bundle.yaml 319 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.8.0
  6. creationTimestamp: null
  7. name: clusterexternalsecrets.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterExternalSecret
  14. listKind: ClusterExternalSecretList
  15. plural: clusterexternalsecrets
  16. shortNames:
  17. - ces
  18. singular: clusterexternalsecret
  19. scope: Cluster
  20. versions:
  21. - name: v1beta1
  22. schema:
  23. openAPIV3Schema:
  24. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  25. properties:
  26. apiVersion:
  27. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  28. type: string
  29. kind:
  30. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  31. type: string
  32. metadata:
  33. type: object
  34. spec:
  35. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  36. properties:
  37. externalSecretName:
  38. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  39. type: string
  40. externalSecretSpec:
  41. description: The spec for the ExternalSecrets to be created
  42. properties:
  43. data:
  44. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  45. items:
  46. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  47. properties:
  48. remoteRef:
  49. description: ExternalSecretDataRemoteRef defines Provider data location.
  50. properties:
  51. conversionStrategy:
  52. default: Default
  53. description: Used to define a conversion Strategy
  54. type: string
  55. key:
  56. description: Key is the key used in the Provider, mandatory
  57. type: string
  58. metadataPolicy:
  59. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  60. type: string
  61. property:
  62. description: Used to select a specific property of the Provider value (if a map), if supported
  63. type: string
  64. version:
  65. description: Used to select a specific version of the Provider value, if supported
  66. type: string
  67. required:
  68. - key
  69. type: object
  70. secretKey:
  71. type: string
  72. required:
  73. - remoteRef
  74. - secretKey
  75. type: object
  76. type: array
  77. dataFrom:
  78. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  79. items:
  80. maxProperties: 1
  81. minProperties: 1
  82. properties:
  83. extract:
  84. description: Used to extract multiple key/value pairs from one secret
  85. properties:
  86. conversionStrategy:
  87. default: Default
  88. description: Used to define a conversion Strategy
  89. type: string
  90. key:
  91. description: Key is the key used in the Provider, mandatory
  92. type: string
  93. metadataPolicy:
  94. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  95. type: string
  96. property:
  97. description: Used to select a specific property of the Provider value (if a map), if supported
  98. type: string
  99. version:
  100. description: Used to select a specific version of the Provider value, if supported
  101. type: string
  102. required:
  103. - key
  104. type: object
  105. find:
  106. description: Used to find secrets based on tags or regular expressions
  107. properties:
  108. conversionStrategy:
  109. default: Default
  110. description: Used to define a conversion Strategy
  111. type: string
  112. name:
  113. description: Finds secrets based on the name.
  114. properties:
  115. regexp:
  116. description: Finds secrets base
  117. type: string
  118. type: object
  119. path:
  120. description: A root path to start the find operations.
  121. type: string
  122. tags:
  123. additionalProperties:
  124. type: string
  125. description: Find secrets based on tags.
  126. type: object
  127. type: object
  128. type: object
  129. type: array
  130. refreshInterval:
  131. default: 1h
  132. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  133. type: string
  134. secretStoreRef:
  135. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  136. properties:
  137. kind:
  138. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  139. type: string
  140. name:
  141. description: Name of the SecretStore resource
  142. type: string
  143. required:
  144. - name
  145. type: object
  146. target:
  147. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  148. properties:
  149. creationPolicy:
  150. default: Owner
  151. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  152. enum:
  153. - Owner
  154. - Orphan
  155. - Merge
  156. - None
  157. type: string
  158. deletionPolicy:
  159. default: Retain
  160. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  161. enum:
  162. - Delete
  163. - Merge
  164. - Retain
  165. type: string
  166. immutable:
  167. description: Immutable defines if the final secret will be immutable
  168. type: boolean
  169. name:
  170. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  171. type: string
  172. template:
  173. description: Template defines a blueprint for the created Secret resource.
  174. properties:
  175. data:
  176. additionalProperties:
  177. type: string
  178. type: object
  179. engineVersion:
  180. default: v2
  181. type: string
  182. metadata:
  183. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  184. properties:
  185. annotations:
  186. additionalProperties:
  187. type: string
  188. type: object
  189. labels:
  190. additionalProperties:
  191. type: string
  192. type: object
  193. type: object
  194. templateFrom:
  195. items:
  196. maxProperties: 1
  197. minProperties: 1
  198. properties:
  199. configMap:
  200. properties:
  201. items:
  202. items:
  203. properties:
  204. key:
  205. type: string
  206. required:
  207. - key
  208. type: object
  209. type: array
  210. name:
  211. type: string
  212. required:
  213. - items
  214. - name
  215. type: object
  216. secret:
  217. properties:
  218. items:
  219. items:
  220. properties:
  221. key:
  222. type: string
  223. required:
  224. - key
  225. type: object
  226. type: array
  227. name:
  228. type: string
  229. required:
  230. - items
  231. - name
  232. type: object
  233. type: object
  234. type: array
  235. type:
  236. type: string
  237. type: object
  238. type: object
  239. required:
  240. - secretStoreRef
  241. type: object
  242. namespaceSelector:
  243. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  244. properties:
  245. matchExpressions:
  246. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  247. items:
  248. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  249. properties:
  250. key:
  251. description: key is the label key that the selector applies to.
  252. type: string
  253. operator:
  254. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  255. type: string
  256. values:
  257. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  258. items:
  259. type: string
  260. type: array
  261. required:
  262. - key
  263. - operator
  264. type: object
  265. type: array
  266. matchLabels:
  267. additionalProperties:
  268. type: string
  269. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  270. type: object
  271. type: object
  272. refreshTime:
  273. description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
  274. type: string
  275. required:
  276. - externalSecretSpec
  277. - namespaceSelector
  278. type: object
  279. status:
  280. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  281. properties:
  282. conditions:
  283. items:
  284. properties:
  285. message:
  286. type: string
  287. status:
  288. type: string
  289. type:
  290. type: string
  291. required:
  292. - status
  293. - type
  294. type: object
  295. type: array
  296. failedNamespaces:
  297. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  298. items:
  299. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  300. properties:
  301. namespace:
  302. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  303. type: string
  304. reason:
  305. description: Reason is why the ExternalSecret failed to apply to the namespace
  306. type: string
  307. required:
  308. - namespace
  309. type: object
  310. type: array
  311. provisionedNamespaces:
  312. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  313. items:
  314. type: string
  315. type: array
  316. type: object
  317. type: object
  318. served: true
  319. storage: true
  320. subresources:
  321. status: {}
  322. conversion:
  323. strategy: Webhook
  324. webhook:
  325. conversionReviewVersions:
  326. - v1
  327. clientConfig:
  328. service:
  329. name: kubernetes
  330. namespace: default
  331. path: /convert
  332. status:
  333. acceptedNames:
  334. kind: ""
  335. plural: ""
  336. conditions: []
  337. storedVersions: []
  338. ---
  339. apiVersion: apiextensions.k8s.io/v1
  340. kind: CustomResourceDefinition
  341. metadata:
  342. annotations:
  343. controller-gen.kubebuilder.io/version: v0.8.0
  344. creationTimestamp: null
  345. name: clustersecretstores.external-secrets.io
  346. spec:
  347. group: external-secrets.io
  348. names:
  349. categories:
  350. - externalsecrets
  351. kind: ClusterSecretStore
  352. listKind: ClusterSecretStoreList
  353. plural: clustersecretstores
  354. shortNames:
  355. - css
  356. singular: clustersecretstore
  357. scope: Cluster
  358. versions:
  359. - additionalPrinterColumns:
  360. - jsonPath: .metadata.creationTimestamp
  361. name: AGE
  362. type: date
  363. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  364. name: Status
  365. type: string
  366. deprecated: true
  367. name: v1alpha1
  368. schema:
  369. openAPIV3Schema:
  370. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  371. properties:
  372. apiVersion:
  373. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  374. type: string
  375. kind:
  376. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  377. type: string
  378. metadata:
  379. type: object
  380. spec:
  381. description: SecretStoreSpec defines the desired state of SecretStore.
  382. properties:
  383. controller:
  384. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  385. type: string
  386. provider:
  387. description: Used to configure the provider. Only one provider may be set
  388. maxProperties: 1
  389. minProperties: 1
  390. properties:
  391. akeyless:
  392. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  393. properties:
  394. akeylessGWApiURL:
  395. description: Akeyless GW API Url from which the secrets to be fetched from.
  396. type: string
  397. authSecretRef:
  398. description: Auth configures how the operator authenticates with Akeyless.
  399. properties:
  400. secretRef:
  401. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  402. properties:
  403. accessID:
  404. description: The SecretAccessID is used for authentication
  405. properties:
  406. key:
  407. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  408. type: string
  409. name:
  410. description: The name of the Secret resource being referred to.
  411. type: string
  412. namespace:
  413. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  414. type: string
  415. type: object
  416. accessType:
  417. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  418. properties:
  419. key:
  420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  421. type: string
  422. name:
  423. description: The name of the Secret resource being referred to.
  424. type: string
  425. namespace:
  426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  427. type: string
  428. type: object
  429. accessTypeParam:
  430. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  431. properties:
  432. key:
  433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  434. type: string
  435. name:
  436. description: The name of the Secret resource being referred to.
  437. type: string
  438. namespace:
  439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  440. type: string
  441. type: object
  442. type: object
  443. required:
  444. - secretRef
  445. type: object
  446. required:
  447. - akeylessGWApiURL
  448. - authSecretRef
  449. type: object
  450. alibaba:
  451. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  452. properties:
  453. auth:
  454. description: AlibabaAuth contains a secretRef for credentials.
  455. properties:
  456. secretRef:
  457. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  458. properties:
  459. accessKeyIDSecretRef:
  460. description: The AccessKeyID is used for authentication
  461. properties:
  462. key:
  463. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  464. type: string
  465. name:
  466. description: The name of the Secret resource being referred to.
  467. type: string
  468. namespace:
  469. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  470. type: string
  471. type: object
  472. accessKeySecretSecretRef:
  473. description: The AccessKeySecret is used for authentication
  474. properties:
  475. key:
  476. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  477. type: string
  478. name:
  479. description: The name of the Secret resource being referred to.
  480. type: string
  481. namespace:
  482. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  483. type: string
  484. type: object
  485. required:
  486. - accessKeyIDSecretRef
  487. - accessKeySecretSecretRef
  488. type: object
  489. required:
  490. - secretRef
  491. type: object
  492. endpoint:
  493. type: string
  494. regionID:
  495. description: Alibaba Region to be used for the provider
  496. type: string
  497. required:
  498. - auth
  499. - regionID
  500. type: object
  501. aws:
  502. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  503. properties:
  504. auth:
  505. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  506. properties:
  507. jwt:
  508. description: Authenticate against AWS using service account tokens.
  509. properties:
  510. serviceAccountRef:
  511. description: A reference to a ServiceAccount resource.
  512. properties:
  513. name:
  514. description: The name of the ServiceAccount resource being referred to.
  515. type: string
  516. namespace:
  517. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  518. type: string
  519. required:
  520. - name
  521. type: object
  522. type: object
  523. secretRef:
  524. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  525. properties:
  526. accessKeyIDSecretRef:
  527. description: The AccessKeyID is used for authentication
  528. properties:
  529. key:
  530. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  531. type: string
  532. name:
  533. description: The name of the Secret resource being referred to.
  534. type: string
  535. namespace:
  536. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  537. type: string
  538. type: object
  539. secretAccessKeySecretRef:
  540. description: The SecretAccessKey is used for authentication
  541. properties:
  542. key:
  543. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  544. type: string
  545. name:
  546. description: The name of the Secret resource being referred to.
  547. type: string
  548. namespace:
  549. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  550. type: string
  551. type: object
  552. type: object
  553. type: object
  554. region:
  555. description: AWS Region to be used for the provider
  556. type: string
  557. role:
  558. description: Role is a Role ARN which the SecretManager provider will assume
  559. type: string
  560. service:
  561. description: Service defines which service should be used to fetch the secrets
  562. enum:
  563. - SecretsManager
  564. - ParameterStore
  565. type: string
  566. required:
  567. - region
  568. - service
  569. type: object
  570. azurekv:
  571. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  572. properties:
  573. authSecretRef:
  574. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  575. properties:
  576. clientId:
  577. description: The Azure clientId of the service principle used for authentication.
  578. properties:
  579. key:
  580. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  581. type: string
  582. name:
  583. description: The name of the Secret resource being referred to.
  584. type: string
  585. namespace:
  586. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  587. type: string
  588. type: object
  589. clientSecret:
  590. description: The Azure ClientSecret of the service principle used for authentication.
  591. properties:
  592. key:
  593. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  594. type: string
  595. name:
  596. description: The name of the Secret resource being referred to.
  597. type: string
  598. namespace:
  599. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  600. type: string
  601. type: object
  602. type: object
  603. authType:
  604. default: ServicePrincipal
  605. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  606. enum:
  607. - ServicePrincipal
  608. - ManagedIdentity
  609. - WorkloadIdentity
  610. type: string
  611. identityId:
  612. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  613. type: string
  614. serviceAccountRef:
  615. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  616. properties:
  617. name:
  618. description: The name of the ServiceAccount resource being referred to.
  619. type: string
  620. namespace:
  621. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  622. type: string
  623. required:
  624. - name
  625. type: object
  626. tenantId:
  627. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  628. type: string
  629. vaultUrl:
  630. description: Vault Url from which the secrets to be fetched from.
  631. type: string
  632. required:
  633. - vaultUrl
  634. type: object
  635. fake:
  636. description: Fake configures a store with static key/value pairs
  637. properties:
  638. data:
  639. items:
  640. properties:
  641. key:
  642. type: string
  643. value:
  644. type: string
  645. valueMap:
  646. additionalProperties:
  647. type: string
  648. type: object
  649. version:
  650. type: string
  651. required:
  652. - key
  653. type: object
  654. type: array
  655. required:
  656. - data
  657. type: object
  658. gcpsm:
  659. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  660. properties:
  661. auth:
  662. description: Auth defines the information necessary to authenticate against GCP
  663. properties:
  664. secretRef:
  665. properties:
  666. secretAccessKeySecretRef:
  667. description: The SecretAccessKey is used for authentication
  668. properties:
  669. key:
  670. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  671. type: string
  672. name:
  673. description: The name of the Secret resource being referred to.
  674. type: string
  675. namespace:
  676. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  677. type: string
  678. type: object
  679. type: object
  680. workloadIdentity:
  681. properties:
  682. clusterLocation:
  683. type: string
  684. clusterName:
  685. type: string
  686. clusterProjectID:
  687. type: string
  688. serviceAccountRef:
  689. description: A reference to a ServiceAccount resource.
  690. properties:
  691. name:
  692. description: The name of the ServiceAccount resource being referred to.
  693. type: string
  694. namespace:
  695. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  696. type: string
  697. required:
  698. - name
  699. type: object
  700. required:
  701. - clusterLocation
  702. - clusterName
  703. - serviceAccountRef
  704. type: object
  705. type: object
  706. projectID:
  707. description: ProjectID project where secret is located
  708. type: string
  709. type: object
  710. gitlab:
  711. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  712. properties:
  713. auth:
  714. description: Auth configures how secret-manager authenticates with a GitLab instance.
  715. properties:
  716. SecretRef:
  717. properties:
  718. accessToken:
  719. description: AccessToken is used for authentication.
  720. properties:
  721. key:
  722. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  723. type: string
  724. name:
  725. description: The name of the Secret resource being referred to.
  726. type: string
  727. namespace:
  728. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  729. type: string
  730. type: object
  731. type: object
  732. required:
  733. - SecretRef
  734. type: object
  735. projectID:
  736. description: ProjectID specifies a project where secrets are located.
  737. type: string
  738. url:
  739. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  740. type: string
  741. required:
  742. - auth
  743. type: object
  744. ibm:
  745. description: IBM configures this store to sync secrets using IBM Cloud provider
  746. properties:
  747. auth:
  748. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  749. properties:
  750. secretRef:
  751. properties:
  752. secretApiKeySecretRef:
  753. description: The SecretAccessKey is used for authentication
  754. properties:
  755. key:
  756. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  757. type: string
  758. name:
  759. description: The name of the Secret resource being referred to.
  760. type: string
  761. namespace:
  762. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  763. type: string
  764. type: object
  765. type: object
  766. required:
  767. - secretRef
  768. type: object
  769. serviceUrl:
  770. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  771. type: string
  772. required:
  773. - auth
  774. type: object
  775. kubernetes:
  776. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  777. properties:
  778. auth:
  779. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  780. maxProperties: 1
  781. minProperties: 1
  782. properties:
  783. cert:
  784. description: has both clientCert and clientKey as secretKeySelector
  785. properties:
  786. clientCert:
  787. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  788. properties:
  789. key:
  790. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  791. type: string
  792. name:
  793. description: The name of the Secret resource being referred to.
  794. type: string
  795. namespace:
  796. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  797. type: string
  798. type: object
  799. clientKey:
  800. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  801. properties:
  802. key:
  803. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  804. type: string
  805. name:
  806. description: The name of the Secret resource being referred to.
  807. type: string
  808. namespace:
  809. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  810. type: string
  811. type: object
  812. type: object
  813. serviceAccount:
  814. description: points to a service account that should be used for authentication
  815. properties:
  816. serviceAccount:
  817. description: A reference to a ServiceAccount resource.
  818. properties:
  819. name:
  820. description: The name of the ServiceAccount resource being referred to.
  821. type: string
  822. namespace:
  823. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  824. type: string
  825. required:
  826. - name
  827. type: object
  828. type: object
  829. token:
  830. description: use static token to authenticate with
  831. properties:
  832. bearerToken:
  833. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  834. properties:
  835. key:
  836. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  837. type: string
  838. name:
  839. description: The name of the Secret resource being referred to.
  840. type: string
  841. namespace:
  842. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  843. type: string
  844. type: object
  845. type: object
  846. type: object
  847. remoteNamespace:
  848. default: default
  849. description: Remote namespace to fetch the secrets from
  850. type: string
  851. server:
  852. description: configures the Kubernetes server Address.
  853. properties:
  854. caBundle:
  855. description: CABundle is a base64-encoded CA certificate
  856. format: byte
  857. type: string
  858. caProvider:
  859. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  860. properties:
  861. key:
  862. description: The key the value inside of the provider type to use, only used with "Secret" type
  863. type: string
  864. name:
  865. description: The name of the object located at the provider type.
  866. type: string
  867. namespace:
  868. description: The namespace the Provider type is in.
  869. type: string
  870. type:
  871. description: The type of provider to use such as "Secret", or "ConfigMap".
  872. enum:
  873. - Secret
  874. - ConfigMap
  875. type: string
  876. required:
  877. - name
  878. - type
  879. type: object
  880. url:
  881. default: kubernetes.default
  882. description: configures the Kubernetes server Address.
  883. type: string
  884. type: object
  885. required:
  886. - auth
  887. type: object
  888. oracle:
  889. description: Oracle configures this store to sync secrets using Oracle Vault provider
  890. properties:
  891. auth:
  892. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  893. properties:
  894. secretRef:
  895. description: SecretRef to pass through sensitive information.
  896. properties:
  897. fingerprint:
  898. description: Fingerprint is the fingerprint of the API private key.
  899. properties:
  900. key:
  901. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  902. type: string
  903. name:
  904. description: The name of the Secret resource being referred to.
  905. type: string
  906. namespace:
  907. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  908. type: string
  909. type: object
  910. privatekey:
  911. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  912. properties:
  913. key:
  914. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  915. type: string
  916. name:
  917. description: The name of the Secret resource being referred to.
  918. type: string
  919. namespace:
  920. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  921. type: string
  922. type: object
  923. required:
  924. - fingerprint
  925. - privatekey
  926. type: object
  927. tenancy:
  928. description: Tenancy is the tenancy OCID where user is located.
  929. type: string
  930. user:
  931. description: User is an access OCID specific to the account.
  932. type: string
  933. required:
  934. - secretRef
  935. - tenancy
  936. - user
  937. type: object
  938. region:
  939. description: Region is the region where vault is located.
  940. type: string
  941. vault:
  942. description: Vault is the vault's OCID of the specific vault where secret is located.
  943. type: string
  944. required:
  945. - region
  946. - vault
  947. type: object
  948. vault:
  949. description: Vault configures this store to sync secrets using Hashi provider
  950. properties:
  951. auth:
  952. description: Auth configures how secret-manager authenticates with the Vault server.
  953. properties:
  954. appRole:
  955. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  956. properties:
  957. path:
  958. default: approle
  959. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  960. type: string
  961. roleId:
  962. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  963. type: string
  964. secretRef:
  965. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  966. properties:
  967. key:
  968. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  969. type: string
  970. name:
  971. description: The name of the Secret resource being referred to.
  972. type: string
  973. namespace:
  974. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  975. type: string
  976. type: object
  977. required:
  978. - path
  979. - roleId
  980. - secretRef
  981. type: object
  982. cert:
  983. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  984. properties:
  985. clientCert:
  986. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  987. properties:
  988. key:
  989. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  990. type: string
  991. name:
  992. description: The name of the Secret resource being referred to.
  993. type: string
  994. namespace:
  995. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  996. type: string
  997. type: object
  998. secretRef:
  999. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  1000. properties:
  1001. key:
  1002. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1003. type: string
  1004. name:
  1005. description: The name of the Secret resource being referred to.
  1006. type: string
  1007. namespace:
  1008. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1009. type: string
  1010. type: object
  1011. type: object
  1012. jwt:
  1013. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1014. properties:
  1015. kubernetesServiceAccountToken:
  1016. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  1017. properties:
  1018. audiences:
  1019. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  1020. items:
  1021. type: string
  1022. type: array
  1023. expirationSeconds:
  1024. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1025. format: int64
  1026. type: integer
  1027. serviceAccountRef:
  1028. description: Service account field containing the name of a kubernetes ServiceAccount.
  1029. properties:
  1030. name:
  1031. description: The name of the ServiceAccount resource being referred to.
  1032. type: string
  1033. namespace:
  1034. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1035. type: string
  1036. required:
  1037. - name
  1038. type: object
  1039. required:
  1040. - serviceAccountRef
  1041. type: object
  1042. path:
  1043. default: jwt
  1044. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1045. type: string
  1046. role:
  1047. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1048. type: string
  1049. secretRef:
  1050. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1051. properties:
  1052. key:
  1053. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1054. type: string
  1055. name:
  1056. description: The name of the Secret resource being referred to.
  1057. type: string
  1058. namespace:
  1059. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1060. type: string
  1061. type: object
  1062. required:
  1063. - path
  1064. type: object
  1065. kubernetes:
  1066. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1067. properties:
  1068. mountPath:
  1069. default: kubernetes
  1070. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1071. type: string
  1072. role:
  1073. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1074. type: string
  1075. secretRef:
  1076. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1077. properties:
  1078. key:
  1079. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1080. type: string
  1081. name:
  1082. description: The name of the Secret resource being referred to.
  1083. type: string
  1084. namespace:
  1085. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1086. type: string
  1087. type: object
  1088. serviceAccountRef:
  1089. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1090. properties:
  1091. name:
  1092. description: The name of the ServiceAccount resource being referred to.
  1093. type: string
  1094. namespace:
  1095. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1096. type: string
  1097. required:
  1098. - name
  1099. type: object
  1100. required:
  1101. - mountPath
  1102. - role
  1103. type: object
  1104. ldap:
  1105. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1106. properties:
  1107. path:
  1108. default: ldap
  1109. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1110. type: string
  1111. secretRef:
  1112. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1113. properties:
  1114. key:
  1115. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1116. type: string
  1117. name:
  1118. description: The name of the Secret resource being referred to.
  1119. type: string
  1120. namespace:
  1121. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1122. type: string
  1123. type: object
  1124. username:
  1125. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1126. type: string
  1127. required:
  1128. - path
  1129. - username
  1130. type: object
  1131. tokenSecretRef:
  1132. description: TokenSecretRef authenticates with Vault by presenting a token.
  1133. properties:
  1134. key:
  1135. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1136. type: string
  1137. name:
  1138. description: The name of the Secret resource being referred to.
  1139. type: string
  1140. namespace:
  1141. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1142. type: string
  1143. type: object
  1144. type: object
  1145. caBundle:
  1146. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1147. format: byte
  1148. type: string
  1149. caProvider:
  1150. description: The provider for the CA bundle to use to validate Vault server certificate.
  1151. properties:
  1152. key:
  1153. description: The key the value inside of the provider type to use, only used with "Secret" type
  1154. type: string
  1155. name:
  1156. description: The name of the object located at the provider type.
  1157. type: string
  1158. namespace:
  1159. description: The namespace the Provider type is in.
  1160. type: string
  1161. type:
  1162. description: The type of provider to use such as "Secret", or "ConfigMap".
  1163. enum:
  1164. - Secret
  1165. - ConfigMap
  1166. type: string
  1167. required:
  1168. - name
  1169. - type
  1170. type: object
  1171. forwardInconsistent:
  1172. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1173. type: boolean
  1174. namespace:
  1175. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1176. type: string
  1177. path:
  1178. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1179. type: string
  1180. readYourWrites:
  1181. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1182. type: boolean
  1183. server:
  1184. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1185. type: string
  1186. version:
  1187. default: v2
  1188. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1189. enum:
  1190. - v1
  1191. - v2
  1192. type: string
  1193. required:
  1194. - auth
  1195. - server
  1196. type: object
  1197. webhook:
  1198. description: Webhook configures this store to sync secrets using a generic templated webhook
  1199. properties:
  1200. body:
  1201. description: Body
  1202. type: string
  1203. caBundle:
  1204. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1205. format: byte
  1206. type: string
  1207. caProvider:
  1208. description: The provider for the CA bundle to use to validate webhook server certificate.
  1209. properties:
  1210. key:
  1211. description: The key the value inside of the provider type to use, only used with "Secret" type
  1212. type: string
  1213. name:
  1214. description: The name of the object located at the provider type.
  1215. type: string
  1216. namespace:
  1217. description: The namespace the Provider type is in.
  1218. type: string
  1219. type:
  1220. description: The type of provider to use such as "Secret", or "ConfigMap".
  1221. enum:
  1222. - Secret
  1223. - ConfigMap
  1224. type: string
  1225. required:
  1226. - name
  1227. - type
  1228. type: object
  1229. headers:
  1230. additionalProperties:
  1231. type: string
  1232. description: Headers
  1233. type: object
  1234. method:
  1235. description: Webhook Method
  1236. type: string
  1237. result:
  1238. description: Result formatting
  1239. properties:
  1240. jsonPath:
  1241. description: Json path of return value
  1242. type: string
  1243. type: object
  1244. secrets:
  1245. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1246. items:
  1247. properties:
  1248. name:
  1249. description: Name of this secret in templates
  1250. type: string
  1251. secretRef:
  1252. description: Secret ref to fill in credentials
  1253. properties:
  1254. key:
  1255. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1256. type: string
  1257. name:
  1258. description: The name of the Secret resource being referred to.
  1259. type: string
  1260. namespace:
  1261. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1262. type: string
  1263. type: object
  1264. required:
  1265. - name
  1266. - secretRef
  1267. type: object
  1268. type: array
  1269. timeout:
  1270. description: Timeout
  1271. type: string
  1272. url:
  1273. description: Webhook url to call
  1274. type: string
  1275. required:
  1276. - result
  1277. - url
  1278. type: object
  1279. yandexlockbox:
  1280. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1281. properties:
  1282. apiEndpoint:
  1283. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1284. type: string
  1285. auth:
  1286. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1287. properties:
  1288. authorizedKeySecretRef:
  1289. description: The authorized key used for authentication
  1290. properties:
  1291. key:
  1292. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1293. type: string
  1294. name:
  1295. description: The name of the Secret resource being referred to.
  1296. type: string
  1297. namespace:
  1298. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1299. type: string
  1300. type: object
  1301. type: object
  1302. caProvider:
  1303. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1304. properties:
  1305. certSecretRef:
  1306. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1307. properties:
  1308. key:
  1309. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1310. type: string
  1311. name:
  1312. description: The name of the Secret resource being referred to.
  1313. type: string
  1314. namespace:
  1315. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1316. type: string
  1317. type: object
  1318. type: object
  1319. required:
  1320. - auth
  1321. type: object
  1322. type: object
  1323. retrySettings:
  1324. description: Used to configure http retries if failed
  1325. properties:
  1326. maxRetries:
  1327. format: int32
  1328. type: integer
  1329. retryInterval:
  1330. type: string
  1331. type: object
  1332. required:
  1333. - provider
  1334. type: object
  1335. status:
  1336. description: SecretStoreStatus defines the observed state of the SecretStore.
  1337. properties:
  1338. conditions:
  1339. items:
  1340. properties:
  1341. lastTransitionTime:
  1342. format: date-time
  1343. type: string
  1344. message:
  1345. type: string
  1346. reason:
  1347. type: string
  1348. status:
  1349. type: string
  1350. type:
  1351. type: string
  1352. required:
  1353. - status
  1354. - type
  1355. type: object
  1356. type: array
  1357. type: object
  1358. type: object
  1359. served: true
  1360. storage: false
  1361. subresources:
  1362. status: {}
  1363. - additionalPrinterColumns:
  1364. - jsonPath: .metadata.creationTimestamp
  1365. name: AGE
  1366. type: date
  1367. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1368. name: Status
  1369. type: string
  1370. - jsonPath: .status.capabilities
  1371. name: Capabilities
  1372. type: string
  1373. name: v1beta1
  1374. schema:
  1375. openAPIV3Schema:
  1376. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1377. properties:
  1378. apiVersion:
  1379. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1380. type: string
  1381. kind:
  1382. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1383. type: string
  1384. metadata:
  1385. type: object
  1386. spec:
  1387. description: SecretStoreSpec defines the desired state of SecretStore.
  1388. properties:
  1389. controller:
  1390. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  1391. type: string
  1392. provider:
  1393. description: Used to configure the provider. Only one provider may be set
  1394. maxProperties: 1
  1395. minProperties: 1
  1396. properties:
  1397. akeyless:
  1398. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1399. properties:
  1400. akeylessGWApiURL:
  1401. description: Akeyless GW API Url from which the secrets to be fetched from.
  1402. type: string
  1403. authSecretRef:
  1404. description: Auth configures how the operator authenticates with Akeyless.
  1405. properties:
  1406. secretRef:
  1407. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  1408. properties:
  1409. accessID:
  1410. description: The SecretAccessID is used for authentication
  1411. properties:
  1412. key:
  1413. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1414. type: string
  1415. name:
  1416. description: The name of the Secret resource being referred to.
  1417. type: string
  1418. namespace:
  1419. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1420. type: string
  1421. type: object
  1422. accessType:
  1423. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1424. properties:
  1425. key:
  1426. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1427. type: string
  1428. name:
  1429. description: The name of the Secret resource being referred to.
  1430. type: string
  1431. namespace:
  1432. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1433. type: string
  1434. type: object
  1435. accessTypeParam:
  1436. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1437. properties:
  1438. key:
  1439. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1440. type: string
  1441. name:
  1442. description: The name of the Secret resource being referred to.
  1443. type: string
  1444. namespace:
  1445. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1446. type: string
  1447. type: object
  1448. type: object
  1449. required:
  1450. - secretRef
  1451. type: object
  1452. required:
  1453. - akeylessGWApiURL
  1454. - authSecretRef
  1455. type: object
  1456. alibaba:
  1457. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1458. properties:
  1459. auth:
  1460. description: AlibabaAuth contains a secretRef for credentials.
  1461. properties:
  1462. secretRef:
  1463. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1464. properties:
  1465. accessKeyIDSecretRef:
  1466. description: The AccessKeyID is used for authentication
  1467. properties:
  1468. key:
  1469. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1470. type: string
  1471. name:
  1472. description: The name of the Secret resource being referred to.
  1473. type: string
  1474. namespace:
  1475. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1476. type: string
  1477. type: object
  1478. accessKeySecretSecretRef:
  1479. description: The AccessKeySecret is used for authentication
  1480. properties:
  1481. key:
  1482. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1483. type: string
  1484. name:
  1485. description: The name of the Secret resource being referred to.
  1486. type: string
  1487. namespace:
  1488. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1489. type: string
  1490. type: object
  1491. required:
  1492. - accessKeyIDSecretRef
  1493. - accessKeySecretSecretRef
  1494. type: object
  1495. required:
  1496. - secretRef
  1497. type: object
  1498. endpoint:
  1499. type: string
  1500. regionID:
  1501. description: Alibaba Region to be used for the provider
  1502. type: string
  1503. required:
  1504. - auth
  1505. - regionID
  1506. type: object
  1507. aws:
  1508. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1509. properties:
  1510. auth:
  1511. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1512. properties:
  1513. jwt:
  1514. description: Authenticate against AWS using service account tokens.
  1515. properties:
  1516. serviceAccountRef:
  1517. description: A reference to a ServiceAccount resource.
  1518. properties:
  1519. name:
  1520. description: The name of the ServiceAccount resource being referred to.
  1521. type: string
  1522. namespace:
  1523. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1524. type: string
  1525. required:
  1526. - name
  1527. type: object
  1528. type: object
  1529. secretRef:
  1530. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1531. properties:
  1532. accessKeyIDSecretRef:
  1533. description: The AccessKeyID is used for authentication
  1534. properties:
  1535. key:
  1536. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1537. type: string
  1538. name:
  1539. description: The name of the Secret resource being referred to.
  1540. type: string
  1541. namespace:
  1542. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1543. type: string
  1544. type: object
  1545. secretAccessKeySecretRef:
  1546. description: The SecretAccessKey is used for authentication
  1547. properties:
  1548. key:
  1549. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1550. type: string
  1551. name:
  1552. description: The name of the Secret resource being referred to.
  1553. type: string
  1554. namespace:
  1555. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1556. type: string
  1557. type: object
  1558. type: object
  1559. type: object
  1560. region:
  1561. description: AWS Region to be used for the provider
  1562. type: string
  1563. role:
  1564. description: Role is a Role ARN which the SecretManager provider will assume
  1565. type: string
  1566. service:
  1567. description: Service defines which service should be used to fetch the secrets
  1568. enum:
  1569. - SecretsManager
  1570. - ParameterStore
  1571. type: string
  1572. required:
  1573. - region
  1574. - service
  1575. type: object
  1576. azurekv:
  1577. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1578. properties:
  1579. authSecretRef:
  1580. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1581. properties:
  1582. clientId:
  1583. description: The Azure clientId of the service principle used for authentication.
  1584. properties:
  1585. key:
  1586. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1587. type: string
  1588. name:
  1589. description: The name of the Secret resource being referred to.
  1590. type: string
  1591. namespace:
  1592. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1593. type: string
  1594. type: object
  1595. clientSecret:
  1596. description: The Azure ClientSecret of the service principle used for authentication.
  1597. properties:
  1598. key:
  1599. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1600. type: string
  1601. name:
  1602. description: The name of the Secret resource being referred to.
  1603. type: string
  1604. namespace:
  1605. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1606. type: string
  1607. type: object
  1608. type: object
  1609. authType:
  1610. default: ServicePrincipal
  1611. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  1612. enum:
  1613. - ServicePrincipal
  1614. - ManagedIdentity
  1615. - WorkloadIdentity
  1616. type: string
  1617. identityId:
  1618. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1619. type: string
  1620. serviceAccountRef:
  1621. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1622. properties:
  1623. name:
  1624. description: The name of the ServiceAccount resource being referred to.
  1625. type: string
  1626. namespace:
  1627. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1628. type: string
  1629. required:
  1630. - name
  1631. type: object
  1632. tenantId:
  1633. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1634. type: string
  1635. vaultUrl:
  1636. description: Vault Url from which the secrets to be fetched from.
  1637. type: string
  1638. required:
  1639. - vaultUrl
  1640. type: object
  1641. fake:
  1642. description: Fake configures a store with static key/value pairs
  1643. properties:
  1644. data:
  1645. items:
  1646. properties:
  1647. key:
  1648. type: string
  1649. value:
  1650. type: string
  1651. valueMap:
  1652. additionalProperties:
  1653. type: string
  1654. type: object
  1655. version:
  1656. type: string
  1657. required:
  1658. - key
  1659. type: object
  1660. type: array
  1661. required:
  1662. - data
  1663. type: object
  1664. gcpsm:
  1665. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1666. properties:
  1667. auth:
  1668. description: Auth defines the information necessary to authenticate against GCP
  1669. properties:
  1670. secretRef:
  1671. properties:
  1672. secretAccessKeySecretRef:
  1673. description: The SecretAccessKey is used for authentication
  1674. properties:
  1675. key:
  1676. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1677. type: string
  1678. name:
  1679. description: The name of the Secret resource being referred to.
  1680. type: string
  1681. namespace:
  1682. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1683. type: string
  1684. type: object
  1685. type: object
  1686. workloadIdentity:
  1687. properties:
  1688. clusterLocation:
  1689. type: string
  1690. clusterName:
  1691. type: string
  1692. clusterProjectID:
  1693. type: string
  1694. serviceAccountRef:
  1695. description: A reference to a ServiceAccount resource.
  1696. properties:
  1697. name:
  1698. description: The name of the ServiceAccount resource being referred to.
  1699. type: string
  1700. namespace:
  1701. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1702. type: string
  1703. required:
  1704. - name
  1705. type: object
  1706. required:
  1707. - clusterLocation
  1708. - clusterName
  1709. - serviceAccountRef
  1710. type: object
  1711. type: object
  1712. projectID:
  1713. description: ProjectID project where secret is located
  1714. type: string
  1715. type: object
  1716. gitlab:
  1717. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  1718. properties:
  1719. auth:
  1720. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1721. properties:
  1722. SecretRef:
  1723. properties:
  1724. accessToken:
  1725. description: AccessToken is used for authentication.
  1726. properties:
  1727. key:
  1728. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1729. type: string
  1730. name:
  1731. description: The name of the Secret resource being referred to.
  1732. type: string
  1733. namespace:
  1734. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1735. type: string
  1736. type: object
  1737. type: object
  1738. required:
  1739. - SecretRef
  1740. type: object
  1741. projectID:
  1742. description: ProjectID specifies a project where secrets are located.
  1743. type: string
  1744. url:
  1745. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1746. type: string
  1747. required:
  1748. - auth
  1749. type: object
  1750. ibm:
  1751. description: IBM configures this store to sync secrets using IBM Cloud provider
  1752. properties:
  1753. auth:
  1754. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1755. properties:
  1756. secretRef:
  1757. properties:
  1758. secretApiKeySecretRef:
  1759. description: The SecretAccessKey is used for authentication
  1760. properties:
  1761. key:
  1762. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1763. type: string
  1764. name:
  1765. description: The name of the Secret resource being referred to.
  1766. type: string
  1767. namespace:
  1768. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1769. type: string
  1770. type: object
  1771. type: object
  1772. required:
  1773. - secretRef
  1774. type: object
  1775. serviceUrl:
  1776. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1777. type: string
  1778. required:
  1779. - auth
  1780. type: object
  1781. kubernetes:
  1782. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1783. properties:
  1784. auth:
  1785. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1786. maxProperties: 1
  1787. minProperties: 1
  1788. properties:
  1789. cert:
  1790. description: has both clientCert and clientKey as secretKeySelector
  1791. properties:
  1792. clientCert:
  1793. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1794. properties:
  1795. key:
  1796. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1797. type: string
  1798. name:
  1799. description: The name of the Secret resource being referred to.
  1800. type: string
  1801. namespace:
  1802. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1803. type: string
  1804. type: object
  1805. clientKey:
  1806. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1807. properties:
  1808. key:
  1809. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1810. type: string
  1811. name:
  1812. description: The name of the Secret resource being referred to.
  1813. type: string
  1814. namespace:
  1815. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1816. type: string
  1817. type: object
  1818. type: object
  1819. serviceAccount:
  1820. description: points to a service account that should be used for authentication
  1821. properties:
  1822. serviceAccount:
  1823. description: A reference to a ServiceAccount resource.
  1824. properties:
  1825. name:
  1826. description: The name of the ServiceAccount resource being referred to.
  1827. type: string
  1828. namespace:
  1829. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1830. type: string
  1831. required:
  1832. - name
  1833. type: object
  1834. type: object
  1835. token:
  1836. description: use static token to authenticate with
  1837. properties:
  1838. bearerToken:
  1839. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1840. properties:
  1841. key:
  1842. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1843. type: string
  1844. name:
  1845. description: The name of the Secret resource being referred to.
  1846. type: string
  1847. namespace:
  1848. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1849. type: string
  1850. type: object
  1851. type: object
  1852. type: object
  1853. remoteNamespace:
  1854. default: default
  1855. description: Remote namespace to fetch the secrets from
  1856. type: string
  1857. server:
  1858. description: configures the Kubernetes server Address.
  1859. properties:
  1860. caBundle:
  1861. description: CABundle is a base64-encoded CA certificate
  1862. format: byte
  1863. type: string
  1864. caProvider:
  1865. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1866. properties:
  1867. key:
  1868. description: The key the value inside of the provider type to use, only used with "Secret" type
  1869. type: string
  1870. name:
  1871. description: The name of the object located at the provider type.
  1872. type: string
  1873. namespace:
  1874. description: The namespace the Provider type is in.
  1875. type: string
  1876. type:
  1877. description: The type of provider to use such as "Secret", or "ConfigMap".
  1878. enum:
  1879. - Secret
  1880. - ConfigMap
  1881. type: string
  1882. required:
  1883. - name
  1884. - type
  1885. type: object
  1886. url:
  1887. default: kubernetes.default
  1888. description: configures the Kubernetes server Address.
  1889. type: string
  1890. type: object
  1891. required:
  1892. - auth
  1893. type: object
  1894. onepassword:
  1895. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  1896. properties:
  1897. auth:
  1898. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  1899. properties:
  1900. secretRef:
  1901. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  1902. properties:
  1903. connectTokenSecretRef:
  1904. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  1905. properties:
  1906. key:
  1907. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1908. type: string
  1909. name:
  1910. description: The name of the Secret resource being referred to.
  1911. type: string
  1912. namespace:
  1913. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1914. type: string
  1915. type: object
  1916. required:
  1917. - connectTokenSecretRef
  1918. type: object
  1919. required:
  1920. - secretRef
  1921. type: object
  1922. connectHost:
  1923. description: ConnectHost defines the OnePassword Connect Server to connect to
  1924. type: string
  1925. vaults:
  1926. additionalProperties:
  1927. type: integer
  1928. description: Vaults defines which OnePassword vaults to search in which order
  1929. type: object
  1930. required:
  1931. - auth
  1932. - connectHost
  1933. - vaults
  1934. type: object
  1935. oracle:
  1936. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1937. properties:
  1938. auth:
  1939. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  1940. properties:
  1941. secretRef:
  1942. description: SecretRef to pass through sensitive information.
  1943. properties:
  1944. fingerprint:
  1945. description: Fingerprint is the fingerprint of the API private key.
  1946. properties:
  1947. key:
  1948. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1949. type: string
  1950. name:
  1951. description: The name of the Secret resource being referred to.
  1952. type: string
  1953. namespace:
  1954. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1955. type: string
  1956. type: object
  1957. privatekey:
  1958. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1959. properties:
  1960. key:
  1961. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1962. type: string
  1963. name:
  1964. description: The name of the Secret resource being referred to.
  1965. type: string
  1966. namespace:
  1967. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1968. type: string
  1969. type: object
  1970. required:
  1971. - fingerprint
  1972. - privatekey
  1973. type: object
  1974. tenancy:
  1975. description: Tenancy is the tenancy OCID where user is located.
  1976. type: string
  1977. user:
  1978. description: User is an access OCID specific to the account.
  1979. type: string
  1980. required:
  1981. - secretRef
  1982. - tenancy
  1983. - user
  1984. type: object
  1985. region:
  1986. description: Region is the region where vault is located.
  1987. type: string
  1988. vault:
  1989. description: Vault is the vault's OCID of the specific vault where secret is located.
  1990. type: string
  1991. required:
  1992. - region
  1993. - vault
  1994. type: object
  1995. senhasegura:
  1996. description: Senhasegura configures this store to sync secrets using senhasegura provider
  1997. properties:
  1998. auth:
  1999. description: Auth defines parameters to authenticate in senhasegura
  2000. properties:
  2001. clientId:
  2002. type: string
  2003. clientSecretSecretRef:
  2004. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2005. properties:
  2006. key:
  2007. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2008. type: string
  2009. name:
  2010. description: The name of the Secret resource being referred to.
  2011. type: string
  2012. namespace:
  2013. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2014. type: string
  2015. type: object
  2016. required:
  2017. - clientId
  2018. - clientSecretSecretRef
  2019. type: object
  2020. ignoreSslCertificate:
  2021. default: false
  2022. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  2023. type: boolean
  2024. module:
  2025. description: Module defines which senhasegura module should be used to get secrets
  2026. type: string
  2027. url:
  2028. description: URL of senhasegura
  2029. type: string
  2030. required:
  2031. - auth
  2032. - module
  2033. - url
  2034. type: object
  2035. vault:
  2036. description: Vault configures this store to sync secrets using Hashi provider
  2037. properties:
  2038. auth:
  2039. description: Auth configures how secret-manager authenticates with the Vault server.
  2040. properties:
  2041. appRole:
  2042. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2043. properties:
  2044. path:
  2045. default: approle
  2046. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2047. type: string
  2048. roleId:
  2049. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2050. type: string
  2051. secretRef:
  2052. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2053. properties:
  2054. key:
  2055. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2056. type: string
  2057. name:
  2058. description: The name of the Secret resource being referred to.
  2059. type: string
  2060. namespace:
  2061. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2062. type: string
  2063. type: object
  2064. required:
  2065. - path
  2066. - roleId
  2067. - secretRef
  2068. type: object
  2069. cert:
  2070. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2071. properties:
  2072. clientCert:
  2073. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2074. properties:
  2075. key:
  2076. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2077. type: string
  2078. name:
  2079. description: The name of the Secret resource being referred to.
  2080. type: string
  2081. namespace:
  2082. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2083. type: string
  2084. type: object
  2085. secretRef:
  2086. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2087. properties:
  2088. key:
  2089. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2090. type: string
  2091. name:
  2092. description: The name of the Secret resource being referred to.
  2093. type: string
  2094. namespace:
  2095. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2096. type: string
  2097. type: object
  2098. type: object
  2099. jwt:
  2100. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2101. properties:
  2102. kubernetesServiceAccountToken:
  2103. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2104. properties:
  2105. audiences:
  2106. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  2107. items:
  2108. type: string
  2109. type: array
  2110. expirationSeconds:
  2111. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  2112. format: int64
  2113. type: integer
  2114. serviceAccountRef:
  2115. description: Service account field containing the name of a kubernetes ServiceAccount.
  2116. properties:
  2117. name:
  2118. description: The name of the ServiceAccount resource being referred to.
  2119. type: string
  2120. namespace:
  2121. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2122. type: string
  2123. required:
  2124. - name
  2125. type: object
  2126. required:
  2127. - serviceAccountRef
  2128. type: object
  2129. path:
  2130. default: jwt
  2131. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2132. type: string
  2133. role:
  2134. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2135. type: string
  2136. secretRef:
  2137. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  2138. properties:
  2139. key:
  2140. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2141. type: string
  2142. name:
  2143. description: The name of the Secret resource being referred to.
  2144. type: string
  2145. namespace:
  2146. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2147. type: string
  2148. type: object
  2149. required:
  2150. - path
  2151. type: object
  2152. kubernetes:
  2153. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2154. properties:
  2155. mountPath:
  2156. default: kubernetes
  2157. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2158. type: string
  2159. role:
  2160. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2161. type: string
  2162. secretRef:
  2163. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2164. properties:
  2165. key:
  2166. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2167. type: string
  2168. name:
  2169. description: The name of the Secret resource being referred to.
  2170. type: string
  2171. namespace:
  2172. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2173. type: string
  2174. type: object
  2175. serviceAccountRef:
  2176. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2177. properties:
  2178. name:
  2179. description: The name of the ServiceAccount resource being referred to.
  2180. type: string
  2181. namespace:
  2182. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2183. type: string
  2184. required:
  2185. - name
  2186. type: object
  2187. required:
  2188. - mountPath
  2189. - role
  2190. type: object
  2191. ldap:
  2192. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2193. properties:
  2194. path:
  2195. default: ldap
  2196. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2197. type: string
  2198. secretRef:
  2199. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2200. properties:
  2201. key:
  2202. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2203. type: string
  2204. name:
  2205. description: The name of the Secret resource being referred to.
  2206. type: string
  2207. namespace:
  2208. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2209. type: string
  2210. type: object
  2211. username:
  2212. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2213. type: string
  2214. required:
  2215. - path
  2216. - username
  2217. type: object
  2218. tokenSecretRef:
  2219. description: TokenSecretRef authenticates with Vault by presenting a token.
  2220. properties:
  2221. key:
  2222. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2223. type: string
  2224. name:
  2225. description: The name of the Secret resource being referred to.
  2226. type: string
  2227. namespace:
  2228. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2229. type: string
  2230. type: object
  2231. type: object
  2232. caBundle:
  2233. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2234. format: byte
  2235. type: string
  2236. caProvider:
  2237. description: The provider for the CA bundle to use to validate Vault server certificate.
  2238. properties:
  2239. key:
  2240. description: The key the value inside of the provider type to use, only used with "Secret" type
  2241. type: string
  2242. name:
  2243. description: The name of the object located at the provider type.
  2244. type: string
  2245. namespace:
  2246. description: The namespace the Provider type is in.
  2247. type: string
  2248. type:
  2249. description: The type of provider to use such as "Secret", or "ConfigMap".
  2250. enum:
  2251. - Secret
  2252. - ConfigMap
  2253. type: string
  2254. required:
  2255. - name
  2256. - type
  2257. type: object
  2258. forwardInconsistent:
  2259. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2260. type: boolean
  2261. namespace:
  2262. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2263. type: string
  2264. path:
  2265. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2266. type: string
  2267. readYourWrites:
  2268. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2269. type: boolean
  2270. server:
  2271. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2272. type: string
  2273. version:
  2274. default: v2
  2275. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2276. enum:
  2277. - v1
  2278. - v2
  2279. type: string
  2280. required:
  2281. - auth
  2282. - server
  2283. type: object
  2284. webhook:
  2285. description: Webhook configures this store to sync secrets using a generic templated webhook
  2286. properties:
  2287. body:
  2288. description: Body
  2289. type: string
  2290. caBundle:
  2291. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2292. format: byte
  2293. type: string
  2294. caProvider:
  2295. description: The provider for the CA bundle to use to validate webhook server certificate.
  2296. properties:
  2297. key:
  2298. description: The key the value inside of the provider type to use, only used with "Secret" type
  2299. type: string
  2300. name:
  2301. description: The name of the object located at the provider type.
  2302. type: string
  2303. namespace:
  2304. description: The namespace the Provider type is in.
  2305. type: string
  2306. type:
  2307. description: The type of provider to use such as "Secret", or "ConfigMap".
  2308. enum:
  2309. - Secret
  2310. - ConfigMap
  2311. type: string
  2312. required:
  2313. - name
  2314. - type
  2315. type: object
  2316. headers:
  2317. additionalProperties:
  2318. type: string
  2319. description: Headers
  2320. type: object
  2321. method:
  2322. description: Webhook Method
  2323. type: string
  2324. result:
  2325. description: Result formatting
  2326. properties:
  2327. jsonPath:
  2328. description: Json path of return value
  2329. type: string
  2330. type: object
  2331. secrets:
  2332. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  2333. items:
  2334. properties:
  2335. name:
  2336. description: Name of this secret in templates
  2337. type: string
  2338. secretRef:
  2339. description: Secret ref to fill in credentials
  2340. properties:
  2341. key:
  2342. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2343. type: string
  2344. name:
  2345. description: The name of the Secret resource being referred to.
  2346. type: string
  2347. namespace:
  2348. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2349. type: string
  2350. type: object
  2351. required:
  2352. - name
  2353. - secretRef
  2354. type: object
  2355. type: array
  2356. timeout:
  2357. description: Timeout
  2358. type: string
  2359. url:
  2360. description: Webhook url to call
  2361. type: string
  2362. required:
  2363. - result
  2364. - url
  2365. type: object
  2366. yandexcertificatemanager:
  2367. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  2368. properties:
  2369. apiEndpoint:
  2370. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2371. type: string
  2372. auth:
  2373. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  2374. properties:
  2375. authorizedKeySecretRef:
  2376. description: The authorized key used for authentication
  2377. properties:
  2378. key:
  2379. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2380. type: string
  2381. name:
  2382. description: The name of the Secret resource being referred to.
  2383. type: string
  2384. namespace:
  2385. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2386. type: string
  2387. type: object
  2388. type: object
  2389. caProvider:
  2390. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2391. properties:
  2392. certSecretRef:
  2393. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2394. properties:
  2395. key:
  2396. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2397. type: string
  2398. name:
  2399. description: The name of the Secret resource being referred to.
  2400. type: string
  2401. namespace:
  2402. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2403. type: string
  2404. type: object
  2405. type: object
  2406. required:
  2407. - auth
  2408. type: object
  2409. yandexlockbox:
  2410. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2411. properties:
  2412. apiEndpoint:
  2413. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2414. type: string
  2415. auth:
  2416. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2417. properties:
  2418. authorizedKeySecretRef:
  2419. description: The authorized key used for authentication
  2420. properties:
  2421. key:
  2422. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2423. type: string
  2424. name:
  2425. description: The name of the Secret resource being referred to.
  2426. type: string
  2427. namespace:
  2428. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2429. type: string
  2430. type: object
  2431. type: object
  2432. caProvider:
  2433. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2434. properties:
  2435. certSecretRef:
  2436. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2437. properties:
  2438. key:
  2439. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2440. type: string
  2441. name:
  2442. description: The name of the Secret resource being referred to.
  2443. type: string
  2444. namespace:
  2445. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2446. type: string
  2447. type: object
  2448. type: object
  2449. required:
  2450. - auth
  2451. type: object
  2452. type: object
  2453. refreshInterval:
  2454. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  2455. type: integer
  2456. retrySettings:
  2457. description: Used to configure http retries if failed
  2458. properties:
  2459. maxRetries:
  2460. format: int32
  2461. type: integer
  2462. retryInterval:
  2463. type: string
  2464. type: object
  2465. required:
  2466. - provider
  2467. type: object
  2468. status:
  2469. description: SecretStoreStatus defines the observed state of the SecretStore.
  2470. properties:
  2471. capabilities:
  2472. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  2473. type: string
  2474. conditions:
  2475. items:
  2476. properties:
  2477. lastTransitionTime:
  2478. format: date-time
  2479. type: string
  2480. message:
  2481. type: string
  2482. reason:
  2483. type: string
  2484. status:
  2485. type: string
  2486. type:
  2487. type: string
  2488. required:
  2489. - status
  2490. - type
  2491. type: object
  2492. type: array
  2493. type: object
  2494. type: object
  2495. served: true
  2496. storage: true
  2497. subresources:
  2498. status: {}
  2499. conversion:
  2500. strategy: Webhook
  2501. webhook:
  2502. conversionReviewVersions:
  2503. - v1
  2504. clientConfig:
  2505. service:
  2506. name: kubernetes
  2507. namespace: default
  2508. path: /convert
  2509. status:
  2510. acceptedNames:
  2511. kind: ""
  2512. plural: ""
  2513. conditions: []
  2514. storedVersions: []
  2515. ---
  2516. apiVersion: apiextensions.k8s.io/v1
  2517. kind: CustomResourceDefinition
  2518. metadata:
  2519. annotations:
  2520. controller-gen.kubebuilder.io/version: v0.8.0
  2521. creationTimestamp: null
  2522. name: externalsecrets.external-secrets.io
  2523. spec:
  2524. group: external-secrets.io
  2525. names:
  2526. categories:
  2527. - externalsecrets
  2528. kind: ExternalSecret
  2529. listKind: ExternalSecretList
  2530. plural: externalsecrets
  2531. shortNames:
  2532. - es
  2533. singular: externalsecret
  2534. scope: Namespaced
  2535. versions:
  2536. - additionalPrinterColumns:
  2537. - jsonPath: .spec.secretStoreRef.name
  2538. name: Store
  2539. type: string
  2540. - jsonPath: .spec.refreshInterval
  2541. name: Refresh Interval
  2542. type: string
  2543. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2544. name: Status
  2545. type: string
  2546. deprecated: true
  2547. name: v1alpha1
  2548. schema:
  2549. openAPIV3Schema:
  2550. description: ExternalSecret is the Schema for the external-secrets API.
  2551. properties:
  2552. apiVersion:
  2553. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2554. type: string
  2555. kind:
  2556. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2557. type: string
  2558. metadata:
  2559. type: object
  2560. spec:
  2561. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2562. properties:
  2563. data:
  2564. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2565. items:
  2566. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2567. properties:
  2568. remoteRef:
  2569. description: ExternalSecretDataRemoteRef defines Provider data location.
  2570. properties:
  2571. conversionStrategy:
  2572. default: Default
  2573. description: Used to define a conversion Strategy
  2574. type: string
  2575. key:
  2576. description: Key is the key used in the Provider, mandatory
  2577. type: string
  2578. property:
  2579. description: Used to select a specific property of the Provider value (if a map), if supported
  2580. type: string
  2581. version:
  2582. description: Used to select a specific version of the Provider value, if supported
  2583. type: string
  2584. required:
  2585. - key
  2586. type: object
  2587. secretKey:
  2588. type: string
  2589. required:
  2590. - remoteRef
  2591. - secretKey
  2592. type: object
  2593. type: array
  2594. dataFrom:
  2595. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2596. items:
  2597. description: ExternalSecretDataRemoteRef defines Provider data location.
  2598. properties:
  2599. conversionStrategy:
  2600. default: Default
  2601. description: Used to define a conversion Strategy
  2602. type: string
  2603. key:
  2604. description: Key is the key used in the Provider, mandatory
  2605. type: string
  2606. property:
  2607. description: Used to select a specific property of the Provider value (if a map), if supported
  2608. type: string
  2609. version:
  2610. description: Used to select a specific version of the Provider value, if supported
  2611. type: string
  2612. required:
  2613. - key
  2614. type: object
  2615. type: array
  2616. refreshInterval:
  2617. default: 1h
  2618. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2619. type: string
  2620. secretStoreRef:
  2621. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2622. properties:
  2623. kind:
  2624. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2625. type: string
  2626. name:
  2627. description: Name of the SecretStore resource
  2628. type: string
  2629. required:
  2630. - name
  2631. type: object
  2632. target:
  2633. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2634. properties:
  2635. creationPolicy:
  2636. default: Owner
  2637. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2638. type: string
  2639. immutable:
  2640. description: Immutable defines if the final secret will be immutable
  2641. type: boolean
  2642. name:
  2643. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2644. type: string
  2645. template:
  2646. description: Template defines a blueprint for the created Secret resource.
  2647. properties:
  2648. data:
  2649. additionalProperties:
  2650. type: string
  2651. type: object
  2652. engineVersion:
  2653. default: v1
  2654. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  2655. type: string
  2656. metadata:
  2657. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2658. properties:
  2659. annotations:
  2660. additionalProperties:
  2661. type: string
  2662. type: object
  2663. labels:
  2664. additionalProperties:
  2665. type: string
  2666. type: object
  2667. type: object
  2668. templateFrom:
  2669. items:
  2670. maxProperties: 1
  2671. minProperties: 1
  2672. properties:
  2673. configMap:
  2674. properties:
  2675. items:
  2676. items:
  2677. properties:
  2678. key:
  2679. type: string
  2680. required:
  2681. - key
  2682. type: object
  2683. type: array
  2684. name:
  2685. type: string
  2686. required:
  2687. - items
  2688. - name
  2689. type: object
  2690. secret:
  2691. properties:
  2692. items:
  2693. items:
  2694. properties:
  2695. key:
  2696. type: string
  2697. required:
  2698. - key
  2699. type: object
  2700. type: array
  2701. name:
  2702. type: string
  2703. required:
  2704. - items
  2705. - name
  2706. type: object
  2707. type: object
  2708. type: array
  2709. type:
  2710. type: string
  2711. type: object
  2712. type: object
  2713. required:
  2714. - secretStoreRef
  2715. - target
  2716. type: object
  2717. status:
  2718. properties:
  2719. conditions:
  2720. items:
  2721. properties:
  2722. lastTransitionTime:
  2723. format: date-time
  2724. type: string
  2725. message:
  2726. type: string
  2727. reason:
  2728. type: string
  2729. status:
  2730. type: string
  2731. type:
  2732. type: string
  2733. required:
  2734. - status
  2735. - type
  2736. type: object
  2737. type: array
  2738. refreshTime:
  2739. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2740. format: date-time
  2741. nullable: true
  2742. type: string
  2743. syncedResourceVersion:
  2744. description: SyncedResourceVersion keeps track of the last synced version
  2745. type: string
  2746. type: object
  2747. type: object
  2748. served: true
  2749. storage: false
  2750. subresources:
  2751. status: {}
  2752. - additionalPrinterColumns:
  2753. - jsonPath: .spec.secretStoreRef.name
  2754. name: Store
  2755. type: string
  2756. - jsonPath: .spec.refreshInterval
  2757. name: Refresh Interval
  2758. type: string
  2759. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2760. name: Status
  2761. type: string
  2762. name: v1beta1
  2763. schema:
  2764. openAPIV3Schema:
  2765. description: ExternalSecret is the Schema for the external-secrets API.
  2766. properties:
  2767. apiVersion:
  2768. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2769. type: string
  2770. kind:
  2771. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2772. type: string
  2773. metadata:
  2774. type: object
  2775. spec:
  2776. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2777. properties:
  2778. data:
  2779. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2780. items:
  2781. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2782. properties:
  2783. remoteRef:
  2784. description: ExternalSecretDataRemoteRef defines Provider data location.
  2785. properties:
  2786. conversionStrategy:
  2787. default: Default
  2788. description: Used to define a conversion Strategy
  2789. type: string
  2790. key:
  2791. description: Key is the key used in the Provider, mandatory
  2792. type: string
  2793. metadataPolicy:
  2794. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2795. type: string
  2796. property:
  2797. description: Used to select a specific property of the Provider value (if a map), if supported
  2798. type: string
  2799. version:
  2800. description: Used to select a specific version of the Provider value, if supported
  2801. type: string
  2802. required:
  2803. - key
  2804. type: object
  2805. secretKey:
  2806. type: string
  2807. required:
  2808. - remoteRef
  2809. - secretKey
  2810. type: object
  2811. type: array
  2812. dataFrom:
  2813. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2814. items:
  2815. maxProperties: 1
  2816. minProperties: 1
  2817. properties:
  2818. extract:
  2819. description: Used to extract multiple key/value pairs from one secret
  2820. properties:
  2821. conversionStrategy:
  2822. default: Default
  2823. description: Used to define a conversion Strategy
  2824. type: string
  2825. key:
  2826. description: Key is the key used in the Provider, mandatory
  2827. type: string
  2828. metadataPolicy:
  2829. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2830. type: string
  2831. property:
  2832. description: Used to select a specific property of the Provider value (if a map), if supported
  2833. type: string
  2834. version:
  2835. description: Used to select a specific version of the Provider value, if supported
  2836. type: string
  2837. required:
  2838. - key
  2839. type: object
  2840. find:
  2841. description: Used to find secrets based on tags or regular expressions
  2842. properties:
  2843. conversionStrategy:
  2844. default: Default
  2845. description: Used to define a conversion Strategy
  2846. type: string
  2847. name:
  2848. description: Finds secrets based on the name.
  2849. properties:
  2850. regexp:
  2851. description: Finds secrets base
  2852. type: string
  2853. type: object
  2854. path:
  2855. description: A root path to start the find operations.
  2856. type: string
  2857. tags:
  2858. additionalProperties:
  2859. type: string
  2860. description: Find secrets based on tags.
  2861. type: object
  2862. type: object
  2863. type: object
  2864. type: array
  2865. refreshInterval:
  2866. default: 1h
  2867. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2868. type: string
  2869. secretStoreRef:
  2870. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2871. properties:
  2872. kind:
  2873. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2874. type: string
  2875. name:
  2876. description: Name of the SecretStore resource
  2877. type: string
  2878. required:
  2879. - name
  2880. type: object
  2881. target:
  2882. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2883. properties:
  2884. creationPolicy:
  2885. default: Owner
  2886. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2887. enum:
  2888. - Owner
  2889. - Orphan
  2890. - Merge
  2891. - None
  2892. type: string
  2893. deletionPolicy:
  2894. default: Retain
  2895. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  2896. enum:
  2897. - Delete
  2898. - Merge
  2899. - Retain
  2900. type: string
  2901. immutable:
  2902. description: Immutable defines if the final secret will be immutable
  2903. type: boolean
  2904. name:
  2905. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2906. type: string
  2907. template:
  2908. description: Template defines a blueprint for the created Secret resource.
  2909. properties:
  2910. data:
  2911. additionalProperties:
  2912. type: string
  2913. type: object
  2914. engineVersion:
  2915. default: v2
  2916. type: string
  2917. metadata:
  2918. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2919. properties:
  2920. annotations:
  2921. additionalProperties:
  2922. type: string
  2923. type: object
  2924. labels:
  2925. additionalProperties:
  2926. type: string
  2927. type: object
  2928. type: object
  2929. templateFrom:
  2930. items:
  2931. maxProperties: 1
  2932. minProperties: 1
  2933. properties:
  2934. configMap:
  2935. properties:
  2936. items:
  2937. items:
  2938. properties:
  2939. key:
  2940. type: string
  2941. required:
  2942. - key
  2943. type: object
  2944. type: array
  2945. name:
  2946. type: string
  2947. required:
  2948. - items
  2949. - name
  2950. type: object
  2951. secret:
  2952. properties:
  2953. items:
  2954. items:
  2955. properties:
  2956. key:
  2957. type: string
  2958. required:
  2959. - key
  2960. type: object
  2961. type: array
  2962. name:
  2963. type: string
  2964. required:
  2965. - items
  2966. - name
  2967. type: object
  2968. type: object
  2969. type: array
  2970. type:
  2971. type: string
  2972. type: object
  2973. type: object
  2974. required:
  2975. - secretStoreRef
  2976. type: object
  2977. status:
  2978. properties:
  2979. conditions:
  2980. items:
  2981. properties:
  2982. lastTransitionTime:
  2983. format: date-time
  2984. type: string
  2985. message:
  2986. type: string
  2987. reason:
  2988. type: string
  2989. status:
  2990. type: string
  2991. type:
  2992. type: string
  2993. required:
  2994. - status
  2995. - type
  2996. type: object
  2997. type: array
  2998. refreshTime:
  2999. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3000. format: date-time
  3001. nullable: true
  3002. type: string
  3003. syncedResourceVersion:
  3004. description: SyncedResourceVersion keeps track of the last synced version
  3005. type: string
  3006. type: object
  3007. type: object
  3008. served: true
  3009. storage: true
  3010. subresources:
  3011. status: {}
  3012. conversion:
  3013. strategy: Webhook
  3014. webhook:
  3015. conversionReviewVersions:
  3016. - v1
  3017. clientConfig:
  3018. service:
  3019. name: kubernetes
  3020. namespace: default
  3021. path: /convert
  3022. status:
  3023. acceptedNames:
  3024. kind: ""
  3025. plural: ""
  3026. conditions: []
  3027. storedVersions: []
  3028. ---
  3029. apiVersion: apiextensions.k8s.io/v1
  3030. kind: CustomResourceDefinition
  3031. metadata:
  3032. annotations:
  3033. controller-gen.kubebuilder.io/version: v0.8.0
  3034. creationTimestamp: null
  3035. name: secretsinks.external-secrets.io
  3036. spec:
  3037. group: external-secrets.io
  3038. names:
  3039. categories:
  3040. - secretsinks
  3041. kind: SecretSink
  3042. listKind: SecretSinkList
  3043. plural: secretsinks
  3044. singular: secretsink
  3045. scope: Namespaced
  3046. versions:
  3047. - additionalPrinterColumns:
  3048. - jsonPath: .metadata.creationTimestamp
  3049. name: AGE
  3050. type: date
  3051. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3052. name: Status
  3053. type: string
  3054. name: v1alpha1
  3055. schema:
  3056. openAPIV3Schema:
  3057. properties:
  3058. apiVersion:
  3059. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3060. type: string
  3061. kind:
  3062. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3063. type: string
  3064. metadata:
  3065. type: object
  3066. spec:
  3067. description: SecretSinkSpec configures the behavior of the SecretSink.
  3068. properties:
  3069. data:
  3070. items:
  3071. properties:
  3072. match:
  3073. items:
  3074. properties:
  3075. remoteRefs:
  3076. items:
  3077. properties:
  3078. remoteKey:
  3079. type: string
  3080. required:
  3081. - remoteKey
  3082. type: object
  3083. type: array
  3084. secretKey:
  3085. type: string
  3086. required:
  3087. - remoteRefs
  3088. - secretKey
  3089. type: object
  3090. type: array
  3091. required:
  3092. - match
  3093. type: object
  3094. type: array
  3095. secretStoreRefs:
  3096. items:
  3097. properties:
  3098. kind:
  3099. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3100. type: string
  3101. name:
  3102. description: Name of the SecretStore resource
  3103. type: string
  3104. required:
  3105. - name
  3106. type: object
  3107. type: array
  3108. selector:
  3109. properties:
  3110. secret:
  3111. properties:
  3112. name:
  3113. type: string
  3114. required:
  3115. - name
  3116. type: object
  3117. required:
  3118. - secret
  3119. type: object
  3120. required:
  3121. - secretStoreRefs
  3122. - selector
  3123. type: object
  3124. status:
  3125. description: SecretSinkStatus indicates the history of the status of SecretSink.
  3126. properties:
  3127. conditions:
  3128. items:
  3129. description: SecretSinkStatusCondition indicates the status of the SecretSink.
  3130. properties:
  3131. lastTransitionTime:
  3132. format: date-time
  3133. type: string
  3134. message:
  3135. type: string
  3136. reason:
  3137. type: string
  3138. status:
  3139. type: string
  3140. type:
  3141. description: SecretSinkConditionType indicates the condition of the SecretSink.
  3142. type: string
  3143. required:
  3144. - status
  3145. - type
  3146. type: object
  3147. type: array
  3148. refreshTime:
  3149. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3150. format: date-time
  3151. nullable: true
  3152. type: string
  3153. syncedResourceVersion:
  3154. description: SyncedResourceVersion keeps track of the last synced version.
  3155. type: string
  3156. type: object
  3157. type: object
  3158. served: true
  3159. storage: true
  3160. subresources:
  3161. status: {}
  3162. conversion:
  3163. strategy: Webhook
  3164. webhook:
  3165. conversionReviewVersions:
  3166. - v1
  3167. clientConfig:
  3168. service:
  3169. name: kubernetes
  3170. namespace: default
  3171. path: /convert
  3172. status:
  3173. acceptedNames:
  3174. kind: ""
  3175. plural: ""
  3176. conditions: []
  3177. storedVersions: []
  3178. ---
  3179. apiVersion: apiextensions.k8s.io/v1
  3180. kind: CustomResourceDefinition
  3181. metadata:
  3182. annotations:
  3183. controller-gen.kubebuilder.io/version: v0.8.0
  3184. creationTimestamp: null
  3185. name: secretstores.external-secrets.io
  3186. spec:
  3187. group: external-secrets.io
  3188. names:
  3189. categories:
  3190. - externalsecrets
  3191. kind: SecretStore
  3192. listKind: SecretStoreList
  3193. plural: secretstores
  3194. shortNames:
  3195. - ss
  3196. singular: secretstore
  3197. scope: Namespaced
  3198. versions:
  3199. - additionalPrinterColumns:
  3200. - jsonPath: .metadata.creationTimestamp
  3201. name: AGE
  3202. type: date
  3203. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3204. name: Status
  3205. type: string
  3206. deprecated: true
  3207. name: v1alpha1
  3208. schema:
  3209. openAPIV3Schema:
  3210. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3211. properties:
  3212. apiVersion:
  3213. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3214. type: string
  3215. kind:
  3216. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3217. type: string
  3218. metadata:
  3219. type: object
  3220. spec:
  3221. description: SecretStoreSpec defines the desired state of SecretStore.
  3222. properties:
  3223. controller:
  3224. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3225. type: string
  3226. provider:
  3227. description: Used to configure the provider. Only one provider may be set
  3228. maxProperties: 1
  3229. minProperties: 1
  3230. properties:
  3231. akeyless:
  3232. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3233. properties:
  3234. akeylessGWApiURL:
  3235. description: Akeyless GW API Url from which the secrets to be fetched from.
  3236. type: string
  3237. authSecretRef:
  3238. description: Auth configures how the operator authenticates with Akeyless.
  3239. properties:
  3240. secretRef:
  3241. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  3242. properties:
  3243. accessID:
  3244. description: The SecretAccessID is used for authentication
  3245. properties:
  3246. key:
  3247. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3248. type: string
  3249. name:
  3250. description: The name of the Secret resource being referred to.
  3251. type: string
  3252. namespace:
  3253. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3254. type: string
  3255. type: object
  3256. accessType:
  3257. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3258. properties:
  3259. key:
  3260. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3261. type: string
  3262. name:
  3263. description: The name of the Secret resource being referred to.
  3264. type: string
  3265. namespace:
  3266. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3267. type: string
  3268. type: object
  3269. accessTypeParam:
  3270. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3271. properties:
  3272. key:
  3273. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3274. type: string
  3275. name:
  3276. description: The name of the Secret resource being referred to.
  3277. type: string
  3278. namespace:
  3279. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3280. type: string
  3281. type: object
  3282. type: object
  3283. required:
  3284. - secretRef
  3285. type: object
  3286. required:
  3287. - akeylessGWApiURL
  3288. - authSecretRef
  3289. type: object
  3290. alibaba:
  3291. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3292. properties:
  3293. auth:
  3294. description: AlibabaAuth contains a secretRef for credentials.
  3295. properties:
  3296. secretRef:
  3297. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3298. properties:
  3299. accessKeyIDSecretRef:
  3300. description: The AccessKeyID is used for authentication
  3301. properties:
  3302. key:
  3303. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3304. type: string
  3305. name:
  3306. description: The name of the Secret resource being referred to.
  3307. type: string
  3308. namespace:
  3309. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3310. type: string
  3311. type: object
  3312. accessKeySecretSecretRef:
  3313. description: The AccessKeySecret is used for authentication
  3314. properties:
  3315. key:
  3316. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3317. type: string
  3318. name:
  3319. description: The name of the Secret resource being referred to.
  3320. type: string
  3321. namespace:
  3322. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3323. type: string
  3324. type: object
  3325. required:
  3326. - accessKeyIDSecretRef
  3327. - accessKeySecretSecretRef
  3328. type: object
  3329. required:
  3330. - secretRef
  3331. type: object
  3332. endpoint:
  3333. type: string
  3334. regionID:
  3335. description: Alibaba Region to be used for the provider
  3336. type: string
  3337. required:
  3338. - auth
  3339. - regionID
  3340. type: object
  3341. aws:
  3342. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3343. properties:
  3344. auth:
  3345. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3346. properties:
  3347. jwt:
  3348. description: Authenticate against AWS using service account tokens.
  3349. properties:
  3350. serviceAccountRef:
  3351. description: A reference to a ServiceAccount resource.
  3352. properties:
  3353. name:
  3354. description: The name of the ServiceAccount resource being referred to.
  3355. type: string
  3356. namespace:
  3357. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3358. type: string
  3359. required:
  3360. - name
  3361. type: object
  3362. type: object
  3363. secretRef:
  3364. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3365. properties:
  3366. accessKeyIDSecretRef:
  3367. description: The AccessKeyID is used for authentication
  3368. properties:
  3369. key:
  3370. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3371. type: string
  3372. name:
  3373. description: The name of the Secret resource being referred to.
  3374. type: string
  3375. namespace:
  3376. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3377. type: string
  3378. type: object
  3379. secretAccessKeySecretRef:
  3380. description: The SecretAccessKey is used for authentication
  3381. properties:
  3382. key:
  3383. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3384. type: string
  3385. name:
  3386. description: The name of the Secret resource being referred to.
  3387. type: string
  3388. namespace:
  3389. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3390. type: string
  3391. type: object
  3392. type: object
  3393. type: object
  3394. region:
  3395. description: AWS Region to be used for the provider
  3396. type: string
  3397. role:
  3398. description: Role is a Role ARN which the SecretManager provider will assume
  3399. type: string
  3400. service:
  3401. description: Service defines which service should be used to fetch the secrets
  3402. enum:
  3403. - SecretsManager
  3404. - ParameterStore
  3405. type: string
  3406. required:
  3407. - region
  3408. - service
  3409. type: object
  3410. azurekv:
  3411. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3412. properties:
  3413. authSecretRef:
  3414. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3415. properties:
  3416. clientId:
  3417. description: The Azure clientId of the service principle used for authentication.
  3418. properties:
  3419. key:
  3420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3421. type: string
  3422. name:
  3423. description: The name of the Secret resource being referred to.
  3424. type: string
  3425. namespace:
  3426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3427. type: string
  3428. type: object
  3429. clientSecret:
  3430. description: The Azure ClientSecret of the service principle used for authentication.
  3431. properties:
  3432. key:
  3433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3434. type: string
  3435. name:
  3436. description: The name of the Secret resource being referred to.
  3437. type: string
  3438. namespace:
  3439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3440. type: string
  3441. type: object
  3442. type: object
  3443. authType:
  3444. default: ServicePrincipal
  3445. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3446. enum:
  3447. - ServicePrincipal
  3448. - ManagedIdentity
  3449. - WorkloadIdentity
  3450. type: string
  3451. identityId:
  3452. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3453. type: string
  3454. serviceAccountRef:
  3455. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  3456. properties:
  3457. name:
  3458. description: The name of the ServiceAccount resource being referred to.
  3459. type: string
  3460. namespace:
  3461. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3462. type: string
  3463. required:
  3464. - name
  3465. type: object
  3466. tenantId:
  3467. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3468. type: string
  3469. vaultUrl:
  3470. description: Vault Url from which the secrets to be fetched from.
  3471. type: string
  3472. required:
  3473. - vaultUrl
  3474. type: object
  3475. fake:
  3476. description: Fake configures a store with static key/value pairs
  3477. properties:
  3478. data:
  3479. items:
  3480. properties:
  3481. key:
  3482. type: string
  3483. value:
  3484. type: string
  3485. valueMap:
  3486. additionalProperties:
  3487. type: string
  3488. type: object
  3489. version:
  3490. type: string
  3491. required:
  3492. - key
  3493. type: object
  3494. type: array
  3495. required:
  3496. - data
  3497. type: object
  3498. gcpsm:
  3499. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3500. properties:
  3501. auth:
  3502. description: Auth defines the information necessary to authenticate against GCP
  3503. properties:
  3504. secretRef:
  3505. properties:
  3506. secretAccessKeySecretRef:
  3507. description: The SecretAccessKey is used for authentication
  3508. properties:
  3509. key:
  3510. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3511. type: string
  3512. name:
  3513. description: The name of the Secret resource being referred to.
  3514. type: string
  3515. namespace:
  3516. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3517. type: string
  3518. type: object
  3519. type: object
  3520. workloadIdentity:
  3521. properties:
  3522. clusterLocation:
  3523. type: string
  3524. clusterName:
  3525. type: string
  3526. clusterProjectID:
  3527. type: string
  3528. serviceAccountRef:
  3529. description: A reference to a ServiceAccount resource.
  3530. properties:
  3531. name:
  3532. description: The name of the ServiceAccount resource being referred to.
  3533. type: string
  3534. namespace:
  3535. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3536. type: string
  3537. required:
  3538. - name
  3539. type: object
  3540. required:
  3541. - clusterLocation
  3542. - clusterName
  3543. - serviceAccountRef
  3544. type: object
  3545. type: object
  3546. projectID:
  3547. description: ProjectID project where secret is located
  3548. type: string
  3549. type: object
  3550. gitlab:
  3551. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  3552. properties:
  3553. auth:
  3554. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3555. properties:
  3556. SecretRef:
  3557. properties:
  3558. accessToken:
  3559. description: AccessToken is used for authentication.
  3560. properties:
  3561. key:
  3562. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3563. type: string
  3564. name:
  3565. description: The name of the Secret resource being referred to.
  3566. type: string
  3567. namespace:
  3568. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3569. type: string
  3570. type: object
  3571. type: object
  3572. required:
  3573. - SecretRef
  3574. type: object
  3575. projectID:
  3576. description: ProjectID specifies a project where secrets are located.
  3577. type: string
  3578. url:
  3579. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3580. type: string
  3581. required:
  3582. - auth
  3583. type: object
  3584. ibm:
  3585. description: IBM configures this store to sync secrets using IBM Cloud provider
  3586. properties:
  3587. auth:
  3588. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3589. properties:
  3590. secretRef:
  3591. properties:
  3592. secretApiKeySecretRef:
  3593. description: The SecretAccessKey is used for authentication
  3594. properties:
  3595. key:
  3596. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3597. type: string
  3598. name:
  3599. description: The name of the Secret resource being referred to.
  3600. type: string
  3601. namespace:
  3602. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3603. type: string
  3604. type: object
  3605. type: object
  3606. required:
  3607. - secretRef
  3608. type: object
  3609. serviceUrl:
  3610. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3611. type: string
  3612. required:
  3613. - auth
  3614. type: object
  3615. kubernetes:
  3616. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3617. properties:
  3618. auth:
  3619. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3620. maxProperties: 1
  3621. minProperties: 1
  3622. properties:
  3623. cert:
  3624. description: has both clientCert and clientKey as secretKeySelector
  3625. properties:
  3626. clientCert:
  3627. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3628. properties:
  3629. key:
  3630. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3631. type: string
  3632. name:
  3633. description: The name of the Secret resource being referred to.
  3634. type: string
  3635. namespace:
  3636. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3637. type: string
  3638. type: object
  3639. clientKey:
  3640. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3641. properties:
  3642. key:
  3643. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3644. type: string
  3645. name:
  3646. description: The name of the Secret resource being referred to.
  3647. type: string
  3648. namespace:
  3649. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3650. type: string
  3651. type: object
  3652. type: object
  3653. serviceAccount:
  3654. description: points to a service account that should be used for authentication
  3655. properties:
  3656. serviceAccount:
  3657. description: A reference to a ServiceAccount resource.
  3658. properties:
  3659. name:
  3660. description: The name of the ServiceAccount resource being referred to.
  3661. type: string
  3662. namespace:
  3663. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3664. type: string
  3665. required:
  3666. - name
  3667. type: object
  3668. type: object
  3669. token:
  3670. description: use static token to authenticate with
  3671. properties:
  3672. bearerToken:
  3673. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3674. properties:
  3675. key:
  3676. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3677. type: string
  3678. name:
  3679. description: The name of the Secret resource being referred to.
  3680. type: string
  3681. namespace:
  3682. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3683. type: string
  3684. type: object
  3685. type: object
  3686. type: object
  3687. remoteNamespace:
  3688. default: default
  3689. description: Remote namespace to fetch the secrets from
  3690. type: string
  3691. server:
  3692. description: configures the Kubernetes server Address.
  3693. properties:
  3694. caBundle:
  3695. description: CABundle is a base64-encoded CA certificate
  3696. format: byte
  3697. type: string
  3698. caProvider:
  3699. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3700. properties:
  3701. key:
  3702. description: The key the value inside of the provider type to use, only used with "Secret" type
  3703. type: string
  3704. name:
  3705. description: The name of the object located at the provider type.
  3706. type: string
  3707. namespace:
  3708. description: The namespace the Provider type is in.
  3709. type: string
  3710. type:
  3711. description: The type of provider to use such as "Secret", or "ConfigMap".
  3712. enum:
  3713. - Secret
  3714. - ConfigMap
  3715. type: string
  3716. required:
  3717. - name
  3718. - type
  3719. type: object
  3720. url:
  3721. default: kubernetes.default
  3722. description: configures the Kubernetes server Address.
  3723. type: string
  3724. type: object
  3725. required:
  3726. - auth
  3727. type: object
  3728. oracle:
  3729. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3730. properties:
  3731. auth:
  3732. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3733. properties:
  3734. secretRef:
  3735. description: SecretRef to pass through sensitive information.
  3736. properties:
  3737. fingerprint:
  3738. description: Fingerprint is the fingerprint of the API private key.
  3739. properties:
  3740. key:
  3741. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3742. type: string
  3743. name:
  3744. description: The name of the Secret resource being referred to.
  3745. type: string
  3746. namespace:
  3747. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3748. type: string
  3749. type: object
  3750. privatekey:
  3751. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3752. properties:
  3753. key:
  3754. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3755. type: string
  3756. name:
  3757. description: The name of the Secret resource being referred to.
  3758. type: string
  3759. namespace:
  3760. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3761. type: string
  3762. type: object
  3763. required:
  3764. - fingerprint
  3765. - privatekey
  3766. type: object
  3767. tenancy:
  3768. description: Tenancy is the tenancy OCID where user is located.
  3769. type: string
  3770. user:
  3771. description: User is an access OCID specific to the account.
  3772. type: string
  3773. required:
  3774. - secretRef
  3775. - tenancy
  3776. - user
  3777. type: object
  3778. region:
  3779. description: Region is the region where vault is located.
  3780. type: string
  3781. vault:
  3782. description: Vault is the vault's OCID of the specific vault where secret is located.
  3783. type: string
  3784. required:
  3785. - region
  3786. - vault
  3787. type: object
  3788. vault:
  3789. description: Vault configures this store to sync secrets using Hashi provider
  3790. properties:
  3791. auth:
  3792. description: Auth configures how secret-manager authenticates with the Vault server.
  3793. properties:
  3794. appRole:
  3795. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3796. properties:
  3797. path:
  3798. default: approle
  3799. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3800. type: string
  3801. roleId:
  3802. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3803. type: string
  3804. secretRef:
  3805. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3806. properties:
  3807. key:
  3808. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3809. type: string
  3810. name:
  3811. description: The name of the Secret resource being referred to.
  3812. type: string
  3813. namespace:
  3814. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3815. type: string
  3816. type: object
  3817. required:
  3818. - path
  3819. - roleId
  3820. - secretRef
  3821. type: object
  3822. cert:
  3823. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  3824. properties:
  3825. clientCert:
  3826. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  3827. properties:
  3828. key:
  3829. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3830. type: string
  3831. name:
  3832. description: The name of the Secret resource being referred to.
  3833. type: string
  3834. namespace:
  3835. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3836. type: string
  3837. type: object
  3838. secretRef:
  3839. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  3840. properties:
  3841. key:
  3842. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3843. type: string
  3844. name:
  3845. description: The name of the Secret resource being referred to.
  3846. type: string
  3847. namespace:
  3848. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3849. type: string
  3850. type: object
  3851. type: object
  3852. jwt:
  3853. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3854. properties:
  3855. kubernetesServiceAccountToken:
  3856. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  3857. properties:
  3858. audiences:
  3859. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  3860. items:
  3861. type: string
  3862. type: array
  3863. expirationSeconds:
  3864. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  3865. format: int64
  3866. type: integer
  3867. serviceAccountRef:
  3868. description: Service account field containing the name of a kubernetes ServiceAccount.
  3869. properties:
  3870. name:
  3871. description: The name of the ServiceAccount resource being referred to.
  3872. type: string
  3873. namespace:
  3874. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3875. type: string
  3876. required:
  3877. - name
  3878. type: object
  3879. required:
  3880. - serviceAccountRef
  3881. type: object
  3882. path:
  3883. default: jwt
  3884. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3885. type: string
  3886. role:
  3887. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3888. type: string
  3889. secretRef:
  3890. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  3891. properties:
  3892. key:
  3893. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3894. type: string
  3895. name:
  3896. description: The name of the Secret resource being referred to.
  3897. type: string
  3898. namespace:
  3899. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3900. type: string
  3901. type: object
  3902. required:
  3903. - path
  3904. type: object
  3905. kubernetes:
  3906. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3907. properties:
  3908. mountPath:
  3909. default: kubernetes
  3910. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3911. type: string
  3912. role:
  3913. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3914. type: string
  3915. secretRef:
  3916. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3917. properties:
  3918. key:
  3919. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3920. type: string
  3921. name:
  3922. description: The name of the Secret resource being referred to.
  3923. type: string
  3924. namespace:
  3925. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3926. type: string
  3927. type: object
  3928. serviceAccountRef:
  3929. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3930. properties:
  3931. name:
  3932. description: The name of the ServiceAccount resource being referred to.
  3933. type: string
  3934. namespace:
  3935. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3936. type: string
  3937. required:
  3938. - name
  3939. type: object
  3940. required:
  3941. - mountPath
  3942. - role
  3943. type: object
  3944. ldap:
  3945. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  3946. properties:
  3947. path:
  3948. default: ldap
  3949. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  3950. type: string
  3951. secretRef:
  3952. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  3953. properties:
  3954. key:
  3955. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3956. type: string
  3957. name:
  3958. description: The name of the Secret resource being referred to.
  3959. type: string
  3960. namespace:
  3961. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3962. type: string
  3963. type: object
  3964. username:
  3965. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  3966. type: string
  3967. required:
  3968. - path
  3969. - username
  3970. type: object
  3971. tokenSecretRef:
  3972. description: TokenSecretRef authenticates with Vault by presenting a token.
  3973. properties:
  3974. key:
  3975. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3976. type: string
  3977. name:
  3978. description: The name of the Secret resource being referred to.
  3979. type: string
  3980. namespace:
  3981. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3982. type: string
  3983. type: object
  3984. type: object
  3985. caBundle:
  3986. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3987. format: byte
  3988. type: string
  3989. caProvider:
  3990. description: The provider for the CA bundle to use to validate Vault server certificate.
  3991. properties:
  3992. key:
  3993. description: The key the value inside of the provider type to use, only used with "Secret" type
  3994. type: string
  3995. name:
  3996. description: The name of the object located at the provider type.
  3997. type: string
  3998. namespace:
  3999. description: The namespace the Provider type is in.
  4000. type: string
  4001. type:
  4002. description: The type of provider to use such as "Secret", or "ConfigMap".
  4003. enum:
  4004. - Secret
  4005. - ConfigMap
  4006. type: string
  4007. required:
  4008. - name
  4009. - type
  4010. type: object
  4011. forwardInconsistent:
  4012. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4013. type: boolean
  4014. namespace:
  4015. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  4016. type: string
  4017. path:
  4018. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  4019. type: string
  4020. readYourWrites:
  4021. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  4022. type: boolean
  4023. server:
  4024. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4025. type: string
  4026. version:
  4027. default: v2
  4028. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  4029. enum:
  4030. - v1
  4031. - v2
  4032. type: string
  4033. required:
  4034. - auth
  4035. - server
  4036. type: object
  4037. webhook:
  4038. description: Webhook configures this store to sync secrets using a generic templated webhook
  4039. properties:
  4040. body:
  4041. description: Body
  4042. type: string
  4043. caBundle:
  4044. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4045. format: byte
  4046. type: string
  4047. caProvider:
  4048. description: The provider for the CA bundle to use to validate webhook server certificate.
  4049. properties:
  4050. key:
  4051. description: The key the value inside of the provider type to use, only used with "Secret" type
  4052. type: string
  4053. name:
  4054. description: The name of the object located at the provider type.
  4055. type: string
  4056. namespace:
  4057. description: The namespace the Provider type is in.
  4058. type: string
  4059. type:
  4060. description: The type of provider to use such as "Secret", or "ConfigMap".
  4061. enum:
  4062. - Secret
  4063. - ConfigMap
  4064. type: string
  4065. required:
  4066. - name
  4067. - type
  4068. type: object
  4069. headers:
  4070. additionalProperties:
  4071. type: string
  4072. description: Headers
  4073. type: object
  4074. method:
  4075. description: Webhook Method
  4076. type: string
  4077. result:
  4078. description: Result formatting
  4079. properties:
  4080. jsonPath:
  4081. description: Json path of return value
  4082. type: string
  4083. type: object
  4084. secrets:
  4085. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  4086. items:
  4087. properties:
  4088. name:
  4089. description: Name of this secret in templates
  4090. type: string
  4091. secretRef:
  4092. description: Secret ref to fill in credentials
  4093. properties:
  4094. key:
  4095. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4096. type: string
  4097. name:
  4098. description: The name of the Secret resource being referred to.
  4099. type: string
  4100. namespace:
  4101. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4102. type: string
  4103. type: object
  4104. required:
  4105. - name
  4106. - secretRef
  4107. type: object
  4108. type: array
  4109. timeout:
  4110. description: Timeout
  4111. type: string
  4112. url:
  4113. description: Webhook url to call
  4114. type: string
  4115. required:
  4116. - result
  4117. - url
  4118. type: object
  4119. yandexlockbox:
  4120. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4121. properties:
  4122. apiEndpoint:
  4123. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4124. type: string
  4125. auth:
  4126. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4127. properties:
  4128. authorizedKeySecretRef:
  4129. description: The authorized key used for authentication
  4130. properties:
  4131. key:
  4132. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4133. type: string
  4134. name:
  4135. description: The name of the Secret resource being referred to.
  4136. type: string
  4137. namespace:
  4138. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4139. type: string
  4140. type: object
  4141. type: object
  4142. caProvider:
  4143. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4144. properties:
  4145. certSecretRef:
  4146. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4147. properties:
  4148. key:
  4149. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4150. type: string
  4151. name:
  4152. description: The name of the Secret resource being referred to.
  4153. type: string
  4154. namespace:
  4155. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4156. type: string
  4157. type: object
  4158. type: object
  4159. required:
  4160. - auth
  4161. type: object
  4162. type: object
  4163. retrySettings:
  4164. description: Used to configure http retries if failed
  4165. properties:
  4166. maxRetries:
  4167. format: int32
  4168. type: integer
  4169. retryInterval:
  4170. type: string
  4171. type: object
  4172. required:
  4173. - provider
  4174. type: object
  4175. status:
  4176. description: SecretStoreStatus defines the observed state of the SecretStore.
  4177. properties:
  4178. conditions:
  4179. items:
  4180. properties:
  4181. lastTransitionTime:
  4182. format: date-time
  4183. type: string
  4184. message:
  4185. type: string
  4186. reason:
  4187. type: string
  4188. status:
  4189. type: string
  4190. type:
  4191. type: string
  4192. required:
  4193. - status
  4194. - type
  4195. type: object
  4196. type: array
  4197. type: object
  4198. type: object
  4199. served: true
  4200. storage: false
  4201. subresources:
  4202. status: {}
  4203. - additionalPrinterColumns:
  4204. - jsonPath: .metadata.creationTimestamp
  4205. name: AGE
  4206. type: date
  4207. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4208. name: Status
  4209. type: string
  4210. - jsonPath: .status.capabilities
  4211. name: Capabilities
  4212. type: string
  4213. name: v1beta1
  4214. schema:
  4215. openAPIV3Schema:
  4216. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4217. properties:
  4218. apiVersion:
  4219. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4220. type: string
  4221. kind:
  4222. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4223. type: string
  4224. metadata:
  4225. type: object
  4226. spec:
  4227. description: SecretStoreSpec defines the desired state of SecretStore.
  4228. properties:
  4229. controller:
  4230. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  4231. type: string
  4232. provider:
  4233. description: Used to configure the provider. Only one provider may be set
  4234. maxProperties: 1
  4235. minProperties: 1
  4236. properties:
  4237. akeyless:
  4238. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4239. properties:
  4240. akeylessGWApiURL:
  4241. description: Akeyless GW API Url from which the secrets to be fetched from.
  4242. type: string
  4243. authSecretRef:
  4244. description: Auth configures how the operator authenticates with Akeyless.
  4245. properties:
  4246. secretRef:
  4247. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  4248. properties:
  4249. accessID:
  4250. description: The SecretAccessID is used for authentication
  4251. properties:
  4252. key:
  4253. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4254. type: string
  4255. name:
  4256. description: The name of the Secret resource being referred to.
  4257. type: string
  4258. namespace:
  4259. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4260. type: string
  4261. type: object
  4262. accessType:
  4263. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4264. properties:
  4265. key:
  4266. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4267. type: string
  4268. name:
  4269. description: The name of the Secret resource being referred to.
  4270. type: string
  4271. namespace:
  4272. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4273. type: string
  4274. type: object
  4275. accessTypeParam:
  4276. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4277. properties:
  4278. key:
  4279. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4280. type: string
  4281. name:
  4282. description: The name of the Secret resource being referred to.
  4283. type: string
  4284. namespace:
  4285. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4286. type: string
  4287. type: object
  4288. type: object
  4289. required:
  4290. - secretRef
  4291. type: object
  4292. required:
  4293. - akeylessGWApiURL
  4294. - authSecretRef
  4295. type: object
  4296. alibaba:
  4297. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4298. properties:
  4299. auth:
  4300. description: AlibabaAuth contains a secretRef for credentials.
  4301. properties:
  4302. secretRef:
  4303. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4304. properties:
  4305. accessKeyIDSecretRef:
  4306. description: The AccessKeyID is used for authentication
  4307. properties:
  4308. key:
  4309. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4310. type: string
  4311. name:
  4312. description: The name of the Secret resource being referred to.
  4313. type: string
  4314. namespace:
  4315. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4316. type: string
  4317. type: object
  4318. accessKeySecretSecretRef:
  4319. description: The AccessKeySecret is used for authentication
  4320. properties:
  4321. key:
  4322. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4323. type: string
  4324. name:
  4325. description: The name of the Secret resource being referred to.
  4326. type: string
  4327. namespace:
  4328. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4329. type: string
  4330. type: object
  4331. required:
  4332. - accessKeyIDSecretRef
  4333. - accessKeySecretSecretRef
  4334. type: object
  4335. required:
  4336. - secretRef
  4337. type: object
  4338. endpoint:
  4339. type: string
  4340. regionID:
  4341. description: Alibaba Region to be used for the provider
  4342. type: string
  4343. required:
  4344. - auth
  4345. - regionID
  4346. type: object
  4347. aws:
  4348. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4349. properties:
  4350. auth:
  4351. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4352. properties:
  4353. jwt:
  4354. description: Authenticate against AWS using service account tokens.
  4355. properties:
  4356. serviceAccountRef:
  4357. description: A reference to a ServiceAccount resource.
  4358. properties:
  4359. name:
  4360. description: The name of the ServiceAccount resource being referred to.
  4361. type: string
  4362. namespace:
  4363. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4364. type: string
  4365. required:
  4366. - name
  4367. type: object
  4368. type: object
  4369. secretRef:
  4370. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4371. properties:
  4372. accessKeyIDSecretRef:
  4373. description: The AccessKeyID is used for authentication
  4374. properties:
  4375. key:
  4376. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4377. type: string
  4378. name:
  4379. description: The name of the Secret resource being referred to.
  4380. type: string
  4381. namespace:
  4382. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4383. type: string
  4384. type: object
  4385. secretAccessKeySecretRef:
  4386. description: The SecretAccessKey is used for authentication
  4387. properties:
  4388. key:
  4389. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4390. type: string
  4391. name:
  4392. description: The name of the Secret resource being referred to.
  4393. type: string
  4394. namespace:
  4395. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4396. type: string
  4397. type: object
  4398. type: object
  4399. type: object
  4400. region:
  4401. description: AWS Region to be used for the provider
  4402. type: string
  4403. role:
  4404. description: Role is a Role ARN which the SecretManager provider will assume
  4405. type: string
  4406. service:
  4407. description: Service defines which service should be used to fetch the secrets
  4408. enum:
  4409. - SecretsManager
  4410. - ParameterStore
  4411. type: string
  4412. required:
  4413. - region
  4414. - service
  4415. type: object
  4416. azurekv:
  4417. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4418. properties:
  4419. authSecretRef:
  4420. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4421. properties:
  4422. clientId:
  4423. description: The Azure clientId of the service principle used for authentication.
  4424. properties:
  4425. key:
  4426. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4427. type: string
  4428. name:
  4429. description: The name of the Secret resource being referred to.
  4430. type: string
  4431. namespace:
  4432. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4433. type: string
  4434. type: object
  4435. clientSecret:
  4436. description: The Azure ClientSecret of the service principle used for authentication.
  4437. properties:
  4438. key:
  4439. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4440. type: string
  4441. name:
  4442. description: The name of the Secret resource being referred to.
  4443. type: string
  4444. namespace:
  4445. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4446. type: string
  4447. type: object
  4448. type: object
  4449. authType:
  4450. default: ServicePrincipal
  4451. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  4452. enum:
  4453. - ServicePrincipal
  4454. - ManagedIdentity
  4455. - WorkloadIdentity
  4456. type: string
  4457. identityId:
  4458. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  4459. type: string
  4460. serviceAccountRef:
  4461. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  4462. properties:
  4463. name:
  4464. description: The name of the ServiceAccount resource being referred to.
  4465. type: string
  4466. namespace:
  4467. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4468. type: string
  4469. required:
  4470. - name
  4471. type: object
  4472. tenantId:
  4473. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4474. type: string
  4475. vaultUrl:
  4476. description: Vault Url from which the secrets to be fetched from.
  4477. type: string
  4478. required:
  4479. - vaultUrl
  4480. type: object
  4481. fake:
  4482. description: Fake configures a store with static key/value pairs
  4483. properties:
  4484. data:
  4485. items:
  4486. properties:
  4487. key:
  4488. type: string
  4489. value:
  4490. type: string
  4491. valueMap:
  4492. additionalProperties:
  4493. type: string
  4494. type: object
  4495. version:
  4496. type: string
  4497. required:
  4498. - key
  4499. type: object
  4500. type: array
  4501. required:
  4502. - data
  4503. type: object
  4504. gcpsm:
  4505. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4506. properties:
  4507. auth:
  4508. description: Auth defines the information necessary to authenticate against GCP
  4509. properties:
  4510. secretRef:
  4511. properties:
  4512. secretAccessKeySecretRef:
  4513. description: The SecretAccessKey is used for authentication
  4514. properties:
  4515. key:
  4516. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4517. type: string
  4518. name:
  4519. description: The name of the Secret resource being referred to.
  4520. type: string
  4521. namespace:
  4522. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4523. type: string
  4524. type: object
  4525. type: object
  4526. workloadIdentity:
  4527. properties:
  4528. clusterLocation:
  4529. type: string
  4530. clusterName:
  4531. type: string
  4532. clusterProjectID:
  4533. type: string
  4534. serviceAccountRef:
  4535. description: A reference to a ServiceAccount resource.
  4536. properties:
  4537. name:
  4538. description: The name of the ServiceAccount resource being referred to.
  4539. type: string
  4540. namespace:
  4541. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4542. type: string
  4543. required:
  4544. - name
  4545. type: object
  4546. required:
  4547. - clusterLocation
  4548. - clusterName
  4549. - serviceAccountRef
  4550. type: object
  4551. type: object
  4552. projectID:
  4553. description: ProjectID project where secret is located
  4554. type: string
  4555. type: object
  4556. gitlab:
  4557. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  4558. properties:
  4559. auth:
  4560. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4561. properties:
  4562. SecretRef:
  4563. properties:
  4564. accessToken:
  4565. description: AccessToken is used for authentication.
  4566. properties:
  4567. key:
  4568. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4569. type: string
  4570. name:
  4571. description: The name of the Secret resource being referred to.
  4572. type: string
  4573. namespace:
  4574. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4575. type: string
  4576. type: object
  4577. type: object
  4578. required:
  4579. - SecretRef
  4580. type: object
  4581. projectID:
  4582. description: ProjectID specifies a project where secrets are located.
  4583. type: string
  4584. url:
  4585. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4586. type: string
  4587. required:
  4588. - auth
  4589. type: object
  4590. ibm:
  4591. description: IBM configures this store to sync secrets using IBM Cloud provider
  4592. properties:
  4593. auth:
  4594. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4595. properties:
  4596. secretRef:
  4597. properties:
  4598. secretApiKeySecretRef:
  4599. description: The SecretAccessKey is used for authentication
  4600. properties:
  4601. key:
  4602. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4603. type: string
  4604. name:
  4605. description: The name of the Secret resource being referred to.
  4606. type: string
  4607. namespace:
  4608. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4609. type: string
  4610. type: object
  4611. type: object
  4612. required:
  4613. - secretRef
  4614. type: object
  4615. serviceUrl:
  4616. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4617. type: string
  4618. required:
  4619. - auth
  4620. type: object
  4621. kubernetes:
  4622. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  4623. properties:
  4624. auth:
  4625. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  4626. maxProperties: 1
  4627. minProperties: 1
  4628. properties:
  4629. cert:
  4630. description: has both clientCert and clientKey as secretKeySelector
  4631. properties:
  4632. clientCert:
  4633. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4634. properties:
  4635. key:
  4636. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4637. type: string
  4638. name:
  4639. description: The name of the Secret resource being referred to.
  4640. type: string
  4641. namespace:
  4642. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4643. type: string
  4644. type: object
  4645. clientKey:
  4646. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4647. properties:
  4648. key:
  4649. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4650. type: string
  4651. name:
  4652. description: The name of the Secret resource being referred to.
  4653. type: string
  4654. namespace:
  4655. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4656. type: string
  4657. type: object
  4658. type: object
  4659. serviceAccount:
  4660. description: points to a service account that should be used for authentication
  4661. properties:
  4662. serviceAccount:
  4663. description: A reference to a ServiceAccount resource.
  4664. properties:
  4665. name:
  4666. description: The name of the ServiceAccount resource being referred to.
  4667. type: string
  4668. namespace:
  4669. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4670. type: string
  4671. required:
  4672. - name
  4673. type: object
  4674. type: object
  4675. token:
  4676. description: use static token to authenticate with
  4677. properties:
  4678. bearerToken:
  4679. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4680. properties:
  4681. key:
  4682. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4683. type: string
  4684. name:
  4685. description: The name of the Secret resource being referred to.
  4686. type: string
  4687. namespace:
  4688. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4689. type: string
  4690. type: object
  4691. type: object
  4692. type: object
  4693. remoteNamespace:
  4694. default: default
  4695. description: Remote namespace to fetch the secrets from
  4696. type: string
  4697. server:
  4698. description: configures the Kubernetes server Address.
  4699. properties:
  4700. caBundle:
  4701. description: CABundle is a base64-encoded CA certificate
  4702. format: byte
  4703. type: string
  4704. caProvider:
  4705. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4706. properties:
  4707. key:
  4708. description: The key the value inside of the provider type to use, only used with "Secret" type
  4709. type: string
  4710. name:
  4711. description: The name of the object located at the provider type.
  4712. type: string
  4713. namespace:
  4714. description: The namespace the Provider type is in.
  4715. type: string
  4716. type:
  4717. description: The type of provider to use such as "Secret", or "ConfigMap".
  4718. enum:
  4719. - Secret
  4720. - ConfigMap
  4721. type: string
  4722. required:
  4723. - name
  4724. - type
  4725. type: object
  4726. url:
  4727. default: kubernetes.default
  4728. description: configures the Kubernetes server Address.
  4729. type: string
  4730. type: object
  4731. required:
  4732. - auth
  4733. type: object
  4734. onepassword:
  4735. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  4736. properties:
  4737. auth:
  4738. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  4739. properties:
  4740. secretRef:
  4741. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  4742. properties:
  4743. connectTokenSecretRef:
  4744. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  4745. properties:
  4746. key:
  4747. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4748. type: string
  4749. name:
  4750. description: The name of the Secret resource being referred to.
  4751. type: string
  4752. namespace:
  4753. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4754. type: string
  4755. type: object
  4756. required:
  4757. - connectTokenSecretRef
  4758. type: object
  4759. required:
  4760. - secretRef
  4761. type: object
  4762. connectHost:
  4763. description: ConnectHost defines the OnePassword Connect Server to connect to
  4764. type: string
  4765. vaults:
  4766. additionalProperties:
  4767. type: integer
  4768. description: Vaults defines which OnePassword vaults to search in which order
  4769. type: object
  4770. required:
  4771. - auth
  4772. - connectHost
  4773. - vaults
  4774. type: object
  4775. oracle:
  4776. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4777. properties:
  4778. auth:
  4779. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4780. properties:
  4781. secretRef:
  4782. description: SecretRef to pass through sensitive information.
  4783. properties:
  4784. fingerprint:
  4785. description: Fingerprint is the fingerprint of the API private key.
  4786. properties:
  4787. key:
  4788. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4789. type: string
  4790. name:
  4791. description: The name of the Secret resource being referred to.
  4792. type: string
  4793. namespace:
  4794. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4795. type: string
  4796. type: object
  4797. privatekey:
  4798. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4799. properties:
  4800. key:
  4801. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4802. type: string
  4803. name:
  4804. description: The name of the Secret resource being referred to.
  4805. type: string
  4806. namespace:
  4807. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4808. type: string
  4809. type: object
  4810. required:
  4811. - fingerprint
  4812. - privatekey
  4813. type: object
  4814. tenancy:
  4815. description: Tenancy is the tenancy OCID where user is located.
  4816. type: string
  4817. user:
  4818. description: User is an access OCID specific to the account.
  4819. type: string
  4820. required:
  4821. - secretRef
  4822. - tenancy
  4823. - user
  4824. type: object
  4825. region:
  4826. description: Region is the region where vault is located.
  4827. type: string
  4828. vault:
  4829. description: Vault is the vault's OCID of the specific vault where secret is located.
  4830. type: string
  4831. required:
  4832. - region
  4833. - vault
  4834. type: object
  4835. senhasegura:
  4836. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4837. properties:
  4838. auth:
  4839. description: Auth defines parameters to authenticate in senhasegura
  4840. properties:
  4841. clientId:
  4842. type: string
  4843. clientSecretSecretRef:
  4844. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4845. properties:
  4846. key:
  4847. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4848. type: string
  4849. name:
  4850. description: The name of the Secret resource being referred to.
  4851. type: string
  4852. namespace:
  4853. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4854. type: string
  4855. type: object
  4856. required:
  4857. - clientId
  4858. - clientSecretSecretRef
  4859. type: object
  4860. ignoreSslCertificate:
  4861. default: false
  4862. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  4863. type: boolean
  4864. module:
  4865. description: Module defines which senhasegura module should be used to get secrets
  4866. type: string
  4867. url:
  4868. description: URL of senhasegura
  4869. type: string
  4870. required:
  4871. - auth
  4872. - module
  4873. - url
  4874. type: object
  4875. vault:
  4876. description: Vault configures this store to sync secrets using Hashi provider
  4877. properties:
  4878. auth:
  4879. description: Auth configures how secret-manager authenticates with the Vault server.
  4880. properties:
  4881. appRole:
  4882. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  4883. properties:
  4884. path:
  4885. default: approle
  4886. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  4887. type: string
  4888. roleId:
  4889. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  4890. type: string
  4891. secretRef:
  4892. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  4893. properties:
  4894. key:
  4895. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4896. type: string
  4897. name:
  4898. description: The name of the Secret resource being referred to.
  4899. type: string
  4900. namespace:
  4901. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4902. type: string
  4903. type: object
  4904. required:
  4905. - path
  4906. - roleId
  4907. - secretRef
  4908. type: object
  4909. cert:
  4910. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  4911. properties:
  4912. clientCert:
  4913. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  4914. properties:
  4915. key:
  4916. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4917. type: string
  4918. name:
  4919. description: The name of the Secret resource being referred to.
  4920. type: string
  4921. namespace:
  4922. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4923. type: string
  4924. type: object
  4925. secretRef:
  4926. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  4927. properties:
  4928. key:
  4929. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4930. type: string
  4931. name:
  4932. description: The name of the Secret resource being referred to.
  4933. type: string
  4934. namespace:
  4935. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4936. type: string
  4937. type: object
  4938. type: object
  4939. jwt:
  4940. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  4941. properties:
  4942. kubernetesServiceAccountToken:
  4943. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  4944. properties:
  4945. audiences:
  4946. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  4947. items:
  4948. type: string
  4949. type: array
  4950. expirationSeconds:
  4951. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  4952. format: int64
  4953. type: integer
  4954. serviceAccountRef:
  4955. description: Service account field containing the name of a kubernetes ServiceAccount.
  4956. properties:
  4957. name:
  4958. description: The name of the ServiceAccount resource being referred to.
  4959. type: string
  4960. namespace:
  4961. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4962. type: string
  4963. required:
  4964. - name
  4965. type: object
  4966. required:
  4967. - serviceAccountRef
  4968. type: object
  4969. path:
  4970. default: jwt
  4971. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  4972. type: string
  4973. role:
  4974. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  4975. type: string
  4976. secretRef:
  4977. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  4978. properties:
  4979. key:
  4980. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4981. type: string
  4982. name:
  4983. description: The name of the Secret resource being referred to.
  4984. type: string
  4985. namespace:
  4986. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4987. type: string
  4988. type: object
  4989. required:
  4990. - path
  4991. type: object
  4992. kubernetes:
  4993. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  4994. properties:
  4995. mountPath:
  4996. default: kubernetes
  4997. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  4998. type: string
  4999. role:
  5000. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  5001. type: string
  5002. secretRef:
  5003. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  5004. properties:
  5005. key:
  5006. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5007. type: string
  5008. name:
  5009. description: The name of the Secret resource being referred to.
  5010. type: string
  5011. namespace:
  5012. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5013. type: string
  5014. type: object
  5015. serviceAccountRef:
  5016. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  5017. properties:
  5018. name:
  5019. description: The name of the ServiceAccount resource being referred to.
  5020. type: string
  5021. namespace:
  5022. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5023. type: string
  5024. required:
  5025. - name
  5026. type: object
  5027. required:
  5028. - mountPath
  5029. - role
  5030. type: object
  5031. ldap:
  5032. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5033. properties:
  5034. path:
  5035. default: ldap
  5036. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5037. type: string
  5038. secretRef:
  5039. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5040. properties:
  5041. key:
  5042. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5043. type: string
  5044. name:
  5045. description: The name of the Secret resource being referred to.
  5046. type: string
  5047. namespace:
  5048. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5049. type: string
  5050. type: object
  5051. username:
  5052. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5053. type: string
  5054. required:
  5055. - path
  5056. - username
  5057. type: object
  5058. tokenSecretRef:
  5059. description: TokenSecretRef authenticates with Vault by presenting a token.
  5060. properties:
  5061. key:
  5062. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5063. type: string
  5064. name:
  5065. description: The name of the Secret resource being referred to.
  5066. type: string
  5067. namespace:
  5068. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5069. type: string
  5070. type: object
  5071. type: object
  5072. caBundle:
  5073. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5074. format: byte
  5075. type: string
  5076. caProvider:
  5077. description: The provider for the CA bundle to use to validate Vault server certificate.
  5078. properties:
  5079. key:
  5080. description: The key the value inside of the provider type to use, only used with "Secret" type
  5081. type: string
  5082. name:
  5083. description: The name of the object located at the provider type.
  5084. type: string
  5085. namespace:
  5086. description: The namespace the Provider type is in.
  5087. type: string
  5088. type:
  5089. description: The type of provider to use such as "Secret", or "ConfigMap".
  5090. enum:
  5091. - Secret
  5092. - ConfigMap
  5093. type: string
  5094. required:
  5095. - name
  5096. - type
  5097. type: object
  5098. forwardInconsistent:
  5099. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5100. type: boolean
  5101. namespace:
  5102. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5103. type: string
  5104. path:
  5105. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5106. type: string
  5107. readYourWrites:
  5108. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5109. type: boolean
  5110. server:
  5111. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5112. type: string
  5113. version:
  5114. default: v2
  5115. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5116. enum:
  5117. - v1
  5118. - v2
  5119. type: string
  5120. required:
  5121. - auth
  5122. - server
  5123. type: object
  5124. webhook:
  5125. description: Webhook configures this store to sync secrets using a generic templated webhook
  5126. properties:
  5127. body:
  5128. description: Body
  5129. type: string
  5130. caBundle:
  5131. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5132. format: byte
  5133. type: string
  5134. caProvider:
  5135. description: The provider for the CA bundle to use to validate webhook server certificate.
  5136. properties:
  5137. key:
  5138. description: The key the value inside of the provider type to use, only used with "Secret" type
  5139. type: string
  5140. name:
  5141. description: The name of the object located at the provider type.
  5142. type: string
  5143. namespace:
  5144. description: The namespace the Provider type is in.
  5145. type: string
  5146. type:
  5147. description: The type of provider to use such as "Secret", or "ConfigMap".
  5148. enum:
  5149. - Secret
  5150. - ConfigMap
  5151. type: string
  5152. required:
  5153. - name
  5154. - type
  5155. type: object
  5156. headers:
  5157. additionalProperties:
  5158. type: string
  5159. description: Headers
  5160. type: object
  5161. method:
  5162. description: Webhook Method
  5163. type: string
  5164. result:
  5165. description: Result formatting
  5166. properties:
  5167. jsonPath:
  5168. description: Json path of return value
  5169. type: string
  5170. type: object
  5171. secrets:
  5172. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  5173. items:
  5174. properties:
  5175. name:
  5176. description: Name of this secret in templates
  5177. type: string
  5178. secretRef:
  5179. description: Secret ref to fill in credentials
  5180. properties:
  5181. key:
  5182. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5183. type: string
  5184. name:
  5185. description: The name of the Secret resource being referred to.
  5186. type: string
  5187. namespace:
  5188. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5189. type: string
  5190. type: object
  5191. required:
  5192. - name
  5193. - secretRef
  5194. type: object
  5195. type: array
  5196. timeout:
  5197. description: Timeout
  5198. type: string
  5199. url:
  5200. description: Webhook url to call
  5201. type: string
  5202. required:
  5203. - result
  5204. - url
  5205. type: object
  5206. yandexcertificatemanager:
  5207. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5208. properties:
  5209. apiEndpoint:
  5210. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5211. type: string
  5212. auth:
  5213. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5214. properties:
  5215. authorizedKeySecretRef:
  5216. description: The authorized key used for authentication
  5217. properties:
  5218. key:
  5219. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5220. type: string
  5221. name:
  5222. description: The name of the Secret resource being referred to.
  5223. type: string
  5224. namespace:
  5225. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5226. type: string
  5227. type: object
  5228. type: object
  5229. caProvider:
  5230. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5231. properties:
  5232. certSecretRef:
  5233. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5234. properties:
  5235. key:
  5236. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5237. type: string
  5238. name:
  5239. description: The name of the Secret resource being referred to.
  5240. type: string
  5241. namespace:
  5242. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5243. type: string
  5244. type: object
  5245. type: object
  5246. required:
  5247. - auth
  5248. type: object
  5249. yandexlockbox:
  5250. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5251. properties:
  5252. apiEndpoint:
  5253. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5254. type: string
  5255. auth:
  5256. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5257. properties:
  5258. authorizedKeySecretRef:
  5259. description: The authorized key used for authentication
  5260. properties:
  5261. key:
  5262. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5263. type: string
  5264. name:
  5265. description: The name of the Secret resource being referred to.
  5266. type: string
  5267. namespace:
  5268. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5269. type: string
  5270. type: object
  5271. type: object
  5272. caProvider:
  5273. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5274. properties:
  5275. certSecretRef:
  5276. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5277. properties:
  5278. key:
  5279. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5280. type: string
  5281. name:
  5282. description: The name of the Secret resource being referred to.
  5283. type: string
  5284. namespace:
  5285. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5286. type: string
  5287. type: object
  5288. type: object
  5289. required:
  5290. - auth
  5291. type: object
  5292. type: object
  5293. refreshInterval:
  5294. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5295. type: integer
  5296. retrySettings:
  5297. description: Used to configure http retries if failed
  5298. properties:
  5299. maxRetries:
  5300. format: int32
  5301. type: integer
  5302. retryInterval:
  5303. type: string
  5304. type: object
  5305. required:
  5306. - provider
  5307. type: object
  5308. status:
  5309. description: SecretStoreStatus defines the observed state of the SecretStore.
  5310. properties:
  5311. capabilities:
  5312. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5313. type: string
  5314. conditions:
  5315. items:
  5316. properties:
  5317. lastTransitionTime:
  5318. format: date-time
  5319. type: string
  5320. message:
  5321. type: string
  5322. reason:
  5323. type: string
  5324. status:
  5325. type: string
  5326. type:
  5327. type: string
  5328. required:
  5329. - status
  5330. - type
  5331. type: object
  5332. type: array
  5333. type: object
  5334. type: object
  5335. served: true
  5336. storage: true
  5337. subresources:
  5338. status: {}
  5339. conversion:
  5340. strategy: Webhook
  5341. webhook:
  5342. conversionReviewVersions:
  5343. - v1
  5344. clientConfig:
  5345. service:
  5346. name: kubernetes
  5347. namespace: default
  5348. path: /convert
  5349. status:
  5350. acceptedNames:
  5351. kind: ""
  5352. plural: ""
  5353. conditions: []
  5354. storedVersions: []