuid
  30118. scope: Namespaced
  30119. versions:
  30120. - name: v1alpha1
  30121. schema:
  30122. openAPIV3Schema:
  30123. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216). Version 1 UUIDs embed a timestamp and node identifier and are not guaranteed to be unpredictable, so treat them as unique identifiers rather than secrets; use the Password generator for unguessable values.
  30124. properties:
  30125. apiVersion:
  30126. description: |-
  30127. APIVersion defines the versioned schema of this representation of an object.
  30128. Servers should convert recognized schemas to the latest internal value, and
  30129. may reject unrecognized values.
  30130. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30131. type: string
  30132. kind:
  30133. description: |-
  30134. Kind is a string value representing the REST resource this object represents.
  30135. Servers may infer this from the endpoint the client submits requests to.
  30136. Cannot be updated.
  30137. In CamelCase.
  30138. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30139. type: string
  30140. metadata:
  30141. type: object
  30142. spec:
  30143. description: UUIDSpec controls the behavior of the uuid generator.
  30144. type: object
  30145. type: object
  30146. served: true
  30147. storage: true
  30148. subresources:
  30149. status: {}
  30150. ---
  30151. apiVersion: apiextensions.k8s.io/v1
  30152. kind: CustomResourceDefinition
  30153. metadata:
  30154. annotations:
  30155. controller-gen.kubebuilder.io/version: v0.19.0
  30156. labels:
  30157. external-secrets.io/component: controller
  30158. name: vaultdynamicsecrets.generators.external-secrets.io
  30159. spec:
  30160. group: generators.external-secrets.io
  30161. names:
  30162. categories:
  30163. - external-secrets
  30164. - external-secrets-generators
  30165. kind: VaultDynamicSecret
  30166. listKind: VaultDynamicSecretList
  30167. plural: vaultdynamicsecrets
  30168. singular: vaultdynamicsecret
  30169. scope: Namespaced
  30170. versions:
  30171. - name: v1alpha1
  30172. schema:
  30173. openAPIV3Schema:
  30174. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  30175. properties:
  30176. apiVersion:
  30177. description: |-
  30178. APIVersion defines the versioned schema of this representation of an object.
  30179. Servers should convert recognized schemas to the latest internal value, and
  30180. may reject unrecognized values.
  30181. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30182. type: string
  30183. kind:
  30184. description: |-
  30185. Kind is a string value representing the REST resource this object represents.
  30186. Servers may infer this from the endpoint the client submits requests to.
  30187. Cannot be updated.
  30188. In CamelCase.
  30189. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30190. type: string
  30191. metadata:
  30192. type: object
  30193. spec:
  30194. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  30195. properties:
  30196. allowEmptyResponse:
  30197. default: false
  30198. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  30199. type: boolean
  30200. controller:
  30201. description: |-
  30202. Used to select the correct ESO controller (think: ingress.ingressClassName)
  30203. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  30204. type: string
  30205. getParameters:
  30206. additionalProperties:
  30207. items:
  30208. type: string
  30209. type: array
  30210. description: |-
  30211. GetParameters are query-string parameters passed to Vault on GET calls.
  30212. Each key may map to multiple values, matching HTTP query-string semantics.
  30213. Ignored for non-GET methods; use Parameters for write bodies.
  30214. type: object
  30215. method:
  30216. description: Vault API method to use (GET/POST/other)
  30217. type: string
  30218. parameters:
  30219. description: Parameters sent in the request body for Vault write calls (non-GET methods). Arbitrary fields are accepted and are not schema-validated.
  30220. x-kubernetes-preserve-unknown-fields: true
  30221. path:
  30222. description: Vault path to obtain the dynamic secret from
  30223. type: string
  30224. provider:
  30225. description: Vault provider common spec
  30226. properties:
  30227. auth:
  30228. description: Auth configures how secret-manager authenticates with the Vault server.
  30229. properties:
  30230. appRole:
  30231. description: |-
  30232. AppRole authenticates with Vault using the App Role auth mechanism,
  30233. with the role and secret stored in a Kubernetes Secret resource.
  30234. properties:
  30235. path:
  30236. default: approle
  30237. description: |-
  30238. Path where the App Role authentication backend is mounted
  30239. in Vault, e.g: "approle"
  30240. type: string
  30241. roleId:
  30242. description: |-
  30243. RoleID configured in the App Role authentication backend when setting
  30244. up the authentication backend in Vault.
  30245. type: string
  30246. roleRef:
  30247. description: |-
  30248. Reference to a key in a Secret that contains the App Role ID used
  30249. to authenticate with Vault.
  30250. The `key` field must be specified and denotes which entry within the Secret
  30251. resource is used as the app role id.
  30252. properties:
  30253. key:
  30254. description: |-
  30255. A key in the referenced Secret.
  30256. Some instances of this field may be defaulted, in others it may be required.
  30257. maxLength: 253
  30258. minLength: 1
  30259. pattern: ^[-._a-zA-Z0-9]+$
  30260. type: string
  30261. name:
  30262. description: The name of the Secret resource being referred to.
  30263. maxLength: 253
  30264. minLength: 1
  30265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30266. type: string
  30267. namespace:
  30268. description: |-
  30269. The namespace of the Secret resource being referred to.
  30270. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30271. maxLength: 63
  30272. minLength: 1
  30273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30274. type: string
  30275. type: object
  30276. secretRef:
  30277. description: |-
  30278. Reference to a key in a Secret that contains the App Role secret used
  30279. to authenticate with Vault.
  30280. The `key` field must be specified and denotes which entry within the Secret
  30281. resource is used as the app role secret.
  30282. properties:
  30283. key:
  30284. description: |-
  30285. A key in the referenced Secret.
  30286. Some instances of this field may be defaulted, in others it may be required.
  30287. maxLength: 253
  30288. minLength: 1
  30289. pattern: ^[-._a-zA-Z0-9]+$
  30290. type: string
  30291. name:
  30292. description: The name of the Secret resource being referred to.
  30293. maxLength: 253
  30294. minLength: 1
  30295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30296. type: string
  30297. namespace:
  30298. description: |-
  30299. The namespace of the Secret resource being referred to.
  30300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30301. maxLength: 63
  30302. minLength: 1
  30303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30304. type: string
  30305. type: object
  30306. required:
  30307. - path
  30308. - secretRef
  30309. type: object
  30310. cert:
  30311. description: |-
  30312. Cert authenticates with Vault using the TLS certificate (cert) auth method,
  30313. by presenting a client certificate, private key and CA certificate.
  30314. properties:
  30315. clientCert:
  30316. description: |-
  30317. ClientCert is a certificate to authenticate using the Cert Vault
  30318. authentication method
  30319. properties:
  30320. key:
  30321. description: |-
  30322. A key in the referenced Secret.
  30323. Some instances of this field may be defaulted, in others it may be required.
  30324. maxLength: 253
  30325. minLength: 1
  30326. pattern: ^[-._a-zA-Z0-9]+$
  30327. type: string
  30328. name:
  30329. description: The name of the Secret resource being referred to.
  30330. maxLength: 253
  30331. minLength: 1
  30332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30333. type: string
  30334. namespace:
  30335. description: |-
  30336. The namespace of the Secret resource being referred to.
  30337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30338. maxLength: 63
  30339. minLength: 1
  30340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30341. type: string
  30342. type: object
  30343. path:
  30344. default: cert
  30345. description: |-
  30346. Path where the Certificate authentication backend is mounted
  30347. in Vault, e.g: "cert"
  30348. type: string
  30349. secretRef:
  30350. description: |-
  30351. SecretRef to a key in a Secret resource containing client private key to
  30352. authenticate with Vault using the Cert authentication method
  30353. properties:
  30354. key:
  30355. description: |-
  30356. A key in the referenced Secret.
  30357. Some instances of this field may be defaulted, in others it may be required.
  30358. maxLength: 253
  30359. minLength: 1
  30360. pattern: ^[-._a-zA-Z0-9]+$
  30361. type: string
  30362. name:
  30363. description: The name of the Secret resource being referred to.
  30364. maxLength: 253
  30365. minLength: 1
  30366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30367. type: string
  30368. namespace:
  30369. description: |-
  30370. The namespace of the Secret resource being referred to.
  30371. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30372. maxLength: 63
  30373. minLength: 1
  30374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30375. type: string
  30376. type: object
  30377. vaultRole:
  30378. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  30379. type: string
  30380. type: object
  30381. gcp:
  30382. description: |-
  30383. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  30384. authentication method.
  30385. properties:
  30386. location:
  30387. description: Location optionally defines a location/region for the secret
  30388. type: string
  30389. path:
  30390. default: gcp
  30391. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  30392. type: string
  30393. projectID:
  30394. description: Project ID of the Google Cloud Platform project
  30395. type: string
  30396. role:
  30397. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30398. type: string
  30399. secretRef:
  30400. description: Specify credentials in a Secret object
  30401. properties:
  30402. secretAccessKeySecretRef:
  30403. description: The SecretAccessKey is used for authentication
  30404. properties:
  30405. key:
  30406. description: |-
  30407. A key in the referenced Secret.
  30408. Some instances of this field may be defaulted, in others it may be required.
  30409. maxLength: 253
  30410. minLength: 1
  30411. pattern: ^[-._a-zA-Z0-9]+$
  30412. type: string
  30413. name:
  30414. description: The name of the Secret resource being referred to.
  30415. maxLength: 253
  30416. minLength: 1
  30417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30418. type: string
  30419. namespace:
  30420. description: |-
  30421. The namespace of the Secret resource being referred to.
  30422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30423. maxLength: 63
  30424. minLength: 1
  30425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30426. type: string
  30427. type: object
  30428. type: object
  30429. serviceAccountRef:
  30430. description: ServiceAccountRef to a service account for impersonation
  30431. properties:
  30432. audiences:
  30433. description: |-
  30434. Audience specifies the `aud` claim for the service account token
  30435. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30436. then these audiences will be appended to the list
  30437. items:
  30438. type: string
  30439. type: array
  30440. name:
  30441. description: The name of the ServiceAccount resource being referred to.
  30442. maxLength: 253
  30443. minLength: 1
  30444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30445. type: string
  30446. namespace:
  30447. description: |-
  30448. Namespace of the resource being referred to.
  30449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30450. maxLength: 63
  30451. minLength: 1
  30452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30453. type: string
  30454. required:
  30455. - name
  30456. type: object
  30457. workloadIdentity:
  30458. description: Specify a service account with Workload Identity
  30459. properties:
  30460. clusterLocation:
  30461. description: |-
  30462. ClusterLocation is the location of the cluster
  30463. If not specified, it fetches information from the metadata server
  30464. type: string
  30465. clusterName:
  30466. description: |-
  30467. ClusterName is the name of the cluster
  30468. If not specified, it fetches information from the metadata server
  30469. type: string
  30470. clusterProjectID:
  30471. description: |-
  30472. ClusterProjectID is the project ID of the cluster
  30473. If not specified, it fetches information from the metadata server
  30474. type: string
  30475. serviceAccountRef:
  30476. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30477. properties:
  30478. audiences:
  30479. description: |-
  30480. Audience specifies the `aud` claim for the service account token
  30481. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30482. then these audiences will be appended to the list
  30483. items:
  30484. type: string
  30485. type: array
  30486. name:
  30487. description: The name of the ServiceAccount resource being referred to.
  30488. maxLength: 253
  30489. minLength: 1
  30490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30491. type: string
  30492. namespace:
  30493. description: |-
  30494. Namespace of the resource being referred to.
  30495. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30496. maxLength: 63
  30497. minLength: 1
  30498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30499. type: string
  30500. required:
  30501. - name
  30502. type: object
  30503. required:
  30504. - serviceAccountRef
  30505. type: object
  30506. required:
  30507. - role
  30508. type: object
  30509. iam:
  30510. description: |-
  30511. Iam authenticates with Vault by sending a specially crafted AWS request signed
  30512. with AWS IAM credentials (the AWS IAM authentication method).
  30513. properties:
  30514. externalID:
  30515. description: AWS External ID set on assumed IAM roles
  30516. type: string
  30517. jwt:
  30518. description: Specify a service account with IRSA enabled
  30519. properties:
  30520. serviceAccountRef:
  30521. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30522. properties:
  30523. audiences:
  30524. description: |-
  30525. Audience specifies the `aud` claim for the service account token
  30526. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30527. then these audiences will be appended to the list
  30528. items:
  30529. type: string
  30530. type: array
  30531. name:
  30532. description: The name of the ServiceAccount resource being referred to.
  30533. maxLength: 253
  30534. minLength: 1
  30535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30536. type: string
  30537. namespace:
  30538. description: |-
  30539. Namespace of the resource being referred to.
  30540. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30541. maxLength: 63
  30542. minLength: 1
  30543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30544. type: string
  30545. required:
  30546. - name
  30547. type: object
  30548. type: object
  30549. path:
  30550. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30551. type: string
  30552. region:
  30553. description: AWS region
  30554. type: string
  30555. role:
  30556. description: This is the AWS role to be assumed before talking to vault
  30557. type: string
  30558. secretRef:
  30559. description: Specify credentials in a Secret object
  30560. properties:
  30561. accessKeyIDSecretRef:
  30562. description: The AccessKeyID is used for authentication
  30563. properties:
  30564. key:
  30565. description: |-
  30566. A key in the referenced Secret.
  30567. Some instances of this field may be defaulted, in others it may be required.
  30568. maxLength: 253
  30569. minLength: 1
  30570. pattern: ^[-._a-zA-Z0-9]+$
  30571. type: string
  30572. name:
  30573. description: The name of the Secret resource being referred to.
  30574. maxLength: 253
  30575. minLength: 1
  30576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30577. type: string
  30578. namespace:
  30579. description: |-
  30580. The namespace of the Secret resource being referred to.
  30581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30582. maxLength: 63
  30583. minLength: 1
  30584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30585. type: string
  30586. type: object
  30587. secretAccessKeySecretRef:
  30588. description: The SecretAccessKey is used for authentication
  30589. properties:
  30590. key:
  30591. description: |-
  30592. A key in the referenced Secret.
  30593. Some instances of this field may be defaulted, in others it may be required.
  30594. maxLength: 253
  30595. minLength: 1
  30596. pattern: ^[-._a-zA-Z0-9]+$
  30597. type: string
  30598. name:
  30599. description: The name of the Secret resource being referred to.
  30600. maxLength: 253
  30601. minLength: 1
  30602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30603. type: string
  30604. namespace:
  30605. description: |-
  30606. The namespace of the Secret resource being referred to.
  30607. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30608. maxLength: 63
  30609. minLength: 1
  30610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30611. type: string
  30612. type: object
  30613. sessionTokenSecretRef:
  30614. description: |-
  30615. The SessionToken used for authentication
  30616. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30617. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30618. properties:
  30619. key:
  30620. description: |-
  30621. A key in the referenced Secret.
  30622. Some instances of this field may be defaulted, in others it may be required.
  30623. maxLength: 253
  30624. minLength: 1
  30625. pattern: ^[-._a-zA-Z0-9]+$
  30626. type: string
  30627. name:
  30628. description: The name of the Secret resource being referred to.
  30629. maxLength: 253
  30630. minLength: 1
  30631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30632. type: string
  30633. namespace:
  30634. description: |-
  30635. The namespace of the Secret resource being referred to.
  30636. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30637. maxLength: 63
  30638. minLength: 1
  30639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30640. type: string
  30641. type: object
  30642. type: object
  30643. vaultAwsIamServerID:
  30644. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30645. type: string
  30646. vaultRole:
  30647. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30648. type: string
  30649. required:
  30650. - vaultRole
  30651. type: object
  30652. jwt:
  30653. description: |-
  30654. Jwt authenticates with Vault by passing role and JWT token using the
  30655. JWT/OIDC authentication method
  30656. properties:
  30657. kubernetesServiceAccountToken:
  30658. description: |-
  30659. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30660. a token with the `TokenRequest` API.
  30661. properties:
  30662. audiences:
  30663. description: |-
  30664. Optional audiences field that will be used to request a temporary Kubernetes service
  30665. account token for the service account referenced by `serviceAccountRef`.
  30666. Defaults to a single audience `vault` it not specified.
  30667. Deprecated: use serviceAccountRef.Audiences instead
  30668. items:
  30669. type: string
  30670. type: array
  30671. expirationSeconds:
  30672. description: |-
  30673. Optional expiration time in seconds that will be used to request a temporary
  30674. Kubernetes service account token for the service account referenced by
  30675. `serviceAccountRef`.
  30676. Deprecated: this will be removed in the future.
  30677. Defaults to 10 minutes.
  30678. format: int64
  30679. type: integer
  30680. serviceAccountRef:
  30681. description: Service account field containing the name of a kubernetes ServiceAccount.
  30682. properties:
  30683. audiences:
  30684. description: |-
  30685. Audience specifies the `aud` claim for the service account token
  30686. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30687. then these audiences will be appended to the list
  30688. items:
  30689. type: string
  30690. type: array
  30691. name:
  30692. description: The name of the ServiceAccount resource being referred to.
  30693. maxLength: 253
  30694. minLength: 1
  30695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30696. type: string
  30697. namespace:
  30698. description: |-
  30699. Namespace of the resource being referred to.
  30700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30701. maxLength: 63
  30702. minLength: 1
  30703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30704. type: string
  30705. required:
  30706. - name
  30707. type: object
  30708. required:
  30709. - serviceAccountRef
  30710. type: object
  30711. path:
  30712. default: jwt
  30713. description: |-
  30714. Path where the JWT authentication backend is mounted
  30715. in Vault, e.g: "jwt"
  30716. type: string
  30717. role:
  30718. description: |-
  30719. Role is a JWT role to authenticate using the JWT/OIDC Vault
  30720. authentication method
  30721. type: string
  30722. secretRef:
  30723. description: |-
  30724. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  30725. authenticate with Vault using the JWT/OIDC authentication method.
  30726. properties:
  30727. key:
  30728. description: |-
  30729. A key in the referenced Secret.
  30730. Some instances of this field may be defaulted, in others it may be required.
  30731. maxLength: 253
  30732. minLength: 1
  30733. pattern: ^[-._a-zA-Z0-9]+$
  30734. type: string
  30735. name:
  30736. description: The name of the Secret resource being referred to.
  30737. maxLength: 253
  30738. minLength: 1
  30739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30740. type: string
  30741. namespace:
  30742. description: |-
  30743. The namespace of the Secret resource being referred to.
  30744. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30745. maxLength: 63
  30746. minLength: 1
  30747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30748. type: string
  30749. type: object
  30750. required:
  30751. - path
  30752. type: object
  30753. kubernetes:
  30754. description: |-
  30755. Kubernetes authenticates with Vault by passing the ServiceAccount
  30756. token stored in the named Secret resource to the Vault server.
  30757. properties:
  30758. mountPath:
  30759. default: kubernetes
  30760. description: |-
  30761. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  30762. "kubernetes"
  30763. type: string
  30764. role:
  30765. description: |-
  30766. A required field containing the Vault Role to assume. A Role binds a
  30767. Kubernetes ServiceAccount with a set of Vault policies.
  30768. type: string
  30769. secretRef:
  30770. description: |-
  30771. Optional secret field containing a Kubernetes ServiceAccount JWT used
  30772. for authenticating with Vault. If a name is specified without a key,
  30773. `token` is the default. If neither this nor serviceAccountRef is specified, the
  30774. token bound to the controller's own ServiceAccount is used to authenticate.
  30775. properties:
  30776. key:
  30777. description: |-
  30778. A key in the referenced Secret.
  30779. Some instances of this field may be defaulted, in others it may be required.
  30780. maxLength: 253
  30781. minLength: 1
  30782. pattern: ^[-._a-zA-Z0-9]+$
  30783. type: string
  30784. name:
  30785. description: The name of the Secret resource being referred to.
  30786. maxLength: 253
  30787. minLength: 1
  30788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30789. type: string
  30790. namespace:
  30791. description: |-
  30792. The namespace of the Secret resource being referred to.
  30793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30794. maxLength: 63
  30795. minLength: 1
  30796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30797. type: string
  30798. type: object
  30799. serviceAccountRef:
  30800. description: |-
  30801. Optional service account field containing the name of a kubernetes ServiceAccount.
  30802. If the service account is specified, the service account secret token JWT will be used
  30803. for authenticating with Vault. If the service account selector is not supplied,
  30804. the secretRef will be used instead.
  30805. properties:
  30806. audiences:
  30807. description: |-
  30808. Audience specifies the `aud` claim for the service account token
  30809. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30810. then these audiences will be appended to the list
  30811. items:
  30812. type: string
  30813. type: array
  30814. name:
  30815. description: The name of the ServiceAccount resource being referred to.
  30816. maxLength: 253
  30817. minLength: 1
  30818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30819. type: string
  30820. namespace:
  30821. description: |-
  30822. Namespace of the resource being referred to.
  30823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30824. maxLength: 63
  30825. minLength: 1
  30826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30827. type: string
  30828. required:
  30829. - name
  30830. type: object
  30831. required:
  30832. - mountPath
  30833. - role
  30834. type: object
  30835. ldap:
  30836. description: |-
  30837. Ldap authenticates with Vault by passing username/password pair using
  30838. the LDAP authentication method
  30839. properties:
  30840. path:
  30841. default: ldap
  30842. description: |-
  30843. Path where the LDAP authentication backend is mounted
  30844. in Vault, e.g: "ldap"
  30845. type: string
  30846. secretRef:
  30847. description: |-
  30848. SecretRef to a key in a Secret resource containing password for the LDAP
  30849. user used to authenticate with Vault using the LDAP authentication
  30850. method
  30851. properties:
  30852. key:
  30853. description: |-
  30854. A key in the referenced Secret.
  30855. Some instances of this field may be defaulted, in others it may be required.
  30856. maxLength: 253
  30857. minLength: 1
  30858. pattern: ^[-._a-zA-Z0-9]+$
  30859. type: string
  30860. name:
  30861. description: The name of the Secret resource being referred to.
  30862. maxLength: 253
  30863. minLength: 1
  30864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30865. type: string
  30866. namespace:
  30867. description: |-
  30868. The namespace of the Secret resource being referred to.
  30869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30870. maxLength: 63
  30871. minLength: 1
  30872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30873. type: string
  30874. type: object
  30875. username:
  30876. description: |-
  30877. Username is an LDAP username used to authenticate using the LDAP Vault
  30878. authentication method
  30879. type: string
  30880. required:
  30881. - path
  30882. - username
  30883. type: object
  30884. namespace:
  30885. description: |-
  30886. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  30887. Namespaces is a set of features within Vault Enterprise that allows
  30888. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30889. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30890. This will default to Vault.Namespace field if set, or empty otherwise
  30891. type: string
  30892. tokenSecretRef:
  30893. description: TokenSecretRef authenticates with Vault by presenting a token.
  30894. properties:
  30895. key:
  30896. description: |-
  30897. A key in the referenced Secret.
  30898. Some instances of this field may be defaulted, in others it may be required.
  30899. maxLength: 253
  30900. minLength: 1
  30901. pattern: ^[-._a-zA-Z0-9]+$
  30902. type: string
  30903. name:
  30904. description: The name of the Secret resource being referred to.
  30905. maxLength: 253
  30906. minLength: 1
  30907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30908. type: string
  30909. namespace:
  30910. description: |-
  30911. The namespace of the Secret resource being referred to.
  30912. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30913. maxLength: 63
  30914. minLength: 1
  30915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30916. type: string
  30917. type: object
  30918. userPass:
  30919. description: UserPass authenticates with Vault by passing username/password pair
  30920. properties:
  30921. path:
  30922. default: userpass
  30923. description: |-
  30924. Path where the UserPassword authentication backend is mounted
  30925. in Vault, e.g: "userpass"
  30926. type: string
  30927. secretRef:
  30928. description: |-
  30929. SecretRef to a key in a Secret resource containing password for the
  30930. user used to authenticate with Vault using the UserPass authentication
  30931. method
  30932. properties:
  30933. key:
  30934. description: |-
  30935. A key in the referenced Secret.
  30936. Some instances of this field may be defaulted, in others it may be required.
  30937. maxLength: 253
  30938. minLength: 1
  30939. pattern: ^[-._a-zA-Z0-9]+$
  30940. type: string
  30941. name:
  30942. description: The name of the Secret resource being referred to.
  30943. maxLength: 253
  30944. minLength: 1
  30945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30946. type: string
  30947. namespace:
  30948. description: |-
  30949. The namespace of the Secret resource being referred to.
  30950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30951. maxLength: 63
  30952. minLength: 1
  30953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30954. type: string
  30955. type: object
  30956. username:
  30957. description: |-
  30958. Username is a username used to authenticate using the UserPass Vault
  30959. authentication method
  30960. type: string
  30961. required:
  30962. - path
  30963. - username
  30964. type: object
  30965. type: object
  30966. caBundle:
  30967. description: |-
  30968. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  30969. if the Server URL uses the HTTPS protocol; it is ignored for plain HTTP connections,
  30970. which expose the Vault token and returned secrets in transit and should be avoided.
  30971. If not set, the system root certificates are used to validate the TLS connection.
  30972. format: byte
  30973. type: string
  30974. caProvider:
  30975. description: The provider for the CA bundle to use to validate Vault server certificate.
  30976. properties:
  30977. key:
  30978. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30979. maxLength: 253
  30980. minLength: 1
  30981. pattern: ^[-._a-zA-Z0-9]+$
  30982. type: string
  30983. name:
  30984. description: The name of the object located at the provider type.
  30985. maxLength: 253
  30986. minLength: 1
  30987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30988. type: string
  30989. namespace:
  30990. description: |-
  30991. The namespace the Provider type is in.
  30992. Can only be defined when used in a ClusterSecretStore.
  30993. maxLength: 63
  30994. minLength: 1
  30995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30996. type: string
  30997. type:
  30998. description: The type of provider to use such as "Secret", or "ConfigMap".
  30999. enum:
  31000. - Secret
  31001. - ConfigMap
  31002. type: string
  31003. required:
  31004. - name
  31005. - type
  31006. type: object
  31007. checkAndSet:
  31008. description: |-
  31009. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  31010. Only applies to Vault KV v2 stores. When enabled, write operations must include
  31011. the current version of the secret to prevent unintentional overwrites.
  31012. properties:
  31013. required:
  31014. description: |-
  31015. Required when true, all write operations must include a check-and-set parameter.
  31016. This helps prevent unintentional overwrites of secrets.
  31017. type: boolean
  31018. type: object
  31019. forwardInconsistent:
  31020. description: |-
  31021. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  31022. leader instead of simply retrying within a loop. This can increase performance if
  31023. the option is enabled serverside.
  31024. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  31025. type: boolean
  31026. headers:
  31027. additionalProperties:
  31028. type: string
  31029. description: Headers to be added in Vault request
  31030. type: object
  31031. namespace:
  31032. description: |-
  31033. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  31034. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  31035. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31036. type: string
  31037. path:
  31038. description: |-
  31039. Path is the mount path of the Vault KV backend endpoint, e.g:
  31040. "secret". The v2 KV secret engine version specific "/data" path suffix
  31041. for fetching secrets from Vault is optional and will be appended
  31042. if not present in specified path.
  31043. type: string
  31044. readYourWrites:
  31045. description: |-
  31046. ReadYourWrites ensures isolated read-after-write semantics by
  31047. providing discovered cluster replication states in each request.
  31048. More information about eventual consistency in Vault can be found here
  31049. https://www.vaultproject.io/docs/enterprise/consistency
  31050. type: boolean
  31051. server:
  31052. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  31053. type: string
  31054. tls:
  31055. description: |-
  31056. The configuration used for client side related TLS communication, when the Vault server
  31057. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  31058. This parameter is ignored for plain HTTP protocol connection.
  31059. It's worth noting this configuration is different from the "TLS certificates auth method",
  31060. which is available under the `auth.cert` section.
  31061. properties:
  31062. certSecretRef:
  31063. description: |-
  31064. CertSecretRef is a certificate added to the transport layer
  31065. when communicating with the Vault server.
  31066. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  31067. properties:
  31068. key:
  31069. description: |-
  31070. A key in the referenced Secret.
  31071. Some instances of this field may be defaulted, in others it may be required.
  31072. maxLength: 253
  31073. minLength: 1
  31074. pattern: ^[-._a-zA-Z0-9]+$
  31075. type: string
  31076. name:
  31077. description: The name of the Secret resource being referred to.
  31078. maxLength: 253
  31079. minLength: 1
  31080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31081. type: string
  31082. namespace:
  31083. description: |-
  31084. The namespace of the Secret resource being referred to.
  31085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31086. maxLength: 63
  31087. minLength: 1
  31088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31089. type: string
  31090. type: object
  31091. keySecretRef:
  31092. description: |-
  31093. KeySecretRef to a key in a Secret resource containing client private key
  31094. added to the transport layer when communicating with the Vault server.
  31095. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  31096. properties:
  31097. key:
  31098. description: |-
  31099. A key in the referenced Secret.
  31100. Some instances of this field may be defaulted, in others it may be required.
  31101. maxLength: 253
  31102. minLength: 1
  31103. pattern: ^[-._a-zA-Z0-9]+$
  31104. type: string
  31105. name:
  31106. description: The name of the Secret resource being referred to.
  31107. maxLength: 253
  31108. minLength: 1
  31109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31110. type: string
  31111. namespace:
  31112. description: |-
  31113. The namespace of the Secret resource being referred to.
  31114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31115. maxLength: 63
  31116. minLength: 1
  31117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31118. type: string
  31119. type: object
  31120. type: object
  31121. version:
  31122. default: v2
  31123. description: |-
  31124. Version is the Vault KV secret engine version. This can be either "v1" or
  31125. "v2". Version defaults to "v2".
  31126. enum:
  31127. - v1
  31128. - v2
  31129. type: string
  31130. required:
  31131. - server
  31132. type: object
  31133. resultType:
  31134. default: Data
  31135. description: |-
  31136. Result type defines which data is returned from the generator.
  31137. By default, it is the "data" section of the Vault API response.
  31138. When using e.g. /auth/token/create the "data" section is empty but
  31139. the "auth" section contains the generated token.
  31140. Please refer to the vault docs regarding the result data structure.
  31141. Additionally, accessing the raw response is possibly by using "Raw" result type.
  31142. enum:
  31143. - Data
  31144. - Auth
  31145. - Raw
  31146. type: string
  31147. retrySettings:
  31148. description: Used to configure http retries if failed
  31149. properties:
  31150. maxRetries:
  31151. format: int32
  31152. type: integer
  31153. retryInterval:
  31154. type: string
  31155. type: object
  31156. required:
  31157. - path
  31158. - provider
  31159. type: object
  31160. type: object
  31161. served: true
  31162. storage: true
  31163. subresources:
  31164. status: {}
  31165. ---
  31166. apiVersion: apiextensions.k8s.io/v1
  31167. kind: CustomResourceDefinition
  31168. metadata:
  31169. annotations:
  31170. controller-gen.kubebuilder.io/version: v0.19.0
  31171. labels:
  31172. external-secrets.io/component: controller
  31173. name: webhooks.generators.external-secrets.io
  31174. spec:
  31175. group: generators.external-secrets.io
  31176. names:
  31177. categories:
  31178. - external-secrets
  31179. - external-secrets-generators
  31180. kind: Webhook
  31181. listKind: WebhookList
  31182. plural: webhooks
  31183. singular: webhook
  31184. scope: Namespaced
  31185. versions:
  31186. - name: v1alpha1
  31187. schema:
  31188. openAPIV3Schema:
  31189. description: |-
  31190. Webhook connects to a third party API server to handle the secrets generation
  31191. configuration parameters in spec.
  31192. You can specify the server, the token, and additional body parameters.
  31193. See documentation for the full API specification for requests and responses.
  31194. properties:
  31195. apiVersion:
  31196. description: |-
  31197. APIVersion defines the versioned schema of this representation of an object.
  31198. Servers should convert recognized schemas to the latest internal value, and
  31199. may reject unrecognized values.
  31200. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31201. type: string
  31202. kind:
  31203. description: |-
  31204. Kind is a string value representing the REST resource this object represents.
  31205. Servers may infer this from the endpoint the client submits requests to.
  31206. Cannot be updated.
  31207. In CamelCase.
  31208. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31209. type: string
  31210. metadata:
  31211. type: object
  31212. spec:
  31213. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  31214. properties:
  31215. auth:
  31216. description: Auth specifies a authorization protocol. Only one protocol may be set.
  31217. maxProperties: 1
  31218. minProperties: 1
  31219. properties:
  31220. ntlm:
  31221. description: NTLMProtocol configures the store to use NTLM for auth
  31222. properties:
  31223. passwordSecret:
  31224. description: |-
  31225. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31226. In some instances, `key` is a required field.
  31227. properties:
  31228. key:
  31229. description: |-
  31230. A key in the referenced Secret.
  31231. Some instances of this field may be defaulted, in others it may be required.
  31232. maxLength: 253
  31233. minLength: 1
  31234. pattern: ^[-._a-zA-Z0-9]+$
  31235. type: string
  31236. name:
  31237. description: The name of the Secret resource being referred to.
  31238. maxLength: 253
  31239. minLength: 1
  31240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31241. type: string
  31242. namespace:
  31243. description: |-
  31244. The namespace of the Secret resource being referred to.
  31245. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31246. maxLength: 63
  31247. minLength: 1
  31248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31249. type: string
  31250. type: object
  31251. usernameSecret:
  31252. description: |-
  31253. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31254. In some instances, `key` is a required field.
  31255. properties:
  31256. key:
  31257. description: |-
  31258. A key in the referenced Secret.
  31259. Some instances of this field may be defaulted, in others it may be required.
  31260. maxLength: 253
  31261. minLength: 1
  31262. pattern: ^[-._a-zA-Z0-9]+$
  31263. type: string
  31264. name:
  31265. description: The name of the Secret resource being referred to.
  31266. maxLength: 253
  31267. minLength: 1
  31268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31269. type: string
  31270. namespace:
  31271. description: |-
  31272. The namespace of the Secret resource being referred to.
  31273. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31274. maxLength: 63
  31275. minLength: 1
  31276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31277. type: string
  31278. type: object
  31279. required:
  31280. - passwordSecret
  31281. - usernameSecret
  31282. type: object
  31283. type: object
  31284. body:
  31285. description: Body
  31286. type: string
  31287. caBundle:
  31288. description: |-
  31289. PEM encoded CA bundle used to validate webhook server certificate. Only used
  31290. if the Server URL is using HTTPS protocol. This parameter is ignored for
  31291. plain HTTP protocol connection. If not set the system root certificates
  31292. are used to validate the TLS connection.
  31293. format: byte
  31294. type: string
  31295. caProvider:
  31296. description: The provider for the CA bundle to use to validate webhook server certificate.
  31297. properties:
  31298. key:
  31299. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31300. maxLength: 253
  31301. minLength: 1
  31302. pattern: ^[-._a-zA-Z0-9]+$
  31303. type: string
  31304. name:
  31305. description: The name of the object located at the provider type.
  31306. maxLength: 253
  31307. minLength: 1
  31308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31309. type: string
  31310. namespace:
  31311. description: The namespace the Provider type is in.
  31312. maxLength: 63
  31313. minLength: 1
  31314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31315. type: string
  31316. type:
  31317. description: The type of provider to use such as "Secret", or "ConfigMap".
  31318. enum:
  31319. - Secret
  31320. - ConfigMap
  31321. type: string
  31322. required:
  31323. - name
  31324. - type
  31325. type: object
  31326. headers:
  31327. additionalProperties:
  31328. type: string
  31329. description: Headers
  31330. type: object
  31331. method:
  31332. description: Webhook Method
  31333. type: string
  31334. result:
  31335. description: Result formatting
  31336. properties:
  31337. jsonPath:
  31338. description: Json path of return value
  31339. type: string
  31340. type: object
  31341. secrets:
  31342. description: |-
  31343. Secrets to fill in templates
  31344. These secrets will be passed to the templating function as key value pairs under the given name
  31345. items:
  31346. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  31347. properties:
  31348. name:
  31349. description: Name of this secret in templates
  31350. type: string
  31351. secretRef:
  31352. description: Secret ref to fill in credentials
  31353. properties:
  31354. key:
  31355. description: The key where the token is found.
  31356. maxLength: 253
  31357. minLength: 1
  31358. pattern: ^[-._a-zA-Z0-9]+$
  31359. type: string
  31360. name:
  31361. description: The name of the Secret resource being referred to.
  31362. maxLength: 253
  31363. minLength: 1
  31364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31365. type: string
  31366. type: object
  31367. required:
  31368. - name
  31369. - secretRef
  31370. type: object
  31371. type: array
  31372. timeout:
  31373. description: Timeout
  31374. type: string
  31375. url:
  31376. description: Webhook url to call
  31377. type: string
  31378. required:
  31379. - result
  31380. - url
  31381. type: object
  31382. type: object
  31383. served: true
  31384. storage: true
  31385. subresources:
  31386. status: {}