| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.19.0
- labels:
- external-secrets.io/component: controller
- name: pushsecrets.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - external-secrets
- kind: PushSecret
- listKind: PushSecretList
- plural: pushsecrets
- shortNames:
- - ps
- singular: pushsecret
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.refreshTime
- name: Last Sync
- type: date
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: PushSecret is the Schema for the PushSecrets API that enables
- pushing Kubernetes secrets to external secret providers.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: PushSecretSpec configures the behavior of the PushSecret.
- properties:
- data:
- description: Secret Data that should be pushed to providers
- items:
- description: PushSecretData defines data to be pushed to the provider
- and associated metadata.
- properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the secret
- keys
- enum:
- - None
- - ReverseUnicode
- type: string
- match:
- description: Match a given Secret Key to be pushed to the provider.
- properties:
- remoteRef:
- description: Remote Refs to push to providers.
- properties:
- property:
- description: Name of the property in the resulting secret
- type: string
- remoteKey:
- description: Name of the resulting provider secret.
- type: string
- required:
- - remoteKey
- type: object
- secretKey:
- description: Secret Key to be pushed
- type: string
- required:
- - remoteRef
- type: object
- metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
- x-kubernetes-preserve-unknown-fields: true
- required:
- - match
- type: object
- type: array
- dataTo:
- description: DataTo defines bulk push rules that expand source Secret
- keys into provider entries.
- items:
- description: PushSecretDataTo defines how to bulk-push secrets to
- providers without explicit per-key mappings.
- properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the secret
- keys
- enum:
- - None
- - ReverseUnicode
- type: string
- match:
- description: |-
- Match pattern for selecting keys from the source Secret.
- If not specified, all keys are selected.
- properties:
- regexp:
- description: |-
- Regexp matches keys by regular expression.
- If not specified, all keys are matched.
- type: string
- type: object
- metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
- x-kubernetes-preserve-unknown-fields: true
- remoteKey:
- description: |-
- RemoteKey is the name of the single provider secret that will receive ALL
- matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
- When set, per-key expansion is skipped and a single push is performed.
- The provider's store prefix (if any) is still prepended to this value.
- When not set, each matched key is pushed as its own individual provider secret.
- type: string
- rewrite:
- description: |-
- Rewrite operations to transform keys before pushing to the provider.
- Operations are applied sequentially.
- items:
- description: PushSecretRewrite defines how to transform secret
- keys before pushing.
- properties:
- regexp:
- description: Used to rewrite with regular expressions.
- properties:
- source:
- description: Used to define the regular expression
- of a re.Compiler.
- type: string
- target:
- description: Used to define the target pattern of
- a ReplaceAll operation.
- type: string
- required:
- - source
- - target
- type: object
- transform:
- description: Used to apply string transformation on the
- secrets.
- properties:
- template:
- description: |-
- Used to define the template to apply on the secret name.
- `.value ` will specify the secret name in the template.
- type: string
- required:
- - template
- type: object
- type: object
- x-kubernetes-validations:
- - message: exactly one of regexp or transform must be set
- rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp)
- && has(self.transform))
- type: array
- storeRef:
- description: StoreRef specifies which SecretStore to push to.
- Required.
- properties:
- kind:
- default: SecretStore
- description: Kind of the SecretStore resource (SecretStore
- or ClusterSecretStore)
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- labelSelector:
- description: Optionally, sync to secret stores with label
- selector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- name:
- description: Optionally, sync to the SecretStore of the
- given name
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- x-kubernetes-validations:
- - message: storeRef must specify either name or labelSelector
- rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
- - message: 'remoteKey and rewrite are mutually exclusive: rewrite
- is only supported in per-key mode (without remoteKey)'
- rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite)
- == 0'
- type: array
- deletionPolicy:
- default: None
- description: Deletion Policy to handle Secrets in the provider.
- enum:
- - Delete
- - None
- type: string
- refreshInterval:
- default: 1h0m0s
- description: The Interval to which External Secrets will try to push
- a secret definition
- type: string
- secretStoreRefs:
- items:
- description: PushSecretStoreRef contains a reference on how to sync
- to a SecretStore.
- properties:
- kind:
- default: SecretStore
- description: Kind of the SecretStore resource (SecretStore or
- ClusterSecretStore)
- enum:
- - SecretStore
- - ClusterSecretStore
- type: string
- labelSelector:
- description: Optionally, sync to secret stores with label selector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- name:
- description: Optionally, sync to the SecretStore of the given
- name
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: array
- selector:
- description: The Secret Selector (k8s source) for the Push Secret
- maxProperties: 1
- minProperties: 1
- properties:
- generatorRef:
- description: Point to a generator to create a Secret.
- properties:
- apiVersion:
- default: generators.external-secrets.io/v1alpha1
- description: Specify the apiVersion of the generator resource
- type: string
- kind:
- description: Specify the Kind of the generator resource
- enum:
- - ACRAccessToken
- - ClusterGenerator
- - CloudsmithAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - SSHKey
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- - MFA
- type: string
- name:
- description: Specify the name of the generator resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - kind
- - name
- type: object
- secret:
- description: Select a Secret to Push.
- properties:
- name:
- description: |-
- Name of the Secret.
- The Secret must exist in the same namespace as the PushSecret manifest.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- selector:
- description: Selector chooses secrets using a labelSelector.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: object
- template:
- description: Template defines a blueprint for the created Secret resource.
- properties:
- data:
- additionalProperties:
- type: string
- type: object
- engineVersion:
- default: v2
- description: |-
- EngineVersion specifies the template engine version
- that should be used to compile/execute the
- template specified in .data and .templateFrom[].
- enum:
- - v2
- type: string
- mergePolicy:
- default: Replace
- description: TemplateMergePolicy defines how the rendered template
- should be merged with the existing Secret data.
- enum:
- - Replace
- - Merge
- type: string
- metadata:
- description: ExternalSecretTemplateMetadata defines metadata fields
- for the Secret blueprint.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- finalizers:
- items:
- type: string
- type: array
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- templateFrom:
- items:
- description: |-
- TemplateFrom specifies a source for templates.
- Each item in the list can either reference a ConfigMap or a Secret resource.
- properties:
- configMap:
- description: TemplateRef specifies a reference to either
- a ConfigMap or a Secret resource.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem specifies a key in the
- ConfigMap/Secret to use as a template for Secret
- data.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope specifies how the template
- keys should be interpreted.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- literal:
- type: string
- secret:
- description: TemplateRef specifies a reference to either
- a ConfigMap or a Secret resource.
- properties:
- items:
- description: A list of keys in the ConfigMap/Secret
- to use as templates for Secret data
- items:
- description: TemplateRefItem specifies a key in the
- ConfigMap/Secret to use as a template for Secret
- data.
- properties:
- key:
- description: A key in the ConfigMap/Secret
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- templateAs:
- default: Values
- description: TemplateScope specifies how the template
- keys should be interpreted.
- enum:
- - Values
- - KeysAndValues
- type: string
- required:
- - key
- type: object
- type: array
- name:
- description: The name of the ConfigMap/Secret resource
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- required:
- - items
- - name
- type: object
- target:
- default: Data
- description: |-
- Target specifies where to place the template result.
- For Secret resources, common values are: "Data", "Annotations", "Labels".
- For custom resources (when spec.target.manifest is set), this supports
- nested paths like "spec.database.config" or "data".
- type: string
- type: object
- type: array
- type:
- type: string
- type: object
- updatePolicy:
- default: Replace
- description: UpdatePolicy to handle Secrets in the provider.
- enum:
- - Replace
- - IfNotExists
- type: string
- required:
- - secretStoreRefs
- - selector
- type: object
- status:
- description: PushSecretStatus indicates the history of the status of PushSecret.
- properties:
- conditions:
- items:
- description: PushSecretStatusCondition indicates the status of the
- PushSecret.
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- description: PushSecretConditionType indicates the condition
- of the PushSecret.
- type: string
- required:
- - status
- - type
- type: object
- type: array
- refreshTime:
- description: |-
- refreshTime is the time and date the external secret was fetched and
- the target secret updated
- format: date-time
- nullable: true
- type: string
- syncedPushSecrets:
- additionalProperties:
- additionalProperties:
- description: PushSecretData defines data to be pushed to the provider
- and associated metadata.
- properties:
- conversionStrategy:
- default: None
- description: Used to define a conversion Strategy for the
- secret keys
- enum:
- - None
- - ReverseUnicode
- type: string
- match:
- description: Match a given Secret Key to be pushed to the
- provider.
- properties:
- remoteRef:
- description: Remote Refs to push to providers.
- properties:
- property:
- description: Name of the property in the resulting
- secret
- type: string
- remoteKey:
- description: Name of the resulting provider secret.
- type: string
- required:
- - remoteKey
- type: object
- secretKey:
- description: Secret Key to be pushed
- type: string
- required:
- - remoteRef
- type: object
- metadata:
- description: |-
- Metadata is metadata attached to the secret.
- The structure of metadata is provider specific, please look it up in the provider documentation.
- x-kubernetes-preserve-unknown-fields: true
- required:
- - match
- type: object
- type: object
- description: |-
- Synced PushSecrets, including secrets that already exist in provider.
- Matches secret stores to PushSecretData that was stored to that secret store.
- type: object
- syncedResourceVersion:
- description: SyncedResourceVersion keeps track of the last synced
- version.
- type: string
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
