bundle.yaml 319 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.9.0
  6. creationTimestamp: null
  7. name: clusterexternalsecrets.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterExternalSecret
  14. listKind: ClusterExternalSecretList
  15. plural: clusterexternalsecrets
  16. shortNames:
  17. - ces
  18. singular: clusterexternalsecret
  19. scope: Cluster
  20. versions:
  21. - name: v1beta1
  22. schema:
  23. openAPIV3Schema:
  24. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  25. properties:
  26. apiVersion:
  27. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  28. type: string
  29. kind:
  30. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  31. type: string
  32. metadata:
  33. type: object
  34. spec:
  35. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  36. properties:
  37. externalSecretName:
  38. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  39. type: string
  40. externalSecretSpec:
  41. description: The spec for the ExternalSecrets to be created
  42. properties:
  43. data:
  44. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  45. items:
  46. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  47. properties:
  48. remoteRef:
  49. description: ExternalSecretDataRemoteRef defines Provider data location.
  50. properties:
  51. conversionStrategy:
  52. default: Default
  53. description: Used to define a conversion Strategy
  54. type: string
  55. key:
  56. description: Key is the key used in the Provider, mandatory
  57. type: string
  58. metadataPolicy:
  59. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  60. type: string
  61. property:
  62. description: Used to select a specific property of the Provider value (if a map), if supported
  63. type: string
  64. version:
  65. description: Used to select a specific version of the Provider value, if supported
  66. type: string
  67. required:
  68. - key
  69. type: object
  70. secretKey:
  71. type: string
  72. required:
  73. - remoteRef
  74. - secretKey
  75. type: object
  76. type: array
  77. dataFrom:
  78. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  79. items:
  80. maxProperties: 1
  81. minProperties: 1
  82. properties:
  83. extract:
  84. description: Used to extract multiple key/value pairs from one secret
  85. properties:
  86. conversionStrategy:
  87. default: Default
  88. description: Used to define a conversion Strategy
  89. type: string
  90. key:
  91. description: Key is the key used in the Provider, mandatory
  92. type: string
  93. metadataPolicy:
  94. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  95. type: string
  96. property:
  97. description: Used to select a specific property of the Provider value (if a map), if supported
  98. type: string
  99. version:
  100. description: Used to select a specific version of the Provider value, if supported
  101. type: string
  102. required:
  103. - key
  104. type: object
  105. find:
  106. description: Used to find secrets based on tags or regular expressions
  107. properties:
  108. conversionStrategy:
  109. default: Default
  110. description: Used to define a conversion Strategy
  111. type: string
  112. name:
  113. description: Finds secrets based on the name.
  114. properties:
  115. regexp:
  116. description: Finds secrets base
  117. type: string
  118. type: object
  119. path:
  120. description: A root path to start the find operations.
  121. type: string
  122. tags:
  123. additionalProperties:
  124. type: string
  125. description: Find secrets based on tags.
  126. type: object
  127. type: object
  128. type: object
  129. type: array
  130. refreshInterval:
  131. default: 1h
  132. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  133. type: string
  134. secretStoreRef:
  135. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  136. properties:
  137. kind:
  138. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  139. type: string
  140. name:
  141. description: Name of the SecretStore resource
  142. type: string
  143. required:
  144. - name
  145. type: object
  146. target:
  147. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  148. properties:
  149. creationPolicy:
  150. default: Owner
  151. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  152. enum:
  153. - Owner
  154. - Orphan
  155. - Merge
  156. - None
  157. type: string
  158. deletionPolicy:
  159. default: Retain
  160. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  161. enum:
  162. - Delete
  163. - Merge
  164. - Retain
  165. type: string
  166. immutable:
  167. description: Immutable defines if the final secret will be immutable
  168. type: boolean
  169. name:
  170. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  171. type: string
  172. template:
  173. description: Template defines a blueprint for the created Secret resource.
  174. properties:
  175. data:
  176. additionalProperties:
  177. type: string
  178. type: object
  179. engineVersion:
  180. default: v2
  181. type: string
  182. metadata:
  183. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  184. properties:
  185. annotations:
  186. additionalProperties:
  187. type: string
  188. type: object
  189. labels:
  190. additionalProperties:
  191. type: string
  192. type: object
  193. type: object
  194. templateFrom:
  195. items:
  196. maxProperties: 1
  197. minProperties: 1
  198. properties:
  199. configMap:
  200. properties:
  201. items:
  202. items:
  203. properties:
  204. key:
  205. type: string
  206. required:
  207. - key
  208. type: object
  209. type: array
  210. name:
  211. type: string
  212. required:
  213. - items
  214. - name
  215. type: object
  216. secret:
  217. properties:
  218. items:
  219. items:
  220. properties:
  221. key:
  222. type: string
  223. required:
  224. - key
  225. type: object
  226. type: array
  227. name:
  228. type: string
  229. required:
  230. - items
  231. - name
  232. type: object
  233. type: object
  234. type: array
  235. type:
  236. type: string
  237. type: object
  238. type: object
  239. required:
  240. - secretStoreRef
  241. type: object
  242. namespaceSelector:
  243. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  244. properties:
  245. matchExpressions:
  246. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  247. items:
  248. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  249. properties:
  250. key:
  251. description: key is the label key that the selector applies to.
  252. type: string
  253. operator:
  254. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  255. type: string
  256. values:
  257. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  258. items:
  259. type: string
  260. type: array
  261. required:
  262. - key
  263. - operator
  264. type: object
  265. type: array
  266. matchLabels:
  267. additionalProperties:
  268. type: string
  269. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  270. type: object
  271. type: object
  272. refreshTime:
  273. description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
  274. type: string
  275. required:
  276. - externalSecretSpec
  277. - namespaceSelector
  278. type: object
  279. status:
  280. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  281. properties:
  282. conditions:
  283. items:
  284. properties:
  285. message:
  286. type: string
  287. status:
  288. type: string
  289. type:
  290. type: string
  291. required:
  292. - status
  293. - type
  294. type: object
  295. type: array
  296. failedNamespaces:
  297. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  298. items:
  299. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  300. properties:
  301. namespace:
  302. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  303. type: string
  304. reason:
  305. description: Reason is why the ExternalSecret failed to apply to the namespace
  306. type: string
  307. required:
  308. - namespace
  309. type: object
  310. type: array
  311. provisionedNamespaces:
  312. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  313. items:
  314. type: string
  315. type: array
  316. type: object
  317. type: object
  318. served: true
  319. storage: true
  320. subresources:
  321. status: {}
  322. conversion:
  323. strategy: Webhook
  324. webhook:
  325. conversionReviewVersions:
  326. - v1
  327. clientConfig:
  328. service:
  329. name: kubernetes
  330. namespace: default
  331. path: /convert
  332. ---
  333. apiVersion: apiextensions.k8s.io/v1
  334. kind: CustomResourceDefinition
  335. metadata:
  336. annotations:
  337. controller-gen.kubebuilder.io/version: v0.9.0
  338. creationTimestamp: null
  339. name: clustersecretstores.external-secrets.io
  340. spec:
  341. group: external-secrets.io
  342. names:
  343. categories:
  344. - externalsecrets
  345. kind: ClusterSecretStore
  346. listKind: ClusterSecretStoreList
  347. plural: clustersecretstores
  348. shortNames:
  349. - css
  350. singular: clustersecretstore
  351. scope: Cluster
  352. versions:
  353. - additionalPrinterColumns:
  354. - jsonPath: .metadata.creationTimestamp
  355. name: AGE
  356. type: date
  357. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  358. name: Status
  359. type: string
  360. deprecated: true
  361. name: v1alpha1
  362. schema:
  363. openAPIV3Schema:
  364. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  365. properties:
  366. apiVersion:
  367. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  368. type: string
  369. kind:
  370. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  371. type: string
  372. metadata:
  373. type: object
  374. spec:
  375. description: SecretStoreSpec defines the desired state of SecretStore.
  376. properties:
  377. controller:
  378. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  379. type: string
  380. provider:
  381. description: Used to configure the provider. Only one provider may be set
  382. maxProperties: 1
  383. minProperties: 1
  384. properties:
  385. akeyless:
  386. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  387. properties:
  388. akeylessGWApiURL:
  389. description: Akeyless GW API Url from which the secrets to be fetched from.
  390. type: string
  391. authSecretRef:
  392. description: Auth configures how the operator authenticates with Akeyless.
  393. properties:
  394. secretRef:
  395. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  396. properties:
  397. accessID:
  398. description: The SecretAccessID is used for authentication
  399. properties:
  400. key:
  401. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  402. type: string
  403. name:
  404. description: The name of the Secret resource being referred to.
  405. type: string
  406. namespace:
  407. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  408. type: string
  409. type: object
  410. accessType:
  411. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  412. properties:
  413. key:
  414. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  415. type: string
  416. name:
  417. description: The name of the Secret resource being referred to.
  418. type: string
  419. namespace:
  420. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  421. type: string
  422. type: object
  423. accessTypeParam:
  424. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  425. properties:
  426. key:
  427. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  428. type: string
  429. name:
  430. description: The name of the Secret resource being referred to.
  431. type: string
  432. namespace:
  433. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  434. type: string
  435. type: object
  436. type: object
  437. required:
  438. - secretRef
  439. type: object
  440. required:
  441. - akeylessGWApiURL
  442. - authSecretRef
  443. type: object
  444. alibaba:
  445. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  446. properties:
  447. auth:
  448. description: AlibabaAuth contains a secretRef for credentials.
  449. properties:
  450. secretRef:
  451. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  452. properties:
  453. accessKeyIDSecretRef:
  454. description: The AccessKeyID is used for authentication
  455. properties:
  456. key:
  457. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  458. type: string
  459. name:
  460. description: The name of the Secret resource being referred to.
  461. type: string
  462. namespace:
  463. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  464. type: string
  465. type: object
  466. accessKeySecretSecretRef:
  467. description: The AccessKeySecret is used for authentication
  468. properties:
  469. key:
  470. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  471. type: string
  472. name:
  473. description: The name of the Secret resource being referred to.
  474. type: string
  475. namespace:
  476. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  477. type: string
  478. type: object
  479. required:
  480. - accessKeyIDSecretRef
  481. - accessKeySecretSecretRef
  482. type: object
  483. required:
  484. - secretRef
  485. type: object
  486. endpoint:
  487. type: string
  488. regionID:
  489. description: Alibaba Region to be used for the provider
  490. type: string
  491. required:
  492. - auth
  493. - regionID
  494. type: object
  495. aws:
  496. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  497. properties:
  498. auth:
  499. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  500. properties:
  501. jwt:
  502. description: Authenticate against AWS using service account tokens.
  503. properties:
  504. serviceAccountRef:
  505. description: A reference to a ServiceAccount resource.
  506. properties:
  507. name:
  508. description: The name of the ServiceAccount resource being referred to.
  509. type: string
  510. namespace:
  511. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  512. type: string
  513. required:
  514. - name
  515. type: object
  516. type: object
  517. secretRef:
  518. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  519. properties:
  520. accessKeyIDSecretRef:
  521. description: The AccessKeyID is used for authentication
  522. properties:
  523. key:
  524. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  525. type: string
  526. name:
  527. description: The name of the Secret resource being referred to.
  528. type: string
  529. namespace:
  530. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  531. type: string
  532. type: object
  533. secretAccessKeySecretRef:
  534. description: The SecretAccessKey is used for authentication
  535. properties:
  536. key:
  537. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  538. type: string
  539. name:
  540. description: The name of the Secret resource being referred to.
  541. type: string
  542. namespace:
  543. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  544. type: string
  545. type: object
  546. type: object
  547. type: object
  548. region:
  549. description: AWS Region to be used for the provider
  550. type: string
  551. role:
  552. description: Role is a Role ARN which the SecretManager provider will assume
  553. type: string
  554. service:
  555. description: Service defines which service should be used to fetch the secrets
  556. enum:
  557. - SecretsManager
  558. - ParameterStore
  559. type: string
  560. required:
  561. - region
  562. - service
  563. type: object
  564. azurekv:
  565. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  566. properties:
  567. authSecretRef:
  568. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  569. properties:
  570. clientId:
  571. description: The Azure clientId of the service principle used for authentication.
  572. properties:
  573. key:
  574. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  575. type: string
  576. name:
  577. description: The name of the Secret resource being referred to.
  578. type: string
  579. namespace:
  580. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  581. type: string
  582. type: object
  583. clientSecret:
  584. description: The Azure ClientSecret of the service principle used for authentication.
  585. properties:
  586. key:
  587. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  588. type: string
  589. name:
  590. description: The name of the Secret resource being referred to.
  591. type: string
  592. namespace:
  593. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  594. type: string
  595. type: object
  596. type: object
  597. authType:
  598. default: ServicePrincipal
  599. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  600. enum:
  601. - ServicePrincipal
  602. - ManagedIdentity
  603. - WorkloadIdentity
  604. type: string
  605. identityId:
  606. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  607. type: string
  608. serviceAccountRef:
  609. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  610. properties:
  611. name:
  612. description: The name of the ServiceAccount resource being referred to.
  613. type: string
  614. namespace:
  615. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  616. type: string
  617. required:
  618. - name
  619. type: object
  620. tenantId:
  621. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  622. type: string
  623. vaultUrl:
  624. description: Vault Url from which the secrets to be fetched from.
  625. type: string
  626. required:
  627. - vaultUrl
  628. type: object
  629. fake:
  630. description: Fake configures a store with static key/value pairs
  631. properties:
  632. data:
  633. items:
  634. properties:
  635. key:
  636. type: string
  637. value:
  638. type: string
  639. valueMap:
  640. additionalProperties:
  641. type: string
  642. type: object
  643. version:
  644. type: string
  645. required:
  646. - key
  647. type: object
  648. type: array
  649. required:
  650. - data
  651. type: object
  652. gcpsm:
  653. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  654. properties:
  655. auth:
  656. description: Auth defines the information necessary to authenticate against GCP
  657. properties:
  658. secretRef:
  659. properties:
  660. secretAccessKeySecretRef:
  661. description: The SecretAccessKey is used for authentication
  662. properties:
  663. key:
  664. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  665. type: string
  666. name:
  667. description: The name of the Secret resource being referred to.
  668. type: string
  669. namespace:
  670. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  671. type: string
  672. type: object
  673. type: object
  674. workloadIdentity:
  675. properties:
  676. clusterLocation:
  677. type: string
  678. clusterName:
  679. type: string
  680. clusterProjectID:
  681. type: string
  682. serviceAccountRef:
  683. description: A reference to a ServiceAccount resource.
  684. properties:
  685. name:
  686. description: The name of the ServiceAccount resource being referred to.
  687. type: string
  688. namespace:
  689. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  690. type: string
  691. required:
  692. - name
  693. type: object
  694. required:
  695. - clusterLocation
  696. - clusterName
  697. - serviceAccountRef
  698. type: object
  699. type: object
  700. projectID:
  701. description: ProjectID project where secret is located
  702. type: string
  703. type: object
  704. gitlab:
  705. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  706. properties:
  707. auth:
  708. description: Auth configures how secret-manager authenticates with a GitLab instance.
  709. properties:
  710. SecretRef:
  711. properties:
  712. accessToken:
  713. description: AccessToken is used for authentication.
  714. properties:
  715. key:
  716. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  717. type: string
  718. name:
  719. description: The name of the Secret resource being referred to.
  720. type: string
  721. namespace:
  722. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  723. type: string
  724. type: object
  725. type: object
  726. required:
  727. - SecretRef
  728. type: object
  729. projectID:
  730. description: ProjectID specifies a project where secrets are located.
  731. type: string
  732. url:
  733. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  734. type: string
  735. required:
  736. - auth
  737. type: object
  738. ibm:
  739. description: IBM configures this store to sync secrets using IBM Cloud provider
  740. properties:
  741. auth:
  742. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  743. properties:
  744. secretRef:
  745. properties:
  746. secretApiKeySecretRef:
  747. description: The SecretAccessKey is used for authentication
  748. properties:
  749. key:
  750. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  751. type: string
  752. name:
  753. description: The name of the Secret resource being referred to.
  754. type: string
  755. namespace:
  756. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  757. type: string
  758. type: object
  759. type: object
  760. required:
  761. - secretRef
  762. type: object
  763. serviceUrl:
  764. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  765. type: string
  766. required:
  767. - auth
  768. type: object
  769. kubernetes:
  770. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  771. properties:
  772. auth:
  773. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  774. maxProperties: 1
  775. minProperties: 1
  776. properties:
  777. cert:
  778. description: has both clientCert and clientKey as secretKeySelector
  779. properties:
  780. clientCert:
  781. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  782. properties:
  783. key:
  784. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  785. type: string
  786. name:
  787. description: The name of the Secret resource being referred to.
  788. type: string
  789. namespace:
  790. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  791. type: string
  792. type: object
  793. clientKey:
  794. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  795. properties:
  796. key:
  797. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  798. type: string
  799. name:
  800. description: The name of the Secret resource being referred to.
  801. type: string
  802. namespace:
  803. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  804. type: string
  805. type: object
  806. type: object
  807. serviceAccount:
  808. description: points to a service account that should be used for authentication
  809. properties:
  810. serviceAccount:
  811. description: A reference to a ServiceAccount resource.
  812. properties:
  813. name:
  814. description: The name of the ServiceAccount resource being referred to.
  815. type: string
  816. namespace:
  817. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  818. type: string
  819. required:
  820. - name
  821. type: object
  822. type: object
  823. token:
  824. description: use static token to authenticate with
  825. properties:
  826. bearerToken:
  827. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  828. properties:
  829. key:
  830. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  831. type: string
  832. name:
  833. description: The name of the Secret resource being referred to.
  834. type: string
  835. namespace:
  836. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  837. type: string
  838. type: object
  839. type: object
  840. type: object
  841. remoteNamespace:
  842. default: default
  843. description: Remote namespace to fetch the secrets from
  844. type: string
  845. server:
  846. description: configures the Kubernetes server Address.
  847. properties:
  848. caBundle:
  849. description: CABundle is a base64-encoded CA certificate
  850. format: byte
  851. type: string
  852. caProvider:
  853. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  854. properties:
  855. key:
  856. description: The key the value inside of the provider type to use, only used with "Secret" type
  857. type: string
  858. name:
  859. description: The name of the object located at the provider type.
  860. type: string
  861. namespace:
  862. description: The namespace the Provider type is in.
  863. type: string
  864. type:
  865. description: The type of provider to use such as "Secret", or "ConfigMap".
  866. enum:
  867. - Secret
  868. - ConfigMap
  869. type: string
  870. required:
  871. - name
  872. - type
  873. type: object
  874. url:
  875. default: kubernetes.default
  876. description: configures the Kubernetes server Address.
  877. type: string
  878. type: object
  879. required:
  880. - auth
  881. type: object
  882. oracle:
  883. description: Oracle configures this store to sync secrets using Oracle Vault provider
  884. properties:
  885. auth:
  886. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  887. properties:
  888. secretRef:
  889. description: SecretRef to pass through sensitive information.
  890. properties:
  891. fingerprint:
  892. description: Fingerprint is the fingerprint of the API private key.
  893. properties:
  894. key:
  895. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  896. type: string
  897. name:
  898. description: The name of the Secret resource being referred to.
  899. type: string
  900. namespace:
  901. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  902. type: string
  903. type: object
  904. privatekey:
  905. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  906. properties:
  907. key:
  908. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  909. type: string
  910. name:
  911. description: The name of the Secret resource being referred to.
  912. type: string
  913. namespace:
  914. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  915. type: string
  916. type: object
  917. required:
  918. - fingerprint
  919. - privatekey
  920. type: object
  921. tenancy:
  922. description: Tenancy is the tenancy OCID where user is located.
  923. type: string
  924. user:
  925. description: User is an access OCID specific to the account.
  926. type: string
  927. required:
  928. - secretRef
  929. - tenancy
  930. - user
  931. type: object
  932. region:
  933. description: Region is the region where vault is located.
  934. type: string
  935. vault:
  936. description: Vault is the vault's OCID of the specific vault where secret is located.
  937. type: string
  938. required:
  939. - region
  940. - vault
  941. type: object
  942. vault:
  943. description: Vault configures this store to sync secrets using Hashi provider
  944. properties:
  945. auth:
  946. description: Auth configures how secret-manager authenticates with the Vault server.
  947. properties:
  948. appRole:
  949. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  950. properties:
  951. path:
  952. default: approle
  953. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  954. type: string
  955. roleId:
  956. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  957. type: string
  958. secretRef:
  959. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  960. properties:
  961. key:
  962. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  963. type: string
  964. name:
  965. description: The name of the Secret resource being referred to.
  966. type: string
  967. namespace:
  968. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  969. type: string
  970. type: object
  971. required:
  972. - path
  973. - roleId
  974. - secretRef
  975. type: object
  976. cert:
  977. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  978. properties:
  979. clientCert:
  980. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  981. properties:
  982. key:
  983. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  984. type: string
  985. name:
  986. description: The name of the Secret resource being referred to.
  987. type: string
  988. namespace:
  989. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  990. type: string
  991. type: object
  992. secretRef:
  993. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  994. properties:
  995. key:
  996. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  997. type: string
  998. name:
  999. description: The name of the Secret resource being referred to.
  1000. type: string
  1001. namespace:
  1002. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1003. type: string
  1004. type: object
  1005. type: object
  1006. jwt:
  1007. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1008. properties:
  1009. kubernetesServiceAccountToken:
  1010. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  1011. properties:
  1012. audiences:
  1013. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  1014. items:
  1015. type: string
  1016. type: array
  1017. expirationSeconds:
  1018. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1019. format: int64
  1020. type: integer
  1021. serviceAccountRef:
  1022. description: Service account field containing the name of a kubernetes ServiceAccount.
  1023. properties:
  1024. name:
  1025. description: The name of the ServiceAccount resource being referred to.
  1026. type: string
  1027. namespace:
  1028. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1029. type: string
  1030. required:
  1031. - name
  1032. type: object
  1033. required:
  1034. - serviceAccountRef
  1035. type: object
  1036. path:
  1037. default: jwt
  1038. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1039. type: string
  1040. role:
  1041. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1042. type: string
  1043. secretRef:
  1044. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1045. properties:
  1046. key:
  1047. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1048. type: string
  1049. name:
  1050. description: The name of the Secret resource being referred to.
  1051. type: string
  1052. namespace:
  1053. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1054. type: string
  1055. type: object
  1056. required:
  1057. - path
  1058. type: object
  1059. kubernetes:
  1060. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1061. properties:
  1062. mountPath:
  1063. default: kubernetes
  1064. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1065. type: string
  1066. role:
  1067. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1068. type: string
  1069. secretRef:
  1070. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1071. properties:
  1072. key:
  1073. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1074. type: string
  1075. name:
  1076. description: The name of the Secret resource being referred to.
  1077. type: string
  1078. namespace:
  1079. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1080. type: string
  1081. type: object
  1082. serviceAccountRef:
  1083. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1084. properties:
  1085. name:
  1086. description: The name of the ServiceAccount resource being referred to.
  1087. type: string
  1088. namespace:
  1089. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1090. type: string
  1091. required:
  1092. - name
  1093. type: object
  1094. required:
  1095. - mountPath
  1096. - role
  1097. type: object
  1098. ldap:
  1099. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1100. properties:
  1101. path:
  1102. default: ldap
  1103. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1104. type: string
  1105. secretRef:
  1106. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1107. properties:
  1108. key:
  1109. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1110. type: string
  1111. name:
  1112. description: The name of the Secret resource being referred to.
  1113. type: string
  1114. namespace:
  1115. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1116. type: string
  1117. type: object
  1118. username:
  1119. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1120. type: string
  1121. required:
  1122. - path
  1123. - username
  1124. type: object
  1125. tokenSecretRef:
  1126. description: TokenSecretRef authenticates with Vault by presenting a token.
  1127. properties:
  1128. key:
  1129. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1130. type: string
  1131. name:
  1132. description: The name of the Secret resource being referred to.
  1133. type: string
  1134. namespace:
  1135. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1136. type: string
  1137. type: object
  1138. type: object
  1139. caBundle:
  1140. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1141. format: byte
  1142. type: string
  1143. caProvider:
  1144. description: The provider for the CA bundle to use to validate Vault server certificate.
  1145. properties:
  1146. key:
  1147. description: The key the value inside of the provider type to use, only used with "Secret" type
  1148. type: string
  1149. name:
  1150. description: The name of the object located at the provider type.
  1151. type: string
  1152. namespace:
  1153. description: The namespace the Provider type is in.
  1154. type: string
  1155. type:
  1156. description: The type of provider to use such as "Secret", or "ConfigMap".
  1157. enum:
  1158. - Secret
  1159. - ConfigMap
  1160. type: string
  1161. required:
  1162. - name
  1163. - type
  1164. type: object
  1165. forwardInconsistent:
  1166. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1167. type: boolean
  1168. namespace:
  1169. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1170. type: string
  1171. path:
  1172. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1173. type: string
  1174. readYourWrites:
  1175. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1176. type: boolean
  1177. server:
  1178. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1179. type: string
  1180. version:
  1181. default: v2
  1182. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1183. enum:
  1184. - v1
  1185. - v2
  1186. type: string
  1187. required:
  1188. - auth
  1189. - server
  1190. type: object
  1191. webhook:
  1192. description: Webhook configures this store to sync secrets using a generic templated webhook
  1193. properties:
  1194. body:
  1195. description: Body
  1196. type: string
  1197. caBundle:
  1198. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1199. format: byte
  1200. type: string
  1201. caProvider:
  1202. description: The provider for the CA bundle to use to validate webhook server certificate.
  1203. properties:
  1204. key:
  1205. description: The key the value inside of the provider type to use, only used with "Secret" type
  1206. type: string
  1207. name:
  1208. description: The name of the object located at the provider type.
  1209. type: string
  1210. namespace:
  1211. description: The namespace the Provider type is in.
  1212. type: string
  1213. type:
  1214. description: The type of provider to use such as "Secret", or "ConfigMap".
  1215. enum:
  1216. - Secret
  1217. - ConfigMap
  1218. type: string
  1219. required:
  1220. - name
  1221. - type
  1222. type: object
  1223. headers:
  1224. additionalProperties:
  1225. type: string
  1226. description: Headers
  1227. type: object
  1228. method:
  1229. description: Webhook Method
  1230. type: string
  1231. result:
  1232. description: Result formatting
  1233. properties:
  1234. jsonPath:
  1235. description: Json path of return value
  1236. type: string
  1237. type: object
  1238. secrets:
  1239. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1240. items:
  1241. properties:
  1242. name:
  1243. description: Name of this secret in templates
  1244. type: string
  1245. secretRef:
  1246. description: Secret ref to fill in credentials
  1247. properties:
  1248. key:
  1249. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1250. type: string
  1251. name:
  1252. description: The name of the Secret resource being referred to.
  1253. type: string
  1254. namespace:
  1255. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1256. type: string
  1257. type: object
  1258. required:
  1259. - name
  1260. - secretRef
  1261. type: object
  1262. type: array
  1263. timeout:
  1264. description: Timeout
  1265. type: string
  1266. url:
  1267. description: Webhook url to call
  1268. type: string
  1269. required:
  1270. - result
  1271. - url
  1272. type: object
  1273. yandexlockbox:
  1274. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1275. properties:
  1276. apiEndpoint:
  1277. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1278. type: string
  1279. auth:
  1280. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1281. properties:
  1282. authorizedKeySecretRef:
  1283. description: The authorized key used for authentication
  1284. properties:
  1285. key:
  1286. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1287. type: string
  1288. name:
  1289. description: The name of the Secret resource being referred to.
  1290. type: string
  1291. namespace:
  1292. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1293. type: string
  1294. type: object
  1295. type: object
  1296. caProvider:
  1297. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1298. properties:
  1299. certSecretRef:
  1300. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1301. properties:
  1302. key:
  1303. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1304. type: string
  1305. name:
  1306. description: The name of the Secret resource being referred to.
  1307. type: string
  1308. namespace:
  1309. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1310. type: string
  1311. type: object
  1312. type: object
  1313. required:
  1314. - auth
  1315. type: object
  1316. type: object
  1317. retrySettings:
  1318. description: Used to configure http retries if failed
  1319. properties:
  1320. maxRetries:
  1321. format: int32
  1322. type: integer
  1323. retryInterval:
  1324. type: string
  1325. type: object
  1326. required:
  1327. - provider
  1328. type: object
  1329. status:
  1330. description: SecretStoreStatus defines the observed state of the SecretStore.
  1331. properties:
  1332. conditions:
  1333. items:
  1334. properties:
  1335. lastTransitionTime:
  1336. format: date-time
  1337. type: string
  1338. message:
  1339. type: string
  1340. reason:
  1341. type: string
  1342. status:
  1343. type: string
  1344. type:
  1345. type: string
  1346. required:
  1347. - status
  1348. - type
  1349. type: object
  1350. type: array
  1351. type: object
  1352. type: object
  1353. served: true
  1354. storage: false
  1355. subresources:
  1356. status: {}
  1357. - additionalPrinterColumns:
  1358. - jsonPath: .metadata.creationTimestamp
  1359. name: AGE
  1360. type: date
  1361. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1362. name: Status
  1363. type: string
  1364. - jsonPath: .status.capabilities
  1365. name: Capabilities
  1366. type: string
  1367. name: v1beta1
  1368. schema:
  1369. openAPIV3Schema:
  1370. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1371. properties:
  1372. apiVersion:
  1373. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1374. type: string
  1375. kind:
  1376. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1377. type: string
  1378. metadata:
  1379. type: object
  1380. spec:
  1381. description: SecretStoreSpec defines the desired state of SecretStore.
  1382. properties:
  1383. controller:
  1384. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  1385. type: string
  1386. provider:
  1387. description: Used to configure the provider. Only one provider may be set
  1388. maxProperties: 1
  1389. minProperties: 1
  1390. properties:
  1391. akeyless:
  1392. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1393. properties:
  1394. akeylessGWApiURL:
  1395. description: Akeyless GW API Url from which the secrets to be fetched from.
  1396. type: string
  1397. authSecretRef:
  1398. description: Auth configures how the operator authenticates with Akeyless.
  1399. properties:
  1400. secretRef:
  1401. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  1402. properties:
  1403. accessID:
  1404. description: The SecretAccessID is used for authentication
  1405. properties:
  1406. key:
  1407. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1408. type: string
  1409. name:
  1410. description: The name of the Secret resource being referred to.
  1411. type: string
  1412. namespace:
  1413. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1414. type: string
  1415. type: object
  1416. accessType:
  1417. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1418. properties:
  1419. key:
  1420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1421. type: string
  1422. name:
  1423. description: The name of the Secret resource being referred to.
  1424. type: string
  1425. namespace:
  1426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1427. type: string
  1428. type: object
  1429. accessTypeParam:
  1430. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1431. properties:
  1432. key:
  1433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1434. type: string
  1435. name:
  1436. description: The name of the Secret resource being referred to.
  1437. type: string
  1438. namespace:
  1439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1440. type: string
  1441. type: object
  1442. type: object
  1443. required:
  1444. - secretRef
  1445. type: object
  1446. required:
  1447. - akeylessGWApiURL
  1448. - authSecretRef
  1449. type: object
  1450. alibaba:
  1451. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1452. properties:
  1453. auth:
  1454. description: AlibabaAuth contains a secretRef for credentials.
  1455. properties:
  1456. secretRef:
  1457. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1458. properties:
  1459. accessKeyIDSecretRef:
  1460. description: The AccessKeyID is used for authentication
  1461. properties:
  1462. key:
  1463. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1464. type: string
  1465. name:
  1466. description: The name of the Secret resource being referred to.
  1467. type: string
  1468. namespace:
  1469. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1470. type: string
  1471. type: object
  1472. accessKeySecretSecretRef:
  1473. description: The AccessKeySecret is used for authentication
  1474. properties:
  1475. key:
  1476. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1477. type: string
  1478. name:
  1479. description: The name of the Secret resource being referred to.
  1480. type: string
  1481. namespace:
  1482. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1483. type: string
  1484. type: object
  1485. required:
  1486. - accessKeyIDSecretRef
  1487. - accessKeySecretSecretRef
  1488. type: object
  1489. required:
  1490. - secretRef
  1491. type: object
  1492. endpoint:
  1493. type: string
  1494. regionID:
  1495. description: Alibaba Region to be used for the provider
  1496. type: string
  1497. required:
  1498. - auth
  1499. - regionID
  1500. type: object
  1501. aws:
  1502. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1503. properties:
  1504. auth:
  1505. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1506. properties:
  1507. jwt:
  1508. description: Authenticate against AWS using service account tokens.
  1509. properties:
  1510. serviceAccountRef:
  1511. description: A reference to a ServiceAccount resource.
  1512. properties:
  1513. name:
  1514. description: The name of the ServiceAccount resource being referred to.
  1515. type: string
  1516. namespace:
  1517. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1518. type: string
  1519. required:
  1520. - name
  1521. type: object
  1522. type: object
  1523. secretRef:
  1524. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1525. properties:
  1526. accessKeyIDSecretRef:
  1527. description: The AccessKeyID is used for authentication
  1528. properties:
  1529. key:
  1530. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1531. type: string
  1532. name:
  1533. description: The name of the Secret resource being referred to.
  1534. type: string
  1535. namespace:
  1536. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1537. type: string
  1538. type: object
  1539. secretAccessKeySecretRef:
  1540. description: The SecretAccessKey is used for authentication
  1541. properties:
  1542. key:
  1543. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1544. type: string
  1545. name:
  1546. description: The name of the Secret resource being referred to.
  1547. type: string
  1548. namespace:
  1549. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1550. type: string
  1551. type: object
  1552. type: object
  1553. type: object
  1554. region:
  1555. description: AWS Region to be used for the provider
  1556. type: string
  1557. role:
  1558. description: Role is a Role ARN which the SecretManager provider will assume
  1559. type: string
  1560. service:
  1561. description: Service defines which service should be used to fetch the secrets
  1562. enum:
  1563. - SecretsManager
  1564. - ParameterStore
  1565. type: string
  1566. required:
  1567. - region
  1568. - service
  1569. type: object
  1570. azurekv:
  1571. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1572. properties:
  1573. authSecretRef:
  1574. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1575. properties:
  1576. clientId:
  1577. description: The Azure clientId of the service principle used for authentication.
  1578. properties:
  1579. key:
  1580. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1581. type: string
  1582. name:
  1583. description: The name of the Secret resource being referred to.
  1584. type: string
  1585. namespace:
  1586. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1587. type: string
  1588. type: object
  1589. clientSecret:
  1590. description: The Azure ClientSecret of the service principle used for authentication.
  1591. properties:
  1592. key:
  1593. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1594. type: string
  1595. name:
  1596. description: The name of the Secret resource being referred to.
  1597. type: string
  1598. namespace:
  1599. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1600. type: string
  1601. type: object
  1602. type: object
  1603. authType:
  1604. default: ServicePrincipal
  1605. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  1606. enum:
  1607. - ServicePrincipal
  1608. - ManagedIdentity
  1609. - WorkloadIdentity
  1610. type: string
  1611. identityId:
  1612. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1613. type: string
  1614. serviceAccountRef:
  1615. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1616. properties:
  1617. name:
  1618. description: The name of the ServiceAccount resource being referred to.
  1619. type: string
  1620. namespace:
  1621. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1622. type: string
  1623. required:
  1624. - name
  1625. type: object
  1626. tenantId:
  1627. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1628. type: string
  1629. vaultUrl:
  1630. description: Vault Url from which the secrets to be fetched from.
  1631. type: string
  1632. required:
  1633. - vaultUrl
  1634. type: object
  1635. fake:
  1636. description: Fake configures a store with static key/value pairs
  1637. properties:
  1638. data:
  1639. items:
  1640. properties:
  1641. key:
  1642. type: string
  1643. value:
  1644. type: string
  1645. valueMap:
  1646. additionalProperties:
  1647. type: string
  1648. type: object
  1649. version:
  1650. type: string
  1651. required:
  1652. - key
  1653. type: object
  1654. type: array
  1655. required:
  1656. - data
  1657. type: object
  1658. gcpsm:
  1659. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1660. properties:
  1661. auth:
  1662. description: Auth defines the information necessary to authenticate against GCP
  1663. properties:
  1664. secretRef:
  1665. properties:
  1666. secretAccessKeySecretRef:
  1667. description: The SecretAccessKey is used for authentication
  1668. properties:
  1669. key:
  1670. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1671. type: string
  1672. name:
  1673. description: The name of the Secret resource being referred to.
  1674. type: string
  1675. namespace:
  1676. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1677. type: string
  1678. type: object
  1679. type: object
  1680. workloadIdentity:
  1681. properties:
  1682. clusterLocation:
  1683. type: string
  1684. clusterName:
  1685. type: string
  1686. clusterProjectID:
  1687. type: string
  1688. serviceAccountRef:
  1689. description: A reference to a ServiceAccount resource.
  1690. properties:
  1691. name:
  1692. description: The name of the ServiceAccount resource being referred to.
  1693. type: string
  1694. namespace:
  1695. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1696. type: string
  1697. required:
  1698. - name
  1699. type: object
  1700. required:
  1701. - clusterLocation
  1702. - clusterName
  1703. - serviceAccountRef
  1704. type: object
  1705. type: object
  1706. projectID:
  1707. description: ProjectID project where secret is located
  1708. type: string
  1709. type: object
  1710. gitlab:
  1711. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  1712. properties:
  1713. auth:
  1714. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1715. properties:
  1716. SecretRef:
  1717. properties:
  1718. accessToken:
  1719. description: AccessToken is used for authentication.
  1720. properties:
  1721. key:
  1722. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1723. type: string
  1724. name:
  1725. description: The name of the Secret resource being referred to.
  1726. type: string
  1727. namespace:
  1728. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1729. type: string
  1730. type: object
  1731. type: object
  1732. required:
  1733. - SecretRef
  1734. type: object
  1735. projectID:
  1736. description: ProjectID specifies a project where secrets are located.
  1737. type: string
  1738. url:
  1739. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1740. type: string
  1741. required:
  1742. - auth
  1743. type: object
  1744. ibm:
  1745. description: IBM configures this store to sync secrets using IBM Cloud provider
  1746. properties:
  1747. auth:
  1748. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1749. properties:
  1750. secretRef:
  1751. properties:
  1752. secretApiKeySecretRef:
  1753. description: The SecretAccessKey is used for authentication
  1754. properties:
  1755. key:
  1756. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1757. type: string
  1758. name:
  1759. description: The name of the Secret resource being referred to.
  1760. type: string
  1761. namespace:
  1762. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1763. type: string
  1764. type: object
  1765. type: object
  1766. required:
  1767. - secretRef
  1768. type: object
  1769. serviceUrl:
  1770. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1771. type: string
  1772. required:
  1773. - auth
  1774. type: object
  1775. kubernetes:
  1776. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1777. properties:
  1778. auth:
  1779. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1780. maxProperties: 1
  1781. minProperties: 1
  1782. properties:
  1783. cert:
  1784. description: has both clientCert and clientKey as secretKeySelector
  1785. properties:
  1786. clientCert:
  1787. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1788. properties:
  1789. key:
  1790. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1791. type: string
  1792. name:
  1793. description: The name of the Secret resource being referred to.
  1794. type: string
  1795. namespace:
  1796. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1797. type: string
  1798. type: object
  1799. clientKey:
  1800. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1801. properties:
  1802. key:
  1803. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1804. type: string
  1805. name:
  1806. description: The name of the Secret resource being referred to.
  1807. type: string
  1808. namespace:
  1809. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1810. type: string
  1811. type: object
  1812. type: object
  1813. serviceAccount:
  1814. description: points to a service account that should be used for authentication
  1815. properties:
  1816. serviceAccount:
  1817. description: A reference to a ServiceAccount resource.
  1818. properties:
  1819. name:
  1820. description: The name of the ServiceAccount resource being referred to.
  1821. type: string
  1822. namespace:
  1823. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1824. type: string
  1825. required:
  1826. - name
  1827. type: object
  1828. type: object
  1829. token:
  1830. description: use static token to authenticate with
  1831. properties:
  1832. bearerToken:
  1833. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1834. properties:
  1835. key:
  1836. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1837. type: string
  1838. name:
  1839. description: The name of the Secret resource being referred to.
  1840. type: string
  1841. namespace:
  1842. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1843. type: string
  1844. type: object
  1845. type: object
  1846. type: object
  1847. remoteNamespace:
  1848. default: default
  1849. description: Remote namespace to fetch the secrets from
  1850. type: string
  1851. server:
  1852. description: configures the Kubernetes server Address.
  1853. properties:
  1854. caBundle:
  1855. description: CABundle is a base64-encoded CA certificate
  1856. format: byte
  1857. type: string
  1858. caProvider:
  1859. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1860. properties:
  1861. key:
  1862. description: The key the value inside of the provider type to use, only used with "Secret" type
  1863. type: string
  1864. name:
  1865. description: The name of the object located at the provider type.
  1866. type: string
  1867. namespace:
  1868. description: The namespace the Provider type is in.
  1869. type: string
  1870. type:
  1871. description: The type of provider to use such as "Secret", or "ConfigMap".
  1872. enum:
  1873. - Secret
  1874. - ConfigMap
  1875. type: string
  1876. required:
  1877. - name
  1878. - type
  1879. type: object
  1880. url:
  1881. default: kubernetes.default
  1882. description: configures the Kubernetes server Address.
  1883. type: string
  1884. type: object
  1885. required:
  1886. - auth
  1887. type: object
  1888. onepassword:
  1889. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  1890. properties:
  1891. auth:
  1892. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  1893. properties:
  1894. secretRef:
  1895. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  1896. properties:
  1897. connectTokenSecretRef:
  1898. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  1899. properties:
  1900. key:
  1901. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1902. type: string
  1903. name:
  1904. description: The name of the Secret resource being referred to.
  1905. type: string
  1906. namespace:
  1907. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1908. type: string
  1909. type: object
  1910. required:
  1911. - connectTokenSecretRef
  1912. type: object
  1913. required:
  1914. - secretRef
  1915. type: object
  1916. connectHost:
  1917. description: ConnectHost defines the OnePassword Connect Server to connect to
  1918. type: string
  1919. vaults:
  1920. additionalProperties:
  1921. type: integer
  1922. description: Vaults defines which OnePassword vaults to search in which order
  1923. type: object
  1924. required:
  1925. - auth
  1926. - connectHost
  1927. - vaults
  1928. type: object
  1929. oracle:
  1930. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1931. properties:
  1932. auth:
  1933. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  1934. properties:
  1935. secretRef:
  1936. description: SecretRef to pass through sensitive information.
  1937. properties:
  1938. fingerprint:
  1939. description: Fingerprint is the fingerprint of the API private key.
  1940. properties:
  1941. key:
  1942. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1943. type: string
  1944. name:
  1945. description: The name of the Secret resource being referred to.
  1946. type: string
  1947. namespace:
  1948. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1949. type: string
  1950. type: object
  1951. privatekey:
  1952. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1953. properties:
  1954. key:
  1955. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1956. type: string
  1957. name:
  1958. description: The name of the Secret resource being referred to.
  1959. type: string
  1960. namespace:
  1961. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1962. type: string
  1963. type: object
  1964. required:
  1965. - fingerprint
  1966. - privatekey
  1967. type: object
  1968. tenancy:
  1969. description: Tenancy is the tenancy OCID where user is located.
  1970. type: string
  1971. user:
  1972. description: User is an access OCID specific to the account.
  1973. type: string
  1974. required:
  1975. - secretRef
  1976. - tenancy
  1977. - user
  1978. type: object
  1979. region:
  1980. description: Region is the region where vault is located.
  1981. type: string
  1982. vault:
  1983. description: Vault is the vault's OCID of the specific vault where secret is located.
  1984. type: string
  1985. required:
  1986. - region
  1987. - vault
  1988. type: object
  1989. senhasegura:
  1990. description: Senhasegura configures this store to sync secrets using senhasegura provider
  1991. properties:
  1992. auth:
  1993. description: Auth defines parameters to authenticate in senhasegura
  1994. properties:
  1995. clientId:
  1996. type: string
  1997. clientSecretSecretRef:
  1998. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1999. properties:
  2000. key:
  2001. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2002. type: string
  2003. name:
  2004. description: The name of the Secret resource being referred to.
  2005. type: string
  2006. namespace:
  2007. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2008. type: string
  2009. type: object
  2010. required:
  2011. - clientId
  2012. - clientSecretSecretRef
  2013. type: object
  2014. ignoreSslCertificate:
  2015. default: false
  2016. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  2017. type: boolean
  2018. module:
  2019. description: Module defines which senhasegura module should be used to get secrets
  2020. type: string
  2021. url:
  2022. description: URL of senhasegura
  2023. type: string
  2024. required:
  2025. - auth
  2026. - module
  2027. - url
  2028. type: object
  2029. vault:
  2030. description: Vault configures this store to sync secrets using Hashi provider
  2031. properties:
  2032. auth:
  2033. description: Auth configures how secret-manager authenticates with the Vault server.
  2034. properties:
  2035. appRole:
  2036. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2037. properties:
  2038. path:
  2039. default: approle
  2040. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2041. type: string
  2042. roleId:
  2043. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2044. type: string
  2045. secretRef:
  2046. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2047. properties:
  2048. key:
  2049. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2050. type: string
  2051. name:
  2052. description: The name of the Secret resource being referred to.
  2053. type: string
  2054. namespace:
  2055. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2056. type: string
  2057. type: object
  2058. required:
  2059. - path
  2060. - roleId
  2061. - secretRef
  2062. type: object
  2063. cert:
  2064. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2065. properties:
  2066. clientCert:
  2067. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2068. properties:
  2069. key:
  2070. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2071. type: string
  2072. name:
  2073. description: The name of the Secret resource being referred to.
  2074. type: string
  2075. namespace:
  2076. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2077. type: string
  2078. type: object
  2079. secretRef:
  2080. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2081. properties:
  2082. key:
  2083. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2084. type: string
  2085. name:
  2086. description: The name of the Secret resource being referred to.
  2087. type: string
  2088. namespace:
  2089. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2090. type: string
  2091. type: object
  2092. type: object
  2093. jwt:
  2094. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2095. properties:
  2096. kubernetesServiceAccountToken:
  2097. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2098. properties:
  2099. audiences:
  2100. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  2101. items:
  2102. type: string
  2103. type: array
  2104. expirationSeconds:
  2105. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  2106. format: int64
  2107. type: integer
  2108. serviceAccountRef:
  2109. description: Service account field containing the name of a kubernetes ServiceAccount.
  2110. properties:
  2111. name:
  2112. description: The name of the ServiceAccount resource being referred to.
  2113. type: string
  2114. namespace:
  2115. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2116. type: string
  2117. required:
  2118. - name
  2119. type: object
  2120. required:
  2121. - serviceAccountRef
  2122. type: object
  2123. path:
  2124. default: jwt
  2125. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2126. type: string
  2127. role:
  2128. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2129. type: string
  2130. secretRef:
  2131. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  2132. properties:
  2133. key:
  2134. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2135. type: string
  2136. name:
  2137. description: The name of the Secret resource being referred to.
  2138. type: string
  2139. namespace:
  2140. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2141. type: string
  2142. type: object
  2143. required:
  2144. - path
  2145. type: object
  2146. kubernetes:
  2147. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2148. properties:
  2149. mountPath:
  2150. default: kubernetes
  2151. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2152. type: string
  2153. role:
  2154. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2155. type: string
  2156. secretRef:
  2157. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2158. properties:
  2159. key:
  2160. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2161. type: string
  2162. name:
  2163. description: The name of the Secret resource being referred to.
  2164. type: string
  2165. namespace:
  2166. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2167. type: string
  2168. type: object
  2169. serviceAccountRef:
  2170. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2171. properties:
  2172. name:
  2173. description: The name of the ServiceAccount resource being referred to.
  2174. type: string
  2175. namespace:
  2176. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2177. type: string
  2178. required:
  2179. - name
  2180. type: object
  2181. required:
  2182. - mountPath
  2183. - role
  2184. type: object
  2185. ldap:
  2186. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2187. properties:
  2188. path:
  2189. default: ldap
  2190. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2191. type: string
  2192. secretRef:
  2193. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2194. properties:
  2195. key:
  2196. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2197. type: string
  2198. name:
  2199. description: The name of the Secret resource being referred to.
  2200. type: string
  2201. namespace:
  2202. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2203. type: string
  2204. type: object
  2205. username:
  2206. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2207. type: string
  2208. required:
  2209. - path
  2210. - username
  2211. type: object
  2212. tokenSecretRef:
  2213. description: TokenSecretRef authenticates with Vault by presenting a token.
  2214. properties:
  2215. key:
  2216. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2217. type: string
  2218. name:
  2219. description: The name of the Secret resource being referred to.
  2220. type: string
  2221. namespace:
  2222. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2223. type: string
  2224. type: object
  2225. type: object
  2226. caBundle:
  2227. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2228. format: byte
  2229. type: string
  2230. caProvider:
  2231. description: The provider for the CA bundle to use to validate Vault server certificate.
  2232. properties:
  2233. key:
  2234. description: The key the value inside of the provider type to use, only used with "Secret" type
  2235. type: string
  2236. name:
  2237. description: The name of the object located at the provider type.
  2238. type: string
  2239. namespace:
  2240. description: The namespace the Provider type is in.
  2241. type: string
  2242. type:
  2243. description: The type of provider to use such as "Secret", or "ConfigMap".
  2244. enum:
  2245. - Secret
  2246. - ConfigMap
  2247. type: string
  2248. required:
  2249. - name
  2250. - type
  2251. type: object
  2252. forwardInconsistent:
  2253. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2254. type: boolean
  2255. namespace:
  2256. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2257. type: string
  2258. path:
  2259. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2260. type: string
  2261. readYourWrites:
  2262. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2263. type: boolean
  2264. server:
  2265. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2266. type: string
  2267. version:
  2268. default: v2
  2269. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2270. enum:
  2271. - v1
  2272. - v2
  2273. type: string
  2274. required:
  2275. - auth
  2276. - server
  2277. type: object
  2278. webhook:
  2279. description: Webhook configures this store to sync secrets using a generic templated webhook
  2280. properties:
  2281. body:
  2282. description: Body
  2283. type: string
  2284. caBundle:
  2285. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2286. format: byte
  2287. type: string
  2288. caProvider:
  2289. description: The provider for the CA bundle to use to validate webhook server certificate.
  2290. properties:
  2291. key:
  2292. description: The key the value inside of the provider type to use, only used with "Secret" type
  2293. type: string
  2294. name:
  2295. description: The name of the object located at the provider type.
  2296. type: string
  2297. namespace:
  2298. description: The namespace the Provider type is in.
  2299. type: string
  2300. type:
  2301. description: The type of provider to use such as "Secret", or "ConfigMap".
  2302. enum:
  2303. - Secret
  2304. - ConfigMap
  2305. type: string
  2306. required:
  2307. - name
  2308. - type
  2309. type: object
  2310. headers:
  2311. additionalProperties:
  2312. type: string
  2313. description: Headers
  2314. type: object
  2315. method:
  2316. description: Webhook Method
  2317. type: string
  2318. result:
  2319. description: Result formatting
  2320. properties:
  2321. jsonPath:
  2322. description: Json path of return value
  2323. type: string
  2324. type: object
  2325. secrets:
  2326. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  2327. items:
  2328. properties:
  2329. name:
  2330. description: Name of this secret in templates
  2331. type: string
  2332. secretRef:
  2333. description: Secret ref to fill in credentials
  2334. properties:
  2335. key:
  2336. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2337. type: string
  2338. name:
  2339. description: The name of the Secret resource being referred to.
  2340. type: string
  2341. namespace:
  2342. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2343. type: string
  2344. type: object
  2345. required:
  2346. - name
  2347. - secretRef
  2348. type: object
  2349. type: array
  2350. timeout:
  2351. description: Timeout
  2352. type: string
  2353. url:
  2354. description: Webhook url to call
  2355. type: string
  2356. required:
  2357. - result
  2358. - url
  2359. type: object
  2360. yandexcertificatemanager:
  2361. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  2362. properties:
  2363. apiEndpoint:
  2364. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2365. type: string
  2366. auth:
  2367. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  2368. properties:
  2369. authorizedKeySecretRef:
  2370. description: The authorized key used for authentication
  2371. properties:
  2372. key:
  2373. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2374. type: string
  2375. name:
  2376. description: The name of the Secret resource being referred to.
  2377. type: string
  2378. namespace:
  2379. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2380. type: string
  2381. type: object
  2382. type: object
  2383. caProvider:
  2384. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2385. properties:
  2386. certSecretRef:
  2387. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2388. properties:
  2389. key:
  2390. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2391. type: string
  2392. name:
  2393. description: The name of the Secret resource being referred to.
  2394. type: string
  2395. namespace:
  2396. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2397. type: string
  2398. type: object
  2399. type: object
  2400. required:
  2401. - auth
  2402. type: object
  2403. yandexlockbox:
  2404. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2405. properties:
  2406. apiEndpoint:
  2407. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2408. type: string
  2409. auth:
  2410. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2411. properties:
  2412. authorizedKeySecretRef:
  2413. description: The authorized key used for authentication
  2414. properties:
  2415. key:
  2416. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2417. type: string
  2418. name:
  2419. description: The name of the Secret resource being referred to.
  2420. type: string
  2421. namespace:
  2422. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2423. type: string
  2424. type: object
  2425. type: object
  2426. caProvider:
  2427. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2428. properties:
  2429. certSecretRef:
  2430. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2431. properties:
  2432. key:
  2433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2434. type: string
  2435. name:
  2436. description: The name of the Secret resource being referred to.
  2437. type: string
  2438. namespace:
  2439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2440. type: string
  2441. type: object
  2442. type: object
  2443. required:
  2444. - auth
  2445. type: object
  2446. type: object
  2447. refreshInterval:
  2448. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  2449. type: integer
  2450. retrySettings:
  2451. description: Used to configure http retries if failed
  2452. properties:
  2453. maxRetries:
  2454. format: int32
  2455. type: integer
  2456. retryInterval:
  2457. type: string
  2458. type: object
  2459. required:
  2460. - provider
  2461. type: object
  2462. status:
  2463. description: SecretStoreStatus defines the observed state of the SecretStore.
  2464. properties:
  2465. capabilities:
  2466. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  2467. type: string
  2468. conditions:
  2469. items:
  2470. properties:
  2471. lastTransitionTime:
  2472. format: date-time
  2473. type: string
  2474. message:
  2475. type: string
  2476. reason:
  2477. type: string
  2478. status:
  2479. type: string
  2480. type:
  2481. type: string
  2482. required:
  2483. - status
  2484. - type
  2485. type: object
  2486. type: array
  2487. type: object
  2488. type: object
  2489. served: true
  2490. storage: true
  2491. subresources:
  2492. status: {}
  2493. conversion:
  2494. strategy: Webhook
  2495. webhook:
  2496. conversionReviewVersions:
  2497. - v1
  2498. clientConfig:
  2499. service:
  2500. name: kubernetes
  2501. namespace: default
  2502. path: /convert
  2503. ---
  2504. apiVersion: apiextensions.k8s.io/v1
  2505. kind: CustomResourceDefinition
  2506. metadata:
  2507. annotations:
  2508. controller-gen.kubebuilder.io/version: v0.9.0
  2509. creationTimestamp: null
  2510. name: externalsecrets.external-secrets.io
  2511. spec:
  2512. group: external-secrets.io
  2513. names:
  2514. categories:
  2515. - externalsecrets
  2516. kind: ExternalSecret
  2517. listKind: ExternalSecretList
  2518. plural: externalsecrets
  2519. shortNames:
  2520. - es
  2521. singular: externalsecret
  2522. scope: Namespaced
  2523. versions:
  2524. - additionalPrinterColumns:
  2525. - jsonPath: .spec.secretStoreRef.name
  2526. name: Store
  2527. type: string
  2528. - jsonPath: .spec.refreshInterval
  2529. name: Refresh Interval
  2530. type: string
  2531. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2532. name: Status
  2533. type: string
  2534. deprecated: true
  2535. name: v1alpha1
  2536. schema:
  2537. openAPIV3Schema:
  2538. description: ExternalSecret is the Schema for the external-secrets API.
  2539. properties:
  2540. apiVersion:
  2541. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2542. type: string
  2543. kind:
  2544. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2545. type: string
  2546. metadata:
  2547. type: object
  2548. spec:
  2549. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2550. properties:
  2551. data:
  2552. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2553. items:
  2554. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2555. properties:
  2556. remoteRef:
  2557. description: ExternalSecretDataRemoteRef defines Provider data location.
  2558. properties:
  2559. conversionStrategy:
  2560. default: Default
  2561. description: Used to define a conversion Strategy
  2562. type: string
  2563. key:
  2564. description: Key is the key used in the Provider, mandatory
  2565. type: string
  2566. property:
  2567. description: Used to select a specific property of the Provider value (if a map), if supported
  2568. type: string
  2569. version:
  2570. description: Used to select a specific version of the Provider value, if supported
  2571. type: string
  2572. required:
  2573. - key
  2574. type: object
  2575. secretKey:
  2576. type: string
  2577. required:
  2578. - remoteRef
  2579. - secretKey
  2580. type: object
  2581. type: array
  2582. dataFrom:
  2583. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2584. items:
  2585. description: ExternalSecretDataRemoteRef defines Provider data location.
  2586. properties:
  2587. conversionStrategy:
  2588. default: Default
  2589. description: Used to define a conversion Strategy
  2590. type: string
  2591. key:
  2592. description: Key is the key used in the Provider, mandatory
  2593. type: string
  2594. property:
  2595. description: Used to select a specific property of the Provider value (if a map), if supported
  2596. type: string
  2597. version:
  2598. description: Used to select a specific version of the Provider value, if supported
  2599. type: string
  2600. required:
  2601. - key
  2602. type: object
  2603. type: array
  2604. refreshInterval:
  2605. default: 1h
  2606. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2607. type: string
  2608. secretStoreRef:
  2609. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2610. properties:
  2611. kind:
  2612. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2613. type: string
  2614. name:
  2615. description: Name of the SecretStore resource
  2616. type: string
  2617. required:
  2618. - name
  2619. type: object
  2620. target:
  2621. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2622. properties:
  2623. creationPolicy:
  2624. default: Owner
  2625. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2626. type: string
  2627. immutable:
  2628. description: Immutable defines if the final secret will be immutable
  2629. type: boolean
  2630. name:
  2631. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2632. type: string
  2633. template:
  2634. description: Template defines a blueprint for the created Secret resource.
  2635. properties:
  2636. data:
  2637. additionalProperties:
  2638. type: string
  2639. type: object
  2640. engineVersion:
  2641. default: v1
  2642. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  2643. type: string
  2644. metadata:
  2645. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2646. properties:
  2647. annotations:
  2648. additionalProperties:
  2649. type: string
  2650. type: object
  2651. labels:
  2652. additionalProperties:
  2653. type: string
  2654. type: object
  2655. type: object
  2656. templateFrom:
  2657. items:
  2658. maxProperties: 1
  2659. minProperties: 1
  2660. properties:
  2661. configMap:
  2662. properties:
  2663. items:
  2664. items:
  2665. properties:
  2666. key:
  2667. type: string
  2668. required:
  2669. - key
  2670. type: object
  2671. type: array
  2672. name:
  2673. type: string
  2674. required:
  2675. - items
  2676. - name
  2677. type: object
  2678. secret:
  2679. properties:
  2680. items:
  2681. items:
  2682. properties:
  2683. key:
  2684. type: string
  2685. required:
  2686. - key
  2687. type: object
  2688. type: array
  2689. name:
  2690. type: string
  2691. required:
  2692. - items
  2693. - name
  2694. type: object
  2695. type: object
  2696. type: array
  2697. type:
  2698. type: string
  2699. type: object
  2700. type: object
  2701. required:
  2702. - secretStoreRef
  2703. - target
  2704. type: object
  2705. status:
  2706. properties:
  2707. conditions:
  2708. items:
  2709. properties:
  2710. lastTransitionTime:
  2711. format: date-time
  2712. type: string
  2713. message:
  2714. type: string
  2715. reason:
  2716. type: string
  2717. status:
  2718. type: string
  2719. type:
  2720. type: string
  2721. required:
  2722. - status
  2723. - type
  2724. type: object
  2725. type: array
  2726. refreshTime:
  2727. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2728. format: date-time
  2729. nullable: true
  2730. type: string
  2731. syncedResourceVersion:
  2732. description: SyncedResourceVersion keeps track of the last synced version
  2733. type: string
  2734. type: object
  2735. type: object
  2736. served: true
  2737. storage: false
  2738. subresources:
  2739. status: {}
  2740. - additionalPrinterColumns:
  2741. - jsonPath: .spec.secretStoreRef.name
  2742. name: Store
  2743. type: string
  2744. - jsonPath: .spec.refreshInterval
  2745. name: Refresh Interval
  2746. type: string
  2747. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2748. name: Status
  2749. type: string
  2750. name: v1beta1
  2751. schema:
  2752. openAPIV3Schema:
  2753. description: ExternalSecret is the Schema for the external-secrets API.
  2754. properties:
  2755. apiVersion:
  2756. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2757. type: string
  2758. kind:
  2759. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2760. type: string
  2761. metadata:
  2762. type: object
  2763. spec:
  2764. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2765. properties:
  2766. data:
  2767. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2768. items:
  2769. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2770. properties:
  2771. remoteRef:
  2772. description: ExternalSecretDataRemoteRef defines Provider data location.
  2773. properties:
  2774. conversionStrategy:
  2775. default: Default
  2776. description: Used to define a conversion Strategy
  2777. type: string
  2778. key:
  2779. description: Key is the key used in the Provider, mandatory
  2780. type: string
  2781. metadataPolicy:
  2782. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2783. type: string
  2784. property:
  2785. description: Used to select a specific property of the Provider value (if a map), if supported
  2786. type: string
  2787. version:
  2788. description: Used to select a specific version of the Provider value, if supported
  2789. type: string
  2790. required:
  2791. - key
  2792. type: object
  2793. secretKey:
  2794. type: string
  2795. required:
  2796. - remoteRef
  2797. - secretKey
  2798. type: object
  2799. type: array
  2800. dataFrom:
  2801. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2802. items:
  2803. maxProperties: 1
  2804. minProperties: 1
  2805. properties:
  2806. extract:
  2807. description: Used to extract multiple key/value pairs from one secret
  2808. properties:
  2809. conversionStrategy:
  2810. default: Default
  2811. description: Used to define a conversion Strategy
  2812. type: string
  2813. key:
  2814. description: Key is the key used in the Provider, mandatory
  2815. type: string
  2816. metadataPolicy:
  2817. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2818. type: string
  2819. property:
  2820. description: Used to select a specific property of the Provider value (if a map), if supported
  2821. type: string
  2822. version:
  2823. description: Used to select a specific version of the Provider value, if supported
  2824. type: string
  2825. required:
  2826. - key
  2827. type: object
  2828. find:
  2829. description: Used to find secrets based on tags or regular expressions
  2830. properties:
  2831. conversionStrategy:
  2832. default: Default
  2833. description: Used to define a conversion Strategy
  2834. type: string
  2835. name:
  2836. description: Finds secrets based on the name.
  2837. properties:
  2838. regexp:
  2839. description: Finds secrets base
  2840. type: string
  2841. type: object
  2842. path:
  2843. description: A root path to start the find operations.
  2844. type: string
  2845. tags:
  2846. additionalProperties:
  2847. type: string
  2848. description: Find secrets based on tags.
  2849. type: object
  2850. type: object
  2851. type: object
  2852. type: array
  2853. refreshInterval:
  2854. default: 1h
  2855. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2856. type: string
  2857. secretStoreRef:
  2858. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2859. properties:
  2860. kind:
  2861. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2862. type: string
  2863. name:
  2864. description: Name of the SecretStore resource
  2865. type: string
  2866. required:
  2867. - name
  2868. type: object
  2869. target:
  2870. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2871. properties:
  2872. creationPolicy:
  2873. default: Owner
  2874. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2875. enum:
  2876. - Owner
  2877. - Orphan
  2878. - Merge
  2879. - None
  2880. type: string
  2881. deletionPolicy:
  2882. default: Retain
  2883. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  2884. enum:
  2885. - Delete
  2886. - Merge
  2887. - Retain
  2888. type: string
  2889. immutable:
  2890. description: Immutable defines if the final secret will be immutable
  2891. type: boolean
  2892. name:
  2893. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2894. type: string
  2895. template:
  2896. description: Template defines a blueprint for the created Secret resource.
  2897. properties:
  2898. data:
  2899. additionalProperties:
  2900. type: string
  2901. type: object
  2902. engineVersion:
  2903. default: v2
  2904. type: string
  2905. metadata:
  2906. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2907. properties:
  2908. annotations:
  2909. additionalProperties:
  2910. type: string
  2911. type: object
  2912. labels:
  2913. additionalProperties:
  2914. type: string
  2915. type: object
  2916. type: object
  2917. templateFrom:
  2918. items:
  2919. maxProperties: 1
  2920. minProperties: 1
  2921. properties:
  2922. configMap:
  2923. properties:
  2924. items:
  2925. items:
  2926. properties:
  2927. key:
  2928. type: string
  2929. required:
  2930. - key
  2931. type: object
  2932. type: array
  2933. name:
  2934. type: string
  2935. required:
  2936. - items
  2937. - name
  2938. type: object
  2939. secret:
  2940. properties:
  2941. items:
  2942. items:
  2943. properties:
  2944. key:
  2945. type: string
  2946. required:
  2947. - key
  2948. type: object
  2949. type: array
  2950. name:
  2951. type: string
  2952. required:
  2953. - items
  2954. - name
  2955. type: object
  2956. type: object
  2957. type: array
  2958. type:
  2959. type: string
  2960. type: object
  2961. type: object
  2962. required:
  2963. - secretStoreRef
  2964. type: object
  2965. status:
  2966. properties:
  2967. conditions:
  2968. items:
  2969. properties:
  2970. lastTransitionTime:
  2971. format: date-time
  2972. type: string
  2973. message:
  2974. type: string
  2975. reason:
  2976. type: string
  2977. status:
  2978. type: string
  2979. type:
  2980. type: string
  2981. required:
  2982. - status
  2983. - type
  2984. type: object
  2985. type: array
  2986. refreshTime:
  2987. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2988. format: date-time
  2989. nullable: true
  2990. type: string
  2991. syncedResourceVersion:
  2992. description: SyncedResourceVersion keeps track of the last synced version
  2993. type: string
  2994. type: object
  2995. type: object
  2996. served: true
  2997. storage: true
  2998. subresources:
  2999. status: {}
  3000. conversion:
  3001. strategy: Webhook
  3002. webhook:
  3003. conversionReviewVersions:
  3004. - v1
  3005. clientConfig:
  3006. service:
  3007. name: kubernetes
  3008. namespace: default
  3009. path: /convert
  3010. ---
  3011. apiVersion: apiextensions.k8s.io/v1
  3012. kind: CustomResourceDefinition
  3013. metadata:
  3014. annotations:
  3015. controller-gen.kubebuilder.io/version: v0.9.0
  3016. creationTimestamp: null
  3017. name: secretsinks.external-secrets.io
  3018. spec:
  3019. group: external-secrets.io
  3020. names:
  3021. categories:
  3022. - secretsinks
  3023. kind: SecretSink
  3024. listKind: SecretSinkList
  3025. plural: secretsinks
  3026. singular: secretsink
  3027. scope: Namespaced
  3028. versions:
  3029. - additionalPrinterColumns:
  3030. - jsonPath: .metadata.creationTimestamp
  3031. name: AGE
  3032. type: date
  3033. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3034. name: Status
  3035. type: string
  3036. name: v1alpha1
  3037. schema:
  3038. openAPIV3Schema:
  3039. properties:
  3040. apiVersion:
  3041. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3042. type: string
  3043. kind:
  3044. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3045. type: string
  3046. metadata:
  3047. type: object
  3048. spec:
  3049. description: SecretSinkSpec configures the behavior of the SecretSink.
  3050. properties:
  3051. data:
  3052. items:
  3053. properties:
  3054. match:
  3055. items:
  3056. properties:
  3057. remoteRefs:
  3058. items:
  3059. properties:
  3060. remoteKey:
  3061. type: string
  3062. required:
  3063. - remoteKey
  3064. type: object
  3065. type: array
  3066. secretKey:
  3067. type: string
  3068. required:
  3069. - remoteRefs
  3070. - secretKey
  3071. type: object
  3072. type: array
  3073. required:
  3074. - match
  3075. type: object
  3076. type: array
  3077. secretStoreRefs:
  3078. items:
  3079. properties:
  3080. kind:
  3081. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3082. type: string
  3083. name:
  3084. description: Name of the SecretStore resource
  3085. type: string
  3086. required:
  3087. - name
  3088. type: object
  3089. type: array
  3090. selector:
  3091. properties:
  3092. secret:
  3093. properties:
  3094. name:
  3095. type: string
  3096. required:
  3097. - name
  3098. type: object
  3099. required:
  3100. - secret
  3101. type: object
  3102. required:
  3103. - secretStoreRefs
  3104. - selector
  3105. type: object
  3106. status:
  3107. description: SecretSinkStatus indicates the history of the status of SecretSink.
  3108. properties:
  3109. conditions:
  3110. items:
  3111. description: SecretSinkStatusCondition indicates the status of the SecretSink.
  3112. properties:
  3113. lastTransitionTime:
  3114. format: date-time
  3115. type: string
  3116. message:
  3117. type: string
  3118. reason:
  3119. type: string
  3120. status:
  3121. type: string
  3122. type:
  3123. description: SecretSinkConditionType indicates the condition of the SecretSink.
  3124. type: string
  3125. required:
  3126. - status
  3127. - type
  3128. type: object
  3129. type: array
  3130. refreshTime:
  3131. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3132. format: date-time
  3133. nullable: true
  3134. type: string
  3135. syncedResourceVersion:
  3136. description: SyncedResourceVersion keeps track of the last synced version.
  3137. type: string
  3138. type: object
  3139. type: object
  3140. served: true
  3141. storage: true
  3142. subresources:
  3143. status: {}
  3144. conversion:
  3145. strategy: Webhook
  3146. webhook:
  3147. conversionReviewVersions:
  3148. - v1
  3149. clientConfig:
  3150. service:
  3151. name: kubernetes
  3152. namespace: default
  3153. path: /convert
  3154. status:
  3155. acceptedNames:
  3156. kind: ""
  3157. plural: ""
  3158. conditions: []
  3159. storedVersions: []
  3160. ---
  3161. apiVersion: apiextensions.k8s.io/v1
  3162. kind: CustomResourceDefinition
  3163. metadata:
  3164. annotations:
  3165. controller-gen.kubebuilder.io/version: v0.8.0
  3166. creationTimestamp: null
  3167. name: secretstores.external-secrets.io
  3168. spec:
  3169. group: external-secrets.io
  3170. names:
  3171. categories:
  3172. - externalsecrets
  3173. kind: SecretStore
  3174. listKind: SecretStoreList
  3175. plural: secretstores
  3176. shortNames:
  3177. - ss
  3178. singular: secretstore
  3179. scope: Namespaced
  3180. versions:
  3181. - additionalPrinterColumns:
  3182. - jsonPath: .metadata.creationTimestamp
  3183. name: AGE
  3184. type: date
  3185. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3186. name: Status
  3187. type: string
  3188. deprecated: true
  3189. name: v1alpha1
  3190. schema:
  3191. openAPIV3Schema:
  3192. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3193. properties:
  3194. apiVersion:
  3195. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3196. type: string
  3197. kind:
  3198. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3199. type: string
  3200. metadata:
  3201. type: object
  3202. spec:
  3203. description: SecretStoreSpec defines the desired state of SecretStore.
  3204. properties:
  3205. controller:
  3206. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3207. type: string
  3208. provider:
  3209. description: Used to configure the provider. Only one provider may be set
  3210. maxProperties: 1
  3211. minProperties: 1
  3212. properties:
  3213. akeyless:
  3214. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3215. properties:
  3216. akeylessGWApiURL:
  3217. description: Akeyless GW API Url from which the secrets to be fetched from.
  3218. type: string
  3219. authSecretRef:
  3220. description: Auth configures how the operator authenticates with Akeyless.
  3221. properties:
  3222. secretRef:
  3223. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  3224. properties:
  3225. accessID:
  3226. description: The SecretAccessID is used for authentication
  3227. properties:
  3228. key:
  3229. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3230. type: string
  3231. name:
  3232. description: The name of the Secret resource being referred to.
  3233. type: string
  3234. namespace:
  3235. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3236. type: string
  3237. type: object
  3238. accessType:
  3239. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3240. properties:
  3241. key:
  3242. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3243. type: string
  3244. name:
  3245. description: The name of the Secret resource being referred to.
  3246. type: string
  3247. namespace:
  3248. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3249. type: string
  3250. type: object
  3251. accessTypeParam:
  3252. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3253. properties:
  3254. key:
  3255. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3256. type: string
  3257. name:
  3258. description: The name of the Secret resource being referred to.
  3259. type: string
  3260. namespace:
  3261. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3262. type: string
  3263. type: object
  3264. type: object
  3265. required:
  3266. - secretRef
  3267. type: object
  3268. required:
  3269. - akeylessGWApiURL
  3270. - authSecretRef
  3271. type: object
  3272. alibaba:
  3273. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3274. properties:
  3275. auth:
  3276. description: AlibabaAuth contains a secretRef for credentials.
  3277. properties:
  3278. secretRef:
  3279. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3280. properties:
  3281. accessKeyIDSecretRef:
  3282. description: The AccessKeyID is used for authentication
  3283. properties:
  3284. key:
  3285. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3286. type: string
  3287. name:
  3288. description: The name of the Secret resource being referred to.
  3289. type: string
  3290. namespace:
  3291. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3292. type: string
  3293. type: object
  3294. accessKeySecretSecretRef:
  3295. description: The AccessKeySecret is used for authentication
  3296. properties:
  3297. key:
  3298. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3299. type: string
  3300. name:
  3301. description: The name of the Secret resource being referred to.
  3302. type: string
  3303. namespace:
  3304. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3305. type: string
  3306. type: object
  3307. required:
  3308. - accessKeyIDSecretRef
  3309. - accessKeySecretSecretRef
  3310. type: object
  3311. required:
  3312. - secretRef
  3313. type: object
  3314. endpoint:
  3315. type: string
  3316. regionID:
  3317. description: Alibaba Region to be used for the provider
  3318. type: string
  3319. required:
  3320. - auth
  3321. - regionID
  3322. type: object
  3323. aws:
  3324. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3325. properties:
  3326. auth:
  3327. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3328. properties:
  3329. jwt:
  3330. description: Authenticate against AWS using service account tokens.
  3331. properties:
  3332. serviceAccountRef:
  3333. description: A reference to a ServiceAccount resource.
  3334. properties:
  3335. name:
  3336. description: The name of the ServiceAccount resource being referred to.
  3337. type: string
  3338. namespace:
  3339. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3340. type: string
  3341. required:
  3342. - name
  3343. type: object
  3344. type: object
  3345. secretRef:
  3346. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3347. properties:
  3348. accessKeyIDSecretRef:
  3349. description: The AccessKeyID is used for authentication
  3350. properties:
  3351. key:
  3352. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3353. type: string
  3354. name:
  3355. description: The name of the Secret resource being referred to.
  3356. type: string
  3357. namespace:
  3358. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3359. type: string
  3360. type: object
  3361. secretAccessKeySecretRef:
  3362. description: The SecretAccessKey is used for authentication
  3363. properties:
  3364. key:
  3365. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3366. type: string
  3367. name:
  3368. description: The name of the Secret resource being referred to.
  3369. type: string
  3370. namespace:
  3371. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3372. type: string
  3373. type: object
  3374. type: object
  3375. type: object
  3376. region:
  3377. description: AWS Region to be used for the provider
  3378. type: string
  3379. role:
  3380. description: Role is a Role ARN which the SecretManager provider will assume
  3381. type: string
  3382. service:
  3383. description: Service defines which service should be used to fetch the secrets
  3384. enum:
  3385. - SecretsManager
  3386. - ParameterStore
  3387. type: string
  3388. required:
  3389. - region
  3390. - service
  3391. type: object
  3392. azurekv:
  3393. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3394. properties:
  3395. authSecretRef:
  3396. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3397. properties:
  3398. clientId:
  3399. description: The Azure clientId of the service principle used for authentication.
  3400. properties:
  3401. key:
  3402. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3403. type: string
  3404. name:
  3405. description: The name of the Secret resource being referred to.
  3406. type: string
  3407. namespace:
  3408. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3409. type: string
  3410. type: object
  3411. clientSecret:
  3412. description: The Azure ClientSecret of the service principle used for authentication.
  3413. properties:
  3414. key:
  3415. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3416. type: string
  3417. name:
  3418. description: The name of the Secret resource being referred to.
  3419. type: string
  3420. namespace:
  3421. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3422. type: string
  3423. type: object
  3424. type: object
  3425. authType:
  3426. default: ServicePrincipal
  3427. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3428. enum:
  3429. - ServicePrincipal
  3430. - ManagedIdentity
  3431. - WorkloadIdentity
  3432. type: string
  3433. identityId:
  3434. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3435. type: string
  3436. serviceAccountRef:
  3437. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  3438. properties:
  3439. name:
  3440. description: The name of the ServiceAccount resource being referred to.
  3441. type: string
  3442. namespace:
  3443. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3444. type: string
  3445. required:
  3446. - name
  3447. type: object
  3448. tenantId:
  3449. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3450. type: string
  3451. vaultUrl:
  3452. description: Vault Url from which the secrets to be fetched from.
  3453. type: string
  3454. required:
  3455. - vaultUrl
  3456. type: object
  3457. fake:
  3458. description: Fake configures a store with static key/value pairs
  3459. properties:
  3460. data:
  3461. items:
  3462. properties:
  3463. key:
  3464. type: string
  3465. value:
  3466. type: string
  3467. valueMap:
  3468. additionalProperties:
  3469. type: string
  3470. type: object
  3471. version:
  3472. type: string
  3473. required:
  3474. - key
  3475. type: object
  3476. type: array
  3477. required:
  3478. - data
  3479. type: object
  3480. gcpsm:
  3481. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3482. properties:
  3483. auth:
  3484. description: Auth defines the information necessary to authenticate against GCP
  3485. properties:
  3486. secretRef:
  3487. properties:
  3488. secretAccessKeySecretRef:
  3489. description: The SecretAccessKey is used for authentication
  3490. properties:
  3491. key:
  3492. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3493. type: string
  3494. name:
  3495. description: The name of the Secret resource being referred to.
  3496. type: string
  3497. namespace:
  3498. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3499. type: string
  3500. type: object
  3501. type: object
  3502. workloadIdentity:
  3503. properties:
  3504. clusterLocation:
  3505. type: string
  3506. clusterName:
  3507. type: string
  3508. clusterProjectID:
  3509. type: string
  3510. serviceAccountRef:
  3511. description: A reference to a ServiceAccount resource.
  3512. properties:
  3513. name:
  3514. description: The name of the ServiceAccount resource being referred to.
  3515. type: string
  3516. namespace:
  3517. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3518. type: string
  3519. required:
  3520. - name
  3521. type: object
  3522. required:
  3523. - clusterLocation
  3524. - clusterName
  3525. - serviceAccountRef
  3526. type: object
  3527. type: object
  3528. projectID:
  3529. description: ProjectID project where secret is located
  3530. type: string
  3531. type: object
  3532. gitlab:
  3533. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  3534. properties:
  3535. auth:
  3536. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3537. properties:
  3538. SecretRef:
  3539. properties:
  3540. accessToken:
  3541. description: AccessToken is used for authentication.
  3542. properties:
  3543. key:
  3544. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3545. type: string
  3546. name:
  3547. description: The name of the Secret resource being referred to.
  3548. type: string
  3549. namespace:
  3550. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3551. type: string
  3552. type: object
  3553. type: object
  3554. required:
  3555. - SecretRef
  3556. type: object
  3557. projectID:
  3558. description: ProjectID specifies a project where secrets are located.
  3559. type: string
  3560. url:
  3561. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3562. type: string
  3563. required:
  3564. - auth
  3565. type: object
  3566. ibm:
  3567. description: IBM configures this store to sync secrets using IBM Cloud provider
  3568. properties:
  3569. auth:
  3570. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3571. properties:
  3572. secretRef:
  3573. properties:
  3574. secretApiKeySecretRef:
  3575. description: The SecretAccessKey is used for authentication
  3576. properties:
  3577. key:
  3578. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3579. type: string
  3580. name:
  3581. description: The name of the Secret resource being referred to.
  3582. type: string
  3583. namespace:
  3584. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3585. type: string
  3586. type: object
  3587. type: object
  3588. required:
  3589. - secretRef
  3590. type: object
  3591. serviceUrl:
  3592. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3593. type: string
  3594. required:
  3595. - auth
  3596. type: object
  3597. kubernetes:
  3598. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3599. properties:
  3600. auth:
  3601. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3602. maxProperties: 1
  3603. minProperties: 1
  3604. properties:
  3605. cert:
  3606. description: has both clientCert and clientKey as secretKeySelector
  3607. properties:
  3608. clientCert:
  3609. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3610. properties:
  3611. key:
  3612. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3613. type: string
  3614. name:
  3615. description: The name of the Secret resource being referred to.
  3616. type: string
  3617. namespace:
  3618. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3619. type: string
  3620. type: object
  3621. clientKey:
  3622. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3623. properties:
  3624. key:
  3625. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3626. type: string
  3627. name:
  3628. description: The name of the Secret resource being referred to.
  3629. type: string
  3630. namespace:
  3631. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3632. type: string
  3633. type: object
  3634. type: object
  3635. serviceAccount:
  3636. description: points to a service account that should be used for authentication
  3637. properties:
  3638. serviceAccount:
  3639. description: A reference to a ServiceAccount resource.
  3640. properties:
  3641. name:
  3642. description: The name of the ServiceAccount resource being referred to.
  3643. type: string
  3644. namespace:
  3645. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3646. type: string
  3647. required:
  3648. - name
  3649. type: object
  3650. type: object
  3651. token:
  3652. description: use static token to authenticate with
  3653. properties:
  3654. bearerToken:
  3655. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3656. properties:
  3657. key:
  3658. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3659. type: string
  3660. name:
  3661. description: The name of the Secret resource being referred to.
  3662. type: string
  3663. namespace:
  3664. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3665. type: string
  3666. type: object
  3667. type: object
  3668. type: object
  3669. remoteNamespace:
  3670. default: default
  3671. description: Remote namespace to fetch the secrets from
  3672. type: string
  3673. server:
  3674. description: configures the Kubernetes server Address.
  3675. properties:
  3676. caBundle:
  3677. description: CABundle is a base64-encoded CA certificate
  3678. format: byte
  3679. type: string
  3680. caProvider:
  3681. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3682. properties:
  3683. key:
  3684. description: The key the value inside of the provider type to use, only used with "Secret" type
  3685. type: string
  3686. name:
  3687. description: The name of the object located at the provider type.
  3688. type: string
  3689. namespace:
  3690. description: The namespace the Provider type is in.
  3691. type: string
  3692. type:
  3693. description: The type of provider to use such as "Secret", or "ConfigMap".
  3694. enum:
  3695. - Secret
  3696. - ConfigMap
  3697. type: string
  3698. required:
  3699. - name
  3700. - type
  3701. type: object
  3702. url:
  3703. default: kubernetes.default
  3704. description: configures the Kubernetes server Address.
  3705. type: string
  3706. type: object
  3707. required:
  3708. - auth
  3709. type: object
  3710. oracle:
  3711. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3712. properties:
  3713. auth:
  3714. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3715. properties:
  3716. secretRef:
  3717. description: SecretRef to pass through sensitive information.
  3718. properties:
  3719. fingerprint:
  3720. description: Fingerprint is the fingerprint of the API private key.
  3721. properties:
  3722. key:
  3723. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3724. type: string
  3725. name:
  3726. description: The name of the Secret resource being referred to.
  3727. type: string
  3728. namespace:
  3729. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3730. type: string
  3731. type: object
  3732. privatekey:
  3733. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3734. properties:
  3735. key:
  3736. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3737. type: string
  3738. name:
  3739. description: The name of the Secret resource being referred to.
  3740. type: string
  3741. namespace:
  3742. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3743. type: string
  3744. type: object
  3745. required:
  3746. - fingerprint
  3747. - privatekey
  3748. type: object
  3749. tenancy:
  3750. description: Tenancy is the tenancy OCID where user is located.
  3751. type: string
  3752. user:
  3753. description: User is an access OCID specific to the account.
  3754. type: string
  3755. required:
  3756. - secretRef
  3757. - tenancy
  3758. - user
  3759. type: object
  3760. region:
  3761. description: Region is the region where vault is located.
  3762. type: string
  3763. vault:
  3764. description: Vault is the vault's OCID of the specific vault where secret is located.
  3765. type: string
  3766. required:
  3767. - region
  3768. - vault
  3769. type: object
  3770. vault:
  3771. description: Vault configures this store to sync secrets using Hashi provider
  3772. properties:
  3773. auth:
  3774. description: Auth configures how secret-manager authenticates with the Vault server.
  3775. properties:
  3776. appRole:
  3777. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3778. properties:
  3779. path:
  3780. default: approle
  3781. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3782. type: string
  3783. roleId:
  3784. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3785. type: string
  3786. secretRef:
  3787. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3788. properties:
  3789. key:
  3790. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3791. type: string
  3792. name:
  3793. description: The name of the Secret resource being referred to.
  3794. type: string
  3795. namespace:
  3796. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3797. type: string
  3798. type: object
  3799. required:
  3800. - path
  3801. - roleId
  3802. - secretRef
  3803. type: object
  3804. cert:
  3805. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  3806. properties:
  3807. clientCert:
  3808. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  3809. properties:
  3810. key:
  3811. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3812. type: string
  3813. name:
  3814. description: The name of the Secret resource being referred to.
  3815. type: string
  3816. namespace:
  3817. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3818. type: string
  3819. type: object
  3820. secretRef:
  3821. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  3822. properties:
  3823. key:
  3824. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3825. type: string
  3826. name:
  3827. description: The name of the Secret resource being referred to.
  3828. type: string
  3829. namespace:
  3830. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3831. type: string
  3832. type: object
  3833. type: object
  3834. jwt:
  3835. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3836. properties:
  3837. kubernetesServiceAccountToken:
  3838. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  3839. properties:
  3840. audiences:
  3841. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  3842. items:
  3843. type: string
  3844. type: array
  3845. expirationSeconds:
  3846. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  3847. format: int64
  3848. type: integer
  3849. serviceAccountRef:
  3850. description: Service account field containing the name of a kubernetes ServiceAccount.
  3851. properties:
  3852. name:
  3853. description: The name of the ServiceAccount resource being referred to.
  3854. type: string
  3855. namespace:
  3856. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3857. type: string
  3858. required:
  3859. - name
  3860. type: object
  3861. required:
  3862. - serviceAccountRef
  3863. type: object
  3864. path:
  3865. default: jwt
  3866. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3867. type: string
  3868. role:
  3869. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3870. type: string
  3871. secretRef:
  3872. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  3873. properties:
  3874. key:
  3875. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3876. type: string
  3877. name:
  3878. description: The name of the Secret resource being referred to.
  3879. type: string
  3880. namespace:
  3881. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3882. type: string
  3883. type: object
  3884. required:
  3885. - path
  3886. type: object
  3887. kubernetes:
  3888. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3889. properties:
  3890. mountPath:
  3891. default: kubernetes
  3892. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3893. type: string
  3894. role:
  3895. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3896. type: string
  3897. secretRef:
  3898. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3899. properties:
  3900. key:
  3901. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3902. type: string
  3903. name:
  3904. description: The name of the Secret resource being referred to.
  3905. type: string
  3906. namespace:
  3907. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3908. type: string
  3909. type: object
  3910. serviceAccountRef:
  3911. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3912. properties:
  3913. name:
  3914. description: The name of the ServiceAccount resource being referred to.
  3915. type: string
  3916. namespace:
  3917. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3918. type: string
  3919. required:
  3920. - name
  3921. type: object
  3922. required:
  3923. - mountPath
  3924. - role
  3925. type: object
  3926. ldap:
  3927. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  3928. properties:
  3929. path:
  3930. default: ldap
  3931. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  3932. type: string
  3933. secretRef:
  3934. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  3935. properties:
  3936. key:
  3937. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3938. type: string
  3939. name:
  3940. description: The name of the Secret resource being referred to.
  3941. type: string
  3942. namespace:
  3943. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3944. type: string
  3945. type: object
  3946. username:
  3947. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  3948. type: string
  3949. required:
  3950. - path
  3951. - username
  3952. type: object
  3953. tokenSecretRef:
  3954. description: TokenSecretRef authenticates with Vault by presenting a token.
  3955. properties:
  3956. key:
  3957. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3958. type: string
  3959. name:
  3960. description: The name of the Secret resource being referred to.
  3961. type: string
  3962. namespace:
  3963. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3964. type: string
  3965. type: object
  3966. type: object
  3967. caBundle:
  3968. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3969. format: byte
  3970. type: string
  3971. caProvider:
  3972. description: The provider for the CA bundle to use to validate Vault server certificate.
  3973. properties:
  3974. key:
  3975. description: The key the value inside of the provider type to use, only used with "Secret" type
  3976. type: string
  3977. name:
  3978. description: The name of the object located at the provider type.
  3979. type: string
  3980. namespace:
  3981. description: The namespace the Provider type is in.
  3982. type: string
  3983. type:
  3984. description: The type of provider to use such as "Secret", or "ConfigMap".
  3985. enum:
  3986. - Secret
  3987. - ConfigMap
  3988. type: string
  3989. required:
  3990. - name
  3991. - type
  3992. type: object
  3993. forwardInconsistent:
  3994. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  3995. type: boolean
  3996. namespace:
  3997. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  3998. type: string
  3999. path:
  4000. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  4001. type: string
  4002. readYourWrites:
  4003. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  4004. type: boolean
  4005. server:
  4006. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4007. type: string
  4008. version:
  4009. default: v2
  4010. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  4011. enum:
  4012. - v1
  4013. - v2
  4014. type: string
  4015. required:
  4016. - auth
  4017. - server
  4018. type: object
  4019. webhook:
  4020. description: Webhook configures this store to sync secrets using a generic templated webhook
  4021. properties:
  4022. body:
  4023. description: Body
  4024. type: string
  4025. caBundle:
  4026. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4027. format: byte
  4028. type: string
  4029. caProvider:
  4030. description: The provider for the CA bundle to use to validate webhook server certificate.
  4031. properties:
  4032. key:
  4033. description: The key the value inside of the provider type to use, only used with "Secret" type
  4034. type: string
  4035. name:
  4036. description: The name of the object located at the provider type.
  4037. type: string
  4038. namespace:
  4039. description: The namespace the Provider type is in.
  4040. type: string
  4041. type:
  4042. description: The type of provider to use such as "Secret", or "ConfigMap".
  4043. enum:
  4044. - Secret
  4045. - ConfigMap
  4046. type: string
  4047. required:
  4048. - name
  4049. - type
  4050. type: object
  4051. headers:
  4052. additionalProperties:
  4053. type: string
  4054. description: Headers
  4055. type: object
  4056. method:
  4057. description: Webhook Method
  4058. type: string
  4059. result:
  4060. description: Result formatting
  4061. properties:
  4062. jsonPath:
  4063. description: Json path of return value
  4064. type: string
  4065. type: object
  4066. secrets:
  4067. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  4068. items:
  4069. properties:
  4070. name:
  4071. description: Name of this secret in templates
  4072. type: string
  4073. secretRef:
  4074. description: Secret ref to fill in credentials
  4075. properties:
  4076. key:
  4077. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4078. type: string
  4079. name:
  4080. description: The name of the Secret resource being referred to.
  4081. type: string
  4082. namespace:
  4083. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4084. type: string
  4085. type: object
  4086. required:
  4087. - name
  4088. - secretRef
  4089. type: object
  4090. type: array
  4091. timeout:
  4092. description: Timeout
  4093. type: string
  4094. url:
  4095. description: Webhook url to call
  4096. type: string
  4097. required:
  4098. - result
  4099. - url
  4100. type: object
  4101. yandexlockbox:
  4102. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4103. properties:
  4104. apiEndpoint:
  4105. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4106. type: string
  4107. auth:
  4108. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4109. properties:
  4110. authorizedKeySecretRef:
  4111. description: The authorized key used for authentication
  4112. properties:
  4113. key:
  4114. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4115. type: string
  4116. name:
  4117. description: The name of the Secret resource being referred to.
  4118. type: string
  4119. namespace:
  4120. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4121. type: string
  4122. type: object
  4123. type: object
  4124. caProvider:
  4125. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4126. properties:
  4127. certSecretRef:
  4128. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4129. properties:
  4130. key:
  4131. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4132. type: string
  4133. name:
  4134. description: The name of the Secret resource being referred to.
  4135. type: string
  4136. namespace:
  4137. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4138. type: string
  4139. type: object
  4140. type: object
  4141. required:
  4142. - auth
  4143. type: object
  4144. type: object
  4145. retrySettings:
  4146. description: Used to configure http retries if failed
  4147. properties:
  4148. maxRetries:
  4149. format: int32
  4150. type: integer
  4151. retryInterval:
  4152. type: string
  4153. type: object
  4154. required:
  4155. - provider
  4156. type: object
  4157. status:
  4158. description: SecretStoreStatus defines the observed state of the SecretStore.
  4159. properties:
  4160. conditions:
  4161. items:
  4162. properties:
  4163. lastTransitionTime:
  4164. format: date-time
  4165. type: string
  4166. message:
  4167. type: string
  4168. reason:
  4169. type: string
  4170. status:
  4171. type: string
  4172. type:
  4173. type: string
  4174. required:
  4175. - status
  4176. - type
  4177. type: object
  4178. type: array
  4179. type: object
  4180. type: object
  4181. served: true
  4182. storage: false
  4183. subresources:
  4184. status: {}
  4185. - additionalPrinterColumns:
  4186. - jsonPath: .metadata.creationTimestamp
  4187. name: AGE
  4188. type: date
  4189. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4190. name: Status
  4191. type: string
  4192. - jsonPath: .status.capabilities
  4193. name: Capabilities
  4194. type: string
  4195. name: v1beta1
  4196. schema:
  4197. openAPIV3Schema:
  4198. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4199. properties:
  4200. apiVersion:
  4201. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4202. type: string
  4203. kind:
  4204. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4205. type: string
  4206. metadata:
  4207. type: object
  4208. spec:
  4209. description: SecretStoreSpec defines the desired state of SecretStore.
  4210. properties:
  4211. controller:
  4212. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  4213. type: string
  4214. provider:
  4215. description: Used to configure the provider. Only one provider may be set
  4216. maxProperties: 1
  4217. minProperties: 1
  4218. properties:
  4219. akeyless:
  4220. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4221. properties:
  4222. akeylessGWApiURL:
  4223. description: Akeyless GW API Url from which the secrets to be fetched from.
  4224. type: string
  4225. authSecretRef:
  4226. description: Auth configures how the operator authenticates with Akeyless.
  4227. properties:
  4228. secretRef:
  4229. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  4230. properties:
  4231. accessID:
  4232. description: The SecretAccessID is used for authentication
  4233. properties:
  4234. key:
  4235. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4236. type: string
  4237. name:
  4238. description: The name of the Secret resource being referred to.
  4239. type: string
  4240. namespace:
  4241. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4242. type: string
  4243. type: object
  4244. accessType:
  4245. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4246. properties:
  4247. key:
  4248. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4249. type: string
  4250. name:
  4251. description: The name of the Secret resource being referred to.
  4252. type: string
  4253. namespace:
  4254. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4255. type: string
  4256. type: object
  4257. accessTypeParam:
  4258. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4259. properties:
  4260. key:
  4261. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4262. type: string
  4263. name:
  4264. description: The name of the Secret resource being referred to.
  4265. type: string
  4266. namespace:
  4267. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4268. type: string
  4269. type: object
  4270. type: object
  4271. required:
  4272. - secretRef
  4273. type: object
  4274. required:
  4275. - akeylessGWApiURL
  4276. - authSecretRef
  4277. type: object
  4278. alibaba:
  4279. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4280. properties:
  4281. auth:
  4282. description: AlibabaAuth contains a secretRef for credentials.
  4283. properties:
  4284. secretRef:
  4285. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4286. properties:
  4287. accessKeyIDSecretRef:
  4288. description: The AccessKeyID is used for authentication
  4289. properties:
  4290. key:
  4291. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4292. type: string
  4293. name:
  4294. description: The name of the Secret resource being referred to.
  4295. type: string
  4296. namespace:
  4297. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4298. type: string
  4299. type: object
  4300. accessKeySecretSecretRef:
  4301. description: The AccessKeySecret is used for authentication
  4302. properties:
  4303. key:
  4304. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4305. type: string
  4306. name:
  4307. description: The name of the Secret resource being referred to.
  4308. type: string
  4309. namespace:
  4310. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4311. type: string
  4312. type: object
  4313. required:
  4314. - accessKeyIDSecretRef
  4315. - accessKeySecretSecretRef
  4316. type: object
  4317. required:
  4318. - secretRef
  4319. type: object
  4320. endpoint:
  4321. type: string
  4322. regionID:
  4323. description: Alibaba Region to be used for the provider
  4324. type: string
  4325. required:
  4326. - auth
  4327. - regionID
  4328. type: object
  4329. aws:
  4330. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4331. properties:
  4332. auth:
  4333. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4334. properties:
  4335. jwt:
  4336. description: Authenticate against AWS using service account tokens.
  4337. properties:
  4338. serviceAccountRef:
  4339. description: A reference to a ServiceAccount resource.
  4340. properties:
  4341. name:
  4342. description: The name of the ServiceAccount resource being referred to.
  4343. type: string
  4344. namespace:
  4345. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4346. type: string
  4347. required:
  4348. - name
  4349. type: object
  4350. type: object
  4351. secretRef:
  4352. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4353. properties:
  4354. accessKeyIDSecretRef:
  4355. description: The AccessKeyID is used for authentication
  4356. properties:
  4357. key:
  4358. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4359. type: string
  4360. name:
  4361. description: The name of the Secret resource being referred to.
  4362. type: string
  4363. namespace:
  4364. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4365. type: string
  4366. type: object
  4367. secretAccessKeySecretRef:
  4368. description: The SecretAccessKey is used for authentication
  4369. properties:
  4370. key:
  4371. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4372. type: string
  4373. name:
  4374. description: The name of the Secret resource being referred to.
  4375. type: string
  4376. namespace:
  4377. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4378. type: string
  4379. type: object
  4380. type: object
  4381. type: object
  4382. region:
  4383. description: AWS Region to be used for the provider
  4384. type: string
  4385. role:
  4386. description: Role is a Role ARN which the SecretManager provider will assume
  4387. type: string
  4388. service:
  4389. description: Service defines which service should be used to fetch the secrets
  4390. enum:
  4391. - SecretsManager
  4392. - ParameterStore
  4393. type: string
  4394. required:
  4395. - region
  4396. - service
  4397. type: object
  4398. azurekv:
  4399. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4400. properties:
  4401. authSecretRef:
  4402. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4403. properties:
  4404. clientId:
  4405. description: The Azure clientId of the service principle used for authentication.
  4406. properties:
  4407. key:
  4408. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4409. type: string
  4410. name:
  4411. description: The name of the Secret resource being referred to.
  4412. type: string
  4413. namespace:
  4414. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4415. type: string
  4416. type: object
  4417. clientSecret:
  4418. description: The Azure ClientSecret of the service principle used for authentication.
  4419. properties:
  4420. key:
  4421. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4422. type: string
  4423. name:
  4424. description: The name of the Secret resource being referred to.
  4425. type: string
  4426. namespace:
  4427. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4428. type: string
  4429. type: object
  4430. type: object
  4431. authType:
  4432. default: ServicePrincipal
  4433. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  4434. enum:
  4435. - ServicePrincipal
  4436. - ManagedIdentity
  4437. - WorkloadIdentity
  4438. type: string
  4439. identityId:
  4440. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  4441. type: string
  4442. serviceAccountRef:
  4443. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  4444. properties:
  4445. name:
  4446. description: The name of the ServiceAccount resource being referred to.
  4447. type: string
  4448. namespace:
  4449. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4450. type: string
  4451. required:
  4452. - name
  4453. type: object
  4454. tenantId:
  4455. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4456. type: string
  4457. vaultUrl:
  4458. description: Vault Url from which the secrets to be fetched from.
  4459. type: string
  4460. required:
  4461. - vaultUrl
  4462. type: object
  4463. fake:
  4464. description: Fake configures a store with static key/value pairs
  4465. properties:
  4466. data:
  4467. items:
  4468. properties:
  4469. key:
  4470. type: string
  4471. value:
  4472. type: string
  4473. valueMap:
  4474. additionalProperties:
  4475. type: string
  4476. type: object
  4477. version:
  4478. type: string
  4479. required:
  4480. - key
  4481. type: object
  4482. type: array
  4483. required:
  4484. - data
  4485. type: object
  4486. gcpsm:
  4487. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4488. properties:
  4489. auth:
  4490. description: Auth defines the information necessary to authenticate against GCP
  4491. properties:
  4492. secretRef:
  4493. properties:
  4494. secretAccessKeySecretRef:
  4495. description: The SecretAccessKey is used for authentication
  4496. properties:
  4497. key:
  4498. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4499. type: string
  4500. name:
  4501. description: The name of the Secret resource being referred to.
  4502. type: string
  4503. namespace:
  4504. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4505. type: string
  4506. type: object
  4507. type: object
  4508. workloadIdentity:
  4509. properties:
  4510. clusterLocation:
  4511. type: string
  4512. clusterName:
  4513. type: string
  4514. clusterProjectID:
  4515. type: string
  4516. serviceAccountRef:
  4517. description: A reference to a ServiceAccount resource.
  4518. properties:
  4519. name:
  4520. description: The name of the ServiceAccount resource being referred to.
  4521. type: string
  4522. namespace:
  4523. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4524. type: string
  4525. required:
  4526. - name
  4527. type: object
  4528. required:
  4529. - clusterLocation
  4530. - clusterName
  4531. - serviceAccountRef
  4532. type: object
  4533. type: object
  4534. projectID:
  4535. description: ProjectID project where secret is located
  4536. type: string
  4537. type: object
  4538. gitlab:
  4539. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  4540. properties:
  4541. auth:
  4542. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4543. properties:
  4544. SecretRef:
  4545. properties:
  4546. accessToken:
  4547. description: AccessToken is used for authentication.
  4548. properties:
  4549. key:
  4550. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4551. type: string
  4552. name:
  4553. description: The name of the Secret resource being referred to.
  4554. type: string
  4555. namespace:
  4556. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4557. type: string
  4558. type: object
  4559. type: object
  4560. required:
  4561. - SecretRef
  4562. type: object
  4563. projectID:
  4564. description: ProjectID specifies a project where secrets are located.
  4565. type: string
  4566. url:
  4567. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4568. type: string
  4569. required:
  4570. - auth
  4571. type: object
  4572. ibm:
  4573. description: IBM configures this store to sync secrets using IBM Cloud provider
  4574. properties:
  4575. auth:
  4576. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4577. properties:
  4578. secretRef:
  4579. properties:
  4580. secretApiKeySecretRef:
  4581. description: The SecretAccessKey is used for authentication
  4582. properties:
  4583. key:
  4584. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4585. type: string
  4586. name:
  4587. description: The name of the Secret resource being referred to.
  4588. type: string
  4589. namespace:
  4590. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4591. type: string
  4592. type: object
  4593. type: object
  4594. required:
  4595. - secretRef
  4596. type: object
  4597. serviceUrl:
  4598. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4599. type: string
  4600. required:
  4601. - auth
  4602. type: object
  4603. kubernetes:
  4604. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  4605. properties:
  4606. auth:
  4607. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  4608. maxProperties: 1
  4609. minProperties: 1
  4610. properties:
  4611. cert:
  4612. description: has both clientCert and clientKey as secretKeySelector
  4613. properties:
  4614. clientCert:
  4615. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4616. properties:
  4617. key:
  4618. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4619. type: string
  4620. name:
  4621. description: The name of the Secret resource being referred to.
  4622. type: string
  4623. namespace:
  4624. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4625. type: string
  4626. type: object
  4627. clientKey:
  4628. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4629. properties:
  4630. key:
  4631. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4632. type: string
  4633. name:
  4634. description: The name of the Secret resource being referred to.
  4635. type: string
  4636. namespace:
  4637. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4638. type: string
  4639. type: object
  4640. type: object
  4641. serviceAccount:
  4642. description: points to a service account that should be used for authentication
  4643. properties:
  4644. serviceAccount:
  4645. description: A reference to a ServiceAccount resource.
  4646. properties:
  4647. name:
  4648. description: The name of the ServiceAccount resource being referred to.
  4649. type: string
  4650. namespace:
  4651. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4652. type: string
  4653. required:
  4654. - name
  4655. type: object
  4656. type: object
  4657. token:
  4658. description: use static token to authenticate with
  4659. properties:
  4660. bearerToken:
  4661. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4662. properties:
  4663. key:
  4664. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4665. type: string
  4666. name:
  4667. description: The name of the Secret resource being referred to.
  4668. type: string
  4669. namespace:
  4670. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4671. type: string
  4672. type: object
  4673. type: object
  4674. type: object
  4675. remoteNamespace:
  4676. default: default
  4677. description: Remote namespace to fetch the secrets from
  4678. type: string
  4679. server:
  4680. description: configures the Kubernetes server Address.
  4681. properties:
  4682. caBundle:
  4683. description: CABundle is a base64-encoded CA certificate
  4684. format: byte
  4685. type: string
  4686. caProvider:
  4687. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4688. properties:
  4689. key:
  4690. description: The key the value inside of the provider type to use, only used with "Secret" type
  4691. type: string
  4692. name:
  4693. description: The name of the object located at the provider type.
  4694. type: string
  4695. namespace:
  4696. description: The namespace the Provider type is in.
  4697. type: string
  4698. type:
  4699. description: The type of provider to use such as "Secret", or "ConfigMap".
  4700. enum:
  4701. - Secret
  4702. - ConfigMap
  4703. type: string
  4704. required:
  4705. - name
  4706. - type
  4707. type: object
  4708. url:
  4709. default: kubernetes.default
  4710. description: configures the Kubernetes server Address.
  4711. type: string
  4712. type: object
  4713. required:
  4714. - auth
  4715. type: object
  4716. onepassword:
  4717. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  4718. properties:
  4719. auth:
  4720. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  4721. properties:
  4722. secretRef:
  4723. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  4724. properties:
  4725. connectTokenSecretRef:
  4726. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  4727. properties:
  4728. key:
  4729. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4730. type: string
  4731. name:
  4732. description: The name of the Secret resource being referred to.
  4733. type: string
  4734. namespace:
  4735. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4736. type: string
  4737. type: object
  4738. required:
  4739. - connectTokenSecretRef
  4740. type: object
  4741. required:
  4742. - secretRef
  4743. type: object
  4744. connectHost:
  4745. description: ConnectHost defines the OnePassword Connect Server to connect to
  4746. type: string
  4747. vaults:
  4748. additionalProperties:
  4749. type: integer
  4750. description: Vaults defines which OnePassword vaults to search in which order
  4751. type: object
  4752. required:
  4753. - auth
  4754. - connectHost
  4755. - vaults
  4756. type: object
  4757. oracle:
  4758. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4759. properties:
  4760. auth:
  4761. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4762. properties:
  4763. secretRef:
  4764. description: SecretRef to pass through sensitive information.
  4765. properties:
  4766. fingerprint:
  4767. description: Fingerprint is the fingerprint of the API private key.
  4768. properties:
  4769. key:
  4770. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4771. type: string
  4772. name:
  4773. description: The name of the Secret resource being referred to.
  4774. type: string
  4775. namespace:
  4776. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4777. type: string
  4778. type: object
  4779. privatekey:
  4780. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4781. properties:
  4782. key:
  4783. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4784. type: string
  4785. name:
  4786. description: The name of the Secret resource being referred to.
  4787. type: string
  4788. namespace:
  4789. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4790. type: string
  4791. type: object
  4792. required:
  4793. - fingerprint
  4794. - privatekey
  4795. type: object
  4796. tenancy:
  4797. description: Tenancy is the tenancy OCID where user is located.
  4798. type: string
  4799. user:
  4800. description: User is an access OCID specific to the account.
  4801. type: string
  4802. required:
  4803. - secretRef
  4804. - tenancy
  4805. - user
  4806. type: object
  4807. region:
  4808. description: Region is the region where vault is located.
  4809. type: string
  4810. vault:
  4811. description: Vault is the vault's OCID of the specific vault where secret is located.
  4812. type: string
  4813. required:
  4814. - region
  4815. - vault
  4816. type: object
  4817. senhasegura:
  4818. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4819. properties:
  4820. auth:
  4821. description: Auth defines parameters to authenticate in senhasegura
  4822. properties:
  4823. clientId:
  4824. type: string
  4825. clientSecretSecretRef:
  4826. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4827. properties:
  4828. key:
  4829. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4830. type: string
  4831. name:
  4832. description: The name of the Secret resource being referred to.
  4833. type: string
  4834. namespace:
  4835. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4836. type: string
  4837. type: object
  4838. required:
  4839. - clientId
  4840. - clientSecretSecretRef
  4841. type: object
  4842. ignoreSslCertificate:
  4843. default: false
  4844. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  4845. type: boolean
  4846. module:
  4847. description: Module defines which senhasegura module should be used to get secrets
  4848. type: string
  4849. url:
  4850. description: URL of senhasegura
  4851. type: string
  4852. required:
  4853. - auth
  4854. - module
  4855. - url
  4856. type: object
  4857. vault:
  4858. description: Vault configures this store to sync secrets using Hashi provider
  4859. properties:
  4860. auth:
  4861. description: Auth configures how secret-manager authenticates with the Vault server.
  4862. properties:
  4863. appRole:
  4864. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  4865. properties:
  4866. path:
  4867. default: approle
  4868. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  4869. type: string
  4870. roleId:
  4871. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  4872. type: string
  4873. secretRef:
  4874. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  4875. properties:
  4876. key:
  4877. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4878. type: string
  4879. name:
  4880. description: The name of the Secret resource being referred to.
  4881. type: string
  4882. namespace:
  4883. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4884. type: string
  4885. type: object
  4886. required:
  4887. - path
  4888. - roleId
  4889. - secretRef
  4890. type: object
  4891. cert:
  4892. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  4893. properties:
  4894. clientCert:
  4895. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  4896. properties:
  4897. key:
  4898. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4899. type: string
  4900. name:
  4901. description: The name of the Secret resource being referred to.
  4902. type: string
  4903. namespace:
  4904. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4905. type: string
  4906. type: object
  4907. secretRef:
  4908. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  4909. properties:
  4910. key:
  4911. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4912. type: string
  4913. name:
  4914. description: The name of the Secret resource being referred to.
  4915. type: string
  4916. namespace:
  4917. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4918. type: string
  4919. type: object
  4920. type: object
  4921. jwt:
  4922. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  4923. properties:
  4924. kubernetesServiceAccountToken:
  4925. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  4926. properties:
  4927. audiences:
  4928. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  4929. items:
  4930. type: string
  4931. type: array
  4932. expirationSeconds:
  4933. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  4934. format: int64
  4935. type: integer
  4936. serviceAccountRef:
  4937. description: Service account field containing the name of a kubernetes ServiceAccount.
  4938. properties:
  4939. name:
  4940. description: The name of the ServiceAccount resource being referred to.
  4941. type: string
  4942. namespace:
  4943. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4944. type: string
  4945. required:
  4946. - name
  4947. type: object
  4948. required:
  4949. - serviceAccountRef
  4950. type: object
  4951. path:
  4952. default: jwt
  4953. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  4954. type: string
  4955. role:
  4956. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  4957. type: string
  4958. secretRef:
  4959. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  4960. properties:
  4961. key:
  4962. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4963. type: string
  4964. name:
  4965. description: The name of the Secret resource being referred to.
  4966. type: string
  4967. namespace:
  4968. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4969. type: string
  4970. type: object
  4971. required:
  4972. - path
  4973. type: object
  4974. kubernetes:
  4975. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  4976. properties:
  4977. mountPath:
  4978. default: kubernetes
  4979. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  4980. type: string
  4981. role:
  4982. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  4983. type: string
  4984. secretRef:
  4985. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  4986. properties:
  4987. key:
  4988. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4989. type: string
  4990. name:
  4991. description: The name of the Secret resource being referred to.
  4992. type: string
  4993. namespace:
  4994. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4995. type: string
  4996. type: object
  4997. serviceAccountRef:
  4998. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  4999. properties:
  5000. name:
  5001. description: The name of the ServiceAccount resource being referred to.
  5002. type: string
  5003. namespace:
  5004. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5005. type: string
  5006. required:
  5007. - name
  5008. type: object
  5009. required:
  5010. - mountPath
  5011. - role
  5012. type: object
  5013. ldap:
  5014. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5015. properties:
  5016. path:
  5017. default: ldap
  5018. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5019. type: string
  5020. secretRef:
  5021. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5022. properties:
  5023. key:
  5024. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5025. type: string
  5026. name:
  5027. description: The name of the Secret resource being referred to.
  5028. type: string
  5029. namespace:
  5030. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5031. type: string
  5032. type: object
  5033. username:
  5034. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5035. type: string
  5036. required:
  5037. - path
  5038. - username
  5039. type: object
  5040. tokenSecretRef:
  5041. description: TokenSecretRef authenticates with Vault by presenting a token.
  5042. properties:
  5043. key:
  5044. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5045. type: string
  5046. name:
  5047. description: The name of the Secret resource being referred to.
  5048. type: string
  5049. namespace:
  5050. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5051. type: string
  5052. type: object
  5053. type: object
  5054. caBundle:
  5055. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5056. format: byte
  5057. type: string
  5058. caProvider:
  5059. description: The provider for the CA bundle to use to validate Vault server certificate.
  5060. properties:
  5061. key:
  5062. description: The key the value inside of the provider type to use, only used with "Secret" type
  5063. type: string
  5064. name:
  5065. description: The name of the object located at the provider type.
  5066. type: string
  5067. namespace:
  5068. description: The namespace the Provider type is in.
  5069. type: string
  5070. type:
  5071. description: The type of provider to use such as "Secret", or "ConfigMap".
  5072. enum:
  5073. - Secret
  5074. - ConfigMap
  5075. type: string
  5076. required:
  5077. - name
  5078. - type
  5079. type: object
  5080. forwardInconsistent:
  5081. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5082. type: boolean
  5083. namespace:
  5084. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5085. type: string
  5086. path:
  5087. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5088. type: string
  5089. readYourWrites:
  5090. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5091. type: boolean
  5092. server:
  5093. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5094. type: string
  5095. version:
  5096. default: v2
  5097. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5098. enum:
  5099. - v1
  5100. - v2
  5101. type: string
  5102. required:
  5103. - auth
  5104. - server
  5105. type: object
  5106. webhook:
  5107. description: Webhook configures this store to sync secrets using a generic templated webhook
  5108. properties:
  5109. body:
  5110. description: Body
  5111. type: string
  5112. caBundle:
  5113. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5114. format: byte
  5115. type: string
  5116. caProvider:
  5117. description: The provider for the CA bundle to use to validate webhook server certificate.
  5118. properties:
  5119. key:
  5120. description: The key the value inside of the provider type to use, only used with "Secret" type
  5121. type: string
  5122. name:
  5123. description: The name of the object located at the provider type.
  5124. type: string
  5125. namespace:
  5126. description: The namespace the Provider type is in.
  5127. type: string
  5128. type:
  5129. description: The type of provider to use such as "Secret", or "ConfigMap".
  5130. enum:
  5131. - Secret
  5132. - ConfigMap
  5133. type: string
  5134. required:
  5135. - name
  5136. - type
  5137. type: object
  5138. headers:
  5139. additionalProperties:
  5140. type: string
  5141. description: Headers
  5142. type: object
  5143. method:
  5144. description: Webhook Method
  5145. type: string
  5146. result:
  5147. description: Result formatting
  5148. properties:
  5149. jsonPath:
  5150. description: Json path of return value
  5151. type: string
  5152. type: object
  5153. secrets:
  5154. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  5155. items:
  5156. properties:
  5157. name:
  5158. description: Name of this secret in templates
  5159. type: string
  5160. secretRef:
  5161. description: Secret ref to fill in credentials
  5162. properties:
  5163. key:
  5164. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5165. type: string
  5166. name:
  5167. description: The name of the Secret resource being referred to.
  5168. type: string
  5169. namespace:
  5170. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5171. type: string
  5172. type: object
  5173. required:
  5174. - name
  5175. - secretRef
  5176. type: object
  5177. type: array
  5178. timeout:
  5179. description: Timeout
  5180. type: string
  5181. url:
  5182. description: Webhook url to call
  5183. type: string
  5184. required:
  5185. - result
  5186. - url
  5187. type: object
  5188. yandexcertificatemanager:
  5189. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5190. properties:
  5191. apiEndpoint:
  5192. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5193. type: string
  5194. auth:
  5195. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5196. properties:
  5197. authorizedKeySecretRef:
  5198. description: The authorized key used for authentication
  5199. properties:
  5200. key:
  5201. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5202. type: string
  5203. name:
  5204. description: The name of the Secret resource being referred to.
  5205. type: string
  5206. namespace:
  5207. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5208. type: string
  5209. type: object
  5210. type: object
  5211. caProvider:
  5212. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5213. properties:
  5214. certSecretRef:
  5215. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5216. properties:
  5217. key:
  5218. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5219. type: string
  5220. name:
  5221. description: The name of the Secret resource being referred to.
  5222. type: string
  5223. namespace:
  5224. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5225. type: string
  5226. type: object
  5227. type: object
  5228. required:
  5229. - auth
  5230. type: object
  5231. yandexlockbox:
  5232. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5233. properties:
  5234. apiEndpoint:
  5235. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5236. type: string
  5237. auth:
  5238. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5239. properties:
  5240. authorizedKeySecretRef:
  5241. description: The authorized key used for authentication
  5242. properties:
  5243. key:
  5244. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5245. type: string
  5246. name:
  5247. description: The name of the Secret resource being referred to.
  5248. type: string
  5249. namespace:
  5250. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5251. type: string
  5252. type: object
  5253. type: object
  5254. caProvider:
  5255. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5256. properties:
  5257. certSecretRef:
  5258. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5259. properties:
  5260. key:
  5261. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5262. type: string
  5263. name:
  5264. description: The name of the Secret resource being referred to.
  5265. type: string
  5266. namespace:
  5267. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5268. type: string
  5269. type: object
  5270. type: object
  5271. required:
  5272. - auth
  5273. type: object
  5274. type: object
  5275. refreshInterval:
  5276. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5277. type: integer
  5278. retrySettings:
  5279. description: Used to configure http retries if failed
  5280. properties:
  5281. maxRetries:
  5282. format: int32
  5283. type: integer
  5284. retryInterval:
  5285. type: string
  5286. type: object
  5287. required:
  5288. - provider
  5289. type: object
  5290. status:
  5291. description: SecretStoreStatus defines the observed state of the SecretStore.
  5292. properties:
  5293. capabilities:
  5294. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5295. type: string
  5296. conditions:
  5297. items:
  5298. properties:
  5299. lastTransitionTime:
  5300. format: date-time
  5301. type: string
  5302. message:
  5303. type: string
  5304. reason:
  5305. type: string
  5306. status:
  5307. type: string
  5308. type:
  5309. type: string
  5310. required:
  5311. - status
  5312. - type
  5313. type: object
  5314. type: array
  5315. type: object
  5316. type: object
  5317. served: true
  5318. storage: true
  5319. subresources:
  5320. status: {}
  5321. conversion:
  5322. strategy: Webhook
  5323. webhook:
  5324. conversionReviewVersions:
  5325. - v1
  5326. clientConfig:
  5327. service:
  5328. name: kubernetes
  5329. namespace: default
  5330. path: /convert