| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.14.0
- name: clustersecretstores.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - externalsecrets
- kind: ClusterSecretStore
- listKind: ClusterSecretStoreList
- plural: clustersecretstores
- shortNames:
- - css
- singular: clustersecretstore
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- deprecated: true
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterSecretStore represents a secure external location for
- storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may
- be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using
- Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to
- be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in
- Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- Akeyless Gateway certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using
- Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references
- for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS
- Secret Manager provider
- properties:
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account
- tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the SecretManager provider
- will assume
- type: string
- service:
- description: Service defines which service should be used
- to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using
- Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Azure. Required for ServicePrincipal auth type.
- properties:
- clientId:
- description: The Azure clientId of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the
- pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send
- requests to. Required for ServicePrincipal auth type.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched
- from.
- type: string
- required:
- - vaultUrl
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- valueMap:
- additionalProperties:
- type: string
- type: object
- version:
- type: string
- required:
- - key
- type: object
- type: array
- required:
- - data
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using
- Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate
- against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using
- GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- projectID:
- description: ProjectID specifies a project where secrets are
- located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults
- to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM
- Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the IBM secrets manager.
- properties:
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific
- to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets
- using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be
- used for authentication
- properties:
- serviceAccount:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the
- provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- required:
- - auth
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using
- Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, instance principal is used. Optionally, the authenticating principal type
- and/or user data may be supplied for the use of workload identity and user principal.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the
- API private key.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing
- Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is
- located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault
- where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- vault:
- description: Vault configures this store to sync secrets using
- Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- - roleId
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing
- the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a LDAP user name used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by
- presenting a token.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- Vault server certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault
- server, e.g: "https://vault.example.com:8200".'
- type: string
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using
- a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- webhook server certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets
- using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate
- against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate
- Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: ClusterSecretStore represents a secure external location for
- storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces.
- Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may
- be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using
- Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to
- be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in
- Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found
- in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using
- Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references
- for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS
- Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs
- which the provider will sequentially assume before assuming
- the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account
- tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves
- when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used
- to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags.
- Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using
- Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates
- with Azure. Required for ServicePrincipal auth type.
- properties:
- clientId:
- description: The Azure clientId of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle
- used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the
- pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send
- requests to. Required for ServicePrincipal auth type.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched
- from.
- type: string
- required:
- - vaultUrl
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef
- server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate
- against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references
- for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format,
- used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect
- to. If using orgs you should include your org in the url
- and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using
- conjur provider
- properties:
- auth:
- properties:
- apikey:
- properties:
- account:
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- properties:
- account:
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found
- in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that
- will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a
- value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that
- will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a
- value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using
- the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates
- with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service
- Token)
- type: string
- format:
- description: Format enables the downloading of secrets as
- a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms
- that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service
- Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- valueMap:
- additionalProperties:
- type: string
- description: 'Deprecated: ValueMap is deprecated and
- is intended to be removed in the future, use the `value`
- field instead.'
- type: object
- version:
- type: string
- required:
- - key
- type: object
- type: array
- required:
- - data
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using
- Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate
- against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using
- GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD
- variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment
- on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull
- secrets from. Group secrets are read from left to right
- followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups
- should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are
- located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults
- to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM
- Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted
- Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the
- pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific
- to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets
- using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred
- to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets
- using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be
- used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can
- be found in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the
- provider type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- required:
- - auth
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets
- using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate
- against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references
- for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication
- to a 1Password Connect Server.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server
- to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search
- in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using
- Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the
- API private key.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing
- Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is
- located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault
- where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that
- will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a
- value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults
- to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you
- can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that
- will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a
- value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets
- using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate
- must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should
- be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using
- Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled
- in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before
- talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional
- header used by Vault IAM auth method to mitigate
- against different types of replay attacks. More
- details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes
- an identity with a set of permissions, groups, or
- policies you want to attach a user of the secrets
- engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing
- the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a LDAP user name used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by
- presenting a token.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing
- username/password pair
- properties:
- path:
- default: user
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "user"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a user name used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found
- in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault
- server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using
- a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- webhook server certificate.
- properties:
- key:
- description: The key the value inside of the provider
- type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider
- type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to
- sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate
- against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate
- Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets
- using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate
- against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate
- Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds.
- Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations
- a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
