| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442 |
- should match snapshot of default values:
- 1: |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.15.0
- labels:
- external-secrets.io/component: controller
- name: secretstores.external-secrets.io
- spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: RELEASE-NAME-external-secrets-webhook
- namespace: NAMESPACE
- path: /convert
- conversionReviewVersions:
- - v1
- group: external-secrets.io
- names:
- categories:
- - externalsecrets
- kind: SecretStore
- listKind: SecretStoreList
- plural: secretstores
- shortNames:
- - ss
- singular: secretstore
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- deprecated: true
- name: v1alpha1
- schema:
- openAPIV3Schema:
- description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key the value inside of the provider type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the SecretManager provider will assume
- type: string
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
- properties:
- clientId:
- description: The Azure clientId of the service principle used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- valueMap:
- additionalProperties:
- type: string
- type: object
- version:
- type: string
- required:
- - key
- type: object
- type: array
- required:
- - data
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- properties:
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- serviceAccount:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key the value inside of the provider type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- required:
- - auth
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, instance principal is used. Optionally, the authenticating principal type
- and/or user data may be supplied for the use of workload identity and user principal.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- - roleId
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a LDAP user name used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key the value inside of the provider type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key the value inside of the provider type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - caBundle
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- properties:
- apikey:
- properties:
- account:
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- properties:
- account:
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service Token)
- type: string
- format:
- description: Format enables the downloading of secrets as a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- valueMap:
- additionalProperties:
- type: string
- description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
- type: object
- version:
- type: string
- required:
- - key
- type: object
- type: array
- required:
- - data
- type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- type: string
- secretsScope:
- properties:
- environmentSlug:
- type: string
- projectSlug:
- type: string
- secretsPath:
- default: /
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
- required:
- - apiHost
- - auth
- - environment
- - project
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication to a 1Password Connect Server.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/preview
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- required:
- - accessToken
- - environment
- - organization
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a LDAP user name used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: user
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "user"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- username:
- description: |-
- Username is a user name used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - auth
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key the value inside of the provider type to use, only used with "Secret" type
- type: string
- name:
- description: The name of the object located at the provider type.
- type: string
- namespace:
- description: The namespace the Provider type is in.
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource,
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
- defaulted, in others it may be required.
- type: string
- name:
- description: The name of the Secret resource being referred to.
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
- to the namespace of the referent.
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
