bundle.yaml 1.8 MB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167816881698170817181728173817481758176817781788179818081818182818381848185818681878188818981908191819281938194819581968197819881998200820182028203820482058206820782088209821082118212821382148215821682178218821982208221822282238224822582268227822882298230823182328233823482358236823782388239824082418242824382448245824682478248824982508251825282538254825582568257825882598260826182628263826482658266826782688269827082718272827382748275827682778278827982808281828282838284828582868287828882898290829182928293829482958296829782988299830083018302830383048305830683078308830983108311831283138314831583168317831883198320832183228323832483258326832783288329833083318332833383348335833683378338833983408341834283438344834583468347834883498350835183528353835483558356835783588359836083618362836383648365836683678368836983708371837283738374837583768377837883798380838183828383838483858386838783888389839083918392839383948395839683978398839984008401840284038404840584068407840884098410841184128413841484158416841784188419842084218422842384248425842684278428842984308431843284338434843584368437843884398440844184428443844484458446844784488449845084518452845384548455845684578458845984608461846284638464846584668467846884698470847184728473847484758476847784788479848084818482848384848485848684878488848984908491849284938494849584968497849884998500850185028503850485058506850785088509851085118512851385148515851685178518851985208521852285238524852585268527852885298530853185328533853485358536853785388539854085418542854385448545854685478548854985508551855285538554855585568557855885598560856185628563856485658566856785688569857085718572857385748575857685778578857985808581858285838584858585868587858885898590859185928593859485958596859785988599860086018602860386048605860686078608860986108611861286138614861586168617861886198620862186228623862486258626862786288629863086318632863386348635863686378638863986408641864286438644864586468647864886498650865186528653865486558656865786588659866086618662866386648665866686678668866986708671867286738674867586768677867886798680868186828683868486858686868786888689869086918692869386948695869686978698869987008701870287038704870587068707870887098710871187128713871487158716871787188719872087218722872387248725872687278728872987308731873287338734873587368737873887398740874187428743874487458746874787488749875087518752875387548755875687578758875987608761876287638764876587668767876887698770877187728773877487758776877787788779878087818782878387848785878687878788878987908791879287938794879587968797879887998800880188028803880488058806880788088809881088118812881388148815881688178818881988208821882288238824882588268827882888298830883188328833883488358836883788388839884088418842884388448845884688478848884988508851885288538854885588568857885888598860886188628863886488658866886788688869887088718872887388748875887688778878887988808881888288838884888588868887888888898890889188928893889488958896889788988899890089018902890389048905890689078908890989108911891289138914891589168917891889198920892189228923892489258926892789288929893089318932893389348935893689378938893989408941894289438944894589468947894889498950895189528953895489558956895789588959896089618962896389648965896689678968896989708971897289738974897589768977897889798980898189828983898489858986898789888989899089918992899389948995899689978998899990009001900290039004900590069007900890099010901190129013901490159016901790189019902090219022902390249025902690279028902990309031903290339034903590369037903890399040904190429043904490459046904790489049905090519052905390549055905690579058905990609061906290639064906590669067906890699070907190729073907490759076907790789079908090819082908390849085908690879088908990909091909290939094909590969097909890999100910191029103910491059106910791089109911091119112911391149115911691179118911991209121912291239124912591269127912891299130913191329133913491359136913791389139914091419142914391449145914691479148914991509151915291539154915591569157915891599160916191629163916491659166916791689169917091719172917391749175917691779178917991809181918291839184918591869187918891899190919191929193919491959196919791989199920092019202920392049205920692079208920992109211921292139214921592169217921892199220922192229223922492259226922792289229923092319232923392349235923692379238923992409241924292439244924592469247924892499250925192529253925492559256925792589259926092619262926392649265926692679268926992709271927292739274927592769277927892799280928192829283928492859286928792889289929092919292929392949295929692979298929993009301930293039304930593069307930893099310931193129313931493159316931793189319932093219322932393249325932693279328932993309331933293339334933593369337933893399340934193429343934493459346934793489349935093519352935393549355935693579358935993609361936293639364936593669367936893699370937193729373937493759376937793789379938093819382938393849385938693879388938993909391939293939394939593969397939893999400940194029403940494059406940794089409941094119412941394149415941694179418941994209421942294239424942594269427942894299430943194329433943494359436943794389439944094419442944394449445944694479448944994509451945294539454945594569457945894599460946194629463946494659466946794689469947094719472947394749475947694779478947994809481948294839484948594869487948894899490949194929493949494959496949794989499950095019502950395049505950695079508950995109511951295139514951595169517951895199520952195229523952495259526952795289529953095319532953395349535953695379538953995409541954295439544954595469547954895499550955195529553955495559556955795589559956095619562956395649565956695679568956995709571957295739574957595769577957895799580958195829583958495859586958795889589959095919592959395949595959695979598959996009601960296039604960596069607960896099610961196129613961496159616961796189619962096219622962396249625962696279628962996309631963296339634963596369637963896399640964196429643964496459646964796489649965096519652965396549655965696579658965996609661966296639664966596669667966896699670967196729673967496759676967796789679968096819682968396849685968696879688968996909691969296939694969596969697969896999700970197029703970497059706970797089709971097119712971397149715971697179718971997209721972297239724972597269727972897299730973197329733973497359736973797389739974097419742974397449745974697479748974997509751975297539754975597569757975897599760976197629763976497659766976797689769977097719772977397749775977697779778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211022210223102241022510226102271022810229102301023110232102331023410235102361023710238102391024010241102421024310244102451024610247102481024910250102511025210253102541025510256102571025810259102601026110262102631026410265102661026710268102691027010271102721027310274102751027610277102781027910280102811028210283102841028510286102871028810289102901029110292102931029410295102961029710298102991030010301103021030310304103051030610307103081030910310103111031210313103141031510316103171031810319103201032110322103231032410325103261032710328103291033010331103321033310334103351033610337103381033910340103411034210343103441034510346103471034810349103501035110352103531035410355103561035710358103591036010361103621036310364103651036610367103681036910370103711037210373103741037510376103771037810379103801038110382103831038410385103861038710388103891039010391103921039310394103951039610397103981039910400104011040210403104041040510406104071040810409104101041110412104131041410415104161041710418104191042010421104221042310424104251042610427104281042910430104311043210433104341043510436104371043810439104401044110442104431044410445104461044710448104491045010451104521045310454104551045610457104581045910460104611046210463104641046510466104671046810469104701047110472104731047410475104761047710478104791048010481104821048310484104851048610487104881048910490104911049210493104941049510496104971049810499105001050110502105031050410505105061050710508105091051010511105121051310514105151051610517105181051910520105211052210523105241052510526105271052810529105301053110532105331053410535105361053710538105391054010541105421054310544105451054610547105481054910550105511055210553105541055510556105571055810559105601056110562105631056410565105661056710568105691057010571105721057310574105751057610577105781057910580105811058210583105841058510586105871058810589105901059110592105931059410595105961059710598105991060010601106021060310604106051060610607106081060910610106111061210613106141061510616106171061810619106201062110622106231062410625106261062710628106291063010631106321063310634106351063610637106381063910640106411064210643106441064510646106471064810649106501065110652106531065410655106561065710658106591066010661106621066310664106651066610667106681066910670106711067210673106741067510676106771067810679106801068110682106831068410685106861068710688106891069010691106921069310694106951069610697106981069910700107011070210703107041070510706107071070810709107101071110712107131071410715107161071710718107191072010721107221072310724107251072610727107281072910730107311073210733107341073510736107371073810739107401074110742107431074410745107461074710748107491075010751107521075310754107551075610757107581075910760107611076210763107641076510766107671076810769107701077110772107731077410775107761077710778107791078010781107821078310784107851078610787107881078910790107911079210793107941079510796107971079810799108001080110802108031080410805108061080710808108091081010811108121081310814108151081610817108181081910820108211082210823108241082510826108271082810829108301083110832108331083410835108361083710838108391084010841108421084310844108451084610847108481084910850108511085210853108541085510856108571085810859108601086110862108631086410865108661086710868108691087010871108721087310874108751087610877108781087910880108811088210883108841088510886108871088810889108901089110892108931089410895108961089710898108991090010901109021090310904109051090610907109081090910910109111091210913109141091510916109171091810919109201092110922109231092410925109261092710928109291093010931109321093310934109351093610937109381093910940109411094210943109441094510946109471094810949109501095110952109531095410955109561095710958109591096010961109621096310964109651096610967109681096910970109711097210973109741097510976109771097810979109801098110982109831098410985109861098710988109891099010991109921099310994109951099610997109981099911000110011100211003110041100511006110071100811009110101101111012110131101411015110161101711018110191102011021110221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211142211423114241142511426114271142811429114301143111432114331143411435114361143711438114391144011441114421144311444114451144611447114481144911450114511145211453114541145511456114571145811459114601146111462114631146411465114661146711468114691147011471114721147311474114751147611477114781147911480114811148211483114841148511486114871148811489114901149111492114931149411495114961149711498114991150011501115021150311504115051150611507115081150911510115111151211513115141151511516115171151811519115201152111522115231152411525115261152711528115291153011531115321153311534115351153611537115381153911540115411154211543115441154511546115471154811549115501155111552115531155411555115561155711558115591156011561115621156311564115651156611567115681156911570115711157211573115741157511576115771157811579115801158111582115831158411585115861158711588115891159011591115921159311594115951159611597115981159911600116011160211603116041160511606116071160811609116101161111612116131161411615116161161711618116191162011621116221162311624116251162611627116281162911630116311163211633116341163511636116371163811639116401164111642116431164411645116461164711648116491165011651116521165311654116551165611657116581165911660116611166211663116641166511666116671166811669116701167111672116731167411675116761167711678116791168011681116821168311684116851168611687116881168911690116911169211693116941169511696116971169811699117001170111702117031170411705117061170711708117091171011711117121171311714117151171611717117181171911720117211172211723117241172511726117271172811729117301173111732117331173411735117361173711738117391174011741117421174311744117451174611747117481174911750117511175211753117541175511756117571175811759117601176111762117631176411765117661176711768117691177011771117721177311774117751177611777117781177911780117811178211783117841178511786117871178811789117901179111792117931179411795117961179711798117991180011801118021180311804118051180611807118081180911810118111181211813118141181511816118171181811819118201182111822118231182411825118261182711828118291183011831118321183311834118351183611837118381183911840118411184211843118441184511846118471184811849118501185111852118531185411855118561185711858118591186011861118621186311864118651186611867118681186911870118711187211873118741187511876118771187811879118801188111882118831188411885118861188711888118891189011891118921189311894118951189611897118981189911900119011190211903119041190511906119071190811909119101191111912119131191411915119161191711918119191192011921119221192311924119251192611927119281192911930119311193211933119341193511936119371193811939119401194111942119431194411945119461194711948119491195011951119521195311954119551195611957119581195911960119611196211963119641196511966119671196811969119701197111972119731197411975119761197711978119791198011981119821198311984119851198611987119881198911990119911199211993119941199511996119971199811999120001200112002120031200412005120061200712008120091201012011120121201312014120151201612017120181201912020120211202212023120241202512026120271202812029120301203112032120331203412035120361203712038120391204012041120421204312044120451204612047120481204912050120511205212053120541205512056120571205812059120601206112062120631206412065120661206712068120691207012071120721207312074120751207612077120781207912080120811208212083120841208512086120871208812089120901209112092120931209412095120961209712098120991210012101121021210312104121051210612107121081210912110121111211212113121141211512116121171211812119121201212112122121231212412125121261212712128121291213012131121321213312134121351213612137121381213912140121411214212143121441214512146121471214812149121501215112152121531215412155121561215712158121591216012161121621216312164121651216612167121681216912170121711217212173121741217512176121771217812179121801218112182121831218412185121861218712188121891219012191121921219312194121951219612197121981219912200122011220212203122041220512206122071220812209122101221112212122131221412215122161221712218122191222012221122221222312224122251222612227122281222912230122311223212233122341223512236122371223812239122401224112242122431224412245122461224712248122491225012251122521225312254122551225612257122581225912260122611226212263122641226512266122671226812269122701227112272122731227412275122761227712278122791228012281122821228312284122851228612287122881228912290122911229212293122941229512296122971229812299123001230112302123031230412305123061230712308123091231012311123121231312314123151231612317123181231912320123211232212323123241232512326123271232812329123301233112332123331233412335123361233712338123391234012341123421234312344123451234612347123481234912350123511235212353123541235512356123571235812359123601236112362123631236412365123661236712368123691237012371123721237312374123751237612377123781237912380123811238212383123841238512386123871238812389123901239112392123931239412395123961239712398123991240012401124021240312404124051240612407124081240912410124111241212413124141241512416124171241812419124201242112422124231242412425124261242712428124291243012431124321243312434124351243612437124381243912440124411244212443124441244512446124471244812449124501245112452124531245412455124561245712458124591246012461124621246312464124651246612467124681246912470124711247212473124741247512476124771247812479124801248112482124831248412485124861248712488124891249012491124921249312494124951249612497124981249912500125011250212503125041250512506125071250812509125101251112512125131251412515125161251712518125191252012521125221252312524125251252612527125281252912530125311253212533125341253512536125371253812539125401254112542125431254412545125461254712548125491255012551125521255312554125551255612557125581255912560125611256212563125641256512566125671256812569125701257112572125731257412575125761257712578125791258012581125821258312584125851258612587125881258912590125911259212593125941259512596125971259812599126001260112602126031260412605126061260712608126091261012611126121261312614126151261612617126181261912620126211262212623126241262512626126271262812629126301263112632126331263412635126361263712638126391264012641126421264312644126451264612647126481264912650126511265212653126541265512656126571265812659126601266112662126631266412665126661266712668126691267012671126721267312674126751267612677126781267912680126811268212683126841268512686126871268812689126901269112692126931269412695126961269712698126991270012701127021270312704127051270612707127081270912710127111271212713127141271512716127171271812719127201272112722127231272412725127261272712728127291273012731127321273312734127351273612737127381273912740127411274212743127441274512746127471274812749127501275112752127531275412755127561275712758127591276012761127621276312764127651276612767127681276912770127711277212773127741277512776127771277812779127801278112782127831278412785127861278712788127891279012791127921279312794127951279612797127981279912800128011280212803128041280512806128071280812809128101281112812128131281412815128161281712818128191282012821128221282312824128251282612827128281282912830128311283212833128341283512836128371283812839128401284112842128431284412845128461284712848128491285012851128521285312854128551285612857128581285912860128611286212863128641286512866128671286812869128701287112872128731287412875128761287712878128791288012881128821288312884128851288612887128881288912890128911289212893128941289512896128971289812899129001290112902129031290412905129061290712908129091291012911129121291312914129151291612917129181291912920129211292212923129241292512926129271292812929129301293112932129331293412935129361293712938129391294012941129421294312944129451294612947129481294912950129511295212953129541295512956129571295812959129601296112962129631296412965129661296712968129691297012971129721297312974129751297612977129781297912980129811298212983129841298512986129871298812989129901299112992129931299412995129961299712998129991300013001130021300313004130051300613007130081300913010130111301213013130141301513016130171301813019130201302113022130231302413025130261302713028130291303013031130321303313034130351303613037130381303913040130411304213043130441304513046130471304813049130501305113052130531305413055130561305713058130591306013061130621306313064130651306613067130681306913070130711307213073130741307513076130771307813079130801308113082130831308413085130861308713088130891309013091130921309313094130951309613097130981309913100131011310213103131041310513106131071310813109131101311113112131131311413115131161311713118131191312013121131221312313124131251312613127131281312913130131311313213133131341313513136131371313813139131401314113142131431314413145131461314713148131491315013151131521315313154131551315613157131581315913160131611316213163131641316513166131671316813169131701317113172131731317413175131761317713178131791318013181131821318313184131851318613187131881318913190131911319213193131941319513196131971319813199132001320113202132031320413205132061320713208132091321013211132121321313214132151321613217132181321913220132211322213223132241322513226132271322813229132301323113232132331323413235132361323713238132391324013241132421324313244132451324613247132481324913250132511325213253132541325513256132571325813259132601326113262132631326413265132661326713268132691327013271132721327313274132751327613277132781327913280132811328213283132841328513286132871328813289132901329113292132931329413295132961329713298132991330013301133021330313304133051330613307133081330913310133111331213313133141331513316133171331813319133201332113322133231332413325133261332713328133291333013331133321333313334133351333613337133381333913340133411334213343133441334513346133471334813349133501335113352133531335413355133561335713358133591336013361133621336313364133651336613367133681336913370133711337213373133741337513376133771337813379133801338113382133831338413385133861338713388133891339013391133921339313394133951339613397133981339913400134011340213403134041340513406134071340813409134101341113412134131341413415134161341713418134191342013421134221342313424134251342613427134281342913430134311343213433134341343513436134371343813439134401344113442134431344413445134461344713448134491345013451134521345313454134551345613457134581345913460134611346213463134641346513466134671346813469134701347113472134731347413475134761347713478134791348013481134821348313484134851348613487134881348913490134911349213493134941349513496134971349813499135001350113502135031350413505135061350713508135091351013511135121351313514135151351613517135181351913520135211352213523135241352513526135271352813529135301353113532135331353413535135361353713538135391354013541135421354313544135451354613547135481354913550135511355213553135541355513556135571355813559135601356113562135631356413565135661356713568135691357013571135721357313574135751357613577135781357913580135811358213583135841358513586135871358813589135901359113592135931359413595135961359713598135991360013601136021360313604136051360613607136081360913610136111361213613136141361513616136171361813619136201362113622136231362413625136261362713628136291363013631136321363313634136351363613637136381363913640136411364213643136441364513646136471364813649136501365113652136531365413655136561365713658136591366013661136621366313664136651366613667136681366913670136711367213673136741367513676136771367813679136801368113682136831368413685136861368713688136891369013691136921369313694136951369613697136981369913700137011370213703137041370513706137071370813709137101371113712137131371413715137161371713718137191372013721137221372313724137251372613727137281372913730137311373213733137341373513736137371373813739137401374113742137431374413745137461374713748137491375013751137521375313754137551375613757137581375913760137611376213763137641376513766137671376813769137701377113772137731377413775137761377713778137791378013781137821378313784137851378613787137881378913790137911379213793137941379513796137971379813799138001380113802138031380413805138061380713808138091381013811138121381313814138151381613817138181381913820138211382213823138241382513826138271382813829138301383113832138331383413835138361383713838138391384013841138421384313844138451384613847138481384913850138511385213853138541385513856138571385813859138601386113862138631386413865138661386713868138691387013871138721387313874138751387613877138781387913880138811388213883138841388513886138871388813889138901389113892138931389413895138961389713898138991390013901139021390313904139051390613907139081390913910139111391213913139141391513916139171391813919139201392113922139231392413925139261392713928139291393013931139321393313934139351393613937139381393913940139411394213943139441394513946139471394813949139501395113952139531395413955139561395713958139591396013961139621396313964139651396613967139681396913970139711397213973139741397513976139771397813979139801398113982139831398413985139861398713988139891399013991139921399313994139951399613997139981399914000140011400214003140041400514006140071400814009140101401114012140131401414015140161401714018140191402014021140221402314024140251402614027140281402914030140311403214033140341403514036140371403814039140401404114042140431404414045140461404714048140491405014051140521405314054140551405614057140581405914060140611406214063140641406514066140671406814069140701407114072140731407414075140761407714078140791408014081140821408314084140851408614087140881408914090140911409214093140941409514096140971409814099141001410114102141031410414105141061410714108141091411014111141121411314114141151411614117141181411914120141211412214123141241412514126141271412814129141301413114132141331413414135141361413714138141391414014141141421414314144141451414614147141481414914150141511415214153141541415514156141571415814159141601416114162141631416414165141661416714168141691417014171141721417314174141751417614177141781417914180141811418214183141841418514186141871418814189141901419114192141931419414195141961419714198141991420014201142021420314204142051420614207142081420914210142111421214213142141421514216142171421814219142201422114222142231422414225142261422714228142291423014231142321423314234142351423614237142381423914240142411424214243142441424514246142471424814249142501425114252142531425414255142561425714258142591426014261142621426314264142651426614267142681426914270142711427214273142741427514276142771427814279142801428114282142831428414285142861428714288142891429014291142921429314294142951429614297142981429914300143011430214303143041430514306143071430814309143101431114312143131431414315143161431714318143191432014321143221432314324143251432614327143281432914330143311433214333143341433514336143371433814339143401434114342143431434414345143461434714348143491435014351143521435314354143551435614357143581435914360143611436214363143641436514366143671436814369143701437114372143731437414375143761437714378143791438014381143821438314384143851438614387143881438914390143911439214393143941439514396143971439814399144001440114402144031440414405144061440714408144091441014411144121441314414144151441614417144181441914420144211442214423144241442514426144271442814429144301443114432144331443414435144361443714438144391444014441144421444314444144451444614447144481444914450144511445214453144541445514456144571445814459144601446114462144631446414465144661446714468144691447014471144721447314474144751447614477144781447914480144811448214483144841448514486144871448814489144901449114492144931449414495144961449714498144991450014501145021450314504145051450614507145081450914510145111451214513145141451514516145171451814519145201452114522145231452414525145261452714528145291453014531145321453314534145351453614537145381453914540145411454214543145441454514546145471454814549145501455114552145531455414555145561455714558145591456014561145621456314564145651456614567145681456914570145711457214573145741457514576145771457814579145801458114582145831458414585145861458714588145891459014591145921459314594145951459614597145981459914600146011460214603146041460514606146071460814609146101461114612146131461414615146161461714618146191462014621146221462314624146251462614627146281462914630146311463214633146341463514636146371463814639146401464114642146431464414645146461464714648146491465014651146521465314654146551465614657146581465914660146611466214663146641466514666146671466814669146701467114672146731467414675146761467714678146791468014681146821468314684146851468614687146881468914690146911469214693146941469514696146971469814699147001470114702147031470414705147061470714708147091471014711147121471314714147151471614717147181471914720147211472214723147241472514726147271472814729147301473114732147331473414735147361473714738147391474014741147421474314744147451474614747147481474914750147511475214753147541475514756147571475814759147601476114762147631476414765147661476714768147691477014771147721477314774147751477614777147781477914780147811478214783147841478514786147871478814789147901479114792147931479414795147961479714798147991480014801148021480314804148051480614807148081480914810148111481214813148141481514816148171481814819148201482114822148231482414825148261482714828148291483014831148321483314834148351483614837148381483914840148411484214843148441484514846148471484814849148501485114852148531485414855148561485714858148591486014861148621486314864148651486614867148681486914870148711487214873148741487514876148771487814879148801488114882148831488414885148861488714888148891489014891148921489314894148951489614897148981489914900149011490214903149041490514906149071490814909149101491114912149131491414915149161491714918149191492014921149221492314924149251492614927149281492914930149311493214933149341493514936149371493814939149401494114942149431494414945149461494714948149491495014951149521495314954149551495614957149581495914960149611496214963149641496514966149671496814969149701497114972149731497414975149761497714978149791498014981149821498314984149851498614987149881498914990149911499214993149941499514996149971499814999150001500115002150031500415005150061500715008150091501015011150121501315014150151501615017150181501915020150211502215023150241502515026150271502815029150301503115032150331503415035150361503715038150391504015041150421504315044150451504615047150481504915050150511505215053150541505515056150571505815059150601506115062150631506415065150661506715068150691507015071150721507315074150751507615077150781507915080150811508215083150841508515086150871508815089150901509115092150931509415095150961509715098150991510015101151021510315104151051510615107151081510915110151111511215113151141511515116151171511815119151201512115122151231512415125151261512715128151291513015131151321513315134151351513615137151381513915140151411514215143151441514515146151471514815149151501515115152151531515415155151561515715158151591516015161151621516315164151651516615167151681516915170151711517215173151741517515176151771517815179151801518115182151831518415185151861518715188151891519015191151921519315194151951519615197151981519915200152011520215203152041520515206152071520815209152101521115212152131521415215152161521715218152191522015221152221522315224152251522615227152281522915230152311523215233152341523515236152371523815239152401524115242152431524415245152461524715248152491525015251152521525315254152551525615257152581525915260152611526215263152641526515266152671526815269152701527115272152731527415275152761527715278152791528015281152821528315284152851528615287152881528915290152911529215293152941529515296152971529815299153001530115302153031530415305153061530715308153091531015311153121531315314153151531615317153181531915320153211532215323153241532515326153271532815329153301533115332153331533415335153361533715338153391534015341153421534315344153451534615347153481534915350153511535215353153541535515356153571535815359153601536115362153631536415365153661536715368153691537015371153721537315374153751537615377153781537915380153811538215383153841538515386153871538815389153901539115392153931539415395153961539715398153991540015401154021540315404154051540615407154081540915410154111541215413154141541515416154171541815419154201542115422154231542415425154261542715428154291543015431154321543315434154351543615437154381543915440154411544215443154441544515446154471544815449154501545115452154531545415455154561545715458154591546015461154621546315464154651546615467154681546915470154711547215473154741547515476154771547815479154801548115482154831548415485154861548715488154891549015491154921549315494154951549615497154981549915500155011550215503155041550515506155071550815509155101551115512155131551415515155161551715518155191552015521155221552315524155251552615527155281552915530155311553215533155341553515536155371553815539155401554115542155431554415545155461554715548155491555015551155521555315554155551555615557155581555915560155611556215563155641556515566155671556815569155701557115572155731557415575155761557715578155791558015581155821558315584155851558615587155881558915590155911559215593155941559515596155971559815599156001560115602156031560415605156061560715608156091561015611156121561315614156151561615617156181561915620156211562215623156241562515626156271562815629156301563115632156331563415635156361563715638156391564015641156421564315644156451564615647156481564915650156511565215653156541565515656156571565815659156601566115662156631566415665156661566715668156691567015671156721567315674156751567615677156781567915680156811568215683156841568515686156871568815689156901569115692156931569415695156961569715698156991570015701157021570315704157051570615707157081570915710157111571215713157141571515716157171571815719157201572115722157231572415725157261572715728157291573015731157321573315734157351573615737157381573915740157411574215743157441574515746157471574815749157501575115752157531575415755157561575715758157591576015761157621576315764157651576615767157681576915770157711577215773157741577515776157771577815779157801578115782157831578415785157861578715788157891579015791157921579315794157951579615797157981579915800158011580215803158041580515806158071580815809158101581115812158131581415815158161581715818158191582015821158221582315824158251582615827158281582915830158311583215833158341583515836158371583815839158401584115842158431584415845158461584715848158491585015851158521585315854158551585615857158581585915860158611586215863158641586515866158671586815869158701587115872158731587415875158761587715878158791588015881158821588315884158851588615887158881588915890158911589215893158941589515896158971589815899159001590115902159031590415905159061590715908159091591015911159121591315914159151591615917159181591915920159211592215923159241592515926159271592815929159301593115932159331593415935159361593715938159391594015941159421594315944159451594615947159481594915950159511595215953159541595515956159571595815959159601596115962159631596415965159661596715968159691597015971159721597315974159751597615977159781597915980159811598215983159841598515986159871598815989159901599115992159931599415995159961599715998159991600016001160021600316004160051600616007160081600916010160111601216013160141601516016160171601816019160201602116022160231602416025160261602716028160291603016031160321603316034160351603616037160381603916040160411604216043160441604516046160471604816049160501605116052160531605416055160561605716058160591606016061160621606316064160651606616067160681606916070160711607216073160741607516076160771607816079160801608116082160831608416085160861608716088160891609016091160921609316094160951609616097160981609916100161011610216103161041610516106161071610816109161101611116112161131611416115161161611716118161191612016121161221612316124161251612616127161281612916130161311613216133161341613516136161371613816139161401614116142161431614416145161461614716148161491615016151161521615316154161551615616157161581615916160161611616216163161641616516166161671616816169161701617116172161731617416175161761617716178161791618016181161821618316184161851618616187161881618916190161911619216193161941619516196161971619816199162001620116202162031620416205162061620716208162091621016211162121621316214162151621616217162181621916220162211622216223162241622516226162271622816229162301623116232162331623416235162361623716238162391624016241162421624316244162451624616247162481624916250162511625216253162541625516256162571625816259162601626116262162631626416265162661626716268162691627016271162721627316274162751627616277162781627916280162811628216283162841628516286162871628816289162901629116292162931629416295162961629716298162991630016301163021630316304163051630616307163081630916310163111631216313163141631516316163171631816319163201632116322163231632416325163261632716328163291633016331163321633316334163351633616337163381633916340163411634216343163441634516346163471634816349163501635116352163531635416355163561635716358163591636016361163621636316364163651636616367163681636916370163711637216373163741637516376163771637816379163801638116382163831638416385163861638716388163891639016391163921639316394163951639616397163981639916400164011640216403164041640516406164071640816409164101641116412164131641416415164161641716418164191642016421164221642316424164251642616427164281642916430164311643216433164341643516436164371643816439164401644116442164431644416445164461644716448164491645016451164521645316454164551645616457164581645916460164611646216463164641646516466164671646816469164701647116472164731647416475164761647716478164791648016481164821648316484164851648616487164881648916490164911649216493164941649516496164971649816499165001650116502165031650416505165061650716508165091651016511165121651316514165151651616517165181651916520165211652216523165241652516526165271652816529165301653116532165331653416535165361653716538165391654016541165421654316544165451654616547165481654916550165511655216553165541655516556165571655816559165601656116562165631656416565165661656716568165691657016571165721657316574165751657616577165781657916580165811658216583165841658516586165871658816589165901659116592165931659416595165961659716598165991660016601166021660316604166051660616607166081660916610166111661216613166141661516616166171661816619166201662116622166231662416625166261662716628166291663016631166321663316634166351663616637166381663916640166411664216643166441664516646166471664816649166501665116652166531665416655166561665716658166591666016661166621666316664166651666616667166681666916670166711667216673166741667516676166771667816679166801668116682166831668416685166861668716688166891669016691166921669316694166951669616697166981669916700167011670216703167041670516706167071670816709167101671116712167131671416715167161671716718167191672016721167221672316724167251672616727167281672916730167311673216733167341673516736167371673816739167401674116742167431674416745167461674716748167491675016751167521675316754167551675616757167581675916760167611676216763167641676516766167671676816769167701677116772167731677416775167761677716778167791678016781167821678316784167851678616787167881678916790167911679216793167941679516796167971679816799168001680116802168031680416805168061680716808168091681016811168121681316814168151681616817168181681916820168211682216823168241682516826168271682816829168301683116832168331683416835168361683716838168391684016841168421684316844168451684616847168481684916850168511685216853168541685516856168571685816859168601686116862168631686416865168661686716868168691687016871168721687316874168751687616877168781687916880168811688216883168841688516886168871688816889168901689116892168931689416895168961689716898168991690016901169021690316904169051690616907169081690916910169111691216913169141691516916169171691816919169201692116922169231692416925169261692716928169291693016931169321693316934169351693616937169381693916940169411694216943169441694516946169471694816949169501695116952169531695416955169561695716958169591696016961169621696316964169651696616967169681696916970169711697216973169741697516976169771697816979169801698116982169831698416985169861698716988169891699016991169921699316994169951699616997169981699917000170011700217003170041700517006170071700817009170101701117012170131701417015170161701717018170191702017021170221702317024170251702617027170281702917030170311703217033170341703517036170371703817039170401704117042170431704417045170461704717048170491705017051170521705317054170551705617057170581705917060170611706217063170641706517066170671706817069170701707117072170731707417075170761707717078170791708017081170821708317084170851708617087170881708917090170911709217093170941709517096170971709817099171001710117102171031710417105171061710717108171091711017111171121711317114171151711617117171181711917120171211712217123171241712517126171271712817129171301713117132171331713417135171361713717138171391714017141171421714317144171451714617147171481714917150171511715217153171541715517156171571715817159171601716117162171631716417165171661716717168171691717017171171721717317174171751717617177171781717917180171811718217183171841718517186171871718817189171901719117192171931719417195171961719717198171991720017201172021720317204172051720617207172081720917210172111721217213172141721517216172171721817219172201722117222172231722417225172261722717228172291723017231172321723317234172351723617237172381723917240172411724217243172441724517246172471724817249172501725117252172531725417255172561725717258172591726017261172621726317264172651726617267172681726917270172711727217273172741727517276172771727817279172801728117282172831728417285172861728717288172891729017291172921729317294172951729617297172981729917300173011730217303173041730517306173071730817309173101731117312173131731417315173161731717318173191732017321173221732317324173251732617327173281732917330173311733217333173341733517336173371733817339173401734117342173431734417345173461734717348173491735017351173521735317354173551735617357173581735917360173611736217363173641736517366173671736817369173701737117372173731737417375173761737717378173791738017381173821738317384173851738617387173881738917390173911739217393173941739517396173971739817399174001740117402174031740417405174061740717408174091741017411174121741317414174151741617417174181741917420174211742217423174241742517426174271742817429174301743117432174331743417435174361743717438174391744017441174421744317444174451744617447174481744917450174511745217453174541745517456174571745817459174601746117462174631746417465174661746717468174691747017471174721747317474174751747617477174781747917480174811748217483174841748517486174871748817489174901749117492174931749417495174961749717498174991750017501175021750317504175051750617507175081750917510175111751217513175141751517516175171751817519175201752117522175231752417525175261752717528175291753017531175321753317534175351753617537175381753917540175411754217543175441754517546175471754817549175501755117552175531755417555175561755717558175591756017561175621756317564175651756617567175681756917570175711757217573175741757517576175771757817579175801758117582175831758417585175861758717588175891759017591175921759317594175951759617597175981759917600176011760217603176041760517606176071760817609176101761117612176131761417615176161761717618176191762017621176221762317624176251762617627176281762917630176311763217633176341763517636176371763817639176401764117642176431764417645176461764717648176491765017651176521765317654176551765617657176581765917660176611766217663176641766517666176671766817669176701767117672176731767417675176761767717678176791768017681176821768317684176851768617687176881768917690176911769217693176941769517696176971769817699177001770117702177031770417705177061770717708177091771017711177121771317714177151771617717177181771917720177211772217723177241772517726177271772817729177301773117732177331773417735177361773717738177391774017741177421774317744177451774617747177481774917750177511775217753177541775517756177571775817759177601776117762177631776417765177661776717768177691777017771177721777317774177751777617777177781777917780177811778217783177841778517786177871778817789177901779117792177931779417795177961779717798177991780017801178021780317804178051780617807178081780917810178111781217813178141781517816178171781817819178201782117822178231782417825178261782717828178291783017831178321783317834178351783617837178381783917840178411784217843178441784517846178471784817849178501785117852178531785417855178561785717858178591786017861178621786317864178651786617867178681786917870178711787217873178741787517876178771787817879178801788117882178831788417885178861788717888178891789017891178921789317894178951789617897178981789917900179011790217903179041790517906179071790817909179101791117912179131791417915179161791717918179191792017921179221792317924179251792617927179281792917930179311793217933179341793517936179371793817939179401794117942179431794417945179461794717948179491795017951179521795317954179551795617957179581795917960179611796217963179641796517966179671796817969179701797117972179731797417975179761797717978179791798017981179821798317984179851798617987179881798917990179911799217993179941799517996179971799817999180001800118002180031800418005180061800718008180091801018011180121801318014180151801618017180181801918020180211802218023180241802518026180271802818029180301803118032180331803418035180361803718038180391804018041180421804318044180451804618047180481804918050180511805218053180541805518056180571805818059180601806118062180631806418065180661806718068180691807018071180721807318074180751807618077180781807918080180811808218083180841808518086180871808818089180901809118092180931809418095180961809718098180991810018101181021810318104181051810618107181081810918110181111811218113181141811518116181171811818119181201812118122181231812418125181261812718128181291813018131181321813318134181351813618137181381813918140181411814218143181441814518146181471814818149181501815118152181531815418155181561815718158181591816018161181621816318164181651816618167181681816918170181711817218173181741817518176181771817818179181801818118182181831818418185181861818718188181891819018191181921819318194181951819618197181981819918200182011820218203182041820518206182071820818209182101821118212182131821418215182161821718218182191822018221182221822318224182251822618227182281822918230182311823218233182341823518236182371823818239182401824118242182431824418245182461824718248182491825018251182521825318254182551825618257182581825918260182611826218263182641826518266182671826818269182701827118272182731827418275182761827718278182791828018281182821828318284182851828618287182881828918290182911829218293182941829518296182971829818299183001830118302183031830418305183061830718308183091831018311183121831318314183151831618317183181831918320183211832218323183241832518326183271832818329183301833118332183331833418335183361833718338183391834018341183421834318344183451834618347183481834918350183511835218353183541835518356183571835818359183601836118362183631836418365183661836718368183691837018371183721837318374183751837618377183781837918380183811838218383183841838518386183871838818389183901839118392183931839418395183961839718398183991840018401184021840318404184051840618407184081840918410184111841218413184141841518416184171841818419184201842118422184231842418425184261842718428184291843018431184321843318434184351843618437184381843918440184411844218443184441844518446184471844818449184501845118452184531845418455184561845718458184591846018461184621846318464184651846618467184681846918470184711847218473184741847518476184771847818479184801848118482184831848418485184861848718488184891849018491184921849318494184951849618497184981849918500185011850218503185041850518506185071850818509185101851118512185131851418515185161851718518185191852018521185221852318524185251852618527185281852918530185311853218533185341853518536185371853818539185401854118542185431854418545185461854718548185491855018551185521855318554185551855618557185581855918560185611856218563185641856518566185671856818569185701857118572185731857418575185761857718578185791858018581185821858318584185851858618587185881858918590185911859218593185941859518596185971859818599186001860118602186031860418605186061860718608186091861018611186121861318614186151861618617186181861918620186211862218623186241862518626186271862818629186301863118632186331863418635186361863718638186391864018641186421864318644186451864618647186481864918650186511865218653186541865518656186571865818659186601866118662186631866418665186661866718668186691867018671186721867318674186751867618677186781867918680186811868218683186841868518686186871868818689186901869118692186931869418695186961869718698186991870018701187021870318704187051870618707187081870918710187111871218713187141871518716187171871818719187201872118722187231872418725187261872718728187291873018731187321873318734187351873618737187381873918740187411874218743187441874518746187471874818749187501875118752187531875418755187561875718758187591876018761187621876318764187651876618767187681876918770187711877218773187741877518776187771877818779187801878118782187831878418785187861878718788187891879018791187921879318794187951879618797187981879918800188011880218803188041880518806188071880818809188101881118812188131881418815188161881718818188191882018821188221882318824188251882618827188281882918830188311883218833188341883518836188371883818839188401884118842188431884418845188461884718848188491885018851188521885318854188551885618857188581885918860188611886218863188641886518866188671886818869188701887118872188731887418875188761887718878188791888018881188821888318884188851888618887188881888918890188911889218893188941889518896188971889818899189001890118902189031890418905189061890718908189091891018911189121891318914189151891618917189181891918920189211892218923189241892518926189271892818929189301893118932189331893418935189361893718938189391894018941189421894318944189451894618947189481894918950189511895218953189541895518956189571895818959189601896118962189631896418965189661896718968189691897018971189721897318974189751897618977189781897918980189811898218983189841898518986189871898818989189901899118992189931899418995189961899718998189991900019001190021900319004190051900619007190081900919010190111901219013190141901519016190171901819019190201902119022190231902419025190261902719028190291903019031190321903319034190351903619037190381903919040190411904219043190441904519046190471904819049190501905119052190531905419055190561905719058190591906019061190621906319064190651906619067190681906919070190711907219073190741907519076190771907819079190801908119082190831908419085190861908719088190891909019091190921909319094190951909619097190981909919100191011910219103191041910519106191071910819109191101911119112191131911419115191161911719118191191912019121191221912319124191251912619127191281912919130191311913219133191341913519136191371913819139191401914119142191431914419145191461914719148191491915019151191521915319154191551915619157191581915919160191611916219163191641916519166191671916819169191701917119172191731917419175191761917719178191791918019181191821918319184191851918619187191881918919190191911919219193191941919519196191971919819199192001920119202192031920419205192061920719208192091921019211192121921319214192151921619217192181921919220192211922219223192241922519226192271922819229192301923119232192331923419235192361923719238192391924019241192421924319244192451924619247192481924919250192511925219253192541925519256192571925819259192601926119262192631926419265192661926719268192691927019271192721927319274192751927619277192781927919280192811928219283192841928519286192871928819289192901929119292192931929419295192961929719298192991930019301193021930319304193051930619307193081930919310193111931219313193141931519316193171931819319193201932119322193231932419325193261932719328193291933019331193321933319334193351933619337193381933919340193411934219343193441934519346193471934819349193501935119352193531935419355193561935719358193591936019361193621936319364193651936619367193681936919370193711937219373193741937519376193771937819379193801938119382193831938419385193861938719388193891939019391193921939319394193951939619397193981939919400194011940219403194041940519406194071940819409194101941119412194131941419415194161941719418194191942019421194221942319424194251942619427194281942919430194311943219433194341943519436194371943819439194401944119442194431944419445194461944719448194491945019451194521945319454194551945619457194581945919460194611946219463194641946519466194671946819469194701947119472194731947419475194761947719478194791948019481194821948319484194851948619487194881948919490194911949219493194941949519496194971949819499195001950119502195031950419505195061950719508195091951019511195121951319514195151951619517195181951919520195211952219523195241952519526195271952819529195301953119532195331953419535195361953719538195391954019541195421954319544195451954619547195481954919550195511955219553195541955519556195571955819559195601956119562195631956419565195661956719568195691957019571195721957319574195751957619577195781957919580195811958219583195841958519586195871958819589195901959119592195931959419595195961959719598195991960019601196021960319604196051960619607196081960919610196111961219613196141961519616196171961819619196201962119622196231962419625196261962719628196291963019631196321963319634196351963619637196381963919640196411964219643196441964519646196471964819649196501965119652196531965419655196561965719658196591966019661196621966319664196651966619667196681966919670196711967219673196741967519676196771967819679196801968119682196831968419685196861968719688196891969019691196921969319694196951969619697196981969919700197011970219703197041970519706197071970819709197101971119712197131971419715197161971719718197191972019721197221972319724197251972619727197281972919730197311973219733197341973519736197371973819739197401974119742197431974419745197461974719748197491975019751197521975319754197551975619757197581975919760197611976219763197641976519766197671976819769197701977119772197731977419775197761977719778197791978019781197821978319784197851978619787197881978919790197911979219793197941979519796197971979819799198001980119802198031980419805198061980719808198091981019811198121981319814198151981619817198181981919820198211982219823198241982519826198271982819829198301983119832198331983419835198361983719838198391984019841198421984319844198451984619847198481984919850198511985219853198541985519856198571985819859198601986119862198631986419865198661986719868198691987019871198721987319874198751987619877198781987919880198811988219883198841988519886198871988819889198901989119892198931989419895198961989719898198991990019901199021990319904199051990619907199081990919910199111991219913199141991519916199171991819919199201992119922199231992419925199261992719928199291993019931199321993319934199351993619937199381993919940199411994219943199441994519946199471994819949199501995119952199531995419955199561995719958199591996019961199621996319964199651996619967199681996919970199711997219973199741997519976199771997819979199801998119982199831998419985199861998719988199891999019991199921999319994199951999619997199981999920000200012000220003200042000520006200072000820009200102001120012200132001420015200162001720018200192002020021200222002320024200252002620027200282002920030200312003220033200342003520036200372003820039200402004120042200432004420045200462004720048200492005020051200522005320054200552005620057200582005920060200612006220063200642006520066200672006820069200702007120072200732007420075200762007720078200792008020081200822008320084200852008620087200882008920090200912009220093200942009520096200972009820099201002010120102201032010420105201062010720108201092011020111201122011320114201152011620117201182011920120201212012220123201242012520126201272012820129201302013120132201332013420135201362013720138201392014020141201422014320144201452014620147201482014920150201512015220153201542015520156201572015820159201602016120162201632016420165201662016720168201692017020171201722017320174201752017620177201782017920180201812018220183201842018520186201872018820189201902019120192201932019420195201962019720198201992020020201202022020320204202052020620207202082020920210202112021220213202142021520216202172021820219202202022120222202232022420225202262022720228202292023020231202322023320234202352023620237202382023920240202412024220243202442024520246202472024820249202502025120252202532025420255202562025720258202592026020261202622026320264202652026620267202682026920270202712027220273202742027520276202772027820279202802028120282202832028420285202862028720288202892029020291202922029320294202952029620297202982029920300203012030220303203042030520306203072030820309203102031120312203132031420315203162031720318203192032020321203222032320324203252032620327203282032920330203312033220333203342033520336203372033820339203402034120342203432034420345203462034720348203492035020351203522035320354203552035620357203582035920360203612036220363203642036520366203672036820369203702037120372203732037420375203762037720378203792038020381203822038320384203852038620387203882038920390203912039220393203942039520396203972039820399204002040120402204032040420405204062040720408204092041020411204122041320414204152041620417204182041920420204212042220423204242042520426204272042820429204302043120432204332043420435204362043720438204392044020441204422044320444204452044620447204482044920450204512045220453204542045520456204572045820459204602046120462204632046420465204662046720468204692047020471204722047320474204752047620477204782047920480204812048220483204842048520486204872048820489204902049120492204932049420495204962049720498204992050020501205022050320504205052050620507205082050920510205112051220513205142051520516205172051820519205202052120522205232052420525205262052720528205292053020531205322053320534205352053620537205382053920540205412054220543205442054520546205472054820549205502055120552205532055420555205562055720558205592056020561205622056320564205652056620567205682056920570205712057220573205742057520576205772057820579205802058120582205832058420585205862058720588205892059020591205922059320594205952059620597205982059920600206012060220603206042060520606206072060820609206102061120612206132061420615206162061720618206192062020621206222062320624206252062620627206282062920630206312063220633206342063520636206372063820639206402064120642206432064420645206462064720648206492065020651206522065320654206552065620657206582065920660206612066220663206642066520666206672066820669206702067120672206732067420675206762067720678206792068020681206822068320684206852068620687206882068920690206912069220693206942069520696206972069820699207002070120702207032070420705207062070720708207092071020711207122071320714207152071620717207182071920720207212072220723207242072520726207272072820729207302073120732207332073420735207362073720738207392074020741207422074320744207452074620747207482074920750207512075220753207542075520756207572075820759207602076120762207632076420765207662076720768207692077020771207722077320774207752077620777207782077920780207812078220783207842078520786207872078820789207902079120792207932079420795207962079720798207992080020801208022080320804208052080620807208082080920810208112081220813208142081520816208172081820819208202082120822208232082420825208262082720828208292083020831208322083320834208352083620837208382083920840208412084220843208442084520846208472084820849208502085120852208532085420855208562085720858208592086020861208622086320864208652086620867208682086920870208712087220873208742087520876208772087820879208802088120882208832088420885208862088720888208892089020891208922089320894208952089620897208982089920900209012090220903209042090520906209072090820909209102091120912209132091420915209162091720918209192092020921209222092320924209252092620927209282092920930209312093220933209342093520936209372093820939209402094120942209432094420945209462094720948209492095020951209522095320954209552095620957209582095920960209612096220963209642096520966209672096820969209702097120972209732097420975209762097720978209792098020981209822098320984209852098620987209882098920990209912099220993209942099520996209972099820999210002100121002210032100421005210062100721008210092101021011210122101321014210152101621017210182101921020210212102221023210242102521026210272102821029210302103121032210332103421035210362103721038210392104021041210422104321044210452104621047210482104921050210512105221053210542105521056210572105821059210602106121062210632106421065210662106721068210692107021071210722107321074210752107621077210782107921080210812108221083210842108521086210872108821089210902109121092210932109421095210962109721098210992110021101211022110321104211052110621107211082110921110211112111221113211142111521116211172111821119211202112121122211232112421125211262112721128211292113021131211322113321134211352113621137211382113921140211412114221143211442114521146211472114821149211502115121152211532115421155211562115721158211592116021161211622116321164211652116621167211682116921170211712117221173211742117521176211772117821179211802118121182211832118421185211862118721188211892119021191211922119321194211952119621197211982119921200212012120221203212042120521206212072120821209212102121121212212132121421215212162121721218212192122021221212222122321224212252122621227212282122921230212312123221233212342123521236212372123821239212402124121242212432124421245212462124721248212492125021251212522125321254212552125621257212582125921260212612126221263212642126521266212672126821269212702127121272212732127421275212762127721278212792128021281212822128321284212852128621287212882128921290212912129221293212942129521296212972129821299213002130121302213032130421305213062130721308213092131021311213122131321314213152131621317213182131921320213212132221323213242132521326213272132821329213302133121332213332133421335213362133721338213392134021341213422134321344213452134621347213482134921350213512135221353213542135521356213572135821359213602136121362213632136421365213662136721368213692137021371213722137321374213752137621377213782137921380213812138221383213842138521386213872138821389213902139121392213932139421395213962139721398213992140021401214022140321404214052140621407214082140921410214112141221413214142141521416214172141821419214202142121422214232142421425214262142721428214292143021431214322143321434214352143621437214382143921440214412144221443214442144521446214472144821449214502145121452214532145421455214562145721458214592146021461214622146321464214652146621467214682146921470214712147221473214742147521476214772147821479214802148121482214832148421485214862148721488214892149021491214922149321494214952149621497214982149921500215012150221503215042150521506215072150821509215102151121512215132151421515215162151721518215192152021521215222152321524215252152621527215282152921530215312153221533215342153521536215372153821539215402154121542215432154421545215462154721548215492155021551215522155321554215552155621557215582155921560215612156221563215642156521566215672156821569215702157121572215732157421575215762157721578215792158021581215822158321584215852158621587215882158921590215912159221593215942159521596215972159821599216002160121602216032160421605216062160721608216092161021611216122161321614216152161621617216182161921620216212162221623216242162521626216272162821629216302163121632216332163421635216362163721638216392164021641216422164321644216452164621647216482164921650216512165221653216542165521656216572165821659216602166121662216632166421665216662166721668216692167021671216722167321674216752167621677216782167921680216812168221683216842168521686216872168821689216902169121692216932169421695216962169721698216992170021701217022170321704217052170621707217082170921710217112171221713217142171521716217172171821719217202172121722217232172421725217262172721728217292173021731217322173321734217352173621737217382173921740217412174221743217442174521746217472174821749217502175121752217532175421755217562175721758217592176021761217622176321764217652176621767217682176921770217712177221773217742177521776217772177821779217802178121782217832178421785217862178721788217892179021791217922179321794217952179621797217982179921800218012180221803218042180521806218072180821809218102181121812218132181421815218162181721818218192182021821218222182321824218252182621827218282182921830218312183221833218342183521836218372183821839218402184121842218432184421845218462184721848218492185021851218522185321854218552185621857218582185921860218612186221863218642186521866218672186821869218702187121872218732187421875218762187721878218792188021881218822188321884218852188621887218882188921890218912189221893218942189521896218972189821899219002190121902219032190421905219062190721908219092191021911219122191321914219152191621917219182191921920219212192221923219242192521926219272192821929219302193121932219332193421935219362193721938219392194021941219422194321944219452194621947219482194921950219512195221953219542195521956219572195821959219602196121962219632196421965219662196721968219692197021971219722197321974219752197621977219782197921980219812198221983219842198521986219872198821989219902199121992219932199421995219962199721998219992200022001220022200322004220052200622007220082200922010220112201222013220142201522016220172201822019220202202122022220232202422025220262202722028220292203022031220322203322034220352203622037220382203922040220412204222043220442204522046220472204822049220502205122052220532205422055220562205722058220592206022061220622206322064220652206622067220682206922070220712207222073220742207522076220772207822079220802208122082220832208422085220862208722088220892209022091220922209322094220952209622097220982209922100221012210222103221042210522106221072210822109221102211122112221132211422115221162211722118221192212022121221222212322124221252212622127221282212922130221312213222133221342213522136221372213822139221402214122142221432214422145221462214722148221492215022151221522215322154221552215622157221582215922160221612216222163221642216522166221672216822169221702217122172221732217422175221762217722178221792218022181221822218322184221852218622187221882218922190221912219222193221942219522196221972219822199222002220122202222032220422205222062220722208222092221022211222122221322214222152221622217222182221922220222212222222223222242222522226222272222822229222302223122232222332223422235222362223722238222392224022241222422224322244222452224622247222482224922250222512225222253222542225522256222572225822259222602226122262222632226422265222662226722268222692227022271222722227322274222752227622277222782227922280222812228222283222842228522286222872228822289222902229122292222932229422295222962229722298222992230022301223022230322304223052230622307223082230922310223112231222313223142231522316223172231822319223202232122322223232232422325223262232722328223292233022331223322233322334223352233622337223382233922340223412234222343223442234522346223472234822349223502235122352223532235422355223562235722358223592236022361223622236322364223652236622367223682236922370223712237222373223742237522376223772237822379223802238122382223832238422385223862238722388223892239022391223922239322394223952239622397223982239922400224012240222403224042240522406224072240822409224102241122412224132241422415224162241722418224192242022421224222242322424224252242622427224282242922430224312243222433224342243522436224372243822439224402244122442224432244422445224462244722448224492245022451224522245322454224552245622457224582245922460224612246222463224642246522466224672246822469224702247122472224732247422475224762247722478224792248022481224822248322484224852248622487224882248922490224912249222493224942249522496224972249822499225002250122502225032250422505225062250722508225092251022511225122251322514225152251622517225182251922520225212252222523225242252522526225272252822529225302253122532225332253422535225362253722538225392254022541225422254322544225452254622547225482254922550225512255222553225542255522556225572255822559225602256122562225632256422565225662256722568225692257022571225722257322574225752257622577225782257922580225812258222583225842258522586225872258822589225902259122592225932259422595225962259722598225992260022601226022260322604226052260622607226082260922610226112261222613226142261522616226172261822619226202262122622226232262422625226262262722628226292263022631226322263322634226352263622637226382263922640226412264222643226442264522646226472264822649226502265122652226532265422655226562265722658226592266022661226622266322664226652266622667226682266922670226712267222673226742267522676226772267822679226802268122682226832268422685226862268722688226892269022691226922269322694226952269622697226982269922700227012270222703227042270522706227072270822709227102271122712227132271422715227162271722718227192272022721227222272322724227252272622727227282272922730227312273222733227342273522736227372273822739227402274122742227432274422745227462274722748227492275022751227522275322754227552275622757227582275922760227612276222763227642276522766227672276822769227702277122772227732277422775227762277722778227792278022781227822278322784227852278622787227882278922790227912279222793227942279522796227972279822799228002280122802228032280422805228062280722808228092281022811228122281322814228152281622817228182281922820228212282222823228242282522826228272282822829228302283122832228332283422835228362283722838228392284022841228422284322844228452284622847228482284922850228512285222853228542285522856228572285822859228602286122862228632286422865228662286722868228692287022871228722287322874228752287622877228782287922880228812288222883228842288522886228872288822889228902289122892228932289422895228962289722898228992290022901229022290322904229052290622907229082290922910229112291222913229142291522916229172291822919229202292122922229232292422925229262292722928229292293022931229322293322934229352293622937229382293922940229412294222943229442294522946229472294822949229502295122952229532295422955229562295722958229592296022961229622296322964229652296622967229682296922970229712297222973229742297522976229772297822979229802298122982229832298422985229862298722988229892299022991229922299322994229952299622997229982299923000230012300223003230042300523006230072300823009230102301123012230132301423015230162301723018230192302023021230222302323024230252302623027230282302923030230312303223033230342303523036230372303823039230402304123042230432304423045230462304723048230492305023051230522305323054230552305623057230582305923060230612306223063230642306523066230672306823069230702307123072230732307423075230762307723078230792308023081230822308323084230852308623087230882308923090230912309223093230942309523096230972309823099231002310123102231032310423105231062310723108231092311023111231122311323114231152311623117231182311923120231212312223123231242312523126231272312823129231302313123132231332313423135231362313723138231392314023141231422314323144231452314623147231482314923150231512315223153231542315523156231572315823159231602316123162231632316423165231662316723168231692317023171231722317323174231752317623177231782317923180231812318223183231842318523186231872318823189231902319123192231932319423195231962319723198231992320023201232022320323204232052320623207232082320923210232112321223213232142321523216232172321823219232202322123222232232322423225232262322723228232292323023231232322323323234232352323623237232382323923240232412324223243232442324523246232472324823249232502325123252232532325423255232562325723258232592326023261232622326323264232652326623267232682326923270232712327223273232742327523276232772327823279232802328123282232832328423285232862328723288232892329023291232922329323294232952329623297232982329923300233012330223303233042330523306233072330823309233102331123312233132331423315233162331723318233192332023321233222332323324233252332623327233282332923330233312333223333233342333523336233372333823339233402334123342233432334423345233462334723348233492335023351233522335323354233552335623357233582335923360233612336223363233642336523366233672336823369233702337123372233732337423375233762337723378233792338023381233822338323384233852338623387233882338923390233912339223393233942339523396233972339823399234002340123402234032340423405234062340723408234092341023411234122341323414234152341623417234182341923420234212342223423234242342523426234272342823429234302343123432234332343423435234362343723438234392344023441234422344323444234452344623447234482344923450234512345223453234542345523456234572345823459234602346123462234632346423465234662346723468234692347023471234722347323474234752347623477234782347923480234812348223483234842348523486234872348823489234902349123492234932349423495234962349723498234992350023501235022350323504235052350623507235082350923510235112351223513235142351523516235172351823519235202352123522235232352423525235262352723528235292353023531235322353323534235352353623537235382353923540235412354223543235442354523546235472354823549235502355123552235532355423555235562355723558235592356023561235622356323564235652356623567235682356923570235712357223573235742357523576235772357823579235802358123582235832358423585235862358723588235892359023591235922359323594235952359623597235982359923600236012360223603236042360523606236072360823609236102361123612236132361423615236162361723618236192362023621236222362323624236252362623627236282362923630236312363223633236342363523636236372363823639236402364123642236432364423645236462364723648236492365023651236522365323654236552365623657236582365923660236612366223663236642366523666236672366823669236702367123672236732367423675236762367723678236792368023681236822368323684236852368623687236882368923690236912369223693236942369523696236972369823699237002370123702237032370423705237062370723708237092371023711237122371323714237152371623717237182371923720237212372223723237242372523726237272372823729237302373123732237332373423735237362373723738237392374023741237422374323744237452374623747237482374923750237512375223753237542375523756237572375823759237602376123762237632376423765237662376723768237692377023771237722377323774237752377623777237782377923780237812378223783237842378523786237872378823789237902379123792237932379423795237962379723798237992380023801238022380323804238052380623807238082380923810238112381223813238142381523816238172381823819238202382123822238232382423825238262382723828238292383023831238322383323834238352383623837238382383923840238412384223843238442384523846238472384823849238502385123852238532385423855238562385723858238592386023861238622386323864238652386623867238682386923870238712387223873238742387523876238772387823879238802388123882238832388423885238862388723888238892389023891238922389323894238952389623897238982389923900239012390223903239042390523906239072390823909239102391123912239132391423915239162391723918239192392023921239222392323924239252392623927239282392923930239312393223933239342393523936239372393823939239402394123942239432394423945239462394723948239492395023951239522395323954239552395623957239582395923960239612396223963239642396523966239672396823969239702397123972239732397423975239762397723978239792398023981239822398323984239852398623987239882398923990239912399223993239942399523996239972399823999240002400124002240032400424005240062400724008240092401024011240122401324014240152401624017240182401924020240212402224023240242402524026240272402824029240302403124032240332403424035240362403724038240392404024041240422404324044240452404624047240482404924050240512405224053240542405524056240572405824059240602406124062240632406424065240662406724068240692407024071240722407324074240752407624077240782407924080240812408224083240842408524086240872408824089240902409124092240932409424095240962409724098240992410024101241022410324104241052410624107241082410924110241112411224113241142411524116241172411824119241202412124122241232412424125241262412724128241292413024131241322413324134241352413624137241382413924140241412414224143241442414524146241472414824149241502415124152241532415424155241562415724158241592416024161241622416324164241652416624167241682416924170241712417224173241742417524176241772417824179241802418124182241832418424185241862418724188241892419024191241922419324194241952419624197241982419924200242012420224203242042420524206242072420824209242102421124212242132421424215242162421724218242192422024221242222422324224242252422624227242282422924230242312423224233242342423524236242372423824239242402424124242242432424424245242462424724248242492425024251242522425324254242552425624257242582425924260242612426224263242642426524266242672426824269242702427124272242732427424275242762427724278242792428024281242822428324284242852428624287242882428924290242912429224293242942429524296242972429824299243002430124302243032430424305243062430724308243092431024311243122431324314243152431624317243182431924320243212432224323243242432524326243272432824329243302433124332243332433424335243362433724338243392434024341243422434324344243452434624347243482434924350243512435224353243542435524356243572435824359243602436124362243632436424365243662436724368243692437024371243722437324374243752437624377243782437924380243812438224383243842438524386243872438824389243902439124392243932439424395243962439724398243992440024401244022440324404244052440624407244082440924410244112441224413244142441524416244172441824419244202442124422244232442424425244262442724428244292443024431244322443324434244352443624437244382443924440244412444224443244442444524446244472444824449244502445124452244532445424455244562445724458244592446024461244622446324464244652446624467244682446924470244712447224473244742447524476244772447824479244802448124482244832448424485244862448724488244892449024491244922449324494244952449624497244982449924500245012450224503245042450524506245072450824509245102451124512245132451424515245162451724518245192452024521245222452324524245252452624527245282452924530245312453224533245342453524536245372453824539245402454124542245432454424545245462454724548245492455024551245522455324554245552455624557245582455924560245612456224563245642456524566245672456824569245702457124572245732457424575245762457724578245792458024581245822458324584245852458624587245882458924590245912459224593245942459524596245972459824599246002460124602246032460424605246062460724608246092461024611246122461324614246152461624617246182461924620246212462224623246242462524626246272462824629246302463124632246332463424635246362463724638246392464024641246422464324644246452464624647246482464924650246512465224653246542465524656246572465824659246602466124662246632466424665246662466724668246692467024671246722467324674246752467624677246782467924680246812468224683246842468524686246872468824689246902469124692246932469424695246962469724698246992470024701247022470324704247052470624707247082470924710247112471224713247142471524716247172471824719247202472124722247232472424725247262472724728247292473024731247322473324734247352473624737247382473924740247412474224743247442474524746247472474824749247502475124752247532475424755247562475724758247592476024761247622476324764247652476624767247682476924770247712477224773247742477524776247772477824779247802478124782247832478424785247862478724788247892479024791247922479324794247952479624797247982479924800248012480224803248042480524806248072480824809248102481124812248132481424815248162481724818248192482024821248222482324824248252482624827248282482924830248312483224833248342483524836248372483824839248402484124842248432484424845248462484724848248492485024851248522485324854248552485624857248582485924860248612486224863248642486524866248672486824869248702487124872248732487424875248762487724878248792488024881248822488324884248852488624887248882488924890248912489224893248942489524896248972489824899249002490124902249032490424905249062490724908249092491024911249122491324914249152491624917249182491924920249212492224923249242492524926249272492824929249302493124932249332493424935249362493724938249392494024941249422494324944249452494624947249482494924950249512495224953249542495524956249572495824959249602496124962249632496424965249662496724968249692497024971249722497324974249752497624977249782497924980249812498224983249842498524986249872498824989249902499124992249932499424995249962499724998249992500025001250022500325004250052500625007250082500925010250112501225013250142501525016250172501825019250202502125022250232502425025250262502725028250292503025031250322503325034250352503625037250382503925040250412504225043250442504525046250472504825049250502505125052250532505425055250562505725058250592506025061250622506325064250652506625067250682506925070250712507225073250742507525076250772507825079250802508125082250832508425085250862508725088250892509025091250922509325094250952509625097250982509925100251012510225103251042510525106251072510825109251102511125112251132511425115251162511725118251192512025121251222512325124251252512625127251282512925130251312513225133251342513525136251372513825139251402514125142251432514425145251462514725148251492515025151251522515325154251552515625157251582515925160251612516225163251642516525166251672516825169251702517125172251732517425175251762517725178251792518025181251822518325184251852518625187251882518925190251912519225193251942519525196251972519825199252002520125202252032520425205252062520725208252092521025211252122521325214252152521625217252182521925220252212522225223252242522525226252272522825229252302523125232252332523425235252362523725238252392524025241252422524325244252452524625247252482524925250252512525225253252542525525256252572525825259252602526125262252632526425265252662526725268252692527025271252722527325274252752527625277252782527925280252812528225283252842528525286252872528825289252902529125292252932529425295252962529725298252992530025301253022530325304253052530625307253082530925310253112531225313253142531525316253172531825319253202532125322253232532425325253262532725328253292533025331253322533325334253352533625337253382533925340253412534225343253442534525346253472534825349253502535125352253532535425355253562535725358253592536025361253622536325364253652536625367253682536925370253712537225373253742537525376253772537825379253802538125382253832538425385253862538725388253892539025391253922539325394253952539625397253982539925400254012540225403254042540525406254072540825409254102541125412254132541425415254162541725418254192542025421254222542325424254252542625427254282542925430254312543225433254342543525436254372543825439254402544125442254432544425445254462544725448254492545025451254522545325454254552545625457254582545925460254612546225463254642546525466254672546825469254702547125472254732547425475254762547725478254792548025481254822548325484254852548625487254882548925490254912549225493254942549525496254972549825499255002550125502255032550425505255062550725508255092551025511255122551325514255152551625517255182551925520255212552225523255242552525526255272552825529255302553125532255332553425535255362553725538255392554025541255422554325544255452554625547255482554925550255512555225553255542555525556255572555825559255602556125562255632556425565255662556725568255692557025571255722557325574255752557625577255782557925580255812558225583255842558525586255872558825589255902559125592255932559425595255962559725598255992560025601256022560325604256052560625607256082560925610256112561225613256142561525616256172561825619256202562125622256232562425625256262562725628256292563025631256322563325634256352563625637256382563925640256412564225643256442564525646256472564825649256502565125652256532565425655256562565725658256592566025661256622566325664256652566625667256682566925670256712567225673256742567525676256772567825679256802568125682256832568425685256862568725688256892569025691256922569325694256952569625697256982569925700257012570225703257042570525706257072570825709257102571125712257132571425715257162571725718257192572025721257222572325724257252572625727257282572925730257312573225733257342573525736257372573825739257402574125742257432574425745257462574725748257492575025751257522575325754257552575625757257582575925760257612576225763257642576525766257672576825769257702577125772257732577425775257762577725778257792578025781257822578325784257852578625787257882578925790257912579225793257942579525796257972579825799258002580125802258032580425805258062580725808258092581025811258122581325814258152581625817258182581925820258212582225823258242582525826258272582825829258302583125832258332583425835258362583725838258392584025841258422584325844258452584625847258482584925850258512585225853258542585525856258572585825859258602586125862258632586425865258662586725868258692587025871258722587325874258752587625877258782587925880258812588225883258842588525886258872588825889258902589125892258932589425895258962589725898258992590025901259022590325904259052590625907259082590925910259112591225913259142591525916259172591825919259202592125922259232592425925259262592725928259292593025931259322593325934259352593625937259382593925940259412594225943259442594525946259472594825949259502595125952259532595425955259562595725958259592596025961259622596325964259652596625967259682596925970259712597225973259742597525976259772597825979259802598125982259832598425985259862598725988259892599025991259922599325994259952599625997259982599926000260012600226003260042600526006260072600826009260102601126012260132601426015260162601726018260192602026021260222602326024260252602626027260282602926030260312603226033260342603526036260372603826039260402604126042260432604426045260462604726048260492605026051260522605326054260552605626057260582605926060260612606226063260642606526066260672606826069260702607126072260732607426075260762607726078260792608026081260822608326084260852608626087260882608926090260912609226093260942609526096260972609826099261002610126102261032610426105261062610726108261092611026111261122611326114261152611626117261182611926120261212612226123261242612526126261272612826129261302613126132261332613426135261362613726138261392614026141261422614326144261452614626147261482614926150261512615226153261542615526156261572615826159261602616126162261632616426165261662616726168261692617026171261722617326174261752617626177261782617926180261812618226183261842618526186261872618826189261902619126192261932619426195261962619726198261992620026201262022620326204262052620626207262082620926210262112621226213262142621526216262172621826219262202622126222262232622426225262262622726228262292623026231262322623326234262352623626237262382623926240262412624226243262442624526246262472624826249262502625126252262532625426255262562625726258262592626026261262622626326264262652626626267262682626926270262712627226273262742627526276262772627826279262802628126282262832628426285262862628726288262892629026291262922629326294262952629626297262982629926300263012630226303263042630526306263072630826309263102631126312263132631426315263162631726318263192632026321263222632326324263252632626327263282632926330263312633226333263342633526336263372633826339263402634126342263432634426345263462634726348263492635026351263522635326354263552635626357263582635926360263612636226363263642636526366263672636826369263702637126372263732637426375263762637726378263792638026381263822638326384263852638626387263882638926390263912639226393263942639526396263972639826399264002640126402264032640426405264062640726408264092641026411264122641326414264152641626417264182641926420264212642226423264242642526426264272642826429264302643126432264332643426435264362643726438264392644026441264422644326444264452644626447264482644926450264512645226453264542645526456264572645826459264602646126462264632646426465264662646726468264692647026471264722647326474264752647626477264782647926480264812648226483264842648526486264872648826489264902649126492264932649426495264962649726498264992650026501265022650326504265052650626507265082650926510265112651226513265142651526516265172651826519265202652126522265232652426525265262652726528265292653026531265322653326534265352653626537265382653926540265412654226543265442654526546265472654826549265502655126552265532655426555265562655726558265592656026561265622656326564265652656626567265682656926570265712657226573265742657526576265772657826579265802658126582265832658426585265862658726588265892659026591265922659326594265952659626597265982659926600266012660226603266042660526606266072660826609266102661126612266132661426615266162661726618266192662026621266222662326624266252662626627266282662926630266312663226633266342663526636266372663826639266402664126642266432664426645266462664726648266492665026651266522665326654266552665626657266582665926660266612666226663266642666526666266672666826669266702667126672266732667426675266762667726678266792668026681266822668326684266852668626687266882668926690266912669226693266942669526696266972669826699267002670126702267032670426705267062670726708267092671026711267122671326714267152671626717267182671926720267212672226723267242672526726267272672826729267302673126732267332673426735267362673726738267392674026741267422674326744267452674626747267482674926750267512675226753267542675526756267572675826759267602676126762267632676426765267662676726768267692677026771267722677326774267752677626777267782677926780267812678226783267842678526786267872678826789267902679126792267932679426795267962679726798267992680026801268022680326804268052680626807268082680926810268112681226813268142681526816268172681826819268202682126822268232682426825268262682726828268292683026831268322683326834268352683626837268382683926840268412684226843268442684526846268472684826849268502685126852268532685426855268562685726858268592686026861268622686326864268652686626867268682686926870268712687226873268742687526876268772687826879268802688126882268832688426885268862688726888268892689026891268922689326894268952689626897268982689926900269012690226903269042690526906269072690826909269102691126912269132691426915269162691726918269192692026921269222692326924269252692626927269282692926930269312693226933269342693526936269372693826939269402694126942269432694426945269462694726948269492695026951269522695326954269552695626957269582695926960269612696226963269642696526966269672696826969269702697126972269732697426975269762697726978269792698026981269822698326984269852698626987269882698926990269912699226993269942699526996269972699826999270002700127002270032700427005270062700727008270092701027011270122701327014270152701627017270182701927020270212702227023270242702527026270272702827029270302703127032270332703427035270362703727038270392704027041270422704327044270452704627047270482704927050270512705227053270542705527056270572705827059270602706127062270632706427065270662706727068270692707027071270722707327074270752707627077270782707927080270812708227083270842708527086270872708827089270902709127092270932709427095270962709727098270992710027101271022710327104271052710627107271082710927110271112711227113271142711527116271172711827119271202712127122271232712427125271262712727128271292713027131271322713327134271352713627137271382713927140271412714227143271442714527146271472714827149271502715127152271532715427155271562715727158271592716027161271622716327164271652716627167271682716927170271712717227173271742717527176271772717827179271802718127182271832718427185271862718727188271892719027191271922719327194271952719627197271982719927200272012720227203272042720527206272072720827209272102721127212272132721427215272162721727218272192722027221272222722327224272252722627227272282722927230272312723227233272342723527236272372723827239272402724127242272432724427245272462724727248272492725027251272522725327254272552725627257272582725927260272612726227263272642726527266272672726827269272702727127272272732727427275272762727727278272792728027281272822728327284272852728627287272882728927290272912729227293272942729527296272972729827299273002730127302273032730427305273062730727308273092731027311273122731327314273152731627317273182731927320273212732227323273242732527326273272732827329273302733127332273332733427335273362733727338273392734027341273422734327344273452734627347273482734927350273512735227353273542735527356273572735827359273602736127362273632736427365273662736727368273692737027371273722737327374273752737627377273782737927380273812738227383273842738527386273872738827389273902739127392273932739427395273962739727398273992740027401274022740327404274052740627407274082740927410274112741227413274142741527416274172741827419274202742127422274232742427425274262742727428274292743027431274322743327434274352743627437274382743927440274412744227443274442744527446274472744827449274502745127452274532745427455274562745727458274592746027461274622746327464274652746627467274682746927470274712747227473274742747527476274772747827479274802748127482274832748427485274862748727488274892749027491274922749327494274952749627497274982749927500275012750227503275042750527506275072750827509275102751127512275132751427515275162751727518275192752027521275222752327524275252752627527275282752927530275312753227533275342753527536275372753827539275402754127542275432754427545275462754727548275492755027551275522755327554275552755627557275582755927560275612756227563275642756527566275672756827569275702757127572275732757427575275762757727578275792758027581275822758327584275852758627587275882758927590275912759227593275942759527596275972759827599276002760127602276032760427605276062760727608276092761027611276122761327614276152761627617276182761927620276212762227623276242762527626276272762827629276302763127632276332763427635276362763727638276392764027641276422764327644276452764627647276482764927650276512765227653276542765527656276572765827659276602766127662276632766427665276662766727668276692767027671276722767327674276752767627677276782767927680276812768227683276842768527686276872768827689276902769127692276932769427695276962769727698276992770027701277022770327704277052770627707277082770927710277112771227713277142771527716277172771827719277202772127722277232772427725277262772727728277292773027731277322773327734277352773627737277382773927740277412774227743277442774527746277472774827749277502775127752277532775427755277562775727758277592776027761277622776327764277652776627767277682776927770277712777227773277742777527776277772777827779277802778127782277832778427785277862778727788277892779027791277922779327794277952779627797277982779927800278012780227803278042780527806278072780827809278102781127812278132781427815278162781727818278192782027821278222782327824278252782627827278282782927830278312783227833278342783527836278372783827839278402784127842278432784427845278462784727848278492785027851278522785327854278552785627857278582785927860278612786227863278642786527866278672786827869278702787127872278732787427875278762787727878278792788027881278822788327884278852788627887278882788927890278912789227893278942789527896278972789827899279002790127902279032790427905279062790727908279092791027911279122791327914279152791627917279182791927920279212792227923279242792527926279272792827929279302793127932279332793427935279362793727938279392794027941279422794327944279452794627947279482794927950279512795227953279542795527956279572795827959279602796127962279632796427965279662796727968279692797027971279722797327974279752797627977279782797927980279812798227983279842798527986279872798827989279902799127992279932799427995279962799727998279992800028001280022800328004280052800628007280082800928010280112801228013280142801528016280172801828019280202802128022280232802428025280262802728028280292803028031280322803328034280352803628037280382803928040280412804228043280442804528046280472804828049280502805128052280532805428055280562805728058280592806028061280622806328064280652806628067280682806928070280712807228073280742807528076280772807828079280802808128082280832808428085280862808728088280892809028091280922809328094280952809628097280982809928100281012810228103281042810528106281072810828109281102811128112281132811428115281162811728118281192812028121281222812328124281252812628127281282812928130281312813228133281342813528136281372813828139281402814128142281432814428145281462814728148281492815028151281522815328154281552815628157281582815928160281612816228163281642816528166281672816828169281702817128172281732817428175281762817728178281792818028181281822818328184281852818628187281882818928190281912819228193281942819528196281972819828199282002820128202282032820428205282062820728208282092821028211282122821328214282152821628217282182821928220282212822228223282242822528226282272822828229282302823128232282332823428235282362823728238282392824028241282422824328244282452824628247282482824928250282512825228253282542825528256282572825828259282602826128262282632826428265282662826728268282692827028271282722827328274282752827628277282782827928280282812828228283282842828528286282872828828289282902829128292282932829428295282962829728298282992830028301283022830328304283052830628307283082830928310283112831228313283142831528316283172831828319283202832128322283232832428325283262832728328283292833028331283322833328334283352833628337283382833928340283412834228343283442834528346283472834828349283502835128352283532835428355283562835728358283592836028361283622836328364283652836628367283682836928370283712837228373283742837528376283772837828379283802838128382283832838428385283862838728388283892839028391283922839328394283952839628397283982839928400284012840228403284042840528406284072840828409284102841128412284132841428415284162841728418284192842028421284222842328424284252842628427284282842928430284312843228433284342843528436284372843828439284402844128442284432844428445284462844728448284492845028451284522845328454284552845628457284582845928460284612846228463284642846528466284672846828469284702847128472284732847428475284762847728478284792848028481284822848328484284852848628487284882848928490284912849228493284942849528496284972849828499285002850128502285032850428505285062850728508285092851028511285122851328514285152851628517285182851928520285212852228523285242852528526285272852828529285302853128532285332853428535285362853728538285392854028541285422854328544285452854628547285482854928550285512855228553285542855528556285572855828559285602856128562285632856428565285662856728568285692857028571285722857328574285752857628577285782857928580285812858228583285842858528586285872858828589285902859128592285932859428595285962859728598285992860028601286022860328604286052860628607286082860928610286112861228613286142861528616286172861828619286202862128622286232862428625286262862728628286292863028631286322863328634286352863628637286382863928640286412864228643286442864528646286472864828649286502865128652286532865428655286562865728658286592866028661286622866328664286652866628667286682866928670286712867228673286742867528676286772867828679286802868128682286832868428685286862868728688286892869028691286922869328694286952869628697286982869928700287012870228703287042870528706287072870828709287102871128712287132871428715287162871728718287192872028721287222872328724287252872628727287282872928730287312873228733287342873528736287372873828739287402874128742287432874428745287462874728748287492875028751287522875328754287552875628757287582875928760287612876228763287642876528766287672876828769287702877128772287732877428775287762877728778287792878028781287822878328784287852878628787287882878928790287912879228793287942879528796287972879828799288002880128802288032880428805288062880728808288092881028811288122881328814288152881628817288182881928820288212882228823288242882528826288272882828829288302883128832288332883428835288362883728838288392884028841288422884328844288452884628847288482884928850288512885228853288542885528856288572885828859288602886128862288632886428865288662886728868288692887028871288722887328874288752887628877288782887928880288812888228883288842888528886288872888828889288902889128892288932889428895288962889728898288992890028901289022890328904289052890628907289082890928910289112891228913289142891528916289172891828919289202892128922289232892428925289262892728928289292893028931289322893328934289352893628937289382893928940289412894228943289442894528946289472894828949289502895128952289532895428955289562895728958289592896028961289622896328964289652896628967289682896928970289712897228973289742897528976289772897828979289802898128982289832898428985289862898728988289892899028991289922899328994289952899628997289982899929000290012900229003290042900529006290072900829009290102901129012290132901429015290162901729018290192902029021290222902329024290252902629027290282902929030290312903229033290342903529036290372903829039290402904129042290432904429045290462904729048290492905029051290522905329054290552905629057290582905929060290612906229063290642906529066290672906829069290702907129072290732907429075290762907729078290792908029081290822908329084290852908629087290882908929090290912909229093290942909529096290972909829099291002910129102291032910429105291062910729108291092911029111291122911329114291152911629117291182911929120291212912229123291242912529126291272912829129291302913129132291332913429135291362913729138291392914029141291422914329144291452914629147291482914929150291512915229153291542915529156291572915829159291602916129162291632916429165291662916729168291692917029171291722917329174291752917629177291782917929180291812918229183291842918529186291872918829189291902919129192291932919429195291962919729198291992920029201292022920329204292052920629207292082920929210292112921229213292142921529216292172921829219292202922129222292232922429225292262922729228292292923029231292322923329234292352923629237292382923929240292412924229243292442924529246292472924829249292502925129252292532925429255292562925729258292592926029261292622926329264292652926629267292682926929270292712927229273292742927529276292772927829279292802928129282292832928429285292862928729288292892929029291292922929329294292952929629297292982929929300293012930229303293042930529306293072930829309293102931129312293132931429315293162931729318293192932029321293222932329324293252932629327293282932929330293312933229333293342933529336293372933829339293402934129342293432934429345293462934729348293492935029351293522935329354293552935629357293582935929360293612936229363293642936529366293672936829369293702937129372293732937429375293762937729378293792938029381293822938329384293852938629387293882938929390293912939229393293942939529396293972939829399294002940129402294032940429405294062940729408294092941029411294122941329414294152941629417294182941929420294212942229423294242942529426294272942829429294302943129432294332943429435294362943729438294392944029441294422944329444294452944629447294482944929450294512945229453294542945529456294572945829459294602946129462294632946429465294662946729468294692947029471294722947329474294752947629477294782947929480294812948229483294842948529486294872948829489294902949129492294932949429495294962949729498294992950029501295022950329504295052950629507295082950929510295112951229513295142951529516295172951829519295202952129522295232952429525295262952729528295292953029531295322953329534295352953629537295382953929540295412954229543295442954529546295472954829549295502955129552295532955429555295562955729558295592956029561295622956329564295652956629567295682956929570295712957229573295742957529576295772957829579295802958129582295832958429585295862958729588295892959029591295922959329594295952959629597295982959929600296012960229603296042960529606296072960829609296102961129612296132961429615296162961729618296192962029621296222962329624296252962629627296282962929630296312963229633296342963529636296372963829639296402964129642296432964429645296462964729648296492965029651296522965329654296552965629657296582965929660296612966229663296642966529666296672966829669296702967129672296732967429675296762967729678296792968029681296822968329684296852968629687296882968929690296912969229693296942969529696296972969829699297002970129702297032970429705297062970729708297092971029711297122971329714297152971629717297182971929720297212972229723297242972529726297272972829729297302973129732297332973429735297362973729738297392974029741297422974329744297452974629747297482974929750297512975229753297542975529756297572975829759297602976129762297632976429765297662976729768297692977029771297722977329774297752977629777297782977929780297812978229783297842978529786297872978829789297902979129792297932979429795297962979729798297992980029801298022980329804298052980629807298082980929810298112981229813298142981529816298172981829819298202982129822298232982429825298262982729828298292983029831298322983329834298352983629837298382983929840298412984229843298442984529846298472984829849298502985129852298532985429855298562985729858298592986029861298622986329864298652986629867298682986929870298712987229873298742987529876298772987829879298802988129882298832988429885298862988729888298892989029891298922989329894298952989629897298982989929900299012990229903299042990529906299072990829909299102991129912299132991429915299162991729918299192992029921299222992329924299252992629927299282992929930299312993229933299342993529936299372993829939299402994129942299432994429945299462994729948299492995029951299522995329954299552995629957299582995929960299612996229963299642996529966299672996829969299702997129972299732997429975299762997729978299792998029981299822998329984299852998629987299882998929990299912999229993299942999529996299972999829999300003000130002300033000430005300063000730008300093001030011300123001330014300153001630017300183001930020300213002230023300243002530026300273002830029300303003130032300333003430035300363003730038300393004030041300423004330044300453004630047300483004930050300513005230053300543005530056300573005830059300603006130062300633006430065300663006730068300693007030071300723007330074300753007630077300783007930080300813008230083300843008530086300873008830089300903009130092300933009430095300963009730098300993010030101301023010330104301053010630107301083010930110301113011230113301143011530116301173011830119301203012130122301233012430125301263012730128301293013030131301323013330134301353013630137301383013930140301413014230143301443014530146301473014830149301503015130152301533015430155301563015730158301593016030161301623016330164301653016630167301683016930170301713017230173301743017530176301773017830179301803018130182301833018430185301863018730188301893019030191301923019330194301953019630197301983019930200302013020230203302043020530206302073020830209302103021130212302133021430215302163021730218302193022030221302223022330224302253022630227302283022930230302313023230233302343023530236302373023830239302403024130242302433024430245302463024730248302493025030251302523025330254302553025630257302583025930260302613026230263302643026530266302673026830269302703027130272302733027430275302763027730278302793028030281302823028330284302853028630287302883028930290302913029230293302943029530296302973029830299303003030130302303033030430305303063030730308303093031030311303123031330314303153031630317303183031930320303213032230323303243032530326303273032830329303303033130332303333033430335303363033730338303393034030341303423034330344303453034630347303483034930350303513035230353303543035530356303573035830359303603036130362303633036430365303663036730368303693037030371303723037330374303753037630377303783037930380303813038230383303843038530386303873038830389303903039130392303933039430395303963039730398303993040030401304023040330404304053040630407304083040930410304113041230413304143041530416304173041830419304203042130422304233042430425304263042730428304293043030431304323043330434304353043630437304383043930440304413044230443304443044530446304473044830449304503045130452304533045430455304563045730458304593046030461304623046330464304653046630467304683046930470304713047230473304743047530476304773047830479304803048130482304833048430485304863048730488304893049030491304923049330494304953049630497304983049930500305013050230503305043050530506305073050830509305103051130512305133051430515305163051730518305193052030521305223052330524305253052630527305283052930530305313053230533305343053530536305373053830539305403054130542305433054430545305463054730548305493055030551305523055330554305553055630557305583055930560305613056230563305643056530566305673056830569305703057130572305733057430575305763057730578305793058030581305823058330584305853058630587305883058930590305913059230593305943059530596305973059830599306003060130602306033060430605306063060730608306093061030611306123061330614306153061630617306183061930620306213062230623306243062530626306273062830629306303063130632306333063430635306363063730638306393064030641306423064330644306453064630647306483064930650306513065230653306543065530656306573065830659306603066130662306633066430665306663066730668306693067030671306723067330674306753067630677306783067930680306813068230683306843068530686306873068830689306903069130692306933069430695306963069730698306993070030701307023070330704307053070630707307083070930710307113071230713307143071530716307173071830719307203072130722307233072430725307263072730728307293073030731307323073330734307353073630737307383073930740307413074230743307443074530746307473074830749307503075130752307533075430755307563075730758307593076030761307623076330764307653076630767307683076930770307713077230773307743077530776307773077830779307803078130782307833078430785307863078730788307893079030791307923079330794307953079630797307983079930800308013080230803308043080530806308073080830809308103081130812308133081430815308163081730818308193082030821308223082330824308253082630827308283082930830308313083230833308343083530836308373083830839308403084130842308433084430845308463084730848308493085030851308523085330854308553085630857308583085930860308613086230863308643086530866308673086830869308703087130872308733087430875308763087730878308793088030881308823088330884308853088630887308883088930890308913089230893308943089530896308973089830899309003090130902309033090430905309063090730908309093091030911309123091330914309153091630917309183091930920309213092230923309243092530926309273092830929309303093130932309333093430935309363093730938309393094030941309423094330944309453094630947309483094930950309513095230953309543095530956309573095830959309603096130962309633096430965309663096730968309693097030971309723097330974309753097630977309783097930980309813098230983309843098530986309873098830989309903099130992309933099430995309963099730998309993100031001310023100331004310053100631007310083100931010310113101231013310143101531016310173101831019310203102131022310233102431025310263102731028310293103031031310323103331034310353103631037310383103931040310413104231043310443104531046310473104831049310503105131052310533105431055310563105731058310593106031061310623106331064310653106631067310683106931070310713107231073310743107531076310773107831079310803108131082
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  118. enum:
  119. - Ignore
  120. - Fail
  121. type: string
  122. property:
  123. description: Used to select a specific property of the Provider value (if a map), if supported
  124. type: string
  125. version:
  126. description: Used to select a specific version of the Provider value, if supported
  127. type: string
  128. required:
  129. - key
  130. type: object
  131. secretKey:
  132. description: The key in the Kubernetes Secret to store the value.
  133. maxLength: 253
  134. minLength: 1
  135. pattern: ^[-._a-zA-Z0-9]+$
  136. type: string
  137. sourceRef:
  138. description: |-
  139. SourceRef allows you to override the source
  140. from which the value will be pulled.
  141. maxProperties: 1
  142. minProperties: 1
  143. properties:
  144. generatorRef:
  145. description: |-
  146. GeneratorRef points to a generator custom resource.
  147. Deprecated: The generatorRef is not implemented in .data[].
  148. this will be removed with v1.
  149. properties:
  150. apiVersion:
  151. default: generators.external-secrets.io/v1alpha1
  152. description: Specify the apiVersion of the generator resource
  153. type: string
  154. kind:
  155. description: Specify the Kind of the generator resource
  156. enum:
  157. - ACRAccessToken
  158. - BeyondtrustWorkloadCredentialsDynamicSecret
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - QuayAccessToken
  166. - Password
  167. - SSHKey
  168. - STSSessionToken
  169. - UUID
  170. - VaultDynamicSecret
  171. - Webhook
  172. - Grafana
  173. - MFA
  174. type: string
  175. name:
  176. description: Specify the name of the generator resource
  177. maxLength: 253
  178. minLength: 1
  179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  180. type: string
  181. required:
  182. - kind
  183. - name
  184. type: object
  185. storeRef:
  186. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  187. properties:
  188. kind:
  189. description: |-
  190. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  191. Defaults to `SecretStore`
  192. enum:
  193. - SecretStore
  194. - ClusterSecretStore
  195. type: string
  196. name:
  197. description: Name of the SecretStore resource
  198. maxLength: 253
  199. minLength: 1
  200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  201. type: string
  202. type: object
  203. type: object
  204. required:
  205. - remoteRef
  206. - secretKey
  207. type: object
  208. type: array
  209. dataFrom:
  210. description: |-
  211. DataFrom is used to fetch all properties from a specific Provider data
  212. If multiple entries are specified, the Secret keys are merged in the specified order
  213. items:
  214. description: |-
  215. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  216. when using DataFrom to fetch multiple values from a Provider.
  217. properties:
  218. extract:
  219. description: |-
  220. Used to extract multiple key/value pairs from one secret
  221. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  222. properties:
  223. conversionStrategy:
  224. default: Default
  225. description: Used to define a conversion Strategy
  226. enum:
  227. - Default
  228. - Unicode
  229. type: string
  230. decodingStrategy:
  231. default: None
  232. description: Used to define a decoding Strategy
  233. enum:
  234. - Auto
  235. - Base64
  236. - Base64URL
  237. - None
  238. type: string
  239. key:
  240. description: Key is the key used in the Provider, mandatory
  241. type: string
  242. metadataPolicy:
  243. default: None
  244. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  245. enum:
  246. - None
  247. - Fetch
  248. type: string
  249. nullBytePolicy:
  250. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  251. enum:
  252. - Ignore
  253. - Fail
  254. type: string
  255. property:
  256. description: Used to select a specific property of the Provider value (if a map), if supported
  257. type: string
  258. version:
  259. description: Used to select a specific version of the Provider value, if supported
  260. type: string
  261. required:
  262. - key
  263. type: object
  264. find:
  265. description: |-
  266. Used to find secrets based on tags or regular expressions
  267. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  268. properties:
  269. conversionStrategy:
  270. default: Default
  271. description: Used to define a conversion Strategy
  272. enum:
  273. - Default
  274. - Unicode
  275. type: string
  276. decodingStrategy:
  277. default: None
  278. description: Used to define a decoding Strategy
  279. enum:
  280. - Auto
  281. - Base64
  282. - Base64URL
  283. - None
  284. type: string
  285. name:
  286. description: Finds secrets based on the name.
  287. properties:
  288. regexp:
  289. description: Finds secrets base
  290. type: string
  291. type: object
  292. nullBytePolicy:
  293. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  294. enum:
  295. - Ignore
  296. - Fail
  297. type: string
  298. path:
  299. description: A root path to start the find operations.
  300. type: string
  301. tags:
  302. additionalProperties:
  303. type: string
  304. description: Find secrets based on tags.
  305. type: object
  306. type: object
  307. rewrite:
  308. description: |-
  309. Used to rewrite secret Keys after getting them from the secret Provider
  310. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  311. items:
  312. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  313. maxProperties: 1
  314. minProperties: 1
  315. properties:
  316. merge:
  317. description: |-
  318. Used to merge key/values in one single Secret
  319. The resulting key will contain all values from the specified secrets
  320. properties:
  321. conflictPolicy:
  322. default: Error
  323. description: Used to define the policy to use in conflict resolution.
  324. enum:
  325. - Ignore
  326. - Error
  327. type: string
  328. into:
  329. default: ""
  330. description: |-
  331. Used to define the target key of the merge operation.
  332. Required if strategy is JSON. Ignored otherwise.
  333. type: string
  334. priority:
  335. description: Used to define key priority in conflict resolution.
  336. items:
  337. type: string
  338. type: array
  339. priorityPolicy:
  340. default: Strict
  341. description: Used to define the policy when a key in the priority list does not exist in the input.
  342. enum:
  343. - IgnoreNotFound
  344. - Strict
  345. type: string
  346. strategy:
  347. default: Extract
  348. description: Used to define the strategy to use in the merge operation.
  349. enum:
  350. - Extract
  351. - JSON
  352. type: string
  353. type: object
  354. regexp:
  355. description: |-
  356. Used to rewrite with regular expressions.
  357. The resulting key will be the output of a regexp.ReplaceAll operation.
  358. properties:
  359. source:
  360. description: Used to define the regular expression of a re.Compiler.
  361. type: string
  362. target:
  363. description: Used to define the target pattern of a ReplaceAll operation.
  364. type: string
  365. required:
  366. - source
  367. - target
  368. type: object
  369. transform:
  370. description: |-
  371. Used to apply string transformation on the secrets.
  372. The resulting key will be the output of the template applied by the operation.
  373. properties:
  374. template:
  375. description: |-
  376. Used to define the template to apply on the secret name.
  377. `.value ` will specify the secret name in the template.
  378. type: string
  379. required:
  380. - template
  381. type: object
  382. type: object
  383. type: array
  384. sourceRef:
  385. description: |-
  386. SourceRef points to a store or generator
  387. which contains secret values ready to use.
  388. Use this in combination with Extract or Find pull values out of
  389. a specific SecretStore.
  390. When sourceRef points to a generator Extract or Find is not supported.
  391. The generator returns a static map of values
  392. maxProperties: 1
  393. minProperties: 1
  394. properties:
  395. generatorRef:
  396. description: GeneratorRef points to a generator custom resource.
  397. properties:
  398. apiVersion:
  399. default: generators.external-secrets.io/v1alpha1
  400. description: Specify the apiVersion of the generator resource
  401. type: string
  402. kind:
  403. description: Specify the Kind of the generator resource
  404. enum:
  405. - ACRAccessToken
  406. - BeyondtrustWorkloadCredentialsDynamicSecret
  407. - ClusterGenerator
  408. - CloudsmithAccessToken
  409. - ECRAuthorizationToken
  410. - Fake
  411. - GCRAccessToken
  412. - GithubAccessToken
  413. - QuayAccessToken
  414. - Password
  415. - SSHKey
  416. - STSSessionToken
  417. - UUID
  418. - VaultDynamicSecret
  419. - Webhook
  420. - Grafana
  421. - MFA
  422. type: string
  423. name:
  424. description: Specify the name of the generator resource
  425. maxLength: 253
  426. minLength: 1
  427. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  428. type: string
  429. required:
  430. - kind
  431. - name
  432. type: object
  433. storeRef:
  434. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  435. properties:
  436. kind:
  437. description: |-
  438. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  439. Defaults to `SecretStore`
  440. enum:
  441. - SecretStore
  442. - ClusterSecretStore
  443. type: string
  444. name:
  445. description: Name of the SecretStore resource
  446. maxLength: 253
  447. minLength: 1
  448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  449. type: string
  450. type: object
  451. type: object
  452. type: object
  453. type: array
  454. refreshInterval:
  455. default: 1h0m0s
  456. description: |-
  457. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  458. specified as Golang Duration strings.
  459. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  460. Example values: "1h0m0s", "2h30m0s", "10m0s"
  461. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  462. type: string
  463. refreshPolicy:
  464. description: |-
  465. RefreshPolicy determines how the ExternalSecret should be refreshed:
  466. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  467. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  468. No periodic updates occur if refreshInterval is 0.
  469. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  470. enum:
  471. - CreatedOnce
  472. - Periodic
  473. - OnChange
  474. type: string
  475. secretStoreRef:
  476. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  477. properties:
  478. kind:
  479. description: |-
  480. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  481. Defaults to `SecretStore`
  482. enum:
  483. - SecretStore
  484. - ClusterSecretStore
  485. type: string
  486. name:
  487. description: Name of the SecretStore resource
  488. maxLength: 253
  489. minLength: 1
  490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  491. type: string
  492. type: object
  493. target:
  494. default:
  495. creationPolicy: Owner
  496. deletionPolicy: Retain
  497. description: |-
  498. ExternalSecretTarget defines the Kubernetes Secret to be created,
  499. there can be only one target per ExternalSecret.
  500. properties:
  501. creationPolicy:
  502. default: Owner
  503. description: |-
  504. CreationPolicy defines rules on how to create the resulting Secret.
  505. Defaults to "Owner"
  506. enum:
  507. - Owner
  508. - Orphan
  509. - Merge
  510. - None
  511. type: string
  512. deletionPolicy:
  513. default: Retain
  514. description: |-
  515. DeletionPolicy defines rules on how to delete the resulting Secret.
  516. Defaults to "Retain"
  517. enum:
  518. - Delete
  519. - Merge
  520. - Retain
  521. type: string
  522. immutable:
  523. description: Immutable defines if the final secret will be immutable
  524. type: boolean
  525. manifest:
  526. description: |-
  527. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  528. When specified, ExternalSecret will create the resource type defined here
  529. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  530. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  531. properties:
  532. apiVersion:
  533. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  534. minLength: 1
  535. type: string
  536. kind:
  537. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  538. minLength: 1
  539. type: string
  540. required:
  541. - apiVersion
  542. - kind
  543. type: object
  544. name:
  545. description: |-
  546. The name of the Secret resource to be managed.
  547. Defaults to the .metadata.name of the ExternalSecret resource
  548. maxLength: 253
  549. minLength: 1
  550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  551. type: string
  552. template:
  553. description: Template defines a blueprint for the created Secret resource.
  554. properties:
  555. data:
  556. additionalProperties:
  557. type: string
  558. type: object
  559. engineVersion:
  560. default: v2
  561. description: |-
  562. EngineVersion specifies the template engine version
  563. that should be used to compile/execute the
  564. template specified in .data and .templateFrom[].
  565. enum:
  566. - v2
  567. type: string
  568. mergePolicy:
  569. default: Replace
  570. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  571. enum:
  572. - Replace
  573. - Merge
  574. type: string
  575. metadata:
  576. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  577. properties:
  578. annotations:
  579. additionalProperties:
  580. type: string
  581. type: object
  582. finalizers:
  583. items:
  584. type: string
  585. type: array
  586. labels:
  587. additionalProperties:
  588. type: string
  589. type: object
  590. type: object
  591. templateFrom:
  592. items:
  593. description: |-
  594. TemplateFrom specifies a source for templates.
  595. Each item in the list can either reference a ConfigMap or a Secret resource.
  596. properties:
  597. configMap:
  598. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  599. properties:
  600. items:
  601. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  602. items:
  603. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  604. properties:
  605. key:
  606. description: A key in the ConfigMap/Secret
  607. maxLength: 253
  608. minLength: 1
  609. pattern: ^[-._a-zA-Z0-9]+$
  610. type: string
  611. templateAs:
  612. default: Values
  613. description: TemplateScope specifies how the template keys should be interpreted.
  614. enum:
  615. - Values
  616. - KeysAndValues
  617. type: string
  618. required:
  619. - key
  620. type: object
  621. type: array
  622. name:
  623. description: The name of the ConfigMap/Secret resource
  624. maxLength: 253
  625. minLength: 1
  626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  627. type: string
  628. required:
  629. - items
  630. - name
  631. type: object
  632. literal:
  633. type: string
  634. secret:
  635. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  636. properties:
  637. items:
  638. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  639. items:
  640. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  641. properties:
  642. key:
  643. description: A key in the ConfigMap/Secret
  644. maxLength: 253
  645. minLength: 1
  646. pattern: ^[-._a-zA-Z0-9]+$
  647. type: string
  648. templateAs:
  649. default: Values
  650. description: TemplateScope specifies how the template keys should be interpreted.
  651. enum:
  652. - Values
  653. - KeysAndValues
  654. type: string
  655. required:
  656. - key
  657. type: object
  658. type: array
  659. name:
  660. description: The name of the ConfigMap/Secret resource
  661. maxLength: 253
  662. minLength: 1
  663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  664. type: string
  665. required:
  666. - items
  667. - name
  668. type: object
  669. target:
  670. default: Data
  671. description: |-
  672. Target specifies where to place the template result.
  673. For Secret resources, common values are: "Data", "Annotations", "Labels".
  674. For custom resources (when spec.target.manifest is set), this supports
  675. nested paths like "spec.database.config" or "data".
  676. type: string
  677. type: object
  678. type: array
  679. type:
  680. type: string
  681. type: object
  682. type: object
  683. type: object
  684. namespaceSelector:
  685. description: |-
  686. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  687. Deprecated: Use NamespaceSelectors instead.
  688. properties:
  689. matchExpressions:
  690. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  691. items:
  692. description: |-
  693. A label selector requirement is a selector that contains values, a key, and an operator that
  694. relates the key and values.
  695. properties:
  696. key:
  697. description: key is the label key that the selector applies to.
  698. type: string
  699. operator:
  700. description: |-
  701. operator represents a key's relationship to a set of values.
  702. Valid operators are In, NotIn, Exists and DoesNotExist.
  703. type: string
  704. values:
  705. description: |-
  706. values is an array of string values. If the operator is In or NotIn,
  707. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  708. the values array must be empty. This array is replaced during a strategic
  709. merge patch.
  710. items:
  711. type: string
  712. type: array
  713. x-kubernetes-list-type: atomic
  714. required:
  715. - key
  716. - operator
  717. type: object
  718. type: array
  719. x-kubernetes-list-type: atomic
  720. matchLabels:
  721. additionalProperties:
  722. type: string
  723. description: |-
  724. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  725. map is equivalent to an element of matchExpressions, whose key field is "key", the
  726. operator is "In", and the values array contains only "value". The requirements are ANDed.
  727. type: object
  728. type: object
  729. x-kubernetes-map-type: atomic
  730. namespaceSelectors:
  731. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  732. items:
  733. description: |-
  734. A label selector is a label query over a set of resources. The result of matchLabels and
  735. matchExpressions are ANDed. An empty label selector matches all objects. A null
  736. label selector matches no objects.
  737. properties:
  738. matchExpressions:
  739. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  740. items:
  741. description: |-
  742. A label selector requirement is a selector that contains values, a key, and an operator that
  743. relates the key and values.
  744. properties:
  745. key:
  746. description: key is the label key that the selector applies to.
  747. type: string
  748. operator:
  749. description: |-
  750. operator represents a key's relationship to a set of values.
  751. Valid operators are In, NotIn, Exists and DoesNotExist.
  752. type: string
  753. values:
  754. description: |-
  755. values is an array of string values. If the operator is In or NotIn,
  756. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  757. the values array must be empty. This array is replaced during a strategic
  758. merge patch.
  759. items:
  760. type: string
  761. type: array
  762. x-kubernetes-list-type: atomic
  763. required:
  764. - key
  765. - operator
  766. type: object
  767. type: array
  768. x-kubernetes-list-type: atomic
  769. matchLabels:
  770. additionalProperties:
  771. type: string
  772. description: |-
  773. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  774. map is equivalent to an element of matchExpressions, whose key field is "key", the
  775. operator is "In", and the values array contains only "value". The requirements are ANDed.
  776. type: object
  777. type: object
  778. x-kubernetes-map-type: atomic
  779. type: array
  780. namespaces:
  781. description: |-
  782. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  783. Deprecated: Use NamespaceSelectors instead.
  784. items:
  785. maxLength: 63
  786. minLength: 1
  787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  788. type: string
  789. type: array
  790. refreshTime:
  791. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  792. type: string
  793. required:
  794. - externalSecretSpec
  795. type: object
  796. status:
  797. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  798. properties:
  799. conditions:
  800. items:
  801. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  802. properties:
  803. message:
  804. type: string
  805. status:
  806. type: string
  807. type:
  808. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  809. type: string
  810. required:
  811. - status
  812. - type
  813. type: object
  814. type: array
  815. externalSecretName:
  816. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  817. type: string
  818. failedNamespaces:
  819. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  820. items:
  821. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  822. properties:
  823. namespace:
  824. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  825. type: string
  826. reason:
  827. description: Reason is why the ExternalSecret failed to apply to the namespace
  828. type: string
  829. required:
  830. - namespace
  831. type: object
  832. type: array
  833. provisionedNamespaces:
  834. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  835. items:
  836. type: string
  837. type: array
  838. type: object
  839. type: object
  840. served: true
  841. storage: true
  842. subresources:
  843. status: {}
  844. - additionalPrinterColumns:
  845. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  846. name: Store
  847. type: string
  848. - jsonPath: .spec.refreshTime
  849. name: Refresh Interval
  850. type: string
  851. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  852. name: Ready
  853. type: string
  854. deprecated: true
  855. name: v1beta1
  856. schema:
  857. openAPIV3Schema:
  858. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  859. properties:
  860. apiVersion:
  861. description: |-
  862. APIVersion defines the versioned schema of this representation of an object.
  863. Servers should convert recognized schemas to the latest internal value, and
  864. may reject unrecognized values.
  865. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  866. type: string
  867. kind:
  868. description: |-
  869. Kind is a string value representing the REST resource this object represents.
  870. Servers may infer this from the endpoint the client submits requests to.
  871. Cannot be updated.
  872. In CamelCase.
  873. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  874. type: string
  875. metadata:
  876. type: object
  877. spec:
  878. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  879. properties:
  880. externalSecretMetadata:
  881. description: The metadata of the external secrets to be created
  882. properties:
  883. annotations:
  884. additionalProperties:
  885. type: string
  886. type: object
  887. labels:
  888. additionalProperties:
  889. type: string
  890. type: object
  891. type: object
  892. externalSecretName:
  893. description: |-
  894. The name of the external secrets to be created.
  895. Defaults to the name of the ClusterExternalSecret
  896. maxLength: 253
  897. minLength: 1
  898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  899. type: string
  900. externalSecretSpec:
  901. description: The spec for the ExternalSecrets to be created
  902. properties:
  903. data:
  904. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  905. items:
  906. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  907. properties:
  908. remoteRef:
  909. description: |-
  910. RemoteRef points to the remote secret and defines
  911. which secret (version/property/..) to fetch.
  912. properties:
  913. conversionStrategy:
  914. default: Default
  915. description: Used to define a conversion Strategy
  916. enum:
  917. - Default
  918. - Unicode
  919. type: string
  920. decodingStrategy:
  921. default: None
  922. description: Used to define a decoding Strategy
  923. enum:
  924. - Auto
  925. - Base64
  926. - Base64URL
  927. - None
  928. type: string
  929. key:
  930. description: Key is the key used in the Provider, mandatory
  931. type: string
  932. metadataPolicy:
  933. default: None
  934. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  935. enum:
  936. - None
  937. - Fetch
  938. type: string
  939. property:
  940. description: Used to select a specific property of the Provider value (if a map), if supported
  941. type: string
  942. version:
  943. description: Used to select a specific version of the Provider value, if supported
  944. type: string
  945. required:
  946. - key
  947. type: object
  948. secretKey:
  949. description: The key in the Kubernetes Secret to store the value.
  950. maxLength: 253
  951. minLength: 1
  952. pattern: ^[-._a-zA-Z0-9]+$
  953. type: string
  954. sourceRef:
  955. description: |-
  956. SourceRef allows you to override the source
  957. from which the value will be pulled.
  958. maxProperties: 1
  959. minProperties: 1
  960. properties:
  961. generatorRef:
  962. description: |-
  963. GeneratorRef points to a generator custom resource.
  964. Deprecated: The generatorRef is not implemented in .data[].
  965. this will be removed with v1.
  966. properties:
  967. apiVersion:
  968. default: generators.external-secrets.io/v1alpha1
  969. description: Specify the apiVersion of the generator resource
  970. type: string
  971. kind:
  972. description: Specify the Kind of the generator resource
  973. enum:
  974. - ACRAccessToken
  975. - ClusterGenerator
  976. - ECRAuthorizationToken
  977. - Fake
  978. - GCRAccessToken
  979. - GithubAccessToken
  980. - QuayAccessToken
  981. - Password
  982. - SSHKey
  983. - STSSessionToken
  984. - UUID
  985. - VaultDynamicSecret
  986. - Webhook
  987. - Grafana
  988. type: string
  989. name:
  990. description: Specify the name of the generator resource
  991. maxLength: 253
  992. minLength: 1
  993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  994. type: string
  995. required:
  996. - kind
  997. - name
  998. type: object
  999. storeRef:
  1000. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1001. properties:
  1002. kind:
  1003. description: |-
  1004. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1005. Defaults to `SecretStore`
  1006. enum:
  1007. - SecretStore
  1008. - ClusterSecretStore
  1009. type: string
  1010. name:
  1011. description: Name of the SecretStore resource
  1012. maxLength: 253
  1013. minLength: 1
  1014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1015. type: string
  1016. type: object
  1017. type: object
  1018. required:
  1019. - remoteRef
  1020. - secretKey
  1021. type: object
  1022. type: array
  1023. dataFrom:
  1024. description: |-
  1025. DataFrom is used to fetch all properties from a specific Provider data
  1026. If multiple entries are specified, the Secret keys are merged in the specified order
  1027. items:
  1028. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1029. properties:
  1030. extract:
  1031. description: |-
  1032. Used to extract multiple key/value pairs from one secret
  1033. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1034. properties:
  1035. conversionStrategy:
  1036. default: Default
  1037. description: Used to define a conversion Strategy
  1038. enum:
  1039. - Default
  1040. - Unicode
  1041. type: string
  1042. decodingStrategy:
  1043. default: None
  1044. description: Used to define a decoding Strategy
  1045. enum:
  1046. - Auto
  1047. - Base64
  1048. - Base64URL
  1049. - None
  1050. type: string
  1051. key:
  1052. description: Key is the key used in the Provider, mandatory
  1053. type: string
  1054. metadataPolicy:
  1055. default: None
  1056. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1057. enum:
  1058. - None
  1059. - Fetch
  1060. type: string
  1061. property:
  1062. description: Used to select a specific property of the Provider value (if a map), if supported
  1063. type: string
  1064. version:
  1065. description: Used to select a specific version of the Provider value, if supported
  1066. type: string
  1067. required:
  1068. - key
  1069. type: object
  1070. find:
  1071. description: |-
  1072. Used to find secrets based on tags or regular expressions
  1073. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1074. properties:
  1075. conversionStrategy:
  1076. default: Default
  1077. description: Used to define a conversion Strategy
  1078. enum:
  1079. - Default
  1080. - Unicode
  1081. type: string
  1082. decodingStrategy:
  1083. default: None
  1084. description: Used to define a decoding Strategy
  1085. enum:
  1086. - Auto
  1087. - Base64
  1088. - Base64URL
  1089. - None
  1090. type: string
  1091. name:
  1092. description: Finds secrets based on the name.
  1093. properties:
  1094. regexp:
  1095. description: Finds secrets base
  1096. type: string
  1097. type: object
  1098. path:
  1099. description: A root path to start the find operations.
  1100. type: string
  1101. tags:
  1102. additionalProperties:
  1103. type: string
  1104. description: Find secrets based on tags.
  1105. type: object
  1106. type: object
  1107. rewrite:
  1108. description: |-
  1109. Used to rewrite secret Keys after getting them from the secret Provider
  1110. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1111. items:
  1112. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1113. maxProperties: 1
  1114. minProperties: 1
  1115. properties:
  1116. regexp:
  1117. description: |-
  1118. Used to rewrite with regular expressions.
  1119. The resulting key will be the output of a regexp.ReplaceAll operation.
  1120. properties:
  1121. source:
  1122. description: Used to define the regular expression of a re.Compiler.
  1123. type: string
  1124. target:
  1125. description: Used to define the target pattern of a ReplaceAll operation.
  1126. type: string
  1127. required:
  1128. - source
  1129. - target
  1130. type: object
  1131. transform:
  1132. description: |-
  1133. Used to apply string transformation on the secrets.
  1134. The resulting key will be the output of the template applied by the operation.
  1135. properties:
  1136. template:
  1137. description: |-
  1138. Used to define the template to apply on the secret name.
  1139. `.value ` will specify the secret name in the template.
  1140. type: string
  1141. required:
  1142. - template
  1143. type: object
  1144. type: object
  1145. type: array
  1146. sourceRef:
  1147. description: |-
  1148. SourceRef points to a store or generator
  1149. which contains secret values ready to use.
  1150. Use this in combination with Extract or Find pull values out of
  1151. a specific SecretStore.
  1152. When sourceRef points to a generator Extract or Find is not supported.
  1153. The generator returns a static map of values
  1154. maxProperties: 1
  1155. minProperties: 1
  1156. properties:
  1157. generatorRef:
  1158. description: GeneratorRef points to a generator custom resource.
  1159. properties:
  1160. apiVersion:
  1161. default: generators.external-secrets.io/v1alpha1
  1162. description: Specify the apiVersion of the generator resource
  1163. type: string
  1164. kind:
  1165. description: Specify the Kind of the generator resource
  1166. enum:
  1167. - ACRAccessToken
  1168. - ClusterGenerator
  1169. - ECRAuthorizationToken
  1170. - Fake
  1171. - GCRAccessToken
  1172. - GithubAccessToken
  1173. - QuayAccessToken
  1174. - Password
  1175. - SSHKey
  1176. - STSSessionToken
  1177. - UUID
  1178. - VaultDynamicSecret
  1179. - Webhook
  1180. - Grafana
  1181. type: string
  1182. name:
  1183. description: Specify the name of the generator resource
  1184. maxLength: 253
  1185. minLength: 1
  1186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1187. type: string
  1188. required:
  1189. - kind
  1190. - name
  1191. type: object
  1192. storeRef:
  1193. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1194. properties:
  1195. kind:
  1196. description: |-
  1197. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1198. Defaults to `SecretStore`
  1199. enum:
  1200. - SecretStore
  1201. - ClusterSecretStore
  1202. type: string
  1203. name:
  1204. description: Name of the SecretStore resource
  1205. maxLength: 253
  1206. minLength: 1
  1207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1208. type: string
  1209. type: object
  1210. type: object
  1211. type: object
  1212. type: array
  1213. refreshInterval:
  1214. default: 1h0m0s
  1215. description: |-
  1216. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1217. specified as Golang Duration strings.
  1218. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1219. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1220. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1221. type: string
  1222. refreshPolicy:
  1223. description: |-
  1224. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1225. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1226. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1227. No periodic updates occur if refreshInterval is 0.
  1228. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1229. enum:
  1230. - CreatedOnce
  1231. - Periodic
  1232. - OnChange
  1233. type: string
  1234. secretStoreRef:
  1235. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1236. properties:
  1237. kind:
  1238. description: |-
  1239. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1240. Defaults to `SecretStore`
  1241. enum:
  1242. - SecretStore
  1243. - ClusterSecretStore
  1244. type: string
  1245. name:
  1246. description: Name of the SecretStore resource
  1247. maxLength: 253
  1248. minLength: 1
  1249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1250. type: string
  1251. type: object
  1252. target:
  1253. default:
  1254. creationPolicy: Owner
  1255. deletionPolicy: Retain
  1256. description: |-
  1257. ExternalSecretTarget defines the Kubernetes Secret to be created
  1258. There can be only one target per ExternalSecret.
  1259. properties:
  1260. creationPolicy:
  1261. default: Owner
  1262. description: |-
  1263. CreationPolicy defines rules on how to create the resulting Secret.
  1264. Defaults to "Owner"
  1265. enum:
  1266. - Owner
  1267. - Orphan
  1268. - Merge
  1269. - None
  1270. type: string
  1271. deletionPolicy:
  1272. default: Retain
  1273. description: |-
  1274. DeletionPolicy defines rules on how to delete the resulting Secret.
  1275. Defaults to "Retain"
  1276. enum:
  1277. - Delete
  1278. - Merge
  1279. - Retain
  1280. type: string
  1281. immutable:
  1282. description: Immutable defines if the final secret will be immutable
  1283. type: boolean
  1284. name:
  1285. description: |-
  1286. The name of the Secret resource to be managed.
  1287. Defaults to the .metadata.name of the ExternalSecret resource
  1288. maxLength: 253
  1289. minLength: 1
  1290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1291. type: string
  1292. template:
  1293. description: Template defines a blueprint for the created Secret resource.
  1294. properties:
  1295. data:
  1296. additionalProperties:
  1297. type: string
  1298. type: object
  1299. engineVersion:
  1300. default: v2
  1301. description: |-
  1302. EngineVersion specifies the template engine version
  1303. that should be used to compile/execute the
  1304. template specified in .data and .templateFrom[].
  1305. enum:
  1306. - v2
  1307. type: string
  1308. mergePolicy:
  1309. default: Replace
  1310. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1311. enum:
  1312. - Replace
  1313. - Merge
  1314. type: string
  1315. metadata:
  1316. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1317. properties:
  1318. annotations:
  1319. additionalProperties:
  1320. type: string
  1321. type: object
  1322. labels:
  1323. additionalProperties:
  1324. type: string
  1325. type: object
  1326. type: object
  1327. templateFrom:
  1328. items:
  1329. description: TemplateFrom defines a source for template data.
  1330. properties:
  1331. configMap:
  1332. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1333. properties:
  1334. items:
  1335. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1336. items:
  1337. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1338. properties:
  1339. key:
  1340. description: A key in the ConfigMap/Secret
  1341. maxLength: 253
  1342. minLength: 1
  1343. pattern: ^[-._a-zA-Z0-9]+$
  1344. type: string
  1345. templateAs:
  1346. default: Values
  1347. description: TemplateScope defines the scope of the template when processing template data.
  1348. enum:
  1349. - Values
  1350. - KeysAndValues
  1351. type: string
  1352. required:
  1353. - key
  1354. type: object
  1355. type: array
  1356. name:
  1357. description: The name of the ConfigMap/Secret resource
  1358. maxLength: 253
  1359. minLength: 1
  1360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1361. type: string
  1362. required:
  1363. - items
  1364. - name
  1365. type: object
  1366. literal:
  1367. type: string
  1368. secret:
  1369. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1370. properties:
  1371. items:
  1372. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1373. items:
  1374. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1375. properties:
  1376. key:
  1377. description: A key in the ConfigMap/Secret
  1378. maxLength: 253
  1379. minLength: 1
  1380. pattern: ^[-._a-zA-Z0-9]+$
  1381. type: string
  1382. templateAs:
  1383. default: Values
  1384. description: TemplateScope defines the scope of the template when processing template data.
  1385. enum:
  1386. - Values
  1387. - KeysAndValues
  1388. type: string
  1389. required:
  1390. - key
  1391. type: object
  1392. type: array
  1393. name:
  1394. description: The name of the ConfigMap/Secret resource
  1395. maxLength: 253
  1396. minLength: 1
  1397. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1398. type: string
  1399. required:
  1400. - items
  1401. - name
  1402. type: object
  1403. target:
  1404. default: Data
  1405. description: TemplateTarget defines the target field where the template result will be stored.
  1406. enum:
  1407. - Data
  1408. - Annotations
  1409. - Labels
  1410. type: string
  1411. type: object
  1412. type: array
  1413. type:
  1414. type: string
  1415. type: object
  1416. type: object
  1417. type: object
  1418. namespaceSelector:
  1419. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1420. properties:
  1421. matchExpressions:
  1422. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1423. items:
  1424. description: |-
  1425. A label selector requirement is a selector that contains values, a key, and an operator that
  1426. relates the key and values.
  1427. properties:
  1428. key:
  1429. description: key is the label key that the selector applies to.
  1430. type: string
  1431. operator:
  1432. description: |-
  1433. operator represents a key's relationship to a set of values.
  1434. Valid operators are In, NotIn, Exists and DoesNotExist.
  1435. type: string
  1436. values:
  1437. description: |-
  1438. values is an array of string values. If the operator is In or NotIn,
  1439. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1440. the values array must be empty. This array is replaced during a strategic
  1441. merge patch.
  1442. items:
  1443. type: string
  1444. type: array
  1445. x-kubernetes-list-type: atomic
  1446. required:
  1447. - key
  1448. - operator
  1449. type: object
  1450. type: array
  1451. x-kubernetes-list-type: atomic
  1452. matchLabels:
  1453. additionalProperties:
  1454. type: string
  1455. description: |-
  1456. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1457. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1458. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1459. type: object
  1460. type: object
  1461. x-kubernetes-map-type: atomic
  1462. namespaceSelectors:
  1463. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1464. items:
  1465. description: |-
  1466. A label selector is a label query over a set of resources. The result of matchLabels and
  1467. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1468. label selector matches no objects.
  1469. properties:
  1470. matchExpressions:
  1471. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1472. items:
  1473. description: |-
  1474. A label selector requirement is a selector that contains values, a key, and an operator that
  1475. relates the key and values.
  1476. properties:
  1477. key:
  1478. description: key is the label key that the selector applies to.
  1479. type: string
  1480. operator:
  1481. description: |-
  1482. operator represents a key's relationship to a set of values.
  1483. Valid operators are In, NotIn, Exists and DoesNotExist.
  1484. type: string
  1485. values:
  1486. description: |-
  1487. values is an array of string values. If the operator is In or NotIn,
  1488. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1489. the values array must be empty. This array is replaced during a strategic
  1490. merge patch.
  1491. items:
  1492. type: string
  1493. type: array
  1494. x-kubernetes-list-type: atomic
  1495. required:
  1496. - key
  1497. - operator
  1498. type: object
  1499. type: array
  1500. x-kubernetes-list-type: atomic
  1501. matchLabels:
  1502. additionalProperties:
  1503. type: string
  1504. description: |-
  1505. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1506. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1507. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1508. type: object
  1509. type: object
  1510. x-kubernetes-map-type: atomic
  1511. type: array
  1512. namespaces:
  1513. description: |-
  1514. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1515. Deprecated: Use NamespaceSelectors instead.
  1516. items:
  1517. maxLength: 63
  1518. minLength: 1
  1519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1520. type: string
  1521. type: array
  1522. refreshTime:
  1523. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1524. type: string
  1525. required:
  1526. - externalSecretSpec
  1527. type: object
  1528. status:
  1529. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1530. properties:
  1531. conditions:
  1532. items:
  1533. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1534. properties:
  1535. message:
  1536. type: string
  1537. status:
  1538. type: string
  1539. type:
  1540. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1541. type: string
  1542. required:
  1543. - status
  1544. - type
  1545. type: object
  1546. type: array
  1547. externalSecretName:
  1548. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1549. type: string
  1550. failedNamespaces:
  1551. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1552. items:
  1553. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1554. properties:
  1555. namespace:
  1556. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1557. type: string
  1558. reason:
  1559. description: Reason is why the ExternalSecret failed to apply to the namespace
  1560. type: string
  1561. required:
  1562. - namespace
  1563. type: object
  1564. type: array
  1565. provisionedNamespaces:
  1566. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1567. items:
  1568. type: string
  1569. type: array
  1570. type: object
  1571. type: object
  1572. served: false
  1573. storage: false
  1574. subresources:
  1575. status: {}
  1576. ---
  1577. apiVersion: apiextensions.k8s.io/v1
  1578. kind: CustomResourceDefinition
  1579. metadata:
  1580. annotations:
  1581. controller-gen.kubebuilder.io/version: v0.19.0
  1582. labels:
  1583. external-secrets.io/component: controller
  1584. name: clusterpushsecrets.external-secrets.io
  1585. spec:
  1586. group: external-secrets.io
  1587. names:
  1588. categories:
  1589. - external-secrets
  1590. kind: ClusterPushSecret
  1591. listKind: ClusterPushSecretList
  1592. plural: clusterpushsecrets
  1593. singular: clusterpushsecret
  1594. scope: Cluster
  1595. versions:
  1596. - additionalPrinterColumns:
  1597. - jsonPath: .metadata.creationTimestamp
  1598. name: AGE
  1599. type: date
  1600. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1601. name: Status
  1602. type: string
  1603. name: v1alpha1
  1604. schema:
  1605. openAPIV3Schema:
  1606. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1607. properties:
  1608. apiVersion:
  1609. description: |-
  1610. APIVersion defines the versioned schema of this representation of an object.
  1611. Servers should convert recognized schemas to the latest internal value, and
  1612. may reject unrecognized values.
  1613. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1614. type: string
  1615. kind:
  1616. description: |-
  1617. Kind is a string value representing the REST resource this object represents.
  1618. Servers may infer this from the endpoint the client submits requests to.
  1619. Cannot be updated.
  1620. In CamelCase.
  1621. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1622. type: string
  1623. metadata:
  1624. type: object
  1625. spec:
  1626. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1627. properties:
  1628. namespaceSelectors:
  1629. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1630. items:
  1631. description: |-
  1632. A label selector is a label query over a set of resources. The result of matchLabels and
  1633. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1634. label selector matches no objects.
  1635. properties:
  1636. matchExpressions:
  1637. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1638. items:
  1639. description: |-
  1640. A label selector requirement is a selector that contains values, a key, and an operator that
  1641. relates the key and values.
  1642. properties:
  1643. key:
  1644. description: key is the label key that the selector applies to.
  1645. type: string
  1646. operator:
  1647. description: |-
  1648. operator represents a key's relationship to a set of values.
  1649. Valid operators are In, NotIn, Exists and DoesNotExist.
  1650. type: string
  1651. values:
  1652. description: |-
  1653. values is an array of string values. If the operator is In or NotIn,
  1654. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1655. the values array must be empty. This array is replaced during a strategic
  1656. merge patch.
  1657. items:
  1658. type: string
  1659. type: array
  1660. x-kubernetes-list-type: atomic
  1661. required:
  1662. - key
  1663. - operator
  1664. type: object
  1665. type: array
  1666. x-kubernetes-list-type: atomic
  1667. matchLabels:
  1668. additionalProperties:
  1669. type: string
  1670. description: |-
  1671. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1672. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1673. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1674. type: object
  1675. type: object
  1676. x-kubernetes-map-type: atomic
  1677. type: array
  1678. pushSecretMetadata:
  1679. description: The metadata of the external secrets to be created
  1680. properties:
  1681. annotations:
  1682. additionalProperties:
  1683. type: string
  1684. type: object
  1685. labels:
  1686. additionalProperties:
  1687. type: string
  1688. type: object
  1689. type: object
  1690. pushSecretName:
  1691. description: |-
  1692. The name of the push secrets to be created.
  1693. Defaults to the name of the ClusterPushSecret
  1694. maxLength: 253
  1695. minLength: 1
  1696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1697. type: string
  1698. pushSecretSpec:
  1699. description: PushSecretSpec defines what to do with the secrets.
  1700. properties:
  1701. data:
  1702. description: Secret Data that should be pushed to providers
  1703. items:
  1704. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1705. properties:
  1706. conversionStrategy:
  1707. default: None
  1708. description: Used to define a conversion Strategy for the secret keys
  1709. enum:
  1710. - None
  1711. - ReverseUnicode
  1712. type: string
  1713. match:
  1714. description: Match a given Secret Key to be pushed to the provider.
  1715. properties:
  1716. remoteRef:
  1717. description: Remote Refs to push to providers.
  1718. properties:
  1719. property:
  1720. description: Name of the property in the resulting secret
  1721. type: string
  1722. remoteKey:
  1723. description: Name of the resulting provider secret.
  1724. type: string
  1725. required:
  1726. - remoteKey
  1727. type: object
  1728. secretKey:
  1729. description: Secret Key to be pushed
  1730. type: string
  1731. required:
  1732. - remoteRef
  1733. type: object
  1734. metadata:
  1735. description: |-
  1736. Metadata is metadata attached to the secret.
  1737. The structure of metadata is provider specific, please look it up in the provider documentation.
  1738. x-kubernetes-preserve-unknown-fields: true
  1739. required:
  1740. - match
  1741. type: object
  1742. type: array
  1743. dataTo:
  1744. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1745. items:
  1746. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1747. properties:
  1748. conversionStrategy:
  1749. default: None
  1750. description: Used to define a conversion Strategy for the secret keys
  1751. enum:
  1752. - None
  1753. - ReverseUnicode
  1754. type: string
  1755. match:
  1756. description: |-
  1757. Match pattern for selecting keys from the source Secret.
  1758. If not specified, all keys are selected.
  1759. properties:
  1760. regexp:
  1761. description: |-
  1762. Regexp matches keys by regular expression.
  1763. If not specified, all keys are matched.
  1764. type: string
  1765. type: object
  1766. metadata:
  1767. description: |-
  1768. Metadata is metadata attached to the secret.
  1769. The structure of metadata is provider specific, please look it up in the provider documentation.
  1770. x-kubernetes-preserve-unknown-fields: true
  1771. remoteKey:
  1772. description: |-
  1773. RemoteKey is the name of the single provider secret that will receive ALL
  1774. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1775. When set, per-key expansion is skipped and a single push is performed.
  1776. The provider's store prefix (if any) is still prepended to this value.
  1777. When not set, each matched key is pushed as its own individual provider secret.
  1778. type: string
  1779. rewrite:
  1780. description: |-
  1781. Rewrite operations to transform keys before pushing to the provider.
  1782. Operations are applied sequentially.
  1783. items:
  1784. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1785. properties:
  1786. regexp:
  1787. description: Used to rewrite with regular expressions.
  1788. properties:
  1789. source:
  1790. description: Used to define the regular expression of a re.Compiler.
  1791. type: string
  1792. target:
  1793. description: Used to define the target pattern of a ReplaceAll operation.
  1794. type: string
  1795. required:
  1796. - source
  1797. - target
  1798. type: object
  1799. transform:
  1800. description: Used to apply string transformation on the secrets.
  1801. properties:
  1802. template:
  1803. description: |-
  1804. Used to define the template to apply on the secret name.
  1805. `.value ` will specify the secret name in the template.
  1806. type: string
  1807. required:
  1808. - template
  1809. type: object
  1810. type: object
  1811. x-kubernetes-validations:
  1812. - message: exactly one of regexp or transform must be set
  1813. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1814. type: array
  1815. storeRef:
  1816. description: StoreRef specifies which SecretStore to push to. Required.
  1817. properties:
  1818. kind:
  1819. default: SecretStore
  1820. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1821. enum:
  1822. - SecretStore
  1823. - ClusterSecretStore
  1824. type: string
  1825. labelSelector:
  1826. description: Optionally, sync to secret stores with label selector
  1827. properties:
  1828. matchExpressions:
  1829. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1830. items:
  1831. description: |-
  1832. A label selector requirement is a selector that contains values, a key, and an operator that
  1833. relates the key and values.
  1834. properties:
  1835. key:
  1836. description: key is the label key that the selector applies to.
  1837. type: string
  1838. operator:
  1839. description: |-
  1840. operator represents a key's relationship to a set of values.
  1841. Valid operators are In, NotIn, Exists and DoesNotExist.
  1842. type: string
  1843. values:
  1844. description: |-
  1845. values is an array of string values. If the operator is In or NotIn,
  1846. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1847. the values array must be empty. This array is replaced during a strategic
  1848. merge patch.
  1849. items:
  1850. type: string
  1851. type: array
  1852. x-kubernetes-list-type: atomic
  1853. required:
  1854. - key
  1855. - operator
  1856. type: object
  1857. type: array
  1858. x-kubernetes-list-type: atomic
  1859. matchLabels:
  1860. additionalProperties:
  1861. type: string
  1862. description: |-
  1863. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1864. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1865. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1866. type: object
  1867. type: object
  1868. x-kubernetes-map-type: atomic
  1869. name:
  1870. description: Optionally, sync to the SecretStore of the given name
  1871. maxLength: 253
  1872. minLength: 1
  1873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1874. type: string
  1875. type: object
  1876. type: object
  1877. x-kubernetes-validations:
  1878. - message: storeRef must specify either name or labelSelector
  1879. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1880. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1881. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1882. type: array
  1883. deletionPolicy:
  1884. default: None
  1885. description: Deletion Policy to handle Secrets in the provider.
  1886. enum:
  1887. - Delete
  1888. - None
  1889. type: string
  1890. refreshInterval:
  1891. default: 1h0m0s
  1892. description: The Interval to which External Secrets will try to push a secret definition
  1893. type: string
  1894. secretStoreRefs:
  1895. items:
  1896. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1897. properties:
  1898. kind:
  1899. default: SecretStore
  1900. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1901. enum:
  1902. - SecretStore
  1903. - ClusterSecretStore
  1904. type: string
  1905. labelSelector:
  1906. description: Optionally, sync to secret stores with label selector
  1907. properties:
  1908. matchExpressions:
  1909. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1910. items:
  1911. description: |-
  1912. A label selector requirement is a selector that contains values, a key, and an operator that
  1913. relates the key and values.
  1914. properties:
  1915. key:
  1916. description: key is the label key that the selector applies to.
  1917. type: string
  1918. operator:
  1919. description: |-
  1920. operator represents a key's relationship to a set of values.
  1921. Valid operators are In, NotIn, Exists and DoesNotExist.
  1922. type: string
  1923. values:
  1924. description: |-
  1925. values is an array of string values. If the operator is In or NotIn,
  1926. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1927. the values array must be empty. This array is replaced during a strategic
  1928. merge patch.
  1929. items:
  1930. type: string
  1931. type: array
  1932. x-kubernetes-list-type: atomic
  1933. required:
  1934. - key
  1935. - operator
  1936. type: object
  1937. type: array
  1938. x-kubernetes-list-type: atomic
  1939. matchLabels:
  1940. additionalProperties:
  1941. type: string
  1942. description: |-
  1943. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1944. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1945. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1946. type: object
  1947. type: object
  1948. x-kubernetes-map-type: atomic
  1949. name:
  1950. description: Optionally, sync to the SecretStore of the given name
  1951. maxLength: 253
  1952. minLength: 1
  1953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1954. type: string
  1955. type: object
  1956. type: array
  1957. selector:
  1958. description: The Secret Selector (k8s source) for the Push Secret
  1959. maxProperties: 1
  1960. minProperties: 1
  1961. properties:
  1962. generatorRef:
  1963. description: Point to a generator to create a Secret.
  1964. properties:
  1965. apiVersion:
  1966. default: generators.external-secrets.io/v1alpha1
  1967. description: Specify the apiVersion of the generator resource
  1968. type: string
  1969. kind:
  1970. description: Specify the Kind of the generator resource
  1971. enum:
  1972. - ACRAccessToken
  1973. - BeyondtrustWorkloadCredentialsDynamicSecret
  1974. - ClusterGenerator
  1975. - CloudsmithAccessToken
  1976. - ECRAuthorizationToken
  1977. - Fake
  1978. - GCRAccessToken
  1979. - GithubAccessToken
  1980. - QuayAccessToken
  1981. - Password
  1982. - SSHKey
  1983. - STSSessionToken
  1984. - UUID
  1985. - VaultDynamicSecret
  1986. - Webhook
  1987. - Grafana
  1988. - MFA
  1989. type: string
  1990. name:
  1991. description: Specify the name of the generator resource
  1992. maxLength: 253
  1993. minLength: 1
  1994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1995. type: string
  1996. required:
  1997. - kind
  1998. - name
  1999. type: object
  2000. secret:
  2001. description: Select a Secret to Push.
  2002. properties:
  2003. name:
  2004. description: |-
  2005. Name of the Secret.
  2006. The Secret must exist in the same namespace as the PushSecret manifest.
  2007. maxLength: 253
  2008. minLength: 1
  2009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2010. type: string
  2011. selector:
  2012. description: Selector chooses secrets using a labelSelector.
  2013. properties:
  2014. matchExpressions:
  2015. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2016. items:
  2017. description: |-
  2018. A label selector requirement is a selector that contains values, a key, and an operator that
  2019. relates the key and values.
  2020. properties:
  2021. key:
  2022. description: key is the label key that the selector applies to.
  2023. type: string
  2024. operator:
  2025. description: |-
  2026. operator represents a key's relationship to a set of values.
  2027. Valid operators are In, NotIn, Exists and DoesNotExist.
  2028. type: string
  2029. values:
  2030. description: |-
  2031. values is an array of string values. If the operator is In or NotIn,
  2032. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2033. the values array must be empty. This array is replaced during a strategic
  2034. merge patch.
  2035. items:
  2036. type: string
  2037. type: array
  2038. x-kubernetes-list-type: atomic
  2039. required:
  2040. - key
  2041. - operator
  2042. type: object
  2043. type: array
  2044. x-kubernetes-list-type: atomic
  2045. matchLabels:
  2046. additionalProperties:
  2047. type: string
  2048. description: |-
  2049. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2050. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2051. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2052. type: object
  2053. type: object
  2054. x-kubernetes-map-type: atomic
  2055. type: object
  2056. type: object
  2057. template:
  2058. description: Template defines a blueprint for the created Secret resource.
  2059. properties:
  2060. data:
  2061. additionalProperties:
  2062. type: string
  2063. type: object
  2064. engineVersion:
  2065. default: v2
  2066. description: |-
  2067. EngineVersion specifies the template engine version
  2068. that should be used to compile/execute the
  2069. template specified in .data and .templateFrom[].
  2070. enum:
  2071. - v2
  2072. type: string
  2073. mergePolicy:
  2074. default: Replace
  2075. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2076. enum:
  2077. - Replace
  2078. - Merge
  2079. type: string
  2080. metadata:
  2081. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2082. properties:
  2083. annotations:
  2084. additionalProperties:
  2085. type: string
  2086. type: object
  2087. finalizers:
  2088. items:
  2089. type: string
  2090. type: array
  2091. labels:
  2092. additionalProperties:
  2093. type: string
  2094. type: object
  2095. type: object
  2096. templateFrom:
  2097. items:
  2098. description: |-
  2099. TemplateFrom specifies a source for templates.
  2100. Each item in the list can either reference a ConfigMap or a Secret resource.
  2101. properties:
  2102. configMap:
  2103. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2104. properties:
  2105. items:
  2106. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2107. items:
  2108. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2109. properties:
  2110. key:
  2111. description: A key in the ConfigMap/Secret
  2112. maxLength: 253
  2113. minLength: 1
  2114. pattern: ^[-._a-zA-Z0-9]+$
  2115. type: string
  2116. templateAs:
  2117. default: Values
  2118. description: TemplateScope specifies how the template keys should be interpreted.
  2119. enum:
  2120. - Values
  2121. - KeysAndValues
  2122. type: string
  2123. required:
  2124. - key
  2125. type: object
  2126. type: array
  2127. name:
  2128. description: The name of the ConfigMap/Secret resource
  2129. maxLength: 253
  2130. minLength: 1
  2131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2132. type: string
  2133. required:
  2134. - items
  2135. - name
  2136. type: object
  2137. literal:
  2138. type: string
  2139. secret:
  2140. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2141. properties:
  2142. items:
  2143. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2144. items:
  2145. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2146. properties:
  2147. key:
  2148. description: A key in the ConfigMap/Secret
  2149. maxLength: 253
  2150. minLength: 1
  2151. pattern: ^[-._a-zA-Z0-9]+$
  2152. type: string
  2153. templateAs:
  2154. default: Values
  2155. description: TemplateScope specifies how the template keys should be interpreted.
  2156. enum:
  2157. - Values
  2158. - KeysAndValues
  2159. type: string
  2160. required:
  2161. - key
  2162. type: object
  2163. type: array
  2164. name:
  2165. description: The name of the ConfigMap/Secret resource
  2166. maxLength: 253
  2167. minLength: 1
  2168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2169. type: string
  2170. required:
  2171. - items
  2172. - name
  2173. type: object
  2174. target:
  2175. default: Data
  2176. description: |-
  2177. Target specifies where to place the template result.
  2178. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2179. For custom resources (when spec.target.manifest is set), this supports
  2180. nested paths like "spec.database.config" or "data".
  2181. type: string
  2182. type: object
  2183. type: array
  2184. type:
  2185. type: string
  2186. type: object
  2187. updatePolicy:
  2188. default: Replace
  2189. description: UpdatePolicy to handle Secrets in the provider.
  2190. enum:
  2191. - Replace
  2192. - IfNotExists
  2193. type: string
  2194. required:
  2195. - secretStoreRefs
  2196. - selector
  2197. type: object
  2198. refreshTime:
  2199. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2200. type: string
  2201. required:
  2202. - pushSecretSpec
  2203. type: object
  2204. status:
  2205. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2206. properties:
  2207. conditions:
  2208. items:
  2209. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2210. properties:
  2211. lastTransitionTime:
  2212. format: date-time
  2213. type: string
  2214. message:
  2215. type: string
  2216. reason:
  2217. type: string
  2218. status:
  2219. type: string
  2220. type:
  2221. description: PushSecretConditionType indicates the condition of the PushSecret.
  2222. type: string
  2223. required:
  2224. - status
  2225. - type
  2226. type: object
  2227. type: array
  2228. failedNamespaces:
  2229. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  2230. items:
  2231. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  2232. properties:
  2233. namespace:
  2234. description: Namespace is the namespace that failed when trying to apply an PushSecret
  2235. type: string
  2236. reason:
  2237. description: Reason is why the PushSecret failed to apply to the namespace
  2238. type: string
  2239. required:
  2240. - namespace
  2241. type: object
  2242. type: array
  2243. provisionedNamespaces:
  2244. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2245. items:
  2246. type: string
  2247. type: array
  2248. pushSecretName:
  2249. type: string
  2250. type: object
  2251. type: object
  2252. served: true
  2253. storage: true
  2254. subresources:
  2255. status: {}
  2256. ---
  2257. apiVersion: apiextensions.k8s.io/v1
  2258. kind: CustomResourceDefinition
  2259. metadata:
  2260. annotations:
  2261. controller-gen.kubebuilder.io/version: v0.19.0
  2262. labels:
  2263. external-secrets.io/component: controller
  2264. name: clustersecretstores.external-secrets.io
  2265. spec:
  2266. group: external-secrets.io
  2267. names:
  2268. categories:
  2269. - external-secrets
  2270. kind: ClusterSecretStore
  2271. listKind: ClusterSecretStoreList
  2272. plural: clustersecretstores
  2273. shortNames:
  2274. - css
  2275. singular: clustersecretstore
  2276. scope: Cluster
  2277. versions:
  2278. - additionalPrinterColumns:
  2279. - jsonPath: .metadata.creationTimestamp
  2280. name: AGE
  2281. type: date
  2282. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2283. name: Status
  2284. type: string
  2285. - jsonPath: .status.capabilities
  2286. name: Capabilities
  2287. type: string
  2288. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2289. name: Ready
  2290. type: string
  2291. name: v1
  2292. schema:
  2293. openAPIV3Schema:
  2294. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2295. properties:
  2296. apiVersion:
  2297. description: |-
  2298. APIVersion defines the versioned schema of this representation of an object.
  2299. Servers should convert recognized schemas to the latest internal value, and
  2300. may reject unrecognized values.
  2301. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2302. type: string
  2303. kind:
  2304. description: |-
  2305. Kind is a string value representing the REST resource this object represents.
  2306. Servers may infer this from the endpoint the client submits requests to.
  2307. Cannot be updated.
  2308. In CamelCase.
  2309. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2310. type: string
  2311. metadata:
  2312. type: object
  2313. spec:
  2314. description: SecretStoreSpec defines the desired state of SecretStore.
  2315. properties:
  2316. conditions:
  2317. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2318. items:
  2319. description: |-
  2320. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2321. for a ClusterSecretStore instance.
  2322. properties:
  2323. namespaceRegexes:
  2324. description: Choose namespaces by using regex matching
  2325. items:
  2326. type: string
  2327. type: array
  2328. namespaceSelector:
  2329. description: Choose namespace using a labelSelector
  2330. properties:
  2331. matchExpressions:
  2332. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2333. items:
  2334. description: |-
  2335. A label selector requirement is a selector that contains values, a key, and an operator that
  2336. relates the key and values.
  2337. properties:
  2338. key:
  2339. description: key is the label key that the selector applies to.
  2340. type: string
  2341. operator:
  2342. description: |-
  2343. operator represents a key's relationship to a set of values.
  2344. Valid operators are In, NotIn, Exists and DoesNotExist.
  2345. type: string
  2346. values:
  2347. description: |-
  2348. values is an array of string values. If the operator is In or NotIn,
  2349. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2350. the values array must be empty. This array is replaced during a strategic
  2351. merge patch.
  2352. items:
  2353. type: string
  2354. type: array
  2355. x-kubernetes-list-type: atomic
  2356. required:
  2357. - key
  2358. - operator
  2359. type: object
  2360. type: array
  2361. x-kubernetes-list-type: atomic
  2362. matchLabels:
  2363. additionalProperties:
  2364. type: string
  2365. description: |-
  2366. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2367. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2368. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2369. type: object
  2370. type: object
  2371. x-kubernetes-map-type: atomic
  2372. namespaces:
  2373. description: Choose namespaces by name
  2374. items:
  2375. maxLength: 63
  2376. minLength: 1
  2377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2378. type: string
  2379. type: array
  2380. type: object
  2381. type: array
  2382. controller:
  2383. description: |-
  2384. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2385. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2386. type: string
  2387. provider:
  2388. description: Used to configure the provider. Only one provider may be set
  2389. maxProperties: 1
  2390. minProperties: 1
  2391. properties:
  2392. akeyless:
  2393. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2394. properties:
  2395. akeylessGWApiURL:
  2396. description: Akeyless GW API Url from which the secrets to be fetched from.
  2397. type: string
  2398. authSecretRef:
  2399. description: Auth configures how the operator authenticates with Akeyless.
  2400. properties:
  2401. kubernetesAuth:
  2402. description: |-
  2403. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2404. token stored in the named Secret resource.
  2405. properties:
  2406. accessID:
  2407. description: the Akeyless Kubernetes auth-method access-id
  2408. type: string
  2409. k8sConfName:
  2410. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2411. type: string
  2412. secretRef:
  2413. description: |-
  2414. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2415. for authenticating with Akeyless. If a name is specified without a key,
  2416. `token` is the default. If one is not specified, the one bound to
  2417. the controller will be used.
  2418. properties:
  2419. key:
  2420. description: |-
  2421. A key in the referenced Secret.
  2422. Some instances of this field may be defaulted, in others it may be required.
  2423. maxLength: 253
  2424. minLength: 1
  2425. pattern: ^[-._a-zA-Z0-9]+$
  2426. type: string
  2427. name:
  2428. description: The name of the Secret resource being referred to.
  2429. maxLength: 253
  2430. minLength: 1
  2431. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2432. type: string
  2433. namespace:
  2434. description: |-
  2435. The namespace of the Secret resource being referred to.
  2436. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2437. maxLength: 63
  2438. minLength: 1
  2439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2440. type: string
  2441. type: object
  2442. serviceAccountRef:
  2443. description: |-
  2444. Optional service account field containing the name of a kubernetes ServiceAccount.
  2445. If the service account is specified, the service account secret token JWT will be used
  2446. for authenticating with Akeyless. If the service account selector is not supplied,
  2447. the secretRef will be used instead.
  2448. properties:
  2449. audiences:
  2450. description: |-
  2451. Audience specifies the `aud` claim for the service account token
  2452. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2453. then this audiences will be appended to the list
  2454. items:
  2455. type: string
  2456. type: array
  2457. name:
  2458. description: The name of the ServiceAccount resource being referred to.
  2459. maxLength: 253
  2460. minLength: 1
  2461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2462. type: string
  2463. namespace:
  2464. description: |-
  2465. Namespace of the resource being referred to.
  2466. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2467. maxLength: 63
  2468. minLength: 1
  2469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2470. type: string
  2471. required:
  2472. - name
  2473. type: object
  2474. required:
  2475. - accessID
  2476. - k8sConfName
  2477. type: object
  2478. secretRef:
  2479. description: |-
  2480. Reference to a Secret that contains the details
  2481. to authenticate with Akeyless.
  2482. properties:
  2483. accessID:
  2484. description: The SecretAccessID is used for authentication
  2485. properties:
  2486. key:
  2487. description: |-
  2488. A key in the referenced Secret.
  2489. Some instances of this field may be defaulted, in others it may be required.
  2490. maxLength: 253
  2491. minLength: 1
  2492. pattern: ^[-._a-zA-Z0-9]+$
  2493. type: string
  2494. name:
  2495. description: The name of the Secret resource being referred to.
  2496. maxLength: 253
  2497. minLength: 1
  2498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2499. type: string
  2500. namespace:
  2501. description: |-
  2502. The namespace of the Secret resource being referred to.
  2503. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2504. maxLength: 63
  2505. minLength: 1
  2506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2507. type: string
  2508. type: object
  2509. accessType:
  2510. description: |-
  2511. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2512. In some instances, `key` is a required field.
  2513. properties:
  2514. key:
  2515. description: |-
  2516. A key in the referenced Secret.
  2517. Some instances of this field may be defaulted, in others it may be required.
  2518. maxLength: 253
  2519. minLength: 1
  2520. pattern: ^[-._a-zA-Z0-9]+$
  2521. type: string
  2522. name:
  2523. description: The name of the Secret resource being referred to.
  2524. maxLength: 253
  2525. minLength: 1
  2526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2527. type: string
  2528. namespace:
  2529. description: |-
  2530. The namespace of the Secret resource being referred to.
  2531. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2532. maxLength: 63
  2533. minLength: 1
  2534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2535. type: string
  2536. type: object
  2537. accessTypeParam:
  2538. description: |-
  2539. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2540. In some instances, `key` is a required field.
  2541. properties:
  2542. key:
  2543. description: |-
  2544. A key in the referenced Secret.
  2545. Some instances of this field may be defaulted, in others it may be required.
  2546. maxLength: 253
  2547. minLength: 1
  2548. pattern: ^[-._a-zA-Z0-9]+$
  2549. type: string
  2550. name:
  2551. description: The name of the Secret resource being referred to.
  2552. maxLength: 253
  2553. minLength: 1
  2554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2555. type: string
  2556. namespace:
  2557. description: |-
  2558. The namespace of the Secret resource being referred to.
  2559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2560. maxLength: 63
  2561. minLength: 1
  2562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2563. type: string
  2564. type: object
  2565. type: object
  2566. type: object
  2567. caBundle:
  2568. description: |-
  2569. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2570. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2571. are used to validate the TLS connection.
  2572. format: byte
  2573. type: string
  2574. caProvider:
  2575. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2576. properties:
  2577. key:
  2578. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2579. maxLength: 253
  2580. minLength: 1
  2581. pattern: ^[-._a-zA-Z0-9]+$
  2582. type: string
  2583. name:
  2584. description: The name of the object located at the provider type.
  2585. maxLength: 253
  2586. minLength: 1
  2587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2588. type: string
  2589. namespace:
  2590. description: |-
  2591. The namespace the Provider type is in.
  2592. Can only be defined when used in a ClusterSecretStore.
  2593. maxLength: 63
  2594. minLength: 1
  2595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2596. type: string
  2597. type:
  2598. description: The type of provider to use such as "Secret", or "ConfigMap".
  2599. enum:
  2600. - Secret
  2601. - ConfigMap
  2602. type: string
  2603. required:
  2604. - name
  2605. - type
  2606. type: object
  2607. required:
  2608. - akeylessGWApiURL
  2609. - authSecretRef
  2610. type: object
  2611. aws:
  2612. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2613. properties:
  2614. additionalRoles:
  2615. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2616. items:
  2617. type: string
  2618. type: array
  2619. auth:
  2620. description: |-
  2621. Auth defines the information necessary to authenticate against AWS
  2622. if not set aws sdk will infer credentials from your environment
  2623. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2624. properties:
  2625. jwt:
  2626. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  2627. properties:
  2628. serviceAccountRef:
  2629. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2630. properties:
  2631. audiences:
  2632. description: |-
  2633. Audience specifies the `aud` claim for the service account token
  2634. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2635. then this audiences will be appended to the list
  2636. items:
  2637. type: string
  2638. type: array
  2639. name:
  2640. description: The name of the ServiceAccount resource being referred to.
  2641. maxLength: 253
  2642. minLength: 1
  2643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2644. type: string
  2645. namespace:
  2646. description: |-
  2647. Namespace of the resource being referred to.
  2648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2649. maxLength: 63
  2650. minLength: 1
  2651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2652. type: string
  2653. required:
  2654. - name
  2655. type: object
  2656. type: object
  2657. secretRef:
  2658. description: |-
  2659. AWSAuthSecretRef holds secret references for AWS credentials
  2660. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2661. properties:
  2662. accessKeyIDSecretRef:
  2663. description: The AccessKeyID is used for authentication
  2664. properties:
  2665. key:
  2666. description: |-
  2667. A key in the referenced Secret.
  2668. Some instances of this field may be defaulted, in others it may be required.
  2669. maxLength: 253
  2670. minLength: 1
  2671. pattern: ^[-._a-zA-Z0-9]+$
  2672. type: string
  2673. name:
  2674. description: The name of the Secret resource being referred to.
  2675. maxLength: 253
  2676. minLength: 1
  2677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2678. type: string
  2679. namespace:
  2680. description: |-
  2681. The namespace of the Secret resource being referred to.
  2682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2683. maxLength: 63
  2684. minLength: 1
  2685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2686. type: string
  2687. type: object
  2688. secretAccessKeySecretRef:
  2689. description: The SecretAccessKey is used for authentication
  2690. properties:
  2691. key:
  2692. description: |-
  2693. A key in the referenced Secret.
  2694. Some instances of this field may be defaulted, in others it may be required.
  2695. maxLength: 253
  2696. minLength: 1
  2697. pattern: ^[-._a-zA-Z0-9]+$
  2698. type: string
  2699. name:
  2700. description: The name of the Secret resource being referred to.
  2701. maxLength: 253
  2702. minLength: 1
  2703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2704. type: string
  2705. namespace:
  2706. description: |-
  2707. The namespace of the Secret resource being referred to.
  2708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2709. maxLength: 63
  2710. minLength: 1
  2711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2712. type: string
  2713. type: object
  2714. sessionTokenSecretRef:
  2715. description: |-
  2716. The SessionToken used for authentication
  2717. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2718. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2719. properties:
  2720. key:
  2721. description: |-
  2722. A key in the referenced Secret.
  2723. Some instances of this field may be defaulted, in others it may be required.
  2724. maxLength: 253
  2725. minLength: 1
  2726. pattern: ^[-._a-zA-Z0-9]+$
  2727. type: string
  2728. name:
  2729. description: The name of the Secret resource being referred to.
  2730. maxLength: 253
  2731. minLength: 1
  2732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2733. type: string
  2734. namespace:
  2735. description: |-
  2736. The namespace of the Secret resource being referred to.
  2737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2738. maxLength: 63
  2739. minLength: 1
  2740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2741. type: string
  2742. type: object
  2743. type: object
  2744. type: object
  2745. customSessionTags:
  2746. additionalProperties:
  2747. type: string
  2748. description: |-
  2749. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2750. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2751. type: object
  2752. x-kubernetes-validations:
  2753. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2754. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2755. externalID:
  2756. description: AWS External ID set on assumed IAM roles
  2757. type: string
  2758. prefix:
  2759. description: Prefix adds a prefix to all retrieved values.
  2760. type: string
  2761. region:
  2762. description: AWS Region to be used for the provider
  2763. type: string
  2764. role:
  2765. description: Role is a Role ARN which the provider will assume
  2766. type: string
  2767. secretsManager:
  2768. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2769. properties:
  2770. forceDeleteWithoutRecovery:
  2771. description: |-
  2772. Specifies whether to delete the secret without any recovery window. You
  2773. can't use both this parameter and RecoveryWindowInDays in the same call.
  2774. If you don't use either, then by default Secrets Manager uses a 30 day
  2775. recovery window.
  2776. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2777. type: boolean
  2778. recoveryWindowInDays:
  2779. description: |-
  2780. The number of days from 7 to 30 that Secrets Manager waits before
  2781. permanently deleting the secret. You can't use both this parameter and
  2782. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2783. then by default Secrets Manager uses a 30-day recovery window.
  2784. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2785. format: int64
  2786. type: integer
  2787. type: object
  2788. service:
  2789. description: Service defines which service should be used to fetch the secrets
  2790. enum:
  2791. - SecretsManager
  2792. - ParameterStore
  2793. type: string
  2794. sessionTags:
  2795. description: AWS STS assume role session tags
  2796. items:
  2797. description: |-
  2798. Tag is a key-value pair that can be attached to an AWS resource.
  2799. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2800. properties:
  2801. key:
  2802. type: string
  2803. value:
  2804. type: string
  2805. required:
  2806. - key
  2807. - value
  2808. type: object
  2809. type: array
  2810. sessionTagsPolicy:
  2811. default: None
  2812. description: |-
  2813. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2814. None (default): no tags are added.
  2815. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2816. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2817. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2818. enum:
  2819. - None
  2820. - Simple
  2821. - Custom
  2822. type: string
  2823. transitiveTagKeys:
  2824. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2825. items:
  2826. type: string
  2827. type: array
  2828. required:
  2829. - region
  2830. - service
  2831. type: object
  2832. azurekv:
  2833. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2834. properties:
  2835. authSecretRef:
  2836. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2837. properties:
  2838. clientCertificate:
  2839. description: The Azure ClientCertificate of the service principle used for authentication.
  2840. properties:
  2841. key:
  2842. description: |-
  2843. A key in the referenced Secret.
  2844. Some instances of this field may be defaulted, in others it may be required.
  2845. maxLength: 253
  2846. minLength: 1
  2847. pattern: ^[-._a-zA-Z0-9]+$
  2848. type: string
  2849. name:
  2850. description: The name of the Secret resource being referred to.
  2851. maxLength: 253
  2852. minLength: 1
  2853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2854. type: string
  2855. namespace:
  2856. description: |-
  2857. The namespace of the Secret resource being referred to.
  2858. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2859. maxLength: 63
  2860. minLength: 1
  2861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2862. type: string
  2863. type: object
  2864. clientId:
  2865. description: The Azure clientId of the service principle or managed identity used for authentication.
  2866. properties:
  2867. key:
  2868. description: |-
  2869. A key in the referenced Secret.
  2870. Some instances of this field may be defaulted, in others it may be required.
  2871. maxLength: 253
  2872. minLength: 1
  2873. pattern: ^[-._a-zA-Z0-9]+$
  2874. type: string
  2875. name:
  2876. description: The name of the Secret resource being referred to.
  2877. maxLength: 253
  2878. minLength: 1
  2879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2880. type: string
  2881. namespace:
  2882. description: |-
  2883. The namespace of the Secret resource being referred to.
  2884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2885. maxLength: 63
  2886. minLength: 1
  2887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2888. type: string
  2889. type: object
  2890. clientSecret:
  2891. description: The Azure ClientSecret of the service principle used for authentication.
  2892. properties:
  2893. key:
  2894. description: |-
  2895. A key in the referenced Secret.
  2896. Some instances of this field may be defaulted, in others it may be required.
  2897. maxLength: 253
  2898. minLength: 1
  2899. pattern: ^[-._a-zA-Z0-9]+$
  2900. type: string
  2901. name:
  2902. description: The name of the Secret resource being referred to.
  2903. maxLength: 253
  2904. minLength: 1
  2905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2906. type: string
  2907. namespace:
  2908. description: |-
  2909. The namespace of the Secret resource being referred to.
  2910. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2911. maxLength: 63
  2912. minLength: 1
  2913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2914. type: string
  2915. type: object
  2916. tenantId:
  2917. description: The Azure tenantId of the managed identity used for authentication.
  2918. properties:
  2919. key:
  2920. description: |-
  2921. A key in the referenced Secret.
  2922. Some instances of this field may be defaulted, in others it may be required.
  2923. maxLength: 253
  2924. minLength: 1
  2925. pattern: ^[-._a-zA-Z0-9]+$
  2926. type: string
  2927. name:
  2928. description: The name of the Secret resource being referred to.
  2929. maxLength: 253
  2930. minLength: 1
  2931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2932. type: string
  2933. namespace:
  2934. description: |-
  2935. The namespace of the Secret resource being referred to.
  2936. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2937. maxLength: 63
  2938. minLength: 1
  2939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2940. type: string
  2941. type: object
  2942. type: object
  2943. authType:
  2944. default: ServicePrincipal
  2945. description: |-
  2946. Auth type defines how to authenticate to the keyvault service.
  2947. Valid values are:
  2948. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2949. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2950. enum:
  2951. - ServicePrincipal
  2952. - ManagedIdentity
  2953. - WorkloadIdentity
  2954. type: string
  2955. customCloudConfig:
  2956. description: |-
  2957. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  2958. Required when EnvironmentType is AzureStackCloud.
  2959. Optional for other environment types - useful for Azure China when using Workload Identity
  2960. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  2961. standard China Cloud endpoint (login.chinacloudapi.cn).
  2962. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  2963. configuration is not supported with the legacy go-autorest SDK.
  2964. properties:
  2965. activeDirectoryEndpoint:
  2966. description: |-
  2967. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  2968. Required when using custom cloud configuration
  2969. type: string
  2970. keyVaultDNSSuffix:
  2971. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  2972. type: string
  2973. keyVaultEndpoint:
  2974. description: KeyVaultEndpoint is the Key Vault service endpoint
  2975. type: string
  2976. resourceManagerEndpoint:
  2977. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  2978. type: string
  2979. required:
  2980. - activeDirectoryEndpoint
  2981. type: object
  2982. environmentType:
  2983. default: PublicCloud
  2984. description: |-
  2985. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2986. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2987. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2988. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  2989. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  2990. enum:
  2991. - PublicCloud
  2992. - USGovernmentCloud
  2993. - ChinaCloud
  2994. - GermanCloud
  2995. - AzureStackCloud
  2996. type: string
  2997. identityId:
  2998. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2999. type: string
  3000. serviceAccountRef:
  3001. description: |-
  3002. ServiceAccountRef specified the service account
  3003. that should be used when authenticating with WorkloadIdentity.
  3004. properties:
  3005. audiences:
  3006. description: |-
  3007. Audience specifies the `aud` claim for the service account token
  3008. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3009. then this audiences will be appended to the list
  3010. items:
  3011. type: string
  3012. type: array
  3013. name:
  3014. description: The name of the ServiceAccount resource being referred to.
  3015. maxLength: 253
  3016. minLength: 1
  3017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3018. type: string
  3019. namespace:
  3020. description: |-
  3021. Namespace of the resource being referred to.
  3022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3023. maxLength: 63
  3024. minLength: 1
  3025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3026. type: string
  3027. required:
  3028. - name
  3029. type: object
  3030. tenantId:
  3031. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3032. type: string
  3033. useAzureSDK:
  3034. default: false
  3035. description: |-
  3036. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3037. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3038. type: boolean
  3039. vaultUrl:
  3040. description: Vault Url from which the secrets to be fetched from.
  3041. type: string
  3042. required:
  3043. - vaultUrl
  3044. type: object
  3045. barbican:
  3046. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3047. properties:
  3048. auth:
  3049. description: BarbicanAuth contains the authentication information for Barbican.
  3050. properties:
  3051. password:
  3052. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3053. properties:
  3054. secretRef:
  3055. description: |-
  3056. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3057. In some instances, `key` is a required field.
  3058. properties:
  3059. key:
  3060. description: |-
  3061. A key in the referenced Secret.
  3062. Some instances of this field may be defaulted, in others it may be required.
  3063. maxLength: 253
  3064. minLength: 1
  3065. pattern: ^[-._a-zA-Z0-9]+$
  3066. type: string
  3067. name:
  3068. description: The name of the Secret resource being referred to.
  3069. maxLength: 253
  3070. minLength: 1
  3071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3072. type: string
  3073. namespace:
  3074. description: |-
  3075. The namespace of the Secret resource being referred to.
  3076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3077. maxLength: 63
  3078. minLength: 1
  3079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3080. type: string
  3081. type: object
  3082. required:
  3083. - secretRef
  3084. type: object
  3085. username:
  3086. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3087. maxProperties: 1
  3088. minProperties: 1
  3089. properties:
  3090. secretRef:
  3091. description: |-
  3092. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3093. In some instances, `key` is a required field.
  3094. properties:
  3095. key:
  3096. description: |-
  3097. A key in the referenced Secret.
  3098. Some instances of this field may be defaulted, in others it may be required.
  3099. maxLength: 253
  3100. minLength: 1
  3101. pattern: ^[-._a-zA-Z0-9]+$
  3102. type: string
  3103. name:
  3104. description: The name of the Secret resource being referred to.
  3105. maxLength: 253
  3106. minLength: 1
  3107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3108. type: string
  3109. namespace:
  3110. description: |-
  3111. The namespace of the Secret resource being referred to.
  3112. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3113. maxLength: 63
  3114. minLength: 1
  3115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3116. type: string
  3117. type: object
  3118. value:
  3119. type: string
  3120. type: object
  3121. required:
  3122. - password
  3123. - username
  3124. type: object
  3125. authURL:
  3126. type: string
  3127. domainName:
  3128. type: string
  3129. region:
  3130. type: string
  3131. tenantName:
  3132. type: string
  3133. required:
  3134. - auth
  3135. type: object
  3136. beyondtrust:
  3137. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3138. properties:
  3139. auth:
  3140. description: Auth configures how the operator authenticates with Beyondtrust.
  3141. properties:
  3142. apiKey:
  3143. description: APIKey If not provided then ClientID/ClientSecret become required.
  3144. properties:
  3145. secretRef:
  3146. description: SecretRef references a key in a secret that will be used as value.
  3147. properties:
  3148. key:
  3149. description: |-
  3150. A key in the referenced Secret.
  3151. Some instances of this field may be defaulted, in others it may be required.
  3152. maxLength: 253
  3153. minLength: 1
  3154. pattern: ^[-._a-zA-Z0-9]+$
  3155. type: string
  3156. name:
  3157. description: The name of the Secret resource being referred to.
  3158. maxLength: 253
  3159. minLength: 1
  3160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3161. type: string
  3162. namespace:
  3163. description: |-
  3164. The namespace of the Secret resource being referred to.
  3165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3166. maxLength: 63
  3167. minLength: 1
  3168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3169. type: string
  3170. type: object
  3171. value:
  3172. description: Value can be specified directly to set a value without using a secret.
  3173. type: string
  3174. type: object
  3175. certificate:
  3176. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3177. properties:
  3178. secretRef:
  3179. description: SecretRef references a key in a secret that will be used as value.
  3180. properties:
  3181. key:
  3182. description: |-
  3183. A key in the referenced Secret.
  3184. Some instances of this field may be defaulted, in others it may be required.
  3185. maxLength: 253
  3186. minLength: 1
  3187. pattern: ^[-._a-zA-Z0-9]+$
  3188. type: string
  3189. name:
  3190. description: The name of the Secret resource being referred to.
  3191. maxLength: 253
  3192. minLength: 1
  3193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3194. type: string
  3195. namespace:
  3196. description: |-
  3197. The namespace of the Secret resource being referred to.
  3198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3199. maxLength: 63
  3200. minLength: 1
  3201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3202. type: string
  3203. type: object
  3204. value:
  3205. description: Value can be specified directly to set a value without using a secret.
  3206. type: string
  3207. type: object
  3208. certificateKey:
  3209. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3210. properties:
  3211. secretRef:
  3212. description: SecretRef references a key in a secret that will be used as value.
  3213. properties:
  3214. key:
  3215. description: |-
  3216. A key in the referenced Secret.
  3217. Some instances of this field may be defaulted, in others it may be required.
  3218. maxLength: 253
  3219. minLength: 1
  3220. pattern: ^[-._a-zA-Z0-9]+$
  3221. type: string
  3222. name:
  3223. description: The name of the Secret resource being referred to.
  3224. maxLength: 253
  3225. minLength: 1
  3226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3227. type: string
  3228. namespace:
  3229. description: |-
  3230. The namespace of the Secret resource being referred to.
  3231. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3232. maxLength: 63
  3233. minLength: 1
  3234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3235. type: string
  3236. type: object
  3237. value:
  3238. description: Value can be specified directly to set a value without using a secret.
  3239. type: string
  3240. type: object
  3241. clientId:
  3242. description: ClientID is the API OAuth Client ID.
  3243. properties:
  3244. secretRef:
  3245. description: SecretRef references a key in a secret that will be used as value.
  3246. properties:
  3247. key:
  3248. description: |-
  3249. A key in the referenced Secret.
  3250. Some instances of this field may be defaulted, in others it may be required.
  3251. maxLength: 253
  3252. minLength: 1
  3253. pattern: ^[-._a-zA-Z0-9]+$
  3254. type: string
  3255. name:
  3256. description: The name of the Secret resource being referred to.
  3257. maxLength: 253
  3258. minLength: 1
  3259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3260. type: string
  3261. namespace:
  3262. description: |-
  3263. The namespace of the Secret resource being referred to.
  3264. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3265. maxLength: 63
  3266. minLength: 1
  3267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3268. type: string
  3269. type: object
  3270. value:
  3271. description: Value can be specified directly to set a value without using a secret.
  3272. type: string
  3273. type: object
  3274. clientSecret:
  3275. description: ClientSecret is the API OAuth Client Secret.
  3276. properties:
  3277. secretRef:
  3278. description: SecretRef references a key in a secret that will be used as value.
  3279. properties:
  3280. key:
  3281. description: |-
  3282. A key in the referenced Secret.
  3283. Some instances of this field may be defaulted, in others it may be required.
  3284. maxLength: 253
  3285. minLength: 1
  3286. pattern: ^[-._a-zA-Z0-9]+$
  3287. type: string
  3288. name:
  3289. description: The name of the Secret resource being referred to.
  3290. maxLength: 253
  3291. minLength: 1
  3292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3293. type: string
  3294. namespace:
  3295. description: |-
  3296. The namespace of the Secret resource being referred to.
  3297. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3298. maxLength: 63
  3299. minLength: 1
  3300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3301. type: string
  3302. type: object
  3303. value:
  3304. description: Value can be specified directly to set a value without using a secret.
  3305. type: string
  3306. type: object
  3307. type: object
  3308. server:
  3309. description: Auth configures how API server works.
  3310. properties:
  3311. apiUrl:
  3312. type: string
  3313. apiVersion:
  3314. type: string
  3315. clientTimeOutSeconds:
  3316. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3317. type: integer
  3318. decrypt:
  3319. default: true
  3320. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3321. type: boolean
  3322. retrievalType:
  3323. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3324. type: string
  3325. separator:
  3326. description: A character that separates the folder names.
  3327. type: string
  3328. verifyCA:
  3329. type: boolean
  3330. required:
  3331. - apiUrl
  3332. - verifyCA
  3333. type: object
  3334. required:
  3335. - auth
  3336. - server
  3337. type: object
  3338. beyondtrustworkloadcredentials:
  3339. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3340. properties:
  3341. auth:
  3342. description: |-
  3343. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3344. Currently supports API key authentication via Kubernetes secret reference.
  3345. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3346. properties:
  3347. apikey:
  3348. description: |-
  3349. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3350. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3351. properties:
  3352. token:
  3353. description: |-
  3354. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3355. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3356. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3357. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3358. properties:
  3359. key:
  3360. description: |-
  3361. A key in the referenced Secret.
  3362. Some instances of this field may be defaulted, in others it may be required.
  3363. maxLength: 253
  3364. minLength: 1
  3365. pattern: ^[-._a-zA-Z0-9]+$
  3366. type: string
  3367. name:
  3368. description: The name of the Secret resource being referred to.
  3369. maxLength: 253
  3370. minLength: 1
  3371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3372. type: string
  3373. namespace:
  3374. description: |-
  3375. The namespace of the Secret resource being referred to.
  3376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3377. maxLength: 63
  3378. minLength: 1
  3379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3380. type: string
  3381. type: object
  3382. required:
  3383. - token
  3384. type: object
  3385. required:
  3386. - apikey
  3387. type: object
  3388. caBundle:
  3389. description: |-
  3390. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3391. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3392. If not set, the system's trusted root certificates are used.
  3393. format: byte
  3394. type: string
  3395. caProvider:
  3396. description: |-
  3397. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3398. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3399. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3400. properties:
  3401. key:
  3402. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3403. maxLength: 253
  3404. minLength: 1
  3405. pattern: ^[-._a-zA-Z0-9]+$
  3406. type: string
  3407. name:
  3408. description: The name of the object located at the provider type.
  3409. maxLength: 253
  3410. minLength: 1
  3411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3412. type: string
  3413. namespace:
  3414. description: |-
  3415. The namespace the Provider type is in.
  3416. Can only be defined when used in a ClusterSecretStore.
  3417. maxLength: 63
  3418. minLength: 1
  3419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3420. type: string
  3421. type:
  3422. description: The type of provider to use such as "Secret", or "ConfigMap".
  3423. enum:
  3424. - Secret
  3425. - ConfigMap
  3426. type: string
  3427. required:
  3428. - name
  3429. - type
  3430. type: object
  3431. folderPath:
  3432. description: |-
  3433. FolderPath specifies the default folder path for secret retrieval.
  3434. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3435. Example: "production/database" or "dev/api-keys"
  3436. Leave empty to retrieve secrets from the root folder.
  3437. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3438. type: string
  3439. server:
  3440. description: |-
  3441. Server configures the BeyondTrust Workload Credentials server connection details.
  3442. Includes the API URL and Site ID for your BeyondTrust instance.
  3443. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3444. properties:
  3445. apiUrl:
  3446. description: |-
  3447. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3448. This should be the full URL to your BeyondTrust instance.
  3449. Example: https://api.beyondtrust.io/siie
  3450. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3451. type: string
  3452. siteId:
  3453. description: |-
  3454. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3455. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3456. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3457. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3458. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3459. type: string
  3460. required:
  3461. - apiUrl
  3462. - siteId
  3463. type: object
  3464. required:
  3465. - auth
  3466. - server
  3467. type: object
  3468. bitwardensecretsmanager:
  3469. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3470. properties:
  3471. apiURL:
  3472. type: string
  3473. auth:
  3474. description: |-
  3475. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3476. Make sure that the token being used has permissions on the given secret.
  3477. properties:
  3478. secretRef:
  3479. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3480. properties:
  3481. credentials:
  3482. description: AccessToken used for the bitwarden instance.
  3483. properties:
  3484. key:
  3485. description: |-
  3486. A key in the referenced Secret.
  3487. Some instances of this field may be defaulted, in others it may be required.
  3488. maxLength: 253
  3489. minLength: 1
  3490. pattern: ^[-._a-zA-Z0-9]+$
  3491. type: string
  3492. name:
  3493. description: The name of the Secret resource being referred to.
  3494. maxLength: 253
  3495. minLength: 1
  3496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3497. type: string
  3498. namespace:
  3499. description: |-
  3500. The namespace of the Secret resource being referred to.
  3501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3502. maxLength: 63
  3503. minLength: 1
  3504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3505. type: string
  3506. type: object
  3507. required:
  3508. - credentials
  3509. type: object
  3510. required:
  3511. - secretRef
  3512. type: object
  3513. bitwardenServerSDKURL:
  3514. type: string
  3515. caBundle:
  3516. description: |-
  3517. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3518. can be performed.
  3519. type: string
  3520. caProvider:
  3521. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3522. properties:
  3523. key:
  3524. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3525. maxLength: 253
  3526. minLength: 1
  3527. pattern: ^[-._a-zA-Z0-9]+$
  3528. type: string
  3529. name:
  3530. description: The name of the object located at the provider type.
  3531. maxLength: 253
  3532. minLength: 1
  3533. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3534. type: string
  3535. namespace:
  3536. description: |-
  3537. The namespace the Provider type is in.
  3538. Can only be defined when used in a ClusterSecretStore.
  3539. maxLength: 63
  3540. minLength: 1
  3541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3542. type: string
  3543. type:
  3544. description: The type of provider to use such as "Secret", or "ConfigMap".
  3545. enum:
  3546. - Secret
  3547. - ConfigMap
  3548. type: string
  3549. required:
  3550. - name
  3551. - type
  3552. type: object
  3553. identityURL:
  3554. type: string
  3555. organizationID:
  3556. description: OrganizationID determines which organization this secret store manages.
  3557. type: string
  3558. projectID:
  3559. description: ProjectID determines which project this secret store manages.
  3560. type: string
  3561. required:
  3562. - auth
  3563. - organizationID
  3564. - projectID
  3565. type: object
  3566. chef:
  3567. description: Chef configures this store to sync secrets with chef server
  3568. properties:
  3569. auth:
  3570. description: Auth defines the information necessary to authenticate against chef Server
  3571. properties:
  3572. secretRef:
  3573. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3574. properties:
  3575. privateKeySecretRef:
  3576. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3577. properties:
  3578. key:
  3579. description: |-
  3580. A key in the referenced Secret.
  3581. Some instances of this field may be defaulted, in others it may be required.
  3582. maxLength: 253
  3583. minLength: 1
  3584. pattern: ^[-._a-zA-Z0-9]+$
  3585. type: string
  3586. name:
  3587. description: The name of the Secret resource being referred to.
  3588. maxLength: 253
  3589. minLength: 1
  3590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3591. type: string
  3592. namespace:
  3593. description: |-
  3594. The namespace of the Secret resource being referred to.
  3595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3596. maxLength: 63
  3597. minLength: 1
  3598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3599. type: string
  3600. type: object
  3601. required:
  3602. - privateKeySecretRef
  3603. type: object
  3604. required:
  3605. - secretRef
  3606. type: object
  3607. serverUrl:
  3608. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3609. type: string
  3610. username:
  3611. description: UserName should be the user ID on the chef server
  3612. type: string
  3613. required:
  3614. - auth
  3615. - serverUrl
  3616. - username
  3617. type: object
  3618. cloudrusm:
  3619. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3620. properties:
  3621. auth:
  3622. description: CSMAuth contains a secretRef for credentials.
  3623. properties:
  3624. secretRef:
  3625. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3626. properties:
  3627. accessKeyIDSecretRef:
  3628. description: The AccessKeyID is used for authentication
  3629. properties:
  3630. key:
  3631. description: |-
  3632. A key in the referenced Secret.
  3633. Some instances of this field may be defaulted, in others it may be required.
  3634. maxLength: 253
  3635. minLength: 1
  3636. pattern: ^[-._a-zA-Z0-9]+$
  3637. type: string
  3638. name:
  3639. description: The name of the Secret resource being referred to.
  3640. maxLength: 253
  3641. minLength: 1
  3642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3643. type: string
  3644. namespace:
  3645. description: |-
  3646. The namespace of the Secret resource being referred to.
  3647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3648. maxLength: 63
  3649. minLength: 1
  3650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3651. type: string
  3652. type: object
  3653. accessKeySecretSecretRef:
  3654. description: The AccessKeySecret is used for authentication
  3655. properties:
  3656. key:
  3657. description: |-
  3658. A key in the referenced Secret.
  3659. Some instances of this field may be defaulted, in others it may be required.
  3660. maxLength: 253
  3661. minLength: 1
  3662. pattern: ^[-._a-zA-Z0-9]+$
  3663. type: string
  3664. name:
  3665. description: The name of the Secret resource being referred to.
  3666. maxLength: 253
  3667. minLength: 1
  3668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3669. type: string
  3670. namespace:
  3671. description: |-
  3672. The namespace of the Secret resource being referred to.
  3673. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3674. maxLength: 63
  3675. minLength: 1
  3676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3677. type: string
  3678. type: object
  3679. required:
  3680. - accessKeyIDSecretRef
  3681. - accessKeySecretSecretRef
  3682. type: object
  3683. type: object
  3684. projectID:
  3685. description: ProjectID is the project, which the secrets are stored in.
  3686. type: string
  3687. required:
  3688. - auth
  3689. type: object
  3690. conjur:
  3691. description: Conjur configures this store to sync secrets using conjur provider
  3692. properties:
  3693. auth:
  3694. description: Defines authentication settings for connecting to Conjur.
  3695. properties:
  3696. apikey:
  3697. description: Authenticates with Conjur using an API key.
  3698. properties:
  3699. account:
  3700. description: Account is the Conjur organization account name.
  3701. type: string
  3702. apiKeyRef:
  3703. description: |-
  3704. A reference to a specific 'key' containing the Conjur API key
  3705. within a Secret resource. In some instances, `key` is a required field.
  3706. properties:
  3707. key:
  3708. description: |-
  3709. A key in the referenced Secret.
  3710. Some instances of this field may be defaulted, in others it may be required.
  3711. maxLength: 253
  3712. minLength: 1
  3713. pattern: ^[-._a-zA-Z0-9]+$
  3714. type: string
  3715. name:
  3716. description: The name of the Secret resource being referred to.
  3717. maxLength: 253
  3718. minLength: 1
  3719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3720. type: string
  3721. namespace:
  3722. description: |-
  3723. The namespace of the Secret resource being referred to.
  3724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3725. maxLength: 63
  3726. minLength: 1
  3727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3728. type: string
  3729. type: object
  3730. userRef:
  3731. description: |-
  3732. A reference to a specific 'key' containing the Conjur username
  3733. within a Secret resource. In some instances, `key` is a required field.
  3734. properties:
  3735. key:
  3736. description: |-
  3737. A key in the referenced Secret.
  3738. Some instances of this field may be defaulted, in others it may be required.
  3739. maxLength: 253
  3740. minLength: 1
  3741. pattern: ^[-._a-zA-Z0-9]+$
  3742. type: string
  3743. name:
  3744. description: The name of the Secret resource being referred to.
  3745. maxLength: 253
  3746. minLength: 1
  3747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3748. type: string
  3749. namespace:
  3750. description: |-
  3751. The namespace of the Secret resource being referred to.
  3752. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3753. maxLength: 63
  3754. minLength: 1
  3755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3756. type: string
  3757. type: object
  3758. required:
  3759. - account
  3760. - apiKeyRef
  3761. - userRef
  3762. type: object
  3763. jwt:
  3764. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3765. properties:
  3766. account:
  3767. description: Account is the Conjur organization account name.
  3768. type: string
  3769. hostId:
  3770. description: |-
  3771. Optional HostID for JWT authentication. This may be used depending
  3772. on how the Conjur JWT authenticator policy is configured.
  3773. type: string
  3774. secretRef:
  3775. description: |-
  3776. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3777. authenticate with Conjur using the JWT authentication method.
  3778. properties:
  3779. key:
  3780. description: |-
  3781. A key in the referenced Secret.
  3782. Some instances of this field may be defaulted, in others it may be required.
  3783. maxLength: 253
  3784. minLength: 1
  3785. pattern: ^[-._a-zA-Z0-9]+$
  3786. type: string
  3787. name:
  3788. description: The name of the Secret resource being referred to.
  3789. maxLength: 253
  3790. minLength: 1
  3791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3792. type: string
  3793. namespace:
  3794. description: |-
  3795. The namespace of the Secret resource being referred to.
  3796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3797. maxLength: 63
  3798. minLength: 1
  3799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3800. type: string
  3801. type: object
  3802. serviceAccountRef:
  3803. description: |-
  3804. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3805. a token for with the `TokenRequest` API.
  3806. properties:
  3807. audiences:
  3808. description: |-
  3809. Audience specifies the `aud` claim for the service account token
  3810. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3811. then this audiences will be appended to the list
  3812. items:
  3813. type: string
  3814. type: array
  3815. name:
  3816. description: The name of the ServiceAccount resource being referred to.
  3817. maxLength: 253
  3818. minLength: 1
  3819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3820. type: string
  3821. namespace:
  3822. description: |-
  3823. Namespace of the resource being referred to.
  3824. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3825. maxLength: 63
  3826. minLength: 1
  3827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3828. type: string
  3829. required:
  3830. - name
  3831. type: object
  3832. serviceID:
  3833. description: The conjur authn jwt webservice id
  3834. type: string
  3835. required:
  3836. - account
  3837. - serviceID
  3838. type: object
  3839. type: object
  3840. caBundle:
  3841. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3842. type: string
  3843. caProvider:
  3844. description: |-
  3845. Used to provide custom certificate authority (CA) certificates
  3846. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3847. that contains a PEM-encoded certificate.
  3848. properties:
  3849. key:
  3850. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3851. maxLength: 253
  3852. minLength: 1
  3853. pattern: ^[-._a-zA-Z0-9]+$
  3854. type: string
  3855. name:
  3856. description: The name of the object located at the provider type.
  3857. maxLength: 253
  3858. minLength: 1
  3859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3860. type: string
  3861. namespace:
  3862. description: |-
  3863. The namespace the Provider type is in.
  3864. Can only be defined when used in a ClusterSecretStore.
  3865. maxLength: 63
  3866. minLength: 1
  3867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3868. type: string
  3869. type:
  3870. description: The type of provider to use such as "Secret", or "ConfigMap".
  3871. enum:
  3872. - Secret
  3873. - ConfigMap
  3874. type: string
  3875. required:
  3876. - name
  3877. - type
  3878. type: object
  3879. url:
  3880. description: URL is the endpoint of the Conjur instance.
  3881. type: string
  3882. required:
  3883. - auth
  3884. - url
  3885. type: object
  3886. delinea:
  3887. description: |-
  3888. Delinea DevOps Secrets Vault
  3889. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3890. properties:
  3891. clientId:
  3892. description: ClientID is the non-secret part of the credential.
  3893. properties:
  3894. secretRef:
  3895. description: SecretRef references a key in a secret that will be used as value.
  3896. properties:
  3897. key:
  3898. description: |-
  3899. A key in the referenced Secret.
  3900. Some instances of this field may be defaulted, in others it may be required.
  3901. maxLength: 253
  3902. minLength: 1
  3903. pattern: ^[-._a-zA-Z0-9]+$
  3904. type: string
  3905. name:
  3906. description: The name of the Secret resource being referred to.
  3907. maxLength: 253
  3908. minLength: 1
  3909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3910. type: string
  3911. namespace:
  3912. description: |-
  3913. The namespace of the Secret resource being referred to.
  3914. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3915. maxLength: 63
  3916. minLength: 1
  3917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3918. type: string
  3919. type: object
  3920. value:
  3921. description: Value can be specified directly to set a value without using a secret.
  3922. type: string
  3923. type: object
  3924. clientSecret:
  3925. description: ClientSecret is the secret part of the credential.
  3926. properties:
  3927. secretRef:
  3928. description: SecretRef references a key in a secret that will be used as value.
  3929. properties:
  3930. key:
  3931. description: |-
  3932. A key in the referenced Secret.
  3933. Some instances of this field may be defaulted, in others it may be required.
  3934. maxLength: 253
  3935. minLength: 1
  3936. pattern: ^[-._a-zA-Z0-9]+$
  3937. type: string
  3938. name:
  3939. description: The name of the Secret resource being referred to.
  3940. maxLength: 253
  3941. minLength: 1
  3942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3943. type: string
  3944. namespace:
  3945. description: |-
  3946. The namespace of the Secret resource being referred to.
  3947. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3948. maxLength: 63
  3949. minLength: 1
  3950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3951. type: string
  3952. type: object
  3953. value:
  3954. description: Value can be specified directly to set a value without using a secret.
  3955. type: string
  3956. type: object
  3957. tenant:
  3958. description: Tenant is the chosen hostname / site name.
  3959. type: string
  3960. tld:
  3961. description: |-
  3962. TLD is based on the server location that was chosen during provisioning.
  3963. If unset, defaults to "com".
  3964. type: string
  3965. urlTemplate:
  3966. description: |-
  3967. URLTemplate
  3968. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3969. type: string
  3970. required:
  3971. - clientId
  3972. - clientSecret
  3973. - tenant
  3974. type: object
  3975. doppler:
  3976. description: Doppler configures this store to sync secrets using the Doppler provider
  3977. properties:
  3978. auth:
  3979. description: Auth configures how the Operator authenticates with the Doppler API
  3980. properties:
  3981. oidcConfig:
  3982. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  3983. properties:
  3984. expirationSeconds:
  3985. default: 600
  3986. description: |-
  3987. ExpirationSeconds sets the ServiceAccount token validity duration.
  3988. Defaults to 10 minutes.
  3989. format: int64
  3990. type: integer
  3991. identity:
  3992. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  3993. type: string
  3994. serviceAccountRef:
  3995. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  3996. properties:
  3997. audiences:
  3998. description: |-
  3999. Audience specifies the `aud` claim for the service account token
  4000. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4001. then this audiences will be appended to the list
  4002. items:
  4003. type: string
  4004. type: array
  4005. name:
  4006. description: The name of the ServiceAccount resource being referred to.
  4007. maxLength: 253
  4008. minLength: 1
  4009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4010. type: string
  4011. namespace:
  4012. description: |-
  4013. Namespace of the resource being referred to.
  4014. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4015. maxLength: 63
  4016. minLength: 1
  4017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4018. type: string
  4019. required:
  4020. - name
  4021. type: object
  4022. required:
  4023. - identity
  4024. - serviceAccountRef
  4025. type: object
  4026. secretRef:
  4027. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4028. properties:
  4029. dopplerToken:
  4030. description: |-
  4031. The DopplerToken is used for authentication.
  4032. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4033. The Key attribute defaults to dopplerToken if not specified.
  4034. properties:
  4035. key:
  4036. description: |-
  4037. A key in the referenced Secret.
  4038. Some instances of this field may be defaulted, in others it may be required.
  4039. maxLength: 253
  4040. minLength: 1
  4041. pattern: ^[-._a-zA-Z0-9]+$
  4042. type: string
  4043. name:
  4044. description: The name of the Secret resource being referred to.
  4045. maxLength: 253
  4046. minLength: 1
  4047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4048. type: string
  4049. namespace:
  4050. description: |-
  4051. The namespace of the Secret resource being referred to.
  4052. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4053. maxLength: 63
  4054. minLength: 1
  4055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4056. type: string
  4057. type: object
  4058. required:
  4059. - dopplerToken
  4060. type: object
  4061. type: object
  4062. x-kubernetes-validations:
  4063. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4064. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4065. config:
  4066. description: Doppler config (required if not using a Service Token)
  4067. type: string
  4068. format:
  4069. description: Format enables the downloading of secrets as a file (string)
  4070. enum:
  4071. - json
  4072. - dotnet-json
  4073. - env
  4074. - yaml
  4075. - docker
  4076. type: string
  4077. nameTransformer:
  4078. description: Environment variable compatible name transforms that change secret names to a different format
  4079. enum:
  4080. - upper-camel
  4081. - camel
  4082. - lower-snake
  4083. - tf-var
  4084. - dotnet-env
  4085. - lower-kebab
  4086. type: string
  4087. project:
  4088. description: Doppler project (required if not using a Service Token)
  4089. type: string
  4090. required:
  4091. - auth
  4092. type: object
  4093. dvls:
  4094. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4095. properties:
  4096. auth:
  4097. description: Auth defines the authentication method to use.
  4098. properties:
  4099. secretRef:
  4100. description: SecretRef contains the Application ID and Application Secret for authentication.
  4101. properties:
  4102. appId:
  4103. description: AppID is the reference to the secret containing the Application ID.
  4104. properties:
  4105. key:
  4106. description: |-
  4107. A key in the referenced Secret.
  4108. Some instances of this field may be defaulted, in others it may be required.
  4109. maxLength: 253
  4110. minLength: 1
  4111. pattern: ^[-._a-zA-Z0-9]+$
  4112. type: string
  4113. name:
  4114. description: The name of the Secret resource being referred to.
  4115. maxLength: 253
  4116. minLength: 1
  4117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4118. type: string
  4119. namespace:
  4120. description: |-
  4121. The namespace of the Secret resource being referred to.
  4122. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4123. maxLength: 63
  4124. minLength: 1
  4125. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4126. type: string
  4127. type: object
  4128. appSecret:
  4129. description: AppSecret is the reference to the secret containing the Application Secret.
  4130. properties:
  4131. key:
  4132. description: |-
  4133. A key in the referenced Secret.
  4134. Some instances of this field may be defaulted, in others it may be required.
  4135. maxLength: 253
  4136. minLength: 1
  4137. pattern: ^[-._a-zA-Z0-9]+$
  4138. type: string
  4139. name:
  4140. description: The name of the Secret resource being referred to.
  4141. maxLength: 253
  4142. minLength: 1
  4143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4144. type: string
  4145. namespace:
  4146. description: |-
  4147. The namespace of the Secret resource being referred to.
  4148. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4149. maxLength: 63
  4150. minLength: 1
  4151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4152. type: string
  4153. type: object
  4154. required:
  4155. - appId
  4156. - appSecret
  4157. type: object
  4158. required:
  4159. - secretRef
  4160. type: object
  4161. insecure:
  4162. description: |-
  4163. Insecure allows connecting to DVLS over plain HTTP.
  4164. This is NOT RECOMMENDED for production use.
  4165. Set to true only if you understand the security implications.
  4166. type: boolean
  4167. serverUrl:
  4168. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4169. type: string
  4170. vault:
  4171. description: |-
  4172. Vault is the name or UUID of the vault to fetch secrets from.
  4173. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4174. type: string
  4175. required:
  4176. - auth
  4177. - serverUrl
  4178. type: object
  4179. fake:
  4180. description: Fake configures a store with static key/value pairs
  4181. properties:
  4182. data:
  4183. items:
  4184. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4185. properties:
  4186. key:
  4187. type: string
  4188. value:
  4189. type: string
  4190. version:
  4191. type: string
  4192. required:
  4193. - key
  4194. - value
  4195. type: object
  4196. type: array
  4197. validationResult:
  4198. description: ValidationResult is defined type for the number of validation results.
  4199. type: integer
  4200. required:
  4201. - data
  4202. type: object
  4203. fortanix:
  4204. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4205. properties:
  4206. apiKey:
  4207. description: APIKey is the API token to access SDKMS Applications.
  4208. properties:
  4209. secretRef:
  4210. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4211. properties:
  4212. key:
  4213. description: |-
  4214. A key in the referenced Secret.
  4215. Some instances of this field may be defaulted, in others it may be required.
  4216. maxLength: 253
  4217. minLength: 1
  4218. pattern: ^[-._a-zA-Z0-9]+$
  4219. type: string
  4220. name:
  4221. description: The name of the Secret resource being referred to.
  4222. maxLength: 253
  4223. minLength: 1
  4224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4225. type: string
  4226. namespace:
  4227. description: |-
  4228. The namespace of the Secret resource being referred to.
  4229. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4230. maxLength: 63
  4231. minLength: 1
  4232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4233. type: string
  4234. type: object
  4235. type: object
  4236. apiUrl:
  4237. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4238. type: string
  4239. type: object
  4240. gcpsm:
  4241. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4242. properties:
  4243. auth:
  4244. description: Auth defines the information necessary to authenticate against GCP
  4245. properties:
  4246. secretRef:
  4247. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4248. properties:
  4249. secretAccessKeySecretRef:
  4250. description: The SecretAccessKey is used for authentication
  4251. properties:
  4252. key:
  4253. description: |-
  4254. A key in the referenced Secret.
  4255. Some instances of this field may be defaulted, in others it may be required.
  4256. maxLength: 253
  4257. minLength: 1
  4258. pattern: ^[-._a-zA-Z0-9]+$
  4259. type: string
  4260. name:
  4261. description: The name of the Secret resource being referred to.
  4262. maxLength: 253
  4263. minLength: 1
  4264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4265. type: string
  4266. namespace:
  4267. description: |-
  4268. The namespace of the Secret resource being referred to.
  4269. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4270. maxLength: 63
  4271. minLength: 1
  4272. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4273. type: string
  4274. type: object
  4275. type: object
  4276. workloadIdentity:
  4277. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4278. properties:
  4279. clusterLocation:
  4280. description: |-
  4281. ClusterLocation is the location of the cluster
  4282. If not specified, it fetches information from the metadata server
  4283. type: string
  4284. clusterName:
  4285. description: |-
  4286. ClusterName is the name of the cluster
  4287. If not specified, it fetches information from the metadata server
  4288. type: string
  4289. clusterProjectID:
  4290. description: |-
  4291. ClusterProjectID is the project ID of the cluster
  4292. If not specified, it fetches information from the metadata server
  4293. type: string
  4294. serviceAccountRef:
  4295. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4296. properties:
  4297. audiences:
  4298. description: |-
  4299. Audience specifies the `aud` claim for the service account token
  4300. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4301. then this audiences will be appended to the list
  4302. items:
  4303. type: string
  4304. type: array
  4305. name:
  4306. description: The name of the ServiceAccount resource being referred to.
  4307. maxLength: 253
  4308. minLength: 1
  4309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4310. type: string
  4311. namespace:
  4312. description: |-
  4313. Namespace of the resource being referred to.
  4314. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4315. maxLength: 63
  4316. minLength: 1
  4317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4318. type: string
  4319. required:
  4320. - name
  4321. type: object
  4322. required:
  4323. - serviceAccountRef
  4324. type: object
  4325. workloadIdentityFederation:
  4326. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4327. properties:
  4328. audience:
  4329. description: |-
  4330. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4331. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4332. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4333. type: string
  4334. awsSecurityCredentials:
  4335. description: |-
  4336. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4337. when using the AWS metadata server is not an option.
  4338. properties:
  4339. awsCredentialsSecretRef:
  4340. description: |-
  4341. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4342. Secret should be created with below names for keys
  4343. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4344. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4345. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4346. properties:
  4347. name:
  4348. description: name of the secret.
  4349. maxLength: 253
  4350. minLength: 1
  4351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4352. type: string
  4353. namespace:
  4354. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  4355. maxLength: 63
  4356. minLength: 1
  4357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4358. type: string
  4359. required:
  4360. - name
  4361. type: object
  4362. region:
  4363. description: region is for configuring the AWS region to be used.
  4364. example: ap-south-1
  4365. maxLength: 50
  4366. minLength: 1
  4367. pattern: ^[a-z0-9-]+$
  4368. type: string
  4369. required:
  4370. - awsCredentialsSecretRef
  4371. - region
  4372. type: object
  4373. credConfig:
  4374. description: |-
  4375. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4376. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  4377. serviceAccountRef must be used by providing operators service account details.
  4378. properties:
  4379. key:
  4380. description: key name holding the external account credential config.
  4381. maxLength: 253
  4382. minLength: 1
  4383. pattern: ^[-._a-zA-Z0-9]+$
  4384. type: string
  4385. name:
  4386. description: name of the configmap.
  4387. maxLength: 253
  4388. minLength: 1
  4389. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4390. type: string
  4391. namespace:
  4392. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  4393. maxLength: 63
  4394. minLength: 1
  4395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4396. type: string
  4397. required:
  4398. - key
  4399. - name
  4400. type: object
  4401. externalTokenEndpoint:
  4402. description: |-
  4403. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4404. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  4405. URL is having the expected value.
  4406. type: string
  4407. gcpServiceAccountEmail:
  4408. description: |-
  4409. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4410. after Workload Identity Federation. Use this to grant access through the service account's
  4411. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4412. service_account_impersonation_url in the external account JSON from credConfig;
  4413. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4414. on that ServiceAccount.
  4415. example: my-gsa@my-project.iam.gserviceaccount.com
  4416. minLength: 1
  4417. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4418. type: string
  4419. serviceAccountRef:
  4420. description: |-
  4421. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4422. when Kubernetes is configured as provider in workload identity pool.
  4423. properties:
  4424. audiences:
  4425. description: |-
  4426. Audience specifies the `aud` claim for the service account token
  4427. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4428. then this audiences will be appended to the list
  4429. items:
  4430. type: string
  4431. type: array
  4432. name:
  4433. description: The name of the ServiceAccount resource being referred to.
  4434. maxLength: 253
  4435. minLength: 1
  4436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4437. type: string
  4438. namespace:
  4439. description: |-
  4440. Namespace of the resource being referred to.
  4441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4442. maxLength: 63
  4443. minLength: 1
  4444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4445. type: string
  4446. required:
  4447. - name
  4448. type: object
  4449. type: object
  4450. type: object
  4451. location:
  4452. description: Location optionally defines a location for a secret
  4453. type: string
  4454. projectID:
  4455. description: ProjectID project where secret is located
  4456. type: string
  4457. secretVersionSelectionPolicy:
  4458. default: LatestOrFail
  4459. description: |-
  4460. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4461. when "latest" is disabled or destroyed.
  4462. Possible values are:
  4463. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4464. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4465. type: string
  4466. type: object
  4467. github:
  4468. description: |-
  4469. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4470. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4471. properties:
  4472. appID:
  4473. description: appID specifies the Github APP that will be used to authenticate the client
  4474. format: int64
  4475. type: integer
  4476. auth:
  4477. description: auth configures how secret-manager authenticates with a Github instance.
  4478. properties:
  4479. privateKey:
  4480. description: |-
  4481. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4482. In some instances, `key` is a required field.
  4483. properties:
  4484. key:
  4485. description: |-
  4486. A key in the referenced Secret.
  4487. Some instances of this field may be defaulted, in others it may be required.
  4488. maxLength: 253
  4489. minLength: 1
  4490. pattern: ^[-._a-zA-Z0-9]+$
  4491. type: string
  4492. name:
  4493. description: The name of the Secret resource being referred to.
  4494. maxLength: 253
  4495. minLength: 1
  4496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4497. type: string
  4498. namespace:
  4499. description: |-
  4500. The namespace of the Secret resource being referred to.
  4501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4502. maxLength: 63
  4503. minLength: 1
  4504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4505. type: string
  4506. type: object
  4507. required:
  4508. - privateKey
  4509. type: object
  4510. environment:
  4511. description: environment will be used to fetch secrets from a particular environment within a github repository
  4512. type: string
  4513. installationID:
  4514. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4515. format: int64
  4516. type: integer
  4517. orgSecretVisibility:
  4518. description: |-
  4519. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4520. Valid values are "all" or "private".
  4521. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4522. whatever visibility they already have in GitHub.
  4523. enum:
  4524. - all
  4525. - private
  4526. type: string
  4527. organization:
  4528. description: organization will be used to fetch secrets from the Github organization
  4529. type: string
  4530. repository:
  4531. description: repository will be used to fetch secrets from the Github repository within an organization
  4532. type: string
  4533. uploadURL:
  4534. description: Upload URL for enterprise instances. Default to URL.
  4535. type: string
  4536. url:
  4537. default: https://github.com/
  4538. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4539. type: string
  4540. required:
  4541. - appID
  4542. - auth
  4543. - installationID
  4544. - organization
  4545. type: object
  4546. gitlab:
  4547. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4548. properties:
  4549. auth:
  4550. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4551. properties:
  4552. SecretRef:
  4553. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4554. properties:
  4555. accessToken:
  4556. description: AccessToken is used for authentication.
  4557. properties:
  4558. key:
  4559. description: |-
  4560. A key in the referenced Secret.
  4561. Some instances of this field may be defaulted, in others it may be required.
  4562. maxLength: 253
  4563. minLength: 1
  4564. pattern: ^[-._a-zA-Z0-9]+$
  4565. type: string
  4566. name:
  4567. description: The name of the Secret resource being referred to.
  4568. maxLength: 253
  4569. minLength: 1
  4570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4571. type: string
  4572. namespace:
  4573. description: |-
  4574. The namespace of the Secret resource being referred to.
  4575. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4576. maxLength: 63
  4577. minLength: 1
  4578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4579. type: string
  4580. type: object
  4581. type: object
  4582. required:
  4583. - SecretRef
  4584. type: object
  4585. caBundle:
  4586. description: |-
  4587. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  4588. can be performed.
  4589. format: byte
  4590. type: string
  4591. caProvider:
  4592. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4593. properties:
  4594. key:
  4595. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4596. maxLength: 253
  4597. minLength: 1
  4598. pattern: ^[-._a-zA-Z0-9]+$
  4599. type: string
  4600. name:
  4601. description: The name of the object located at the provider type.
  4602. maxLength: 253
  4603. minLength: 1
  4604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4605. type: string
  4606. namespace:
  4607. description: |-
  4608. The namespace the Provider type is in.
  4609. Can only be defined when used in a ClusterSecretStore.
  4610. maxLength: 63
  4611. minLength: 1
  4612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4613. type: string
  4614. type:
  4615. description: The type of provider to use such as "Secret", or "ConfigMap".
  4616. enum:
  4617. - Secret
  4618. - ConfigMap
  4619. type: string
  4620. required:
  4621. - name
  4622. - type
  4623. type: object
  4624. environment:
  4625. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4626. type: string
  4627. groupIDs:
  4628. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  4629. items:
  4630. type: string
  4631. type: array
  4632. inheritFromGroups:
  4633. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4634. type: boolean
  4635. projectID:
  4636. description: ProjectID specifies a project where secrets are located.
  4637. type: string
  4638. url:
  4639. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4640. type: string
  4641. required:
  4642. - auth
  4643. type: object
  4644. ibm:
  4645. description: IBM configures this store to sync secrets using IBM Cloud provider
  4646. properties:
  4647. auth:
  4648. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4649. maxProperties: 1
  4650. minProperties: 1
  4651. properties:
  4652. containerAuth:
  4653. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4654. properties:
  4655. iamEndpoint:
  4656. type: string
  4657. profile:
  4658. description: the IBM Trusted Profile
  4659. type: string
  4660. tokenLocation:
  4661. description: Location the token is mounted on the pod
  4662. type: string
  4663. required:
  4664. - profile
  4665. type: object
  4666. secretRef:
  4667. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4668. properties:
  4669. iamEndpoint:
  4670. description: The IAM endpoint used to obain a token
  4671. type: string
  4672. secretApiKeySecretRef:
  4673. description: The SecretAccessKey is used for authentication
  4674. properties:
  4675. key:
  4676. description: |-
  4677. A key in the referenced Secret.
  4678. Some instances of this field may be defaulted, in others it may be required.
  4679. maxLength: 253
  4680. minLength: 1
  4681. pattern: ^[-._a-zA-Z0-9]+$
  4682. type: string
  4683. name:
  4684. description: The name of the Secret resource being referred to.
  4685. maxLength: 253
  4686. minLength: 1
  4687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4688. type: string
  4689. namespace:
  4690. description: |-
  4691. The namespace of the Secret resource being referred to.
  4692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4693. maxLength: 63
  4694. minLength: 1
  4695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4696. type: string
  4697. type: object
  4698. type: object
  4699. type: object
  4700. serviceUrl:
  4701. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4702. type: string
  4703. required:
  4704. - auth
  4705. type: object
  4706. infisical:
  4707. description: Infisical configures this store to sync secrets using the Infisical provider
  4708. properties:
  4709. auth:
  4710. description: Auth configures how the Operator authenticates with the Infisical API
  4711. properties:
  4712. awsAuthCredentials:
  4713. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4714. properties:
  4715. identityId:
  4716. description: |-
  4717. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4718. In some instances, `key` is a required field.
  4719. properties:
  4720. key:
  4721. description: |-
  4722. A key in the referenced Secret.
  4723. Some instances of this field may be defaulted, in others it may be required.
  4724. maxLength: 253
  4725. minLength: 1
  4726. pattern: ^[-._a-zA-Z0-9]+$
  4727. type: string
  4728. name:
  4729. description: The name of the Secret resource being referred to.
  4730. maxLength: 253
  4731. minLength: 1
  4732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4733. type: string
  4734. namespace:
  4735. description: |-
  4736. The namespace of the Secret resource being referred to.
  4737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4738. maxLength: 63
  4739. minLength: 1
  4740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4741. type: string
  4742. type: object
  4743. required:
  4744. - identityId
  4745. type: object
  4746. azureAuthCredentials:
  4747. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4748. properties:
  4749. identityId:
  4750. description: |-
  4751. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4752. In some instances, `key` is a required field.
  4753. properties:
  4754. key:
  4755. description: |-
  4756. A key in the referenced Secret.
  4757. Some instances of this field may be defaulted, in others it may be required.
  4758. maxLength: 253
  4759. minLength: 1
  4760. pattern: ^[-._a-zA-Z0-9]+$
  4761. type: string
  4762. name:
  4763. description: The name of the Secret resource being referred to.
  4764. maxLength: 253
  4765. minLength: 1
  4766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4767. type: string
  4768. namespace:
  4769. description: |-
  4770. The namespace of the Secret resource being referred to.
  4771. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4772. maxLength: 63
  4773. minLength: 1
  4774. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4775. type: string
  4776. type: object
  4777. resource:
  4778. description: |-
  4779. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4780. In some instances, `key` is a required field.
  4781. properties:
  4782. key:
  4783. description: |-
  4784. A key in the referenced Secret.
  4785. Some instances of this field may be defaulted, in others it may be required.
  4786. maxLength: 253
  4787. minLength: 1
  4788. pattern: ^[-._a-zA-Z0-9]+$
  4789. type: string
  4790. name:
  4791. description: The name of the Secret resource being referred to.
  4792. maxLength: 253
  4793. minLength: 1
  4794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4795. type: string
  4796. namespace:
  4797. description: |-
  4798. The namespace of the Secret resource being referred to.
  4799. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4800. maxLength: 63
  4801. minLength: 1
  4802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4803. type: string
  4804. type: object
  4805. required:
  4806. - identityId
  4807. type: object
  4808. gcpIamAuthCredentials:
  4809. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4810. properties:
  4811. identityId:
  4812. description: |-
  4813. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4814. In some instances, `key` is a required field.
  4815. properties:
  4816. key:
  4817. description: |-
  4818. A key in the referenced Secret.
  4819. Some instances of this field may be defaulted, in others it may be required.
  4820. maxLength: 253
  4821. minLength: 1
  4822. pattern: ^[-._a-zA-Z0-9]+$
  4823. type: string
  4824. name:
  4825. description: The name of the Secret resource being referred to.
  4826. maxLength: 253
  4827. minLength: 1
  4828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4829. type: string
  4830. namespace:
  4831. description: |-
  4832. The namespace of the Secret resource being referred to.
  4833. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4834. maxLength: 63
  4835. minLength: 1
  4836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4837. type: string
  4838. type: object
  4839. serviceAccountKeyFilePath:
  4840. description: |-
  4841. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4842. In some instances, `key` is a required field.
  4843. properties:
  4844. key:
  4845. description: |-
  4846. A key in the referenced Secret.
  4847. Some instances of this field may be defaulted, in others it may be required.
  4848. maxLength: 253
  4849. minLength: 1
  4850. pattern: ^[-._a-zA-Z0-9]+$
  4851. type: string
  4852. name:
  4853. description: The name of the Secret resource being referred to.
  4854. maxLength: 253
  4855. minLength: 1
  4856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4857. type: string
  4858. namespace:
  4859. description: |-
  4860. The namespace of the Secret resource being referred to.
  4861. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4862. maxLength: 63
  4863. minLength: 1
  4864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4865. type: string
  4866. type: object
  4867. required:
  4868. - identityId
  4869. - serviceAccountKeyFilePath
  4870. type: object
  4871. gcpIdTokenAuthCredentials:
  4872. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4873. properties:
  4874. identityId:
  4875. description: |-
  4876. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4877. In some instances, `key` is a required field.
  4878. properties:
  4879. key:
  4880. description: |-
  4881. A key in the referenced Secret.
  4882. Some instances of this field may be defaulted, in others it may be required.
  4883. maxLength: 253
  4884. minLength: 1
  4885. pattern: ^[-._a-zA-Z0-9]+$
  4886. type: string
  4887. name:
  4888. description: The name of the Secret resource being referred to.
  4889. maxLength: 253
  4890. minLength: 1
  4891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4892. type: string
  4893. namespace:
  4894. description: |-
  4895. The namespace of the Secret resource being referred to.
  4896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4897. maxLength: 63
  4898. minLength: 1
  4899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4900. type: string
  4901. type: object
  4902. required:
  4903. - identityId
  4904. type: object
  4905. jwtAuthCredentials:
  4906. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4907. properties:
  4908. identityId:
  4909. description: |-
  4910. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4911. In some instances, `key` is a required field.
  4912. properties:
  4913. key:
  4914. description: |-
  4915. A key in the referenced Secret.
  4916. Some instances of this field may be defaulted, in others it may be required.
  4917. maxLength: 253
  4918. minLength: 1
  4919. pattern: ^[-._a-zA-Z0-9]+$
  4920. type: string
  4921. name:
  4922. description: The name of the Secret resource being referred to.
  4923. maxLength: 253
  4924. minLength: 1
  4925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4926. type: string
  4927. namespace:
  4928. description: |-
  4929. The namespace of the Secret resource being referred to.
  4930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4931. maxLength: 63
  4932. minLength: 1
  4933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4934. type: string
  4935. type: object
  4936. jwt:
  4937. description: |-
  4938. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4939. In some instances, `key` is a required field.
  4940. properties:
  4941. key:
  4942. description: |-
  4943. A key in the referenced Secret.
  4944. Some instances of this field may be defaulted, in others it may be required.
  4945. maxLength: 253
  4946. minLength: 1
  4947. pattern: ^[-._a-zA-Z0-9]+$
  4948. type: string
  4949. name:
  4950. description: The name of the Secret resource being referred to.
  4951. maxLength: 253
  4952. minLength: 1
  4953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4954. type: string
  4955. namespace:
  4956. description: |-
  4957. The namespace of the Secret resource being referred to.
  4958. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4959. maxLength: 63
  4960. minLength: 1
  4961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4962. type: string
  4963. type: object
  4964. required:
  4965. - identityId
  4966. - jwt
  4967. type: object
  4968. kubernetesAuthCredentials:
  4969. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  4970. properties:
  4971. identityId:
  4972. description: |-
  4973. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4974. In some instances, `key` is a required field.
  4975. properties:
  4976. key:
  4977. description: |-
  4978. A key in the referenced Secret.
  4979. Some instances of this field may be defaulted, in others it may be required.
  4980. maxLength: 253
  4981. minLength: 1
  4982. pattern: ^[-._a-zA-Z0-9]+$
  4983. type: string
  4984. name:
  4985. description: The name of the Secret resource being referred to.
  4986. maxLength: 253
  4987. minLength: 1
  4988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4989. type: string
  4990. namespace:
  4991. description: |-
  4992. The namespace of the Secret resource being referred to.
  4993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4994. maxLength: 63
  4995. minLength: 1
  4996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4997. type: string
  4998. type: object
  4999. serviceAccountTokenPath:
  5000. description: |-
  5001. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5002. In some instances, `key` is a required field.
  5003. properties:
  5004. key:
  5005. description: |-
  5006. A key in the referenced Secret.
  5007. Some instances of this field may be defaulted, in others it may be required.
  5008. maxLength: 253
  5009. minLength: 1
  5010. pattern: ^[-._a-zA-Z0-9]+$
  5011. type: string
  5012. name:
  5013. description: The name of the Secret resource being referred to.
  5014. maxLength: 253
  5015. minLength: 1
  5016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5017. type: string
  5018. namespace:
  5019. description: |-
  5020. The namespace of the Secret resource being referred to.
  5021. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5022. maxLength: 63
  5023. minLength: 1
  5024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5025. type: string
  5026. type: object
  5027. required:
  5028. - identityId
  5029. type: object
  5030. ldapAuthCredentials:
  5031. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5032. properties:
  5033. identityId:
  5034. description: |-
  5035. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5036. In some instances, `key` is a required field.
  5037. properties:
  5038. key:
  5039. description: |-
  5040. A key in the referenced Secret.
  5041. Some instances of this field may be defaulted, in others it may be required.
  5042. maxLength: 253
  5043. minLength: 1
  5044. pattern: ^[-._a-zA-Z0-9]+$
  5045. type: string
  5046. name:
  5047. description: The name of the Secret resource being referred to.
  5048. maxLength: 253
  5049. minLength: 1
  5050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5051. type: string
  5052. namespace:
  5053. description: |-
  5054. The namespace of the Secret resource being referred to.
  5055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5056. maxLength: 63
  5057. minLength: 1
  5058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5059. type: string
  5060. type: object
  5061. ldapPassword:
  5062. description: |-
  5063. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5064. In some instances, `key` is a required field.
  5065. properties:
  5066. key:
  5067. description: |-
  5068. A key in the referenced Secret.
  5069. Some instances of this field may be defaulted, in others it may be required.
  5070. maxLength: 253
  5071. minLength: 1
  5072. pattern: ^[-._a-zA-Z0-9]+$
  5073. type: string
  5074. name:
  5075. description: The name of the Secret resource being referred to.
  5076. maxLength: 253
  5077. minLength: 1
  5078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5079. type: string
  5080. namespace:
  5081. description: |-
  5082. The namespace of the Secret resource being referred to.
  5083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5084. maxLength: 63
  5085. minLength: 1
  5086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5087. type: string
  5088. type: object
  5089. ldapUsername:
  5090. description: |-
  5091. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5092. In some instances, `key` is a required field.
  5093. properties:
  5094. key:
  5095. description: |-
  5096. A key in the referenced Secret.
  5097. Some instances of this field may be defaulted, in others it may be required.
  5098. maxLength: 253
  5099. minLength: 1
  5100. pattern: ^[-._a-zA-Z0-9]+$
  5101. type: string
  5102. name:
  5103. description: The name of the Secret resource being referred to.
  5104. maxLength: 253
  5105. minLength: 1
  5106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5107. type: string
  5108. namespace:
  5109. description: |-
  5110. The namespace of the Secret resource being referred to.
  5111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5112. maxLength: 63
  5113. minLength: 1
  5114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5115. type: string
  5116. type: object
  5117. required:
  5118. - identityId
  5119. - ldapPassword
  5120. - ldapUsername
  5121. type: object
  5122. ociAuthCredentials:
  5123. description: OciAuthCredentials represents the credentials for OCI authentication.
  5124. properties:
  5125. fingerprint:
  5126. description: |-
  5127. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5128. In some instances, `key` is a required field.
  5129. properties:
  5130. key:
  5131. description: |-
  5132. A key in the referenced Secret.
  5133. Some instances of this field may be defaulted, in others it may be required.
  5134. maxLength: 253
  5135. minLength: 1
  5136. pattern: ^[-._a-zA-Z0-9]+$
  5137. type: string
  5138. name:
  5139. description: The name of the Secret resource being referred to.
  5140. maxLength: 253
  5141. minLength: 1
  5142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5143. type: string
  5144. namespace:
  5145. description: |-
  5146. The namespace of the Secret resource being referred to.
  5147. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5148. maxLength: 63
  5149. minLength: 1
  5150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5151. type: string
  5152. type: object
  5153. identityId:
  5154. description: |-
  5155. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5156. In some instances, `key` is a required field.
  5157. properties:
  5158. key:
  5159. description: |-
  5160. A key in the referenced Secret.
  5161. Some instances of this field may be defaulted, in others it may be required.
  5162. maxLength: 253
  5163. minLength: 1
  5164. pattern: ^[-._a-zA-Z0-9]+$
  5165. type: string
  5166. name:
  5167. description: The name of the Secret resource being referred to.
  5168. maxLength: 253
  5169. minLength: 1
  5170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5171. type: string
  5172. namespace:
  5173. description: |-
  5174. The namespace of the Secret resource being referred to.
  5175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5176. maxLength: 63
  5177. minLength: 1
  5178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5179. type: string
  5180. type: object
  5181. privateKey:
  5182. description: |-
  5183. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5184. In some instances, `key` is a required field.
  5185. properties:
  5186. key:
  5187. description: |-
  5188. A key in the referenced Secret.
  5189. Some instances of this field may be defaulted, in others it may be required.
  5190. maxLength: 253
  5191. minLength: 1
  5192. pattern: ^[-._a-zA-Z0-9]+$
  5193. type: string
  5194. name:
  5195. description: The name of the Secret resource being referred to.
  5196. maxLength: 253
  5197. minLength: 1
  5198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5199. type: string
  5200. namespace:
  5201. description: |-
  5202. The namespace of the Secret resource being referred to.
  5203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5204. maxLength: 63
  5205. minLength: 1
  5206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5207. type: string
  5208. type: object
  5209. privateKeyPassphrase:
  5210. description: |-
  5211. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5212. In some instances, `key` is a required field.
  5213. properties:
  5214. key:
  5215. description: |-
  5216. A key in the referenced Secret.
  5217. Some instances of this field may be defaulted, in others it may be required.
  5218. maxLength: 253
  5219. minLength: 1
  5220. pattern: ^[-._a-zA-Z0-9]+$
  5221. type: string
  5222. name:
  5223. description: The name of the Secret resource being referred to.
  5224. maxLength: 253
  5225. minLength: 1
  5226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5227. type: string
  5228. namespace:
  5229. description: |-
  5230. The namespace of the Secret resource being referred to.
  5231. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5232. maxLength: 63
  5233. minLength: 1
  5234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5235. type: string
  5236. type: object
  5237. region:
  5238. description: |-
  5239. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5240. In some instances, `key` is a required field.
  5241. properties:
  5242. key:
  5243. description: |-
  5244. A key in the referenced Secret.
  5245. Some instances of this field may be defaulted, in others it may be required.
  5246. maxLength: 253
  5247. minLength: 1
  5248. pattern: ^[-._a-zA-Z0-9]+$
  5249. type: string
  5250. name:
  5251. description: The name of the Secret resource being referred to.
  5252. maxLength: 253
  5253. minLength: 1
  5254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5255. type: string
  5256. namespace:
  5257. description: |-
  5258. The namespace of the Secret resource being referred to.
  5259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5260. maxLength: 63
  5261. minLength: 1
  5262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5263. type: string
  5264. type: object
  5265. tenancyId:
  5266. description: |-
  5267. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5268. In some instances, `key` is a required field.
  5269. properties:
  5270. key:
  5271. description: |-
  5272. A key in the referenced Secret.
  5273. Some instances of this field may be defaulted, in others it may be required.
  5274. maxLength: 253
  5275. minLength: 1
  5276. pattern: ^[-._a-zA-Z0-9]+$
  5277. type: string
  5278. name:
  5279. description: The name of the Secret resource being referred to.
  5280. maxLength: 253
  5281. minLength: 1
  5282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5283. type: string
  5284. namespace:
  5285. description: |-
  5286. The namespace of the Secret resource being referred to.
  5287. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5288. maxLength: 63
  5289. minLength: 1
  5290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5291. type: string
  5292. type: object
  5293. userId:
  5294. description: |-
  5295. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5296. In some instances, `key` is a required field.
  5297. properties:
  5298. key:
  5299. description: |-
  5300. A key in the referenced Secret.
  5301. Some instances of this field may be defaulted, in others it may be required.
  5302. maxLength: 253
  5303. minLength: 1
  5304. pattern: ^[-._a-zA-Z0-9]+$
  5305. type: string
  5306. name:
  5307. description: The name of the Secret resource being referred to.
  5308. maxLength: 253
  5309. minLength: 1
  5310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5311. type: string
  5312. namespace:
  5313. description: |-
  5314. The namespace of the Secret resource being referred to.
  5315. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5316. maxLength: 63
  5317. minLength: 1
  5318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5319. type: string
  5320. type: object
  5321. required:
  5322. - fingerprint
  5323. - identityId
  5324. - privateKey
  5325. - region
  5326. - tenancyId
  5327. - userId
  5328. type: object
  5329. tokenAuthCredentials:
  5330. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5331. properties:
  5332. accessToken:
  5333. description: |-
  5334. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5335. In some instances, `key` is a required field.
  5336. properties:
  5337. key:
  5338. description: |-
  5339. A key in the referenced Secret.
  5340. Some instances of this field may be defaulted, in others it may be required.
  5341. maxLength: 253
  5342. minLength: 1
  5343. pattern: ^[-._a-zA-Z0-9]+$
  5344. type: string
  5345. name:
  5346. description: The name of the Secret resource being referred to.
  5347. maxLength: 253
  5348. minLength: 1
  5349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5350. type: string
  5351. namespace:
  5352. description: |-
  5353. The namespace of the Secret resource being referred to.
  5354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5355. maxLength: 63
  5356. minLength: 1
  5357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5358. type: string
  5359. type: object
  5360. required:
  5361. - accessToken
  5362. type: object
  5363. universalAuthCredentials:
  5364. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5365. properties:
  5366. clientId:
  5367. description: |-
  5368. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5369. In some instances, `key` is a required field.
  5370. properties:
  5371. key:
  5372. description: |-
  5373. A key in the referenced Secret.
  5374. Some instances of this field may be defaulted, in others it may be required.
  5375. maxLength: 253
  5376. minLength: 1
  5377. pattern: ^[-._a-zA-Z0-9]+$
  5378. type: string
  5379. name:
  5380. description: The name of the Secret resource being referred to.
  5381. maxLength: 253
  5382. minLength: 1
  5383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5384. type: string
  5385. namespace:
  5386. description: |-
  5387. The namespace of the Secret resource being referred to.
  5388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5389. maxLength: 63
  5390. minLength: 1
  5391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5392. type: string
  5393. type: object
  5394. clientSecret:
  5395. description: |-
  5396. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5397. In some instances, `key` is a required field.
  5398. properties:
  5399. key:
  5400. description: |-
  5401. A key in the referenced Secret.
  5402. Some instances of this field may be defaulted, in others it may be required.
  5403. maxLength: 253
  5404. minLength: 1
  5405. pattern: ^[-._a-zA-Z0-9]+$
  5406. type: string
  5407. name:
  5408. description: The name of the Secret resource being referred to.
  5409. maxLength: 253
  5410. minLength: 1
  5411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5412. type: string
  5413. namespace:
  5414. description: |-
  5415. The namespace of the Secret resource being referred to.
  5416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5417. maxLength: 63
  5418. minLength: 1
  5419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5420. type: string
  5421. type: object
  5422. required:
  5423. - clientId
  5424. - clientSecret
  5425. type: object
  5426. type: object
  5427. caBundle:
  5428. description: |-
  5429. CABundle is a PEM-encoded CA certificate bundle used to validate
  5430. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5431. format: byte
  5432. type: string
  5433. caProvider:
  5434. description: |-
  5435. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5436. The certificate is used to validate the Infisical server's TLS certificate.
  5437. Mutually exclusive with CABundle.
  5438. properties:
  5439. key:
  5440. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5441. maxLength: 253
  5442. minLength: 1
  5443. pattern: ^[-._a-zA-Z0-9]+$
  5444. type: string
  5445. name:
  5446. description: The name of the object located at the provider type.
  5447. maxLength: 253
  5448. minLength: 1
  5449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5450. type: string
  5451. namespace:
  5452. description: |-
  5453. The namespace the Provider type is in.
  5454. Can only be defined when used in a ClusterSecretStore.
  5455. maxLength: 63
  5456. minLength: 1
  5457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5458. type: string
  5459. type:
  5460. description: The type of provider to use such as "Secret", or "ConfigMap".
  5461. enum:
  5462. - Secret
  5463. - ConfigMap
  5464. type: string
  5465. required:
  5466. - name
  5467. - type
  5468. type: object
  5469. hostAPI:
  5470. default: https://app.infisical.com/api
  5471. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5472. type: string
  5473. secretsScope:
  5474. description: SecretsScope defines the scope of the secrets within the workspace
  5475. properties:
  5476. environmentSlug:
  5477. description: EnvironmentSlug is the required slug identifier for the environment.
  5478. type: string
  5479. expandSecretReferences:
  5480. default: true
  5481. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5482. type: boolean
  5483. organizationSlug:
  5484. description: |-
  5485. OrganizationSlug is the optional slug that identifies the organization that will be used
  5486. during authentication. Useful for sub-organization setups
  5487. type: string
  5488. projectSlug:
  5489. description: ProjectSlug is the required slug identifier for the project.
  5490. type: string
  5491. recursive:
  5492. default: false
  5493. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5494. type: boolean
  5495. secretsPath:
  5496. default: /
  5497. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5498. type: string
  5499. required:
  5500. - environmentSlug
  5501. - projectSlug
  5502. type: object
  5503. required:
  5504. - auth
  5505. - secretsScope
  5506. type: object
  5507. keepersecurity:
  5508. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5509. properties:
  5510. authRef:
  5511. description: |-
  5512. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5513. In some instances, `key` is a required field.
  5514. properties:
  5515. key:
  5516. description: |-
  5517. A key in the referenced Secret.
  5518. Some instances of this field may be defaulted, in others it may be required.
  5519. maxLength: 253
  5520. minLength: 1
  5521. pattern: ^[-._a-zA-Z0-9]+$
  5522. type: string
  5523. name:
  5524. description: The name of the Secret resource being referred to.
  5525. maxLength: 253
  5526. minLength: 1
  5527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5528. type: string
  5529. namespace:
  5530. description: |-
  5531. The namespace of the Secret resource being referred to.
  5532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5533. maxLength: 63
  5534. minLength: 1
  5535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5536. type: string
  5537. type: object
  5538. folderID:
  5539. type: string
  5540. getByTitleFallback:
  5541. type: boolean
  5542. required:
  5543. - authRef
  5544. - folderID
  5545. type: object
  5546. kubernetes:
  5547. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5548. properties:
  5549. auth:
  5550. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5551. maxProperties: 1
  5552. minProperties: 1
  5553. properties:
  5554. cert:
  5555. description: has both clientCert and clientKey as secretKeySelector
  5556. properties:
  5557. clientCert:
  5558. description: |-
  5559. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5560. In some instances, `key` is a required field.
  5561. properties:
  5562. key:
  5563. description: |-
  5564. A key in the referenced Secret.
  5565. Some instances of this field may be defaulted, in others it may be required.
  5566. maxLength: 253
  5567. minLength: 1
  5568. pattern: ^[-._a-zA-Z0-9]+$
  5569. type: string
  5570. name:
  5571. description: The name of the Secret resource being referred to.
  5572. maxLength: 253
  5573. minLength: 1
  5574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5575. type: string
  5576. namespace:
  5577. description: |-
  5578. The namespace of the Secret resource being referred to.
  5579. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5580. maxLength: 63
  5581. minLength: 1
  5582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5583. type: string
  5584. type: object
  5585. clientKey:
  5586. description: |-
  5587. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5588. In some instances, `key` is a required field.
  5589. properties:
  5590. key:
  5591. description: |-
  5592. A key in the referenced Secret.
  5593. Some instances of this field may be defaulted, in others it may be required.
  5594. maxLength: 253
  5595. minLength: 1
  5596. pattern: ^[-._a-zA-Z0-9]+$
  5597. type: string
  5598. name:
  5599. description: The name of the Secret resource being referred to.
  5600. maxLength: 253
  5601. minLength: 1
  5602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5603. type: string
  5604. namespace:
  5605. description: |-
  5606. The namespace of the Secret resource being referred to.
  5607. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5608. maxLength: 63
  5609. minLength: 1
  5610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5611. type: string
  5612. type: object
  5613. type: object
  5614. serviceAccount:
  5615. description: points to a service account that should be used for authentication
  5616. properties:
  5617. audiences:
  5618. description: |-
  5619. Audience specifies the `aud` claim for the service account token
  5620. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5621. then this audiences will be appended to the list
  5622. items:
  5623. type: string
  5624. type: array
  5625. name:
  5626. description: The name of the ServiceAccount resource being referred to.
  5627. maxLength: 253
  5628. minLength: 1
  5629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5630. type: string
  5631. namespace:
  5632. description: |-
  5633. Namespace of the resource being referred to.
  5634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5635. maxLength: 63
  5636. minLength: 1
  5637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5638. type: string
  5639. required:
  5640. - name
  5641. type: object
  5642. token:
  5643. description: use static token to authenticate with
  5644. properties:
  5645. bearerToken:
  5646. description: |-
  5647. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5648. In some instances, `key` is a required field.
  5649. properties:
  5650. key:
  5651. description: |-
  5652. A key in the referenced Secret.
  5653. Some instances of this field may be defaulted, in others it may be required.
  5654. maxLength: 253
  5655. minLength: 1
  5656. pattern: ^[-._a-zA-Z0-9]+$
  5657. type: string
  5658. name:
  5659. description: The name of the Secret resource being referred to.
  5660. maxLength: 253
  5661. minLength: 1
  5662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5663. type: string
  5664. namespace:
  5665. description: |-
  5666. The namespace of the Secret resource being referred to.
  5667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5668. maxLength: 63
  5669. minLength: 1
  5670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5671. type: string
  5672. type: object
  5673. type: object
  5674. type: object
  5675. authRef:
  5676. description: A reference to a secret that contains the auth information.
  5677. properties:
  5678. key:
  5679. description: |-
  5680. A key in the referenced Secret.
  5681. Some instances of this field may be defaulted, in others it may be required.
  5682. maxLength: 253
  5683. minLength: 1
  5684. pattern: ^[-._a-zA-Z0-9]+$
  5685. type: string
  5686. name:
  5687. description: The name of the Secret resource being referred to.
  5688. maxLength: 253
  5689. minLength: 1
  5690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5691. type: string
  5692. namespace:
  5693. description: |-
  5694. The namespace of the Secret resource being referred to.
  5695. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5696. maxLength: 63
  5697. minLength: 1
  5698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5699. type: string
  5700. type: object
  5701. remoteNamespace:
  5702. default: default
  5703. description: Remote namespace to fetch the secrets from
  5704. maxLength: 63
  5705. minLength: 1
  5706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5707. type: string
  5708. server:
  5709. description: configures the Kubernetes server Address.
  5710. properties:
  5711. caBundle:
  5712. description: CABundle is a base64-encoded CA certificate
  5713. format: byte
  5714. type: string
  5715. caProvider:
  5716. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5717. properties:
  5718. key:
  5719. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5720. maxLength: 253
  5721. minLength: 1
  5722. pattern: ^[-._a-zA-Z0-9]+$
  5723. type: string
  5724. name:
  5725. description: The name of the object located at the provider type.
  5726. maxLength: 253
  5727. minLength: 1
  5728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5729. type: string
  5730. namespace:
  5731. description: |-
  5732. The namespace the Provider type is in.
  5733. Can only be defined when used in a ClusterSecretStore.
  5734. maxLength: 63
  5735. minLength: 1
  5736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5737. type: string
  5738. type:
  5739. description: The type of provider to use such as "Secret", or "ConfigMap".
  5740. enum:
  5741. - Secret
  5742. - ConfigMap
  5743. type: string
  5744. required:
  5745. - name
  5746. - type
  5747. type: object
  5748. url:
  5749. default: kubernetes.default
  5750. description: configures the Kubernetes server Address.
  5751. type: string
  5752. type: object
  5753. type: object
  5754. nebiusmysterybox:
  5755. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5756. properties:
  5757. apiDomain:
  5758. description: NebiusMysterybox API endpoint
  5759. type: string
  5760. auth:
  5761. description: Auth defines parameters to authenticate in MysteryBox
  5762. properties:
  5763. serviceAccountCredsSecretRef:
  5764. description: |-
  5765. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5766. document with service account credentials used to get an IAM token.
  5767. Expected JSON structure:
  5768. {
  5769. "subject-credentials": {
  5770. "alg": "RS256",
  5771. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5772. "kid": "<public-key-id>",
  5773. "iss": "<issuer-service-account-id>",
  5774. "sub": "<subject-service-account-id>"
  5775. }
  5776. }
  5777. properties:
  5778. key:
  5779. description: |-
  5780. A key in the referenced Secret.
  5781. Some instances of this field may be defaulted, in others it may be required.
  5782. maxLength: 253
  5783. minLength: 1
  5784. pattern: ^[-._a-zA-Z0-9]+$
  5785. type: string
  5786. name:
  5787. description: The name of the Secret resource being referred to.
  5788. maxLength: 253
  5789. minLength: 1
  5790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5791. type: string
  5792. namespace:
  5793. description: |-
  5794. The namespace of the Secret resource being referred to.
  5795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5796. maxLength: 63
  5797. minLength: 1
  5798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5799. type: string
  5800. type: object
  5801. tokenSecretRef:
  5802. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5803. properties:
  5804. key:
  5805. description: |-
  5806. A key in the referenced Secret.
  5807. Some instances of this field may be defaulted, in others it may be required.
  5808. maxLength: 253
  5809. minLength: 1
  5810. pattern: ^[-._a-zA-Z0-9]+$
  5811. type: string
  5812. name:
  5813. description: The name of the Secret resource being referred to.
  5814. maxLength: 253
  5815. minLength: 1
  5816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5817. type: string
  5818. namespace:
  5819. description: |-
  5820. The namespace of the Secret resource being referred to.
  5821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5822. maxLength: 63
  5823. minLength: 1
  5824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5825. type: string
  5826. type: object
  5827. type: object
  5828. x-kubernetes-validations:
  5829. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5830. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5831. caProvider:
  5832. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5833. properties:
  5834. certSecretRef:
  5835. description: |-
  5836. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5837. In some instances, `key` is a required field.
  5838. properties:
  5839. key:
  5840. description: |-
  5841. A key in the referenced Secret.
  5842. Some instances of this field may be defaulted, in others it may be required.
  5843. maxLength: 253
  5844. minLength: 1
  5845. pattern: ^[-._a-zA-Z0-9]+$
  5846. type: string
  5847. name:
  5848. description: The name of the Secret resource being referred to.
  5849. maxLength: 253
  5850. minLength: 1
  5851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5852. type: string
  5853. namespace:
  5854. description: |-
  5855. The namespace of the Secret resource being referred to.
  5856. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5857. maxLength: 63
  5858. minLength: 1
  5859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5860. type: string
  5861. type: object
  5862. type: object
  5863. required:
  5864. - apiDomain
  5865. - auth
  5866. type: object
  5867. ngrok:
  5868. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5869. properties:
  5870. apiUrl:
  5871. default: https://api.ngrok.com
  5872. description: APIURL is the URL of the ngrok API.
  5873. type: string
  5874. auth:
  5875. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5876. maxProperties: 1
  5877. minProperties: 1
  5878. properties:
  5879. apiKey:
  5880. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5881. properties:
  5882. secretRef:
  5883. description: SecretRef is a reference to a secret containing the ngrok API key.
  5884. properties:
  5885. key:
  5886. description: |-
  5887. A key in the referenced Secret.
  5888. Some instances of this field may be defaulted, in others it may be required.
  5889. maxLength: 253
  5890. minLength: 1
  5891. pattern: ^[-._a-zA-Z0-9]+$
  5892. type: string
  5893. name:
  5894. description: The name of the Secret resource being referred to.
  5895. maxLength: 253
  5896. minLength: 1
  5897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5898. type: string
  5899. namespace:
  5900. description: |-
  5901. The namespace of the Secret resource being referred to.
  5902. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5903. maxLength: 63
  5904. minLength: 1
  5905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5906. type: string
  5907. type: object
  5908. type: object
  5909. type: object
  5910. vault:
  5911. description: Vault configures the ngrok vault to sync secrets with.
  5912. properties:
  5913. name:
  5914. description: Name is the name of the ngrok vault to sync secrets with.
  5915. type: string
  5916. required:
  5917. - name
  5918. type: object
  5919. required:
  5920. - auth
  5921. - vault
  5922. type: object
  5923. onboardbase:
  5924. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5925. properties:
  5926. apiHost:
  5927. default: https://public.onboardbase.com/api/v1/
  5928. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  5929. type: string
  5930. auth:
  5931. description: Auth configures how the Operator authenticates with the Onboardbase API
  5932. properties:
  5933. apiKeyRef:
  5934. description: |-
  5935. OnboardbaseAPIKey is the APIKey generated by an admin account.
  5936. It is used to recognize and authorize access to a project and environment within onboardbase
  5937. properties:
  5938. key:
  5939. description: |-
  5940. A key in the referenced Secret.
  5941. Some instances of this field may be defaulted, in others it may be required.
  5942. maxLength: 253
  5943. minLength: 1
  5944. pattern: ^[-._a-zA-Z0-9]+$
  5945. type: string
  5946. name:
  5947. description: The name of the Secret resource being referred to.
  5948. maxLength: 253
  5949. minLength: 1
  5950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5951. type: string
  5952. namespace:
  5953. description: |-
  5954. The namespace of the Secret resource being referred to.
  5955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5956. maxLength: 63
  5957. minLength: 1
  5958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5959. type: string
  5960. type: object
  5961. passcodeRef:
  5962. description: OnboardbasePasscode is the passcode attached to the API Key
  5963. properties:
  5964. key:
  5965. description: |-
  5966. A key in the referenced Secret.
  5967. Some instances of this field may be defaulted, in others it may be required.
  5968. maxLength: 253
  5969. minLength: 1
  5970. pattern: ^[-._a-zA-Z0-9]+$
  5971. type: string
  5972. name:
  5973. description: The name of the Secret resource being referred to.
  5974. maxLength: 253
  5975. minLength: 1
  5976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5977. type: string
  5978. namespace:
  5979. description: |-
  5980. The namespace of the Secret resource being referred to.
  5981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5982. maxLength: 63
  5983. minLength: 1
  5984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5985. type: string
  5986. type: object
  5987. required:
  5988. - apiKeyRef
  5989. - passcodeRef
  5990. type: object
  5991. environment:
  5992. default: development
  5993. description: Environment is the name of an environmnent within a project to pull the secrets from
  5994. type: string
  5995. project:
  5996. default: development
  5997. description: Project is an onboardbase project that the secrets should be pulled from
  5998. type: string
  5999. required:
  6000. - apiHost
  6001. - auth
  6002. - environment
  6003. - project
  6004. type: object
  6005. onepassword:
  6006. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6007. properties:
  6008. auth:
  6009. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6010. properties:
  6011. secretRef:
  6012. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6013. properties:
  6014. connectTokenSecretRef:
  6015. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6016. properties:
  6017. key:
  6018. description: |-
  6019. A key in the referenced Secret.
  6020. Some instances of this field may be defaulted, in others it may be required.
  6021. maxLength: 253
  6022. minLength: 1
  6023. pattern: ^[-._a-zA-Z0-9]+$
  6024. type: string
  6025. name:
  6026. description: The name of the Secret resource being referred to.
  6027. maxLength: 253
  6028. minLength: 1
  6029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6030. type: string
  6031. namespace:
  6032. description: |-
  6033. The namespace of the Secret resource being referred to.
  6034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6035. maxLength: 63
  6036. minLength: 1
  6037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6038. type: string
  6039. type: object
  6040. required:
  6041. - connectTokenSecretRef
  6042. type: object
  6043. required:
  6044. - secretRef
  6045. type: object
  6046. connectHost:
  6047. description: ConnectHost defines the OnePassword Connect Server to connect to
  6048. type: string
  6049. vaults:
  6050. additionalProperties:
  6051. type: integer
  6052. description: Vaults defines which OnePassword vaults to search in which order
  6053. type: object
  6054. required:
  6055. - auth
  6056. - connectHost
  6057. - vaults
  6058. type: object
  6059. onepasswordSDK:
  6060. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6061. properties:
  6062. auth:
  6063. description: Auth defines the information necessary to authenticate against OnePassword API.
  6064. properties:
  6065. serviceAccountSecretRef:
  6066. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6067. properties:
  6068. key:
  6069. description: |-
  6070. A key in the referenced Secret.
  6071. Some instances of this field may be defaulted, in others it may be required.
  6072. maxLength: 253
  6073. minLength: 1
  6074. pattern: ^[-._a-zA-Z0-9]+$
  6075. type: string
  6076. name:
  6077. description: The name of the Secret resource being referred to.
  6078. maxLength: 253
  6079. minLength: 1
  6080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6081. type: string
  6082. namespace:
  6083. description: |-
  6084. The namespace of the Secret resource being referred to.
  6085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6086. maxLength: 63
  6087. minLength: 1
  6088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6089. type: string
  6090. type: object
  6091. required:
  6092. - serviceAccountSecretRef
  6093. type: object
  6094. cache:
  6095. description: |-
  6096. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6097. When enabled, secrets are cached with the specified TTL.
  6098. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6099. If omitted, caching is disabled (default).
  6100. cache: {} is a valid option to set.
  6101. properties:
  6102. maxSize:
  6103. default: 100
  6104. description: |-
  6105. MaxSize is the maximum number of secrets to cache.
  6106. When the cache is full, least-recently-used entries are evicted.
  6107. minimum: 1
  6108. type: integer
  6109. ttl:
  6110. default: 5m
  6111. description: |-
  6112. TTL is the time-to-live for cached secrets.
  6113. Format: duration string (e.g., "5m", "1h", "30s")
  6114. type: string
  6115. type: object
  6116. integrationInfo:
  6117. description: |-
  6118. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6119. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6120. properties:
  6121. name:
  6122. default: 1Password SDK
  6123. description: Name defaults to "1Password SDK".
  6124. type: string
  6125. version:
  6126. default: v1.0.0
  6127. description: Version defaults to "v1.0.0".
  6128. type: string
  6129. type: object
  6130. vault:
  6131. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6132. type: string
  6133. required:
  6134. - auth
  6135. - vault
  6136. type: object
  6137. openBao:
  6138. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6139. properties:
  6140. auth:
  6141. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6142. maxProperties: 1
  6143. properties:
  6144. tokenSecretRef:
  6145. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6146. properties:
  6147. key:
  6148. description: |-
  6149. A key in the referenced Secret.
  6150. Some instances of this field may be defaulted, in others it may be required.
  6151. maxLength: 253
  6152. minLength: 1
  6153. pattern: ^[-._a-zA-Z0-9]+$
  6154. type: string
  6155. name:
  6156. description: The name of the Secret resource being referred to.
  6157. maxLength: 253
  6158. minLength: 1
  6159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6160. type: string
  6161. namespace:
  6162. description: |-
  6163. The namespace of the Secret resource being referred to.
  6164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6165. maxLength: 63
  6166. minLength: 1
  6167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6168. type: string
  6169. type: object
  6170. userPass:
  6171. description: UserPass authenticates with OpenBao by passing a username/password pair
  6172. properties:
  6173. path:
  6174. default: userpass
  6175. description: |-
  6176. Path where the UserPassword authentication backend is mounted
  6177. in OpenBao, e.g: "userpass"
  6178. type: string
  6179. secretRef:
  6180. description: |-
  6181. SecretRef to a key in a Secret resource containing password for the user
  6182. used to authenticate with OpenBao using the [UserPass authentication
  6183. method]
  6184. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6185. properties:
  6186. key:
  6187. description: |-
  6188. A key in the referenced Secret.
  6189. Some instances of this field may be defaulted, in others it may be required.
  6190. maxLength: 253
  6191. minLength: 1
  6192. pattern: ^[-._a-zA-Z0-9]+$
  6193. type: string
  6194. name:
  6195. description: The name of the Secret resource being referred to.
  6196. maxLength: 253
  6197. minLength: 1
  6198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6199. type: string
  6200. namespace:
  6201. description: |-
  6202. The namespace of the Secret resource being referred to.
  6203. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6204. maxLength: 63
  6205. minLength: 1
  6206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6207. type: string
  6208. type: object
  6209. username:
  6210. description: |-
  6211. Username is a username used to authenticate using the [UserPass
  6212. authentication method]
  6213. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6214. type: string
  6215. required:
  6216. - path
  6217. - username
  6218. type: object
  6219. type: object
  6220. caBundle:
  6221. description: |-
  6222. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  6223. this and `caProvider` are not set the system root certificates are used
  6224. to validate the TLS connection.
  6225. format: byte
  6226. type: string
  6227. caProvider:
  6228. description: |-
  6229. The provider for the CA bundle to use to validate OpenBao server
  6230. certificate. If this and `caBundle` are not set the system root
  6231. certificates are used to validate the TLS connection.
  6232. properties:
  6233. key:
  6234. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6235. maxLength: 253
  6236. minLength: 1
  6237. pattern: ^[-._a-zA-Z0-9]+$
  6238. type: string
  6239. name:
  6240. description: The name of the object located at the provider type.
  6241. maxLength: 253
  6242. minLength: 1
  6243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6244. type: string
  6245. namespace:
  6246. description: |-
  6247. The namespace the Provider type is in.
  6248. Can only be defined when used in a ClusterSecretStore.
  6249. maxLength: 63
  6250. minLength: 1
  6251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6252. type: string
  6253. type:
  6254. description: The type of provider to use such as "Secret", or "ConfigMap".
  6255. enum:
  6256. - Secret
  6257. - ConfigMap
  6258. type: string
  6259. required:
  6260. - name
  6261. - type
  6262. type: object
  6263. path:
  6264. description: |-
  6265. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6266. "secret". The v2 KV secret engine version specific "/data" path suffix
  6267. for fetching secrets from OpenBao is optional and will be appended
  6268. if not present in specified path.
  6269. type: string
  6270. server:
  6271. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6272. type: string
  6273. version:
  6274. default: v2
  6275. description: |-
  6276. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6277. "v2". Version defaults to "v2".
  6278. enum:
  6279. - v1
  6280. - v2
  6281. type: string
  6282. required:
  6283. - server
  6284. type: object
  6285. x-kubernetes-validations:
  6286. - message: at most one of the fields in [caBundle caProvider] may be set
  6287. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  6288. oracle:
  6289. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6290. properties:
  6291. auth:
  6292. description: |-
  6293. Auth configures how secret-manager authenticates with the Oracle Vault.
  6294. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6295. properties:
  6296. secretRef:
  6297. description: SecretRef to pass through sensitive information.
  6298. properties:
  6299. fingerprint:
  6300. description: Fingerprint is the fingerprint of the API private key.
  6301. properties:
  6302. key:
  6303. description: |-
  6304. A key in the referenced Secret.
  6305. Some instances of this field may be defaulted, in others it may be required.
  6306. maxLength: 253
  6307. minLength: 1
  6308. pattern: ^[-._a-zA-Z0-9]+$
  6309. type: string
  6310. name:
  6311. description: The name of the Secret resource being referred to.
  6312. maxLength: 253
  6313. minLength: 1
  6314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6315. type: string
  6316. namespace:
  6317. description: |-
  6318. The namespace of the Secret resource being referred to.
  6319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6320. maxLength: 63
  6321. minLength: 1
  6322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6323. type: string
  6324. type: object
  6325. privatekey:
  6326. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6327. properties:
  6328. key:
  6329. description: |-
  6330. A key in the referenced Secret.
  6331. Some instances of this field may be defaulted, in others it may be required.
  6332. maxLength: 253
  6333. minLength: 1
  6334. pattern: ^[-._a-zA-Z0-9]+$
  6335. type: string
  6336. name:
  6337. description: The name of the Secret resource being referred to.
  6338. maxLength: 253
  6339. minLength: 1
  6340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6341. type: string
  6342. namespace:
  6343. description: |-
  6344. The namespace of the Secret resource being referred to.
  6345. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6346. maxLength: 63
  6347. minLength: 1
  6348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6349. type: string
  6350. type: object
  6351. required:
  6352. - fingerprint
  6353. - privatekey
  6354. type: object
  6355. tenancy:
  6356. description: Tenancy is the tenancy OCID where user is located.
  6357. type: string
  6358. user:
  6359. description: User is an access OCID specific to the account.
  6360. type: string
  6361. required:
  6362. - secretRef
  6363. - tenancy
  6364. - user
  6365. type: object
  6366. compartment:
  6367. description: |-
  6368. Compartment is the vault compartment OCID.
  6369. Required for PushSecret
  6370. type: string
  6371. encryptionKey:
  6372. description: |-
  6373. EncryptionKey is the OCID of the encryption key within the vault.
  6374. Required for PushSecret
  6375. type: string
  6376. principalType:
  6377. description: |-
  6378. The type of principal to use for authentication. If left blank, the Auth struct will
  6379. determine the principal type. This optional field must be specified if using
  6380. workload identity.
  6381. enum:
  6382. - ""
  6383. - UserPrincipal
  6384. - InstancePrincipal
  6385. - Workload
  6386. type: string
  6387. region:
  6388. description: Region is the region where vault is located.
  6389. type: string
  6390. serviceAccountRef:
  6391. description: |-
  6392. ServiceAccountRef specified the service account
  6393. that should be used when authenticating with WorkloadIdentity.
  6394. properties:
  6395. audiences:
  6396. description: |-
  6397. Audience specifies the `aud` claim for the service account token
  6398. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6399. then this audiences will be appended to the list
  6400. items:
  6401. type: string
  6402. type: array
  6403. name:
  6404. description: The name of the ServiceAccount resource being referred to.
  6405. maxLength: 253
  6406. minLength: 1
  6407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6408. type: string
  6409. namespace:
  6410. description: |-
  6411. Namespace of the resource being referred to.
  6412. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6413. maxLength: 63
  6414. minLength: 1
  6415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6416. type: string
  6417. required:
  6418. - name
  6419. type: object
  6420. vault:
  6421. description: Vault is the vault's OCID of the specific vault where secret is located.
  6422. type: string
  6423. required:
  6424. - region
  6425. - vault
  6426. type: object
  6427. ovh:
  6428. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6429. properties:
  6430. auth:
  6431. description: Authentication method (mtls or token).
  6432. properties:
  6433. mtls:
  6434. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6435. properties:
  6436. caBundle:
  6437. format: byte
  6438. type: string
  6439. caProvider:
  6440. description: |-
  6441. CAProvider provides a custom certificate authority for accessing the provider's store.
  6442. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6443. properties:
  6444. key:
  6445. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6446. maxLength: 253
  6447. minLength: 1
  6448. pattern: ^[-._a-zA-Z0-9]+$
  6449. type: string
  6450. name:
  6451. description: The name of the object located at the provider type.
  6452. maxLength: 253
  6453. minLength: 1
  6454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6455. type: string
  6456. namespace:
  6457. description: |-
  6458. The namespace the Provider type is in.
  6459. Can only be defined when used in a ClusterSecretStore.
  6460. maxLength: 63
  6461. minLength: 1
  6462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6463. type: string
  6464. type:
  6465. description: The type of provider to use such as "Secret", or "ConfigMap".
  6466. enum:
  6467. - Secret
  6468. - ConfigMap
  6469. type: string
  6470. required:
  6471. - name
  6472. - type
  6473. type: object
  6474. certSecretRef:
  6475. description: |-
  6476. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6477. In some instances, `key` is a required field.
  6478. properties:
  6479. key:
  6480. description: |-
  6481. A key in the referenced Secret.
  6482. Some instances of this field may be defaulted, in others it may be required.
  6483. maxLength: 253
  6484. minLength: 1
  6485. pattern: ^[-._a-zA-Z0-9]+$
  6486. type: string
  6487. name:
  6488. description: The name of the Secret resource being referred to.
  6489. maxLength: 253
  6490. minLength: 1
  6491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6492. type: string
  6493. namespace:
  6494. description: |-
  6495. The namespace of the Secret resource being referred to.
  6496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6497. maxLength: 63
  6498. minLength: 1
  6499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6500. type: string
  6501. type: object
  6502. keySecretRef:
  6503. description: |-
  6504. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6505. In some instances, `key` is a required field.
  6506. properties:
  6507. key:
  6508. description: |-
  6509. A key in the referenced Secret.
  6510. Some instances of this field may be defaulted, in others it may be required.
  6511. maxLength: 253
  6512. minLength: 1
  6513. pattern: ^[-._a-zA-Z0-9]+$
  6514. type: string
  6515. name:
  6516. description: The name of the Secret resource being referred to.
  6517. maxLength: 253
  6518. minLength: 1
  6519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6520. type: string
  6521. namespace:
  6522. description: |-
  6523. The namespace of the Secret resource being referred to.
  6524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6525. maxLength: 63
  6526. minLength: 1
  6527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6528. type: string
  6529. type: object
  6530. required:
  6531. - certSecretRef
  6532. - keySecretRef
  6533. type: object
  6534. token:
  6535. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6536. properties:
  6537. tokenSecretRef:
  6538. description: |-
  6539. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6540. In some instances, `key` is a required field.
  6541. properties:
  6542. key:
  6543. description: |-
  6544. A key in the referenced Secret.
  6545. Some instances of this field may be defaulted, in others it may be required.
  6546. maxLength: 253
  6547. minLength: 1
  6548. pattern: ^[-._a-zA-Z0-9]+$
  6549. type: string
  6550. name:
  6551. description: The name of the Secret resource being referred to.
  6552. maxLength: 253
  6553. minLength: 1
  6554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6555. type: string
  6556. namespace:
  6557. description: |-
  6558. The namespace of the Secret resource being referred to.
  6559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6560. maxLength: 63
  6561. minLength: 1
  6562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6563. type: string
  6564. type: object
  6565. required:
  6566. - tokenSecretRef
  6567. type: object
  6568. type: object
  6569. casRequired:
  6570. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6571. type: boolean
  6572. okmsTimeout:
  6573. default: 30
  6574. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  6575. format: int32
  6576. minimum: 1
  6577. type: integer
  6578. okmsid:
  6579. description: specifies the OKMS ID.
  6580. type: string
  6581. server:
  6582. description: specifies the OKMS server endpoint.
  6583. type: string
  6584. required:
  6585. - auth
  6586. - okmsid
  6587. - server
  6588. type: object
  6589. passbolt:
  6590. description: |-
  6591. PassboltProvider provides access to Passbolt secrets manager.
  6592. See: https://www.passbolt.com.
  6593. properties:
  6594. auth:
  6595. description: Auth defines the information necessary to authenticate against Passbolt Server
  6596. properties:
  6597. passwordSecretRef:
  6598. description: |-
  6599. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6600. In some instances, `key` is a required field.
  6601. properties:
  6602. key:
  6603. description: |-
  6604. A key in the referenced Secret.
  6605. Some instances of this field may be defaulted, in others it may be required.
  6606. maxLength: 253
  6607. minLength: 1
  6608. pattern: ^[-._a-zA-Z0-9]+$
  6609. type: string
  6610. name:
  6611. description: The name of the Secret resource being referred to.
  6612. maxLength: 253
  6613. minLength: 1
  6614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6615. type: string
  6616. namespace:
  6617. description: |-
  6618. The namespace of the Secret resource being referred to.
  6619. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6620. maxLength: 63
  6621. minLength: 1
  6622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6623. type: string
  6624. type: object
  6625. privateKeySecretRef:
  6626. description: |-
  6627. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6628. In some instances, `key` is a required field.
  6629. properties:
  6630. key:
  6631. description: |-
  6632. A key in the referenced Secret.
  6633. Some instances of this field may be defaulted, in others it may be required.
  6634. maxLength: 253
  6635. minLength: 1
  6636. pattern: ^[-._a-zA-Z0-9]+$
  6637. type: string
  6638. name:
  6639. description: The name of the Secret resource being referred to.
  6640. maxLength: 253
  6641. minLength: 1
  6642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6643. type: string
  6644. namespace:
  6645. description: |-
  6646. The namespace of the Secret resource being referred to.
  6647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6648. maxLength: 63
  6649. minLength: 1
  6650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6651. type: string
  6652. type: object
  6653. required:
  6654. - passwordSecretRef
  6655. - privateKeySecretRef
  6656. type: object
  6657. caBundle:
  6658. description: |-
  6659. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6660. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6661. are used to validate the TLS connection.
  6662. format: byte
  6663. type: string
  6664. caProvider:
  6665. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6666. properties:
  6667. key:
  6668. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6669. maxLength: 253
  6670. minLength: 1
  6671. pattern: ^[-._a-zA-Z0-9]+$
  6672. type: string
  6673. name:
  6674. description: The name of the object located at the provider type.
  6675. maxLength: 253
  6676. minLength: 1
  6677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6678. type: string
  6679. namespace:
  6680. description: |-
  6681. The namespace the Provider type is in.
  6682. Can only be defined when used in a ClusterSecretStore.
  6683. maxLength: 63
  6684. minLength: 1
  6685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6686. type: string
  6687. type:
  6688. description: The type of provider to use such as "Secret", or "ConfigMap".
  6689. enum:
  6690. - Secret
  6691. - ConfigMap
  6692. type: string
  6693. required:
  6694. - name
  6695. - type
  6696. type: object
  6697. host:
  6698. description: Host defines the Passbolt Server to connect to
  6699. type: string
  6700. required:
  6701. - auth
  6702. - host
  6703. type: object
  6704. passworddepot:
  6705. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6706. properties:
  6707. auth:
  6708. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6709. properties:
  6710. secretRef:
  6711. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6712. properties:
  6713. credentials:
  6714. description: Username / Password is used for authentication.
  6715. properties:
  6716. key:
  6717. description: |-
  6718. A key in the referenced Secret.
  6719. Some instances of this field may be defaulted, in others it may be required.
  6720. maxLength: 253
  6721. minLength: 1
  6722. pattern: ^[-._a-zA-Z0-9]+$
  6723. type: string
  6724. name:
  6725. description: The name of the Secret resource being referred to.
  6726. maxLength: 253
  6727. minLength: 1
  6728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6729. type: string
  6730. namespace:
  6731. description: |-
  6732. The namespace of the Secret resource being referred to.
  6733. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6734. maxLength: 63
  6735. minLength: 1
  6736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6737. type: string
  6738. type: object
  6739. type: object
  6740. required:
  6741. - secretRef
  6742. type: object
  6743. database:
  6744. description: Database to use as source
  6745. type: string
  6746. host:
  6747. description: URL configures the Password Depot instance URL.
  6748. type: string
  6749. required:
  6750. - auth
  6751. - database
  6752. - host
  6753. type: object
  6754. previder:
  6755. description: Previder configures this store to sync secrets using the Previder provider
  6756. properties:
  6757. auth:
  6758. description: PreviderAuth contains a secretRef for credentials.
  6759. properties:
  6760. secretRef:
  6761. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6762. properties:
  6763. accessToken:
  6764. description: The AccessToken is used for authentication
  6765. properties:
  6766. key:
  6767. description: |-
  6768. A key in the referenced Secret.
  6769. Some instances of this field may be defaulted, in others it may be required.
  6770. maxLength: 253
  6771. minLength: 1
  6772. pattern: ^[-._a-zA-Z0-9]+$
  6773. type: string
  6774. name:
  6775. description: The name of the Secret resource being referred to.
  6776. maxLength: 253
  6777. minLength: 1
  6778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6779. type: string
  6780. namespace:
  6781. description: |-
  6782. The namespace of the Secret resource being referred to.
  6783. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6784. maxLength: 63
  6785. minLength: 1
  6786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6787. type: string
  6788. type: object
  6789. required:
  6790. - accessToken
  6791. type: object
  6792. type: object
  6793. baseUri:
  6794. type: string
  6795. required:
  6796. - auth
  6797. type: object
  6798. pulumi:
  6799. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6800. properties:
  6801. accessToken:
  6802. description: |-
  6803. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  6804. Deprecated: Use auth.accessToken instead.
  6805. properties:
  6806. secretRef:
  6807. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6808. properties:
  6809. key:
  6810. description: |-
  6811. A key in the referenced Secret.
  6812. Some instances of this field may be defaulted, in others it may be required.
  6813. maxLength: 253
  6814. minLength: 1
  6815. pattern: ^[-._a-zA-Z0-9]+$
  6816. type: string
  6817. name:
  6818. description: The name of the Secret resource being referred to.
  6819. maxLength: 253
  6820. minLength: 1
  6821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6822. type: string
  6823. namespace:
  6824. description: |-
  6825. The namespace of the Secret resource being referred to.
  6826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6827. maxLength: 63
  6828. minLength: 1
  6829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6830. type: string
  6831. type: object
  6832. type: object
  6833. apiUrl:
  6834. default: https://api.pulumi.com/api/esc
  6835. description: APIURL is the URL of the Pulumi API.
  6836. type: string
  6837. auth:
  6838. description: |-
  6839. Auth configures how the Operator authenticates with the Pulumi API.
  6840. Either auth or the deprecated accessToken field must be specified.
  6841. properties:
  6842. accessToken:
  6843. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  6844. properties:
  6845. secretRef:
  6846. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6847. properties:
  6848. key:
  6849. description: |-
  6850. A key in the referenced Secret.
  6851. Some instances of this field may be defaulted, in others it may be required.
  6852. maxLength: 253
  6853. minLength: 1
  6854. pattern: ^[-._a-zA-Z0-9]+$
  6855. type: string
  6856. name:
  6857. description: The name of the Secret resource being referred to.
  6858. maxLength: 253
  6859. minLength: 1
  6860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6861. type: string
  6862. namespace:
  6863. description: |-
  6864. The namespace of the Secret resource being referred to.
  6865. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6866. maxLength: 63
  6867. minLength: 1
  6868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6869. type: string
  6870. type: object
  6871. type: object
  6872. oidcConfig:
  6873. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  6874. properties:
  6875. expirationSeconds:
  6876. default: 600
  6877. description: |-
  6878. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  6879. Defaults to 10 minutes.
  6880. format: int64
  6881. minimum: 600
  6882. type: integer
  6883. organization:
  6884. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  6885. type: string
  6886. serviceAccountRef:
  6887. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  6888. properties:
  6889. audiences:
  6890. description: |-
  6891. Audience specifies the `aud` claim for the service account token
  6892. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6893. then this audiences will be appended to the list
  6894. items:
  6895. type: string
  6896. type: array
  6897. name:
  6898. description: The name of the ServiceAccount resource being referred to.
  6899. maxLength: 253
  6900. minLength: 1
  6901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6902. type: string
  6903. namespace:
  6904. description: |-
  6905. Namespace of the resource being referred to.
  6906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6907. maxLength: 63
  6908. minLength: 1
  6909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6910. type: string
  6911. required:
  6912. - name
  6913. type: object
  6914. required:
  6915. - organization
  6916. - serviceAccountRef
  6917. type: object
  6918. type: object
  6919. x-kubernetes-validations:
  6920. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  6921. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  6922. environment:
  6923. description: |-
  6924. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  6925. dynamically retrieved values from supported providers including all major clouds,
  6926. and other Pulumi ESC environments.
  6927. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  6928. type: string
  6929. organization:
  6930. description: |-
  6931. Organization are a space to collaborate on shared projects and stacks.
  6932. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  6933. type: string
  6934. project:
  6935. description: Project is the name of the Pulumi ESC project the environment belongs to.
  6936. type: string
  6937. required:
  6938. - environment
  6939. - organization
  6940. - project
  6941. type: object
  6942. x-kubernetes-validations:
  6943. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  6944. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  6945. scaleway:
  6946. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  6947. properties:
  6948. accessKey:
  6949. description: AccessKey is the non-secret part of the api key.
  6950. properties:
  6951. secretRef:
  6952. description: SecretRef references a key in a secret that will be used as value.
  6953. properties:
  6954. key:
  6955. description: |-
  6956. A key in the referenced Secret.
  6957. Some instances of this field may be defaulted, in others it may be required.
  6958. maxLength: 253
  6959. minLength: 1
  6960. pattern: ^[-._a-zA-Z0-9]+$
  6961. type: string
  6962. name:
  6963. description: The name of the Secret resource being referred to.
  6964. maxLength: 253
  6965. minLength: 1
  6966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6967. type: string
  6968. namespace:
  6969. description: |-
  6970. The namespace of the Secret resource being referred to.
  6971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6972. maxLength: 63
  6973. minLength: 1
  6974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6975. type: string
  6976. type: object
  6977. value:
  6978. description: Value can be specified directly to set a value without using a secret.
  6979. type: string
  6980. type: object
  6981. apiUrl:
  6982. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  6983. type: string
  6984. projectId:
  6985. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  6986. type: string
  6987. region:
  6988. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  6989. type: string
  6990. secretKey:
  6991. description: SecretKey is the non-secret part of the api key.
  6992. properties:
  6993. secretRef:
  6994. description: SecretRef references a key in a secret that will be used as value.
  6995. properties:
  6996. key:
  6997. description: |-
  6998. A key in the referenced Secret.
  6999. Some instances of this field may be defaulted, in others it may be required.
  7000. maxLength: 253
  7001. minLength: 1
  7002. pattern: ^[-._a-zA-Z0-9]+$
  7003. type: string
  7004. name:
  7005. description: The name of the Secret resource being referred to.
  7006. maxLength: 253
  7007. minLength: 1
  7008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7009. type: string
  7010. namespace:
  7011. description: |-
  7012. The namespace of the Secret resource being referred to.
  7013. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7014. maxLength: 63
  7015. minLength: 1
  7016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7017. type: string
  7018. type: object
  7019. value:
  7020. description: Value can be specified directly to set a value without using a secret.
  7021. type: string
  7022. type: object
  7023. required:
  7024. - accessKey
  7025. - projectId
  7026. - region
  7027. - secretKey
  7028. type: object
  7029. secretserver:
  7030. description: |-
  7031. SecretServer configures this store to sync secrets using SecretServer provider
  7032. https://docs.delinea.com/online-help/secret-server/start.htm
  7033. properties:
  7034. caBundle:
  7035. description: |-
  7036. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  7037. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  7038. are used to validate the TLS connection.
  7039. format: byte
  7040. type: string
  7041. caProvider:
  7042. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  7043. properties:
  7044. key:
  7045. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7046. maxLength: 253
  7047. minLength: 1
  7048. pattern: ^[-._a-zA-Z0-9]+$
  7049. type: string
  7050. name:
  7051. description: The name of the object located at the provider type.
  7052. maxLength: 253
  7053. minLength: 1
  7054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7055. type: string
  7056. namespace:
  7057. description: |-
  7058. The namespace the Provider type is in.
  7059. Can only be defined when used in a ClusterSecretStore.
  7060. maxLength: 63
  7061. minLength: 1
  7062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7063. type: string
  7064. type:
  7065. description: The type of provider to use such as "Secret", or "ConfigMap".
  7066. enum:
  7067. - Secret
  7068. - ConfigMap
  7069. type: string
  7070. required:
  7071. - name
  7072. - type
  7073. type: object
  7074. domain:
  7075. description: Domain is the secret server domain.
  7076. type: string
  7077. password:
  7078. description: Password is the secret server account password.
  7079. properties:
  7080. secretRef:
  7081. description: SecretRef references a key in a secret that will be used as value.
  7082. properties:
  7083. key:
  7084. description: |-
  7085. A key in the referenced Secret.
  7086. Some instances of this field may be defaulted, in others it may be required.
  7087. maxLength: 253
  7088. minLength: 1
  7089. pattern: ^[-._a-zA-Z0-9]+$
  7090. type: string
  7091. name:
  7092. description: The name of the Secret resource being referred to.
  7093. maxLength: 253
  7094. minLength: 1
  7095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7096. type: string
  7097. namespace:
  7098. description: |-
  7099. The namespace of the Secret resource being referred to.
  7100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7101. maxLength: 63
  7102. minLength: 1
  7103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7104. type: string
  7105. type: object
  7106. value:
  7107. description: Value can be specified directly to set a value without using a secret.
  7108. type: string
  7109. type: object
  7110. serverURL:
  7111. description: |-
  7112. ServerURL
  7113. URL to your secret server installation
  7114. type: string
  7115. username:
  7116. description: Username is the secret server account username.
  7117. properties:
  7118. secretRef:
  7119. description: SecretRef references a key in a secret that will be used as value.
  7120. properties:
  7121. key:
  7122. description: |-
  7123. A key in the referenced Secret.
  7124. Some instances of this field may be defaulted, in others it may be required.
  7125. maxLength: 253
  7126. minLength: 1
  7127. pattern: ^[-._a-zA-Z0-9]+$
  7128. type: string
  7129. name:
  7130. description: The name of the Secret resource being referred to.
  7131. maxLength: 253
  7132. minLength: 1
  7133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7134. type: string
  7135. namespace:
  7136. description: |-
  7137. The namespace of the Secret resource being referred to.
  7138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7139. maxLength: 63
  7140. minLength: 1
  7141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7142. type: string
  7143. type: object
  7144. value:
  7145. description: Value can be specified directly to set a value without using a secret.
  7146. type: string
  7147. type: object
  7148. required:
  7149. - password
  7150. - serverURL
  7151. - username
  7152. type: object
  7153. senhasegura:
  7154. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7155. properties:
  7156. auth:
  7157. description: Auth defines parameters to authenticate in senhasegura
  7158. properties:
  7159. clientId:
  7160. type: string
  7161. clientSecretSecretRef:
  7162. description: |-
  7163. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7164. In some instances, `key` is a required field.
  7165. properties:
  7166. key:
  7167. description: |-
  7168. A key in the referenced Secret.
  7169. Some instances of this field may be defaulted, in others it may be required.
  7170. maxLength: 253
  7171. minLength: 1
  7172. pattern: ^[-._a-zA-Z0-9]+$
  7173. type: string
  7174. name:
  7175. description: The name of the Secret resource being referred to.
  7176. maxLength: 253
  7177. minLength: 1
  7178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7179. type: string
  7180. namespace:
  7181. description: |-
  7182. The namespace of the Secret resource being referred to.
  7183. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7184. maxLength: 63
  7185. minLength: 1
  7186. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7187. type: string
  7188. type: object
  7189. required:
  7190. - clientId
  7191. - clientSecretSecretRef
  7192. type: object
  7193. ignoreSslCertificate:
  7194. default: false
  7195. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  7196. type: boolean
  7197. module:
  7198. description: Module defines which senhasegura module should be used to get secrets
  7199. type: string
  7200. url:
  7201. description: URL of senhasegura
  7202. type: string
  7203. required:
  7204. - auth
  7205. - module
  7206. - url
  7207. type: object
  7208. vault:
  7209. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7210. properties:
  7211. auth:
  7212. description: Auth configures how secret-manager authenticates with the Vault server.
  7213. properties:
  7214. appRole:
  7215. description: |-
  7216. AppRole authenticates with Vault using the App Role auth mechanism,
  7217. with the role and secret stored in a Kubernetes Secret resource.
  7218. properties:
  7219. path:
  7220. default: approle
  7221. description: |-
  7222. Path where the App Role authentication backend is mounted
  7223. in Vault, e.g: "approle"
  7224. type: string
  7225. roleId:
  7226. description: |-
  7227. RoleID configured in the App Role authentication backend when setting
  7228. up the authentication backend in Vault.
  7229. type: string
  7230. roleRef:
  7231. description: |-
  7232. Reference to a key in a Secret that contains the App Role ID used
  7233. to authenticate with Vault.
  7234. The `key` field must be specified and denotes which entry within the Secret
  7235. resource is used as the app role id.
  7236. properties:
  7237. key:
  7238. description: |-
  7239. A key in the referenced Secret.
  7240. Some instances of this field may be defaulted, in others it may be required.
  7241. maxLength: 253
  7242. minLength: 1
  7243. pattern: ^[-._a-zA-Z0-9]+$
  7244. type: string
  7245. name:
  7246. description: The name of the Secret resource being referred to.
  7247. maxLength: 253
  7248. minLength: 1
  7249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7250. type: string
  7251. namespace:
  7252. description: |-
  7253. The namespace of the Secret resource being referred to.
  7254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7255. maxLength: 63
  7256. minLength: 1
  7257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7258. type: string
  7259. type: object
  7260. secretRef:
  7261. description: |-
  7262. Reference to a key in a Secret that contains the App Role secret used
  7263. to authenticate with Vault.
  7264. The `key` field must be specified and denotes which entry within the Secret
  7265. resource is used as the app role secret.
  7266. properties:
  7267. key:
  7268. description: |-
  7269. A key in the referenced Secret.
  7270. Some instances of this field may be defaulted, in others it may be required.
  7271. maxLength: 253
  7272. minLength: 1
  7273. pattern: ^[-._a-zA-Z0-9]+$
  7274. type: string
  7275. name:
  7276. description: The name of the Secret resource being referred to.
  7277. maxLength: 253
  7278. minLength: 1
  7279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7280. type: string
  7281. namespace:
  7282. description: |-
  7283. The namespace of the Secret resource being referred to.
  7284. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7285. maxLength: 63
  7286. minLength: 1
  7287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7288. type: string
  7289. type: object
  7290. required:
  7291. - path
  7292. - secretRef
  7293. type: object
  7294. cert:
  7295. description: |-
  7296. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7297. Cert authentication method
  7298. properties:
  7299. clientCert:
  7300. description: |-
  7301. ClientCert is a certificate to authenticate using the Cert Vault
  7302. authentication method
  7303. properties:
  7304. key:
  7305. description: |-
  7306. A key in the referenced Secret.
  7307. Some instances of this field may be defaulted, in others it may be required.
  7308. maxLength: 253
  7309. minLength: 1
  7310. pattern: ^[-._a-zA-Z0-9]+$
  7311. type: string
  7312. name:
  7313. description: The name of the Secret resource being referred to.
  7314. maxLength: 253
  7315. minLength: 1
  7316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7317. type: string
  7318. namespace:
  7319. description: |-
  7320. The namespace of the Secret resource being referred to.
  7321. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7322. maxLength: 63
  7323. minLength: 1
  7324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7325. type: string
  7326. type: object
  7327. path:
  7328. default: cert
  7329. description: |-
  7330. Path where the Certificate authentication backend is mounted
  7331. in Vault, e.g: "cert"
  7332. type: string
  7333. secretRef:
  7334. description: |-
  7335. SecretRef to a key in a Secret resource containing client private key to
  7336. authenticate with Vault using the Cert authentication method
  7337. properties:
  7338. key:
  7339. description: |-
  7340. A key in the referenced Secret.
  7341. Some instances of this field may be defaulted, in others it may be required.
  7342. maxLength: 253
  7343. minLength: 1
  7344. pattern: ^[-._a-zA-Z0-9]+$
  7345. type: string
  7346. name:
  7347. description: The name of the Secret resource being referred to.
  7348. maxLength: 253
  7349. minLength: 1
  7350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7351. type: string
  7352. namespace:
  7353. description: |-
  7354. The namespace of the Secret resource being referred to.
  7355. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7356. maxLength: 63
  7357. minLength: 1
  7358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7359. type: string
  7360. type: object
  7361. vaultRole:
  7362. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7363. type: string
  7364. type: object
  7365. gcp:
  7366. description: |-
  7367. Gcp authenticates with Vault using Google Cloud Platform authentication method
  7368. GCP authentication method
  7369. properties:
  7370. location:
  7371. description: Location optionally defines a location/region for the secret
  7372. type: string
  7373. path:
  7374. default: gcp
  7375. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7376. type: string
  7377. projectID:
  7378. description: Project ID of the Google Cloud Platform project
  7379. type: string
  7380. role:
  7381. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7382. type: string
  7383. secretRef:
  7384. description: Specify credentials in a Secret object
  7385. properties:
  7386. secretAccessKeySecretRef:
  7387. description: The SecretAccessKey is used for authentication
  7388. properties:
  7389. key:
  7390. description: |-
  7391. A key in the referenced Secret.
  7392. Some instances of this field may be defaulted, in others it may be required.
  7393. maxLength: 253
  7394. minLength: 1
  7395. pattern: ^[-._a-zA-Z0-9]+$
  7396. type: string
  7397. name:
  7398. description: The name of the Secret resource being referred to.
  7399. maxLength: 253
  7400. minLength: 1
  7401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7402. type: string
  7403. namespace:
  7404. description: |-
  7405. The namespace of the Secret resource being referred to.
  7406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7407. maxLength: 63
  7408. minLength: 1
  7409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7410. type: string
  7411. type: object
  7412. type: object
  7413. serviceAccountRef:
  7414. description: ServiceAccountRef to a service account for impersonation
  7415. properties:
  7416. audiences:
  7417. description: |-
  7418. Audience specifies the `aud` claim for the service account token
  7419. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7420. then this audiences will be appended to the list
  7421. items:
  7422. type: string
  7423. type: array
  7424. name:
  7425. description: The name of the ServiceAccount resource being referred to.
  7426. maxLength: 253
  7427. minLength: 1
  7428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7429. type: string
  7430. namespace:
  7431. description: |-
  7432. Namespace of the resource being referred to.
  7433. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7434. maxLength: 63
  7435. minLength: 1
  7436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7437. type: string
  7438. required:
  7439. - name
  7440. type: object
  7441. workloadIdentity:
  7442. description: Specify a service account with Workload Identity
  7443. properties:
  7444. clusterLocation:
  7445. description: |-
  7446. ClusterLocation is the location of the cluster
  7447. If not specified, it fetches information from the metadata server
  7448. type: string
  7449. clusterName:
  7450. description: |-
  7451. ClusterName is the name of the cluster
  7452. If not specified, it fetches information from the metadata server
  7453. type: string
  7454. clusterProjectID:
  7455. description: |-
  7456. ClusterProjectID is the project ID of the cluster
  7457. If not specified, it fetches information from the metadata server
  7458. type: string
  7459. serviceAccountRef:
  7460. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7461. properties:
  7462. audiences:
  7463. description: |-
  7464. Audience specifies the `aud` claim for the service account token
  7465. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7466. then this audiences will be appended to the list
  7467. items:
  7468. type: string
  7469. type: array
  7470. name:
  7471. description: The name of the ServiceAccount resource being referred to.
  7472. maxLength: 253
  7473. minLength: 1
  7474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7475. type: string
  7476. namespace:
  7477. description: |-
  7478. Namespace of the resource being referred to.
  7479. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7480. maxLength: 63
  7481. minLength: 1
  7482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7483. type: string
  7484. required:
  7485. - name
  7486. type: object
  7487. required:
  7488. - serviceAccountRef
  7489. type: object
  7490. required:
  7491. - role
  7492. type: object
  7493. iam:
  7494. description: |-
  7495. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  7496. AWS IAM authentication method
  7497. properties:
  7498. externalID:
  7499. description: AWS External ID set on assumed IAM roles
  7500. type: string
  7501. jwt:
  7502. description: Specify a service account with IRSA enabled
  7503. properties:
  7504. serviceAccountRef:
  7505. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7506. properties:
  7507. audiences:
  7508. description: |-
  7509. Audience specifies the `aud` claim for the service account token
  7510. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7511. then this audiences will be appended to the list
  7512. items:
  7513. type: string
  7514. type: array
  7515. name:
  7516. description: The name of the ServiceAccount resource being referred to.
  7517. maxLength: 253
  7518. minLength: 1
  7519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7520. type: string
  7521. namespace:
  7522. description: |-
  7523. Namespace of the resource being referred to.
  7524. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7525. maxLength: 63
  7526. minLength: 1
  7527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7528. type: string
  7529. required:
  7530. - name
  7531. type: object
  7532. type: object
  7533. path:
  7534. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7535. type: string
  7536. region:
  7537. description: AWS region
  7538. type: string
  7539. role:
  7540. description: This is the AWS role to be assumed before talking to vault
  7541. type: string
  7542. secretRef:
  7543. description: Specify credentials in a Secret object
  7544. properties:
  7545. accessKeyIDSecretRef:
  7546. description: The AccessKeyID is used for authentication
  7547. properties:
  7548. key:
  7549. description: |-
  7550. A key in the referenced Secret.
  7551. Some instances of this field may be defaulted, in others it may be required.
  7552. maxLength: 253
  7553. minLength: 1
  7554. pattern: ^[-._a-zA-Z0-9]+$
  7555. type: string
  7556. name:
  7557. description: The name of the Secret resource being referred to.
  7558. maxLength: 253
  7559. minLength: 1
  7560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7561. type: string
  7562. namespace:
  7563. description: |-
  7564. The namespace of the Secret resource being referred to.
  7565. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7566. maxLength: 63
  7567. minLength: 1
  7568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7569. type: string
  7570. type: object
  7571. secretAccessKeySecretRef:
  7572. description: The SecretAccessKey is used for authentication
  7573. properties:
  7574. key:
  7575. description: |-
  7576. A key in the referenced Secret.
  7577. Some instances of this field may be defaulted, in others it may be required.
  7578. maxLength: 253
  7579. minLength: 1
  7580. pattern: ^[-._a-zA-Z0-9]+$
  7581. type: string
  7582. name:
  7583. description: The name of the Secret resource being referred to.
  7584. maxLength: 253
  7585. minLength: 1
  7586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7587. type: string
  7588. namespace:
  7589. description: |-
  7590. The namespace of the Secret resource being referred to.
  7591. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7592. maxLength: 63
  7593. minLength: 1
  7594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7595. type: string
  7596. type: object
  7597. sessionTokenSecretRef:
  7598. description: |-
  7599. The SessionToken used for authentication
  7600. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7601. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7602. properties:
  7603. key:
  7604. description: |-
  7605. A key in the referenced Secret.
  7606. Some instances of this field may be defaulted, in others it may be required.
  7607. maxLength: 253
  7608. minLength: 1
  7609. pattern: ^[-._a-zA-Z0-9]+$
  7610. type: string
  7611. name:
  7612. description: The name of the Secret resource being referred to.
  7613. maxLength: 253
  7614. minLength: 1
  7615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7616. type: string
  7617. namespace:
  7618. description: |-
  7619. The namespace of the Secret resource being referred to.
  7620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7621. maxLength: 63
  7622. minLength: 1
  7623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7624. type: string
  7625. type: object
  7626. type: object
  7627. vaultAwsIamServerID:
  7628. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7629. type: string
  7630. vaultRole:
  7631. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7632. type: string
  7633. required:
  7634. - vaultRole
  7635. type: object
  7636. jwt:
  7637. description: |-
  7638. Jwt authenticates with Vault by passing role and JWT token using the
  7639. JWT/OIDC authentication method
  7640. properties:
  7641. kubernetesServiceAccountToken:
  7642. description: |-
  7643. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7644. a token for with the `TokenRequest` API.
  7645. properties:
  7646. audiences:
  7647. description: |-
  7648. Optional audiences field that will be used to request a temporary Kubernetes service
  7649. account token for the service account referenced by `serviceAccountRef`.
  7650. Defaults to a single audience `vault` it not specified.
  7651. Deprecated: use serviceAccountRef.Audiences instead
  7652. items:
  7653. type: string
  7654. type: array
  7655. expirationSeconds:
  7656. description: |-
  7657. Optional expiration time in seconds that will be used to request a temporary
  7658. Kubernetes service account token for the service account referenced by
  7659. `serviceAccountRef`.
  7660. Deprecated: this will be removed in the future.
  7661. Defaults to 10 minutes.
  7662. format: int64
  7663. type: integer
  7664. serviceAccountRef:
  7665. description: Service account field containing the name of a kubernetes ServiceAccount.
  7666. properties:
  7667. audiences:
  7668. description: |-
  7669. Audience specifies the `aud` claim for the service account token
  7670. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7671. then this audiences will be appended to the list
  7672. items:
  7673. type: string
  7674. type: array
  7675. name:
  7676. description: The name of the ServiceAccount resource being referred to.
  7677. maxLength: 253
  7678. minLength: 1
  7679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7680. type: string
  7681. namespace:
  7682. description: |-
  7683. Namespace of the resource being referred to.
  7684. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7685. maxLength: 63
  7686. minLength: 1
  7687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7688. type: string
  7689. required:
  7690. - name
  7691. type: object
  7692. required:
  7693. - serviceAccountRef
  7694. type: object
  7695. path:
  7696. default: jwt
  7697. description: |-
  7698. Path where the JWT authentication backend is mounted
  7699. in Vault, e.g: "jwt"
  7700. type: string
  7701. role:
  7702. description: |-
  7703. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7704. authentication method
  7705. type: string
  7706. secretRef:
  7707. description: |-
  7708. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7709. authenticate with Vault using the JWT/OIDC authentication method.
  7710. properties:
  7711. key:
  7712. description: |-
  7713. A key in the referenced Secret.
  7714. Some instances of this field may be defaulted, in others it may be required.
  7715. maxLength: 253
  7716. minLength: 1
  7717. pattern: ^[-._a-zA-Z0-9]+$
  7718. type: string
  7719. name:
  7720. description: The name of the Secret resource being referred to.
  7721. maxLength: 253
  7722. minLength: 1
  7723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7724. type: string
  7725. namespace:
  7726. description: |-
  7727. The namespace of the Secret resource being referred to.
  7728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7729. maxLength: 63
  7730. minLength: 1
  7731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7732. type: string
  7733. type: object
  7734. required:
  7735. - path
  7736. type: object
  7737. kubernetes:
  7738. description: |-
  7739. Kubernetes authenticates with Vault by passing the ServiceAccount
  7740. token stored in the named Secret resource to the Vault server.
  7741. properties:
  7742. mountPath:
  7743. default: kubernetes
  7744. description: |-
  7745. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7746. "kubernetes"
  7747. type: string
  7748. role:
  7749. description: |-
  7750. A required field containing the Vault Role to assume. A Role binds a
  7751. Kubernetes ServiceAccount with a set of Vault policies.
  7752. type: string
  7753. secretRef:
  7754. description: |-
  7755. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7756. for authenticating with Vault. If a name is specified without a key,
  7757. `token` is the default. If one is not specified, the one bound to
  7758. the controller will be used.
  7759. properties:
  7760. key:
  7761. description: |-
  7762. A key in the referenced Secret.
  7763. Some instances of this field may be defaulted, in others it may be required.
  7764. maxLength: 253
  7765. minLength: 1
  7766. pattern: ^[-._a-zA-Z0-9]+$
  7767. type: string
  7768. name:
  7769. description: The name of the Secret resource being referred to.
  7770. maxLength: 253
  7771. minLength: 1
  7772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7773. type: string
  7774. namespace:
  7775. description: |-
  7776. The namespace of the Secret resource being referred to.
  7777. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7778. maxLength: 63
  7779. minLength: 1
  7780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7781. type: string
  7782. type: object
  7783. serviceAccountRef:
  7784. description: |-
  7785. Optional service account field containing the name of a kubernetes ServiceAccount.
  7786. If the service account is specified, the service account secret token JWT will be used
  7787. for authenticating with Vault. If the service account selector is not supplied,
  7788. the secretRef will be used instead.
  7789. properties:
  7790. audiences:
  7791. description: |-
  7792. Audience specifies the `aud` claim for the service account token
  7793. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7794. then this audiences will be appended to the list
  7795. items:
  7796. type: string
  7797. type: array
  7798. name:
  7799. description: The name of the ServiceAccount resource being referred to.
  7800. maxLength: 253
  7801. minLength: 1
  7802. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7803. type: string
  7804. namespace:
  7805. description: |-
  7806. Namespace of the resource being referred to.
  7807. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7808. maxLength: 63
  7809. minLength: 1
  7810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7811. type: string
  7812. required:
  7813. - name
  7814. type: object
  7815. required:
  7816. - mountPath
  7817. - role
  7818. type: object
  7819. ldap:
  7820. description: |-
  7821. Ldap authenticates with Vault by passing username/password pair using
  7822. the LDAP authentication method
  7823. properties:
  7824. path:
  7825. default: ldap
  7826. description: |-
  7827. Path where the LDAP authentication backend is mounted
  7828. in Vault, e.g: "ldap"
  7829. type: string
  7830. secretRef:
  7831. description: |-
  7832. SecretRef to a key in a Secret resource containing password for the LDAP
  7833. user used to authenticate with Vault using the LDAP authentication
  7834. method
  7835. properties:
  7836. key:
  7837. description: |-
  7838. A key in the referenced Secret.
  7839. Some instances of this field may be defaulted, in others it may be required.
  7840. maxLength: 253
  7841. minLength: 1
  7842. pattern: ^[-._a-zA-Z0-9]+$
  7843. type: string
  7844. name:
  7845. description: The name of the Secret resource being referred to.
  7846. maxLength: 253
  7847. minLength: 1
  7848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7849. type: string
  7850. namespace:
  7851. description: |-
  7852. The namespace of the Secret resource being referred to.
  7853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7854. maxLength: 63
  7855. minLength: 1
  7856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7857. type: string
  7858. type: object
  7859. username:
  7860. description: |-
  7861. Username is an LDAP username used to authenticate using the LDAP Vault
  7862. authentication method
  7863. type: string
  7864. required:
  7865. - path
  7866. - username
  7867. type: object
  7868. namespace:
  7869. description: |-
  7870. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  7871. Namespaces is a set of features within Vault Enterprise that allows
  7872. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7873. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7874. This will default to Vault.Namespace field if set, or empty otherwise
  7875. type: string
  7876. tokenSecretRef:
  7877. description: TokenSecretRef authenticates with Vault by presenting a token.
  7878. properties:
  7879. key:
  7880. description: |-
  7881. A key in the referenced Secret.
  7882. Some instances of this field may be defaulted, in others it may be required.
  7883. maxLength: 253
  7884. minLength: 1
  7885. pattern: ^[-._a-zA-Z0-9]+$
  7886. type: string
  7887. name:
  7888. description: The name of the Secret resource being referred to.
  7889. maxLength: 253
  7890. minLength: 1
  7891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7892. type: string
  7893. namespace:
  7894. description: |-
  7895. The namespace of the Secret resource being referred to.
  7896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7897. maxLength: 63
  7898. minLength: 1
  7899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7900. type: string
  7901. type: object
  7902. userPass:
  7903. description: UserPass authenticates with Vault by passing username/password pair
  7904. properties:
  7905. path:
  7906. default: userpass
  7907. description: |-
  7908. Path where the UserPassword authentication backend is mounted
  7909. in Vault, e.g: "userpass"
  7910. type: string
  7911. secretRef:
  7912. description: |-
  7913. SecretRef to a key in a Secret resource containing password for the
  7914. user used to authenticate with Vault using the UserPass authentication
  7915. method
  7916. properties:
  7917. key:
  7918. description: |-
  7919. A key in the referenced Secret.
  7920. Some instances of this field may be defaulted, in others it may be required.
  7921. maxLength: 253
  7922. minLength: 1
  7923. pattern: ^[-._a-zA-Z0-9]+$
  7924. type: string
  7925. name:
  7926. description: The name of the Secret resource being referred to.
  7927. maxLength: 253
  7928. minLength: 1
  7929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7930. type: string
  7931. namespace:
  7932. description: |-
  7933. The namespace of the Secret resource being referred to.
  7934. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7935. maxLength: 63
  7936. minLength: 1
  7937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7938. type: string
  7939. type: object
  7940. username:
  7941. description: |-
  7942. Username is a username used to authenticate using the UserPass Vault
  7943. authentication method
  7944. type: string
  7945. required:
  7946. - path
  7947. - username
  7948. type: object
  7949. type: object
  7950. caBundle:
  7951. description: |-
  7952. PEM encoded CA bundle used to validate Vault server certificate. Only used
  7953. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7954. plain HTTP protocol connection. If not set the system root certificates
  7955. are used to validate the TLS connection.
  7956. format: byte
  7957. type: string
  7958. caProvider:
  7959. description: The provider for the CA bundle to use to validate Vault server certificate.
  7960. properties:
  7961. key:
  7962. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7963. maxLength: 253
  7964. minLength: 1
  7965. pattern: ^[-._a-zA-Z0-9]+$
  7966. type: string
  7967. name:
  7968. description: The name of the object located at the provider type.
  7969. maxLength: 253
  7970. minLength: 1
  7971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7972. type: string
  7973. namespace:
  7974. description: |-
  7975. The namespace the Provider type is in.
  7976. Can only be defined when used in a ClusterSecretStore.
  7977. maxLength: 63
  7978. minLength: 1
  7979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7980. type: string
  7981. type:
  7982. description: The type of provider to use such as "Secret", or "ConfigMap".
  7983. enum:
  7984. - Secret
  7985. - ConfigMap
  7986. type: string
  7987. required:
  7988. - name
  7989. - type
  7990. type: object
  7991. checkAndSet:
  7992. description: |-
  7993. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  7994. Only applies to Vault KV v2 stores. When enabled, write operations must include
  7995. the current version of the secret to prevent unintentional overwrites.
  7996. properties:
  7997. required:
  7998. description: |-
  7999. Required when true, all write operations must include a check-and-set parameter.
  8000. This helps prevent unintentional overwrites of secrets.
  8001. type: boolean
  8002. type: object
  8003. forwardInconsistent:
  8004. description: |-
  8005. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8006. leader instead of simply retrying within a loop. This can increase performance if
  8007. the option is enabled serverside.
  8008. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8009. type: boolean
  8010. headers:
  8011. additionalProperties:
  8012. type: string
  8013. description: Headers to be added in Vault request
  8014. type: object
  8015. namespace:
  8016. description: |-
  8017. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8018. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8019. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8020. type: string
  8021. path:
  8022. description: |-
  8023. Path is the mount path of the Vault KV backend endpoint, e.g:
  8024. "secret". The v2 KV secret engine version specific "/data" path suffix
  8025. for fetching secrets from Vault is optional and will be appended
  8026. if not present in specified path.
  8027. type: string
  8028. readYourWrites:
  8029. description: |-
  8030. ReadYourWrites ensures isolated read-after-write semantics by
  8031. providing discovered cluster replication states in each request.
  8032. More information about eventual consistency in Vault can be found here
  8033. https://www.vaultproject.io/docs/enterprise/consistency
  8034. type: boolean
  8035. server:
  8036. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8037. type: string
  8038. tls:
  8039. description: |-
  8040. The configuration used for client side related TLS communication, when the Vault server
  8041. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  8042. This parameter is ignored for plain HTTP protocol connection.
  8043. It's worth noting this configuration is different from the "TLS certificates auth method",
  8044. which is available under the `auth.cert` section.
  8045. properties:
  8046. certSecretRef:
  8047. description: |-
  8048. CertSecretRef is a certificate added to the transport layer
  8049. when communicating with the Vault server.
  8050. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  8051. properties:
  8052. key:
  8053. description: |-
  8054. A key in the referenced Secret.
  8055. Some instances of this field may be defaulted, in others it may be required.
  8056. maxLength: 253
  8057. minLength: 1
  8058. pattern: ^[-._a-zA-Z0-9]+$
  8059. type: string
  8060. name:
  8061. description: The name of the Secret resource being referred to.
  8062. maxLength: 253
  8063. minLength: 1
  8064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8065. type: string
  8066. namespace:
  8067. description: |-
  8068. The namespace of the Secret resource being referred to.
  8069. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8070. maxLength: 63
  8071. minLength: 1
  8072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8073. type: string
  8074. type: object
  8075. keySecretRef:
  8076. description: |-
  8077. KeySecretRef to a key in a Secret resource containing client private key
  8078. added to the transport layer when communicating with the Vault server.
  8079. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  8080. properties:
  8081. key:
  8082. description: |-
  8083. A key in the referenced Secret.
  8084. Some instances of this field may be defaulted, in others it may be required.
  8085. maxLength: 253
  8086. minLength: 1
  8087. pattern: ^[-._a-zA-Z0-9]+$
  8088. type: string
  8089. name:
  8090. description: The name of the Secret resource being referred to.
  8091. maxLength: 253
  8092. minLength: 1
  8093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8094. type: string
  8095. namespace:
  8096. description: |-
  8097. The namespace of the Secret resource being referred to.
  8098. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8099. maxLength: 63
  8100. minLength: 1
  8101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8102. type: string
  8103. type: object
  8104. type: object
  8105. version:
  8106. default: v2
  8107. description: |-
  8108. Version is the Vault KV secret engine version. This can be either "v1" or
  8109. "v2". Version defaults to "v2".
  8110. enum:
  8111. - v1
  8112. - v2
  8113. type: string
  8114. required:
  8115. - server
  8116. type: object
  8117. volcengine:
  8118. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8119. properties:
  8120. auth:
  8121. description: |-
  8122. Auth defines the authentication method to use.
  8123. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8124. properties:
  8125. secretRef:
  8126. description: |-
  8127. SecretRef defines the static credentials to use for authentication.
  8128. If not set, IRSA is used.
  8129. properties:
  8130. accessKeyID:
  8131. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8132. properties:
  8133. key:
  8134. description: |-
  8135. A key in the referenced Secret.
  8136. Some instances of this field may be defaulted, in others it may be required.
  8137. maxLength: 253
  8138. minLength: 1
  8139. pattern: ^[-._a-zA-Z0-9]+$
  8140. type: string
  8141. name:
  8142. description: The name of the Secret resource being referred to.
  8143. maxLength: 253
  8144. minLength: 1
  8145. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8146. type: string
  8147. namespace:
  8148. description: |-
  8149. The namespace of the Secret resource being referred to.
  8150. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8151. maxLength: 63
  8152. minLength: 1
  8153. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8154. type: string
  8155. type: object
  8156. secretAccessKey:
  8157. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8158. properties:
  8159. key:
  8160. description: |-
  8161. A key in the referenced Secret.
  8162. Some instances of this field may be defaulted, in others it may be required.
  8163. maxLength: 253
  8164. minLength: 1
  8165. pattern: ^[-._a-zA-Z0-9]+$
  8166. type: string
  8167. name:
  8168. description: The name of the Secret resource being referred to.
  8169. maxLength: 253
  8170. minLength: 1
  8171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8172. type: string
  8173. namespace:
  8174. description: |-
  8175. The namespace of the Secret resource being referred to.
  8176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8177. maxLength: 63
  8178. minLength: 1
  8179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8180. type: string
  8181. type: object
  8182. token:
  8183. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8184. properties:
  8185. key:
  8186. description: |-
  8187. A key in the referenced Secret.
  8188. Some instances of this field may be defaulted, in others it may be required.
  8189. maxLength: 253
  8190. minLength: 1
  8191. pattern: ^[-._a-zA-Z0-9]+$
  8192. type: string
  8193. name:
  8194. description: The name of the Secret resource being referred to.
  8195. maxLength: 253
  8196. minLength: 1
  8197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8198. type: string
  8199. namespace:
  8200. description: |-
  8201. The namespace of the Secret resource being referred to.
  8202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8203. maxLength: 63
  8204. minLength: 1
  8205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8206. type: string
  8207. type: object
  8208. required:
  8209. - accessKeyID
  8210. - secretAccessKey
  8211. type: object
  8212. type: object
  8213. region:
  8214. description: Region specifies the Volcengine region to connect to.
  8215. type: string
  8216. required:
  8217. - region
  8218. type: object
  8219. webhook:
  8220. description: Webhook configures this store to sync secrets using a generic templated webhook
  8221. properties:
  8222. auth:
  8223. description: Auth specifies a authorization protocol. Only one protocol may be set.
  8224. maxProperties: 1
  8225. minProperties: 1
  8226. properties:
  8227. ntlm:
  8228. description: NTLMProtocol configures the store to use NTLM for auth
  8229. properties:
  8230. passwordSecret:
  8231. description: |-
  8232. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8233. In some instances, `key` is a required field.
  8234. properties:
  8235. key:
  8236. description: |-
  8237. A key in the referenced Secret.
  8238. Some instances of this field may be defaulted, in others it may be required.
  8239. maxLength: 253
  8240. minLength: 1
  8241. pattern: ^[-._a-zA-Z0-9]+$
  8242. type: string
  8243. name:
  8244. description: The name of the Secret resource being referred to.
  8245. maxLength: 253
  8246. minLength: 1
  8247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8248. type: string
  8249. namespace:
  8250. description: |-
  8251. The namespace of the Secret resource being referred to.
  8252. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8253. maxLength: 63
  8254. minLength: 1
  8255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8256. type: string
  8257. type: object
  8258. usernameSecret:
  8259. description: |-
  8260. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8261. In some instances, `key` is a required field.
  8262. properties:
  8263. key:
  8264. description: |-
  8265. A key in the referenced Secret.
  8266. Some instances of this field may be defaulted, in others it may be required.
  8267. maxLength: 253
  8268. minLength: 1
  8269. pattern: ^[-._a-zA-Z0-9]+$
  8270. type: string
  8271. name:
  8272. description: The name of the Secret resource being referred to.
  8273. maxLength: 253
  8274. minLength: 1
  8275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8276. type: string
  8277. namespace:
  8278. description: |-
  8279. The namespace of the Secret resource being referred to.
  8280. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8281. maxLength: 63
  8282. minLength: 1
  8283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8284. type: string
  8285. type: object
  8286. required:
  8287. - passwordSecret
  8288. - usernameSecret
  8289. type: object
  8290. type: object
  8291. body:
  8292. description: Body
  8293. type: string
  8294. caBundle:
  8295. description: |-
  8296. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8297. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8298. plain HTTP protocol connection. If not set the system root certificates
  8299. are used to validate the TLS connection.
  8300. format: byte
  8301. type: string
  8302. caProvider:
  8303. description: The provider for the CA bundle to use to validate webhook server certificate.
  8304. properties:
  8305. key:
  8306. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8307. maxLength: 253
  8308. minLength: 1
  8309. pattern: ^[-._a-zA-Z0-9]+$
  8310. type: string
  8311. name:
  8312. description: The name of the object located at the provider type.
  8313. maxLength: 253
  8314. minLength: 1
  8315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8316. type: string
  8317. namespace:
  8318. description: The namespace the Provider type is in.
  8319. maxLength: 63
  8320. minLength: 1
  8321. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8322. type: string
  8323. type:
  8324. description: The type of provider to use such as "Secret", or "ConfigMap".
  8325. enum:
  8326. - Secret
  8327. - ConfigMap
  8328. type: string
  8329. required:
  8330. - name
  8331. - type
  8332. type: object
  8333. headers:
  8334. additionalProperties:
  8335. type: string
  8336. description: Headers
  8337. type: object
  8338. method:
  8339. description: Webhook Method
  8340. type: string
  8341. result:
  8342. description: Result formatting
  8343. properties:
  8344. jsonPath:
  8345. description: Json path of return value
  8346. type: string
  8347. type: object
  8348. secrets:
  8349. description: |-
  8350. Secrets to fill in templates
  8351. These secrets will be passed to the templating function as key value pairs under the given name
  8352. items:
  8353. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8354. properties:
  8355. name:
  8356. description: Name of this secret in templates
  8357. type: string
  8358. secretRef:
  8359. description: Secret ref to fill in credentials
  8360. properties:
  8361. key:
  8362. description: |-
  8363. A key in the referenced Secret.
  8364. Some instances of this field may be defaulted, in others it may be required.
  8365. maxLength: 253
  8366. minLength: 1
  8367. pattern: ^[-._a-zA-Z0-9]+$
  8368. type: string
  8369. name:
  8370. description: The name of the Secret resource being referred to.
  8371. maxLength: 253
  8372. minLength: 1
  8373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8374. type: string
  8375. namespace:
  8376. description: |-
  8377. The namespace of the Secret resource being referred to.
  8378. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8379. maxLength: 63
  8380. minLength: 1
  8381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8382. type: string
  8383. type: object
  8384. required:
  8385. - name
  8386. - secretRef
  8387. type: object
  8388. type: array
  8389. timeout:
  8390. description: Timeout
  8391. type: string
  8392. url:
  8393. description: Webhook url to call
  8394. type: string
  8395. required:
  8396. - url
  8397. type: object
  8398. yandexcertificatemanager:
  8399. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8400. properties:
  8401. apiEndpoint:
  8402. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8403. type: string
  8404. auth:
  8405. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8406. properties:
  8407. authorizedKeySecretRef:
  8408. description: The authorized key used for authentication
  8409. properties:
  8410. key:
  8411. description: |-
  8412. A key in the referenced Secret.
  8413. Some instances of this field may be defaulted, in others it may be required.
  8414. maxLength: 253
  8415. minLength: 1
  8416. pattern: ^[-._a-zA-Z0-9]+$
  8417. type: string
  8418. name:
  8419. description: The name of the Secret resource being referred to.
  8420. maxLength: 253
  8421. minLength: 1
  8422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8423. type: string
  8424. namespace:
  8425. description: |-
  8426. The namespace of the Secret resource being referred to.
  8427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8428. maxLength: 63
  8429. minLength: 1
  8430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8431. type: string
  8432. type: object
  8433. type: object
  8434. caProvider:
  8435. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8436. properties:
  8437. certSecretRef:
  8438. description: |-
  8439. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8440. In some instances, `key` is a required field.
  8441. properties:
  8442. key:
  8443. description: |-
  8444. A key in the referenced Secret.
  8445. Some instances of this field may be defaulted, in others it may be required.
  8446. maxLength: 253
  8447. minLength: 1
  8448. pattern: ^[-._a-zA-Z0-9]+$
  8449. type: string
  8450. name:
  8451. description: The name of the Secret resource being referred to.
  8452. maxLength: 253
  8453. minLength: 1
  8454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8455. type: string
  8456. namespace:
  8457. description: |-
  8458. The namespace of the Secret resource being referred to.
  8459. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8460. maxLength: 63
  8461. minLength: 1
  8462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8463. type: string
  8464. type: object
  8465. type: object
  8466. fetching:
  8467. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8468. maxProperties: 1
  8469. minProperties: 1
  8470. properties:
  8471. byID:
  8472. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8473. type: object
  8474. byName:
  8475. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8476. properties:
  8477. folderID:
  8478. description: The folder to fetch secrets from
  8479. type: string
  8480. required:
  8481. - folderID
  8482. type: object
  8483. type: object
  8484. required:
  8485. - auth
  8486. type: object
  8487. yandexlockbox:
  8488. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8489. properties:
  8490. apiEndpoint:
  8491. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8492. type: string
  8493. auth:
  8494. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8495. properties:
  8496. authorizedKeySecretRef:
  8497. description: The authorized key used for authentication
  8498. properties:
  8499. key:
  8500. description: |-
  8501. A key in the referenced Secret.
  8502. Some instances of this field may be defaulted, in others it may be required.
  8503. maxLength: 253
  8504. minLength: 1
  8505. pattern: ^[-._a-zA-Z0-9]+$
  8506. type: string
  8507. name:
  8508. description: The name of the Secret resource being referred to.
  8509. maxLength: 253
  8510. minLength: 1
  8511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8512. type: string
  8513. namespace:
  8514. description: |-
  8515. The namespace of the Secret resource being referred to.
  8516. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8517. maxLength: 63
  8518. minLength: 1
  8519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8520. type: string
  8521. type: object
  8522. type: object
  8523. caProvider:
  8524. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8525. properties:
  8526. certSecretRef:
  8527. description: |-
  8528. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8529. In some instances, `key` is a required field.
  8530. properties:
  8531. key:
  8532. description: |-
  8533. A key in the referenced Secret.
  8534. Some instances of this field may be defaulted, in others it may be required.
  8535. maxLength: 253
  8536. minLength: 1
  8537. pattern: ^[-._a-zA-Z0-9]+$
  8538. type: string
  8539. name:
  8540. description: The name of the Secret resource being referred to.
  8541. maxLength: 253
  8542. minLength: 1
  8543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8544. type: string
  8545. namespace:
  8546. description: |-
  8547. The namespace of the Secret resource being referred to.
  8548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8549. maxLength: 63
  8550. minLength: 1
  8551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8552. type: string
  8553. type: object
  8554. type: object
  8555. fetching:
  8556. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8557. maxProperties: 1
  8558. minProperties: 1
  8559. properties:
  8560. byID:
  8561. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8562. type: object
  8563. byName:
  8564. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8565. properties:
  8566. folderID:
  8567. description: The folder to fetch secrets from
  8568. type: string
  8569. required:
  8570. - folderID
  8571. type: object
  8572. type: object
  8573. required:
  8574. - auth
  8575. type: object
  8576. type: object
  8577. refreshInterval:
  8578. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8579. type: integer
  8580. retrySettings:
  8581. description: Used to configure HTTP retries on failures.
  8582. properties:
  8583. maxRetries:
  8584. format: int32
  8585. type: integer
  8586. retryInterval:
  8587. type: string
  8588. type: object
  8589. required:
  8590. - provider
  8591. type: object
  8592. status:
  8593. description: SecretStoreStatus defines the observed state of the SecretStore.
  8594. properties:
  8595. capabilities:
  8596. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8597. type: string
  8598. conditions:
  8599. items:
  8600. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8601. properties:
  8602. lastTransitionTime:
  8603. format: date-time
  8604. type: string
  8605. message:
  8606. type: string
  8607. reason:
  8608. type: string
  8609. status:
  8610. type: string
  8611. type:
  8612. description: SecretStoreConditionType represents the condition of the SecretStore.
  8613. type: string
  8614. required:
  8615. - status
  8616. - type
  8617. type: object
  8618. type: array
  8619. type: object
  8620. type: object
  8621. served: true
  8622. storage: true
  8623. subresources:
  8624. status: {}
  8625. - additionalPrinterColumns:
  8626. - jsonPath: .metadata.creationTimestamp
  8627. name: AGE
  8628. type: date
  8629. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8630. name: Status
  8631. type: string
  8632. - jsonPath: .status.capabilities
  8633. name: Capabilities
  8634. type: string
  8635. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8636. name: Ready
  8637. type: string
  8638. deprecated: true
  8639. name: v1beta1
  8640. schema:
  8641. openAPIV3Schema:
  8642. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8643. properties:
  8644. apiVersion:
  8645. description: |-
  8646. APIVersion defines the versioned schema of this representation of an object.
  8647. Servers should convert recognized schemas to the latest internal value, and
  8648. may reject unrecognized values.
  8649. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8650. type: string
  8651. kind:
  8652. description: |-
  8653. Kind is a string value representing the REST resource this object represents.
  8654. Servers may infer this from the endpoint the client submits requests to.
  8655. Cannot be updated.
  8656. In CamelCase.
  8657. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8658. type: string
  8659. metadata:
  8660. type: object
  8661. spec:
  8662. description: SecretStoreSpec defines the desired state of SecretStore.
  8663. properties:
  8664. conditions:
  8665. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8666. items:
  8667. description: |-
  8668. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8669. for a ClusterSecretStore instance.
  8670. properties:
  8671. namespaceRegexes:
  8672. description: Choose namespaces by using regex matching
  8673. items:
  8674. type: string
  8675. type: array
  8676. namespaceSelector:
  8677. description: Choose namespace using a labelSelector
  8678. properties:
  8679. matchExpressions:
  8680. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8681. items:
  8682. description: |-
  8683. A label selector requirement is a selector that contains values, a key, and an operator that
  8684. relates the key and values.
  8685. properties:
  8686. key:
  8687. description: key is the label key that the selector applies to.
  8688. type: string
  8689. operator:
  8690. description: |-
  8691. operator represents a key's relationship to a set of values.
  8692. Valid operators are In, NotIn, Exists and DoesNotExist.
  8693. type: string
  8694. values:
  8695. description: |-
  8696. values is an array of string values. If the operator is In or NotIn,
  8697. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8698. the values array must be empty. This array is replaced during a strategic
  8699. merge patch.
  8700. items:
  8701. type: string
  8702. type: array
  8703. x-kubernetes-list-type: atomic
  8704. required:
  8705. - key
  8706. - operator
  8707. type: object
  8708. type: array
  8709. x-kubernetes-list-type: atomic
  8710. matchLabels:
  8711. additionalProperties:
  8712. type: string
  8713. description: |-
  8714. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8715. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8716. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8717. type: object
  8718. type: object
  8719. x-kubernetes-map-type: atomic
  8720. namespaces:
  8721. description: Choose namespaces by name
  8722. items:
  8723. maxLength: 63
  8724. minLength: 1
  8725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8726. type: string
  8727. type: array
  8728. type: object
  8729. type: array
  8730. controller:
  8731. description: |-
  8732. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8733. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8734. type: string
  8735. provider:
  8736. description: Used to configure the provider. Only one provider may be set
  8737. maxProperties: 1
  8738. minProperties: 1
  8739. properties:
  8740. akeyless:
  8741. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8742. properties:
  8743. akeylessGWApiURL:
  8744. description: Akeyless GW API Url from which the secrets to be fetched from.
  8745. type: string
  8746. authSecretRef:
  8747. description: Auth configures how the operator authenticates with Akeyless.
  8748. properties:
  8749. kubernetesAuth:
  8750. description: |-
  8751. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8752. token stored in the named Secret resource.
  8753. properties:
  8754. accessID:
  8755. description: the Akeyless Kubernetes auth-method access-id
  8756. type: string
  8757. k8sConfName:
  8758. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8759. type: string
  8760. secretRef:
  8761. description: |-
  8762. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8763. for authenticating with Akeyless. If a name is specified without a key,
  8764. `token` is the default. If one is not specified, the one bound to
  8765. the controller will be used.
  8766. properties:
  8767. key:
  8768. description: |-
  8769. A key in the referenced Secret.
  8770. Some instances of this field may be defaulted, in others it may be required.
  8771. maxLength: 253
  8772. minLength: 1
  8773. pattern: ^[-._a-zA-Z0-9]+$
  8774. type: string
  8775. name:
  8776. description: The name of the Secret resource being referred to.
  8777. maxLength: 253
  8778. minLength: 1
  8779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8780. type: string
  8781. namespace:
  8782. description: |-
  8783. The namespace of the Secret resource being referred to.
  8784. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8785. maxLength: 63
  8786. minLength: 1
  8787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8788. type: string
  8789. type: object
  8790. serviceAccountRef:
  8791. description: |-
  8792. Optional service account field containing the name of a kubernetes ServiceAccount.
  8793. If the service account is specified, the service account secret token JWT will be used
  8794. for authenticating with Akeyless. If the service account selector is not supplied,
  8795. the secretRef will be used instead.
  8796. properties:
  8797. audiences:
  8798. description: |-
  8799. Audience specifies the `aud` claim for the service account token
  8800. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8801. then this audiences will be appended to the list
  8802. items:
  8803. type: string
  8804. type: array
  8805. name:
  8806. description: The name of the ServiceAccount resource being referred to.
  8807. maxLength: 253
  8808. minLength: 1
  8809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8810. type: string
  8811. namespace:
  8812. description: |-
  8813. Namespace of the resource being referred to.
  8814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8815. maxLength: 63
  8816. minLength: 1
  8817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8818. type: string
  8819. required:
  8820. - name
  8821. type: object
  8822. required:
  8823. - accessID
  8824. - k8sConfName
  8825. type: object
  8826. secretRef:
  8827. description: |-
  8828. Reference to a Secret that contains the details
  8829. to authenticate with Akeyless.
  8830. properties:
  8831. accessID:
  8832. description: The SecretAccessID is used for authentication
  8833. properties:
  8834. key:
  8835. description: |-
  8836. A key in the referenced Secret.
  8837. Some instances of this field may be defaulted, in others it may be required.
  8838. maxLength: 253
  8839. minLength: 1
  8840. pattern: ^[-._a-zA-Z0-9]+$
  8841. type: string
  8842. name:
  8843. description: The name of the Secret resource being referred to.
  8844. maxLength: 253
  8845. minLength: 1
  8846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8847. type: string
  8848. namespace:
  8849. description: |-
  8850. The namespace of the Secret resource being referred to.
  8851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8852. maxLength: 63
  8853. minLength: 1
  8854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8855. type: string
  8856. type: object
  8857. accessType:
  8858. description: |-
  8859. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8860. In some instances, `key` is a required field.
  8861. properties:
  8862. key:
  8863. description: |-
  8864. A key in the referenced Secret.
  8865. Some instances of this field may be defaulted, in others it may be required.
  8866. maxLength: 253
  8867. minLength: 1
  8868. pattern: ^[-._a-zA-Z0-9]+$
  8869. type: string
  8870. name:
  8871. description: The name of the Secret resource being referred to.
  8872. maxLength: 253
  8873. minLength: 1
  8874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8875. type: string
  8876. namespace:
  8877. description: |-
  8878. The namespace of the Secret resource being referred to.
  8879. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8880. maxLength: 63
  8881. minLength: 1
  8882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8883. type: string
  8884. type: object
  8885. accessTypeParam:
  8886. description: |-
  8887. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8888. In some instances, `key` is a required field.
  8889. properties:
  8890. key:
  8891. description: |-
  8892. A key in the referenced Secret.
  8893. Some instances of this field may be defaulted, in others it may be required.
  8894. maxLength: 253
  8895. minLength: 1
  8896. pattern: ^[-._a-zA-Z0-9]+$
  8897. type: string
  8898. name:
  8899. description: The name of the Secret resource being referred to.
  8900. maxLength: 253
  8901. minLength: 1
  8902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8903. type: string
  8904. namespace:
  8905. description: |-
  8906. The namespace of the Secret resource being referred to.
  8907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8908. maxLength: 63
  8909. minLength: 1
  8910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8911. type: string
  8912. type: object
  8913. type: object
  8914. type: object
  8915. caBundle:
  8916. description: |-
  8917. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  8918. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  8919. are used to validate the TLS connection.
  8920. format: byte
  8921. type: string
  8922. caProvider:
  8923. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  8924. properties:
  8925. key:
  8926. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8927. maxLength: 253
  8928. minLength: 1
  8929. pattern: ^[-._a-zA-Z0-9]+$
  8930. type: string
  8931. name:
  8932. description: The name of the object located at the provider type.
  8933. maxLength: 253
  8934. minLength: 1
  8935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8936. type: string
  8937. namespace:
  8938. description: |-
  8939. The namespace the Provider type is in.
  8940. Can only be defined when used in a ClusterSecretStore.
  8941. maxLength: 63
  8942. minLength: 1
  8943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8944. type: string
  8945. type:
  8946. description: The type of provider to use such as "Secret", or "ConfigMap".
  8947. enum:
  8948. - Secret
  8949. - ConfigMap
  8950. type: string
  8951. required:
  8952. - name
  8953. - type
  8954. type: object
  8955. required:
  8956. - akeylessGWApiURL
  8957. - authSecretRef
  8958. type: object
  8959. alibaba:
  8960. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  8961. properties:
  8962. auth:
  8963. description: AlibabaAuth contains a secretRef for credentials.
  8964. properties:
  8965. rrsa:
  8966. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  8967. properties:
  8968. oidcProviderArn:
  8969. type: string
  8970. oidcTokenFilePath:
  8971. type: string
  8972. roleArn:
  8973. type: string
  8974. sessionName:
  8975. type: string
  8976. required:
  8977. - oidcProviderArn
  8978. - oidcTokenFilePath
  8979. - roleArn
  8980. - sessionName
  8981. type: object
  8982. secretRef:
  8983. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  8984. properties:
  8985. accessKeyIDSecretRef:
  8986. description: The AccessKeyID is used for authentication
  8987. properties:
  8988. key:
  8989. description: |-
  8990. A key in the referenced Secret.
  8991. Some instances of this field may be defaulted, in others it may be required.
  8992. maxLength: 253
  8993. minLength: 1
  8994. pattern: ^[-._a-zA-Z0-9]+$
  8995. type: string
  8996. name:
  8997. description: The name of the Secret resource being referred to.
  8998. maxLength: 253
  8999. minLength: 1
  9000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9001. type: string
  9002. namespace:
  9003. description: |-
  9004. The namespace of the Secret resource being referred to.
  9005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9006. maxLength: 63
  9007. minLength: 1
  9008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9009. type: string
  9010. type: object
  9011. accessKeySecretSecretRef:
  9012. description: The AccessKeySecret is used for authentication
  9013. properties:
  9014. key:
  9015. description: |-
  9016. A key in the referenced Secret.
  9017. Some instances of this field may be defaulted, in others it may be required.
  9018. maxLength: 253
  9019. minLength: 1
  9020. pattern: ^[-._a-zA-Z0-9]+$
  9021. type: string
  9022. name:
  9023. description: The name of the Secret resource being referred to.
  9024. maxLength: 253
  9025. minLength: 1
  9026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9027. type: string
  9028. namespace:
  9029. description: |-
  9030. The namespace of the Secret resource being referred to.
  9031. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9032. maxLength: 63
  9033. minLength: 1
  9034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9035. type: string
  9036. type: object
  9037. required:
  9038. - accessKeyIDSecretRef
  9039. - accessKeySecretSecretRef
  9040. type: object
  9041. type: object
  9042. regionID:
  9043. description: Alibaba Region to be used for the provider
  9044. type: string
  9045. required:
  9046. - auth
  9047. - regionID
  9048. type: object
  9049. aws:
  9050. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  9051. properties:
  9052. additionalRoles:
  9053. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  9054. items:
  9055. type: string
  9056. type: array
  9057. auth:
  9058. description: |-
  9059. Auth defines the information necessary to authenticate against AWS
  9060. if not set aws sdk will infer credentials from your environment
  9061. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  9062. properties:
  9063. jwt:
  9064. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  9065. properties:
  9066. serviceAccountRef:
  9067. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  9068. properties:
  9069. audiences:
  9070. description: |-
  9071. Audience specifies the `aud` claim for the service account token
  9072. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9073. then this audiences will be appended to the list
  9074. items:
  9075. type: string
  9076. type: array
  9077. name:
  9078. description: The name of the ServiceAccount resource being referred to.
  9079. maxLength: 253
  9080. minLength: 1
  9081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9082. type: string
  9083. namespace:
  9084. description: |-
  9085. Namespace of the resource being referred to.
  9086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9087. maxLength: 63
  9088. minLength: 1
  9089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9090. type: string
  9091. required:
  9092. - name
  9093. type: object
  9094. type: object
  9095. secretRef:
  9096. description: |-
  9097. AWSAuthSecretRef holds secret references for AWS credentials
  9098. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9099. properties:
  9100. accessKeyIDSecretRef:
  9101. description: The AccessKeyID is used for authentication
  9102. properties:
  9103. key:
  9104. description: |-
  9105. A key in the referenced Secret.
  9106. Some instances of this field may be defaulted, in others it may be required.
  9107. maxLength: 253
  9108. minLength: 1
  9109. pattern: ^[-._a-zA-Z0-9]+$
  9110. type: string
  9111. name:
  9112. description: The name of the Secret resource being referred to.
  9113. maxLength: 253
  9114. minLength: 1
  9115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9116. type: string
  9117. namespace:
  9118. description: |-
  9119. The namespace of the Secret resource being referred to.
  9120. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9121. maxLength: 63
  9122. minLength: 1
  9123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9124. type: string
  9125. type: object
  9126. secretAccessKeySecretRef:
  9127. description: The SecretAccessKey is used for authentication
  9128. properties:
  9129. key:
  9130. description: |-
  9131. A key in the referenced Secret.
  9132. Some instances of this field may be defaulted, in others it may be required.
  9133. maxLength: 253
  9134. minLength: 1
  9135. pattern: ^[-._a-zA-Z0-9]+$
  9136. type: string
  9137. name:
  9138. description: The name of the Secret resource being referred to.
  9139. maxLength: 253
  9140. minLength: 1
  9141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9142. type: string
  9143. namespace:
  9144. description: |-
  9145. The namespace of the Secret resource being referred to.
  9146. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9147. maxLength: 63
  9148. minLength: 1
  9149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9150. type: string
  9151. type: object
  9152. sessionTokenSecretRef:
  9153. description: |-
  9154. The SessionToken used for authentication
  9155. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9156. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9157. properties:
  9158. key:
  9159. description: |-
  9160. A key in the referenced Secret.
  9161. Some instances of this field may be defaulted, in others it may be required.
  9162. maxLength: 253
  9163. minLength: 1
  9164. pattern: ^[-._a-zA-Z0-9]+$
  9165. type: string
  9166. name:
  9167. description: The name of the Secret resource being referred to.
  9168. maxLength: 253
  9169. minLength: 1
  9170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9171. type: string
  9172. namespace:
  9173. description: |-
  9174. The namespace of the Secret resource being referred to.
  9175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9176. maxLength: 63
  9177. minLength: 1
  9178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9179. type: string
  9180. type: object
  9181. type: object
  9182. type: object
  9183. externalID:
  9184. description: AWS External ID set on assumed IAM roles
  9185. type: string
  9186. prefix:
  9187. description: Prefix adds a prefix to all retrieved values.
  9188. type: string
  9189. region:
  9190. description: AWS Region to be used for the provider
  9191. type: string
  9192. role:
  9193. description: Role is a Role ARN which the provider will assume
  9194. type: string
  9195. secretsManager:
  9196. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9197. properties:
  9198. forceDeleteWithoutRecovery:
  9199. description: |-
  9200. Specifies whether to delete the secret without any recovery window. You
  9201. can't use both this parameter and RecoveryWindowInDays in the same call.
  9202. If you don't use either, then by default Secrets Manager uses a 30 day
  9203. recovery window.
  9204. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9205. type: boolean
  9206. recoveryWindowInDays:
  9207. description: |-
  9208. The number of days from 7 to 30 that Secrets Manager waits before
  9209. permanently deleting the secret. You can't use both this parameter and
  9210. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9211. then by default Secrets Manager uses a 30 day recovery window.
  9212. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9213. format: int64
  9214. type: integer
  9215. type: object
  9216. service:
  9217. description: Service defines which service should be used to fetch the secrets
  9218. enum:
  9219. - SecretsManager
  9220. - ParameterStore
  9221. type: string
  9222. sessionTags:
  9223. description: AWS STS assume role session tags
  9224. items:
  9225. description: Tag defines a tag key and value for AWS resources.
  9226. properties:
  9227. key:
  9228. type: string
  9229. value:
  9230. type: string
  9231. required:
  9232. - key
  9233. - value
  9234. type: object
  9235. type: array
  9236. transitiveTagKeys:
  9237. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9238. items:
  9239. type: string
  9240. type: array
  9241. required:
  9242. - region
  9243. - service
  9244. type: object
  9245. azurekv:
  9246. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9247. properties:
  9248. authSecretRef:
  9249. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9250. properties:
  9251. clientCertificate:
  9252. description: The Azure ClientCertificate of the service principle used for authentication.
  9253. properties:
  9254. key:
  9255. description: |-
  9256. A key in the referenced Secret.
  9257. Some instances of this field may be defaulted, in others it may be required.
  9258. maxLength: 253
  9259. minLength: 1
  9260. pattern: ^[-._a-zA-Z0-9]+$
  9261. type: string
  9262. name:
  9263. description: The name of the Secret resource being referred to.
  9264. maxLength: 253
  9265. minLength: 1
  9266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9267. type: string
  9268. namespace:
  9269. description: |-
  9270. The namespace of the Secret resource being referred to.
  9271. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9272. maxLength: 63
  9273. minLength: 1
  9274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9275. type: string
  9276. type: object
  9277. clientId:
  9278. description: The Azure clientId of the service principle or managed identity used for authentication.
  9279. properties:
  9280. key:
  9281. description: |-
  9282. A key in the referenced Secret.
  9283. Some instances of this field may be defaulted, in others it may be required.
  9284. maxLength: 253
  9285. minLength: 1
  9286. pattern: ^[-._a-zA-Z0-9]+$
  9287. type: string
  9288. name:
  9289. description: The name of the Secret resource being referred to.
  9290. maxLength: 253
  9291. minLength: 1
  9292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9293. type: string
  9294. namespace:
  9295. description: |-
  9296. The namespace of the Secret resource being referred to.
  9297. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9298. maxLength: 63
  9299. minLength: 1
  9300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9301. type: string
  9302. type: object
  9303. clientSecret:
  9304. description: The Azure ClientSecret of the service principle used for authentication.
  9305. properties:
  9306. key:
  9307. description: |-
  9308. A key in the referenced Secret.
  9309. Some instances of this field may be defaulted, in others it may be required.
  9310. maxLength: 253
  9311. minLength: 1
  9312. pattern: ^[-._a-zA-Z0-9]+$
  9313. type: string
  9314. name:
  9315. description: The name of the Secret resource being referred to.
  9316. maxLength: 253
  9317. minLength: 1
  9318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9319. type: string
  9320. namespace:
  9321. description: |-
  9322. The namespace of the Secret resource being referred to.
  9323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9324. maxLength: 63
  9325. minLength: 1
  9326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9327. type: string
  9328. type: object
  9329. tenantId:
  9330. description: The Azure tenantId of the managed identity used for authentication.
  9331. properties:
  9332. key:
  9333. description: |-
  9334. A key in the referenced Secret.
  9335. Some instances of this field may be defaulted, in others it may be required.
  9336. maxLength: 253
  9337. minLength: 1
  9338. pattern: ^[-._a-zA-Z0-9]+$
  9339. type: string
  9340. name:
  9341. description: The name of the Secret resource being referred to.
  9342. maxLength: 253
  9343. minLength: 1
  9344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9345. type: string
  9346. namespace:
  9347. description: |-
  9348. The namespace of the Secret resource being referred to.
  9349. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9350. maxLength: 63
  9351. minLength: 1
  9352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9353. type: string
  9354. type: object
  9355. type: object
  9356. authType:
  9357. default: ServicePrincipal
  9358. description: |-
  9359. Auth type defines how to authenticate to the keyvault service.
  9360. Valid values are:
  9361. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9362. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9363. enum:
  9364. - ServicePrincipal
  9365. - ManagedIdentity
  9366. - WorkloadIdentity
  9367. type: string
  9368. environmentType:
  9369. default: PublicCloud
  9370. description: |-
  9371. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9372. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9373. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9374. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9375. enum:
  9376. - PublicCloud
  9377. - USGovernmentCloud
  9378. - ChinaCloud
  9379. - GermanCloud
  9380. type: string
  9381. identityId:
  9382. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  9383. type: string
  9384. serviceAccountRef:
  9385. description: |-
  9386. ServiceAccountRef specified the service account
  9387. that should be used when authenticating with WorkloadIdentity.
  9388. properties:
  9389. audiences:
  9390. description: |-
  9391. Audience specifies the `aud` claim for the service account token
  9392. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9393. then this audiences will be appended to the list
  9394. items:
  9395. type: string
  9396. type: array
  9397. name:
  9398. description: The name of the ServiceAccount resource being referred to.
  9399. maxLength: 253
  9400. minLength: 1
  9401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9402. type: string
  9403. namespace:
  9404. description: |-
  9405. Namespace of the resource being referred to.
  9406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9407. maxLength: 63
  9408. minLength: 1
  9409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9410. type: string
  9411. required:
  9412. - name
  9413. type: object
  9414. tenantId:
  9415. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9416. type: string
  9417. vaultUrl:
  9418. description: Vault Url from which the secrets to be fetched from.
  9419. type: string
  9420. required:
  9421. - vaultUrl
  9422. type: object
  9423. beyondtrust:
  9424. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9425. properties:
  9426. auth:
  9427. description: Auth configures how the operator authenticates with Beyondtrust.
  9428. properties:
  9429. apiKey:
  9430. description: APIKey If not provided then ClientID/ClientSecret become required.
  9431. properties:
  9432. secretRef:
  9433. description: SecretRef references a key in a secret that will be used as value.
  9434. properties:
  9435. key:
  9436. description: |-
  9437. A key in the referenced Secret.
  9438. Some instances of this field may be defaulted, in others it may be required.
  9439. maxLength: 253
  9440. minLength: 1
  9441. pattern: ^[-._a-zA-Z0-9]+$
  9442. type: string
  9443. name:
  9444. description: The name of the Secret resource being referred to.
  9445. maxLength: 253
  9446. minLength: 1
  9447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9448. type: string
  9449. namespace:
  9450. description: |-
  9451. The namespace of the Secret resource being referred to.
  9452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9453. maxLength: 63
  9454. minLength: 1
  9455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9456. type: string
  9457. type: object
  9458. value:
  9459. description: Value can be specified directly to set a value without using a secret.
  9460. type: string
  9461. type: object
  9462. certificate:
  9463. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9464. properties:
  9465. secretRef:
  9466. description: SecretRef references a key in a secret that will be used as value.
  9467. properties:
  9468. key:
  9469. description: |-
  9470. A key in the referenced Secret.
  9471. Some instances of this field may be defaulted, in others it may be required.
  9472. maxLength: 253
  9473. minLength: 1
  9474. pattern: ^[-._a-zA-Z0-9]+$
  9475. type: string
  9476. name:
  9477. description: The name of the Secret resource being referred to.
  9478. maxLength: 253
  9479. minLength: 1
  9480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9481. type: string
  9482. namespace:
  9483. description: |-
  9484. The namespace of the Secret resource being referred to.
  9485. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9486. maxLength: 63
  9487. minLength: 1
  9488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9489. type: string
  9490. type: object
  9491. value:
  9492. description: Value can be specified directly to set a value without using a secret.
  9493. type: string
  9494. type: object
  9495. certificateKey:
  9496. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  9497. properties:
  9498. secretRef:
  9499. description: SecretRef references a key in a secret that will be used as value.
  9500. properties:
  9501. key:
  9502. description: |-
  9503. A key in the referenced Secret.
  9504. Some instances of this field may be defaulted, in others it may be required.
  9505. maxLength: 253
  9506. minLength: 1
  9507. pattern: ^[-._a-zA-Z0-9]+$
  9508. type: string
  9509. name:
  9510. description: The name of the Secret resource being referred to.
  9511. maxLength: 253
  9512. minLength: 1
  9513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9514. type: string
  9515. namespace:
  9516. description: |-
  9517. The namespace of the Secret resource being referred to.
  9518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9519. maxLength: 63
  9520. minLength: 1
  9521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9522. type: string
  9523. type: object
  9524. value:
  9525. description: Value can be specified directly to set a value without using a secret.
  9526. type: string
  9527. type: object
  9528. clientId:
  9529. description: ClientID is the API OAuth Client ID.
  9530. properties:
  9531. secretRef:
  9532. description: SecretRef references a key in a secret that will be used as value.
  9533. properties:
  9534. key:
  9535. description: |-
  9536. A key in the referenced Secret.
  9537. Some instances of this field may be defaulted, in others it may be required.
  9538. maxLength: 253
  9539. minLength: 1
  9540. pattern: ^[-._a-zA-Z0-9]+$
  9541. type: string
  9542. name:
  9543. description: The name of the Secret resource being referred to.
  9544. maxLength: 253
  9545. minLength: 1
  9546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9547. type: string
  9548. namespace:
  9549. description: |-
  9550. The namespace of the Secret resource being referred to.
  9551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9552. maxLength: 63
  9553. minLength: 1
  9554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9555. type: string
  9556. type: object
  9557. value:
  9558. description: Value can be specified directly to set a value without using a secret.
  9559. type: string
  9560. type: object
  9561. clientSecret:
  9562. description: ClientSecret is the API OAuth Client Secret.
  9563. properties:
  9564. secretRef:
  9565. description: SecretRef references a key in a secret that will be used as value.
  9566. properties:
  9567. key:
  9568. description: |-
  9569. A key in the referenced Secret.
  9570. Some instances of this field may be defaulted, in others it may be required.
  9571. maxLength: 253
  9572. minLength: 1
  9573. pattern: ^[-._a-zA-Z0-9]+$
  9574. type: string
  9575. name:
  9576. description: The name of the Secret resource being referred to.
  9577. maxLength: 253
  9578. minLength: 1
  9579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9580. type: string
  9581. namespace:
  9582. description: |-
  9583. The namespace of the Secret resource being referred to.
  9584. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9585. maxLength: 63
  9586. minLength: 1
  9587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9588. type: string
  9589. type: object
  9590. value:
  9591. description: Value can be specified directly to set a value without using a secret.
  9592. type: string
  9593. type: object
  9594. type: object
  9595. server:
  9596. description: Auth configures how API server works.
  9597. properties:
  9598. apiUrl:
  9599. type: string
  9600. apiVersion:
  9601. type: string
  9602. clientTimeOutSeconds:
  9603. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9604. type: integer
  9605. decrypt:
  9606. default: true
  9607. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9608. type: boolean
  9609. retrievalType:
  9610. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9611. type: string
  9612. separator:
  9613. description: A character that separates the folder names.
  9614. type: string
  9615. verifyCA:
  9616. type: boolean
  9617. required:
  9618. - apiUrl
  9619. - verifyCA
  9620. type: object
  9621. required:
  9622. - auth
  9623. - server
  9624. type: object
  9625. bitwardensecretsmanager:
  9626. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9627. properties:
  9628. apiURL:
  9629. type: string
  9630. auth:
  9631. description: |-
  9632. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9633. Make sure that the token being used has permissions on the given secret.
  9634. properties:
  9635. secretRef:
  9636. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9637. properties:
  9638. credentials:
  9639. description: AccessToken used for the bitwarden instance.
  9640. properties:
  9641. key:
  9642. description: |-
  9643. A key in the referenced Secret.
  9644. Some instances of this field may be defaulted, in others it may be required.
  9645. maxLength: 253
  9646. minLength: 1
  9647. pattern: ^[-._a-zA-Z0-9]+$
  9648. type: string
  9649. name:
  9650. description: The name of the Secret resource being referred to.
  9651. maxLength: 253
  9652. minLength: 1
  9653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9654. type: string
  9655. namespace:
  9656. description: |-
  9657. The namespace of the Secret resource being referred to.
  9658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9659. maxLength: 63
  9660. minLength: 1
  9661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9662. type: string
  9663. type: object
  9664. required:
  9665. - credentials
  9666. type: object
  9667. required:
  9668. - secretRef
  9669. type: object
  9670. bitwardenServerSDKURL:
  9671. type: string
  9672. caBundle:
  9673. description: |-
  9674. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9675. can be performed.
  9676. type: string
  9677. caProvider:
  9678. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9679. properties:
  9680. key:
  9681. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9682. maxLength: 253
  9683. minLength: 1
  9684. pattern: ^[-._a-zA-Z0-9]+$
  9685. type: string
  9686. name:
  9687. description: The name of the object located at the provider type.
  9688. maxLength: 253
  9689. minLength: 1
  9690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9691. type: string
  9692. namespace:
  9693. description: |-
  9694. The namespace the Provider type is in.
  9695. Can only be defined when used in a ClusterSecretStore.
  9696. maxLength: 63
  9697. minLength: 1
  9698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9699. type: string
  9700. type:
  9701. description: The type of provider to use such as "Secret", or "ConfigMap".
  9702. enum:
  9703. - Secret
  9704. - ConfigMap
  9705. type: string
  9706. required:
  9707. - name
  9708. - type
  9709. type: object
  9710. identityURL:
  9711. type: string
  9712. organizationID:
  9713. description: OrganizationID determines which organization this secret store manages.
  9714. type: string
  9715. projectID:
  9716. description: ProjectID determines which project this secret store manages.
  9717. type: string
  9718. required:
  9719. - auth
  9720. - organizationID
  9721. - projectID
  9722. type: object
  9723. chef:
  9724. description: Chef configures this store to sync secrets with chef server
  9725. properties:
  9726. auth:
  9727. description: Auth defines the information necessary to authenticate against chef Server
  9728. properties:
  9729. secretRef:
  9730. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9731. properties:
  9732. privateKeySecretRef:
  9733. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9734. properties:
  9735. key:
  9736. description: |-
  9737. A key in the referenced Secret.
  9738. Some instances of this field may be defaulted, in others it may be required.
  9739. maxLength: 253
  9740. minLength: 1
  9741. pattern: ^[-._a-zA-Z0-9]+$
  9742. type: string
  9743. name:
  9744. description: The name of the Secret resource being referred to.
  9745. maxLength: 253
  9746. minLength: 1
  9747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9748. type: string
  9749. namespace:
  9750. description: |-
  9751. The namespace of the Secret resource being referred to.
  9752. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9753. maxLength: 63
  9754. minLength: 1
  9755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9756. type: string
  9757. type: object
  9758. required:
  9759. - privateKeySecretRef
  9760. type: object
  9761. required:
  9762. - secretRef
  9763. type: object
  9764. serverUrl:
  9765. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9766. type: string
  9767. username:
  9768. description: UserName should be the user ID on the chef server
  9769. type: string
  9770. required:
  9771. - auth
  9772. - serverUrl
  9773. - username
  9774. type: object
  9775. cloudrusm:
  9776. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9777. properties:
  9778. auth:
  9779. description: CSMAuth contains a secretRef for credentials.
  9780. properties:
  9781. secretRef:
  9782. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9783. properties:
  9784. accessKeyIDSecretRef:
  9785. description: The AccessKeyID is used for authentication
  9786. properties:
  9787. key:
  9788. description: |-
  9789. A key in the referenced Secret.
  9790. Some instances of this field may be defaulted, in others it may be required.
  9791. maxLength: 253
  9792. minLength: 1
  9793. pattern: ^[-._a-zA-Z0-9]+$
  9794. type: string
  9795. name:
  9796. description: The name of the Secret resource being referred to.
  9797. maxLength: 253
  9798. minLength: 1
  9799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9800. type: string
  9801. namespace:
  9802. description: |-
  9803. The namespace of the Secret resource being referred to.
  9804. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9805. maxLength: 63
  9806. minLength: 1
  9807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9808. type: string
  9809. type: object
  9810. accessKeySecretSecretRef:
  9811. description: The AccessKeySecret is used for authentication
  9812. properties:
  9813. key:
  9814. description: |-
  9815. A key in the referenced Secret.
  9816. Some instances of this field may be defaulted, in others it may be required.
  9817. maxLength: 253
  9818. minLength: 1
  9819. pattern: ^[-._a-zA-Z0-9]+$
  9820. type: string
  9821. name:
  9822. description: The name of the Secret resource being referred to.
  9823. maxLength: 253
  9824. minLength: 1
  9825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9826. type: string
  9827. namespace:
  9828. description: |-
  9829. The namespace of the Secret resource being referred to.
  9830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9831. maxLength: 63
  9832. minLength: 1
  9833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9834. type: string
  9835. type: object
  9836. required:
  9837. - accessKeyIDSecretRef
  9838. - accessKeySecretSecretRef
  9839. type: object
  9840. type: object
  9841. projectID:
  9842. description: ProjectID is the project, which the secrets are stored in.
  9843. type: string
  9844. required:
  9845. - auth
  9846. type: object
  9847. conjur:
  9848. description: Conjur configures this store to sync secrets using conjur provider
  9849. properties:
  9850. auth:
  9851. description: Defines authentication settings for connecting to Conjur.
  9852. properties:
  9853. apikey:
  9854. description: Authenticates with Conjur using an API key.
  9855. properties:
  9856. account:
  9857. description: Account is the Conjur organization account name.
  9858. type: string
  9859. apiKeyRef:
  9860. description: |-
  9861. A reference to a specific 'key' containing the Conjur API key
  9862. within a Secret resource. In some instances, `key` is a required field.
  9863. properties:
  9864. key:
  9865. description: |-
  9866. A key in the referenced Secret.
  9867. Some instances of this field may be defaulted, in others it may be required.
  9868. maxLength: 253
  9869. minLength: 1
  9870. pattern: ^[-._a-zA-Z0-9]+$
  9871. type: string
  9872. name:
  9873. description: The name of the Secret resource being referred to.
  9874. maxLength: 253
  9875. minLength: 1
  9876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9877. type: string
  9878. namespace:
  9879. description: |-
  9880. The namespace of the Secret resource being referred to.
  9881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9882. maxLength: 63
  9883. minLength: 1
  9884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9885. type: string
  9886. type: object
  9887. userRef:
  9888. description: |-
  9889. A reference to a specific 'key' containing the Conjur username
  9890. within a Secret resource. In some instances, `key` is a required field.
  9891. properties:
  9892. key:
  9893. description: |-
  9894. A key in the referenced Secret.
  9895. Some instances of this field may be defaulted, in others it may be required.
  9896. maxLength: 253
  9897. minLength: 1
  9898. pattern: ^[-._a-zA-Z0-9]+$
  9899. type: string
  9900. name:
  9901. description: The name of the Secret resource being referred to.
  9902. maxLength: 253
  9903. minLength: 1
  9904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9905. type: string
  9906. namespace:
  9907. description: |-
  9908. The namespace of the Secret resource being referred to.
  9909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9910. maxLength: 63
  9911. minLength: 1
  9912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9913. type: string
  9914. type: object
  9915. required:
  9916. - account
  9917. - apiKeyRef
  9918. - userRef
  9919. type: object
  9920. jwt:
  9921. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  9922. properties:
  9923. account:
  9924. description: Account is the Conjur organization account name.
  9925. type: string
  9926. hostId:
  9927. description: |-
  9928. Optional HostID for JWT authentication. This may be used depending
  9929. on how the Conjur JWT authenticator policy is configured.
  9930. type: string
  9931. secretRef:
  9932. description: |-
  9933. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  9934. authenticate with Conjur using the JWT authentication method.
  9935. properties:
  9936. key:
  9937. description: |-
  9938. A key in the referenced Secret.
  9939. Some instances of this field may be defaulted, in others it may be required.
  9940. maxLength: 253
  9941. minLength: 1
  9942. pattern: ^[-._a-zA-Z0-9]+$
  9943. type: string
  9944. name:
  9945. description: The name of the Secret resource being referred to.
  9946. maxLength: 253
  9947. minLength: 1
  9948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9949. type: string
  9950. namespace:
  9951. description: |-
  9952. The namespace of the Secret resource being referred to.
  9953. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9954. maxLength: 63
  9955. minLength: 1
  9956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9957. type: string
  9958. type: object
  9959. serviceAccountRef:
  9960. description: |-
  9961. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  9962. a token for with the `TokenRequest` API.
  9963. properties:
  9964. audiences:
  9965. description: |-
  9966. Audience specifies the `aud` claim for the service account token
  9967. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9968. then this audiences will be appended to the list
  9969. items:
  9970. type: string
  9971. type: array
  9972. name:
  9973. description: The name of the ServiceAccount resource being referred to.
  9974. maxLength: 253
  9975. minLength: 1
  9976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9977. type: string
  9978. namespace:
  9979. description: |-
  9980. Namespace of the resource being referred to.
  9981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9982. maxLength: 63
  9983. minLength: 1
  9984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9985. type: string
  9986. required:
  9987. - name
  9988. type: object
  9989. serviceID:
  9990. description: The conjur authn jwt webservice id
  9991. type: string
  9992. required:
  9993. - account
  9994. - serviceID
  9995. type: object
  9996. type: object
  9997. caBundle:
  9998. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  9999. type: string
  10000. caProvider:
  10001. description: |-
  10002. Used to provide custom certificate authority (CA) certificates
  10003. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  10004. that contains a PEM-encoded certificate.
  10005. properties:
  10006. key:
  10007. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10008. maxLength: 253
  10009. minLength: 1
  10010. pattern: ^[-._a-zA-Z0-9]+$
  10011. type: string
  10012. name:
  10013. description: The name of the object located at the provider type.
  10014. maxLength: 253
  10015. minLength: 1
  10016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10017. type: string
  10018. namespace:
  10019. description: |-
  10020. The namespace the Provider type is in.
  10021. Can only be defined when used in a ClusterSecretStore.
  10022. maxLength: 63
  10023. minLength: 1
  10024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10025. type: string
  10026. type:
  10027. description: The type of provider to use such as "Secret", or "ConfigMap".
  10028. enum:
  10029. - Secret
  10030. - ConfigMap
  10031. type: string
  10032. required:
  10033. - name
  10034. - type
  10035. type: object
  10036. url:
  10037. description: URL is the endpoint of the Conjur instance.
  10038. type: string
  10039. required:
  10040. - auth
  10041. - url
  10042. type: object
  10043. delinea:
  10044. description: |-
  10045. Delinea DevOps Secrets Vault
  10046. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  10047. properties:
  10048. clientId:
  10049. description: ClientID is the non-secret part of the credential.
  10050. properties:
  10051. secretRef:
  10052. description: SecretRef references a key in a secret that will be used as value.
  10053. properties:
  10054. key:
  10055. description: |-
  10056. A key in the referenced Secret.
  10057. Some instances of this field may be defaulted, in others it may be required.
  10058. maxLength: 253
  10059. minLength: 1
  10060. pattern: ^[-._a-zA-Z0-9]+$
  10061. type: string
  10062. name:
  10063. description: The name of the Secret resource being referred to.
  10064. maxLength: 253
  10065. minLength: 1
  10066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10067. type: string
  10068. namespace:
  10069. description: |-
  10070. The namespace of the Secret resource being referred to.
  10071. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10072. maxLength: 63
  10073. minLength: 1
  10074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10075. type: string
  10076. type: object
  10077. value:
  10078. description: Value can be specified directly to set a value without using a secret.
  10079. type: string
  10080. type: object
  10081. clientSecret:
  10082. description: ClientSecret is the secret part of the credential.
  10083. properties:
  10084. secretRef:
  10085. description: SecretRef references a key in a secret that will be used as value.
  10086. properties:
  10087. key:
  10088. description: |-
  10089. A key in the referenced Secret.
  10090. Some instances of this field may be defaulted, in others it may be required.
  10091. maxLength: 253
  10092. minLength: 1
  10093. pattern: ^[-._a-zA-Z0-9]+$
  10094. type: string
  10095. name:
  10096. description: The name of the Secret resource being referred to.
  10097. maxLength: 253
  10098. minLength: 1
  10099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10100. type: string
  10101. namespace:
  10102. description: |-
  10103. The namespace of the Secret resource being referred to.
  10104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10105. maxLength: 63
  10106. minLength: 1
  10107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10108. type: string
  10109. type: object
  10110. value:
  10111. description: Value can be specified directly to set a value without using a secret.
  10112. type: string
  10113. type: object
  10114. tenant:
  10115. description: Tenant is the chosen hostname / site name.
  10116. type: string
  10117. tld:
  10118. description: |-
  10119. TLD is based on the server location that was chosen during provisioning.
  10120. If unset, defaults to "com".
  10121. type: string
  10122. urlTemplate:
  10123. description: |-
  10124. URLTemplate
  10125. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10126. type: string
  10127. required:
  10128. - clientId
  10129. - clientSecret
  10130. - tenant
  10131. type: object
  10132. device42:
  10133. description: Device42 configures this store to sync secrets using the Device42 provider
  10134. properties:
  10135. auth:
  10136. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10137. properties:
  10138. secretRef:
  10139. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10140. properties:
  10141. credentials:
  10142. description: Username / Password is used for authentication.
  10143. properties:
  10144. key:
  10145. description: |-
  10146. A key in the referenced Secret.
  10147. Some instances of this field may be defaulted, in others it may be required.
  10148. maxLength: 253
  10149. minLength: 1
  10150. pattern: ^[-._a-zA-Z0-9]+$
  10151. type: string
  10152. name:
  10153. description: The name of the Secret resource being referred to.
  10154. maxLength: 253
  10155. minLength: 1
  10156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10157. type: string
  10158. namespace:
  10159. description: |-
  10160. The namespace of the Secret resource being referred to.
  10161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10162. maxLength: 63
  10163. minLength: 1
  10164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10165. type: string
  10166. type: object
  10167. type: object
  10168. required:
  10169. - secretRef
  10170. type: object
  10171. host:
  10172. description: URL configures the Device42 instance URL.
  10173. type: string
  10174. required:
  10175. - auth
  10176. - host
  10177. type: object
  10178. doppler:
  10179. description: Doppler configures this store to sync secrets using the Doppler provider
  10180. properties:
  10181. auth:
  10182. description: Auth configures how the Operator authenticates with the Doppler API
  10183. properties:
  10184. secretRef:
  10185. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10186. properties:
  10187. dopplerToken:
  10188. description: |-
  10189. The DopplerToken is used for authentication.
  10190. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10191. The Key attribute defaults to dopplerToken if not specified.
  10192. properties:
  10193. key:
  10194. description: |-
  10195. A key in the referenced Secret.
  10196. Some instances of this field may be defaulted, in others it may be required.
  10197. maxLength: 253
  10198. minLength: 1
  10199. pattern: ^[-._a-zA-Z0-9]+$
  10200. type: string
  10201. name:
  10202. description: The name of the Secret resource being referred to.
  10203. maxLength: 253
  10204. minLength: 1
  10205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10206. type: string
  10207. namespace:
  10208. description: |-
  10209. The namespace of the Secret resource being referred to.
  10210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10211. maxLength: 63
  10212. minLength: 1
  10213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10214. type: string
  10215. type: object
  10216. required:
  10217. - dopplerToken
  10218. type: object
  10219. required:
  10220. - secretRef
  10221. type: object
  10222. config:
  10223. description: Doppler config (required if not using a Service Token)
  10224. type: string
  10225. format:
  10226. description: Format enables the downloading of secrets as a file (string)
  10227. enum:
  10228. - json
  10229. - dotnet-json
  10230. - env
  10231. - yaml
  10232. - docker
  10233. type: string
  10234. nameTransformer:
  10235. description: Environment variable compatible name transforms that change secret names to a different format
  10236. enum:
  10237. - upper-camel
  10238. - camel
  10239. - lower-snake
  10240. - tf-var
  10241. - dotnet-env
  10242. - lower-kebab
  10243. type: string
  10244. project:
  10245. description: Doppler project (required if not using a Service Token)
  10246. type: string
  10247. required:
  10248. - auth
  10249. type: object
  10250. fake:
  10251. description: Fake configures a store with static key/value pairs
  10252. properties:
  10253. data:
  10254. items:
  10255. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10256. properties:
  10257. key:
  10258. type: string
  10259. value:
  10260. type: string
  10261. version:
  10262. type: string
  10263. required:
  10264. - key
  10265. - value
  10266. type: object
  10267. type: array
  10268. required:
  10269. - data
  10270. type: object
  10271. fortanix:
  10272. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10273. properties:
  10274. apiKey:
  10275. description: APIKey is the API token to access SDKMS Applications.
  10276. properties:
  10277. secretRef:
  10278. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10279. properties:
  10280. key:
  10281. description: |-
  10282. A key in the referenced Secret.
  10283. Some instances of this field may be defaulted, in others it may be required.
  10284. maxLength: 253
  10285. minLength: 1
  10286. pattern: ^[-._a-zA-Z0-9]+$
  10287. type: string
  10288. name:
  10289. description: The name of the Secret resource being referred to.
  10290. maxLength: 253
  10291. minLength: 1
  10292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10293. type: string
  10294. namespace:
  10295. description: |-
  10296. The namespace of the Secret resource being referred to.
  10297. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10298. maxLength: 63
  10299. minLength: 1
  10300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10301. type: string
  10302. type: object
  10303. type: object
  10304. apiUrl:
  10305. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10306. type: string
  10307. type: object
  10308. gcpsm:
  10309. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10310. properties:
  10311. auth:
  10312. description: Auth defines the information necessary to authenticate against GCP
  10313. properties:
  10314. secretRef:
  10315. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10316. properties:
  10317. secretAccessKeySecretRef:
  10318. description: The SecretAccessKey is used for authentication
  10319. properties:
  10320. key:
  10321. description: |-
  10322. A key in the referenced Secret.
  10323. Some instances of this field may be defaulted, in others it may be required.
  10324. maxLength: 253
  10325. minLength: 1
  10326. pattern: ^[-._a-zA-Z0-9]+$
  10327. type: string
  10328. name:
  10329. description: The name of the Secret resource being referred to.
  10330. maxLength: 253
  10331. minLength: 1
  10332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10333. type: string
  10334. namespace:
  10335. description: |-
  10336. The namespace of the Secret resource being referred to.
  10337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10338. maxLength: 63
  10339. minLength: 1
  10340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10341. type: string
  10342. type: object
  10343. type: object
  10344. workloadIdentity:
  10345. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10346. properties:
  10347. clusterLocation:
  10348. description: |-
  10349. ClusterLocation is the location of the cluster
  10350. If not specified, it fetches information from the metadata server
  10351. type: string
  10352. clusterName:
  10353. description: |-
  10354. ClusterName is the name of the cluster
  10355. If not specified, it fetches information from the metadata server
  10356. type: string
  10357. clusterProjectID:
  10358. description: |-
  10359. ClusterProjectID is the project ID of the cluster
  10360. If not specified, it fetches information from the metadata server
  10361. type: string
  10362. serviceAccountRef:
  10363. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10364. properties:
  10365. audiences:
  10366. description: |-
  10367. Audience specifies the `aud` claim for the service account token
  10368. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10369. then this audiences will be appended to the list
  10370. items:
  10371. type: string
  10372. type: array
  10373. name:
  10374. description: The name of the ServiceAccount resource being referred to.
  10375. maxLength: 253
  10376. minLength: 1
  10377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10378. type: string
  10379. namespace:
  10380. description: |-
  10381. Namespace of the resource being referred to.
  10382. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10383. maxLength: 63
  10384. minLength: 1
  10385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10386. type: string
  10387. required:
  10388. - name
  10389. type: object
  10390. required:
  10391. - serviceAccountRef
  10392. type: object
  10393. type: object
  10394. location:
  10395. description: Location optionally defines a location for a secret
  10396. type: string
  10397. projectID:
  10398. description: ProjectID project where secret is located
  10399. type: string
  10400. type: object
  10401. github:
  10402. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10403. properties:
  10404. appID:
  10405. description: appID specifies the Github APP that will be used to authenticate the client
  10406. format: int64
  10407. type: integer
  10408. auth:
  10409. description: auth configures how secret-manager authenticates with a Github instance.
  10410. properties:
  10411. privateKey:
  10412. description: |-
  10413. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10414. In some instances, `key` is a required field.
  10415. properties:
  10416. key:
  10417. description: |-
  10418. A key in the referenced Secret.
  10419. Some instances of this field may be defaulted, in others it may be required.
  10420. maxLength: 253
  10421. minLength: 1
  10422. pattern: ^[-._a-zA-Z0-9]+$
  10423. type: string
  10424. name:
  10425. description: The name of the Secret resource being referred to.
  10426. maxLength: 253
  10427. minLength: 1
  10428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10429. type: string
  10430. namespace:
  10431. description: |-
  10432. The namespace of the Secret resource being referred to.
  10433. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10434. maxLength: 63
  10435. minLength: 1
  10436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10437. type: string
  10438. type: object
  10439. required:
  10440. - privateKey
  10441. type: object
  10442. environment:
  10443. description: environment will be used to fetch secrets from a particular environment within a github repository
  10444. type: string
  10445. installationID:
  10446. description: installationID specifies the Github APP installation that will be used to authenticate the client
  10447. format: int64
  10448. type: integer
  10449. organization:
  10450. description: organization will be used to fetch secrets from the Github organization
  10451. type: string
  10452. repository:
  10453. description: repository will be used to fetch secrets from the Github repository within an organization
  10454. type: string
  10455. uploadURL:
  10456. description: Upload URL for enterprise instances. Default to URL.
  10457. type: string
  10458. url:
  10459. default: https://github.com/
  10460. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10461. type: string
  10462. required:
  10463. - appID
  10464. - auth
  10465. - installationID
  10466. - organization
  10467. type: object
  10468. gitlab:
  10469. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10470. properties:
  10471. auth:
  10472. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10473. properties:
  10474. SecretRef:
  10475. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10476. properties:
  10477. accessToken:
  10478. description: AccessToken is used for authentication.
  10479. properties:
  10480. key:
  10481. description: |-
  10482. A key in the referenced Secret.
  10483. Some instances of this field may be defaulted, in others it may be required.
  10484. maxLength: 253
  10485. minLength: 1
  10486. pattern: ^[-._a-zA-Z0-9]+$
  10487. type: string
  10488. name:
  10489. description: The name of the Secret resource being referred to.
  10490. maxLength: 253
  10491. minLength: 1
  10492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10493. type: string
  10494. namespace:
  10495. description: |-
  10496. The namespace of the Secret resource being referred to.
  10497. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10498. maxLength: 63
  10499. minLength: 1
  10500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10501. type: string
  10502. type: object
  10503. type: object
  10504. required:
  10505. - SecretRef
  10506. type: object
  10507. caBundle:
  10508. description: |-
  10509. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  10510. can be performed.
  10511. format: byte
  10512. type: string
  10513. caProvider:
  10514. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10515. properties:
  10516. key:
  10517. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10518. maxLength: 253
  10519. minLength: 1
  10520. pattern: ^[-._a-zA-Z0-9]+$
  10521. type: string
  10522. name:
  10523. description: The name of the object located at the provider type.
  10524. maxLength: 253
  10525. minLength: 1
  10526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10527. type: string
  10528. namespace:
  10529. description: |-
  10530. The namespace the Provider type is in.
  10531. Can only be defined when used in a ClusterSecretStore.
  10532. maxLength: 63
  10533. minLength: 1
  10534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10535. type: string
  10536. type:
  10537. description: The type of provider to use such as "Secret", or "ConfigMap".
  10538. enum:
  10539. - Secret
  10540. - ConfigMap
  10541. type: string
  10542. required:
  10543. - name
  10544. - type
  10545. type: object
  10546. environment:
  10547. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10548. type: string
  10549. groupIDs:
  10550. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  10551. items:
  10552. type: string
  10553. type: array
  10554. inheritFromGroups:
  10555. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10556. type: boolean
  10557. projectID:
  10558. description: ProjectID specifies a project where secrets are located.
  10559. type: string
  10560. url:
  10561. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10562. type: string
  10563. required:
  10564. - auth
  10565. type: object
  10566. ibm:
  10567. description: IBM configures this store to sync secrets using IBM Cloud provider
  10568. properties:
  10569. auth:
  10570. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10571. maxProperties: 1
  10572. minProperties: 1
  10573. properties:
  10574. containerAuth:
  10575. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10576. properties:
  10577. iamEndpoint:
  10578. type: string
  10579. profile:
  10580. description: the IBM Trusted Profile
  10581. type: string
  10582. tokenLocation:
  10583. description: Location the token is mounted on the pod
  10584. type: string
  10585. required:
  10586. - profile
  10587. type: object
  10588. secretRef:
  10589. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10590. properties:
  10591. secretApiKeySecretRef:
  10592. description: The SecretAccessKey is used for authentication
  10593. properties:
  10594. key:
  10595. description: |-
  10596. A key in the referenced Secret.
  10597. Some instances of this field may be defaulted, in others it may be required.
  10598. maxLength: 253
  10599. minLength: 1
  10600. pattern: ^[-._a-zA-Z0-9]+$
  10601. type: string
  10602. name:
  10603. description: The name of the Secret resource being referred to.
  10604. maxLength: 253
  10605. minLength: 1
  10606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10607. type: string
  10608. namespace:
  10609. description: |-
  10610. The namespace of the Secret resource being referred to.
  10611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10612. maxLength: 63
  10613. minLength: 1
  10614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10615. type: string
  10616. type: object
  10617. type: object
  10618. type: object
  10619. serviceUrl:
  10620. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10621. type: string
  10622. required:
  10623. - auth
  10624. type: object
  10625. infisical:
  10626. description: Infisical configures this store to sync secrets using the Infisical provider
  10627. properties:
  10628. auth:
  10629. description: Auth configures how the Operator authenticates with the Infisical API
  10630. properties:
  10631. universalAuthCredentials:
  10632. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10633. properties:
  10634. clientId:
  10635. description: |-
  10636. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10637. In some instances, `key` is a required field.
  10638. properties:
  10639. key:
  10640. description: |-
  10641. A key in the referenced Secret.
  10642. Some instances of this field may be defaulted, in others it may be required.
  10643. maxLength: 253
  10644. minLength: 1
  10645. pattern: ^[-._a-zA-Z0-9]+$
  10646. type: string
  10647. name:
  10648. description: The name of the Secret resource being referred to.
  10649. maxLength: 253
  10650. minLength: 1
  10651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10652. type: string
  10653. namespace:
  10654. description: |-
  10655. The namespace of the Secret resource being referred to.
  10656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10657. maxLength: 63
  10658. minLength: 1
  10659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10660. type: string
  10661. type: object
  10662. clientSecret:
  10663. description: |-
  10664. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10665. In some instances, `key` is a required field.
  10666. properties:
  10667. key:
  10668. description: |-
  10669. A key in the referenced Secret.
  10670. Some instances of this field may be defaulted, in others it may be required.
  10671. maxLength: 253
  10672. minLength: 1
  10673. pattern: ^[-._a-zA-Z0-9]+$
  10674. type: string
  10675. name:
  10676. description: The name of the Secret resource being referred to.
  10677. maxLength: 253
  10678. minLength: 1
  10679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10680. type: string
  10681. namespace:
  10682. description: |-
  10683. The namespace of the Secret resource being referred to.
  10684. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10685. maxLength: 63
  10686. minLength: 1
  10687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10688. type: string
  10689. type: object
  10690. required:
  10691. - clientId
  10692. - clientSecret
  10693. type: object
  10694. type: object
  10695. hostAPI:
  10696. default: https://app.infisical.com/api
  10697. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10698. type: string
  10699. secretsScope:
  10700. description: SecretsScope defines the scope of the secrets within the workspace
  10701. properties:
  10702. environmentSlug:
  10703. description: EnvironmentSlug is the required slug identifier for the environment.
  10704. type: string
  10705. expandSecretReferences:
  10706. default: true
  10707. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10708. type: boolean
  10709. projectSlug:
  10710. description: ProjectSlug is the required slug identifier for the project.
  10711. type: string
  10712. recursive:
  10713. default: false
  10714. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10715. type: boolean
  10716. secretsPath:
  10717. default: /
  10718. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10719. type: string
  10720. required:
  10721. - environmentSlug
  10722. - projectSlug
  10723. type: object
  10724. required:
  10725. - auth
  10726. - secretsScope
  10727. type: object
  10728. keepersecurity:
  10729. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10730. properties:
  10731. authRef:
  10732. description: |-
  10733. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10734. In some instances, `key` is a required field.
  10735. properties:
  10736. key:
  10737. description: |-
  10738. A key in the referenced Secret.
  10739. Some instances of this field may be defaulted, in others it may be required.
  10740. maxLength: 253
  10741. minLength: 1
  10742. pattern: ^[-._a-zA-Z0-9]+$
  10743. type: string
  10744. name:
  10745. description: The name of the Secret resource being referred to.
  10746. maxLength: 253
  10747. minLength: 1
  10748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10749. type: string
  10750. namespace:
  10751. description: |-
  10752. The namespace of the Secret resource being referred to.
  10753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10754. maxLength: 63
  10755. minLength: 1
  10756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10757. type: string
  10758. type: object
  10759. folderID:
  10760. type: string
  10761. required:
  10762. - authRef
  10763. - folderID
  10764. type: object
  10765. kubernetes:
  10766. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10767. properties:
  10768. auth:
  10769. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10770. maxProperties: 1
  10771. minProperties: 1
  10772. properties:
  10773. cert:
  10774. description: has both clientCert and clientKey as secretKeySelector
  10775. properties:
  10776. clientCert:
  10777. description: |-
  10778. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10779. In some instances, `key` is a required field.
  10780. properties:
  10781. key:
  10782. description: |-
  10783. A key in the referenced Secret.
  10784. Some instances of this field may be defaulted, in others it may be required.
  10785. maxLength: 253
  10786. minLength: 1
  10787. pattern: ^[-._a-zA-Z0-9]+$
  10788. type: string
  10789. name:
  10790. description: The name of the Secret resource being referred to.
  10791. maxLength: 253
  10792. minLength: 1
  10793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10794. type: string
  10795. namespace:
  10796. description: |-
  10797. The namespace of the Secret resource being referred to.
  10798. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10799. maxLength: 63
  10800. minLength: 1
  10801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10802. type: string
  10803. type: object
  10804. clientKey:
  10805. description: |-
  10806. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10807. In some instances, `key` is a required field.
  10808. properties:
  10809. key:
  10810. description: |-
  10811. A key in the referenced Secret.
  10812. Some instances of this field may be defaulted, in others it may be required.
  10813. maxLength: 253
  10814. minLength: 1
  10815. pattern: ^[-._a-zA-Z0-9]+$
  10816. type: string
  10817. name:
  10818. description: The name of the Secret resource being referred to.
  10819. maxLength: 253
  10820. minLength: 1
  10821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10822. type: string
  10823. namespace:
  10824. description: |-
  10825. The namespace of the Secret resource being referred to.
  10826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10827. maxLength: 63
  10828. minLength: 1
  10829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10830. type: string
  10831. type: object
  10832. type: object
  10833. serviceAccount:
  10834. description: points to a service account that should be used for authentication
  10835. properties:
  10836. audiences:
  10837. description: |-
  10838. Audience specifies the `aud` claim for the service account token
  10839. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10840. then this audiences will be appended to the list
  10841. items:
  10842. type: string
  10843. type: array
  10844. name:
  10845. description: The name of the ServiceAccount resource being referred to.
  10846. maxLength: 253
  10847. minLength: 1
  10848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10849. type: string
  10850. namespace:
  10851. description: |-
  10852. Namespace of the resource being referred to.
  10853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10854. maxLength: 63
  10855. minLength: 1
  10856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10857. type: string
  10858. required:
  10859. - name
  10860. type: object
  10861. token:
  10862. description: use static token to authenticate with
  10863. properties:
  10864. bearerToken:
  10865. description: |-
  10866. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10867. In some instances, `key` is a required field.
  10868. properties:
  10869. key:
  10870. description: |-
  10871. A key in the referenced Secret.
  10872. Some instances of this field may be defaulted, in others it may be required.
  10873. maxLength: 253
  10874. minLength: 1
  10875. pattern: ^[-._a-zA-Z0-9]+$
  10876. type: string
  10877. name:
  10878. description: The name of the Secret resource being referred to.
  10879. maxLength: 253
  10880. minLength: 1
  10881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10882. type: string
  10883. namespace:
  10884. description: |-
  10885. The namespace of the Secret resource being referred to.
  10886. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10887. maxLength: 63
  10888. minLength: 1
  10889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10890. type: string
  10891. type: object
  10892. type: object
  10893. type: object
  10894. authRef:
  10895. description: A reference to a secret that contains the auth information.
  10896. properties:
  10897. key:
  10898. description: |-
  10899. A key in the referenced Secret.
  10900. Some instances of this field may be defaulted, in others it may be required.
  10901. maxLength: 253
  10902. minLength: 1
  10903. pattern: ^[-._a-zA-Z0-9]+$
  10904. type: string
  10905. name:
  10906. description: The name of the Secret resource being referred to.
  10907. maxLength: 253
  10908. minLength: 1
  10909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10910. type: string
  10911. namespace:
  10912. description: |-
  10913. The namespace of the Secret resource being referred to.
  10914. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10915. maxLength: 63
  10916. minLength: 1
  10917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10918. type: string
  10919. type: object
  10920. remoteNamespace:
  10921. default: default
  10922. description: Remote namespace to fetch the secrets from
  10923. maxLength: 63
  10924. minLength: 1
  10925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10926. type: string
  10927. server:
  10928. description: configures the Kubernetes server Address.
  10929. properties:
  10930. caBundle:
  10931. description: CABundle is a base64-encoded CA certificate
  10932. format: byte
  10933. type: string
  10934. caProvider:
  10935. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  10936. properties:
  10937. key:
  10938. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10939. maxLength: 253
  10940. minLength: 1
  10941. pattern: ^[-._a-zA-Z0-9]+$
  10942. type: string
  10943. name:
  10944. description: The name of the object located at the provider type.
  10945. maxLength: 253
  10946. minLength: 1
  10947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10948. type: string
  10949. namespace:
  10950. description: |-
  10951. The namespace the Provider type is in.
  10952. Can only be defined when used in a ClusterSecretStore.
  10953. maxLength: 63
  10954. minLength: 1
  10955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10956. type: string
  10957. type:
  10958. description: The type of provider to use such as "Secret", or "ConfigMap".
  10959. enum:
  10960. - Secret
  10961. - ConfigMap
  10962. type: string
  10963. required:
  10964. - name
  10965. - type
  10966. type: object
  10967. url:
  10968. default: kubernetes.default
  10969. description: configures the Kubernetes server Address.
  10970. type: string
  10971. type: object
  10972. type: object
  10973. onboardbase:
  10974. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  10975. properties:
  10976. apiHost:
  10977. default: https://public.onboardbase.com/api/v1/
  10978. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  10979. type: string
  10980. auth:
  10981. description: Auth configures how the Operator authenticates with the Onboardbase API
  10982. properties:
  10983. apiKeyRef:
  10984. description: |-
  10985. OnboardbaseAPIKey is the APIKey generated by an admin account.
  10986. It is used to recognize and authorize access to a project and environment within onboardbase
  10987. properties:
  10988. key:
  10989. description: |-
  10990. A key in the referenced Secret.
  10991. Some instances of this field may be defaulted, in others it may be required.
  10992. maxLength: 253
  10993. minLength: 1
  10994. pattern: ^[-._a-zA-Z0-9]+$
  10995. type: string
  10996. name:
  10997. description: The name of the Secret resource being referred to.
  10998. maxLength: 253
  10999. minLength: 1
  11000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11001. type: string
  11002. namespace:
  11003. description: |-
  11004. The namespace of the Secret resource being referred to.
  11005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11006. maxLength: 63
  11007. minLength: 1
  11008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11009. type: string
  11010. type: object
  11011. passcodeRef:
  11012. description: OnboardbasePasscode is the passcode attached to the API Key
  11013. properties:
  11014. key:
  11015. description: |-
  11016. A key in the referenced Secret.
  11017. Some instances of this field may be defaulted, in others it may be required.
  11018. maxLength: 253
  11019. minLength: 1
  11020. pattern: ^[-._a-zA-Z0-9]+$
  11021. type: string
  11022. name:
  11023. description: The name of the Secret resource being referred to.
  11024. maxLength: 253
  11025. minLength: 1
  11026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11027. type: string
  11028. namespace:
  11029. description: |-
  11030. The namespace of the Secret resource being referred to.
  11031. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11032. maxLength: 63
  11033. minLength: 1
  11034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11035. type: string
  11036. type: object
  11037. required:
  11038. - apiKeyRef
  11039. - passcodeRef
  11040. type: object
  11041. environment:
  11042. default: development
  11043. description: Environment is the name of an environmnent within a project to pull the secrets from
  11044. type: string
  11045. project:
  11046. default: development
  11047. description: Project is an onboardbase project that the secrets should be pulled from
  11048. type: string
  11049. required:
  11050. - apiHost
  11051. - auth
  11052. - environment
  11053. - project
  11054. type: object
  11055. onepassword:
  11056. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  11057. properties:
  11058. auth:
  11059. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  11060. properties:
  11061. secretRef:
  11062. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  11063. properties:
  11064. connectTokenSecretRef:
  11065. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  11066. properties:
  11067. key:
  11068. description: |-
  11069. A key in the referenced Secret.
  11070. Some instances of this field may be defaulted, in others it may be required.
  11071. maxLength: 253
  11072. minLength: 1
  11073. pattern: ^[-._a-zA-Z0-9]+$
  11074. type: string
  11075. name:
  11076. description: The name of the Secret resource being referred to.
  11077. maxLength: 253
  11078. minLength: 1
  11079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11080. type: string
  11081. namespace:
  11082. description: |-
  11083. The namespace of the Secret resource being referred to.
  11084. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11085. maxLength: 63
  11086. minLength: 1
  11087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11088. type: string
  11089. type: object
  11090. required:
  11091. - connectTokenSecretRef
  11092. type: object
  11093. required:
  11094. - secretRef
  11095. type: object
  11096. connectHost:
  11097. description: ConnectHost defines the OnePassword Connect Server to connect to
  11098. type: string
  11099. vaults:
  11100. additionalProperties:
  11101. type: integer
  11102. description: Vaults defines which OnePassword vaults to search in which order
  11103. type: object
  11104. required:
  11105. - auth
  11106. - connectHost
  11107. - vaults
  11108. type: object
  11109. oracle:
  11110. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11111. properties:
  11112. auth:
  11113. description: |-
  11114. Auth configures how secret-manager authenticates with the Oracle Vault.
  11115. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11116. properties:
  11117. secretRef:
  11118. description: SecretRef to pass through sensitive information.
  11119. properties:
  11120. fingerprint:
  11121. description: Fingerprint is the fingerprint of the API private key.
  11122. properties:
  11123. key:
  11124. description: |-
  11125. A key in the referenced Secret.
  11126. Some instances of this field may be defaulted, in others it may be required.
  11127. maxLength: 253
  11128. minLength: 1
  11129. pattern: ^[-._a-zA-Z0-9]+$
  11130. type: string
  11131. name:
  11132. description: The name of the Secret resource being referred to.
  11133. maxLength: 253
  11134. minLength: 1
  11135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11136. type: string
  11137. namespace:
  11138. description: |-
  11139. The namespace of the Secret resource being referred to.
  11140. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11141. maxLength: 63
  11142. minLength: 1
  11143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11144. type: string
  11145. type: object
  11146. privatekey:
  11147. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11148. properties:
  11149. key:
  11150. description: |-
  11151. A key in the referenced Secret.
  11152. Some instances of this field may be defaulted, in others it may be required.
  11153. maxLength: 253
  11154. minLength: 1
  11155. pattern: ^[-._a-zA-Z0-9]+$
  11156. type: string
  11157. name:
  11158. description: The name of the Secret resource being referred to.
  11159. maxLength: 253
  11160. minLength: 1
  11161. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11162. type: string
  11163. namespace:
  11164. description: |-
  11165. The namespace of the Secret resource being referred to.
  11166. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11167. maxLength: 63
  11168. minLength: 1
  11169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11170. type: string
  11171. type: object
  11172. required:
  11173. - fingerprint
  11174. - privatekey
  11175. type: object
  11176. tenancy:
  11177. description: Tenancy is the tenancy OCID where user is located.
  11178. type: string
  11179. user:
  11180. description: User is an access OCID specific to the account.
  11181. type: string
  11182. required:
  11183. - secretRef
  11184. - tenancy
  11185. - user
  11186. type: object
  11187. compartment:
  11188. description: |-
  11189. Compartment is the vault compartment OCID.
  11190. Required for PushSecret
  11191. type: string
  11192. encryptionKey:
  11193. description: |-
  11194. EncryptionKey is the OCID of the encryption key within the vault.
  11195. Required for PushSecret
  11196. type: string
  11197. principalType:
  11198. description: |-
  11199. The type of principal to use for authentication. If left blank, the Auth struct will
  11200. determine the principal type. This optional field must be specified if using
  11201. workload identity.
  11202. enum:
  11203. - ""
  11204. - UserPrincipal
  11205. - InstancePrincipal
  11206. - Workload
  11207. type: string
  11208. region:
  11209. description: Region is the region where vault is located.
  11210. type: string
  11211. serviceAccountRef:
  11212. description: |-
  11213. ServiceAccountRef specified the service account
  11214. that should be used when authenticating with WorkloadIdentity.
  11215. properties:
  11216. audiences:
  11217. description: |-
  11218. Audience specifies the `aud` claim for the service account token
  11219. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11220. then this audiences will be appended to the list
  11221. items:
  11222. type: string
  11223. type: array
  11224. name:
  11225. description: The name of the ServiceAccount resource being referred to.
  11226. maxLength: 253
  11227. minLength: 1
  11228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11229. type: string
  11230. namespace:
  11231. description: |-
  11232. Namespace of the resource being referred to.
  11233. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11234. maxLength: 63
  11235. minLength: 1
  11236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11237. type: string
  11238. required:
  11239. - name
  11240. type: object
  11241. vault:
  11242. description: Vault is the vault's OCID of the specific vault where secret is located.
  11243. type: string
  11244. required:
  11245. - region
  11246. - vault
  11247. type: object
  11248. passbolt:
  11249. description: PassboltProvider defines configuration for the Passbolt provider.
  11250. properties:
  11251. auth:
  11252. description: Auth defines the information necessary to authenticate against Passbolt Server
  11253. properties:
  11254. passwordSecretRef:
  11255. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11256. properties:
  11257. key:
  11258. description: |-
  11259. A key in the referenced Secret.
  11260. Some instances of this field may be defaulted, in others it may be required.
  11261. maxLength: 253
  11262. minLength: 1
  11263. pattern: ^[-._a-zA-Z0-9]+$
  11264. type: string
  11265. name:
  11266. description: The name of the Secret resource being referred to.
  11267. maxLength: 253
  11268. minLength: 1
  11269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11270. type: string
  11271. namespace:
  11272. description: |-
  11273. The namespace of the Secret resource being referred to.
  11274. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11275. maxLength: 63
  11276. minLength: 1
  11277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11278. type: string
  11279. type: object
  11280. privateKeySecretRef:
  11281. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11282. properties:
  11283. key:
  11284. description: |-
  11285. A key in the referenced Secret.
  11286. Some instances of this field may be defaulted, in others it may be required.
  11287. maxLength: 253
  11288. minLength: 1
  11289. pattern: ^[-._a-zA-Z0-9]+$
  11290. type: string
  11291. name:
  11292. description: The name of the Secret resource being referred to.
  11293. maxLength: 253
  11294. minLength: 1
  11295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11296. type: string
  11297. namespace:
  11298. description: |-
  11299. The namespace of the Secret resource being referred to.
  11300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11301. maxLength: 63
  11302. minLength: 1
  11303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11304. type: string
  11305. type: object
  11306. required:
  11307. - passwordSecretRef
  11308. - privateKeySecretRef
  11309. type: object
  11310. host:
  11311. description: Host defines the Passbolt Server to connect to
  11312. type: string
  11313. required:
  11314. - auth
  11315. - host
  11316. type: object
  11317. passworddepot:
  11318. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11319. properties:
  11320. auth:
  11321. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11322. properties:
  11323. secretRef:
  11324. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11325. properties:
  11326. credentials:
  11327. description: Username / Password is used for authentication.
  11328. properties:
  11329. key:
  11330. description: |-
  11331. A key in the referenced Secret.
  11332. Some instances of this field may be defaulted, in others it may be required.
  11333. maxLength: 253
  11334. minLength: 1
  11335. pattern: ^[-._a-zA-Z0-9]+$
  11336. type: string
  11337. name:
  11338. description: The name of the Secret resource being referred to.
  11339. maxLength: 253
  11340. minLength: 1
  11341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11342. type: string
  11343. namespace:
  11344. description: |-
  11345. The namespace of the Secret resource being referred to.
  11346. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11347. maxLength: 63
  11348. minLength: 1
  11349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11350. type: string
  11351. type: object
  11352. type: object
  11353. required:
  11354. - secretRef
  11355. type: object
  11356. database:
  11357. description: Database to use as source
  11358. type: string
  11359. host:
  11360. description: URL configures the Password Depot instance URL.
  11361. type: string
  11362. required:
  11363. - auth
  11364. - database
  11365. - host
  11366. type: object
  11367. previder:
  11368. description: Previder configures this store to sync secrets using the Previder provider
  11369. properties:
  11370. auth:
  11371. description: PreviderAuth contains a secretRef for credentials.
  11372. properties:
  11373. secretRef:
  11374. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11375. properties:
  11376. accessToken:
  11377. description: The AccessToken is used for authentication
  11378. properties:
  11379. key:
  11380. description: |-
  11381. A key in the referenced Secret.
  11382. Some instances of this field may be defaulted, in others it may be required.
  11383. maxLength: 253
  11384. minLength: 1
  11385. pattern: ^[-._a-zA-Z0-9]+$
  11386. type: string
  11387. name:
  11388. description: The name of the Secret resource being referred to.
  11389. maxLength: 253
  11390. minLength: 1
  11391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11392. type: string
  11393. namespace:
  11394. description: |-
  11395. The namespace of the Secret resource being referred to.
  11396. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11397. maxLength: 63
  11398. minLength: 1
  11399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11400. type: string
  11401. type: object
  11402. required:
  11403. - accessToken
  11404. type: object
  11405. type: object
  11406. baseUri:
  11407. type: string
  11408. required:
  11409. - auth
  11410. type: object
  11411. pulumi:
  11412. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11413. properties:
  11414. accessToken:
  11415. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11416. properties:
  11417. secretRef:
  11418. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11419. properties:
  11420. key:
  11421. description: |-
  11422. A key in the referenced Secret.
  11423. Some instances of this field may be defaulted, in others it may be required.
  11424. maxLength: 253
  11425. minLength: 1
  11426. pattern: ^[-._a-zA-Z0-9]+$
  11427. type: string
  11428. name:
  11429. description: The name of the Secret resource being referred to.
  11430. maxLength: 253
  11431. minLength: 1
  11432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11433. type: string
  11434. namespace:
  11435. description: |-
  11436. The namespace of the Secret resource being referred to.
  11437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11438. maxLength: 63
  11439. minLength: 1
  11440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11441. type: string
  11442. type: object
  11443. type: object
  11444. apiUrl:
  11445. default: https://api.pulumi.com/api/esc
  11446. description: APIURL is the URL of the Pulumi API.
  11447. type: string
  11448. environment:
  11449. description: |-
  11450. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  11451. dynamically retrieved values from supported providers including all major clouds,
  11452. and other Pulumi ESC environments.
  11453. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11454. type: string
  11455. organization:
  11456. description: |-
  11457. Organization are a space to collaborate on shared projects and stacks.
  11458. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11459. type: string
  11460. project:
  11461. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11462. type: string
  11463. required:
  11464. - accessToken
  11465. - environment
  11466. - organization
  11467. - project
  11468. type: object
  11469. scaleway:
  11470. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11471. properties:
  11472. accessKey:
  11473. description: AccessKey is the non-secret part of the api key.
  11474. properties:
  11475. secretRef:
  11476. description: SecretRef references a key in a secret that will be used as value.
  11477. properties:
  11478. key:
  11479. description: |-
  11480. A key in the referenced Secret.
  11481. Some instances of this field may be defaulted, in others it may be required.
  11482. maxLength: 253
  11483. minLength: 1
  11484. pattern: ^[-._a-zA-Z0-9]+$
  11485. type: string
  11486. name:
  11487. description: The name of the Secret resource being referred to.
  11488. maxLength: 253
  11489. minLength: 1
  11490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11491. type: string
  11492. namespace:
  11493. description: |-
  11494. The namespace of the Secret resource being referred to.
  11495. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11496. maxLength: 63
  11497. minLength: 1
  11498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11499. type: string
  11500. type: object
  11501. value:
  11502. description: Value can be specified directly to set a value without using a secret.
  11503. type: string
  11504. type: object
  11505. apiUrl:
  11506. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11507. type: string
  11508. projectId:
  11509. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11510. type: string
  11511. region:
  11512. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11513. type: string
  11514. secretKey:
  11515. description: SecretKey is the non-secret part of the api key.
  11516. properties:
  11517. secretRef:
  11518. description: SecretRef references a key in a secret that will be used as value.
  11519. properties:
  11520. key:
  11521. description: |-
  11522. A key in the referenced Secret.
  11523. Some instances of this field may be defaulted, in others it may be required.
  11524. maxLength: 253
  11525. minLength: 1
  11526. pattern: ^[-._a-zA-Z0-9]+$
  11527. type: string
  11528. name:
  11529. description: The name of the Secret resource being referred to.
  11530. maxLength: 253
  11531. minLength: 1
  11532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11533. type: string
  11534. namespace:
  11535. description: |-
  11536. The namespace of the Secret resource being referred to.
  11537. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11538. maxLength: 63
  11539. minLength: 1
  11540. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11541. type: string
  11542. type: object
  11543. value:
  11544. description: Value can be specified directly to set a value without using a secret.
  11545. type: string
  11546. type: object
  11547. required:
  11548. - accessKey
  11549. - projectId
  11550. - region
  11551. - secretKey
  11552. type: object
  11553. secretserver:
  11554. description: |-
  11555. SecretServer configures this store to sync secrets using SecretServer provider
  11556. https://docs.delinea.com/online-help/secret-server/start.htm
  11557. properties:
  11558. password:
  11559. description: Password is the secret server account password.
  11560. properties:
  11561. secretRef:
  11562. description: SecretRef references a key in a secret that will be used as value.
  11563. properties:
  11564. key:
  11565. description: |-
  11566. A key in the referenced Secret.
  11567. Some instances of this field may be defaulted, in others it may be required.
  11568. maxLength: 253
  11569. minLength: 1
  11570. pattern: ^[-._a-zA-Z0-9]+$
  11571. type: string
  11572. name:
  11573. description: The name of the Secret resource being referred to.
  11574. maxLength: 253
  11575. minLength: 1
  11576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11577. type: string
  11578. namespace:
  11579. description: |-
  11580. The namespace of the Secret resource being referred to.
  11581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11582. maxLength: 63
  11583. minLength: 1
  11584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11585. type: string
  11586. type: object
  11587. value:
  11588. description: Value can be specified directly to set a value without using a secret.
  11589. type: string
  11590. type: object
  11591. serverURL:
  11592. description: |-
  11593. ServerURL
  11594. URL to your secret server installation
  11595. type: string
  11596. username:
  11597. description: Username is the secret server account username.
  11598. properties:
  11599. secretRef:
  11600. description: SecretRef references a key in a secret that will be used as value.
  11601. properties:
  11602. key:
  11603. description: |-
  11604. A key in the referenced Secret.
  11605. Some instances of this field may be defaulted, in others it may be required.
  11606. maxLength: 253
  11607. minLength: 1
  11608. pattern: ^[-._a-zA-Z0-9]+$
  11609. type: string
  11610. name:
  11611. description: The name of the Secret resource being referred to.
  11612. maxLength: 253
  11613. minLength: 1
  11614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11615. type: string
  11616. namespace:
  11617. description: |-
  11618. The namespace of the Secret resource being referred to.
  11619. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11620. maxLength: 63
  11621. minLength: 1
  11622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11623. type: string
  11624. type: object
  11625. value:
  11626. description: Value can be specified directly to set a value without using a secret.
  11627. type: string
  11628. type: object
  11629. required:
  11630. - password
  11631. - serverURL
  11632. - username
  11633. type: object
  11634. senhasegura:
  11635. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11636. properties:
  11637. auth:
  11638. description: Auth defines parameters to authenticate in senhasegura
  11639. properties:
  11640. clientId:
  11641. type: string
  11642. clientSecretSecretRef:
  11643. description: |-
  11644. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11645. In some instances, `key` is a required field.
  11646. properties:
  11647. key:
  11648. description: |-
  11649. A key in the referenced Secret.
  11650. Some instances of this field may be defaulted, in others it may be required.
  11651. maxLength: 253
  11652. minLength: 1
  11653. pattern: ^[-._a-zA-Z0-9]+$
  11654. type: string
  11655. name:
  11656. description: The name of the Secret resource being referred to.
  11657. maxLength: 253
  11658. minLength: 1
  11659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11660. type: string
  11661. namespace:
  11662. description: |-
  11663. The namespace of the Secret resource being referred to.
  11664. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11665. maxLength: 63
  11666. minLength: 1
  11667. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11668. type: string
  11669. type: object
  11670. required:
  11671. - clientId
  11672. - clientSecretSecretRef
  11673. type: object
  11674. ignoreSslCertificate:
  11675. default: false
  11676. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11677. type: boolean
  11678. module:
  11679. description: Module defines which senhasegura module should be used to get secrets
  11680. type: string
  11681. url:
  11682. description: URL of senhasegura
  11683. type: string
  11684. required:
  11685. - auth
  11686. - module
  11687. - url
  11688. type: object
  11689. vault:
  11690. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11691. properties:
  11692. auth:
  11693. description: Auth configures how secret-manager authenticates with the Vault server.
  11694. properties:
  11695. appRole:
  11696. description: |-
  11697. AppRole authenticates with Vault using the App Role auth mechanism,
  11698. with the role and secret stored in a Kubernetes Secret resource.
  11699. properties:
  11700. path:
  11701. default: approle
  11702. description: |-
  11703. Path where the App Role authentication backend is mounted
  11704. in Vault, e.g: "approle"
  11705. type: string
  11706. roleId:
  11707. description: |-
  11708. RoleID configured in the App Role authentication backend when setting
  11709. up the authentication backend in Vault.
  11710. type: string
  11711. roleRef:
  11712. description: |-
  11713. Reference to a key in a Secret that contains the App Role ID used
  11714. to authenticate with Vault.
  11715. The `key` field must be specified and denotes which entry within the Secret
  11716. resource is used as the app role id.
  11717. properties:
  11718. key:
  11719. description: |-
  11720. A key in the referenced Secret.
  11721. Some instances of this field may be defaulted, in others it may be required.
  11722. maxLength: 253
  11723. minLength: 1
  11724. pattern: ^[-._a-zA-Z0-9]+$
  11725. type: string
  11726. name:
  11727. description: The name of the Secret resource being referred to.
  11728. maxLength: 253
  11729. minLength: 1
  11730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11731. type: string
  11732. namespace:
  11733. description: |-
  11734. The namespace of the Secret resource being referred to.
  11735. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11736. maxLength: 63
  11737. minLength: 1
  11738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11739. type: string
  11740. type: object
  11741. secretRef:
  11742. description: |-
  11743. Reference to a key in a Secret that contains the App Role secret used
  11744. to authenticate with Vault.
  11745. The `key` field must be specified and denotes which entry within the Secret
  11746. resource is used as the app role secret.
  11747. properties:
  11748. key:
  11749. description: |-
  11750. A key in the referenced Secret.
  11751. Some instances of this field may be defaulted, in others it may be required.
  11752. maxLength: 253
  11753. minLength: 1
  11754. pattern: ^[-._a-zA-Z0-9]+$
  11755. type: string
  11756. name:
  11757. description: The name of the Secret resource being referred to.
  11758. maxLength: 253
  11759. minLength: 1
  11760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11761. type: string
  11762. namespace:
  11763. description: |-
  11764. The namespace of the Secret resource being referred to.
  11765. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11766. maxLength: 63
  11767. minLength: 1
  11768. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11769. type: string
  11770. type: object
  11771. required:
  11772. - path
  11773. - secretRef
  11774. type: object
  11775. cert:
  11776. description: |-
  11777. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11778. Cert authentication method
  11779. properties:
  11780. clientCert:
  11781. description: |-
  11782. ClientCert is a certificate to authenticate using the Cert Vault
  11783. authentication method
  11784. properties:
  11785. key:
  11786. description: |-
  11787. A key in the referenced Secret.
  11788. Some instances of this field may be defaulted, in others it may be required.
  11789. maxLength: 253
  11790. minLength: 1
  11791. pattern: ^[-._a-zA-Z0-9]+$
  11792. type: string
  11793. name:
  11794. description: The name of the Secret resource being referred to.
  11795. maxLength: 253
  11796. minLength: 1
  11797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11798. type: string
  11799. namespace:
  11800. description: |-
  11801. The namespace of the Secret resource being referred to.
  11802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11803. maxLength: 63
  11804. minLength: 1
  11805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11806. type: string
  11807. type: object
  11808. secretRef:
  11809. description: |-
  11810. SecretRef to a key in a Secret resource containing client private key to
  11811. authenticate with Vault using the Cert authentication method
  11812. properties:
  11813. key:
  11814. description: |-
  11815. A key in the referenced Secret.
  11816. Some instances of this field may be defaulted, in others it may be required.
  11817. maxLength: 253
  11818. minLength: 1
  11819. pattern: ^[-._a-zA-Z0-9]+$
  11820. type: string
  11821. name:
  11822. description: The name of the Secret resource being referred to.
  11823. maxLength: 253
  11824. minLength: 1
  11825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11826. type: string
  11827. namespace:
  11828. description: |-
  11829. The namespace of the Secret resource being referred to.
  11830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11831. maxLength: 63
  11832. minLength: 1
  11833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11834. type: string
  11835. type: object
  11836. type: object
  11837. iam:
  11838. description: |-
  11839. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  11840. AWS IAM authentication method
  11841. properties:
  11842. externalID:
  11843. description: AWS External ID set on assumed IAM roles
  11844. type: string
  11845. jwt:
  11846. description: Specify a service account with IRSA enabled
  11847. properties:
  11848. serviceAccountRef:
  11849. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  11850. properties:
  11851. audiences:
  11852. description: |-
  11853. Audience specifies the `aud` claim for the service account token
  11854. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11855. then this audiences will be appended to the list
  11856. items:
  11857. type: string
  11858. type: array
  11859. name:
  11860. description: The name of the ServiceAccount resource being referred to.
  11861. maxLength: 253
  11862. minLength: 1
  11863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11864. type: string
  11865. namespace:
  11866. description: |-
  11867. Namespace of the resource being referred to.
  11868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11869. maxLength: 63
  11870. minLength: 1
  11871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11872. type: string
  11873. required:
  11874. - name
  11875. type: object
  11876. type: object
  11877. path:
  11878. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11879. type: string
  11880. region:
  11881. description: AWS region
  11882. type: string
  11883. role:
  11884. description: This is the AWS role to be assumed before talking to vault
  11885. type: string
  11886. secretRef:
  11887. description: Specify credentials in a Secret object
  11888. properties:
  11889. accessKeyIDSecretRef:
  11890. description: The AccessKeyID is used for authentication
  11891. properties:
  11892. key:
  11893. description: |-
  11894. A key in the referenced Secret.
  11895. Some instances of this field may be defaulted, in others it may be required.
  11896. maxLength: 253
  11897. minLength: 1
  11898. pattern: ^[-._a-zA-Z0-9]+$
  11899. type: string
  11900. name:
  11901. description: The name of the Secret resource being referred to.
  11902. maxLength: 253
  11903. minLength: 1
  11904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11905. type: string
  11906. namespace:
  11907. description: |-
  11908. The namespace of the Secret resource being referred to.
  11909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11910. maxLength: 63
  11911. minLength: 1
  11912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11913. type: string
  11914. type: object
  11915. secretAccessKeySecretRef:
  11916. description: The SecretAccessKey is used for authentication
  11917. properties:
  11918. key:
  11919. description: |-
  11920. A key in the referenced Secret.
  11921. Some instances of this field may be defaulted, in others it may be required.
  11922. maxLength: 253
  11923. minLength: 1
  11924. pattern: ^[-._a-zA-Z0-9]+$
  11925. type: string
  11926. name:
  11927. description: The name of the Secret resource being referred to.
  11928. maxLength: 253
  11929. minLength: 1
  11930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11931. type: string
  11932. namespace:
  11933. description: |-
  11934. The namespace of the Secret resource being referred to.
  11935. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11936. maxLength: 63
  11937. minLength: 1
  11938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11939. type: string
  11940. type: object
  11941. sessionTokenSecretRef:
  11942. description: |-
  11943. The SessionToken used for authentication
  11944. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11945. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11946. properties:
  11947. key:
  11948. description: |-
  11949. A key in the referenced Secret.
  11950. Some instances of this field may be defaulted, in others it may be required.
  11951. maxLength: 253
  11952. minLength: 1
  11953. pattern: ^[-._a-zA-Z0-9]+$
  11954. type: string
  11955. name:
  11956. description: The name of the Secret resource being referred to.
  11957. maxLength: 253
  11958. minLength: 1
  11959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11960. type: string
  11961. namespace:
  11962. description: |-
  11963. The namespace of the Secret resource being referred to.
  11964. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11965. maxLength: 63
  11966. minLength: 1
  11967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11968. type: string
  11969. type: object
  11970. type: object
  11971. vaultAwsIamServerID:
  11972. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11973. type: string
  11974. vaultRole:
  11975. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  11976. type: string
  11977. required:
  11978. - vaultRole
  11979. type: object
  11980. jwt:
  11981. description: |-
  11982. Jwt authenticates with Vault by passing role and JWT token using the
  11983. JWT/OIDC authentication method
  11984. properties:
  11985. kubernetesServiceAccountToken:
  11986. description: |-
  11987. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11988. a token for with the `TokenRequest` API.
  11989. properties:
  11990. audiences:
  11991. description: |-
  11992. Optional audiences field that will be used to request a temporary Kubernetes service
  11993. account token for the service account referenced by `serviceAccountRef`.
  11994. Defaults to a single audience `vault` it not specified.
  11995. Deprecated: use serviceAccountRef.Audiences instead
  11996. items:
  11997. type: string
  11998. type: array
  11999. expirationSeconds:
  12000. description: |-
  12001. Optional expiration time in seconds that will be used to request a temporary
  12002. Kubernetes service account token for the service account referenced by
  12003. `serviceAccountRef`.
  12004. Deprecated: this will be removed in the future.
  12005. Defaults to 10 minutes.
  12006. format: int64
  12007. type: integer
  12008. serviceAccountRef:
  12009. description: Service account field containing the name of a kubernetes ServiceAccount.
  12010. properties:
  12011. audiences:
  12012. description: |-
  12013. Audience specifies the `aud` claim for the service account token
  12014. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12015. then this audiences will be appended to the list
  12016. items:
  12017. type: string
  12018. type: array
  12019. name:
  12020. description: The name of the ServiceAccount resource being referred to.
  12021. maxLength: 253
  12022. minLength: 1
  12023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12024. type: string
  12025. namespace:
  12026. description: |-
  12027. Namespace of the resource being referred to.
  12028. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12029. maxLength: 63
  12030. minLength: 1
  12031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12032. type: string
  12033. required:
  12034. - name
  12035. type: object
  12036. required:
  12037. - serviceAccountRef
  12038. type: object
  12039. path:
  12040. default: jwt
  12041. description: |-
  12042. Path where the JWT authentication backend is mounted
  12043. in Vault, e.g: "jwt"
  12044. type: string
  12045. role:
  12046. description: |-
  12047. Role is a JWT role to authenticate using the JWT/OIDC Vault
  12048. authentication method
  12049. type: string
  12050. secretRef:
  12051. description: |-
  12052. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  12053. authenticate with Vault using the JWT/OIDC authentication method.
  12054. properties:
  12055. key:
  12056. description: |-
  12057. A key in the referenced Secret.
  12058. Some instances of this field may be defaulted, in others it may be required.
  12059. maxLength: 253
  12060. minLength: 1
  12061. pattern: ^[-._a-zA-Z0-9]+$
  12062. type: string
  12063. name:
  12064. description: The name of the Secret resource being referred to.
  12065. maxLength: 253
  12066. minLength: 1
  12067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12068. type: string
  12069. namespace:
  12070. description: |-
  12071. The namespace of the Secret resource being referred to.
  12072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12073. maxLength: 63
  12074. minLength: 1
  12075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12076. type: string
  12077. type: object
  12078. required:
  12079. - path
  12080. type: object
  12081. kubernetes:
  12082. description: |-
  12083. Kubernetes authenticates with Vault by passing the ServiceAccount
  12084. token stored in the named Secret resource to the Vault server.
  12085. properties:
  12086. mountPath:
  12087. default: kubernetes
  12088. description: |-
  12089. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  12090. "kubernetes"
  12091. type: string
  12092. role:
  12093. description: |-
  12094. A required field containing the Vault Role to assume. A Role binds a
  12095. Kubernetes ServiceAccount with a set of Vault policies.
  12096. type: string
  12097. secretRef:
  12098. description: |-
  12099. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12100. for authenticating with Vault. If a name is specified without a key,
  12101. `token` is the default. If one is not specified, the one bound to
  12102. the controller will be used.
  12103. properties:
  12104. key:
  12105. description: |-
  12106. A key in the referenced Secret.
  12107. Some instances of this field may be defaulted, in others it may be required.
  12108. maxLength: 253
  12109. minLength: 1
  12110. pattern: ^[-._a-zA-Z0-9]+$
  12111. type: string
  12112. name:
  12113. description: The name of the Secret resource being referred to.
  12114. maxLength: 253
  12115. minLength: 1
  12116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12117. type: string
  12118. namespace:
  12119. description: |-
  12120. The namespace of the Secret resource being referred to.
  12121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12122. maxLength: 63
  12123. minLength: 1
  12124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12125. type: string
  12126. type: object
  12127. serviceAccountRef:
  12128. description: |-
  12129. Optional service account field containing the name of a kubernetes ServiceAccount.
  12130. If the service account is specified, the service account secret token JWT will be used
  12131. for authenticating with Vault. If the service account selector is not supplied,
  12132. the secretRef will be used instead.
  12133. properties:
  12134. audiences:
  12135. description: |-
  12136. Audience specifies the `aud` claim for the service account token
  12137. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12138. then this audiences will be appended to the list
  12139. items:
  12140. type: string
  12141. type: array
  12142. name:
  12143. description: The name of the ServiceAccount resource being referred to.
  12144. maxLength: 253
  12145. minLength: 1
  12146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12147. type: string
  12148. namespace:
  12149. description: |-
  12150. Namespace of the resource being referred to.
  12151. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12152. maxLength: 63
  12153. minLength: 1
  12154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12155. type: string
  12156. required:
  12157. - name
  12158. type: object
  12159. required:
  12160. - mountPath
  12161. - role
  12162. type: object
  12163. ldap:
  12164. description: |-
  12165. Ldap authenticates with Vault by passing username/password pair using
  12166. the LDAP authentication method
  12167. properties:
  12168. path:
  12169. default: ldap
  12170. description: |-
  12171. Path where the LDAP authentication backend is mounted
  12172. in Vault, e.g: "ldap"
  12173. type: string
  12174. secretRef:
  12175. description: |-
  12176. SecretRef to a key in a Secret resource containing password for the LDAP
  12177. user used to authenticate with Vault using the LDAP authentication
  12178. method
  12179. properties:
  12180. key:
  12181. description: |-
  12182. A key in the referenced Secret.
  12183. Some instances of this field may be defaulted, in others it may be required.
  12184. maxLength: 253
  12185. minLength: 1
  12186. pattern: ^[-._a-zA-Z0-9]+$
  12187. type: string
  12188. name:
  12189. description: The name of the Secret resource being referred to.
  12190. maxLength: 253
  12191. minLength: 1
  12192. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12193. type: string
  12194. namespace:
  12195. description: |-
  12196. The namespace of the Secret resource being referred to.
  12197. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12198. maxLength: 63
  12199. minLength: 1
  12200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12201. type: string
  12202. type: object
  12203. username:
  12204. description: |-
  12205. Username is an LDAP username used to authenticate using the LDAP Vault
  12206. authentication method
  12207. type: string
  12208. required:
  12209. - path
  12210. - username
  12211. type: object
  12212. namespace:
  12213. description: |-
  12214. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  12215. Namespaces is a set of features within Vault Enterprise that allows
  12216. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12217. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12218. This will default to Vault.Namespace field if set, or empty otherwise
  12219. type: string
  12220. tokenSecretRef:
  12221. description: TokenSecretRef authenticates with Vault by presenting a token.
  12222. properties:
  12223. key:
  12224. description: |-
  12225. A key in the referenced Secret.
  12226. Some instances of this field may be defaulted, in others it may be required.
  12227. maxLength: 253
  12228. minLength: 1
  12229. pattern: ^[-._a-zA-Z0-9]+$
  12230. type: string
  12231. name:
  12232. description: The name of the Secret resource being referred to.
  12233. maxLength: 253
  12234. minLength: 1
  12235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12236. type: string
  12237. namespace:
  12238. description: |-
  12239. The namespace of the Secret resource being referred to.
  12240. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12241. maxLength: 63
  12242. minLength: 1
  12243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12244. type: string
  12245. type: object
  12246. userPass:
  12247. description: UserPass authenticates with Vault by passing username/password pair
  12248. properties:
  12249. path:
  12250. default: userpass
  12251. description: |-
  12252. Path where the UserPassword authentication backend is mounted
  12253. in Vault, e.g: "userpass"
  12254. type: string
  12255. secretRef:
  12256. description: |-
  12257. SecretRef to a key in a Secret resource containing password for the
  12258. user used to authenticate with Vault using the UserPass authentication
  12259. method
  12260. properties:
  12261. key:
  12262. description: |-
  12263. A key in the referenced Secret.
  12264. Some instances of this field may be defaulted, in others it may be required.
  12265. maxLength: 253
  12266. minLength: 1
  12267. pattern: ^[-._a-zA-Z0-9]+$
  12268. type: string
  12269. name:
  12270. description: The name of the Secret resource being referred to.
  12271. maxLength: 253
  12272. minLength: 1
  12273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12274. type: string
  12275. namespace:
  12276. description: |-
  12277. The namespace of the Secret resource being referred to.
  12278. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12279. maxLength: 63
  12280. minLength: 1
  12281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12282. type: string
  12283. type: object
  12284. username:
  12285. description: |-
  12286. Username is a username used to authenticate using the UserPass Vault
  12287. authentication method
  12288. type: string
  12289. required:
  12290. - path
  12291. - username
  12292. type: object
  12293. type: object
  12294. caBundle:
  12295. description: |-
  12296. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12297. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12298. plain HTTP protocol connection. If not set the system root certificates
  12299. are used to validate the TLS connection.
  12300. format: byte
  12301. type: string
  12302. caProvider:
  12303. description: The provider for the CA bundle to use to validate Vault server certificate.
  12304. properties:
  12305. key:
  12306. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12307. maxLength: 253
  12308. minLength: 1
  12309. pattern: ^[-._a-zA-Z0-9]+$
  12310. type: string
  12311. name:
  12312. description: The name of the object located at the provider type.
  12313. maxLength: 253
  12314. minLength: 1
  12315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12316. type: string
  12317. namespace:
  12318. description: |-
  12319. The namespace the Provider type is in.
  12320. Can only be defined when used in a ClusterSecretStore.
  12321. maxLength: 63
  12322. minLength: 1
  12323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12324. type: string
  12325. type:
  12326. description: The type of provider to use such as "Secret", or "ConfigMap".
  12327. enum:
  12328. - Secret
  12329. - ConfigMap
  12330. type: string
  12331. required:
  12332. - name
  12333. - type
  12334. type: object
  12335. forwardInconsistent:
  12336. description: |-
  12337. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12338. leader instead of simply retrying within a loop. This can increase performance if
  12339. the option is enabled serverside.
  12340. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12341. type: boolean
  12342. headers:
  12343. additionalProperties:
  12344. type: string
  12345. description: Headers to be added in Vault request
  12346. type: object
  12347. namespace:
  12348. description: |-
  12349. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  12350. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12351. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12352. type: string
  12353. path:
  12354. description: |-
  12355. Path is the mount path of the Vault KV backend endpoint, e.g:
  12356. "secret". The v2 KV secret engine version specific "/data" path suffix
  12357. for fetching secrets from Vault is optional and will be appended
  12358. if not present in specified path.
  12359. type: string
  12360. readYourWrites:
  12361. description: |-
  12362. ReadYourWrites ensures isolated read-after-write semantics by
  12363. providing discovered cluster replication states in each request.
  12364. More information about eventual consistency in Vault can be found here
  12365. https://www.vaultproject.io/docs/enterprise/consistency
  12366. type: boolean
  12367. server:
  12368. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12369. type: string
  12370. tls:
  12371. description: |-
  12372. The configuration used for client side related TLS communication, when the Vault server
  12373. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12374. This parameter is ignored for plain HTTP protocol connection.
  12375. It's worth noting this configuration is different from the "TLS certificates auth method",
  12376. which is available under the `auth.cert` section.
  12377. properties:
  12378. certSecretRef:
  12379. description: |-
  12380. CertSecretRef is a certificate added to the transport layer
  12381. when communicating with the Vault server.
  12382. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12383. properties:
  12384. key:
  12385. description: |-
  12386. A key in the referenced Secret.
  12387. Some instances of this field may be defaulted, in others it may be required.
  12388. maxLength: 253
  12389. minLength: 1
  12390. pattern: ^[-._a-zA-Z0-9]+$
  12391. type: string
  12392. name:
  12393. description: The name of the Secret resource being referred to.
  12394. maxLength: 253
  12395. minLength: 1
  12396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12397. type: string
  12398. namespace:
  12399. description: |-
  12400. The namespace of the Secret resource being referred to.
  12401. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12402. maxLength: 63
  12403. minLength: 1
  12404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12405. type: string
  12406. type: object
  12407. keySecretRef:
  12408. description: |-
  12409. KeySecretRef to a key in a Secret resource containing client private key
  12410. added to the transport layer when communicating with the Vault server.
  12411. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12412. properties:
  12413. key:
  12414. description: |-
  12415. A key in the referenced Secret.
  12416. Some instances of this field may be defaulted, in others it may be required.
  12417. maxLength: 253
  12418. minLength: 1
  12419. pattern: ^[-._a-zA-Z0-9]+$
  12420. type: string
  12421. name:
  12422. description: The name of the Secret resource being referred to.
  12423. maxLength: 253
  12424. minLength: 1
  12425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12426. type: string
  12427. namespace:
  12428. description: |-
  12429. The namespace of the Secret resource being referred to.
  12430. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12431. maxLength: 63
  12432. minLength: 1
  12433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12434. type: string
  12435. type: object
  12436. type: object
  12437. version:
  12438. default: v2
  12439. description: |-
  12440. Version is the Vault KV secret engine version. This can be either "v1" or
  12441. "v2". Version defaults to "v2".
  12442. enum:
  12443. - v1
  12444. - v2
  12445. type: string
  12446. required:
  12447. - server
  12448. type: object
  12449. webhook:
  12450. description: Webhook configures this store to sync secrets using a generic templated webhook
  12451. properties:
  12452. auth:
  12453. description: Auth specifies a authorization protocol. Only one protocol may be set.
  12454. maxProperties: 1
  12455. minProperties: 1
  12456. properties:
  12457. ntlm:
  12458. description: NTLMProtocol configures the store to use NTLM for auth
  12459. properties:
  12460. passwordSecret:
  12461. description: |-
  12462. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12463. In some instances, `key` is a required field.
  12464. properties:
  12465. key:
  12466. description: |-
  12467. A key in the referenced Secret.
  12468. Some instances of this field may be defaulted, in others it may be required.
  12469. maxLength: 253
  12470. minLength: 1
  12471. pattern: ^[-._a-zA-Z0-9]+$
  12472. type: string
  12473. name:
  12474. description: The name of the Secret resource being referred to.
  12475. maxLength: 253
  12476. minLength: 1
  12477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12478. type: string
  12479. namespace:
  12480. description: |-
  12481. The namespace of the Secret resource being referred to.
  12482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12483. maxLength: 63
  12484. minLength: 1
  12485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12486. type: string
  12487. type: object
  12488. usernameSecret:
  12489. description: |-
  12490. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12491. In some instances, `key` is a required field.
  12492. properties:
  12493. key:
  12494. description: |-
  12495. A key in the referenced Secret.
  12496. Some instances of this field may be defaulted, in others it may be required.
  12497. maxLength: 253
  12498. minLength: 1
  12499. pattern: ^[-._a-zA-Z0-9]+$
  12500. type: string
  12501. name:
  12502. description: The name of the Secret resource being referred to.
  12503. maxLength: 253
  12504. minLength: 1
  12505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12506. type: string
  12507. namespace:
  12508. description: |-
  12509. The namespace of the Secret resource being referred to.
  12510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12511. maxLength: 63
  12512. minLength: 1
  12513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12514. type: string
  12515. type: object
  12516. required:
  12517. - passwordSecret
  12518. - usernameSecret
  12519. type: object
  12520. type: object
  12521. body:
  12522. description: Body
  12523. type: string
  12524. caBundle:
  12525. description: |-
  12526. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12527. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12528. plain HTTP protocol connection. If not set the system root certificates
  12529. are used to validate the TLS connection.
  12530. format: byte
  12531. type: string
  12532. caProvider:
  12533. description: The provider for the CA bundle to use to validate webhook server certificate.
  12534. properties:
  12535. key:
  12536. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12537. maxLength: 253
  12538. minLength: 1
  12539. pattern: ^[-._a-zA-Z0-9]+$
  12540. type: string
  12541. name:
  12542. description: The name of the object located at the provider type.
  12543. maxLength: 253
  12544. minLength: 1
  12545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12546. type: string
  12547. namespace:
  12548. description: The namespace the Provider type is in.
  12549. maxLength: 63
  12550. minLength: 1
  12551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12552. type: string
  12553. type:
  12554. description: The type of provider to use such as "Secret", or "ConfigMap".
  12555. enum:
  12556. - Secret
  12557. - ConfigMap
  12558. type: string
  12559. required:
  12560. - name
  12561. - type
  12562. type: object
  12563. headers:
  12564. additionalProperties:
  12565. type: string
  12566. description: Headers
  12567. type: object
  12568. method:
  12569. description: Webhook Method
  12570. type: string
  12571. result:
  12572. description: Result formatting
  12573. properties:
  12574. jsonPath:
  12575. description: Json path of return value
  12576. type: string
  12577. type: object
  12578. secrets:
  12579. description: |-
  12580. Secrets to fill in templates
  12581. These secrets will be passed to the templating function as key value pairs under the given name
  12582. items:
  12583. description: WebhookSecret defines a secret to be used in webhook templates.
  12584. properties:
  12585. name:
  12586. description: Name of this secret in templates
  12587. type: string
  12588. secretRef:
  12589. description: Secret ref to fill in credentials
  12590. properties:
  12591. key:
  12592. description: |-
  12593. A key in the referenced Secret.
  12594. Some instances of this field may be defaulted, in others it may be required.
  12595. maxLength: 253
  12596. minLength: 1
  12597. pattern: ^[-._a-zA-Z0-9]+$
  12598. type: string
  12599. name:
  12600. description: The name of the Secret resource being referred to.
  12601. maxLength: 253
  12602. minLength: 1
  12603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12604. type: string
  12605. namespace:
  12606. description: |-
  12607. The namespace of the Secret resource being referred to.
  12608. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12609. maxLength: 63
  12610. minLength: 1
  12611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12612. type: string
  12613. type: object
  12614. required:
  12615. - name
  12616. - secretRef
  12617. type: object
  12618. type: array
  12619. timeout:
  12620. description: Timeout
  12621. type: string
  12622. url:
  12623. description: Webhook url to call
  12624. type: string
  12625. required:
  12626. - result
  12627. - url
  12628. type: object
  12629. yandexcertificatemanager:
  12630. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12631. properties:
  12632. apiEndpoint:
  12633. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12634. type: string
  12635. auth:
  12636. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12637. properties:
  12638. authorizedKeySecretRef:
  12639. description: The authorized key used for authentication
  12640. properties:
  12641. key:
  12642. description: |-
  12643. A key in the referenced Secret.
  12644. Some instances of this field may be defaulted, in others it may be required.
  12645. maxLength: 253
  12646. minLength: 1
  12647. pattern: ^[-._a-zA-Z0-9]+$
  12648. type: string
  12649. name:
  12650. description: The name of the Secret resource being referred to.
  12651. maxLength: 253
  12652. minLength: 1
  12653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12654. type: string
  12655. namespace:
  12656. description: |-
  12657. The namespace of the Secret resource being referred to.
  12658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12659. maxLength: 63
  12660. minLength: 1
  12661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12662. type: string
  12663. type: object
  12664. type: object
  12665. caProvider:
  12666. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12667. properties:
  12668. certSecretRef:
  12669. description: |-
  12670. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12671. In some instances, `key` is a required field.
  12672. properties:
  12673. key:
  12674. description: |-
  12675. A key in the referenced Secret.
  12676. Some instances of this field may be defaulted, in others it may be required.
  12677. maxLength: 253
  12678. minLength: 1
  12679. pattern: ^[-._a-zA-Z0-9]+$
  12680. type: string
  12681. name:
  12682. description: The name of the Secret resource being referred to.
  12683. maxLength: 253
  12684. minLength: 1
  12685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12686. type: string
  12687. namespace:
  12688. description: |-
  12689. The namespace of the Secret resource being referred to.
  12690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12691. maxLength: 63
  12692. minLength: 1
  12693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12694. type: string
  12695. type: object
  12696. type: object
  12697. required:
  12698. - auth
  12699. type: object
  12700. yandexlockbox:
  12701. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12702. properties:
  12703. apiEndpoint:
  12704. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12705. type: string
  12706. auth:
  12707. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12708. properties:
  12709. authorizedKeySecretRef:
  12710. description: The authorized key used for authentication
  12711. properties:
  12712. key:
  12713. description: |-
  12714. A key in the referenced Secret.
  12715. Some instances of this field may be defaulted, in others it may be required.
  12716. maxLength: 253
  12717. minLength: 1
  12718. pattern: ^[-._a-zA-Z0-9]+$
  12719. type: string
  12720. name:
  12721. description: The name of the Secret resource being referred to.
  12722. maxLength: 253
  12723. minLength: 1
  12724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12725. type: string
  12726. namespace:
  12727. description: |-
  12728. The namespace of the Secret resource being referred to.
  12729. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12730. maxLength: 63
  12731. minLength: 1
  12732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12733. type: string
  12734. type: object
  12735. type: object
  12736. caProvider:
  12737. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12738. properties:
  12739. certSecretRef:
  12740. description: |-
  12741. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12742. In some instances, `key` is a required field.
  12743. properties:
  12744. key:
  12745. description: |-
  12746. A key in the referenced Secret.
  12747. Some instances of this field may be defaulted, in others it may be required.
  12748. maxLength: 253
  12749. minLength: 1
  12750. pattern: ^[-._a-zA-Z0-9]+$
  12751. type: string
  12752. name:
  12753. description: The name of the Secret resource being referred to.
  12754. maxLength: 253
  12755. minLength: 1
  12756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12757. type: string
  12758. namespace:
  12759. description: |-
  12760. The namespace of the Secret resource being referred to.
  12761. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12762. maxLength: 63
  12763. minLength: 1
  12764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12765. type: string
  12766. type: object
  12767. type: object
  12768. required:
  12769. - auth
  12770. type: object
  12771. type: object
  12772. refreshInterval:
  12773. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12774. type: integer
  12775. retrySettings:
  12776. description: Used to configure HTTP retries on failures.
  12777. properties:
  12778. maxRetries:
  12779. description: MaxRetries is the maximum number of retry attempts.
  12780. format: int32
  12781. type: integer
  12782. retryInterval:
  12783. description: RetryInterval is the interval between retry attempts.
  12784. type: string
  12785. type: object
  12786. required:
  12787. - provider
  12788. type: object
  12789. status:
  12790. description: SecretStoreStatus defines the observed state of the SecretStore.
  12791. properties:
  12792. capabilities:
  12793. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12794. type: string
  12795. conditions:
  12796. items:
  12797. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12798. properties:
  12799. lastTransitionTime:
  12800. format: date-time
  12801. type: string
  12802. message:
  12803. type: string
  12804. reason:
  12805. type: string
  12806. status:
  12807. type: string
  12808. type:
  12809. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12810. type: string
  12811. required:
  12812. - status
  12813. - type
  12814. type: object
  12815. type: array
  12816. type: object
  12817. type: object
  12818. served: false
  12819. storage: false
  12820. subresources:
  12821. status: {}
  12822. ---
  12823. apiVersion: apiextensions.k8s.io/v1
  12824. kind: CustomResourceDefinition
  12825. metadata:
  12826. annotations:
  12827. controller-gen.kubebuilder.io/version: v0.19.0
  12828. labels:
  12829. external-secrets.io/component: controller
  12830. name: externalsecrets.external-secrets.io
  12831. spec:
  12832. group: external-secrets.io
  12833. names:
  12834. categories:
  12835. - external-secrets
  12836. kind: ExternalSecret
  12837. listKind: ExternalSecretList
  12838. plural: externalsecrets
  12839. shortNames:
  12840. - es
  12841. singular: externalsecret
  12842. scope: Namespaced
  12843. versions:
  12844. - additionalPrinterColumns:
  12845. - jsonPath: .spec.secretStoreRef.kind
  12846. name: StoreType
  12847. type: string
  12848. - jsonPath: .spec.secretStoreRef.name
  12849. name: Store
  12850. type: string
  12851. - jsonPath: .spec.refreshInterval
  12852. name: Refresh Interval
  12853. type: string
  12854. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  12855. name: Status
  12856. type: string
  12857. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  12858. name: Ready
  12859. type: string
  12860. - jsonPath: .status.refreshTime
  12861. name: Last Sync
  12862. type: date
  12863. name: v1
  12864. schema:
  12865. openAPIV3Schema:
  12866. description: |-
  12867. ExternalSecret is the Schema for the external-secrets API.
  12868. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  12869. properties:
  12870. apiVersion:
  12871. description: |-
  12872. APIVersion defines the versioned schema of this representation of an object.
  12873. Servers should convert recognized schemas to the latest internal value, and
  12874. may reject unrecognized values.
  12875. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12876. type: string
  12877. kind:
  12878. description: |-
  12879. Kind is a string value representing the REST resource this object represents.
  12880. Servers may infer this from the endpoint the client submits requests to.
  12881. Cannot be updated.
  12882. In CamelCase.
  12883. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12884. type: string
  12885. metadata:
  12886. type: object
  12887. spec:
  12888. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  12889. properties:
  12890. data:
  12891. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  12892. items:
  12893. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  12894. properties:
  12895. remoteRef:
  12896. description: |-
  12897. RemoteRef points to the remote secret and defines
  12898. which secret (version/property/..) to fetch.
  12899. properties:
  12900. conversionStrategy:
  12901. default: Default
  12902. description: Used to define a conversion Strategy
  12903. enum:
  12904. - Default
  12905. - Unicode
  12906. type: string
  12907. decodingStrategy:
  12908. default: None
  12909. description: Used to define a decoding Strategy
  12910. enum:
  12911. - Auto
  12912. - Base64
  12913. - Base64URL
  12914. - None
  12915. type: string
  12916. key:
  12917. description: Key is the key used in the Provider, mandatory
  12918. type: string
  12919. metadataPolicy:
  12920. default: None
  12921. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12922. enum:
  12923. - None
  12924. - Fetch
  12925. type: string
  12926. nullBytePolicy:
  12927. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12928. enum:
  12929. - Ignore
  12930. - Fail
  12931. type: string
  12932. property:
  12933. description: Used to select a specific property of the Provider value (if a map), if supported
  12934. type: string
  12935. version:
  12936. description: Used to select a specific version of the Provider value, if supported
  12937. type: string
  12938. required:
  12939. - key
  12940. type: object
  12941. secretKey:
  12942. description: The key in the Kubernetes Secret to store the value.
  12943. maxLength: 253
  12944. minLength: 1
  12945. pattern: ^[-._a-zA-Z0-9]+$
  12946. type: string
  12947. sourceRef:
  12948. description: |-
  12949. SourceRef allows you to override the source
  12950. from which the value will be pulled.
  12951. maxProperties: 1
  12952. minProperties: 1
  12953. properties:
  12954. generatorRef:
  12955. description: |-
  12956. GeneratorRef points to a generator custom resource.
  12957. Deprecated: The generatorRef is not implemented in .data[].
  12958. this will be removed with v1.
  12959. properties:
  12960. apiVersion:
  12961. default: generators.external-secrets.io/v1alpha1
  12962. description: Specify the apiVersion of the generator resource
  12963. type: string
  12964. kind:
  12965. description: Specify the Kind of the generator resource
  12966. enum:
  12967. - ACRAccessToken
  12968. - BeyondtrustWorkloadCredentialsDynamicSecret
  12969. - ClusterGenerator
  12970. - CloudsmithAccessToken
  12971. - ECRAuthorizationToken
  12972. - Fake
  12973. - GCRAccessToken
  12974. - GithubAccessToken
  12975. - QuayAccessToken
  12976. - Password
  12977. - SSHKey
  12978. - STSSessionToken
  12979. - UUID
  12980. - VaultDynamicSecret
  12981. - Webhook
  12982. - Grafana
  12983. - MFA
  12984. type: string
  12985. name:
  12986. description: Specify the name of the generator resource
  12987. maxLength: 253
  12988. minLength: 1
  12989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12990. type: string
  12991. required:
  12992. - kind
  12993. - name
  12994. type: object
  12995. storeRef:
  12996. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  12997. properties:
  12998. kind:
  12999. description: |-
  13000. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13001. Defaults to `SecretStore`
  13002. enum:
  13003. - SecretStore
  13004. - ClusterSecretStore
  13005. type: string
  13006. name:
  13007. description: Name of the SecretStore resource
  13008. maxLength: 253
  13009. minLength: 1
  13010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13011. type: string
  13012. type: object
  13013. type: object
  13014. required:
  13015. - remoteRef
  13016. - secretKey
  13017. type: object
  13018. type: array
  13019. dataFrom:
  13020. description: |-
  13021. DataFrom is used to fetch all properties from a specific Provider data
  13022. If multiple entries are specified, the Secret keys are merged in the specified order
  13023. items:
  13024. description: |-
  13025. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  13026. when using DataFrom to fetch multiple values from a Provider.
  13027. properties:
  13028. extract:
  13029. description: |-
  13030. Used to extract multiple key/value pairs from one secret
  13031. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13032. properties:
  13033. conversionStrategy:
  13034. default: Default
  13035. description: Used to define a conversion Strategy
  13036. enum:
  13037. - Default
  13038. - Unicode
  13039. type: string
  13040. decodingStrategy:
  13041. default: None
  13042. description: Used to define a decoding Strategy
  13043. enum:
  13044. - Auto
  13045. - Base64
  13046. - Base64URL
  13047. - None
  13048. type: string
  13049. key:
  13050. description: Key is the key used in the Provider, mandatory
  13051. type: string
  13052. metadataPolicy:
  13053. default: None
  13054. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13055. enum:
  13056. - None
  13057. - Fetch
  13058. type: string
  13059. nullBytePolicy:
  13060. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13061. enum:
  13062. - Ignore
  13063. - Fail
  13064. type: string
  13065. property:
  13066. description: Used to select a specific property of the Provider value (if a map), if supported
  13067. type: string
  13068. version:
  13069. description: Used to select a specific version of the Provider value, if supported
  13070. type: string
  13071. required:
  13072. - key
  13073. type: object
  13074. find:
  13075. description: |-
  13076. Used to find secrets based on tags or regular expressions
  13077. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13078. properties:
  13079. conversionStrategy:
  13080. default: Default
  13081. description: Used to define a conversion Strategy
  13082. enum:
  13083. - Default
  13084. - Unicode
  13085. type: string
  13086. decodingStrategy:
  13087. default: None
  13088. description: Used to define a decoding Strategy
  13089. enum:
  13090. - Auto
  13091. - Base64
  13092. - Base64URL
  13093. - None
  13094. type: string
  13095. name:
  13096. description: Finds secrets based on the name.
  13097. properties:
  13098. regexp:
  13099. description: Finds secrets base
  13100. type: string
  13101. type: object
  13102. nullBytePolicy:
  13103. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13104. enum:
  13105. - Ignore
  13106. - Fail
  13107. type: string
  13108. path:
  13109. description: A root path to start the find operations.
  13110. type: string
  13111. tags:
  13112. additionalProperties:
  13113. type: string
  13114. description: Find secrets based on tags.
  13115. type: object
  13116. type: object
  13117. rewrite:
  13118. description: |-
  13119. Used to rewrite secret Keys after getting them from the secret Provider
  13120. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13121. items:
  13122. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13123. maxProperties: 1
  13124. minProperties: 1
  13125. properties:
  13126. merge:
  13127. description: |-
  13128. Used to merge key/values in one single Secret
  13129. The resulting key will contain all values from the specified secrets
  13130. properties:
  13131. conflictPolicy:
  13132. default: Error
  13133. description: Used to define the policy to use in conflict resolution.
  13134. enum:
  13135. - Ignore
  13136. - Error
  13137. type: string
  13138. into:
  13139. default: ""
  13140. description: |-
  13141. Used to define the target key of the merge operation.
  13142. Required if strategy is JSON. Ignored otherwise.
  13143. type: string
  13144. priority:
  13145. description: Used to define key priority in conflict resolution.
  13146. items:
  13147. type: string
  13148. type: array
  13149. priorityPolicy:
  13150. default: Strict
  13151. description: Used to define the policy when a key in the priority list does not exist in the input.
  13152. enum:
  13153. - IgnoreNotFound
  13154. - Strict
  13155. type: string
  13156. strategy:
  13157. default: Extract
  13158. description: Used to define the strategy to use in the merge operation.
  13159. enum:
  13160. - Extract
  13161. - JSON
  13162. type: string
  13163. type: object
  13164. regexp:
  13165. description: |-
  13166. Used to rewrite with regular expressions.
  13167. The resulting key will be the output of a regexp.ReplaceAll operation.
  13168. properties:
  13169. source:
  13170. description: Used to define the regular expression of a re.Compiler.
  13171. type: string
  13172. target:
  13173. description: Used to define the target pattern of a ReplaceAll operation.
  13174. type: string
  13175. required:
  13176. - source
  13177. - target
  13178. type: object
  13179. transform:
  13180. description: |-
  13181. Used to apply string transformation on the secrets.
  13182. The resulting key will be the output of the template applied by the operation.
  13183. properties:
  13184. template:
  13185. description: |-
  13186. Used to define the template to apply on the secret name.
  13187. `.value ` will specify the secret name in the template.
  13188. type: string
  13189. required:
  13190. - template
  13191. type: object
  13192. type: object
  13193. type: array
  13194. sourceRef:
  13195. description: |-
  13196. SourceRef points to a store or generator
  13197. which contains secret values ready to use.
  13198. Use this in combination with Extract or Find pull values out of
  13199. a specific SecretStore.
  13200. When sourceRef points to a generator Extract or Find is not supported.
  13201. The generator returns a static map of values
  13202. maxProperties: 1
  13203. minProperties: 1
  13204. properties:
  13205. generatorRef:
  13206. description: GeneratorRef points to a generator custom resource.
  13207. properties:
  13208. apiVersion:
  13209. default: generators.external-secrets.io/v1alpha1
  13210. description: Specify the apiVersion of the generator resource
  13211. type: string
  13212. kind:
  13213. description: Specify the Kind of the generator resource
  13214. enum:
  13215. - ACRAccessToken
  13216. - BeyondtrustWorkloadCredentialsDynamicSecret
  13217. - ClusterGenerator
  13218. - CloudsmithAccessToken
  13219. - ECRAuthorizationToken
  13220. - Fake
  13221. - GCRAccessToken
  13222. - GithubAccessToken
  13223. - QuayAccessToken
  13224. - Password
  13225. - SSHKey
  13226. - STSSessionToken
  13227. - UUID
  13228. - VaultDynamicSecret
  13229. - Webhook
  13230. - Grafana
  13231. - MFA
  13232. type: string
  13233. name:
  13234. description: Specify the name of the generator resource
  13235. maxLength: 253
  13236. minLength: 1
  13237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13238. type: string
  13239. required:
  13240. - kind
  13241. - name
  13242. type: object
  13243. storeRef:
  13244. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13245. properties:
  13246. kind:
  13247. description: |-
  13248. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13249. Defaults to `SecretStore`
  13250. enum:
  13251. - SecretStore
  13252. - ClusterSecretStore
  13253. type: string
  13254. name:
  13255. description: Name of the SecretStore resource
  13256. maxLength: 253
  13257. minLength: 1
  13258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13259. type: string
  13260. type: object
  13261. type: object
  13262. type: object
  13263. type: array
  13264. refreshInterval:
  13265. default: 1h0m0s
  13266. description: |-
  13267. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13268. specified as Golang Duration strings.
  13269. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13270. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13271. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13272. type: string
  13273. refreshPolicy:
  13274. description: |-
  13275. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13276. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13277. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13278. No periodic updates occur if refreshInterval is 0.
  13279. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13280. enum:
  13281. - CreatedOnce
  13282. - Periodic
  13283. - OnChange
  13284. type: string
  13285. secretStoreRef:
  13286. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13287. properties:
  13288. kind:
  13289. description: |-
  13290. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13291. Defaults to `SecretStore`
  13292. enum:
  13293. - SecretStore
  13294. - ClusterSecretStore
  13295. type: string
  13296. name:
  13297. description: Name of the SecretStore resource
  13298. maxLength: 253
  13299. minLength: 1
  13300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13301. type: string
  13302. type: object
  13303. target:
  13304. default:
  13305. creationPolicy: Owner
  13306. deletionPolicy: Retain
  13307. description: |-
  13308. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13309. there can be only one target per ExternalSecret.
  13310. properties:
  13311. creationPolicy:
  13312. default: Owner
  13313. description: |-
  13314. CreationPolicy defines rules on how to create the resulting Secret.
  13315. Defaults to "Owner"
  13316. enum:
  13317. - Owner
  13318. - Orphan
  13319. - Merge
  13320. - None
  13321. type: string
  13322. deletionPolicy:
  13323. default: Retain
  13324. description: |-
  13325. DeletionPolicy defines rules on how to delete the resulting Secret.
  13326. Defaults to "Retain"
  13327. enum:
  13328. - Delete
  13329. - Merge
  13330. - Retain
  13331. type: string
  13332. immutable:
  13333. description: Immutable defines if the final secret will be immutable
  13334. type: boolean
  13335. manifest:
  13336. description: |-
  13337. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13338. When specified, ExternalSecret will create the resource type defined here
  13339. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  13340. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  13341. properties:
  13342. apiVersion:
  13343. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13344. minLength: 1
  13345. type: string
  13346. kind:
  13347. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13348. minLength: 1
  13349. type: string
  13350. required:
  13351. - apiVersion
  13352. - kind
  13353. type: object
  13354. name:
  13355. description: |-
  13356. The name of the Secret resource to be managed.
  13357. Defaults to the .metadata.name of the ExternalSecret resource
  13358. maxLength: 253
  13359. minLength: 1
  13360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13361. type: string
  13362. template:
  13363. description: Template defines a blueprint for the created Secret resource.
  13364. properties:
  13365. data:
  13366. additionalProperties:
  13367. type: string
  13368. type: object
  13369. engineVersion:
  13370. default: v2
  13371. description: |-
  13372. EngineVersion specifies the template engine version
  13373. that should be used to compile/execute the
  13374. template specified in .data and .templateFrom[].
  13375. enum:
  13376. - v2
  13377. type: string
  13378. mergePolicy:
  13379. default: Replace
  13380. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13381. enum:
  13382. - Replace
  13383. - Merge
  13384. type: string
  13385. metadata:
  13386. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13387. properties:
  13388. annotations:
  13389. additionalProperties:
  13390. type: string
  13391. type: object
  13392. finalizers:
  13393. items:
  13394. type: string
  13395. type: array
  13396. labels:
  13397. additionalProperties:
  13398. type: string
  13399. type: object
  13400. type: object
  13401. templateFrom:
  13402. items:
  13403. description: |-
  13404. TemplateFrom specifies a source for templates.
  13405. Each item in the list can either reference a ConfigMap or a Secret resource.
  13406. properties:
  13407. configMap:
  13408. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13409. properties:
  13410. items:
  13411. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13412. items:
  13413. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13414. properties:
  13415. key:
  13416. description: A key in the ConfigMap/Secret
  13417. maxLength: 253
  13418. minLength: 1
  13419. pattern: ^[-._a-zA-Z0-9]+$
  13420. type: string
  13421. templateAs:
  13422. default: Values
  13423. description: TemplateScope specifies how the template keys should be interpreted.
  13424. enum:
  13425. - Values
  13426. - KeysAndValues
  13427. type: string
  13428. required:
  13429. - key
  13430. type: object
  13431. type: array
  13432. name:
  13433. description: The name of the ConfigMap/Secret resource
  13434. maxLength: 253
  13435. minLength: 1
  13436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13437. type: string
  13438. required:
  13439. - items
  13440. - name
  13441. type: object
  13442. literal:
  13443. type: string
  13444. secret:
  13445. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13446. properties:
  13447. items:
  13448. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13449. items:
  13450. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13451. properties:
  13452. key:
  13453. description: A key in the ConfigMap/Secret
  13454. maxLength: 253
  13455. minLength: 1
  13456. pattern: ^[-._a-zA-Z0-9]+$
  13457. type: string
  13458. templateAs:
  13459. default: Values
  13460. description: TemplateScope specifies how the template keys should be interpreted.
  13461. enum:
  13462. - Values
  13463. - KeysAndValues
  13464. type: string
  13465. required:
  13466. - key
  13467. type: object
  13468. type: array
  13469. name:
  13470. description: The name of the ConfigMap/Secret resource
  13471. maxLength: 253
  13472. minLength: 1
  13473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13474. type: string
  13475. required:
  13476. - items
  13477. - name
  13478. type: object
  13479. target:
  13480. default: Data
  13481. description: |-
  13482. Target specifies where to place the template result.
  13483. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13484. For custom resources (when spec.target.manifest is set), this supports
  13485. nested paths like "spec.database.config" or "data".
  13486. type: string
  13487. type: object
  13488. type: array
  13489. type:
  13490. type: string
  13491. type: object
  13492. type: object
  13493. type: object
  13494. status:
  13495. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13496. properties:
  13497. binding:
  13498. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13499. properties:
  13500. name:
  13501. default: ""
  13502. description: |-
  13503. Name of the referent.
  13504. This field is effectively required, but due to backwards compatibility is
  13505. allowed to be empty. Instances of this type with an empty value here are
  13506. almost certainly wrong.
  13507. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13508. type: string
  13509. type: object
  13510. x-kubernetes-map-type: atomic
  13511. conditions:
  13512. items:
  13513. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13514. properties:
  13515. lastTransitionTime:
  13516. format: date-time
  13517. type: string
  13518. message:
  13519. type: string
  13520. reason:
  13521. type: string
  13522. status:
  13523. type: string
  13524. type:
  13525. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13526. enum:
  13527. - Ready
  13528. - Deleted
  13529. type: string
  13530. required:
  13531. - status
  13532. - type
  13533. type: object
  13534. type: array
  13535. refreshTime:
  13536. description: |-
  13537. refreshTime is the time and date the external secret was fetched and
  13538. the target secret updated
  13539. format: date-time
  13540. nullable: true
  13541. type: string
  13542. syncedResourceVersion:
  13543. description: SyncedResourceVersion keeps track of the last synced version
  13544. type: string
  13545. type: object
  13546. type: object
  13547. selectableFields:
  13548. - jsonPath: .spec.secretStoreRef.name
  13549. - jsonPath: .spec.secretStoreRef.kind
  13550. - jsonPath: .spec.target.name
  13551. - jsonPath: .spec.refreshInterval
  13552. served: true
  13553. storage: true
  13554. subresources:
  13555. status: {}
  13556. - additionalPrinterColumns:
  13557. - jsonPath: .spec.secretStoreRef.kind
  13558. name: StoreType
  13559. type: string
  13560. - jsonPath: .spec.secretStoreRef.name
  13561. name: Store
  13562. type: string
  13563. - jsonPath: .spec.refreshInterval
  13564. name: Refresh Interval
  13565. type: string
  13566. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13567. name: Status
  13568. type: string
  13569. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13570. name: Ready
  13571. type: string
  13572. - jsonPath: .status.refreshTime
  13573. name: Last Sync
  13574. type: date
  13575. deprecated: true
  13576. name: v1beta1
  13577. schema:
  13578. openAPIV3Schema:
  13579. description: ExternalSecret is the schema for the external-secrets API.
  13580. properties:
  13581. apiVersion:
  13582. description: |-
  13583. APIVersion defines the versioned schema of this representation of an object.
  13584. Servers should convert recognized schemas to the latest internal value, and
  13585. may reject unrecognized values.
  13586. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13587. type: string
  13588. kind:
  13589. description: |-
  13590. Kind is a string value representing the REST resource this object represents.
  13591. Servers may infer this from the endpoint the client submits requests to.
  13592. Cannot be updated.
  13593. In CamelCase.
  13594. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13595. type: string
  13596. metadata:
  13597. type: object
  13598. spec:
  13599. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13600. properties:
  13601. data:
  13602. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13603. items:
  13604. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13605. properties:
  13606. remoteRef:
  13607. description: |-
  13608. RemoteRef points to the remote secret and defines
  13609. which secret (version/property/..) to fetch.
  13610. properties:
  13611. conversionStrategy:
  13612. default: Default
  13613. description: Used to define a conversion Strategy
  13614. enum:
  13615. - Default
  13616. - Unicode
  13617. type: string
  13618. decodingStrategy:
  13619. default: None
  13620. description: Used to define a decoding Strategy
  13621. enum:
  13622. - Auto
  13623. - Base64
  13624. - Base64URL
  13625. - None
  13626. type: string
  13627. key:
  13628. description: Key is the key used in the Provider, mandatory
  13629. type: string
  13630. metadataPolicy:
  13631. default: None
  13632. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13633. enum:
  13634. - None
  13635. - Fetch
  13636. type: string
  13637. property:
  13638. description: Used to select a specific property of the Provider value (if a map), if supported
  13639. type: string
  13640. version:
  13641. description: Used to select a specific version of the Provider value, if supported
  13642. type: string
  13643. required:
  13644. - key
  13645. type: object
  13646. secretKey:
  13647. description: The key in the Kubernetes Secret to store the value.
  13648. maxLength: 253
  13649. minLength: 1
  13650. pattern: ^[-._a-zA-Z0-9]+$
  13651. type: string
  13652. sourceRef:
  13653. description: |-
  13654. SourceRef allows you to override the source
  13655. from which the value will be pulled.
  13656. maxProperties: 1
  13657. minProperties: 1
  13658. properties:
  13659. generatorRef:
  13660. description: |-
  13661. GeneratorRef points to a generator custom resource.
  13662. Deprecated: The generatorRef is not implemented in .data[].
  13663. this will be removed with v1.
  13664. properties:
  13665. apiVersion:
  13666. default: generators.external-secrets.io/v1alpha1
  13667. description: Specify the apiVersion of the generator resource
  13668. type: string
  13669. kind:
  13670. description: Specify the Kind of the generator resource
  13671. enum:
  13672. - ACRAccessToken
  13673. - ClusterGenerator
  13674. - ECRAuthorizationToken
  13675. - Fake
  13676. - GCRAccessToken
  13677. - GithubAccessToken
  13678. - QuayAccessToken
  13679. - Password
  13680. - SSHKey
  13681. - STSSessionToken
  13682. - UUID
  13683. - VaultDynamicSecret
  13684. - Webhook
  13685. - Grafana
  13686. type: string
  13687. name:
  13688. description: Specify the name of the generator resource
  13689. maxLength: 253
  13690. minLength: 1
  13691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13692. type: string
  13693. required:
  13694. - kind
  13695. - name
  13696. type: object
  13697. storeRef:
  13698. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13699. properties:
  13700. kind:
  13701. description: |-
  13702. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13703. Defaults to `SecretStore`
  13704. enum:
  13705. - SecretStore
  13706. - ClusterSecretStore
  13707. type: string
  13708. name:
  13709. description: Name of the SecretStore resource
  13710. maxLength: 253
  13711. minLength: 1
  13712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13713. type: string
  13714. type: object
  13715. type: object
  13716. required:
  13717. - remoteRef
  13718. - secretKey
  13719. type: object
  13720. type: array
  13721. dataFrom:
  13722. description: |-
  13723. DataFrom is used to fetch all properties from a specific Provider data
  13724. If multiple entries are specified, the Secret keys are merged in the specified order
  13725. items:
  13726. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13727. properties:
  13728. extract:
  13729. description: |-
  13730. Used to extract multiple key/value pairs from one secret
  13731. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13732. properties:
  13733. conversionStrategy:
  13734. default: Default
  13735. description: Used to define a conversion Strategy
  13736. enum:
  13737. - Default
  13738. - Unicode
  13739. type: string
  13740. decodingStrategy:
  13741. default: None
  13742. description: Used to define a decoding Strategy
  13743. enum:
  13744. - Auto
  13745. - Base64
  13746. - Base64URL
  13747. - None
  13748. type: string
  13749. key:
  13750. description: Key is the key used in the Provider, mandatory
  13751. type: string
  13752. metadataPolicy:
  13753. default: None
  13754. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13755. enum:
  13756. - None
  13757. - Fetch
  13758. type: string
  13759. property:
  13760. description: Used to select a specific property of the Provider value (if a map), if supported
  13761. type: string
  13762. version:
  13763. description: Used to select a specific version of the Provider value, if supported
  13764. type: string
  13765. required:
  13766. - key
  13767. type: object
  13768. find:
  13769. description: |-
  13770. Used to find secrets based on tags or regular expressions
  13771. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13772. properties:
  13773. conversionStrategy:
  13774. default: Default
  13775. description: Used to define a conversion Strategy
  13776. enum:
  13777. - Default
  13778. - Unicode
  13779. type: string
  13780. decodingStrategy:
  13781. default: None
  13782. description: Used to define a decoding Strategy
  13783. enum:
  13784. - Auto
  13785. - Base64
  13786. - Base64URL
  13787. - None
  13788. type: string
  13789. name:
  13790. description: Finds secrets based on the name.
  13791. properties:
  13792. regexp:
  13793. description: Finds secrets base
  13794. type: string
  13795. type: object
  13796. path:
  13797. description: A root path to start the find operations.
  13798. type: string
  13799. tags:
  13800. additionalProperties:
  13801. type: string
  13802. description: Find secrets based on tags.
  13803. type: object
  13804. type: object
  13805. rewrite:
  13806. description: |-
  13807. Used to rewrite secret Keys after getting them from the secret Provider
  13808. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13809. items:
  13810. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  13811. maxProperties: 1
  13812. minProperties: 1
  13813. properties:
  13814. regexp:
  13815. description: |-
  13816. Used to rewrite with regular expressions.
  13817. The resulting key will be the output of a regexp.ReplaceAll operation.
  13818. properties:
  13819. source:
  13820. description: Used to define the regular expression of a re.Compiler.
  13821. type: string
  13822. target:
  13823. description: Used to define the target pattern of a ReplaceAll operation.
  13824. type: string
  13825. required:
  13826. - source
  13827. - target
  13828. type: object
  13829. transform:
  13830. description: |-
  13831. Used to apply string transformation on the secrets.
  13832. The resulting key will be the output of the template applied by the operation.
  13833. properties:
  13834. template:
  13835. description: |-
  13836. Used to define the template to apply on the secret name.
  13837. `.value ` will specify the secret name in the template.
  13838. type: string
  13839. required:
  13840. - template
  13841. type: object
  13842. type: object
  13843. type: array
  13844. sourceRef:
  13845. description: |-
  13846. SourceRef points to a store or generator
  13847. which contains secret values ready to use.
  13848. Use this in combination with Extract or Find pull values out of
  13849. a specific SecretStore.
  13850. When sourceRef points to a generator Extract or Find is not supported.
  13851. The generator returns a static map of values
  13852. maxProperties: 1
  13853. minProperties: 1
  13854. properties:
  13855. generatorRef:
  13856. description: GeneratorRef points to a generator custom resource.
  13857. properties:
  13858. apiVersion:
  13859. default: generators.external-secrets.io/v1alpha1
  13860. description: Specify the apiVersion of the generator resource
  13861. type: string
  13862. kind:
  13863. description: Specify the Kind of the generator resource
  13864. enum:
  13865. - ACRAccessToken
  13866. - ClusterGenerator
  13867. - ECRAuthorizationToken
  13868. - Fake
  13869. - GCRAccessToken
  13870. - GithubAccessToken
  13871. - QuayAccessToken
  13872. - Password
  13873. - SSHKey
  13874. - STSSessionToken
  13875. - UUID
  13876. - VaultDynamicSecret
  13877. - Webhook
  13878. - Grafana
  13879. type: string
  13880. name:
  13881. description: Specify the name of the generator resource
  13882. maxLength: 253
  13883. minLength: 1
  13884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13885. type: string
  13886. required:
  13887. - kind
  13888. - name
  13889. type: object
  13890. storeRef:
  13891. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13892. properties:
  13893. kind:
  13894. description: |-
  13895. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13896. Defaults to `SecretStore`
  13897. enum:
  13898. - SecretStore
  13899. - ClusterSecretStore
  13900. type: string
  13901. name:
  13902. description: Name of the SecretStore resource
  13903. maxLength: 253
  13904. minLength: 1
  13905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13906. type: string
  13907. type: object
  13908. type: object
  13909. type: object
  13910. type: array
  13911. refreshInterval:
  13912. default: 1h0m0s
  13913. description: |-
  13914. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13915. specified as Golang Duration strings.
  13916. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13917. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13918. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13919. type: string
  13920. refreshPolicy:
  13921. description: |-
  13922. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13923. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13924. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13925. No periodic updates occur if refreshInterval is 0.
  13926. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13927. enum:
  13928. - CreatedOnce
  13929. - Periodic
  13930. - OnChange
  13931. type: string
  13932. secretStoreRef:
  13933. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13934. properties:
  13935. kind:
  13936. description: |-
  13937. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13938. Defaults to `SecretStore`
  13939. enum:
  13940. - SecretStore
  13941. - ClusterSecretStore
  13942. type: string
  13943. name:
  13944. description: Name of the SecretStore resource
  13945. maxLength: 253
  13946. minLength: 1
  13947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13948. type: string
  13949. type: object
  13950. target:
  13951. default:
  13952. creationPolicy: Owner
  13953. deletionPolicy: Retain
  13954. description: |-
  13955. ExternalSecretTarget defines the Kubernetes Secret to be created
  13956. There can be only one target per ExternalSecret.
  13957. properties:
  13958. creationPolicy:
  13959. default: Owner
  13960. description: |-
  13961. CreationPolicy defines rules on how to create the resulting Secret.
  13962. Defaults to "Owner"
  13963. enum:
  13964. - Owner
  13965. - Orphan
  13966. - Merge
  13967. - None
  13968. type: string
  13969. deletionPolicy:
  13970. default: Retain
  13971. description: |-
  13972. DeletionPolicy defines rules on how to delete the resulting Secret.
  13973. Defaults to "Retain"
  13974. enum:
  13975. - Delete
  13976. - Merge
  13977. - Retain
  13978. type: string
  13979. immutable:
  13980. description: Immutable defines if the final secret will be immutable
  13981. type: boolean
  13982. name:
  13983. description: |-
  13984. The name of the Secret resource to be managed.
  13985. Defaults to the .metadata.name of the ExternalSecret resource
  13986. maxLength: 253
  13987. minLength: 1
  13988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13989. type: string
  13990. template:
  13991. description: Template defines a blueprint for the created Secret resource.
  13992. properties:
  13993. data:
  13994. additionalProperties:
  13995. type: string
  13996. type: object
  13997. engineVersion:
  13998. default: v2
  13999. description: |-
  14000. EngineVersion specifies the template engine version
  14001. that should be used to compile/execute the
  14002. template specified in .data and .templateFrom[].
  14003. enum:
  14004. - v2
  14005. type: string
  14006. mergePolicy:
  14007. default: Replace
  14008. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  14009. enum:
  14010. - Replace
  14011. - Merge
  14012. type: string
  14013. metadata:
  14014. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14015. properties:
  14016. annotations:
  14017. additionalProperties:
  14018. type: string
  14019. type: object
  14020. labels:
  14021. additionalProperties:
  14022. type: string
  14023. type: object
  14024. type: object
  14025. templateFrom:
  14026. items:
  14027. description: TemplateFrom defines a source for template data.
  14028. properties:
  14029. configMap:
  14030. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14031. properties:
  14032. items:
  14033. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14034. items:
  14035. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14036. properties:
  14037. key:
  14038. description: A key in the ConfigMap/Secret
  14039. maxLength: 253
  14040. minLength: 1
  14041. pattern: ^[-._a-zA-Z0-9]+$
  14042. type: string
  14043. templateAs:
  14044. default: Values
  14045. description: TemplateScope defines the scope of the template when processing template data.
  14046. enum:
  14047. - Values
  14048. - KeysAndValues
  14049. type: string
  14050. required:
  14051. - key
  14052. type: object
  14053. type: array
  14054. name:
  14055. description: The name of the ConfigMap/Secret resource
  14056. maxLength: 253
  14057. minLength: 1
  14058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14059. type: string
  14060. required:
  14061. - items
  14062. - name
  14063. type: object
  14064. literal:
  14065. type: string
  14066. secret:
  14067. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14068. properties:
  14069. items:
  14070. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14071. items:
  14072. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14073. properties:
  14074. key:
  14075. description: A key in the ConfigMap/Secret
  14076. maxLength: 253
  14077. minLength: 1
  14078. pattern: ^[-._a-zA-Z0-9]+$
  14079. type: string
  14080. templateAs:
  14081. default: Values
  14082. description: TemplateScope defines the scope of the template when processing template data.
  14083. enum:
  14084. - Values
  14085. - KeysAndValues
  14086. type: string
  14087. required:
  14088. - key
  14089. type: object
  14090. type: array
  14091. name:
  14092. description: The name of the ConfigMap/Secret resource
  14093. maxLength: 253
  14094. minLength: 1
  14095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14096. type: string
  14097. required:
  14098. - items
  14099. - name
  14100. type: object
  14101. target:
  14102. default: Data
  14103. description: TemplateTarget defines the target field where the template result will be stored.
  14104. enum:
  14105. - Data
  14106. - Annotations
  14107. - Labels
  14108. type: string
  14109. type: object
  14110. type: array
  14111. type:
  14112. type: string
  14113. type: object
  14114. type: object
  14115. type: object
  14116. status:
  14117. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14118. properties:
  14119. binding:
  14120. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14121. properties:
  14122. name:
  14123. default: ""
  14124. description: |-
  14125. Name of the referent.
  14126. This field is effectively required, but due to backwards compatibility is
  14127. allowed to be empty. Instances of this type with an empty value here are
  14128. almost certainly wrong.
  14129. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14130. type: string
  14131. type: object
  14132. x-kubernetes-map-type: atomic
  14133. conditions:
  14134. items:
  14135. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14136. properties:
  14137. lastTransitionTime:
  14138. format: date-time
  14139. type: string
  14140. message:
  14141. type: string
  14142. reason:
  14143. type: string
  14144. status:
  14145. type: string
  14146. type:
  14147. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14148. type: string
  14149. required:
  14150. - status
  14151. - type
  14152. type: object
  14153. type: array
  14154. refreshTime:
  14155. description: |-
  14156. refreshTime is the time and date the external secret was fetched and
  14157. the target secret updated
  14158. format: date-time
  14159. nullable: true
  14160. type: string
  14161. syncedResourceVersion:
  14162. description: SyncedResourceVersion keeps track of the last synced version
  14163. type: string
  14164. type: object
  14165. type: object
  14166. served: false
  14167. storage: false
  14168. subresources:
  14169. status: {}
  14170. ---
  14171. apiVersion: apiextensions.k8s.io/v1
  14172. kind: CustomResourceDefinition
  14173. metadata:
  14174. annotations:
  14175. controller-gen.kubebuilder.io/version: v0.19.0
  14176. labels:
  14177. external-secrets.io/component: controller
  14178. name: pushsecrets.external-secrets.io
  14179. spec:
  14180. group: external-secrets.io
  14181. names:
  14182. categories:
  14183. - external-secrets
  14184. kind: PushSecret
  14185. listKind: PushSecretList
  14186. plural: pushsecrets
  14187. shortNames:
  14188. - ps
  14189. singular: pushsecret
  14190. scope: Namespaced
  14191. versions:
  14192. - additionalPrinterColumns:
  14193. - jsonPath: .metadata.creationTimestamp
  14194. name: AGE
  14195. type: date
  14196. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14197. name: Status
  14198. type: string
  14199. - jsonPath: .status.refreshTime
  14200. name: Last Sync
  14201. type: date
  14202. name: v1alpha1
  14203. schema:
  14204. openAPIV3Schema:
  14205. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14206. properties:
  14207. apiVersion:
  14208. description: |-
  14209. APIVersion defines the versioned schema of this representation of an object.
  14210. Servers should convert recognized schemas to the latest internal value, and
  14211. may reject unrecognized values.
  14212. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14213. type: string
  14214. kind:
  14215. description: |-
  14216. Kind is a string value representing the REST resource this object represents.
  14217. Servers may infer this from the endpoint the client submits requests to.
  14218. Cannot be updated.
  14219. In CamelCase.
  14220. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14221. type: string
  14222. metadata:
  14223. type: object
  14224. spec:
  14225. description: PushSecretSpec configures the behavior of the PushSecret.
  14226. properties:
  14227. data:
  14228. description: Secret Data that should be pushed to providers
  14229. items:
  14230. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14231. properties:
  14232. conversionStrategy:
  14233. default: None
  14234. description: Used to define a conversion Strategy for the secret keys
  14235. enum:
  14236. - None
  14237. - ReverseUnicode
  14238. type: string
  14239. match:
  14240. description: Match a given Secret Key to be pushed to the provider.
  14241. properties:
  14242. remoteRef:
  14243. description: Remote Refs to push to providers.
  14244. properties:
  14245. property:
  14246. description: Name of the property in the resulting secret
  14247. type: string
  14248. remoteKey:
  14249. description: Name of the resulting provider secret.
  14250. type: string
  14251. required:
  14252. - remoteKey
  14253. type: object
  14254. secretKey:
  14255. description: Secret Key to be pushed
  14256. type: string
  14257. required:
  14258. - remoteRef
  14259. type: object
  14260. metadata:
  14261. description: |-
  14262. Metadata is metadata attached to the secret.
  14263. The structure of metadata is provider specific, please look it up in the provider documentation.
  14264. x-kubernetes-preserve-unknown-fields: true
  14265. required:
  14266. - match
  14267. type: object
  14268. type: array
  14269. dataTo:
  14270. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14271. items:
  14272. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14273. properties:
  14274. conversionStrategy:
  14275. default: None
  14276. description: Used to define a conversion Strategy for the secret keys
  14277. enum:
  14278. - None
  14279. - ReverseUnicode
  14280. type: string
  14281. match:
  14282. description: |-
  14283. Match pattern for selecting keys from the source Secret.
  14284. If not specified, all keys are selected.
  14285. properties:
  14286. regexp:
  14287. description: |-
  14288. Regexp matches keys by regular expression.
  14289. If not specified, all keys are matched.
  14290. type: string
  14291. type: object
  14292. metadata:
  14293. description: |-
  14294. Metadata is metadata attached to the secret.
  14295. The structure of metadata is provider specific, please look it up in the provider documentation.
  14296. x-kubernetes-preserve-unknown-fields: true
  14297. remoteKey:
  14298. description: |-
  14299. RemoteKey is the name of the single provider secret that will receive ALL
  14300. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14301. When set, per-key expansion is skipped and a single push is performed.
  14302. The provider's store prefix (if any) is still prepended to this value.
  14303. When not set, each matched key is pushed as its own individual provider secret.
  14304. type: string
  14305. rewrite:
  14306. description: |-
  14307. Rewrite operations to transform keys before pushing to the provider.
  14308. Operations are applied sequentially.
  14309. items:
  14310. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14311. properties:
  14312. regexp:
  14313. description: Used to rewrite with regular expressions.
  14314. properties:
  14315. source:
  14316. description: Used to define the regular expression of a re.Compiler.
  14317. type: string
  14318. target:
  14319. description: Used to define the target pattern of a ReplaceAll operation.
  14320. type: string
  14321. required:
  14322. - source
  14323. - target
  14324. type: object
  14325. transform:
  14326. description: Used to apply string transformation on the secrets.
  14327. properties:
  14328. template:
  14329. description: |-
  14330. Used to define the template to apply on the secret name.
  14331. `.value ` will specify the secret name in the template.
  14332. type: string
  14333. required:
  14334. - template
  14335. type: object
  14336. type: object
  14337. x-kubernetes-validations:
  14338. - message: exactly one of regexp or transform must be set
  14339. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14340. type: array
  14341. storeRef:
  14342. description: StoreRef specifies which SecretStore to push to. Required.
  14343. properties:
  14344. kind:
  14345. default: SecretStore
  14346. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14347. enum:
  14348. - SecretStore
  14349. - ClusterSecretStore
  14350. type: string
  14351. labelSelector:
  14352. description: Optionally, sync to secret stores with label selector
  14353. properties:
  14354. matchExpressions:
  14355. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14356. items:
  14357. description: |-
  14358. A label selector requirement is a selector that contains values, a key, and an operator that
  14359. relates the key and values.
  14360. properties:
  14361. key:
  14362. description: key is the label key that the selector applies to.
  14363. type: string
  14364. operator:
  14365. description: |-
  14366. operator represents a key's relationship to a set of values.
  14367. Valid operators are In, NotIn, Exists and DoesNotExist.
  14368. type: string
  14369. values:
  14370. description: |-
  14371. values is an array of string values. If the operator is In or NotIn,
  14372. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14373. the values array must be empty. This array is replaced during a strategic
  14374. merge patch.
  14375. items:
  14376. type: string
  14377. type: array
  14378. x-kubernetes-list-type: atomic
  14379. required:
  14380. - key
  14381. - operator
  14382. type: object
  14383. type: array
  14384. x-kubernetes-list-type: atomic
  14385. matchLabels:
  14386. additionalProperties:
  14387. type: string
  14388. description: |-
  14389. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14390. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14391. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14392. type: object
  14393. type: object
  14394. x-kubernetes-map-type: atomic
  14395. name:
  14396. description: Optionally, sync to the SecretStore of the given name
  14397. maxLength: 253
  14398. minLength: 1
  14399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14400. type: string
  14401. type: object
  14402. type: object
  14403. x-kubernetes-validations:
  14404. - message: storeRef must specify either name or labelSelector
  14405. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14406. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14407. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14408. type: array
  14409. deletionPolicy:
  14410. default: None
  14411. description: Deletion Policy to handle Secrets in the provider.
  14412. enum:
  14413. - Delete
  14414. - None
  14415. type: string
  14416. refreshInterval:
  14417. default: 1h0m0s
  14418. description: The Interval to which External Secrets will try to push a secret definition
  14419. type: string
  14420. secretStoreRefs:
  14421. items:
  14422. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14423. properties:
  14424. kind:
  14425. default: SecretStore
  14426. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14427. enum:
  14428. - SecretStore
  14429. - ClusterSecretStore
  14430. type: string
  14431. labelSelector:
  14432. description: Optionally, sync to secret stores with label selector
  14433. properties:
  14434. matchExpressions:
  14435. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14436. items:
  14437. description: |-
  14438. A label selector requirement is a selector that contains values, a key, and an operator that
  14439. relates the key and values.
  14440. properties:
  14441. key:
  14442. description: key is the label key that the selector applies to.
  14443. type: string
  14444. operator:
  14445. description: |-
  14446. operator represents a key's relationship to a set of values.
  14447. Valid operators are In, NotIn, Exists and DoesNotExist.
  14448. type: string
  14449. values:
  14450. description: |-
  14451. values is an array of string values. If the operator is In or NotIn,
  14452. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14453. the values array must be empty. This array is replaced during a strategic
  14454. merge patch.
  14455. items:
  14456. type: string
  14457. type: array
  14458. x-kubernetes-list-type: atomic
  14459. required:
  14460. - key
  14461. - operator
  14462. type: object
  14463. type: array
  14464. x-kubernetes-list-type: atomic
  14465. matchLabels:
  14466. additionalProperties:
  14467. type: string
  14468. description: |-
  14469. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14470. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14471. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14472. type: object
  14473. type: object
  14474. x-kubernetes-map-type: atomic
  14475. name:
  14476. description: Optionally, sync to the SecretStore of the given name
  14477. maxLength: 253
  14478. minLength: 1
  14479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14480. type: string
  14481. type: object
  14482. type: array
  14483. selector:
  14484. description: The Secret Selector (k8s source) for the Push Secret
  14485. maxProperties: 1
  14486. minProperties: 1
  14487. properties:
  14488. generatorRef:
  14489. description: Point to a generator to create a Secret.
  14490. properties:
  14491. apiVersion:
  14492. default: generators.external-secrets.io/v1alpha1
  14493. description: Specify the apiVersion of the generator resource
  14494. type: string
  14495. kind:
  14496. description: Specify the Kind of the generator resource
  14497. enum:
  14498. - ACRAccessToken
  14499. - BeyondtrustWorkloadCredentialsDynamicSecret
  14500. - ClusterGenerator
  14501. - CloudsmithAccessToken
  14502. - ECRAuthorizationToken
  14503. - Fake
  14504. - GCRAccessToken
  14505. - GithubAccessToken
  14506. - QuayAccessToken
  14507. - Password
  14508. - SSHKey
  14509. - STSSessionToken
  14510. - UUID
  14511. - VaultDynamicSecret
  14512. - Webhook
  14513. - Grafana
  14514. - MFA
  14515. type: string
  14516. name:
  14517. description: Specify the name of the generator resource
  14518. maxLength: 253
  14519. minLength: 1
  14520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14521. type: string
  14522. required:
  14523. - kind
  14524. - name
  14525. type: object
  14526. secret:
  14527. description: Select a Secret to Push.
  14528. properties:
  14529. name:
  14530. description: |-
  14531. Name of the Secret.
  14532. The Secret must exist in the same namespace as the PushSecret manifest.
  14533. maxLength: 253
  14534. minLength: 1
  14535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14536. type: string
  14537. selector:
  14538. description: Selector chooses secrets using a labelSelector.
  14539. properties:
  14540. matchExpressions:
  14541. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14542. items:
  14543. description: |-
  14544. A label selector requirement is a selector that contains values, a key, and an operator that
  14545. relates the key and values.
  14546. properties:
  14547. key:
  14548. description: key is the label key that the selector applies to.
  14549. type: string
  14550. operator:
  14551. description: |-
  14552. operator represents a key's relationship to a set of values.
  14553. Valid operators are In, NotIn, Exists and DoesNotExist.
  14554. type: string
  14555. values:
  14556. description: |-
  14557. values is an array of string values. If the operator is In or NotIn,
  14558. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14559. the values array must be empty. This array is replaced during a strategic
  14560. merge patch.
  14561. items:
  14562. type: string
  14563. type: array
  14564. x-kubernetes-list-type: atomic
  14565. required:
  14566. - key
  14567. - operator
  14568. type: object
  14569. type: array
  14570. x-kubernetes-list-type: atomic
  14571. matchLabels:
  14572. additionalProperties:
  14573. type: string
  14574. description: |-
  14575. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14576. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14577. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14578. type: object
  14579. type: object
  14580. x-kubernetes-map-type: atomic
  14581. type: object
  14582. type: object
  14583. template:
  14584. description: Template defines a blueprint for the created Secret resource.
  14585. properties:
  14586. data:
  14587. additionalProperties:
  14588. type: string
  14589. type: object
  14590. engineVersion:
  14591. default: v2
  14592. description: |-
  14593. EngineVersion specifies the template engine version
  14594. that should be used to compile/execute the
  14595. template specified in .data and .templateFrom[].
  14596. enum:
  14597. - v2
  14598. type: string
  14599. mergePolicy:
  14600. default: Replace
  14601. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14602. enum:
  14603. - Replace
  14604. - Merge
  14605. type: string
  14606. metadata:
  14607. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14608. properties:
  14609. annotations:
  14610. additionalProperties:
  14611. type: string
  14612. type: object
  14613. finalizers:
  14614. items:
  14615. type: string
  14616. type: array
  14617. labels:
  14618. additionalProperties:
  14619. type: string
  14620. type: object
  14621. type: object
  14622. templateFrom:
  14623. items:
  14624. description: |-
  14625. TemplateFrom specifies a source for templates.
  14626. Each item in the list can either reference a ConfigMap or a Secret resource.
  14627. properties:
  14628. configMap:
  14629. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14630. properties:
  14631. items:
  14632. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14633. items:
  14634. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14635. properties:
  14636. key:
  14637. description: A key in the ConfigMap/Secret
  14638. maxLength: 253
  14639. minLength: 1
  14640. pattern: ^[-._a-zA-Z0-9]+$
  14641. type: string
  14642. templateAs:
  14643. default: Values
  14644. description: TemplateScope specifies how the template keys should be interpreted.
  14645. enum:
  14646. - Values
  14647. - KeysAndValues
  14648. type: string
  14649. required:
  14650. - key
  14651. type: object
  14652. type: array
  14653. name:
  14654. description: The name of the ConfigMap/Secret resource
  14655. maxLength: 253
  14656. minLength: 1
  14657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14658. type: string
  14659. required:
  14660. - items
  14661. - name
  14662. type: object
  14663. literal:
  14664. type: string
  14665. secret:
  14666. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14667. properties:
  14668. items:
  14669. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14670. items:
  14671. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14672. properties:
  14673. key:
  14674. description: A key in the ConfigMap/Secret
  14675. maxLength: 253
  14676. minLength: 1
  14677. pattern: ^[-._a-zA-Z0-9]+$
  14678. type: string
  14679. templateAs:
  14680. default: Values
  14681. description: TemplateScope specifies how the template keys should be interpreted.
  14682. enum:
  14683. - Values
  14684. - KeysAndValues
  14685. type: string
  14686. required:
  14687. - key
  14688. type: object
  14689. type: array
  14690. name:
  14691. description: The name of the ConfigMap/Secret resource
  14692. maxLength: 253
  14693. minLength: 1
  14694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14695. type: string
  14696. required:
  14697. - items
  14698. - name
  14699. type: object
  14700. target:
  14701. default: Data
  14702. description: |-
  14703. Target specifies where to place the template result.
  14704. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14705. For custom resources (when spec.target.manifest is set), this supports
  14706. nested paths like "spec.database.config" or "data".
  14707. type: string
  14708. type: object
  14709. type: array
  14710. type:
  14711. type: string
  14712. type: object
  14713. updatePolicy:
  14714. default: Replace
  14715. description: UpdatePolicy to handle Secrets in the provider.
  14716. enum:
  14717. - Replace
  14718. - IfNotExists
  14719. type: string
  14720. required:
  14721. - secretStoreRefs
  14722. - selector
  14723. type: object
  14724. status:
  14725. description: PushSecretStatus indicates the history of the status of PushSecret.
  14726. properties:
  14727. conditions:
  14728. items:
  14729. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14730. properties:
  14731. lastTransitionTime:
  14732. format: date-time
  14733. type: string
  14734. message:
  14735. type: string
  14736. reason:
  14737. type: string
  14738. status:
  14739. type: string
  14740. type:
  14741. description: PushSecretConditionType indicates the condition of the PushSecret.
  14742. type: string
  14743. required:
  14744. - status
  14745. - type
  14746. type: object
  14747. type: array
  14748. refreshTime:
  14749. description: |-
  14750. refreshTime is the time and date the external secret was fetched and
  14751. the target secret updated
  14752. format: date-time
  14753. nullable: true
  14754. type: string
  14755. syncedPushSecrets:
  14756. additionalProperties:
  14757. additionalProperties:
  14758. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14759. properties:
  14760. conversionStrategy:
  14761. default: None
  14762. description: Used to define a conversion Strategy for the secret keys
  14763. enum:
  14764. - None
  14765. - ReverseUnicode
  14766. type: string
  14767. match:
  14768. description: Match a given Secret Key to be pushed to the provider.
  14769. properties:
  14770. remoteRef:
  14771. description: Remote Refs to push to providers.
  14772. properties:
  14773. property:
  14774. description: Name of the property in the resulting secret
  14775. type: string
  14776. remoteKey:
  14777. description: Name of the resulting provider secret.
  14778. type: string
  14779. required:
  14780. - remoteKey
  14781. type: object
  14782. secretKey:
  14783. description: Secret Key to be pushed
  14784. type: string
  14785. required:
  14786. - remoteRef
  14787. type: object
  14788. metadata:
  14789. description: |-
  14790. Metadata is metadata attached to the secret.
  14791. The structure of metadata is provider specific, please look it up in the provider documentation.
  14792. x-kubernetes-preserve-unknown-fields: true
  14793. required:
  14794. - match
  14795. type: object
  14796. type: object
  14797. description: |-
  14798. Synced PushSecrets, including secrets that already exist in provider.
  14799. Matches secret stores to PushSecretData that was stored to that secret store.
  14800. type: object
  14801. syncedResourceVersion:
  14802. description: SyncedResourceVersion keeps track of the last synced version.
  14803. type: string
  14804. type: object
  14805. type: object
  14806. served: true
  14807. storage: true
  14808. subresources:
  14809. status: {}
  14810. ---
  14811. apiVersion: apiextensions.k8s.io/v1
  14812. kind: CustomResourceDefinition
  14813. metadata:
  14814. annotations:
  14815. controller-gen.kubebuilder.io/version: v0.19.0
  14816. labels:
  14817. external-secrets.io/component: controller
  14818. name: secretstores.external-secrets.io
  14819. spec:
  14820. group: external-secrets.io
  14821. names:
  14822. categories:
  14823. - external-secrets
  14824. kind: SecretStore
  14825. listKind: SecretStoreList
  14826. plural: secretstores
  14827. shortNames:
  14828. - ss
  14829. singular: secretstore
  14830. scope: Namespaced
  14831. versions:
  14832. - additionalPrinterColumns:
  14833. - jsonPath: .metadata.creationTimestamp
  14834. name: AGE
  14835. type: date
  14836. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14837. name: Status
  14838. type: string
  14839. - jsonPath: .status.capabilities
  14840. name: Capabilities
  14841. type: string
  14842. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  14843. name: Ready
  14844. type: string
  14845. name: v1
  14846. schema:
  14847. openAPIV3Schema:
  14848. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  14849. properties:
  14850. apiVersion:
  14851. description: |-
  14852. APIVersion defines the versioned schema of this representation of an object.
  14853. Servers should convert recognized schemas to the latest internal value, and
  14854. may reject unrecognized values.
  14855. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14856. type: string
  14857. kind:
  14858. description: |-
  14859. Kind is a string value representing the REST resource this object represents.
  14860. Servers may infer this from the endpoint the client submits requests to.
  14861. Cannot be updated.
  14862. In CamelCase.
  14863. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14864. type: string
  14865. metadata:
  14866. type: object
  14867. spec:
  14868. description: SecretStoreSpec defines the desired state of SecretStore.
  14869. properties:
  14870. conditions:
  14871. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  14872. items:
  14873. description: |-
  14874. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  14875. for a ClusterSecretStore instance.
  14876. properties:
  14877. namespaceRegexes:
  14878. description: Choose namespaces by using regex matching
  14879. items:
  14880. type: string
  14881. type: array
  14882. namespaceSelector:
  14883. description: Choose namespace using a labelSelector
  14884. properties:
  14885. matchExpressions:
  14886. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14887. items:
  14888. description: |-
  14889. A label selector requirement is a selector that contains values, a key, and an operator that
  14890. relates the key and values.
  14891. properties:
  14892. key:
  14893. description: key is the label key that the selector applies to.
  14894. type: string
  14895. operator:
  14896. description: |-
  14897. operator represents a key's relationship to a set of values.
  14898. Valid operators are In, NotIn, Exists and DoesNotExist.
  14899. type: string
  14900. values:
  14901. description: |-
  14902. values is an array of string values. If the operator is In or NotIn,
  14903. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14904. the values array must be empty. This array is replaced during a strategic
  14905. merge patch.
  14906. items:
  14907. type: string
  14908. type: array
  14909. x-kubernetes-list-type: atomic
  14910. required:
  14911. - key
  14912. - operator
  14913. type: object
  14914. type: array
  14915. x-kubernetes-list-type: atomic
  14916. matchLabels:
  14917. additionalProperties:
  14918. type: string
  14919. description: |-
  14920. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14921. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14922. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14923. type: object
  14924. type: object
  14925. x-kubernetes-map-type: atomic
  14926. namespaces:
  14927. description: Choose namespaces by name
  14928. items:
  14929. maxLength: 63
  14930. minLength: 1
  14931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14932. type: string
  14933. type: array
  14934. type: object
  14935. type: array
  14936. controller:
  14937. description: |-
  14938. Used to select the correct ESO controller (think: ingress.ingressClassName)
  14939. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  14940. type: string
  14941. provider:
  14942. description: Used to configure the provider. Only one provider may be set
  14943. maxProperties: 1
  14944. minProperties: 1
  14945. properties:
  14946. akeyless:
  14947. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  14948. properties:
  14949. akeylessGWApiURL:
  14950. description: Akeyless GW API Url from which the secrets to be fetched from.
  14951. type: string
  14952. authSecretRef:
  14953. description: Auth configures how the operator authenticates with Akeyless.
  14954. properties:
  14955. kubernetesAuth:
  14956. description: |-
  14957. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  14958. token stored in the named Secret resource.
  14959. properties:
  14960. accessID:
  14961. description: the Akeyless Kubernetes auth-method access-id
  14962. type: string
  14963. k8sConfName:
  14964. description: Kubernetes-auth configuration name in Akeyless-Gateway
  14965. type: string
  14966. secretRef:
  14967. description: |-
  14968. Optional secret field containing a Kubernetes ServiceAccount JWT used
  14969. for authenticating with Akeyless. If a name is specified without a key,
  14970. `token` is the default. If one is not specified, the one bound to
  14971. the controller will be used.
  14972. properties:
  14973. key:
  14974. description: |-
  14975. A key in the referenced Secret.
  14976. Some instances of this field may be defaulted, in others it may be required.
  14977. maxLength: 253
  14978. minLength: 1
  14979. pattern: ^[-._a-zA-Z0-9]+$
  14980. type: string
  14981. name:
  14982. description: The name of the Secret resource being referred to.
  14983. maxLength: 253
  14984. minLength: 1
  14985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14986. type: string
  14987. namespace:
  14988. description: |-
  14989. The namespace of the Secret resource being referred to.
  14990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14991. maxLength: 63
  14992. minLength: 1
  14993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14994. type: string
  14995. type: object
  14996. serviceAccountRef:
  14997. description: |-
  14998. Optional service account field containing the name of a kubernetes ServiceAccount.
  14999. If the service account is specified, the service account secret token JWT will be used
  15000. for authenticating with Akeyless. If the service account selector is not supplied,
  15001. the secretRef will be used instead.
  15002. properties:
  15003. audiences:
  15004. description: |-
  15005. Audience specifies the `aud` claim for the service account token
  15006. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15007. then this audiences will be appended to the list
  15008. items:
  15009. type: string
  15010. type: array
  15011. name:
  15012. description: The name of the ServiceAccount resource being referred to.
  15013. maxLength: 253
  15014. minLength: 1
  15015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15016. type: string
  15017. namespace:
  15018. description: |-
  15019. Namespace of the resource being referred to.
  15020. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15021. maxLength: 63
  15022. minLength: 1
  15023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15024. type: string
  15025. required:
  15026. - name
  15027. type: object
  15028. required:
  15029. - accessID
  15030. - k8sConfName
  15031. type: object
  15032. secretRef:
  15033. description: |-
  15034. Reference to a Secret that contains the details
  15035. to authenticate with Akeyless.
  15036. properties:
  15037. accessID:
  15038. description: The SecretAccessID is used for authentication
  15039. properties:
  15040. key:
  15041. description: |-
  15042. A key in the referenced Secret.
  15043. Some instances of this field may be defaulted, in others it may be required.
  15044. maxLength: 253
  15045. minLength: 1
  15046. pattern: ^[-._a-zA-Z0-9]+$
  15047. type: string
  15048. name:
  15049. description: The name of the Secret resource being referred to.
  15050. maxLength: 253
  15051. minLength: 1
  15052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15053. type: string
  15054. namespace:
  15055. description: |-
  15056. The namespace of the Secret resource being referred to.
  15057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15058. maxLength: 63
  15059. minLength: 1
  15060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15061. type: string
  15062. type: object
  15063. accessType:
  15064. description: |-
  15065. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15066. In some instances, `key` is a required field.
  15067. properties:
  15068. key:
  15069. description: |-
  15070. A key in the referenced Secret.
  15071. Some instances of this field may be defaulted, in others it may be required.
  15072. maxLength: 253
  15073. minLength: 1
  15074. pattern: ^[-._a-zA-Z0-9]+$
  15075. type: string
  15076. name:
  15077. description: The name of the Secret resource being referred to.
  15078. maxLength: 253
  15079. minLength: 1
  15080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15081. type: string
  15082. namespace:
  15083. description: |-
  15084. The namespace of the Secret resource being referred to.
  15085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15086. maxLength: 63
  15087. minLength: 1
  15088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15089. type: string
  15090. type: object
  15091. accessTypeParam:
  15092. description: |-
  15093. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15094. In some instances, `key` is a required field.
  15095. properties:
  15096. key:
  15097. description: |-
  15098. A key in the referenced Secret.
  15099. Some instances of this field may be defaulted, in others it may be required.
  15100. maxLength: 253
  15101. minLength: 1
  15102. pattern: ^[-._a-zA-Z0-9]+$
  15103. type: string
  15104. name:
  15105. description: The name of the Secret resource being referred to.
  15106. maxLength: 253
  15107. minLength: 1
  15108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15109. type: string
  15110. namespace:
  15111. description: |-
  15112. The namespace of the Secret resource being referred to.
  15113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15114. maxLength: 63
  15115. minLength: 1
  15116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15117. type: string
  15118. type: object
  15119. type: object
  15120. type: object
  15121. caBundle:
  15122. description: |-
  15123. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  15124. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  15125. are used to validate the TLS connection.
  15126. format: byte
  15127. type: string
  15128. caProvider:
  15129. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15130. properties:
  15131. key:
  15132. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15133. maxLength: 253
  15134. minLength: 1
  15135. pattern: ^[-._a-zA-Z0-9]+$
  15136. type: string
  15137. name:
  15138. description: The name of the object located at the provider type.
  15139. maxLength: 253
  15140. minLength: 1
  15141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15142. type: string
  15143. namespace:
  15144. description: |-
  15145. The namespace the Provider type is in.
  15146. Can only be defined when used in a ClusterSecretStore.
  15147. maxLength: 63
  15148. minLength: 1
  15149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15150. type: string
  15151. type:
  15152. description: The type of provider to use such as "Secret", or "ConfigMap".
  15153. enum:
  15154. - Secret
  15155. - ConfigMap
  15156. type: string
  15157. required:
  15158. - name
  15159. - type
  15160. type: object
  15161. required:
  15162. - akeylessGWApiURL
  15163. - authSecretRef
  15164. type: object
  15165. aws:
  15166. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15167. properties:
  15168. additionalRoles:
  15169. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15170. items:
  15171. type: string
  15172. type: array
  15173. auth:
  15174. description: |-
  15175. Auth defines the information necessary to authenticate against AWS
  15176. if not set aws sdk will infer credentials from your environment
  15177. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15178. properties:
  15179. jwt:
  15180. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  15181. properties:
  15182. serviceAccountRef:
  15183. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15184. properties:
  15185. audiences:
  15186. description: |-
  15187. Audience specifies the `aud` claim for the service account token
  15188. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15189. then this audiences will be appended to the list
  15190. items:
  15191. type: string
  15192. type: array
  15193. name:
  15194. description: The name of the ServiceAccount resource being referred to.
  15195. maxLength: 253
  15196. minLength: 1
  15197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15198. type: string
  15199. namespace:
  15200. description: |-
  15201. Namespace of the resource being referred to.
  15202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15203. maxLength: 63
  15204. minLength: 1
  15205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15206. type: string
  15207. required:
  15208. - name
  15209. type: object
  15210. type: object
  15211. secretRef:
  15212. description: |-
  15213. AWSAuthSecretRef holds secret references for AWS credentials
  15214. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15215. properties:
  15216. accessKeyIDSecretRef:
  15217. description: The AccessKeyID is used for authentication
  15218. properties:
  15219. key:
  15220. description: |-
  15221. A key in the referenced Secret.
  15222. Some instances of this field may be defaulted, in others it may be required.
  15223. maxLength: 253
  15224. minLength: 1
  15225. pattern: ^[-._a-zA-Z0-9]+$
  15226. type: string
  15227. name:
  15228. description: The name of the Secret resource being referred to.
  15229. maxLength: 253
  15230. minLength: 1
  15231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15232. type: string
  15233. namespace:
  15234. description: |-
  15235. The namespace of the Secret resource being referred to.
  15236. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15237. maxLength: 63
  15238. minLength: 1
  15239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15240. type: string
  15241. type: object
  15242. secretAccessKeySecretRef:
  15243. description: The SecretAccessKey is used for authentication
  15244. properties:
  15245. key:
  15246. description: |-
  15247. A key in the referenced Secret.
  15248. Some instances of this field may be defaulted, in others it may be required.
  15249. maxLength: 253
  15250. minLength: 1
  15251. pattern: ^[-._a-zA-Z0-9]+$
  15252. type: string
  15253. name:
  15254. description: The name of the Secret resource being referred to.
  15255. maxLength: 253
  15256. minLength: 1
  15257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15258. type: string
  15259. namespace:
  15260. description: |-
  15261. The namespace of the Secret resource being referred to.
  15262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15263. maxLength: 63
  15264. minLength: 1
  15265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15266. type: string
  15267. type: object
  15268. sessionTokenSecretRef:
  15269. description: |-
  15270. The SessionToken used for authentication
  15271. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15272. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15273. properties:
  15274. key:
  15275. description: |-
  15276. A key in the referenced Secret.
  15277. Some instances of this field may be defaulted, in others it may be required.
  15278. maxLength: 253
  15279. minLength: 1
  15280. pattern: ^[-._a-zA-Z0-9]+$
  15281. type: string
  15282. name:
  15283. description: The name of the Secret resource being referred to.
  15284. maxLength: 253
  15285. minLength: 1
  15286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15287. type: string
  15288. namespace:
  15289. description: |-
  15290. The namespace of the Secret resource being referred to.
  15291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15292. maxLength: 63
  15293. minLength: 1
  15294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15295. type: string
  15296. type: object
  15297. type: object
  15298. type: object
  15299. customSessionTags:
  15300. additionalProperties:
  15301. type: string
  15302. description: |-
  15303. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15304. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15305. type: object
  15306. x-kubernetes-validations:
  15307. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15308. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15309. externalID:
  15310. description: AWS External ID set on assumed IAM roles
  15311. type: string
  15312. prefix:
  15313. description: Prefix adds a prefix to all retrieved values.
  15314. type: string
  15315. region:
  15316. description: AWS Region to be used for the provider
  15317. type: string
  15318. role:
  15319. description: Role is a Role ARN which the provider will assume
  15320. type: string
  15321. secretsManager:
  15322. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15323. properties:
  15324. forceDeleteWithoutRecovery:
  15325. description: |-
  15326. Specifies whether to delete the secret without any recovery window. You
  15327. can't use both this parameter and RecoveryWindowInDays in the same call.
  15328. If you don't use either, then by default Secrets Manager uses a 30 day
  15329. recovery window.
  15330. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15331. type: boolean
  15332. recoveryWindowInDays:
  15333. description: |-
  15334. The number of days from 7 to 30 that Secrets Manager waits before
  15335. permanently deleting the secret. You can't use both this parameter and
  15336. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15337. then by default Secrets Manager uses a 30-day recovery window.
  15338. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15339. format: int64
  15340. type: integer
  15341. type: object
  15342. service:
  15343. description: Service defines which service should be used to fetch the secrets
  15344. enum:
  15345. - SecretsManager
  15346. - ParameterStore
  15347. type: string
  15348. sessionTags:
  15349. description: AWS STS assume role session tags
  15350. items:
  15351. description: |-
  15352. Tag is a key-value pair that can be attached to an AWS resource.
  15353. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15354. properties:
  15355. key:
  15356. type: string
  15357. value:
  15358. type: string
  15359. required:
  15360. - key
  15361. - value
  15362. type: object
  15363. type: array
  15364. sessionTagsPolicy:
  15365. default: None
  15366. description: |-
  15367. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15368. None (default): no tags are added.
  15369. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15370. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15371. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15372. enum:
  15373. - None
  15374. - Simple
  15375. - Custom
  15376. type: string
  15377. transitiveTagKeys:
  15378. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15379. items:
  15380. type: string
  15381. type: array
  15382. required:
  15383. - region
  15384. - service
  15385. type: object
  15386. azurekv:
  15387. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15388. properties:
  15389. authSecretRef:
  15390. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15391. properties:
  15392. clientCertificate:
  15393. description: The Azure ClientCertificate of the service principle used for authentication.
  15394. properties:
  15395. key:
  15396. description: |-
  15397. A key in the referenced Secret.
  15398. Some instances of this field may be defaulted, in others it may be required.
  15399. maxLength: 253
  15400. minLength: 1
  15401. pattern: ^[-._a-zA-Z0-9]+$
  15402. type: string
  15403. name:
  15404. description: The name of the Secret resource being referred to.
  15405. maxLength: 253
  15406. minLength: 1
  15407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15408. type: string
  15409. namespace:
  15410. description: |-
  15411. The namespace of the Secret resource being referred to.
  15412. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15413. maxLength: 63
  15414. minLength: 1
  15415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15416. type: string
  15417. type: object
  15418. clientId:
  15419. description: The Azure clientId of the service principle or managed identity used for authentication.
  15420. properties:
  15421. key:
  15422. description: |-
  15423. A key in the referenced Secret.
  15424. Some instances of this field may be defaulted, in others it may be required.
  15425. maxLength: 253
  15426. minLength: 1
  15427. pattern: ^[-._a-zA-Z0-9]+$
  15428. type: string
  15429. name:
  15430. description: The name of the Secret resource being referred to.
  15431. maxLength: 253
  15432. minLength: 1
  15433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15434. type: string
  15435. namespace:
  15436. description: |-
  15437. The namespace of the Secret resource being referred to.
  15438. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15439. maxLength: 63
  15440. minLength: 1
  15441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15442. type: string
  15443. type: object
  15444. clientSecret:
  15445. description: The Azure ClientSecret of the service principle used for authentication.
  15446. properties:
  15447. key:
  15448. description: |-
  15449. A key in the referenced Secret.
  15450. Some instances of this field may be defaulted, in others it may be required.
  15451. maxLength: 253
  15452. minLength: 1
  15453. pattern: ^[-._a-zA-Z0-9]+$
  15454. type: string
  15455. name:
  15456. description: The name of the Secret resource being referred to.
  15457. maxLength: 253
  15458. minLength: 1
  15459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15460. type: string
  15461. namespace:
  15462. description: |-
  15463. The namespace of the Secret resource being referred to.
  15464. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15465. maxLength: 63
  15466. minLength: 1
  15467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15468. type: string
  15469. type: object
  15470. tenantId:
  15471. description: The Azure tenantId of the managed identity used for authentication.
  15472. properties:
  15473. key:
  15474. description: |-
  15475. A key in the referenced Secret.
  15476. Some instances of this field may be defaulted, in others it may be required.
  15477. maxLength: 253
  15478. minLength: 1
  15479. pattern: ^[-._a-zA-Z0-9]+$
  15480. type: string
  15481. name:
  15482. description: The name of the Secret resource being referred to.
  15483. maxLength: 253
  15484. minLength: 1
  15485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15486. type: string
  15487. namespace:
  15488. description: |-
  15489. The namespace of the Secret resource being referred to.
  15490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15491. maxLength: 63
  15492. minLength: 1
  15493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15494. type: string
  15495. type: object
  15496. type: object
  15497. authType:
  15498. default: ServicePrincipal
  15499. description: |-
  15500. Auth type defines how to authenticate to the keyvault service.
  15501. Valid values are:
  15502. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15503. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15504. enum:
  15505. - ServicePrincipal
  15506. - ManagedIdentity
  15507. - WorkloadIdentity
  15508. type: string
  15509. customCloudConfig:
  15510. description: |-
  15511. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15512. Required when EnvironmentType is AzureStackCloud.
  15513. Optional for other environment types - useful for Azure China when using Workload Identity
  15514. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15515. standard China Cloud endpoint (login.chinacloudapi.cn).
  15516. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15517. configuration is not supported with the legacy go-autorest SDK.
  15518. properties:
  15519. activeDirectoryEndpoint:
  15520. description: |-
  15521. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15522. Required when using custom cloud configuration
  15523. type: string
  15524. keyVaultDNSSuffix:
  15525. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15526. type: string
  15527. keyVaultEndpoint:
  15528. description: KeyVaultEndpoint is the Key Vault service endpoint
  15529. type: string
  15530. resourceManagerEndpoint:
  15531. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15532. type: string
  15533. required:
  15534. - activeDirectoryEndpoint
  15535. type: object
  15536. environmentType:
  15537. default: PublicCloud
  15538. description: |-
  15539. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15540. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15541. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15542. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15543. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15544. enum:
  15545. - PublicCloud
  15546. - USGovernmentCloud
  15547. - ChinaCloud
  15548. - GermanCloud
  15549. - AzureStackCloud
  15550. type: string
  15551. identityId:
  15552. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  15553. type: string
  15554. serviceAccountRef:
  15555. description: |-
  15556. ServiceAccountRef specified the service account
  15557. that should be used when authenticating with WorkloadIdentity.
  15558. properties:
  15559. audiences:
  15560. description: |-
  15561. Audience specifies the `aud` claim for the service account token
  15562. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15563. then this audiences will be appended to the list
  15564. items:
  15565. type: string
  15566. type: array
  15567. name:
  15568. description: The name of the ServiceAccount resource being referred to.
  15569. maxLength: 253
  15570. minLength: 1
  15571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15572. type: string
  15573. namespace:
  15574. description: |-
  15575. Namespace of the resource being referred to.
  15576. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15577. maxLength: 63
  15578. minLength: 1
  15579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15580. type: string
  15581. required:
  15582. - name
  15583. type: object
  15584. tenantId:
  15585. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15586. type: string
  15587. useAzureSDK:
  15588. default: false
  15589. description: |-
  15590. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15591. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15592. type: boolean
  15593. vaultUrl:
  15594. description: Vault Url from which the secrets to be fetched from.
  15595. type: string
  15596. required:
  15597. - vaultUrl
  15598. type: object
  15599. barbican:
  15600. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15601. properties:
  15602. auth:
  15603. description: BarbicanAuth contains the authentication information for Barbican.
  15604. properties:
  15605. password:
  15606. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15607. properties:
  15608. secretRef:
  15609. description: |-
  15610. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15611. In some instances, `key` is a required field.
  15612. properties:
  15613. key:
  15614. description: |-
  15615. A key in the referenced Secret.
  15616. Some instances of this field may be defaulted, in others it may be required.
  15617. maxLength: 253
  15618. minLength: 1
  15619. pattern: ^[-._a-zA-Z0-9]+$
  15620. type: string
  15621. name:
  15622. description: The name of the Secret resource being referred to.
  15623. maxLength: 253
  15624. minLength: 1
  15625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15626. type: string
  15627. namespace:
  15628. description: |-
  15629. The namespace of the Secret resource being referred to.
  15630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15631. maxLength: 63
  15632. minLength: 1
  15633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15634. type: string
  15635. type: object
  15636. required:
  15637. - secretRef
  15638. type: object
  15639. username:
  15640. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  15641. maxProperties: 1
  15642. minProperties: 1
  15643. properties:
  15644. secretRef:
  15645. description: |-
  15646. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15647. In some instances, `key` is a required field.
  15648. properties:
  15649. key:
  15650. description: |-
  15651. A key in the referenced Secret.
  15652. Some instances of this field may be defaulted, in others it may be required.
  15653. maxLength: 253
  15654. minLength: 1
  15655. pattern: ^[-._a-zA-Z0-9]+$
  15656. type: string
  15657. name:
  15658. description: The name of the Secret resource being referred to.
  15659. maxLength: 253
  15660. minLength: 1
  15661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15662. type: string
  15663. namespace:
  15664. description: |-
  15665. The namespace of the Secret resource being referred to.
  15666. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15667. maxLength: 63
  15668. minLength: 1
  15669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15670. type: string
  15671. type: object
  15672. value:
  15673. type: string
  15674. type: object
  15675. required:
  15676. - password
  15677. - username
  15678. type: object
  15679. authURL:
  15680. type: string
  15681. domainName:
  15682. type: string
  15683. region:
  15684. type: string
  15685. tenantName:
  15686. type: string
  15687. required:
  15688. - auth
  15689. type: object
  15690. beyondtrust:
  15691. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15692. properties:
  15693. auth:
  15694. description: Auth configures how the operator authenticates with Beyondtrust.
  15695. properties:
  15696. apiKey:
  15697. description: APIKey If not provided then ClientID/ClientSecret become required.
  15698. properties:
  15699. secretRef:
  15700. description: SecretRef references a key in a secret that will be used as value.
  15701. properties:
  15702. key:
  15703. description: |-
  15704. A key in the referenced Secret.
  15705. Some instances of this field may be defaulted, in others it may be required.
  15706. maxLength: 253
  15707. minLength: 1
  15708. pattern: ^[-._a-zA-Z0-9]+$
  15709. type: string
  15710. name:
  15711. description: The name of the Secret resource being referred to.
  15712. maxLength: 253
  15713. minLength: 1
  15714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15715. type: string
  15716. namespace:
  15717. description: |-
  15718. The namespace of the Secret resource being referred to.
  15719. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15720. maxLength: 63
  15721. minLength: 1
  15722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15723. type: string
  15724. type: object
  15725. value:
  15726. description: Value can be specified directly to set a value without using a secret.
  15727. type: string
  15728. type: object
  15729. certificate:
  15730. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15731. properties:
  15732. secretRef:
  15733. description: SecretRef references a key in a secret that will be used as value.
  15734. properties:
  15735. key:
  15736. description: |-
  15737. A key in the referenced Secret.
  15738. Some instances of this field may be defaulted, in others it may be required.
  15739. maxLength: 253
  15740. minLength: 1
  15741. pattern: ^[-._a-zA-Z0-9]+$
  15742. type: string
  15743. name:
  15744. description: The name of the Secret resource being referred to.
  15745. maxLength: 253
  15746. minLength: 1
  15747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15748. type: string
  15749. namespace:
  15750. description: |-
  15751. The namespace of the Secret resource being referred to.
  15752. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15753. maxLength: 63
  15754. minLength: 1
  15755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15756. type: string
  15757. type: object
  15758. value:
  15759. description: Value can be specified directly to set a value without using a secret.
  15760. type: string
  15761. type: object
  15762. certificateKey:
  15763. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  15764. properties:
  15765. secretRef:
  15766. description: SecretRef references a key in a secret that will be used as value.
  15767. properties:
  15768. key:
  15769. description: |-
  15770. A key in the referenced Secret.
  15771. Some instances of this field may be defaulted, in others it may be required.
  15772. maxLength: 253
  15773. minLength: 1
  15774. pattern: ^[-._a-zA-Z0-9]+$
  15775. type: string
  15776. name:
  15777. description: The name of the Secret resource being referred to.
  15778. maxLength: 253
  15779. minLength: 1
  15780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15781. type: string
  15782. namespace:
  15783. description: |-
  15784. The namespace of the Secret resource being referred to.
  15785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15786. maxLength: 63
  15787. minLength: 1
  15788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15789. type: string
  15790. type: object
  15791. value:
  15792. description: Value can be specified directly to set a value without using a secret.
  15793. type: string
  15794. type: object
  15795. clientId:
  15796. description: ClientID is the API OAuth Client ID.
  15797. properties:
  15798. secretRef:
  15799. description: SecretRef references a key in a secret that will be used as value.
  15800. properties:
  15801. key:
  15802. description: |-
  15803. A key in the referenced Secret.
  15804. Some instances of this field may be defaulted, in others it may be required.
  15805. maxLength: 253
  15806. minLength: 1
  15807. pattern: ^[-._a-zA-Z0-9]+$
  15808. type: string
  15809. name:
  15810. description: The name of the Secret resource being referred to.
  15811. maxLength: 253
  15812. minLength: 1
  15813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15814. type: string
  15815. namespace:
  15816. description: |-
  15817. The namespace of the Secret resource being referred to.
  15818. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15819. maxLength: 63
  15820. minLength: 1
  15821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15822. type: string
  15823. type: object
  15824. value:
  15825. description: Value can be specified directly to set a value without using a secret.
  15826. type: string
  15827. type: object
  15828. clientSecret:
  15829. description: ClientSecret is the API OAuth Client Secret.
  15830. properties:
  15831. secretRef:
  15832. description: SecretRef references a key in a secret that will be used as value.
  15833. properties:
  15834. key:
  15835. description: |-
  15836. A key in the referenced Secret.
  15837. Some instances of this field may be defaulted, in others it may be required.
  15838. maxLength: 253
  15839. minLength: 1
  15840. pattern: ^[-._a-zA-Z0-9]+$
  15841. type: string
  15842. name:
  15843. description: The name of the Secret resource being referred to.
  15844. maxLength: 253
  15845. minLength: 1
  15846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15847. type: string
  15848. namespace:
  15849. description: |-
  15850. The namespace of the Secret resource being referred to.
  15851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15852. maxLength: 63
  15853. minLength: 1
  15854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15855. type: string
  15856. type: object
  15857. value:
  15858. description: Value can be specified directly to set a value without using a secret.
  15859. type: string
  15860. type: object
  15861. type: object
  15862. server:
  15863. description: Auth configures how API server works.
  15864. properties:
  15865. apiUrl:
  15866. type: string
  15867. apiVersion:
  15868. type: string
  15869. clientTimeOutSeconds:
  15870. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  15871. type: integer
  15872. decrypt:
  15873. default: true
  15874. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  15875. type: boolean
  15876. retrievalType:
  15877. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  15878. type: string
  15879. separator:
  15880. description: A character that separates the folder names.
  15881. type: string
  15882. verifyCA:
  15883. type: boolean
  15884. required:
  15885. - apiUrl
  15886. - verifyCA
  15887. type: object
  15888. required:
  15889. - auth
  15890. - server
  15891. type: object
  15892. beyondtrustworkloadcredentials:
  15893. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  15894. properties:
  15895. auth:
  15896. description: |-
  15897. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  15898. Currently supports API key authentication via Kubernetes secret reference.
  15899. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  15900. properties:
  15901. apikey:
  15902. description: |-
  15903. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  15904. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  15905. properties:
  15906. token:
  15907. description: |-
  15908. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  15909. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  15910. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  15911. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  15912. properties:
  15913. key:
  15914. description: |-
  15915. A key in the referenced Secret.
  15916. Some instances of this field may be defaulted, in others it may be required.
  15917. maxLength: 253
  15918. minLength: 1
  15919. pattern: ^[-._a-zA-Z0-9]+$
  15920. type: string
  15921. name:
  15922. description: The name of the Secret resource being referred to.
  15923. maxLength: 253
  15924. minLength: 1
  15925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15926. type: string
  15927. namespace:
  15928. description: |-
  15929. The namespace of the Secret resource being referred to.
  15930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15931. maxLength: 63
  15932. minLength: 1
  15933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15934. type: string
  15935. type: object
  15936. required:
  15937. - token
  15938. type: object
  15939. required:
  15940. - apikey
  15941. type: object
  15942. caBundle:
  15943. description: |-
  15944. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  15945. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  15946. If not set, the system's trusted root certificates are used.
  15947. format: byte
  15948. type: string
  15949. caProvider:
  15950. description: |-
  15951. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  15952. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  15953. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  15954. properties:
  15955. key:
  15956. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15957. maxLength: 253
  15958. minLength: 1
  15959. pattern: ^[-._a-zA-Z0-9]+$
  15960. type: string
  15961. name:
  15962. description: The name of the object located at the provider type.
  15963. maxLength: 253
  15964. minLength: 1
  15965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15966. type: string
  15967. namespace:
  15968. description: |-
  15969. The namespace the Provider type is in.
  15970. Can only be defined when used in a ClusterSecretStore.
  15971. maxLength: 63
  15972. minLength: 1
  15973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15974. type: string
  15975. type:
  15976. description: The type of provider to use such as "Secret", or "ConfigMap".
  15977. enum:
  15978. - Secret
  15979. - ConfigMap
  15980. type: string
  15981. required:
  15982. - name
  15983. - type
  15984. type: object
  15985. folderPath:
  15986. description: |-
  15987. FolderPath specifies the default folder path for secret retrieval.
  15988. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  15989. Example: "production/database" or "dev/api-keys"
  15990. Leave empty to retrieve secrets from the root folder.
  15991. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  15992. type: string
  15993. server:
  15994. description: |-
  15995. Server configures the BeyondTrust Workload Credentials server connection details.
  15996. Includes the API URL and Site ID for your BeyondTrust instance.
  15997. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  15998. properties:
  15999. apiUrl:
  16000. description: |-
  16001. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  16002. This should be the full URL to your BeyondTrust instance.
  16003. Example: https://api.beyondtrust.io/siie
  16004. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  16005. type: string
  16006. siteId:
  16007. description: |-
  16008. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  16009. This identifier is unique to your BeyondTrust Workload Credentials instance.
  16010. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  16011. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  16012. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16013. type: string
  16014. required:
  16015. - apiUrl
  16016. - siteId
  16017. type: object
  16018. required:
  16019. - auth
  16020. - server
  16021. type: object
  16022. bitwardensecretsmanager:
  16023. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  16024. properties:
  16025. apiURL:
  16026. type: string
  16027. auth:
  16028. description: |-
  16029. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16030. Make sure that the token being used has permissions on the given secret.
  16031. properties:
  16032. secretRef:
  16033. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16034. properties:
  16035. credentials:
  16036. description: AccessToken used for the bitwarden instance.
  16037. properties:
  16038. key:
  16039. description: |-
  16040. A key in the referenced Secret.
  16041. Some instances of this field may be defaulted, in others it may be required.
  16042. maxLength: 253
  16043. minLength: 1
  16044. pattern: ^[-._a-zA-Z0-9]+$
  16045. type: string
  16046. name:
  16047. description: The name of the Secret resource being referred to.
  16048. maxLength: 253
  16049. minLength: 1
  16050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16051. type: string
  16052. namespace:
  16053. description: |-
  16054. The namespace of the Secret resource being referred to.
  16055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16056. maxLength: 63
  16057. minLength: 1
  16058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16059. type: string
  16060. type: object
  16061. required:
  16062. - credentials
  16063. type: object
  16064. required:
  16065. - secretRef
  16066. type: object
  16067. bitwardenServerSDKURL:
  16068. type: string
  16069. caBundle:
  16070. description: |-
  16071. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  16072. can be performed.
  16073. type: string
  16074. caProvider:
  16075. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16076. properties:
  16077. key:
  16078. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16079. maxLength: 253
  16080. minLength: 1
  16081. pattern: ^[-._a-zA-Z0-9]+$
  16082. type: string
  16083. name:
  16084. description: The name of the object located at the provider type.
  16085. maxLength: 253
  16086. minLength: 1
  16087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16088. type: string
  16089. namespace:
  16090. description: |-
  16091. The namespace the Provider type is in.
  16092. Can only be defined when used in a ClusterSecretStore.
  16093. maxLength: 63
  16094. minLength: 1
  16095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16096. type: string
  16097. type:
  16098. description: The type of provider to use such as "Secret", or "ConfigMap".
  16099. enum:
  16100. - Secret
  16101. - ConfigMap
  16102. type: string
  16103. required:
  16104. - name
  16105. - type
  16106. type: object
  16107. identityURL:
  16108. type: string
  16109. organizationID:
  16110. description: OrganizationID determines which organization this secret store manages.
  16111. type: string
  16112. projectID:
  16113. description: ProjectID determines which project this secret store manages.
  16114. type: string
  16115. required:
  16116. - auth
  16117. - organizationID
  16118. - projectID
  16119. type: object
  16120. chef:
  16121. description: Chef configures this store to sync secrets with chef server
  16122. properties:
  16123. auth:
  16124. description: Auth defines the information necessary to authenticate against chef Server
  16125. properties:
  16126. secretRef:
  16127. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16128. properties:
  16129. privateKeySecretRef:
  16130. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16131. properties:
  16132. key:
  16133. description: |-
  16134. A key in the referenced Secret.
  16135. Some instances of this field may be defaulted, in others it may be required.
  16136. maxLength: 253
  16137. minLength: 1
  16138. pattern: ^[-._a-zA-Z0-9]+$
  16139. type: string
  16140. name:
  16141. description: The name of the Secret resource being referred to.
  16142. maxLength: 253
  16143. minLength: 1
  16144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16145. type: string
  16146. namespace:
  16147. description: |-
  16148. The namespace of the Secret resource being referred to.
  16149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16150. maxLength: 63
  16151. minLength: 1
  16152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16153. type: string
  16154. type: object
  16155. required:
  16156. - privateKeySecretRef
  16157. type: object
  16158. required:
  16159. - secretRef
  16160. type: object
  16161. serverUrl:
  16162. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  16163. type: string
  16164. username:
  16165. description: UserName should be the user ID on the chef server
  16166. type: string
  16167. required:
  16168. - auth
  16169. - serverUrl
  16170. - username
  16171. type: object
  16172. cloudrusm:
  16173. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16174. properties:
  16175. auth:
  16176. description: CSMAuth contains a secretRef for credentials.
  16177. properties:
  16178. secretRef:
  16179. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16180. properties:
  16181. accessKeyIDSecretRef:
  16182. description: The AccessKeyID is used for authentication
  16183. properties:
  16184. key:
  16185. description: |-
  16186. A key in the referenced Secret.
  16187. Some instances of this field may be defaulted, in others it may be required.
  16188. maxLength: 253
  16189. minLength: 1
  16190. pattern: ^[-._a-zA-Z0-9]+$
  16191. type: string
  16192. name:
  16193. description: The name of the Secret resource being referred to.
  16194. maxLength: 253
  16195. minLength: 1
  16196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16197. type: string
  16198. namespace:
  16199. description: |-
  16200. The namespace of the Secret resource being referred to.
  16201. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16202. maxLength: 63
  16203. minLength: 1
  16204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16205. type: string
  16206. type: object
  16207. accessKeySecretSecretRef:
  16208. description: The AccessKeySecret is used for authentication
  16209. properties:
  16210. key:
  16211. description: |-
  16212. A key in the referenced Secret.
  16213. Some instances of this field may be defaulted, in others it may be required.
  16214. maxLength: 253
  16215. minLength: 1
  16216. pattern: ^[-._a-zA-Z0-9]+$
  16217. type: string
  16218. name:
  16219. description: The name of the Secret resource being referred to.
  16220. maxLength: 253
  16221. minLength: 1
  16222. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16223. type: string
  16224. namespace:
  16225. description: |-
  16226. The namespace of the Secret resource being referred to.
  16227. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16228. maxLength: 63
  16229. minLength: 1
  16230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16231. type: string
  16232. type: object
  16233. required:
  16234. - accessKeyIDSecretRef
  16235. - accessKeySecretSecretRef
  16236. type: object
  16237. type: object
  16238. projectID:
  16239. description: ProjectID is the project, which the secrets are stored in.
  16240. type: string
  16241. required:
  16242. - auth
  16243. type: object
  16244. conjur:
  16245. description: Conjur configures this store to sync secrets using conjur provider
  16246. properties:
  16247. auth:
  16248. description: Defines authentication settings for connecting to Conjur.
  16249. properties:
  16250. apikey:
  16251. description: Authenticates with Conjur using an API key.
  16252. properties:
  16253. account:
  16254. description: Account is the Conjur organization account name.
  16255. type: string
  16256. apiKeyRef:
  16257. description: |-
  16258. A reference to a specific 'key' containing the Conjur API key
  16259. within a Secret resource. In some instances, `key` is a required field.
  16260. properties:
  16261. key:
  16262. description: |-
  16263. A key in the referenced Secret.
  16264. Some instances of this field may be defaulted, in others it may be required.
  16265. maxLength: 253
  16266. minLength: 1
  16267. pattern: ^[-._a-zA-Z0-9]+$
  16268. type: string
  16269. name:
  16270. description: The name of the Secret resource being referred to.
  16271. maxLength: 253
  16272. minLength: 1
  16273. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16274. type: string
  16275. namespace:
  16276. description: |-
  16277. The namespace of the Secret resource being referred to.
  16278. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16279. maxLength: 63
  16280. minLength: 1
  16281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16282. type: string
  16283. type: object
  16284. userRef:
  16285. description: |-
  16286. A reference to a specific 'key' containing the Conjur username
  16287. within a Secret resource. In some instances, `key` is a required field.
  16288. properties:
  16289. key:
  16290. description: |-
  16291. A key in the referenced Secret.
  16292. Some instances of this field may be defaulted, in others it may be required.
  16293. maxLength: 253
  16294. minLength: 1
  16295. pattern: ^[-._a-zA-Z0-9]+$
  16296. type: string
  16297. name:
  16298. description: The name of the Secret resource being referred to.
  16299. maxLength: 253
  16300. minLength: 1
  16301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16302. type: string
  16303. namespace:
  16304. description: |-
  16305. The namespace of the Secret resource being referred to.
  16306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16307. maxLength: 63
  16308. minLength: 1
  16309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16310. type: string
  16311. type: object
  16312. required:
  16313. - account
  16314. - apiKeyRef
  16315. - userRef
  16316. type: object
  16317. jwt:
  16318. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16319. properties:
  16320. account:
  16321. description: Account is the Conjur organization account name.
  16322. type: string
  16323. hostId:
  16324. description: |-
  16325. Optional HostID for JWT authentication. This may be used depending
  16326. on how the Conjur JWT authenticator policy is configured.
  16327. type: string
  16328. secretRef:
  16329. description: |-
  16330. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16331. authenticate with Conjur using the JWT authentication method.
  16332. properties:
  16333. key:
  16334. description: |-
  16335. A key in the referenced Secret.
  16336. Some instances of this field may be defaulted, in others it may be required.
  16337. maxLength: 253
  16338. minLength: 1
  16339. pattern: ^[-._a-zA-Z0-9]+$
  16340. type: string
  16341. name:
  16342. description: The name of the Secret resource being referred to.
  16343. maxLength: 253
  16344. minLength: 1
  16345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16346. type: string
  16347. namespace:
  16348. description: |-
  16349. The namespace of the Secret resource being referred to.
  16350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16351. maxLength: 63
  16352. minLength: 1
  16353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16354. type: string
  16355. type: object
  16356. serviceAccountRef:
  16357. description: |-
  16358. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16359. a token for with the `TokenRequest` API.
  16360. properties:
  16361. audiences:
  16362. description: |-
  16363. Audience specifies the `aud` claim for the service account token
  16364. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16365. then this audiences will be appended to the list
  16366. items:
  16367. type: string
  16368. type: array
  16369. name:
  16370. description: The name of the ServiceAccount resource being referred to.
  16371. maxLength: 253
  16372. minLength: 1
  16373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16374. type: string
  16375. namespace:
  16376. description: |-
  16377. Namespace of the resource being referred to.
  16378. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16379. maxLength: 63
  16380. minLength: 1
  16381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16382. type: string
  16383. required:
  16384. - name
  16385. type: object
  16386. serviceID:
  16387. description: The conjur authn jwt webservice id
  16388. type: string
  16389. required:
  16390. - account
  16391. - serviceID
  16392. type: object
  16393. type: object
  16394. caBundle:
  16395. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16396. type: string
  16397. caProvider:
  16398. description: |-
  16399. Used to provide custom certificate authority (CA) certificates
  16400. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16401. that contains a PEM-encoded certificate.
  16402. properties:
  16403. key:
  16404. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16405. maxLength: 253
  16406. minLength: 1
  16407. pattern: ^[-._a-zA-Z0-9]+$
  16408. type: string
  16409. name:
  16410. description: The name of the object located at the provider type.
  16411. maxLength: 253
  16412. minLength: 1
  16413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16414. type: string
  16415. namespace:
  16416. description: |-
  16417. The namespace the Provider type is in.
  16418. Can only be defined when used in a ClusterSecretStore.
  16419. maxLength: 63
  16420. minLength: 1
  16421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16422. type: string
  16423. type:
  16424. description: The type of provider to use such as "Secret", or "ConfigMap".
  16425. enum:
  16426. - Secret
  16427. - ConfigMap
  16428. type: string
  16429. required:
  16430. - name
  16431. - type
  16432. type: object
  16433. url:
  16434. description: URL is the endpoint of the Conjur instance.
  16435. type: string
  16436. required:
  16437. - auth
  16438. - url
  16439. type: object
  16440. delinea:
  16441. description: |-
  16442. Delinea DevOps Secrets Vault
  16443. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16444. properties:
  16445. clientId:
  16446. description: ClientID is the non-secret part of the credential.
  16447. properties:
  16448. secretRef:
  16449. description: SecretRef references a key in a secret that will be used as value.
  16450. properties:
  16451. key:
  16452. description: |-
  16453. A key in the referenced Secret.
  16454. Some instances of this field may be defaulted, in others it may be required.
  16455. maxLength: 253
  16456. minLength: 1
  16457. pattern: ^[-._a-zA-Z0-9]+$
  16458. type: string
  16459. name:
  16460. description: The name of the Secret resource being referred to.
  16461. maxLength: 253
  16462. minLength: 1
  16463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16464. type: string
  16465. namespace:
  16466. description: |-
  16467. The namespace of the Secret resource being referred to.
  16468. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16469. maxLength: 63
  16470. minLength: 1
  16471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16472. type: string
  16473. type: object
  16474. value:
  16475. description: Value can be specified directly to set a value without using a secret.
  16476. type: string
  16477. type: object
  16478. clientSecret:
  16479. description: ClientSecret is the secret part of the credential.
  16480. properties:
  16481. secretRef:
  16482. description: SecretRef references a key in a secret that will be used as value.
  16483. properties:
  16484. key:
  16485. description: |-
  16486. A key in the referenced Secret.
  16487. Some instances of this field may be defaulted, in others it may be required.
  16488. maxLength: 253
  16489. minLength: 1
  16490. pattern: ^[-._a-zA-Z0-9]+$
  16491. type: string
  16492. name:
  16493. description: The name of the Secret resource being referred to.
  16494. maxLength: 253
  16495. minLength: 1
  16496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16497. type: string
  16498. namespace:
  16499. description: |-
  16500. The namespace of the Secret resource being referred to.
  16501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16502. maxLength: 63
  16503. minLength: 1
  16504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16505. type: string
  16506. type: object
  16507. value:
  16508. description: Value can be specified directly to set a value without using a secret.
  16509. type: string
  16510. type: object
  16511. tenant:
  16512. description: Tenant is the chosen hostname / site name.
  16513. type: string
  16514. tld:
  16515. description: |-
  16516. TLD is based on the server location that was chosen during provisioning.
  16517. If unset, defaults to "com".
  16518. type: string
  16519. urlTemplate:
  16520. description: |-
  16521. URLTemplate
  16522. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16523. type: string
  16524. required:
  16525. - clientId
  16526. - clientSecret
  16527. - tenant
  16528. type: object
  16529. doppler:
  16530. description: Doppler configures this store to sync secrets using the Doppler provider
  16531. properties:
  16532. auth:
  16533. description: Auth configures how the Operator authenticates with the Doppler API
  16534. properties:
  16535. oidcConfig:
  16536. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16537. properties:
  16538. expirationSeconds:
  16539. default: 600
  16540. description: |-
  16541. ExpirationSeconds sets the ServiceAccount token validity duration.
  16542. Defaults to 10 minutes.
  16543. format: int64
  16544. type: integer
  16545. identity:
  16546. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16547. type: string
  16548. serviceAccountRef:
  16549. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16550. properties:
  16551. audiences:
  16552. description: |-
  16553. Audience specifies the `aud` claim for the service account token
  16554. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16555. then this audiences will be appended to the list
  16556. items:
  16557. type: string
  16558. type: array
  16559. name:
  16560. description: The name of the ServiceAccount resource being referred to.
  16561. maxLength: 253
  16562. minLength: 1
  16563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16564. type: string
  16565. namespace:
  16566. description: |-
  16567. Namespace of the resource being referred to.
  16568. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16569. maxLength: 63
  16570. minLength: 1
  16571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16572. type: string
  16573. required:
  16574. - name
  16575. type: object
  16576. required:
  16577. - identity
  16578. - serviceAccountRef
  16579. type: object
  16580. secretRef:
  16581. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16582. properties:
  16583. dopplerToken:
  16584. description: |-
  16585. The DopplerToken is used for authentication.
  16586. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16587. The Key attribute defaults to dopplerToken if not specified.
  16588. properties:
  16589. key:
  16590. description: |-
  16591. A key in the referenced Secret.
  16592. Some instances of this field may be defaulted, in others it may be required.
  16593. maxLength: 253
  16594. minLength: 1
  16595. pattern: ^[-._a-zA-Z0-9]+$
  16596. type: string
  16597. name:
  16598. description: The name of the Secret resource being referred to.
  16599. maxLength: 253
  16600. minLength: 1
  16601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16602. type: string
  16603. namespace:
  16604. description: |-
  16605. The namespace of the Secret resource being referred to.
  16606. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16607. maxLength: 63
  16608. minLength: 1
  16609. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16610. type: string
  16611. type: object
  16612. required:
  16613. - dopplerToken
  16614. type: object
  16615. type: object
  16616. x-kubernetes-validations:
  16617. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16618. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16619. config:
  16620. description: Doppler config (required if not using a Service Token)
  16621. type: string
  16622. format:
  16623. description: Format enables the downloading of secrets as a file (string)
  16624. enum:
  16625. - json
  16626. - dotnet-json
  16627. - env
  16628. - yaml
  16629. - docker
  16630. type: string
  16631. nameTransformer:
  16632. description: Environment variable compatible name transforms that change secret names to a different format
  16633. enum:
  16634. - upper-camel
  16635. - camel
  16636. - lower-snake
  16637. - tf-var
  16638. - dotnet-env
  16639. - lower-kebab
  16640. type: string
  16641. project:
  16642. description: Doppler project (required if not using a Service Token)
  16643. type: string
  16644. required:
  16645. - auth
  16646. type: object
  16647. dvls:
  16648. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16649. properties:
  16650. auth:
  16651. description: Auth defines the authentication method to use.
  16652. properties:
  16653. secretRef:
  16654. description: SecretRef contains the Application ID and Application Secret for authentication.
  16655. properties:
  16656. appId:
  16657. description: AppID is the reference to the secret containing the Application ID.
  16658. properties:
  16659. key:
  16660. description: |-
  16661. A key in the referenced Secret.
  16662. Some instances of this field may be defaulted, in others it may be required.
  16663. maxLength: 253
  16664. minLength: 1
  16665. pattern: ^[-._a-zA-Z0-9]+$
  16666. type: string
  16667. name:
  16668. description: The name of the Secret resource being referred to.
  16669. maxLength: 253
  16670. minLength: 1
  16671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16672. type: string
  16673. namespace:
  16674. description: |-
  16675. The namespace of the Secret resource being referred to.
  16676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16677. maxLength: 63
  16678. minLength: 1
  16679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16680. type: string
  16681. type: object
  16682. appSecret:
  16683. description: AppSecret is the reference to the secret containing the Application Secret.
  16684. properties:
  16685. key:
  16686. description: |-
  16687. A key in the referenced Secret.
  16688. Some instances of this field may be defaulted, in others it may be required.
  16689. maxLength: 253
  16690. minLength: 1
  16691. pattern: ^[-._a-zA-Z0-9]+$
  16692. type: string
  16693. name:
  16694. description: The name of the Secret resource being referred to.
  16695. maxLength: 253
  16696. minLength: 1
  16697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16698. type: string
  16699. namespace:
  16700. description: |-
  16701. The namespace of the Secret resource being referred to.
  16702. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16703. maxLength: 63
  16704. minLength: 1
  16705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16706. type: string
  16707. type: object
  16708. required:
  16709. - appId
  16710. - appSecret
  16711. type: object
  16712. required:
  16713. - secretRef
  16714. type: object
  16715. insecure:
  16716. description: |-
  16717. Insecure allows connecting to DVLS over plain HTTP.
  16718. This is NOT RECOMMENDED for production use.
  16719. Set to true only if you understand the security implications.
  16720. type: boolean
  16721. serverUrl:
  16722. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16723. type: string
  16724. vault:
  16725. description: |-
  16726. Vault is the name or UUID of the vault to fetch secrets from.
  16727. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16728. type: string
  16729. required:
  16730. - auth
  16731. - serverUrl
  16732. type: object
  16733. fake:
  16734. description: Fake configures a store with static key/value pairs
  16735. properties:
  16736. data:
  16737. items:
  16738. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16739. properties:
  16740. key:
  16741. type: string
  16742. value:
  16743. type: string
  16744. version:
  16745. type: string
  16746. required:
  16747. - key
  16748. - value
  16749. type: object
  16750. type: array
  16751. validationResult:
  16752. description: ValidationResult is defined type for the number of validation results.
  16753. type: integer
  16754. required:
  16755. - data
  16756. type: object
  16757. fortanix:
  16758. description: Fortanix configures this store to sync secrets using the Fortanix provider
  16759. properties:
  16760. apiKey:
  16761. description: APIKey is the API token to access SDKMS Applications.
  16762. properties:
  16763. secretRef:
  16764. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  16765. properties:
  16766. key:
  16767. description: |-
  16768. A key in the referenced Secret.
  16769. Some instances of this field may be defaulted, in others it may be required.
  16770. maxLength: 253
  16771. minLength: 1
  16772. pattern: ^[-._a-zA-Z0-9]+$
  16773. type: string
  16774. name:
  16775. description: The name of the Secret resource being referred to.
  16776. maxLength: 253
  16777. minLength: 1
  16778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16779. type: string
  16780. namespace:
  16781. description: |-
  16782. The namespace of the Secret resource being referred to.
  16783. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16784. maxLength: 63
  16785. minLength: 1
  16786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16787. type: string
  16788. type: object
  16789. type: object
  16790. apiUrl:
  16791. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  16792. type: string
  16793. type: object
  16794. gcpsm:
  16795. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  16796. properties:
  16797. auth:
  16798. description: Auth defines the information necessary to authenticate against GCP
  16799. properties:
  16800. secretRef:
  16801. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  16802. properties:
  16803. secretAccessKeySecretRef:
  16804. description: The SecretAccessKey is used for authentication
  16805. properties:
  16806. key:
  16807. description: |-
  16808. A key in the referenced Secret.
  16809. Some instances of this field may be defaulted, in others it may be required.
  16810. maxLength: 253
  16811. minLength: 1
  16812. pattern: ^[-._a-zA-Z0-9]+$
  16813. type: string
  16814. name:
  16815. description: The name of the Secret resource being referred to.
  16816. maxLength: 253
  16817. minLength: 1
  16818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16819. type: string
  16820. namespace:
  16821. description: |-
  16822. The namespace of the Secret resource being referred to.
  16823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16824. maxLength: 63
  16825. minLength: 1
  16826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16827. type: string
  16828. type: object
  16829. type: object
  16830. workloadIdentity:
  16831. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  16832. properties:
  16833. clusterLocation:
  16834. description: |-
  16835. ClusterLocation is the location of the cluster
  16836. If not specified, it fetches information from the metadata server
  16837. type: string
  16838. clusterName:
  16839. description: |-
  16840. ClusterName is the name of the cluster
  16841. If not specified, it fetches information from the metadata server
  16842. type: string
  16843. clusterProjectID:
  16844. description: |-
  16845. ClusterProjectID is the project ID of the cluster
  16846. If not specified, it fetches information from the metadata server
  16847. type: string
  16848. serviceAccountRef:
  16849. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  16850. properties:
  16851. audiences:
  16852. description: |-
  16853. Audience specifies the `aud` claim for the service account token
  16854. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16855. then this audiences will be appended to the list
  16856. items:
  16857. type: string
  16858. type: array
  16859. name:
  16860. description: The name of the ServiceAccount resource being referred to.
  16861. maxLength: 253
  16862. minLength: 1
  16863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16864. type: string
  16865. namespace:
  16866. description: |-
  16867. Namespace of the resource being referred to.
  16868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16869. maxLength: 63
  16870. minLength: 1
  16871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16872. type: string
  16873. required:
  16874. - name
  16875. type: object
  16876. required:
  16877. - serviceAccountRef
  16878. type: object
  16879. workloadIdentityFederation:
  16880. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  16881. properties:
  16882. audience:
  16883. description: |-
  16884. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  16885. If specified, Audience found in the external account credential config will be overridden with the configured value.
  16886. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  16887. type: string
  16888. awsSecurityCredentials:
  16889. description: |-
  16890. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  16891. when using the AWS metadata server is not an option.
  16892. properties:
  16893. awsCredentialsSecretRef:
  16894. description: |-
  16895. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  16896. Secret should be created with below names for keys
  16897. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  16898. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  16899. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  16900. properties:
  16901. name:
  16902. description: name of the secret.
  16903. maxLength: 253
  16904. minLength: 1
  16905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16906. type: string
  16907. namespace:
  16908. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  16909. maxLength: 63
  16910. minLength: 1
  16911. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16912. type: string
  16913. required:
  16914. - name
  16915. type: object
  16916. region:
  16917. description: region is for configuring the AWS region to be used.
  16918. example: ap-south-1
  16919. maxLength: 50
  16920. minLength: 1
  16921. pattern: ^[a-z0-9-]+$
  16922. type: string
  16923. required:
  16924. - awsCredentialsSecretRef
  16925. - region
  16926. type: object
  16927. credConfig:
  16928. description: |-
  16929. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  16930. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  16931. serviceAccountRef must be used by providing operators service account details.
  16932. properties:
  16933. key:
  16934. description: key name holding the external account credential config.
  16935. maxLength: 253
  16936. minLength: 1
  16937. pattern: ^[-._a-zA-Z0-9]+$
  16938. type: string
  16939. name:
  16940. description: name of the configmap.
  16941. maxLength: 253
  16942. minLength: 1
  16943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16944. type: string
  16945. namespace:
  16946. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  16947. maxLength: 63
  16948. minLength: 1
  16949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16950. type: string
  16951. required:
  16952. - key
  16953. - name
  16954. type: object
  16955. externalTokenEndpoint:
  16956. description: |-
  16957. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  16958. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  16959. URL is having the expected value.
  16960. type: string
  16961. gcpServiceAccountEmail:
  16962. description: |-
  16963. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  16964. after Workload Identity Federation. Use this to grant access through the service account's
  16965. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  16966. service_account_impersonation_url in the external account JSON from credConfig;
  16967. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  16968. on that ServiceAccount.
  16969. example: my-gsa@my-project.iam.gserviceaccount.com
  16970. minLength: 1
  16971. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  16972. type: string
  16973. serviceAccountRef:
  16974. description: |-
  16975. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  16976. when Kubernetes is configured as provider in workload identity pool.
  16977. properties:
  16978. audiences:
  16979. description: |-
  16980. Audience specifies the `aud` claim for the service account token
  16981. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16982. then this audiences will be appended to the list
  16983. items:
  16984. type: string
  16985. type: array
  16986. name:
  16987. description: The name of the ServiceAccount resource being referred to.
  16988. maxLength: 253
  16989. minLength: 1
  16990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16991. type: string
  16992. namespace:
  16993. description: |-
  16994. Namespace of the resource being referred to.
  16995. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16996. maxLength: 63
  16997. minLength: 1
  16998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16999. type: string
  17000. required:
  17001. - name
  17002. type: object
  17003. type: object
  17004. type: object
  17005. location:
  17006. description: Location optionally defines a location for a secret
  17007. type: string
  17008. projectID:
  17009. description: ProjectID project where secret is located
  17010. type: string
  17011. secretVersionSelectionPolicy:
  17012. default: LatestOrFail
  17013. description: |-
  17014. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  17015. when "latest" is disabled or destroyed.
  17016. Possible values are:
  17017. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  17018. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  17019. type: string
  17020. type: object
  17021. github:
  17022. description: |-
  17023. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  17024. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  17025. properties:
  17026. appID:
  17027. description: appID specifies the Github APP that will be used to authenticate the client
  17028. format: int64
  17029. type: integer
  17030. auth:
  17031. description: auth configures how secret-manager authenticates with a Github instance.
  17032. properties:
  17033. privateKey:
  17034. description: |-
  17035. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17036. In some instances, `key` is a required field.
  17037. properties:
  17038. key:
  17039. description: |-
  17040. A key in the referenced Secret.
  17041. Some instances of this field may be defaulted, in others it may be required.
  17042. maxLength: 253
  17043. minLength: 1
  17044. pattern: ^[-._a-zA-Z0-9]+$
  17045. type: string
  17046. name:
  17047. description: The name of the Secret resource being referred to.
  17048. maxLength: 253
  17049. minLength: 1
  17050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17051. type: string
  17052. namespace:
  17053. description: |-
  17054. The namespace of the Secret resource being referred to.
  17055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17056. maxLength: 63
  17057. minLength: 1
  17058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17059. type: string
  17060. type: object
  17061. required:
  17062. - privateKey
  17063. type: object
  17064. environment:
  17065. description: environment will be used to fetch secrets from a particular environment within a github repository
  17066. type: string
  17067. installationID:
  17068. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17069. format: int64
  17070. type: integer
  17071. orgSecretVisibility:
  17072. description: |-
  17073. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  17074. Valid values are "all" or "private".
  17075. When unset, new secrets are created with visibility "all" and existing secrets preserve
  17076. whatever visibility they already have in GitHub.
  17077. enum:
  17078. - all
  17079. - private
  17080. type: string
  17081. organization:
  17082. description: organization will be used to fetch secrets from the Github organization
  17083. type: string
  17084. repository:
  17085. description: repository will be used to fetch secrets from the Github repository within an organization
  17086. type: string
  17087. uploadURL:
  17088. description: Upload URL for enterprise instances. Default to URL.
  17089. type: string
  17090. url:
  17091. default: https://github.com/
  17092. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17093. type: string
  17094. required:
  17095. - appID
  17096. - auth
  17097. - installationID
  17098. - organization
  17099. type: object
  17100. gitlab:
  17101. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17102. properties:
  17103. auth:
  17104. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17105. properties:
  17106. SecretRef:
  17107. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17108. properties:
  17109. accessToken:
  17110. description: AccessToken is used for authentication.
  17111. properties:
  17112. key:
  17113. description: |-
  17114. A key in the referenced Secret.
  17115. Some instances of this field may be defaulted, in others it may be required.
  17116. maxLength: 253
  17117. minLength: 1
  17118. pattern: ^[-._a-zA-Z0-9]+$
  17119. type: string
  17120. name:
  17121. description: The name of the Secret resource being referred to.
  17122. maxLength: 253
  17123. minLength: 1
  17124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17125. type: string
  17126. namespace:
  17127. description: |-
  17128. The namespace of the Secret resource being referred to.
  17129. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17130. maxLength: 63
  17131. minLength: 1
  17132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17133. type: string
  17134. type: object
  17135. type: object
  17136. required:
  17137. - SecretRef
  17138. type: object
  17139. caBundle:
  17140. description: |-
  17141. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17142. can be performed.
  17143. format: byte
  17144. type: string
  17145. caProvider:
  17146. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17147. properties:
  17148. key:
  17149. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17150. maxLength: 253
  17151. minLength: 1
  17152. pattern: ^[-._a-zA-Z0-9]+$
  17153. type: string
  17154. name:
  17155. description: The name of the object located at the provider type.
  17156. maxLength: 253
  17157. minLength: 1
  17158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17159. type: string
  17160. namespace:
  17161. description: |-
  17162. The namespace the Provider type is in.
  17163. Can only be defined when used in a ClusterSecretStore.
  17164. maxLength: 63
  17165. minLength: 1
  17166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17167. type: string
  17168. type:
  17169. description: The type of provider to use such as "Secret", or "ConfigMap".
  17170. enum:
  17171. - Secret
  17172. - ConfigMap
  17173. type: string
  17174. required:
  17175. - name
  17176. - type
  17177. type: object
  17178. environment:
  17179. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  17180. type: string
  17181. groupIDs:
  17182. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  17183. items:
  17184. type: string
  17185. type: array
  17186. inheritFromGroups:
  17187. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17188. type: boolean
  17189. projectID:
  17190. description: ProjectID specifies a project where secrets are located.
  17191. type: string
  17192. url:
  17193. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17194. type: string
  17195. required:
  17196. - auth
  17197. type: object
  17198. ibm:
  17199. description: IBM configures this store to sync secrets using IBM Cloud provider
  17200. properties:
  17201. auth:
  17202. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17203. maxProperties: 1
  17204. minProperties: 1
  17205. properties:
  17206. containerAuth:
  17207. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17208. properties:
  17209. iamEndpoint:
  17210. type: string
  17211. profile:
  17212. description: the IBM Trusted Profile
  17213. type: string
  17214. tokenLocation:
  17215. description: Location the token is mounted on the pod
  17216. type: string
  17217. required:
  17218. - profile
  17219. type: object
  17220. secretRef:
  17221. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17222. properties:
  17223. iamEndpoint:
  17224. description: The IAM endpoint used to obain a token
  17225. type: string
  17226. secretApiKeySecretRef:
  17227. description: The SecretAccessKey is used for authentication
  17228. properties:
  17229. key:
  17230. description: |-
  17231. A key in the referenced Secret.
  17232. Some instances of this field may be defaulted, in others it may be required.
  17233. maxLength: 253
  17234. minLength: 1
  17235. pattern: ^[-._a-zA-Z0-9]+$
  17236. type: string
  17237. name:
  17238. description: The name of the Secret resource being referred to.
  17239. maxLength: 253
  17240. minLength: 1
  17241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17242. type: string
  17243. namespace:
  17244. description: |-
  17245. The namespace of the Secret resource being referred to.
  17246. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17247. maxLength: 63
  17248. minLength: 1
  17249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17250. type: string
  17251. type: object
  17252. type: object
  17253. type: object
  17254. serviceUrl:
  17255. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17256. type: string
  17257. required:
  17258. - auth
  17259. type: object
  17260. infisical:
  17261. description: Infisical configures this store to sync secrets using the Infisical provider
  17262. properties:
  17263. auth:
  17264. description: Auth configures how the Operator authenticates with the Infisical API
  17265. properties:
  17266. awsAuthCredentials:
  17267. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17268. properties:
  17269. identityId:
  17270. description: |-
  17271. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17272. In some instances, `key` is a required field.
  17273. properties:
  17274. key:
  17275. description: |-
  17276. A key in the referenced Secret.
  17277. Some instances of this field may be defaulted, in others it may be required.
  17278. maxLength: 253
  17279. minLength: 1
  17280. pattern: ^[-._a-zA-Z0-9]+$
  17281. type: string
  17282. name:
  17283. description: The name of the Secret resource being referred to.
  17284. maxLength: 253
  17285. minLength: 1
  17286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17287. type: string
  17288. namespace:
  17289. description: |-
  17290. The namespace of the Secret resource being referred to.
  17291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17292. maxLength: 63
  17293. minLength: 1
  17294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17295. type: string
  17296. type: object
  17297. required:
  17298. - identityId
  17299. type: object
  17300. azureAuthCredentials:
  17301. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17302. properties:
  17303. identityId:
  17304. description: |-
  17305. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17306. In some instances, `key` is a required field.
  17307. properties:
  17308. key:
  17309. description: |-
  17310. A key in the referenced Secret.
  17311. Some instances of this field may be defaulted, in others it may be required.
  17312. maxLength: 253
  17313. minLength: 1
  17314. pattern: ^[-._a-zA-Z0-9]+$
  17315. type: string
  17316. name:
  17317. description: The name of the Secret resource being referred to.
  17318. maxLength: 253
  17319. minLength: 1
  17320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17321. type: string
  17322. namespace:
  17323. description: |-
  17324. The namespace of the Secret resource being referred to.
  17325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17326. maxLength: 63
  17327. minLength: 1
  17328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17329. type: string
  17330. type: object
  17331. resource:
  17332. description: |-
  17333. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17334. In some instances, `key` is a required field.
  17335. properties:
  17336. key:
  17337. description: |-
  17338. A key in the referenced Secret.
  17339. Some instances of this field may be defaulted, in others it may be required.
  17340. maxLength: 253
  17341. minLength: 1
  17342. pattern: ^[-._a-zA-Z0-9]+$
  17343. type: string
  17344. name:
  17345. description: The name of the Secret resource being referred to.
  17346. maxLength: 253
  17347. minLength: 1
  17348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17349. type: string
  17350. namespace:
  17351. description: |-
  17352. The namespace of the Secret resource being referred to.
  17353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17354. maxLength: 63
  17355. minLength: 1
  17356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17357. type: string
  17358. type: object
  17359. required:
  17360. - identityId
  17361. type: object
  17362. gcpIamAuthCredentials:
  17363. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17364. properties:
  17365. identityId:
  17366. description: |-
  17367. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17368. In some instances, `key` is a required field.
  17369. properties:
  17370. key:
  17371. description: |-
  17372. A key in the referenced Secret.
  17373. Some instances of this field may be defaulted, in others it may be required.
  17374. maxLength: 253
  17375. minLength: 1
  17376. pattern: ^[-._a-zA-Z0-9]+$
  17377. type: string
  17378. name:
  17379. description: The name of the Secret resource being referred to.
  17380. maxLength: 253
  17381. minLength: 1
  17382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17383. type: string
  17384. namespace:
  17385. description: |-
  17386. The namespace of the Secret resource being referred to.
  17387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17388. maxLength: 63
  17389. minLength: 1
  17390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17391. type: string
  17392. type: object
  17393. serviceAccountKeyFilePath:
  17394. description: |-
  17395. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17396. In some instances, `key` is a required field.
  17397. properties:
  17398. key:
  17399. description: |-
  17400. A key in the referenced Secret.
  17401. Some instances of this field may be defaulted, in others it may be required.
  17402. maxLength: 253
  17403. minLength: 1
  17404. pattern: ^[-._a-zA-Z0-9]+$
  17405. type: string
  17406. name:
  17407. description: The name of the Secret resource being referred to.
  17408. maxLength: 253
  17409. minLength: 1
  17410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17411. type: string
  17412. namespace:
  17413. description: |-
  17414. The namespace of the Secret resource being referred to.
  17415. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17416. maxLength: 63
  17417. minLength: 1
  17418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17419. type: string
  17420. type: object
  17421. required:
  17422. - identityId
  17423. - serviceAccountKeyFilePath
  17424. type: object
  17425. gcpIdTokenAuthCredentials:
  17426. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17427. properties:
  17428. identityId:
  17429. description: |-
  17430. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17431. In some instances, `key` is a required field.
  17432. properties:
  17433. key:
  17434. description: |-
  17435. A key in the referenced Secret.
  17436. Some instances of this field may be defaulted, in others it may be required.
  17437. maxLength: 253
  17438. minLength: 1
  17439. pattern: ^[-._a-zA-Z0-9]+$
  17440. type: string
  17441. name:
  17442. description: The name of the Secret resource being referred to.
  17443. maxLength: 253
  17444. minLength: 1
  17445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17446. type: string
  17447. namespace:
  17448. description: |-
  17449. The namespace of the Secret resource being referred to.
  17450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17451. maxLength: 63
  17452. minLength: 1
  17453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17454. type: string
  17455. type: object
  17456. required:
  17457. - identityId
  17458. type: object
  17459. jwtAuthCredentials:
  17460. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17461. properties:
  17462. identityId:
  17463. description: |-
  17464. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17465. In some instances, `key` is a required field.
  17466. properties:
  17467. key:
  17468. description: |-
  17469. A key in the referenced Secret.
  17470. Some instances of this field may be defaulted, in others it may be required.
  17471. maxLength: 253
  17472. minLength: 1
  17473. pattern: ^[-._a-zA-Z0-9]+$
  17474. type: string
  17475. name:
  17476. description: The name of the Secret resource being referred to.
  17477. maxLength: 253
  17478. minLength: 1
  17479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17480. type: string
  17481. namespace:
  17482. description: |-
  17483. The namespace of the Secret resource being referred to.
  17484. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17485. maxLength: 63
  17486. minLength: 1
  17487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17488. type: string
  17489. type: object
  17490. jwt:
  17491. description: |-
  17492. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17493. In some instances, `key` is a required field.
  17494. properties:
  17495. key:
  17496. description: |-
  17497. A key in the referenced Secret.
  17498. Some instances of this field may be defaulted, in others it may be required.
  17499. maxLength: 253
  17500. minLength: 1
  17501. pattern: ^[-._a-zA-Z0-9]+$
  17502. type: string
  17503. name:
  17504. description: The name of the Secret resource being referred to.
  17505. maxLength: 253
  17506. minLength: 1
  17507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17508. type: string
  17509. namespace:
  17510. description: |-
  17511. The namespace of the Secret resource being referred to.
  17512. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17513. maxLength: 63
  17514. minLength: 1
  17515. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17516. type: string
  17517. type: object
  17518. required:
  17519. - identityId
  17520. - jwt
  17521. type: object
  17522. kubernetesAuthCredentials:
  17523. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17524. properties:
  17525. identityId:
  17526. description: |-
  17527. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17528. In some instances, `key` is a required field.
  17529. properties:
  17530. key:
  17531. description: |-
  17532. A key in the referenced Secret.
  17533. Some instances of this field may be defaulted, in others it may be required.
  17534. maxLength: 253
  17535. minLength: 1
  17536. pattern: ^[-._a-zA-Z0-9]+$
  17537. type: string
  17538. name:
  17539. description: The name of the Secret resource being referred to.
  17540. maxLength: 253
  17541. minLength: 1
  17542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17543. type: string
  17544. namespace:
  17545. description: |-
  17546. The namespace of the Secret resource being referred to.
  17547. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17548. maxLength: 63
  17549. minLength: 1
  17550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17551. type: string
  17552. type: object
  17553. serviceAccountTokenPath:
  17554. description: |-
  17555. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17556. In some instances, `key` is a required field.
  17557. properties:
  17558. key:
  17559. description: |-
  17560. A key in the referenced Secret.
  17561. Some instances of this field may be defaulted, in others it may be required.
  17562. maxLength: 253
  17563. minLength: 1
  17564. pattern: ^[-._a-zA-Z0-9]+$
  17565. type: string
  17566. name:
  17567. description: The name of the Secret resource being referred to.
  17568. maxLength: 253
  17569. minLength: 1
  17570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17571. type: string
  17572. namespace:
  17573. description: |-
  17574. The namespace of the Secret resource being referred to.
  17575. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17576. maxLength: 63
  17577. minLength: 1
  17578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17579. type: string
  17580. type: object
  17581. required:
  17582. - identityId
  17583. type: object
  17584. ldapAuthCredentials:
  17585. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17586. properties:
  17587. identityId:
  17588. description: |-
  17589. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17590. In some instances, `key` is a required field.
  17591. properties:
  17592. key:
  17593. description: |-
  17594. A key in the referenced Secret.
  17595. Some instances of this field may be defaulted, in others it may be required.
  17596. maxLength: 253
  17597. minLength: 1
  17598. pattern: ^[-._a-zA-Z0-9]+$
  17599. type: string
  17600. name:
  17601. description: The name of the Secret resource being referred to.
  17602. maxLength: 253
  17603. minLength: 1
  17604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17605. type: string
  17606. namespace:
  17607. description: |-
  17608. The namespace of the Secret resource being referred to.
  17609. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17610. maxLength: 63
  17611. minLength: 1
  17612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17613. type: string
  17614. type: object
  17615. ldapPassword:
  17616. description: |-
  17617. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17618. In some instances, `key` is a required field.
  17619. properties:
  17620. key:
  17621. description: |-
  17622. A key in the referenced Secret.
  17623. Some instances of this field may be defaulted, in others it may be required.
  17624. maxLength: 253
  17625. minLength: 1
  17626. pattern: ^[-._a-zA-Z0-9]+$
  17627. type: string
  17628. name:
  17629. description: The name of the Secret resource being referred to.
  17630. maxLength: 253
  17631. minLength: 1
  17632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17633. type: string
  17634. namespace:
  17635. description: |-
  17636. The namespace of the Secret resource being referred to.
  17637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17638. maxLength: 63
  17639. minLength: 1
  17640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17641. type: string
  17642. type: object
  17643. ldapUsername:
  17644. description: |-
  17645. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17646. In some instances, `key` is a required field.
  17647. properties:
  17648. key:
  17649. description: |-
  17650. A key in the referenced Secret.
  17651. Some instances of this field may be defaulted, in others it may be required.
  17652. maxLength: 253
  17653. minLength: 1
  17654. pattern: ^[-._a-zA-Z0-9]+$
  17655. type: string
  17656. name:
  17657. description: The name of the Secret resource being referred to.
  17658. maxLength: 253
  17659. minLength: 1
  17660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17661. type: string
  17662. namespace:
  17663. description: |-
  17664. The namespace of the Secret resource being referred to.
  17665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17666. maxLength: 63
  17667. minLength: 1
  17668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17669. type: string
  17670. type: object
  17671. required:
  17672. - identityId
  17673. - ldapPassword
  17674. - ldapUsername
  17675. type: object
  17676. ociAuthCredentials:
  17677. description: OciAuthCredentials represents the credentials for OCI authentication.
  17678. properties:
  17679. fingerprint:
  17680. description: |-
  17681. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17682. In some instances, `key` is a required field.
  17683. properties:
  17684. key:
  17685. description: |-
  17686. A key in the referenced Secret.
  17687. Some instances of this field may be defaulted, in others it may be required.
  17688. maxLength: 253
  17689. minLength: 1
  17690. pattern: ^[-._a-zA-Z0-9]+$
  17691. type: string
  17692. name:
  17693. description: The name of the Secret resource being referred to.
  17694. maxLength: 253
  17695. minLength: 1
  17696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17697. type: string
  17698. namespace:
  17699. description: |-
  17700. The namespace of the Secret resource being referred to.
  17701. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17702. maxLength: 63
  17703. minLength: 1
  17704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17705. type: string
  17706. type: object
  17707. identityId:
  17708. description: |-
  17709. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17710. In some instances, `key` is a required field.
  17711. properties:
  17712. key:
  17713. description: |-
  17714. A key in the referenced Secret.
  17715. Some instances of this field may be defaulted, in others it may be required.
  17716. maxLength: 253
  17717. minLength: 1
  17718. pattern: ^[-._a-zA-Z0-9]+$
  17719. type: string
  17720. name:
  17721. description: The name of the Secret resource being referred to.
  17722. maxLength: 253
  17723. minLength: 1
  17724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17725. type: string
  17726. namespace:
  17727. description: |-
  17728. The namespace of the Secret resource being referred to.
  17729. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17730. maxLength: 63
  17731. minLength: 1
  17732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17733. type: string
  17734. type: object
  17735. privateKey:
  17736. description: |-
  17737. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17738. In some instances, `key` is a required field.
  17739. properties:
  17740. key:
  17741. description: |-
  17742. A key in the referenced Secret.
  17743. Some instances of this field may be defaulted, in others it may be required.
  17744. maxLength: 253
  17745. minLength: 1
  17746. pattern: ^[-._a-zA-Z0-9]+$
  17747. type: string
  17748. name:
  17749. description: The name of the Secret resource being referred to.
  17750. maxLength: 253
  17751. minLength: 1
  17752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17753. type: string
  17754. namespace:
  17755. description: |-
  17756. The namespace of the Secret resource being referred to.
  17757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17758. maxLength: 63
  17759. minLength: 1
  17760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17761. type: string
  17762. type: object
  17763. privateKeyPassphrase:
  17764. description: |-
  17765. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17766. In some instances, `key` is a required field.
  17767. properties:
  17768. key:
  17769. description: |-
  17770. A key in the referenced Secret.
  17771. Some instances of this field may be defaulted, in others it may be required.
  17772. maxLength: 253
  17773. minLength: 1
  17774. pattern: ^[-._a-zA-Z0-9]+$
  17775. type: string
  17776. name:
  17777. description: The name of the Secret resource being referred to.
  17778. maxLength: 253
  17779. minLength: 1
  17780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17781. type: string
  17782. namespace:
  17783. description: |-
  17784. The namespace of the Secret resource being referred to.
  17785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17786. maxLength: 63
  17787. minLength: 1
  17788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17789. type: string
  17790. type: object
  17791. region:
  17792. description: |-
  17793. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17794. In some instances, `key` is a required field.
  17795. properties:
  17796. key:
  17797. description: |-
  17798. A key in the referenced Secret.
  17799. Some instances of this field may be defaulted, in others it may be required.
  17800. maxLength: 253
  17801. minLength: 1
  17802. pattern: ^[-._a-zA-Z0-9]+$
  17803. type: string
  17804. name:
  17805. description: The name of the Secret resource being referred to.
  17806. maxLength: 253
  17807. minLength: 1
  17808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17809. type: string
  17810. namespace:
  17811. description: |-
  17812. The namespace of the Secret resource being referred to.
  17813. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17814. maxLength: 63
  17815. minLength: 1
  17816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17817. type: string
  17818. type: object
  17819. tenancyId:
  17820. description: |-
  17821. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17822. In some instances, `key` is a required field.
  17823. properties:
  17824. key:
  17825. description: |-
  17826. A key in the referenced Secret.
  17827. Some instances of this field may be defaulted, in others it may be required.
  17828. maxLength: 253
  17829. minLength: 1
  17830. pattern: ^[-._a-zA-Z0-9]+$
  17831. type: string
  17832. name:
  17833. description: The name of the Secret resource being referred to.
  17834. maxLength: 253
  17835. minLength: 1
  17836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17837. type: string
  17838. namespace:
  17839. description: |-
  17840. The namespace of the Secret resource being referred to.
  17841. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17842. maxLength: 63
  17843. minLength: 1
  17844. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17845. type: string
  17846. type: object
  17847. userId:
  17848. description: |-
  17849. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17850. In some instances, `key` is a required field.
  17851. properties:
  17852. key:
  17853. description: |-
  17854. A key in the referenced Secret.
  17855. Some instances of this field may be defaulted, in others it may be required.
  17856. maxLength: 253
  17857. minLength: 1
  17858. pattern: ^[-._a-zA-Z0-9]+$
  17859. type: string
  17860. name:
  17861. description: The name of the Secret resource being referred to.
  17862. maxLength: 253
  17863. minLength: 1
  17864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17865. type: string
  17866. namespace:
  17867. description: |-
  17868. The namespace of the Secret resource being referred to.
  17869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17870. maxLength: 63
  17871. minLength: 1
  17872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17873. type: string
  17874. type: object
  17875. required:
  17876. - fingerprint
  17877. - identityId
  17878. - privateKey
  17879. - region
  17880. - tenancyId
  17881. - userId
  17882. type: object
  17883. tokenAuthCredentials:
  17884. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  17885. properties:
  17886. accessToken:
  17887. description: |-
  17888. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17889. In some instances, `key` is a required field.
  17890. properties:
  17891. key:
  17892. description: |-
  17893. A key in the referenced Secret.
  17894. Some instances of this field may be defaulted, in others it may be required.
  17895. maxLength: 253
  17896. minLength: 1
  17897. pattern: ^[-._a-zA-Z0-9]+$
  17898. type: string
  17899. name:
  17900. description: The name of the Secret resource being referred to.
  17901. maxLength: 253
  17902. minLength: 1
  17903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17904. type: string
  17905. namespace:
  17906. description: |-
  17907. The namespace of the Secret resource being referred to.
  17908. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17909. maxLength: 63
  17910. minLength: 1
  17911. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17912. type: string
  17913. type: object
  17914. required:
  17915. - accessToken
  17916. type: object
  17917. universalAuthCredentials:
  17918. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  17919. properties:
  17920. clientId:
  17921. description: |-
  17922. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17923. In some instances, `key` is a required field.
  17924. properties:
  17925. key:
  17926. description: |-
  17927. A key in the referenced Secret.
  17928. Some instances of this field may be defaulted, in others it may be required.
  17929. maxLength: 253
  17930. minLength: 1
  17931. pattern: ^[-._a-zA-Z0-9]+$
  17932. type: string
  17933. name:
  17934. description: The name of the Secret resource being referred to.
  17935. maxLength: 253
  17936. minLength: 1
  17937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17938. type: string
  17939. namespace:
  17940. description: |-
  17941. The namespace of the Secret resource being referred to.
  17942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17943. maxLength: 63
  17944. minLength: 1
  17945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17946. type: string
  17947. type: object
  17948. clientSecret:
  17949. description: |-
  17950. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17951. In some instances, `key` is a required field.
  17952. properties:
  17953. key:
  17954. description: |-
  17955. A key in the referenced Secret.
  17956. Some instances of this field may be defaulted, in others it may be required.
  17957. maxLength: 253
  17958. minLength: 1
  17959. pattern: ^[-._a-zA-Z0-9]+$
  17960. type: string
  17961. name:
  17962. description: The name of the Secret resource being referred to.
  17963. maxLength: 253
  17964. minLength: 1
  17965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17966. type: string
  17967. namespace:
  17968. description: |-
  17969. The namespace of the Secret resource being referred to.
  17970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17971. maxLength: 63
  17972. minLength: 1
  17973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17974. type: string
  17975. type: object
  17976. required:
  17977. - clientId
  17978. - clientSecret
  17979. type: object
  17980. type: object
  17981. caBundle:
  17982. description: |-
  17983. CABundle is a PEM-encoded CA certificate bundle used to validate
  17984. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  17985. format: byte
  17986. type: string
  17987. caProvider:
  17988. description: |-
  17989. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  17990. The certificate is used to validate the Infisical server's TLS certificate.
  17991. Mutually exclusive with CABundle.
  17992. properties:
  17993. key:
  17994. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17995. maxLength: 253
  17996. minLength: 1
  17997. pattern: ^[-._a-zA-Z0-9]+$
  17998. type: string
  17999. name:
  18000. description: The name of the object located at the provider type.
  18001. maxLength: 253
  18002. minLength: 1
  18003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18004. type: string
  18005. namespace:
  18006. description: |-
  18007. The namespace the Provider type is in.
  18008. Can only be defined when used in a ClusterSecretStore.
  18009. maxLength: 63
  18010. minLength: 1
  18011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18012. type: string
  18013. type:
  18014. description: The type of provider to use such as "Secret", or "ConfigMap".
  18015. enum:
  18016. - Secret
  18017. - ConfigMap
  18018. type: string
  18019. required:
  18020. - name
  18021. - type
  18022. type: object
  18023. hostAPI:
  18024. default: https://app.infisical.com/api
  18025. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  18026. type: string
  18027. secretsScope:
  18028. description: SecretsScope defines the scope of the secrets within the workspace
  18029. properties:
  18030. environmentSlug:
  18031. description: EnvironmentSlug is the required slug identifier for the environment.
  18032. type: string
  18033. expandSecretReferences:
  18034. default: true
  18035. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  18036. type: boolean
  18037. organizationSlug:
  18038. description: |-
  18039. OrganizationSlug is the optional slug that identifies the organization that will be used
  18040. during authentication. Useful for sub-organization setups
  18041. type: string
  18042. projectSlug:
  18043. description: ProjectSlug is the required slug identifier for the project.
  18044. type: string
  18045. recursive:
  18046. default: false
  18047. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  18048. type: boolean
  18049. secretsPath:
  18050. default: /
  18051. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18052. type: string
  18053. required:
  18054. - environmentSlug
  18055. - projectSlug
  18056. type: object
  18057. required:
  18058. - auth
  18059. - secretsScope
  18060. type: object
  18061. keepersecurity:
  18062. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18063. properties:
  18064. authRef:
  18065. description: |-
  18066. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18067. In some instances, `key` is a required field.
  18068. properties:
  18069. key:
  18070. description: |-
  18071. A key in the referenced Secret.
  18072. Some instances of this field may be defaulted, in others it may be required.
  18073. maxLength: 253
  18074. minLength: 1
  18075. pattern: ^[-._a-zA-Z0-9]+$
  18076. type: string
  18077. name:
  18078. description: The name of the Secret resource being referred to.
  18079. maxLength: 253
  18080. minLength: 1
  18081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18082. type: string
  18083. namespace:
  18084. description: |-
  18085. The namespace of the Secret resource being referred to.
  18086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18087. maxLength: 63
  18088. minLength: 1
  18089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18090. type: string
  18091. type: object
  18092. folderID:
  18093. type: string
  18094. getByTitleFallback:
  18095. type: boolean
  18096. required:
  18097. - authRef
  18098. - folderID
  18099. type: object
  18100. kubernetes:
  18101. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18102. properties:
  18103. auth:
  18104. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18105. maxProperties: 1
  18106. minProperties: 1
  18107. properties:
  18108. cert:
  18109. description: has both clientCert and clientKey as secretKeySelector
  18110. properties:
  18111. clientCert:
  18112. description: |-
  18113. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18114. In some instances, `key` is a required field.
  18115. properties:
  18116. key:
  18117. description: |-
  18118. A key in the referenced Secret.
  18119. Some instances of this field may be defaulted, in others it may be required.
  18120. maxLength: 253
  18121. minLength: 1
  18122. pattern: ^[-._a-zA-Z0-9]+$
  18123. type: string
  18124. name:
  18125. description: The name of the Secret resource being referred to.
  18126. maxLength: 253
  18127. minLength: 1
  18128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18129. type: string
  18130. namespace:
  18131. description: |-
  18132. The namespace of the Secret resource being referred to.
  18133. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18134. maxLength: 63
  18135. minLength: 1
  18136. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18137. type: string
  18138. type: object
  18139. clientKey:
  18140. description: |-
  18141. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18142. In some instances, `key` is a required field.
  18143. properties:
  18144. key:
  18145. description: |-
  18146. A key in the referenced Secret.
  18147. Some instances of this field may be defaulted, in others it may be required.
  18148. maxLength: 253
  18149. minLength: 1
  18150. pattern: ^[-._a-zA-Z0-9]+$
  18151. type: string
  18152. name:
  18153. description: The name of the Secret resource being referred to.
  18154. maxLength: 253
  18155. minLength: 1
  18156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18157. type: string
  18158. namespace:
  18159. description: |-
  18160. The namespace of the Secret resource being referred to.
  18161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18162. maxLength: 63
  18163. minLength: 1
  18164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18165. type: string
  18166. type: object
  18167. type: object
  18168. serviceAccount:
  18169. description: points to a service account that should be used for authentication
  18170. properties:
  18171. audiences:
  18172. description: |-
  18173. Audience specifies the `aud` claim for the service account token
  18174. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18175. then this audiences will be appended to the list
  18176. items:
  18177. type: string
  18178. type: array
  18179. name:
  18180. description: The name of the ServiceAccount resource being referred to.
  18181. maxLength: 253
  18182. minLength: 1
  18183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18184. type: string
  18185. namespace:
  18186. description: |-
  18187. Namespace of the resource being referred to.
  18188. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18189. maxLength: 63
  18190. minLength: 1
  18191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18192. type: string
  18193. required:
  18194. - name
  18195. type: object
  18196. token:
  18197. description: use static token to authenticate with
  18198. properties:
  18199. bearerToken:
  18200. description: |-
  18201. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18202. In some instances, `key` is a required field.
  18203. properties:
  18204. key:
  18205. description: |-
  18206. A key in the referenced Secret.
  18207. Some instances of this field may be defaulted, in others it may be required.
  18208. maxLength: 253
  18209. minLength: 1
  18210. pattern: ^[-._a-zA-Z0-9]+$
  18211. type: string
  18212. name:
  18213. description: The name of the Secret resource being referred to.
  18214. maxLength: 253
  18215. minLength: 1
  18216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18217. type: string
  18218. namespace:
  18219. description: |-
  18220. The namespace of the Secret resource being referred to.
  18221. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18222. maxLength: 63
  18223. minLength: 1
  18224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18225. type: string
  18226. type: object
  18227. type: object
  18228. type: object
  18229. authRef:
  18230. description: A reference to a secret that contains the auth information.
  18231. properties:
  18232. key:
  18233. description: |-
  18234. A key in the referenced Secret.
  18235. Some instances of this field may be defaulted, in others it may be required.
  18236. maxLength: 253
  18237. minLength: 1
  18238. pattern: ^[-._a-zA-Z0-9]+$
  18239. type: string
  18240. name:
  18241. description: The name of the Secret resource being referred to.
  18242. maxLength: 253
  18243. minLength: 1
  18244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18245. type: string
  18246. namespace:
  18247. description: |-
  18248. The namespace of the Secret resource being referred to.
  18249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18250. maxLength: 63
  18251. minLength: 1
  18252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18253. type: string
  18254. type: object
  18255. remoteNamespace:
  18256. default: default
  18257. description: Remote namespace to fetch the secrets from
  18258. maxLength: 63
  18259. minLength: 1
  18260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18261. type: string
  18262. server:
  18263. description: configures the Kubernetes server Address.
  18264. properties:
  18265. caBundle:
  18266. description: CABundle is a base64-encoded CA certificate
  18267. format: byte
  18268. type: string
  18269. caProvider:
  18270. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18271. properties:
  18272. key:
  18273. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18274. maxLength: 253
  18275. minLength: 1
  18276. pattern: ^[-._a-zA-Z0-9]+$
  18277. type: string
  18278. name:
  18279. description: The name of the object located at the provider type.
  18280. maxLength: 253
  18281. minLength: 1
  18282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18283. type: string
  18284. namespace:
  18285. description: |-
  18286. The namespace the Provider type is in.
  18287. Can only be defined when used in a ClusterSecretStore.
  18288. maxLength: 63
  18289. minLength: 1
  18290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18291. type: string
  18292. type:
  18293. description: The type of provider to use such as "Secret", or "ConfigMap".
  18294. enum:
  18295. - Secret
  18296. - ConfigMap
  18297. type: string
  18298. required:
  18299. - name
  18300. - type
  18301. type: object
  18302. url:
  18303. default: kubernetes.default
  18304. description: configures the Kubernetes server Address.
  18305. type: string
  18306. type: object
  18307. type: object
  18308. nebiusmysterybox:
  18309. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  18310. properties:
  18311. apiDomain:
  18312. description: NebiusMysterybox API endpoint
  18313. type: string
  18314. auth:
  18315. description: Auth defines parameters to authenticate in MysteryBox
  18316. properties:
  18317. serviceAccountCredsSecretRef:
  18318. description: |-
  18319. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18320. document with service account credentials used to get an IAM token.
  18321. Expected JSON structure:
  18322. {
  18323. "subject-credentials": {
  18324. "alg": "RS256",
  18325. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18326. "kid": "<public-key-id>",
  18327. "iss": "<issuer-service-account-id>",
  18328. "sub": "<subject-service-account-id>"
  18329. }
  18330. }
  18331. properties:
  18332. key:
  18333. description: |-
  18334. A key in the referenced Secret.
  18335. Some instances of this field may be defaulted, in others it may be required.
  18336. maxLength: 253
  18337. minLength: 1
  18338. pattern: ^[-._a-zA-Z0-9]+$
  18339. type: string
  18340. name:
  18341. description: The name of the Secret resource being referred to.
  18342. maxLength: 253
  18343. minLength: 1
  18344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18345. type: string
  18346. namespace:
  18347. description: |-
  18348. The namespace of the Secret resource being referred to.
  18349. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18350. maxLength: 63
  18351. minLength: 1
  18352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18353. type: string
  18354. type: object
  18355. tokenSecretRef:
  18356. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18357. properties:
  18358. key:
  18359. description: |-
  18360. A key in the referenced Secret.
  18361. Some instances of this field may be defaulted, in others it may be required.
  18362. maxLength: 253
  18363. minLength: 1
  18364. pattern: ^[-._a-zA-Z0-9]+$
  18365. type: string
  18366. name:
  18367. description: The name of the Secret resource being referred to.
  18368. maxLength: 253
  18369. minLength: 1
  18370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18371. type: string
  18372. namespace:
  18373. description: |-
  18374. The namespace of the Secret resource being referred to.
  18375. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18376. maxLength: 63
  18377. minLength: 1
  18378. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18379. type: string
  18380. type: object
  18381. type: object
  18382. x-kubernetes-validations:
  18383. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18384. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18385. caProvider:
  18386. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18387. properties:
  18388. certSecretRef:
  18389. description: |-
  18390. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18391. In some instances, `key` is a required field.
  18392. properties:
  18393. key:
  18394. description: |-
  18395. A key in the referenced Secret.
  18396. Some instances of this field may be defaulted, in others it may be required.
  18397. maxLength: 253
  18398. minLength: 1
  18399. pattern: ^[-._a-zA-Z0-9]+$
  18400. type: string
  18401. name:
  18402. description: The name of the Secret resource being referred to.
  18403. maxLength: 253
  18404. minLength: 1
  18405. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18406. type: string
  18407. namespace:
  18408. description: |-
  18409. The namespace of the Secret resource being referred to.
  18410. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18411. maxLength: 63
  18412. minLength: 1
  18413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18414. type: string
  18415. type: object
  18416. type: object
  18417. required:
  18418. - apiDomain
  18419. - auth
  18420. type: object
  18421. ngrok:
  18422. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18423. properties:
  18424. apiUrl:
  18425. default: https://api.ngrok.com
  18426. description: APIURL is the URL of the ngrok API.
  18427. type: string
  18428. auth:
  18429. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18430. maxProperties: 1
  18431. minProperties: 1
  18432. properties:
  18433. apiKey:
  18434. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18435. properties:
  18436. secretRef:
  18437. description: SecretRef is a reference to a secret containing the ngrok API key.
  18438. properties:
  18439. key:
  18440. description: |-
  18441. A key in the referenced Secret.
  18442. Some instances of this field may be defaulted, in others it may be required.
  18443. maxLength: 253
  18444. minLength: 1
  18445. pattern: ^[-._a-zA-Z0-9]+$
  18446. type: string
  18447. name:
  18448. description: The name of the Secret resource being referred to.
  18449. maxLength: 253
  18450. minLength: 1
  18451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18452. type: string
  18453. namespace:
  18454. description: |-
  18455. The namespace of the Secret resource being referred to.
  18456. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18457. maxLength: 63
  18458. minLength: 1
  18459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18460. type: string
  18461. type: object
  18462. type: object
  18463. type: object
  18464. vault:
  18465. description: Vault configures the ngrok vault to sync secrets with.
  18466. properties:
  18467. name:
  18468. description: Name is the name of the ngrok vault to sync secrets with.
  18469. type: string
  18470. required:
  18471. - name
  18472. type: object
  18473. required:
  18474. - auth
  18475. - vault
  18476. type: object
  18477. onboardbase:
  18478. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18479. properties:
  18480. apiHost:
  18481. default: https://public.onboardbase.com/api/v1/
  18482. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18483. type: string
  18484. auth:
  18485. description: Auth configures how the Operator authenticates with the Onboardbase API
  18486. properties:
  18487. apiKeyRef:
  18488. description: |-
  18489. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18490. It is used to recognize and authorize access to a project and environment within onboardbase
  18491. properties:
  18492. key:
  18493. description: |-
  18494. A key in the referenced Secret.
  18495. Some instances of this field may be defaulted, in others it may be required.
  18496. maxLength: 253
  18497. minLength: 1
  18498. pattern: ^[-._a-zA-Z0-9]+$
  18499. type: string
  18500. name:
  18501. description: The name of the Secret resource being referred to.
  18502. maxLength: 253
  18503. minLength: 1
  18504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18505. type: string
  18506. namespace:
  18507. description: |-
  18508. The namespace of the Secret resource being referred to.
  18509. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18510. maxLength: 63
  18511. minLength: 1
  18512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18513. type: string
  18514. type: object
  18515. passcodeRef:
  18516. description: OnboardbasePasscode is the passcode attached to the API Key
  18517. properties:
  18518. key:
  18519. description: |-
  18520. A key in the referenced Secret.
  18521. Some instances of this field may be defaulted, in others it may be required.
  18522. maxLength: 253
  18523. minLength: 1
  18524. pattern: ^[-._a-zA-Z0-9]+$
  18525. type: string
  18526. name:
  18527. description: The name of the Secret resource being referred to.
  18528. maxLength: 253
  18529. minLength: 1
  18530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18531. type: string
  18532. namespace:
  18533. description: |-
  18534. The namespace of the Secret resource being referred to.
  18535. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18536. maxLength: 63
  18537. minLength: 1
  18538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18539. type: string
  18540. type: object
  18541. required:
  18542. - apiKeyRef
  18543. - passcodeRef
  18544. type: object
  18545. environment:
  18546. default: development
  18547. description: Environment is the name of an environmnent within a project to pull the secrets from
  18548. type: string
  18549. project:
  18550. default: development
  18551. description: Project is an onboardbase project that the secrets should be pulled from
  18552. type: string
  18553. required:
  18554. - apiHost
  18555. - auth
  18556. - environment
  18557. - project
  18558. type: object
  18559. onepassword:
  18560. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18561. properties:
  18562. auth:
  18563. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18564. properties:
  18565. secretRef:
  18566. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18567. properties:
  18568. connectTokenSecretRef:
  18569. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18570. properties:
  18571. key:
  18572. description: |-
  18573. A key in the referenced Secret.
  18574. Some instances of this field may be defaulted, in others it may be required.
  18575. maxLength: 253
  18576. minLength: 1
  18577. pattern: ^[-._a-zA-Z0-9]+$
  18578. type: string
  18579. name:
  18580. description: The name of the Secret resource being referred to.
  18581. maxLength: 253
  18582. minLength: 1
  18583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18584. type: string
  18585. namespace:
  18586. description: |-
  18587. The namespace of the Secret resource being referred to.
  18588. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18589. maxLength: 63
  18590. minLength: 1
  18591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18592. type: string
  18593. type: object
  18594. required:
  18595. - connectTokenSecretRef
  18596. type: object
  18597. required:
  18598. - secretRef
  18599. type: object
  18600. connectHost:
  18601. description: ConnectHost defines the OnePassword Connect Server to connect to
  18602. type: string
  18603. vaults:
  18604. additionalProperties:
  18605. type: integer
  18606. description: Vaults defines which OnePassword vaults to search in which order
  18607. type: object
  18608. required:
  18609. - auth
  18610. - connectHost
  18611. - vaults
  18612. type: object
  18613. onepasswordSDK:
  18614. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18615. properties:
  18616. auth:
  18617. description: Auth defines the information necessary to authenticate against OnePassword API.
  18618. properties:
  18619. serviceAccountSecretRef:
  18620. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18621. properties:
  18622. key:
  18623. description: |-
  18624. A key in the referenced Secret.
  18625. Some instances of this field may be defaulted, in others it may be required.
  18626. maxLength: 253
  18627. minLength: 1
  18628. pattern: ^[-._a-zA-Z0-9]+$
  18629. type: string
  18630. name:
  18631. description: The name of the Secret resource being referred to.
  18632. maxLength: 253
  18633. minLength: 1
  18634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18635. type: string
  18636. namespace:
  18637. description: |-
  18638. The namespace of the Secret resource being referred to.
  18639. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18640. maxLength: 63
  18641. minLength: 1
  18642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18643. type: string
  18644. type: object
  18645. required:
  18646. - serviceAccountSecretRef
  18647. type: object
  18648. cache:
  18649. description: |-
  18650. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18651. When enabled, secrets are cached with the specified TTL.
  18652. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18653. If omitted, caching is disabled (default).
  18654. cache: {} is a valid option to set.
  18655. properties:
  18656. maxSize:
  18657. default: 100
  18658. description: |-
  18659. MaxSize is the maximum number of secrets to cache.
  18660. When the cache is full, least-recently-used entries are evicted.
  18661. minimum: 1
  18662. type: integer
  18663. ttl:
  18664. default: 5m
  18665. description: |-
  18666. TTL is the time-to-live for cached secrets.
  18667. Format: duration string (e.g., "5m", "1h", "30s")
  18668. type: string
  18669. type: object
  18670. integrationInfo:
  18671. description: |-
  18672. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18673. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18674. properties:
  18675. name:
  18676. default: 1Password SDK
  18677. description: Name defaults to "1Password SDK".
  18678. type: string
  18679. version:
  18680. default: v1.0.0
  18681. description: Version defaults to "v1.0.0".
  18682. type: string
  18683. type: object
  18684. vault:
  18685. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18686. type: string
  18687. required:
  18688. - auth
  18689. - vault
  18690. type: object
  18691. openBao:
  18692. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18693. properties:
  18694. auth:
  18695. description: Auth configures how secret-manager authenticates with the OpenBao server.
  18696. maxProperties: 1
  18697. properties:
  18698. tokenSecretRef:
  18699. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  18700. properties:
  18701. key:
  18702. description: |-
  18703. A key in the referenced Secret.
  18704. Some instances of this field may be defaulted, in others it may be required.
  18705. maxLength: 253
  18706. minLength: 1
  18707. pattern: ^[-._a-zA-Z0-9]+$
  18708. type: string
  18709. name:
  18710. description: The name of the Secret resource being referred to.
  18711. maxLength: 253
  18712. minLength: 1
  18713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18714. type: string
  18715. namespace:
  18716. description: |-
  18717. The namespace of the Secret resource being referred to.
  18718. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18719. maxLength: 63
  18720. minLength: 1
  18721. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18722. type: string
  18723. type: object
  18724. userPass:
  18725. description: UserPass authenticates with OpenBao by passing a username/password pair
  18726. properties:
  18727. path:
  18728. default: userpass
  18729. description: |-
  18730. Path where the UserPassword authentication backend is mounted
  18731. in OpenBao, e.g: "userpass"
  18732. type: string
  18733. secretRef:
  18734. description: |-
  18735. SecretRef to a key in a Secret resource containing password for the user
  18736. used to authenticate with OpenBao using the [UserPass authentication
  18737. method]
  18738. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  18739. properties:
  18740. key:
  18741. description: |-
  18742. A key in the referenced Secret.
  18743. Some instances of this field may be defaulted, in others it may be required.
  18744. maxLength: 253
  18745. minLength: 1
  18746. pattern: ^[-._a-zA-Z0-9]+$
  18747. type: string
  18748. name:
  18749. description: The name of the Secret resource being referred to.
  18750. maxLength: 253
  18751. minLength: 1
  18752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18753. type: string
  18754. namespace:
  18755. description: |-
  18756. The namespace of the Secret resource being referred to.
  18757. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18758. maxLength: 63
  18759. minLength: 1
  18760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18761. type: string
  18762. type: object
  18763. username:
  18764. description: |-
  18765. Username is a username used to authenticate using the [UserPass
  18766. authentication method]
  18767. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  18768. type: string
  18769. required:
  18770. - path
  18771. - username
  18772. type: object
  18773. type: object
  18774. caBundle:
  18775. description: |-
  18776. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  18777. this and `caProvider` are not set the system root certificates are used
  18778. to validate the TLS connection.
  18779. format: byte
  18780. type: string
  18781. caProvider:
  18782. description: |-
  18783. The provider for the CA bundle to use to validate OpenBao server
  18784. certificate. If this and `caBundle` are not set the system root
  18785. certificates are used to validate the TLS connection.
  18786. properties:
  18787. key:
  18788. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18789. maxLength: 253
  18790. minLength: 1
  18791. pattern: ^[-._a-zA-Z0-9]+$
  18792. type: string
  18793. name:
  18794. description: The name of the object located at the provider type.
  18795. maxLength: 253
  18796. minLength: 1
  18797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18798. type: string
  18799. namespace:
  18800. description: |-
  18801. The namespace the Provider type is in.
  18802. Can only be defined when used in a ClusterSecretStore.
  18803. maxLength: 63
  18804. minLength: 1
  18805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18806. type: string
  18807. type:
  18808. description: The type of provider to use such as "Secret", or "ConfigMap".
  18809. enum:
  18810. - Secret
  18811. - ConfigMap
  18812. type: string
  18813. required:
  18814. - name
  18815. - type
  18816. type: object
  18817. path:
  18818. description: |-
  18819. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  18820. "secret". The v2 KV secret engine version specific "/data" path suffix
  18821. for fetching secrets from OpenBao is optional and will be appended
  18822. if not present in specified path.
  18823. type: string
  18824. server:
  18825. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  18826. type: string
  18827. version:
  18828. default: v2
  18829. description: |-
  18830. Version is the OpenBao KV secret engine version. This can be either "v1" or
  18831. "v2". Version defaults to "v2".
  18832. enum:
  18833. - v1
  18834. - v2
  18835. type: string
  18836. required:
  18837. - server
  18838. type: object
  18839. x-kubernetes-validations:
  18840. - message: at most one of the fields in [caBundle caProvider] may be set
  18841. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  18842. oracle:
  18843. description: Oracle configures this store to sync secrets using Oracle Vault provider
  18844. properties:
  18845. auth:
  18846. description: |-
  18847. Auth configures how secret-manager authenticates with the Oracle Vault.
  18848. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  18849. properties:
  18850. secretRef:
  18851. description: SecretRef to pass through sensitive information.
  18852. properties:
  18853. fingerprint:
  18854. description: Fingerprint is the fingerprint of the API private key.
  18855. properties:
  18856. key:
  18857. description: |-
  18858. A key in the referenced Secret.
  18859. Some instances of this field may be defaulted, in others it may be required.
  18860. maxLength: 253
  18861. minLength: 1
  18862. pattern: ^[-._a-zA-Z0-9]+$
  18863. type: string
  18864. name:
  18865. description: The name of the Secret resource being referred to.
  18866. maxLength: 253
  18867. minLength: 1
  18868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18869. type: string
  18870. namespace:
  18871. description: |-
  18872. The namespace of the Secret resource being referred to.
  18873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18874. maxLength: 63
  18875. minLength: 1
  18876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18877. type: string
  18878. type: object
  18879. privatekey:
  18880. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  18881. properties:
  18882. key:
  18883. description: |-
  18884. A key in the referenced Secret.
  18885. Some instances of this field may be defaulted, in others it may be required.
  18886. maxLength: 253
  18887. minLength: 1
  18888. pattern: ^[-._a-zA-Z0-9]+$
  18889. type: string
  18890. name:
  18891. description: The name of the Secret resource being referred to.
  18892. maxLength: 253
  18893. minLength: 1
  18894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18895. type: string
  18896. namespace:
  18897. description: |-
  18898. The namespace of the Secret resource being referred to.
  18899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18900. maxLength: 63
  18901. minLength: 1
  18902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18903. type: string
  18904. type: object
  18905. required:
  18906. - fingerprint
  18907. - privatekey
  18908. type: object
  18909. tenancy:
  18910. description: Tenancy is the tenancy OCID where user is located.
  18911. type: string
  18912. user:
  18913. description: User is an access OCID specific to the account.
  18914. type: string
  18915. required:
  18916. - secretRef
  18917. - tenancy
  18918. - user
  18919. type: object
  18920. compartment:
  18921. description: |-
  18922. Compartment is the vault compartment OCID.
  18923. Required for PushSecret
  18924. type: string
  18925. encryptionKey:
  18926. description: |-
  18927. EncryptionKey is the OCID of the encryption key within the vault.
  18928. Required for PushSecret
  18929. type: string
  18930. principalType:
  18931. description: |-
  18932. The type of principal to use for authentication. If left blank, the Auth struct will
  18933. determine the principal type. This optional field must be specified if using
  18934. workload identity.
  18935. enum:
  18936. - ""
  18937. - UserPrincipal
  18938. - InstancePrincipal
  18939. - Workload
  18940. type: string
  18941. region:
  18942. description: Region is the region where vault is located.
  18943. type: string
  18944. serviceAccountRef:
  18945. description: |-
  18946. ServiceAccountRef specified the service account
  18947. that should be used when authenticating with WorkloadIdentity.
  18948. properties:
  18949. audiences:
  18950. description: |-
  18951. Audience specifies the `aud` claim for the service account token
  18952. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18953. then this audiences will be appended to the list
  18954. items:
  18955. type: string
  18956. type: array
  18957. name:
  18958. description: The name of the ServiceAccount resource being referred to.
  18959. maxLength: 253
  18960. minLength: 1
  18961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18962. type: string
  18963. namespace:
  18964. description: |-
  18965. Namespace of the resource being referred to.
  18966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18967. maxLength: 63
  18968. minLength: 1
  18969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18970. type: string
  18971. required:
  18972. - name
  18973. type: object
  18974. vault:
  18975. description: Vault is the vault's OCID of the specific vault where secret is located.
  18976. type: string
  18977. required:
  18978. - region
  18979. - vault
  18980. type: object
  18981. ovh:
  18982. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  18983. properties:
  18984. auth:
  18985. description: Authentication method (mtls or token).
  18986. properties:
  18987. mtls:
  18988. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  18989. properties:
  18990. caBundle:
  18991. format: byte
  18992. type: string
  18993. caProvider:
  18994. description: |-
  18995. CAProvider provides a custom certificate authority for accessing the provider's store.
  18996. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  18997. properties:
  18998. key:
  18999. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19000. maxLength: 253
  19001. minLength: 1
  19002. pattern: ^[-._a-zA-Z0-9]+$
  19003. type: string
  19004. name:
  19005. description: The name of the object located at the provider type.
  19006. maxLength: 253
  19007. minLength: 1
  19008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19009. type: string
  19010. namespace:
  19011. description: |-
  19012. The namespace the Provider type is in.
  19013. Can only be defined when used in a ClusterSecretStore.
  19014. maxLength: 63
  19015. minLength: 1
  19016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19017. type: string
  19018. type:
  19019. description: The type of provider to use such as "Secret", or "ConfigMap".
  19020. enum:
  19021. - Secret
  19022. - ConfigMap
  19023. type: string
  19024. required:
  19025. - name
  19026. - type
  19027. type: object
  19028. certSecretRef:
  19029. description: |-
  19030. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19031. In some instances, `key` is a required field.
  19032. properties:
  19033. key:
  19034. description: |-
  19035. A key in the referenced Secret.
  19036. Some instances of this field may be defaulted, in others it may be required.
  19037. maxLength: 253
  19038. minLength: 1
  19039. pattern: ^[-._a-zA-Z0-9]+$
  19040. type: string
  19041. name:
  19042. description: The name of the Secret resource being referred to.
  19043. maxLength: 253
  19044. minLength: 1
  19045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19046. type: string
  19047. namespace:
  19048. description: |-
  19049. The namespace of the Secret resource being referred to.
  19050. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19051. maxLength: 63
  19052. minLength: 1
  19053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19054. type: string
  19055. type: object
  19056. keySecretRef:
  19057. description: |-
  19058. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19059. In some instances, `key` is a required field.
  19060. properties:
  19061. key:
  19062. description: |-
  19063. A key in the referenced Secret.
  19064. Some instances of this field may be defaulted, in others it may be required.
  19065. maxLength: 253
  19066. minLength: 1
  19067. pattern: ^[-._a-zA-Z0-9]+$
  19068. type: string
  19069. name:
  19070. description: The name of the Secret resource being referred to.
  19071. maxLength: 253
  19072. minLength: 1
  19073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19074. type: string
  19075. namespace:
  19076. description: |-
  19077. The namespace of the Secret resource being referred to.
  19078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19079. maxLength: 63
  19080. minLength: 1
  19081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19082. type: string
  19083. type: object
  19084. required:
  19085. - certSecretRef
  19086. - keySecretRef
  19087. type: object
  19088. token:
  19089. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  19090. properties:
  19091. tokenSecretRef:
  19092. description: |-
  19093. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19094. In some instances, `key` is a required field.
  19095. properties:
  19096. key:
  19097. description: |-
  19098. A key in the referenced Secret.
  19099. Some instances of this field may be defaulted, in others it may be required.
  19100. maxLength: 253
  19101. minLength: 1
  19102. pattern: ^[-._a-zA-Z0-9]+$
  19103. type: string
  19104. name:
  19105. description: The name of the Secret resource being referred to.
  19106. maxLength: 253
  19107. minLength: 1
  19108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19109. type: string
  19110. namespace:
  19111. description: |-
  19112. The namespace of the Secret resource being referred to.
  19113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19114. maxLength: 63
  19115. minLength: 1
  19116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19117. type: string
  19118. type: object
  19119. required:
  19120. - tokenSecretRef
  19121. type: object
  19122. type: object
  19123. casRequired:
  19124. description: 'Enables or disables check-and-set (CAS) (default: false).'
  19125. type: boolean
  19126. okmsTimeout:
  19127. default: 30
  19128. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  19129. format: int32
  19130. minimum: 1
  19131. type: integer
  19132. okmsid:
  19133. description: specifies the OKMS ID.
  19134. type: string
  19135. server:
  19136. description: specifies the OKMS server endpoint.
  19137. type: string
  19138. required:
  19139. - auth
  19140. - okmsid
  19141. - server
  19142. type: object
  19143. passbolt:
  19144. description: |-
  19145. PassboltProvider provides access to Passbolt secrets manager.
  19146. See: https://www.passbolt.com.
  19147. properties:
  19148. auth:
  19149. description: Auth defines the information necessary to authenticate against Passbolt Server
  19150. properties:
  19151. passwordSecretRef:
  19152. description: |-
  19153. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19154. In some instances, `key` is a required field.
  19155. properties:
  19156. key:
  19157. description: |-
  19158. A key in the referenced Secret.
  19159. Some instances of this field may be defaulted, in others it may be required.
  19160. maxLength: 253
  19161. minLength: 1
  19162. pattern: ^[-._a-zA-Z0-9]+$
  19163. type: string
  19164. name:
  19165. description: The name of the Secret resource being referred to.
  19166. maxLength: 253
  19167. minLength: 1
  19168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19169. type: string
  19170. namespace:
  19171. description: |-
  19172. The namespace of the Secret resource being referred to.
  19173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19174. maxLength: 63
  19175. minLength: 1
  19176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19177. type: string
  19178. type: object
  19179. privateKeySecretRef:
  19180. description: |-
  19181. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19182. In some instances, `key` is a required field.
  19183. properties:
  19184. key:
  19185. description: |-
  19186. A key in the referenced Secret.
  19187. Some instances of this field may be defaulted, in others it may be required.
  19188. maxLength: 253
  19189. minLength: 1
  19190. pattern: ^[-._a-zA-Z0-9]+$
  19191. type: string
  19192. name:
  19193. description: The name of the Secret resource being referred to.
  19194. maxLength: 253
  19195. minLength: 1
  19196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19197. type: string
  19198. namespace:
  19199. description: |-
  19200. The namespace of the Secret resource being referred to.
  19201. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19202. maxLength: 63
  19203. minLength: 1
  19204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19205. type: string
  19206. type: object
  19207. required:
  19208. - passwordSecretRef
  19209. - privateKeySecretRef
  19210. type: object
  19211. caBundle:
  19212. description: |-
  19213. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  19214. if the Host URL is using HTTPS protocol. If not set the system root certificates
  19215. are used to validate the TLS connection.
  19216. format: byte
  19217. type: string
  19218. caProvider:
  19219. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19220. properties:
  19221. key:
  19222. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19223. maxLength: 253
  19224. minLength: 1
  19225. pattern: ^[-._a-zA-Z0-9]+$
  19226. type: string
  19227. name:
  19228. description: The name of the object located at the provider type.
  19229. maxLength: 253
  19230. minLength: 1
  19231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19232. type: string
  19233. namespace:
  19234. description: |-
  19235. The namespace the Provider type is in.
  19236. Can only be defined when used in a ClusterSecretStore.
  19237. maxLength: 63
  19238. minLength: 1
  19239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19240. type: string
  19241. type:
  19242. description: The type of provider to use such as "Secret", or "ConfigMap".
  19243. enum:
  19244. - Secret
  19245. - ConfigMap
  19246. type: string
  19247. required:
  19248. - name
  19249. - type
  19250. type: object
  19251. host:
  19252. description: Host defines the Passbolt Server to connect to
  19253. type: string
  19254. required:
  19255. - auth
  19256. - host
  19257. type: object
  19258. passworddepot:
  19259. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19260. properties:
  19261. auth:
  19262. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19263. properties:
  19264. secretRef:
  19265. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19266. properties:
  19267. credentials:
  19268. description: Username / Password is used for authentication.
  19269. properties:
  19270. key:
  19271. description: |-
  19272. A key in the referenced Secret.
  19273. Some instances of this field may be defaulted, in others it may be required.
  19274. maxLength: 253
  19275. minLength: 1
  19276. pattern: ^[-._a-zA-Z0-9]+$
  19277. type: string
  19278. name:
  19279. description: The name of the Secret resource being referred to.
  19280. maxLength: 253
  19281. minLength: 1
  19282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19283. type: string
  19284. namespace:
  19285. description: |-
  19286. The namespace of the Secret resource being referred to.
  19287. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19288. maxLength: 63
  19289. minLength: 1
  19290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19291. type: string
  19292. type: object
  19293. type: object
  19294. required:
  19295. - secretRef
  19296. type: object
  19297. database:
  19298. description: Database to use as source
  19299. type: string
  19300. host:
  19301. description: URL configures the Password Depot instance URL.
  19302. type: string
  19303. required:
  19304. - auth
  19305. - database
  19306. - host
  19307. type: object
  19308. previder:
  19309. description: Previder configures this store to sync secrets using the Previder provider
  19310. properties:
  19311. auth:
  19312. description: PreviderAuth contains a secretRef for credentials.
  19313. properties:
  19314. secretRef:
  19315. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19316. properties:
  19317. accessToken:
  19318. description: The AccessToken is used for authentication
  19319. properties:
  19320. key:
  19321. description: |-
  19322. A key in the referenced Secret.
  19323. Some instances of this field may be defaulted, in others it may be required.
  19324. maxLength: 253
  19325. minLength: 1
  19326. pattern: ^[-._a-zA-Z0-9]+$
  19327. type: string
  19328. name:
  19329. description: The name of the Secret resource being referred to.
  19330. maxLength: 253
  19331. minLength: 1
  19332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19333. type: string
  19334. namespace:
  19335. description: |-
  19336. The namespace of the Secret resource being referred to.
  19337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19338. maxLength: 63
  19339. minLength: 1
  19340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19341. type: string
  19342. type: object
  19343. required:
  19344. - accessToken
  19345. type: object
  19346. type: object
  19347. baseUri:
  19348. type: string
  19349. required:
  19350. - auth
  19351. type: object
  19352. pulumi:
  19353. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19354. properties:
  19355. accessToken:
  19356. description: |-
  19357. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  19358. Deprecated: Use auth.accessToken instead.
  19359. properties:
  19360. secretRef:
  19361. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19362. properties:
  19363. key:
  19364. description: |-
  19365. A key in the referenced Secret.
  19366. Some instances of this field may be defaulted, in others it may be required.
  19367. maxLength: 253
  19368. minLength: 1
  19369. pattern: ^[-._a-zA-Z0-9]+$
  19370. type: string
  19371. name:
  19372. description: The name of the Secret resource being referred to.
  19373. maxLength: 253
  19374. minLength: 1
  19375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19376. type: string
  19377. namespace:
  19378. description: |-
  19379. The namespace of the Secret resource being referred to.
  19380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19381. maxLength: 63
  19382. minLength: 1
  19383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19384. type: string
  19385. type: object
  19386. type: object
  19387. apiUrl:
  19388. default: https://api.pulumi.com/api/esc
  19389. description: APIURL is the URL of the Pulumi API.
  19390. type: string
  19391. auth:
  19392. description: |-
  19393. Auth configures how the Operator authenticates with the Pulumi API.
  19394. Either auth or the deprecated accessToken field must be specified.
  19395. properties:
  19396. accessToken:
  19397. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19398. properties:
  19399. secretRef:
  19400. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19401. properties:
  19402. key:
  19403. description: |-
  19404. A key in the referenced Secret.
  19405. Some instances of this field may be defaulted, in others it may be required.
  19406. maxLength: 253
  19407. minLength: 1
  19408. pattern: ^[-._a-zA-Z0-9]+$
  19409. type: string
  19410. name:
  19411. description: The name of the Secret resource being referred to.
  19412. maxLength: 253
  19413. minLength: 1
  19414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19415. type: string
  19416. namespace:
  19417. description: |-
  19418. The namespace of the Secret resource being referred to.
  19419. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19420. maxLength: 63
  19421. minLength: 1
  19422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19423. type: string
  19424. type: object
  19425. type: object
  19426. oidcConfig:
  19427. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19428. properties:
  19429. expirationSeconds:
  19430. default: 600
  19431. description: |-
  19432. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19433. Defaults to 10 minutes.
  19434. format: int64
  19435. minimum: 600
  19436. type: integer
  19437. organization:
  19438. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19439. type: string
  19440. serviceAccountRef:
  19441. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19442. properties:
  19443. audiences:
  19444. description: |-
  19445. Audience specifies the `aud` claim for the service account token
  19446. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19447. then this audiences will be appended to the list
  19448. items:
  19449. type: string
  19450. type: array
  19451. name:
  19452. description: The name of the ServiceAccount resource being referred to.
  19453. maxLength: 253
  19454. minLength: 1
  19455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19456. type: string
  19457. namespace:
  19458. description: |-
  19459. Namespace of the resource being referred to.
  19460. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19461. maxLength: 63
  19462. minLength: 1
  19463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19464. type: string
  19465. required:
  19466. - name
  19467. type: object
  19468. required:
  19469. - organization
  19470. - serviceAccountRef
  19471. type: object
  19472. type: object
  19473. x-kubernetes-validations:
  19474. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19475. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19476. environment:
  19477. description: |-
  19478. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  19479. dynamically retrieved values from supported providers including all major clouds,
  19480. and other Pulumi ESC environments.
  19481. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19482. type: string
  19483. organization:
  19484. description: |-
  19485. Organization are a space to collaborate on shared projects and stacks.
  19486. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19487. type: string
  19488. project:
  19489. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19490. type: string
  19491. required:
  19492. - environment
  19493. - organization
  19494. - project
  19495. type: object
  19496. x-kubernetes-validations:
  19497. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19498. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19499. scaleway:
  19500. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19501. properties:
  19502. accessKey:
  19503. description: AccessKey is the non-secret part of the api key.
  19504. properties:
  19505. secretRef:
  19506. description: SecretRef references a key in a secret that will be used as value.
  19507. properties:
  19508. key:
  19509. description: |-
  19510. A key in the referenced Secret.
  19511. Some instances of this field may be defaulted, in others it may be required.
  19512. maxLength: 253
  19513. minLength: 1
  19514. pattern: ^[-._a-zA-Z0-9]+$
  19515. type: string
  19516. name:
  19517. description: The name of the Secret resource being referred to.
  19518. maxLength: 253
  19519. minLength: 1
  19520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19521. type: string
  19522. namespace:
  19523. description: |-
  19524. The namespace of the Secret resource being referred to.
  19525. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19526. maxLength: 63
  19527. minLength: 1
  19528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19529. type: string
  19530. type: object
  19531. value:
  19532. description: Value can be specified directly to set a value without using a secret.
  19533. type: string
  19534. type: object
  19535. apiUrl:
  19536. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19537. type: string
  19538. projectId:
  19539. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19540. type: string
  19541. region:
  19542. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19543. type: string
  19544. secretKey:
  19545. description: SecretKey is the non-secret part of the api key.
  19546. properties:
  19547. secretRef:
  19548. description: SecretRef references a key in a secret that will be used as value.
  19549. properties:
  19550. key:
  19551. description: |-
  19552. A key in the referenced Secret.
  19553. Some instances of this field may be defaulted, in others it may be required.
  19554. maxLength: 253
  19555. minLength: 1
  19556. pattern: ^[-._a-zA-Z0-9]+$
  19557. type: string
  19558. name:
  19559. description: The name of the Secret resource being referred to.
  19560. maxLength: 253
  19561. minLength: 1
  19562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19563. type: string
  19564. namespace:
  19565. description: |-
  19566. The namespace of the Secret resource being referred to.
  19567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19568. maxLength: 63
  19569. minLength: 1
  19570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19571. type: string
  19572. type: object
  19573. value:
  19574. description: Value can be specified directly to set a value without using a secret.
  19575. type: string
  19576. type: object
  19577. required:
  19578. - accessKey
  19579. - projectId
  19580. - region
  19581. - secretKey
  19582. type: object
  19583. secretserver:
  19584. description: |-
  19585. SecretServer configures this store to sync secrets using SecretServer provider
  19586. https://docs.delinea.com/online-help/secret-server/start.htm
  19587. properties:
  19588. caBundle:
  19589. description: |-
  19590. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  19591. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  19592. are used to validate the TLS connection.
  19593. format: byte
  19594. type: string
  19595. caProvider:
  19596. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19597. properties:
  19598. key:
  19599. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19600. maxLength: 253
  19601. minLength: 1
  19602. pattern: ^[-._a-zA-Z0-9]+$
  19603. type: string
  19604. name:
  19605. description: The name of the object located at the provider type.
  19606. maxLength: 253
  19607. minLength: 1
  19608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19609. type: string
  19610. namespace:
  19611. description: |-
  19612. The namespace the Provider type is in.
  19613. Can only be defined when used in a ClusterSecretStore.
  19614. maxLength: 63
  19615. minLength: 1
  19616. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19617. type: string
  19618. type:
  19619. description: The type of provider to use such as "Secret", or "ConfigMap".
  19620. enum:
  19621. - Secret
  19622. - ConfigMap
  19623. type: string
  19624. required:
  19625. - name
  19626. - type
  19627. type: object
  19628. domain:
  19629. description: Domain is the secret server domain.
  19630. type: string
  19631. password:
  19632. description: Password is the secret server account password.
  19633. properties:
  19634. secretRef:
  19635. description: SecretRef references a key in a secret that will be used as value.
  19636. properties:
  19637. key:
  19638. description: |-
  19639. A key in the referenced Secret.
  19640. Some instances of this field may be defaulted, in others it may be required.
  19641. maxLength: 253
  19642. minLength: 1
  19643. pattern: ^[-._a-zA-Z0-9]+$
  19644. type: string
  19645. name:
  19646. description: The name of the Secret resource being referred to.
  19647. maxLength: 253
  19648. minLength: 1
  19649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19650. type: string
  19651. namespace:
  19652. description: |-
  19653. The namespace of the Secret resource being referred to.
  19654. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19655. maxLength: 63
  19656. minLength: 1
  19657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19658. type: string
  19659. type: object
  19660. value:
  19661. description: Value can be specified directly to set a value without using a secret.
  19662. type: string
  19663. type: object
  19664. serverURL:
  19665. description: |-
  19666. ServerURL
  19667. URL to your secret server installation
  19668. type: string
  19669. username:
  19670. description: Username is the secret server account username.
  19671. properties:
  19672. secretRef:
  19673. description: SecretRef references a key in a secret that will be used as value.
  19674. properties:
  19675. key:
  19676. description: |-
  19677. A key in the referenced Secret.
  19678. Some instances of this field may be defaulted, in others it may be required.
  19679. maxLength: 253
  19680. minLength: 1
  19681. pattern: ^[-._a-zA-Z0-9]+$
  19682. type: string
  19683. name:
  19684. description: The name of the Secret resource being referred to.
  19685. maxLength: 253
  19686. minLength: 1
  19687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19688. type: string
  19689. namespace:
  19690. description: |-
  19691. The namespace of the Secret resource being referred to.
  19692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19693. maxLength: 63
  19694. minLength: 1
  19695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19696. type: string
  19697. type: object
  19698. value:
  19699. description: Value can be specified directly to set a value without using a secret.
  19700. type: string
  19701. type: object
  19702. required:
  19703. - password
  19704. - serverURL
  19705. - username
  19706. type: object
  19707. senhasegura:
  19708. description: Senhasegura configures this store to sync secrets using senhasegura provider
  19709. properties:
  19710. auth:
  19711. description: Auth defines parameters to authenticate in senhasegura
  19712. properties:
  19713. clientId:
  19714. type: string
  19715. clientSecretSecretRef:
  19716. description: |-
  19717. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19718. In some instances, `key` is a required field.
  19719. properties:
  19720. key:
  19721. description: |-
  19722. A key in the referenced Secret.
  19723. Some instances of this field may be defaulted, in others it may be required.
  19724. maxLength: 253
  19725. minLength: 1
  19726. pattern: ^[-._a-zA-Z0-9]+$
  19727. type: string
  19728. name:
  19729. description: The name of the Secret resource being referred to.
  19730. maxLength: 253
  19731. minLength: 1
  19732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19733. type: string
  19734. namespace:
  19735. description: |-
  19736. The namespace of the Secret resource being referred to.
  19737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19738. maxLength: 63
  19739. minLength: 1
  19740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19741. type: string
  19742. type: object
  19743. required:
  19744. - clientId
  19745. - clientSecretSecretRef
  19746. type: object
  19747. ignoreSslCertificate:
  19748. default: false
  19749. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  19750. type: boolean
  19751. module:
  19752. description: Module defines which senhasegura module should be used to get secrets
  19753. type: string
  19754. url:
  19755. description: URL of senhasegura
  19756. type: string
  19757. required:
  19758. - auth
  19759. - module
  19760. - url
  19761. type: object
  19762. vault:
  19763. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  19764. properties:
  19765. auth:
  19766. description: Auth configures how secret-manager authenticates with the Vault server.
  19767. properties:
  19768. appRole:
  19769. description: |-
  19770. AppRole authenticates with Vault using the App Role auth mechanism,
  19771. with the role and secret stored in a Kubernetes Secret resource.
  19772. properties:
  19773. path:
  19774. default: approle
  19775. description: |-
  19776. Path where the App Role authentication backend is mounted
  19777. in Vault, e.g: "approle"
  19778. type: string
  19779. roleId:
  19780. description: |-
  19781. RoleID configured in the App Role authentication backend when setting
  19782. up the authentication backend in Vault.
  19783. type: string
  19784. roleRef:
  19785. description: |-
  19786. Reference to a key in a Secret that contains the App Role ID used
  19787. to authenticate with Vault.
  19788. The `key` field must be specified and denotes which entry within the Secret
  19789. resource is used as the app role id.
  19790. properties:
  19791. key:
  19792. description: |-
  19793. A key in the referenced Secret.
  19794. Some instances of this field may be defaulted, in others it may be required.
  19795. maxLength: 253
  19796. minLength: 1
  19797. pattern: ^[-._a-zA-Z0-9]+$
  19798. type: string
  19799. name:
  19800. description: The name of the Secret resource being referred to.
  19801. maxLength: 253
  19802. minLength: 1
  19803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19804. type: string
  19805. namespace:
  19806. description: |-
  19807. The namespace of the Secret resource being referred to.
  19808. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19809. maxLength: 63
  19810. minLength: 1
  19811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19812. type: string
  19813. type: object
  19814. secretRef:
  19815. description: |-
  19816. Reference to a key in a Secret that contains the App Role secret used
  19817. to authenticate with Vault.
  19818. The `key` field must be specified and denotes which entry within the Secret
  19819. resource is used as the app role secret.
  19820. properties:
  19821. key:
  19822. description: |-
  19823. A key in the referenced Secret.
  19824. Some instances of this field may be defaulted, in others it may be required.
  19825. maxLength: 253
  19826. minLength: 1
  19827. pattern: ^[-._a-zA-Z0-9]+$
  19828. type: string
  19829. name:
  19830. description: The name of the Secret resource being referred to.
  19831. maxLength: 253
  19832. minLength: 1
  19833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19834. type: string
  19835. namespace:
  19836. description: |-
  19837. The namespace of the Secret resource being referred to.
  19838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19839. maxLength: 63
  19840. minLength: 1
  19841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19842. type: string
  19843. type: object
  19844. required:
  19845. - path
  19846. - secretRef
  19847. type: object
  19848. cert:
  19849. description: |-
  19850. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  19851. Cert authentication method
  19852. properties:
  19853. clientCert:
  19854. description: |-
  19855. ClientCert is a certificate to authenticate using the Cert Vault
  19856. authentication method
  19857. properties:
  19858. key:
  19859. description: |-
  19860. A key in the referenced Secret.
  19861. Some instances of this field may be defaulted, in others it may be required.
  19862. maxLength: 253
  19863. minLength: 1
  19864. pattern: ^[-._a-zA-Z0-9]+$
  19865. type: string
  19866. name:
  19867. description: The name of the Secret resource being referred to.
  19868. maxLength: 253
  19869. minLength: 1
  19870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19871. type: string
  19872. namespace:
  19873. description: |-
  19874. The namespace of the Secret resource being referred to.
  19875. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19876. maxLength: 63
  19877. minLength: 1
  19878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19879. type: string
  19880. type: object
  19881. path:
  19882. default: cert
  19883. description: |-
  19884. Path where the Certificate authentication backend is mounted
  19885. in Vault, e.g: "cert"
  19886. type: string
  19887. secretRef:
  19888. description: |-
  19889. SecretRef to a key in a Secret resource containing client private key to
  19890. authenticate with Vault using the Cert authentication method
  19891. properties:
  19892. key:
  19893. description: |-
  19894. A key in the referenced Secret.
  19895. Some instances of this field may be defaulted, in others it may be required.
  19896. maxLength: 253
  19897. minLength: 1
  19898. pattern: ^[-._a-zA-Z0-9]+$
  19899. type: string
  19900. name:
  19901. description: The name of the Secret resource being referred to.
  19902. maxLength: 253
  19903. minLength: 1
  19904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19905. type: string
  19906. namespace:
  19907. description: |-
  19908. The namespace of the Secret resource being referred to.
  19909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19910. maxLength: 63
  19911. minLength: 1
  19912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19913. type: string
  19914. type: object
  19915. vaultRole:
  19916. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  19917. type: string
  19918. type: object
  19919. gcp:
  19920. description: |-
  19921. Gcp authenticates with Vault using Google Cloud Platform authentication method
  19922. GCP authentication method
  19923. properties:
  19924. location:
  19925. description: Location optionally defines a location/region for the secret
  19926. type: string
  19927. path:
  19928. default: gcp
  19929. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  19930. type: string
  19931. projectID:
  19932. description: Project ID of the Google Cloud Platform project
  19933. type: string
  19934. role:
  19935. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  19936. type: string
  19937. secretRef:
  19938. description: Specify credentials in a Secret object
  19939. properties:
  19940. secretAccessKeySecretRef:
  19941. description: The SecretAccessKey is used for authentication
  19942. properties:
  19943. key:
  19944. description: |-
  19945. A key in the referenced Secret.
  19946. Some instances of this field may be defaulted, in others it may be required.
  19947. maxLength: 253
  19948. minLength: 1
  19949. pattern: ^[-._a-zA-Z0-9]+$
  19950. type: string
  19951. name:
  19952. description: The name of the Secret resource being referred to.
  19953. maxLength: 253
  19954. minLength: 1
  19955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19956. type: string
  19957. namespace:
  19958. description: |-
  19959. The namespace of the Secret resource being referred to.
  19960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19961. maxLength: 63
  19962. minLength: 1
  19963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19964. type: string
  19965. type: object
  19966. type: object
  19967. serviceAccountRef:
  19968. description: ServiceAccountRef to a service account for impersonation
  19969. properties:
  19970. audiences:
  19971. description: |-
  19972. Audience specifies the `aud` claim for the service account token
  19973. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19974. then this audiences will be appended to the list
  19975. items:
  19976. type: string
  19977. type: array
  19978. name:
  19979. description: The name of the ServiceAccount resource being referred to.
  19980. maxLength: 253
  19981. minLength: 1
  19982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19983. type: string
  19984. namespace:
  19985. description: |-
  19986. Namespace of the resource being referred to.
  19987. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19988. maxLength: 63
  19989. minLength: 1
  19990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19991. type: string
  19992. required:
  19993. - name
  19994. type: object
  19995. workloadIdentity:
  19996. description: Specify a service account with Workload Identity
  19997. properties:
  19998. clusterLocation:
  19999. description: |-
  20000. ClusterLocation is the location of the cluster
  20001. If not specified, it fetches information from the metadata server
  20002. type: string
  20003. clusterName:
  20004. description: |-
  20005. ClusterName is the name of the cluster
  20006. If not specified, it fetches information from the metadata server
  20007. type: string
  20008. clusterProjectID:
  20009. description: |-
  20010. ClusterProjectID is the project ID of the cluster
  20011. If not specified, it fetches information from the metadata server
  20012. type: string
  20013. serviceAccountRef:
  20014. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20015. properties:
  20016. audiences:
  20017. description: |-
  20018. Audience specifies the `aud` claim for the service account token
  20019. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20020. then this audiences will be appended to the list
  20021. items:
  20022. type: string
  20023. type: array
  20024. name:
  20025. description: The name of the ServiceAccount resource being referred to.
  20026. maxLength: 253
  20027. minLength: 1
  20028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20029. type: string
  20030. namespace:
  20031. description: |-
  20032. Namespace of the resource being referred to.
  20033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20034. maxLength: 63
  20035. minLength: 1
  20036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20037. type: string
  20038. required:
  20039. - name
  20040. type: object
  20041. required:
  20042. - serviceAccountRef
  20043. type: object
  20044. required:
  20045. - role
  20046. type: object
  20047. iam:
  20048. description: |-
  20049. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  20050. AWS IAM authentication method
  20051. properties:
  20052. externalID:
  20053. description: AWS External ID set on assumed IAM roles
  20054. type: string
  20055. jwt:
  20056. description: Specify a service account with IRSA enabled
  20057. properties:
  20058. serviceAccountRef:
  20059. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20060. properties:
  20061. audiences:
  20062. description: |-
  20063. Audience specifies the `aud` claim for the service account token
  20064. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20065. then this audiences will be appended to the list
  20066. items:
  20067. type: string
  20068. type: array
  20069. name:
  20070. description: The name of the ServiceAccount resource being referred to.
  20071. maxLength: 253
  20072. minLength: 1
  20073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20074. type: string
  20075. namespace:
  20076. description: |-
  20077. Namespace of the resource being referred to.
  20078. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20079. maxLength: 63
  20080. minLength: 1
  20081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20082. type: string
  20083. required:
  20084. - name
  20085. type: object
  20086. type: object
  20087. path:
  20088. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  20089. type: string
  20090. region:
  20091. description: AWS region
  20092. type: string
  20093. role:
  20094. description: This is the AWS role to be assumed before talking to vault
  20095. type: string
  20096. secretRef:
  20097. description: Specify credentials in a Secret object
  20098. properties:
  20099. accessKeyIDSecretRef:
  20100. description: The AccessKeyID is used for authentication
  20101. properties:
  20102. key:
  20103. description: |-
  20104. A key in the referenced Secret.
  20105. Some instances of this field may be defaulted, in others it may be required.
  20106. maxLength: 253
  20107. minLength: 1
  20108. pattern: ^[-._a-zA-Z0-9]+$
  20109. type: string
  20110. name:
  20111. description: The name of the Secret resource being referred to.
  20112. maxLength: 253
  20113. minLength: 1
  20114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20115. type: string
  20116. namespace:
  20117. description: |-
  20118. The namespace of the Secret resource being referred to.
  20119. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20120. maxLength: 63
  20121. minLength: 1
  20122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20123. type: string
  20124. type: object
  20125. secretAccessKeySecretRef:
  20126. description: The SecretAccessKey is used for authentication
  20127. properties:
  20128. key:
  20129. description: |-
  20130. A key in the referenced Secret.
  20131. Some instances of this field may be defaulted, in others it may be required.
  20132. maxLength: 253
  20133. minLength: 1
  20134. pattern: ^[-._a-zA-Z0-9]+$
  20135. type: string
  20136. name:
  20137. description: The name of the Secret resource being referred to.
  20138. maxLength: 253
  20139. minLength: 1
  20140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20141. type: string
  20142. namespace:
  20143. description: |-
  20144. The namespace of the Secret resource being referred to.
  20145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20146. maxLength: 63
  20147. minLength: 1
  20148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20149. type: string
  20150. type: object
  20151. sessionTokenSecretRef:
  20152. description: |-
  20153. The SessionToken used for authentication
  20154. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20155. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20156. properties:
  20157. key:
  20158. description: |-
  20159. A key in the referenced Secret.
  20160. Some instances of this field may be defaulted, in others it may be required.
  20161. maxLength: 253
  20162. minLength: 1
  20163. pattern: ^[-._a-zA-Z0-9]+$
  20164. type: string
  20165. name:
  20166. description: The name of the Secret resource being referred to.
  20167. maxLength: 253
  20168. minLength: 1
  20169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20170. type: string
  20171. namespace:
  20172. description: |-
  20173. The namespace of the Secret resource being referred to.
  20174. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20175. maxLength: 63
  20176. minLength: 1
  20177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20178. type: string
  20179. type: object
  20180. type: object
  20181. vaultAwsIamServerID:
  20182. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  20183. type: string
  20184. vaultRole:
  20185. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  20186. type: string
  20187. required:
  20188. - vaultRole
  20189. type: object
  20190. jwt:
  20191. description: |-
  20192. Jwt authenticates with Vault by passing role and JWT token using the
  20193. JWT/OIDC authentication method
  20194. properties:
  20195. kubernetesServiceAccountToken:
  20196. description: |-
  20197. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20198. a token for with the `TokenRequest` API.
  20199. properties:
  20200. audiences:
  20201. description: |-
  20202. Optional audiences field that will be used to request a temporary Kubernetes service
  20203. account token for the service account referenced by `serviceAccountRef`.
  20204. Defaults to a single audience `vault` it not specified.
  20205. Deprecated: use serviceAccountRef.Audiences instead
  20206. items:
  20207. type: string
  20208. type: array
  20209. expirationSeconds:
  20210. description: |-
  20211. Optional expiration time in seconds that will be used to request a temporary
  20212. Kubernetes service account token for the service account referenced by
  20213. `serviceAccountRef`.
  20214. Deprecated: this will be removed in the future.
  20215. Defaults to 10 minutes.
  20216. format: int64
  20217. type: integer
  20218. serviceAccountRef:
  20219. description: Service account field containing the name of a kubernetes ServiceAccount.
  20220. properties:
  20221. audiences:
  20222. description: |-
  20223. Audience specifies the `aud` claim for the service account token
  20224. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20225. then this audiences will be appended to the list
  20226. items:
  20227. type: string
  20228. type: array
  20229. name:
  20230. description: The name of the ServiceAccount resource being referred to.
  20231. maxLength: 253
  20232. minLength: 1
  20233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20234. type: string
  20235. namespace:
  20236. description: |-
  20237. Namespace of the resource being referred to.
  20238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20239. maxLength: 63
  20240. minLength: 1
  20241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20242. type: string
  20243. required:
  20244. - name
  20245. type: object
  20246. required:
  20247. - serviceAccountRef
  20248. type: object
  20249. path:
  20250. default: jwt
  20251. description: |-
  20252. Path where the JWT authentication backend is mounted
  20253. in Vault, e.g: "jwt"
  20254. type: string
  20255. role:
  20256. description: |-
  20257. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20258. authentication method
  20259. type: string
  20260. secretRef:
  20261. description: |-
  20262. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20263. authenticate with Vault using the JWT/OIDC authentication method.
  20264. properties:
  20265. key:
  20266. description: |-
  20267. A key in the referenced Secret.
  20268. Some instances of this field may be defaulted, in others it may be required.
  20269. maxLength: 253
  20270. minLength: 1
  20271. pattern: ^[-._a-zA-Z0-9]+$
  20272. type: string
  20273. name:
  20274. description: The name of the Secret resource being referred to.
  20275. maxLength: 253
  20276. minLength: 1
  20277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20278. type: string
  20279. namespace:
  20280. description: |-
  20281. The namespace of the Secret resource being referred to.
  20282. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20283. maxLength: 63
  20284. minLength: 1
  20285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20286. type: string
  20287. type: object
  20288. required:
  20289. - path
  20290. type: object
  20291. kubernetes:
  20292. description: |-
  20293. Kubernetes authenticates with Vault by passing the ServiceAccount
  20294. token stored in the named Secret resource to the Vault server.
  20295. properties:
  20296. mountPath:
  20297. default: kubernetes
  20298. description: |-
  20299. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20300. "kubernetes"
  20301. type: string
  20302. role:
  20303. description: |-
  20304. A required field containing the Vault Role to assume. A Role binds a
  20305. Kubernetes ServiceAccount with a set of Vault policies.
  20306. type: string
  20307. secretRef:
  20308. description: |-
  20309. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20310. for authenticating with Vault. If a name is specified without a key,
  20311. `token` is the default. If one is not specified, the one bound to
  20312. the controller will be used.
  20313. properties:
  20314. key:
  20315. description: |-
  20316. A key in the referenced Secret.
  20317. Some instances of this field may be defaulted, in others it may be required.
  20318. maxLength: 253
  20319. minLength: 1
  20320. pattern: ^[-._a-zA-Z0-9]+$
  20321. type: string
  20322. name:
  20323. description: The name of the Secret resource being referred to.
  20324. maxLength: 253
  20325. minLength: 1
  20326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20327. type: string
  20328. namespace:
  20329. description: |-
  20330. The namespace of the Secret resource being referred to.
  20331. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20332. maxLength: 63
  20333. minLength: 1
  20334. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20335. type: string
  20336. type: object
  20337. serviceAccountRef:
  20338. description: |-
  20339. Optional service account field containing the name of a kubernetes ServiceAccount.
  20340. If the service account is specified, the service account secret token JWT will be used
  20341. for authenticating with Vault. If the service account selector is not supplied,
  20342. the secretRef will be used instead.
  20343. properties:
  20344. audiences:
  20345. description: |-
  20346. Audience specifies the `aud` claim for the service account token
  20347. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20348. then this audiences will be appended to the list
  20349. items:
  20350. type: string
  20351. type: array
  20352. name:
  20353. description: The name of the ServiceAccount resource being referred to.
  20354. maxLength: 253
  20355. minLength: 1
  20356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20357. type: string
  20358. namespace:
  20359. description: |-
  20360. Namespace of the resource being referred to.
  20361. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20362. maxLength: 63
  20363. minLength: 1
  20364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20365. type: string
  20366. required:
  20367. - name
  20368. type: object
  20369. required:
  20370. - mountPath
  20371. - role
  20372. type: object
  20373. ldap:
  20374. description: |-
  20375. Ldap authenticates with Vault by passing username/password pair using
  20376. the LDAP authentication method
  20377. properties:
  20378. path:
  20379. default: ldap
  20380. description: |-
  20381. Path where the LDAP authentication backend is mounted
  20382. in Vault, e.g: "ldap"
  20383. type: string
  20384. secretRef:
  20385. description: |-
  20386. SecretRef to a key in a Secret resource containing password for the LDAP
  20387. user used to authenticate with Vault using the LDAP authentication
  20388. method
  20389. properties:
  20390. key:
  20391. description: |-
  20392. A key in the referenced Secret.
  20393. Some instances of this field may be defaulted, in others it may be required.
  20394. maxLength: 253
  20395. minLength: 1
  20396. pattern: ^[-._a-zA-Z0-9]+$
  20397. type: string
  20398. name:
  20399. description: The name of the Secret resource being referred to.
  20400. maxLength: 253
  20401. minLength: 1
  20402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20403. type: string
  20404. namespace:
  20405. description: |-
  20406. The namespace of the Secret resource being referred to.
  20407. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20408. maxLength: 63
  20409. minLength: 1
  20410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20411. type: string
  20412. type: object
  20413. username:
  20414. description: |-
  20415. Username is an LDAP username used to authenticate using the LDAP Vault
  20416. authentication method
  20417. type: string
  20418. required:
  20419. - path
  20420. - username
  20421. type: object
  20422. namespace:
  20423. description: |-
  20424. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  20425. Namespaces is a set of features within Vault Enterprise that allows
  20426. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20427. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20428. This will default to Vault.Namespace field if set, or empty otherwise
  20429. type: string
  20430. tokenSecretRef:
  20431. description: TokenSecretRef authenticates with Vault by presenting a token.
  20432. properties:
  20433. key:
  20434. description: |-
  20435. A key in the referenced Secret.
  20436. Some instances of this field may be defaulted, in others it may be required.
  20437. maxLength: 253
  20438. minLength: 1
  20439. pattern: ^[-._a-zA-Z0-9]+$
  20440. type: string
  20441. name:
  20442. description: The name of the Secret resource being referred to.
  20443. maxLength: 253
  20444. minLength: 1
  20445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20446. type: string
  20447. namespace:
  20448. description: |-
  20449. The namespace of the Secret resource being referred to.
  20450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20451. maxLength: 63
  20452. minLength: 1
  20453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20454. type: string
  20455. type: object
  20456. userPass:
  20457. description: UserPass authenticates with Vault by passing username/password pair
  20458. properties:
  20459. path:
  20460. default: userpass
  20461. description: |-
  20462. Path where the UserPassword authentication backend is mounted
  20463. in Vault, e.g: "userpass"
  20464. type: string
  20465. secretRef:
  20466. description: |-
  20467. SecretRef to a key in a Secret resource containing password for the
  20468. user used to authenticate with Vault using the UserPass authentication
  20469. method
  20470. properties:
  20471. key:
  20472. description: |-
  20473. A key in the referenced Secret.
  20474. Some instances of this field may be defaulted, in others it may be required.
  20475. maxLength: 253
  20476. minLength: 1
  20477. pattern: ^[-._a-zA-Z0-9]+$
  20478. type: string
  20479. name:
  20480. description: The name of the Secret resource being referred to.
  20481. maxLength: 253
  20482. minLength: 1
  20483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20484. type: string
  20485. namespace:
  20486. description: |-
  20487. The namespace of the Secret resource being referred to.
  20488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20489. maxLength: 63
  20490. minLength: 1
  20491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20492. type: string
  20493. type: object
  20494. username:
  20495. description: |-
  20496. Username is a username used to authenticate using the UserPass Vault
  20497. authentication method
  20498. type: string
  20499. required:
  20500. - path
  20501. - username
  20502. type: object
  20503. type: object
  20504. caBundle:
  20505. description: |-
  20506. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20507. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20508. plain HTTP protocol connection. If not set the system root certificates
  20509. are used to validate the TLS connection.
  20510. format: byte
  20511. type: string
  20512. caProvider:
  20513. description: The provider for the CA bundle to use to validate Vault server certificate.
  20514. properties:
  20515. key:
  20516. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20517. maxLength: 253
  20518. minLength: 1
  20519. pattern: ^[-._a-zA-Z0-9]+$
  20520. type: string
  20521. name:
  20522. description: The name of the object located at the provider type.
  20523. maxLength: 253
  20524. minLength: 1
  20525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20526. type: string
  20527. namespace:
  20528. description: |-
  20529. The namespace the Provider type is in.
  20530. Can only be defined when used in a ClusterSecretStore.
  20531. maxLength: 63
  20532. minLength: 1
  20533. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20534. type: string
  20535. type:
  20536. description: The type of provider to use such as "Secret", or "ConfigMap".
  20537. enum:
  20538. - Secret
  20539. - ConfigMap
  20540. type: string
  20541. required:
  20542. - name
  20543. - type
  20544. type: object
  20545. checkAndSet:
  20546. description: |-
  20547. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20548. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20549. the current version of the secret to prevent unintentional overwrites.
  20550. properties:
  20551. required:
  20552. description: |-
  20553. Required when true, all write operations must include a check-and-set parameter.
  20554. This helps prevent unintentional overwrites of secrets.
  20555. type: boolean
  20556. type: object
  20557. forwardInconsistent:
  20558. description: |-
  20559. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20560. leader instead of simply retrying within a loop. This can increase performance if
  20561. the option is enabled serverside.
  20562. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20563. type: boolean
  20564. headers:
  20565. additionalProperties:
  20566. type: string
  20567. description: Headers to be added in Vault request
  20568. type: object
  20569. namespace:
  20570. description: |-
  20571. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20572. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20573. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20574. type: string
  20575. path:
  20576. description: |-
  20577. Path is the mount path of the Vault KV backend endpoint, e.g:
  20578. "secret". The v2 KV secret engine version specific "/data" path suffix
  20579. for fetching secrets from Vault is optional and will be appended
  20580. if not present in specified path.
  20581. type: string
  20582. readYourWrites:
  20583. description: |-
  20584. ReadYourWrites ensures isolated read-after-write semantics by
  20585. providing discovered cluster replication states in each request.
  20586. More information about eventual consistency in Vault can be found here
  20587. https://www.vaultproject.io/docs/enterprise/consistency
  20588. type: boolean
  20589. server:
  20590. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20591. type: string
  20592. tls:
  20593. description: |-
  20594. The configuration used for client side related TLS communication, when the Vault server
  20595. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20596. This parameter is ignored for plain HTTP protocol connection.
  20597. It's worth noting this configuration is different from the "TLS certificates auth method",
  20598. which is available under the `auth.cert` section.
  20599. properties:
  20600. certSecretRef:
  20601. description: |-
  20602. CertSecretRef is a certificate added to the transport layer
  20603. when communicating with the Vault server.
  20604. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20605. properties:
  20606. key:
  20607. description: |-
  20608. A key in the referenced Secret.
  20609. Some instances of this field may be defaulted, in others it may be required.
  20610. maxLength: 253
  20611. minLength: 1
  20612. pattern: ^[-._a-zA-Z0-9]+$
  20613. type: string
  20614. name:
  20615. description: The name of the Secret resource being referred to.
  20616. maxLength: 253
  20617. minLength: 1
  20618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20619. type: string
  20620. namespace:
  20621. description: |-
  20622. The namespace of the Secret resource being referred to.
  20623. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20624. maxLength: 63
  20625. minLength: 1
  20626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20627. type: string
  20628. type: object
  20629. keySecretRef:
  20630. description: |-
  20631. KeySecretRef to a key in a Secret resource containing client private key
  20632. added to the transport layer when communicating with the Vault server.
  20633. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20634. properties:
  20635. key:
  20636. description: |-
  20637. A key in the referenced Secret.
  20638. Some instances of this field may be defaulted, in others it may be required.
  20639. maxLength: 253
  20640. minLength: 1
  20641. pattern: ^[-._a-zA-Z0-9]+$
  20642. type: string
  20643. name:
  20644. description: The name of the Secret resource being referred to.
  20645. maxLength: 253
  20646. minLength: 1
  20647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20648. type: string
  20649. namespace:
  20650. description: |-
  20651. The namespace of the Secret resource being referred to.
  20652. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20653. maxLength: 63
  20654. minLength: 1
  20655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20656. type: string
  20657. type: object
  20658. type: object
  20659. version:
  20660. default: v2
  20661. description: |-
  20662. Version is the Vault KV secret engine version. This can be either "v1" or
  20663. "v2". Version defaults to "v2".
  20664. enum:
  20665. - v1
  20666. - v2
  20667. type: string
  20668. required:
  20669. - server
  20670. type: object
  20671. volcengine:
  20672. description: Volcengine configures this store to sync secrets using the Volcengine provider
  20673. properties:
  20674. auth:
  20675. description: |-
  20676. Auth defines the authentication method to use.
  20677. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  20678. properties:
  20679. secretRef:
  20680. description: |-
  20681. SecretRef defines the static credentials to use for authentication.
  20682. If not set, IRSA is used.
  20683. properties:
  20684. accessKeyID:
  20685. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  20686. properties:
  20687. key:
  20688. description: |-
  20689. A key in the referenced Secret.
  20690. Some instances of this field may be defaulted, in others it may be required.
  20691. maxLength: 253
  20692. minLength: 1
  20693. pattern: ^[-._a-zA-Z0-9]+$
  20694. type: string
  20695. name:
  20696. description: The name of the Secret resource being referred to.
  20697. maxLength: 253
  20698. minLength: 1
  20699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20700. type: string
  20701. namespace:
  20702. description: |-
  20703. The namespace of the Secret resource being referred to.
  20704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20705. maxLength: 63
  20706. minLength: 1
  20707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20708. type: string
  20709. type: object
  20710. secretAccessKey:
  20711. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  20712. properties:
  20713. key:
  20714. description: |-
  20715. A key in the referenced Secret.
  20716. Some instances of this field may be defaulted, in others it may be required.
  20717. maxLength: 253
  20718. minLength: 1
  20719. pattern: ^[-._a-zA-Z0-9]+$
  20720. type: string
  20721. name:
  20722. description: The name of the Secret resource being referred to.
  20723. maxLength: 253
  20724. minLength: 1
  20725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20726. type: string
  20727. namespace:
  20728. description: |-
  20729. The namespace of the Secret resource being referred to.
  20730. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20731. maxLength: 63
  20732. minLength: 1
  20733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20734. type: string
  20735. type: object
  20736. token:
  20737. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  20738. properties:
  20739. key:
  20740. description: |-
  20741. A key in the referenced Secret.
  20742. Some instances of this field may be defaulted, in others it may be required.
  20743. maxLength: 253
  20744. minLength: 1
  20745. pattern: ^[-._a-zA-Z0-9]+$
  20746. type: string
  20747. name:
  20748. description: The name of the Secret resource being referred to.
  20749. maxLength: 253
  20750. minLength: 1
  20751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20752. type: string
  20753. namespace:
  20754. description: |-
  20755. The namespace of the Secret resource being referred to.
  20756. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20757. maxLength: 63
  20758. minLength: 1
  20759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20760. type: string
  20761. type: object
  20762. required:
  20763. - accessKeyID
  20764. - secretAccessKey
  20765. type: object
  20766. type: object
  20767. region:
  20768. description: Region specifies the Volcengine region to connect to.
  20769. type: string
  20770. required:
  20771. - region
  20772. type: object
  20773. webhook:
  20774. description: Webhook configures this store to sync secrets using a generic templated webhook
  20775. properties:
  20776. auth:
  20777. description: Auth specifies a authorization protocol. Only one protocol may be set.
  20778. maxProperties: 1
  20779. minProperties: 1
  20780. properties:
  20781. ntlm:
  20782. description: NTLMProtocol configures the store to use NTLM for auth
  20783. properties:
  20784. passwordSecret:
  20785. description: |-
  20786. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20787. In some instances, `key` is a required field.
  20788. properties:
  20789. key:
  20790. description: |-
  20791. A key in the referenced Secret.
  20792. Some instances of this field may be defaulted, in others it may be required.
  20793. maxLength: 253
  20794. minLength: 1
  20795. pattern: ^[-._a-zA-Z0-9]+$
  20796. type: string
  20797. name:
  20798. description: The name of the Secret resource being referred to.
  20799. maxLength: 253
  20800. minLength: 1
  20801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20802. type: string
  20803. namespace:
  20804. description: |-
  20805. The namespace of the Secret resource being referred to.
  20806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20807. maxLength: 63
  20808. minLength: 1
  20809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20810. type: string
  20811. type: object
  20812. usernameSecret:
  20813. description: |-
  20814. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20815. In some instances, `key` is a required field.
  20816. properties:
  20817. key:
  20818. description: |-
  20819. A key in the referenced Secret.
  20820. Some instances of this field may be defaulted, in others it may be required.
  20821. maxLength: 253
  20822. minLength: 1
  20823. pattern: ^[-._a-zA-Z0-9]+$
  20824. type: string
  20825. name:
  20826. description: The name of the Secret resource being referred to.
  20827. maxLength: 253
  20828. minLength: 1
  20829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20830. type: string
  20831. namespace:
  20832. description: |-
  20833. The namespace of the Secret resource being referred to.
  20834. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20835. maxLength: 63
  20836. minLength: 1
  20837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20838. type: string
  20839. type: object
  20840. required:
  20841. - passwordSecret
  20842. - usernameSecret
  20843. type: object
  20844. type: object
  20845. body:
  20846. description: Body
  20847. type: string
  20848. caBundle:
  20849. description: |-
  20850. PEM encoded CA bundle used to validate webhook server certificate. Only used
  20851. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20852. plain HTTP protocol connection. If not set the system root certificates
  20853. are used to validate the TLS connection.
  20854. format: byte
  20855. type: string
  20856. caProvider:
  20857. description: The provider for the CA bundle to use to validate webhook server certificate.
  20858. properties:
  20859. key:
  20860. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20861. maxLength: 253
  20862. minLength: 1
  20863. pattern: ^[-._a-zA-Z0-9]+$
  20864. type: string
  20865. name:
  20866. description: The name of the object located at the provider type.
  20867. maxLength: 253
  20868. minLength: 1
  20869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20870. type: string
  20871. namespace:
  20872. description: The namespace the Provider type is in.
  20873. maxLength: 63
  20874. minLength: 1
  20875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20876. type: string
  20877. type:
  20878. description: The type of provider to use such as "Secret", or "ConfigMap".
  20879. enum:
  20880. - Secret
  20881. - ConfigMap
  20882. type: string
  20883. required:
  20884. - name
  20885. - type
  20886. type: object
  20887. headers:
  20888. additionalProperties:
  20889. type: string
  20890. description: Headers
  20891. type: object
  20892. method:
  20893. description: Webhook Method
  20894. type: string
  20895. result:
  20896. description: Result formatting
  20897. properties:
  20898. jsonPath:
  20899. description: Json path of return value
  20900. type: string
  20901. type: object
  20902. secrets:
  20903. description: |-
  20904. Secrets to fill in templates
  20905. These secrets will be passed to the templating function as key value pairs under the given name
  20906. items:
  20907. description: WebhookSecret defines a secret that will be passed to the webhook request.
  20908. properties:
  20909. name:
  20910. description: Name of this secret in templates
  20911. type: string
  20912. secretRef:
  20913. description: Secret ref to fill in credentials
  20914. properties:
  20915. key:
  20916. description: |-
  20917. A key in the referenced Secret.
  20918. Some instances of this field may be defaulted, in others it may be required.
  20919. maxLength: 253
  20920. minLength: 1
  20921. pattern: ^[-._a-zA-Z0-9]+$
  20922. type: string
  20923. name:
  20924. description: The name of the Secret resource being referred to.
  20925. maxLength: 253
  20926. minLength: 1
  20927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20928. type: string
  20929. namespace:
  20930. description: |-
  20931. The namespace of the Secret resource being referred to.
  20932. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20933. maxLength: 63
  20934. minLength: 1
  20935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20936. type: string
  20937. type: object
  20938. required:
  20939. - name
  20940. - secretRef
  20941. type: object
  20942. type: array
  20943. timeout:
  20944. description: Timeout
  20945. type: string
  20946. url:
  20947. description: Webhook url to call
  20948. type: string
  20949. required:
  20950. - url
  20951. type: object
  20952. yandexcertificatemanager:
  20953. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  20954. properties:
  20955. apiEndpoint:
  20956. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20957. type: string
  20958. auth:
  20959. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20960. properties:
  20961. authorizedKeySecretRef:
  20962. description: The authorized key used for authentication
  20963. properties:
  20964. key:
  20965. description: |-
  20966. A key in the referenced Secret.
  20967. Some instances of this field may be defaulted, in others it may be required.
  20968. maxLength: 253
  20969. minLength: 1
  20970. pattern: ^[-._a-zA-Z0-9]+$
  20971. type: string
  20972. name:
  20973. description: The name of the Secret resource being referred to.
  20974. maxLength: 253
  20975. minLength: 1
  20976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20977. type: string
  20978. namespace:
  20979. description: |-
  20980. The namespace of the Secret resource being referred to.
  20981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20982. maxLength: 63
  20983. minLength: 1
  20984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20985. type: string
  20986. type: object
  20987. type: object
  20988. caProvider:
  20989. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20990. properties:
  20991. certSecretRef:
  20992. description: |-
  20993. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20994. In some instances, `key` is a required field.
  20995. properties:
  20996. key:
  20997. description: |-
  20998. A key in the referenced Secret.
  20999. Some instances of this field may be defaulted, in others it may be required.
  21000. maxLength: 253
  21001. minLength: 1
  21002. pattern: ^[-._a-zA-Z0-9]+$
  21003. type: string
  21004. name:
  21005. description: The name of the Secret resource being referred to.
  21006. maxLength: 253
  21007. minLength: 1
  21008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21009. type: string
  21010. namespace:
  21011. description: |-
  21012. The namespace of the Secret resource being referred to.
  21013. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21014. maxLength: 63
  21015. minLength: 1
  21016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21017. type: string
  21018. type: object
  21019. type: object
  21020. fetching:
  21021. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  21022. maxProperties: 1
  21023. minProperties: 1
  21024. properties:
  21025. byID:
  21026. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21027. type: object
  21028. byName:
  21029. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21030. properties:
  21031. folderID:
  21032. description: The folder to fetch secrets from
  21033. type: string
  21034. required:
  21035. - folderID
  21036. type: object
  21037. type: object
  21038. required:
  21039. - auth
  21040. type: object
  21041. yandexlockbox:
  21042. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  21043. properties:
  21044. apiEndpoint:
  21045. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21046. type: string
  21047. auth:
  21048. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21049. properties:
  21050. authorizedKeySecretRef:
  21051. description: The authorized key used for authentication
  21052. properties:
  21053. key:
  21054. description: |-
  21055. A key in the referenced Secret.
  21056. Some instances of this field may be defaulted, in others it may be required.
  21057. maxLength: 253
  21058. minLength: 1
  21059. pattern: ^[-._a-zA-Z0-9]+$
  21060. type: string
  21061. name:
  21062. description: The name of the Secret resource being referred to.
  21063. maxLength: 253
  21064. minLength: 1
  21065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21066. type: string
  21067. namespace:
  21068. description: |-
  21069. The namespace of the Secret resource being referred to.
  21070. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21071. maxLength: 63
  21072. minLength: 1
  21073. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21074. type: string
  21075. type: object
  21076. type: object
  21077. caProvider:
  21078. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21079. properties:
  21080. certSecretRef:
  21081. description: |-
  21082. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21083. In some instances, `key` is a required field.
  21084. properties:
  21085. key:
  21086. description: |-
  21087. A key in the referenced Secret.
  21088. Some instances of this field may be defaulted, in others it may be required.
  21089. maxLength: 253
  21090. minLength: 1
  21091. pattern: ^[-._a-zA-Z0-9]+$
  21092. type: string
  21093. name:
  21094. description: The name of the Secret resource being referred to.
  21095. maxLength: 253
  21096. minLength: 1
  21097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21098. type: string
  21099. namespace:
  21100. description: |-
  21101. The namespace of the Secret resource being referred to.
  21102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21103. maxLength: 63
  21104. minLength: 1
  21105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21106. type: string
  21107. type: object
  21108. type: object
  21109. fetching:
  21110. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  21111. maxProperties: 1
  21112. minProperties: 1
  21113. properties:
  21114. byID:
  21115. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21116. type: object
  21117. byName:
  21118. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21119. properties:
  21120. folderID:
  21121. description: The folder to fetch secrets from
  21122. type: string
  21123. required:
  21124. - folderID
  21125. type: object
  21126. type: object
  21127. required:
  21128. - auth
  21129. type: object
  21130. type: object
  21131. refreshInterval:
  21132. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  21133. type: integer
  21134. retrySettings:
  21135. description: Used to configure HTTP retries on failures.
  21136. properties:
  21137. maxRetries:
  21138. format: int32
  21139. type: integer
  21140. retryInterval:
  21141. type: string
  21142. type: object
  21143. required:
  21144. - provider
  21145. type: object
  21146. status:
  21147. description: SecretStoreStatus defines the observed state of the SecretStore.
  21148. properties:
  21149. capabilities:
  21150. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  21151. type: string
  21152. conditions:
  21153. items:
  21154. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  21155. properties:
  21156. lastTransitionTime:
  21157. format: date-time
  21158. type: string
  21159. message:
  21160. type: string
  21161. reason:
  21162. type: string
  21163. status:
  21164. type: string
  21165. type:
  21166. description: SecretStoreConditionType represents the condition of the SecretStore.
  21167. type: string
  21168. required:
  21169. - status
  21170. - type
  21171. type: object
  21172. type: array
  21173. type: object
  21174. type: object
  21175. served: true
  21176. storage: true
  21177. subresources:
  21178. status: {}
  21179. - additionalPrinterColumns:
  21180. - jsonPath: .metadata.creationTimestamp
  21181. name: AGE
  21182. type: date
  21183. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  21184. name: Status
  21185. type: string
  21186. - jsonPath: .status.capabilities
  21187. name: Capabilities
  21188. type: string
  21189. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  21190. name: Ready
  21191. type: string
  21192. deprecated: true
  21193. name: v1beta1
  21194. schema:
  21195. openAPIV3Schema:
  21196. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21197. properties:
  21198. apiVersion:
  21199. description: |-
  21200. APIVersion defines the versioned schema of this representation of an object.
  21201. Servers should convert recognized schemas to the latest internal value, and
  21202. may reject unrecognized values.
  21203. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21204. type: string
  21205. kind:
  21206. description: |-
  21207. Kind is a string value representing the REST resource this object represents.
  21208. Servers may infer this from the endpoint the client submits requests to.
  21209. Cannot be updated.
  21210. In CamelCase.
  21211. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21212. type: string
  21213. metadata:
  21214. type: object
  21215. spec:
  21216. description: SecretStoreSpec defines the desired state of SecretStore.
  21217. properties:
  21218. conditions:
  21219. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21220. items:
  21221. description: |-
  21222. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21223. for a ClusterSecretStore instance.
  21224. properties:
  21225. namespaceRegexes:
  21226. description: Choose namespaces by using regex matching
  21227. items:
  21228. type: string
  21229. type: array
  21230. namespaceSelector:
  21231. description: Choose namespace using a labelSelector
  21232. properties:
  21233. matchExpressions:
  21234. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21235. items:
  21236. description: |-
  21237. A label selector requirement is a selector that contains values, a key, and an operator that
  21238. relates the key and values.
  21239. properties:
  21240. key:
  21241. description: key is the label key that the selector applies to.
  21242. type: string
  21243. operator:
  21244. description: |-
  21245. operator represents a key's relationship to a set of values.
  21246. Valid operators are In, NotIn, Exists and DoesNotExist.
  21247. type: string
  21248. values:
  21249. description: |-
  21250. values is an array of string values. If the operator is In or NotIn,
  21251. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21252. the values array must be empty. This array is replaced during a strategic
  21253. merge patch.
  21254. items:
  21255. type: string
  21256. type: array
  21257. x-kubernetes-list-type: atomic
  21258. required:
  21259. - key
  21260. - operator
  21261. type: object
  21262. type: array
  21263. x-kubernetes-list-type: atomic
  21264. matchLabels:
  21265. additionalProperties:
  21266. type: string
  21267. description: |-
  21268. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21269. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21270. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21271. type: object
  21272. type: object
  21273. x-kubernetes-map-type: atomic
  21274. namespaces:
  21275. description: Choose namespaces by name
  21276. items:
  21277. maxLength: 63
  21278. minLength: 1
  21279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21280. type: string
  21281. type: array
  21282. type: object
  21283. type: array
  21284. controller:
  21285. description: |-
  21286. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21287. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21288. type: string
  21289. provider:
  21290. description: Used to configure the provider. Only one provider may be set
  21291. maxProperties: 1
  21292. minProperties: 1
  21293. properties:
  21294. akeyless:
  21295. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21296. properties:
  21297. akeylessGWApiURL:
  21298. description: Akeyless GW API Url from which the secrets to be fetched from.
  21299. type: string
  21300. authSecretRef:
  21301. description: Auth configures how the operator authenticates with Akeyless.
  21302. properties:
  21303. kubernetesAuth:
  21304. description: |-
  21305. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21306. token stored in the named Secret resource.
  21307. properties:
  21308. accessID:
  21309. description: the Akeyless Kubernetes auth-method access-id
  21310. type: string
  21311. k8sConfName:
  21312. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21313. type: string
  21314. secretRef:
  21315. description: |-
  21316. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21317. for authenticating with Akeyless. If a name is specified without a key,
  21318. `token` is the default. If one is not specified, the one bound to
  21319. the controller will be used.
  21320. properties:
  21321. key:
  21322. description: |-
  21323. A key in the referenced Secret.
  21324. Some instances of this field may be defaulted, in others it may be required.
  21325. maxLength: 253
  21326. minLength: 1
  21327. pattern: ^[-._a-zA-Z0-9]+$
  21328. type: string
  21329. name:
  21330. description: The name of the Secret resource being referred to.
  21331. maxLength: 253
  21332. minLength: 1
  21333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21334. type: string
  21335. namespace:
  21336. description: |-
  21337. The namespace of the Secret resource being referred to.
  21338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21339. maxLength: 63
  21340. minLength: 1
  21341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21342. type: string
  21343. type: object
  21344. serviceAccountRef:
  21345. description: |-
  21346. Optional service account field containing the name of a kubernetes ServiceAccount.
  21347. If the service account is specified, the service account secret token JWT will be used
  21348. for authenticating with Akeyless. If the service account selector is not supplied,
  21349. the secretRef will be used instead.
  21350. properties:
  21351. audiences:
  21352. description: |-
  21353. Audience specifies the `aud` claim for the service account token
  21354. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21355. then this audiences will be appended to the list
  21356. items:
  21357. type: string
  21358. type: array
  21359. name:
  21360. description: The name of the ServiceAccount resource being referred to.
  21361. maxLength: 253
  21362. minLength: 1
  21363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21364. type: string
  21365. namespace:
  21366. description: |-
  21367. Namespace of the resource being referred to.
  21368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21369. maxLength: 63
  21370. minLength: 1
  21371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21372. type: string
  21373. required:
  21374. - name
  21375. type: object
  21376. required:
  21377. - accessID
  21378. - k8sConfName
  21379. type: object
  21380. secretRef:
  21381. description: |-
  21382. Reference to a Secret that contains the details
  21383. to authenticate with Akeyless.
  21384. properties:
  21385. accessID:
  21386. description: The SecretAccessID is used for authentication
  21387. properties:
  21388. key:
  21389. description: |-
  21390. A key in the referenced Secret.
  21391. Some instances of this field may be defaulted, in others it may be required.
  21392. maxLength: 253
  21393. minLength: 1
  21394. pattern: ^[-._a-zA-Z0-9]+$
  21395. type: string
  21396. name:
  21397. description: The name of the Secret resource being referred to.
  21398. maxLength: 253
  21399. minLength: 1
  21400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21401. type: string
  21402. namespace:
  21403. description: |-
  21404. The namespace of the Secret resource being referred to.
  21405. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21406. maxLength: 63
  21407. minLength: 1
  21408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21409. type: string
  21410. type: object
  21411. accessType:
  21412. description: |-
  21413. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21414. In some instances, `key` is a required field.
  21415. properties:
  21416. key:
  21417. description: |-
  21418. A key in the referenced Secret.
  21419. Some instances of this field may be defaulted, in others it may be required.
  21420. maxLength: 253
  21421. minLength: 1
  21422. pattern: ^[-._a-zA-Z0-9]+$
  21423. type: string
  21424. name:
  21425. description: The name of the Secret resource being referred to.
  21426. maxLength: 253
  21427. minLength: 1
  21428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21429. type: string
  21430. namespace:
  21431. description: |-
  21432. The namespace of the Secret resource being referred to.
  21433. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21434. maxLength: 63
  21435. minLength: 1
  21436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21437. type: string
  21438. type: object
  21439. accessTypeParam:
  21440. description: |-
  21441. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21442. In some instances, `key` is a required field.
  21443. properties:
  21444. key:
  21445. description: |-
  21446. A key in the referenced Secret.
  21447. Some instances of this field may be defaulted, in others it may be required.
  21448. maxLength: 253
  21449. minLength: 1
  21450. pattern: ^[-._a-zA-Z0-9]+$
  21451. type: string
  21452. name:
  21453. description: The name of the Secret resource being referred to.
  21454. maxLength: 253
  21455. minLength: 1
  21456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21457. type: string
  21458. namespace:
  21459. description: |-
  21460. The namespace of the Secret resource being referred to.
  21461. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21462. maxLength: 63
  21463. minLength: 1
  21464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21465. type: string
  21466. type: object
  21467. type: object
  21468. type: object
  21469. caBundle:
  21470. description: |-
  21471. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21472. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21473. are used to validate the TLS connection.
  21474. format: byte
  21475. type: string
  21476. caProvider:
  21477. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21478. properties:
  21479. key:
  21480. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21481. maxLength: 253
  21482. minLength: 1
  21483. pattern: ^[-._a-zA-Z0-9]+$
  21484. type: string
  21485. name:
  21486. description: The name of the object located at the provider type.
  21487. maxLength: 253
  21488. minLength: 1
  21489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21490. type: string
  21491. namespace:
  21492. description: |-
  21493. The namespace the Provider type is in.
  21494. Can only be defined when used in a ClusterSecretStore.
  21495. maxLength: 63
  21496. minLength: 1
  21497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21498. type: string
  21499. type:
  21500. description: The type of provider to use such as "Secret", or "ConfigMap".
  21501. enum:
  21502. - Secret
  21503. - ConfigMap
  21504. type: string
  21505. required:
  21506. - name
  21507. - type
  21508. type: object
  21509. required:
  21510. - akeylessGWApiURL
  21511. - authSecretRef
  21512. type: object
  21513. alibaba:
  21514. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21515. properties:
  21516. auth:
  21517. description: AlibabaAuth contains a secretRef for credentials.
  21518. properties:
  21519. rrsa:
  21520. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21521. properties:
  21522. oidcProviderArn:
  21523. type: string
  21524. oidcTokenFilePath:
  21525. type: string
  21526. roleArn:
  21527. type: string
  21528. sessionName:
  21529. type: string
  21530. required:
  21531. - oidcProviderArn
  21532. - oidcTokenFilePath
  21533. - roleArn
  21534. - sessionName
  21535. type: object
  21536. secretRef:
  21537. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21538. properties:
  21539. accessKeyIDSecretRef:
  21540. description: The AccessKeyID is used for authentication
  21541. properties:
  21542. key:
  21543. description: |-
  21544. A key in the referenced Secret.
  21545. Some instances of this field may be defaulted, in others it may be required.
  21546. maxLength: 253
  21547. minLength: 1
  21548. pattern: ^[-._a-zA-Z0-9]+$
  21549. type: string
  21550. name:
  21551. description: The name of the Secret resource being referred to.
  21552. maxLength: 253
  21553. minLength: 1
  21554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21555. type: string
  21556. namespace:
  21557. description: |-
  21558. The namespace of the Secret resource being referred to.
  21559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21560. maxLength: 63
  21561. minLength: 1
  21562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21563. type: string
  21564. type: object
  21565. accessKeySecretSecretRef:
  21566. description: The AccessKeySecret is used for authentication
  21567. properties:
  21568. key:
  21569. description: |-
  21570. A key in the referenced Secret.
  21571. Some instances of this field may be defaulted, in others it may be required.
  21572. maxLength: 253
  21573. minLength: 1
  21574. pattern: ^[-._a-zA-Z0-9]+$
  21575. type: string
  21576. name:
  21577. description: The name of the Secret resource being referred to.
  21578. maxLength: 253
  21579. minLength: 1
  21580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21581. type: string
  21582. namespace:
  21583. description: |-
  21584. The namespace of the Secret resource being referred to.
  21585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21586. maxLength: 63
  21587. minLength: 1
  21588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21589. type: string
  21590. type: object
  21591. required:
  21592. - accessKeyIDSecretRef
  21593. - accessKeySecretSecretRef
  21594. type: object
  21595. type: object
  21596. regionID:
  21597. description: Alibaba Region to be used for the provider
  21598. type: string
  21599. required:
  21600. - auth
  21601. - regionID
  21602. type: object
  21603. aws:
  21604. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21605. properties:
  21606. additionalRoles:
  21607. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21608. items:
  21609. type: string
  21610. type: array
  21611. auth:
  21612. description: |-
  21613. Auth defines the information necessary to authenticate against AWS
  21614. if not set aws sdk will infer credentials from your environment
  21615. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21616. properties:
  21617. jwt:
  21618. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21619. properties:
  21620. serviceAccountRef:
  21621. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21622. properties:
  21623. audiences:
  21624. description: |-
  21625. Audience specifies the `aud` claim for the service account token
  21626. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21627. then this audiences will be appended to the list
  21628. items:
  21629. type: string
  21630. type: array
  21631. name:
  21632. description: The name of the ServiceAccount resource being referred to.
  21633. maxLength: 253
  21634. minLength: 1
  21635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21636. type: string
  21637. namespace:
  21638. description: |-
  21639. Namespace of the resource being referred to.
  21640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21641. maxLength: 63
  21642. minLength: 1
  21643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21644. type: string
  21645. required:
  21646. - name
  21647. type: object
  21648. type: object
  21649. secretRef:
  21650. description: |-
  21651. AWSAuthSecretRef holds secret references for AWS credentials
  21652. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21653. properties:
  21654. accessKeyIDSecretRef:
  21655. description: The AccessKeyID is used for authentication
  21656. properties:
  21657. key:
  21658. description: |-
  21659. A key in the referenced Secret.
  21660. Some instances of this field may be defaulted, in others it may be required.
  21661. maxLength: 253
  21662. minLength: 1
  21663. pattern: ^[-._a-zA-Z0-9]+$
  21664. type: string
  21665. name:
  21666. description: The name of the Secret resource being referred to.
  21667. maxLength: 253
  21668. minLength: 1
  21669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21670. type: string
  21671. namespace:
  21672. description: |-
  21673. The namespace of the Secret resource being referred to.
  21674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21675. maxLength: 63
  21676. minLength: 1
  21677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21678. type: string
  21679. type: object
  21680. secretAccessKeySecretRef:
  21681. description: The SecretAccessKey is used for authentication
  21682. properties:
  21683. key:
  21684. description: |-
  21685. A key in the referenced Secret.
  21686. Some instances of this field may be defaulted, in others it may be required.
  21687. maxLength: 253
  21688. minLength: 1
  21689. pattern: ^[-._a-zA-Z0-9]+$
  21690. type: string
  21691. name:
  21692. description: The name of the Secret resource being referred to.
  21693. maxLength: 253
  21694. minLength: 1
  21695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21696. type: string
  21697. namespace:
  21698. description: |-
  21699. The namespace of the Secret resource being referred to.
  21700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21701. maxLength: 63
  21702. minLength: 1
  21703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21704. type: string
  21705. type: object
  21706. sessionTokenSecretRef:
  21707. description: |-
  21708. The SessionToken used for authentication
  21709. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  21710. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21711. properties:
  21712. key:
  21713. description: |-
  21714. A key in the referenced Secret.
  21715. Some instances of this field may be defaulted, in others it may be required.
  21716. maxLength: 253
  21717. minLength: 1
  21718. pattern: ^[-._a-zA-Z0-9]+$
  21719. type: string
  21720. name:
  21721. description: The name of the Secret resource being referred to.
  21722. maxLength: 253
  21723. minLength: 1
  21724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21725. type: string
  21726. namespace:
  21727. description: |-
  21728. The namespace of the Secret resource being referred to.
  21729. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21730. maxLength: 63
  21731. minLength: 1
  21732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21733. type: string
  21734. type: object
  21735. type: object
  21736. type: object
  21737. externalID:
  21738. description: AWS External ID set on assumed IAM roles
  21739. type: string
  21740. prefix:
  21741. description: Prefix adds a prefix to all retrieved values.
  21742. type: string
  21743. region:
  21744. description: AWS Region to be used for the provider
  21745. type: string
  21746. role:
  21747. description: Role is a Role ARN which the provider will assume
  21748. type: string
  21749. secretsManager:
  21750. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  21751. properties:
  21752. forceDeleteWithoutRecovery:
  21753. description: |-
  21754. Specifies whether to delete the secret without any recovery window. You
  21755. can't use both this parameter and RecoveryWindowInDays in the same call.
  21756. If you don't use either, then by default Secrets Manager uses a 30 day
  21757. recovery window.
  21758. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  21759. type: boolean
  21760. recoveryWindowInDays:
  21761. description: |-
  21762. The number of days from 7 to 30 that Secrets Manager waits before
  21763. permanently deleting the secret. You can't use both this parameter and
  21764. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  21765. then by default Secrets Manager uses a 30 day recovery window.
  21766. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  21767. format: int64
  21768. type: integer
  21769. type: object
  21770. service:
  21771. description: Service defines which service should be used to fetch the secrets
  21772. enum:
  21773. - SecretsManager
  21774. - ParameterStore
  21775. type: string
  21776. sessionTags:
  21777. description: AWS STS assume role session tags
  21778. items:
  21779. description: Tag defines a tag key and value for AWS resources.
  21780. properties:
  21781. key:
  21782. type: string
  21783. value:
  21784. type: string
  21785. required:
  21786. - key
  21787. - value
  21788. type: object
  21789. type: array
  21790. transitiveTagKeys:
  21791. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  21792. items:
  21793. type: string
  21794. type: array
  21795. required:
  21796. - region
  21797. - service
  21798. type: object
  21799. azurekv:
  21800. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  21801. properties:
  21802. authSecretRef:
  21803. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21804. properties:
  21805. clientCertificate:
  21806. description: The Azure ClientCertificate of the service principle used for authentication.
  21807. properties:
  21808. key:
  21809. description: |-
  21810. A key in the referenced Secret.
  21811. Some instances of this field may be defaulted, in others it may be required.
  21812. maxLength: 253
  21813. minLength: 1
  21814. pattern: ^[-._a-zA-Z0-9]+$
  21815. type: string
  21816. name:
  21817. description: The name of the Secret resource being referred to.
  21818. maxLength: 253
  21819. minLength: 1
  21820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21821. type: string
  21822. namespace:
  21823. description: |-
  21824. The namespace of the Secret resource being referred to.
  21825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21826. maxLength: 63
  21827. minLength: 1
  21828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21829. type: string
  21830. type: object
  21831. clientId:
  21832. description: The Azure clientId of the service principle or managed identity used for authentication.
  21833. properties:
  21834. key:
  21835. description: |-
  21836. A key in the referenced Secret.
  21837. Some instances of this field may be defaulted, in others it may be required.
  21838. maxLength: 253
  21839. minLength: 1
  21840. pattern: ^[-._a-zA-Z0-9]+$
  21841. type: string
  21842. name:
  21843. description: The name of the Secret resource being referred to.
  21844. maxLength: 253
  21845. minLength: 1
  21846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21847. type: string
  21848. namespace:
  21849. description: |-
  21850. The namespace of the Secret resource being referred to.
  21851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21852. maxLength: 63
  21853. minLength: 1
  21854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21855. type: string
  21856. type: object
  21857. clientSecret:
  21858. description: The Azure ClientSecret of the service principle used for authentication.
  21859. properties:
  21860. key:
  21861. description: |-
  21862. A key in the referenced Secret.
  21863. Some instances of this field may be defaulted, in others it may be required.
  21864. maxLength: 253
  21865. minLength: 1
  21866. pattern: ^[-._a-zA-Z0-9]+$
  21867. type: string
  21868. name:
  21869. description: The name of the Secret resource being referred to.
  21870. maxLength: 253
  21871. minLength: 1
  21872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21873. type: string
  21874. namespace:
  21875. description: |-
  21876. The namespace of the Secret resource being referred to.
  21877. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21878. maxLength: 63
  21879. minLength: 1
  21880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21881. type: string
  21882. type: object
  21883. tenantId:
  21884. description: The Azure tenantId of the managed identity used for authentication.
  21885. properties:
  21886. key:
  21887. description: |-
  21888. A key in the referenced Secret.
  21889. Some instances of this field may be defaulted, in others it may be required.
  21890. maxLength: 253
  21891. minLength: 1
  21892. pattern: ^[-._a-zA-Z0-9]+$
  21893. type: string
  21894. name:
  21895. description: The name of the Secret resource being referred to.
  21896. maxLength: 253
  21897. minLength: 1
  21898. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21899. type: string
  21900. namespace:
  21901. description: |-
  21902. The namespace of the Secret resource being referred to.
  21903. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21904. maxLength: 63
  21905. minLength: 1
  21906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21907. type: string
  21908. type: object
  21909. type: object
  21910. authType:
  21911. default: ServicePrincipal
  21912. description: |-
  21913. Auth type defines how to authenticate to the keyvault service.
  21914. Valid values are:
  21915. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  21916. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  21917. enum:
  21918. - ServicePrincipal
  21919. - ManagedIdentity
  21920. - WorkloadIdentity
  21921. type: string
  21922. environmentType:
  21923. default: PublicCloud
  21924. description: |-
  21925. EnvironmentType specifies the Azure cloud environment endpoints to use for
  21926. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  21927. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  21928. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  21929. enum:
  21930. - PublicCloud
  21931. - USGovernmentCloud
  21932. - ChinaCloud
  21933. - GermanCloud
  21934. type: string
  21935. identityId:
  21936. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  21937. type: string
  21938. serviceAccountRef:
  21939. description: |-
  21940. ServiceAccountRef specified the service account
  21941. that should be used when authenticating with WorkloadIdentity.
  21942. properties:
  21943. audiences:
  21944. description: |-
  21945. Audience specifies the `aud` claim for the service account token
  21946. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21947. then this audiences will be appended to the list
  21948. items:
  21949. type: string
  21950. type: array
  21951. name:
  21952. description: The name of the ServiceAccount resource being referred to.
  21953. maxLength: 253
  21954. minLength: 1
  21955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21956. type: string
  21957. namespace:
  21958. description: |-
  21959. Namespace of the resource being referred to.
  21960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21961. maxLength: 63
  21962. minLength: 1
  21963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21964. type: string
  21965. required:
  21966. - name
  21967. type: object
  21968. tenantId:
  21969. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21970. type: string
  21971. vaultUrl:
  21972. description: Vault Url from which the secrets to be fetched from.
  21973. type: string
  21974. required:
  21975. - vaultUrl
  21976. type: object
  21977. beyondtrust:
  21978. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  21979. properties:
  21980. auth:
  21981. description: Auth configures how the operator authenticates with Beyondtrust.
  21982. properties:
  21983. apiKey:
  21984. description: APIKey If not provided then ClientID/ClientSecret become required.
  21985. properties:
  21986. secretRef:
  21987. description: SecretRef references a key in a secret that will be used as value.
  21988. properties:
  21989. key:
  21990. description: |-
  21991. A key in the referenced Secret.
  21992. Some instances of this field may be defaulted, in others it may be required.
  21993. maxLength: 253
  21994. minLength: 1
  21995. pattern: ^[-._a-zA-Z0-9]+$
  21996. type: string
  21997. name:
  21998. description: The name of the Secret resource being referred to.
  21999. maxLength: 253
  22000. minLength: 1
  22001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22002. type: string
  22003. namespace:
  22004. description: |-
  22005. The namespace of the Secret resource being referred to.
  22006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22007. maxLength: 63
  22008. minLength: 1
  22009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22010. type: string
  22011. type: object
  22012. value:
  22013. description: Value can be specified directly to set a value without using a secret.
  22014. type: string
  22015. type: object
  22016. certificate:
  22017. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  22018. properties:
  22019. secretRef:
  22020. description: SecretRef references a key in a secret that will be used as value.
  22021. properties:
  22022. key:
  22023. description: |-
  22024. A key in the referenced Secret.
  22025. Some instances of this field may be defaulted, in others it may be required.
  22026. maxLength: 253
  22027. minLength: 1
  22028. pattern: ^[-._a-zA-Z0-9]+$
  22029. type: string
  22030. name:
  22031. description: The name of the Secret resource being referred to.
  22032. maxLength: 253
  22033. minLength: 1
  22034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22035. type: string
  22036. namespace:
  22037. description: |-
  22038. The namespace of the Secret resource being referred to.
  22039. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22040. maxLength: 63
  22041. minLength: 1
  22042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22043. type: string
  22044. type: object
  22045. value:
  22046. description: Value can be specified directly to set a value without using a secret.
  22047. type: string
  22048. type: object
  22049. certificateKey:
  22050. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  22051. properties:
  22052. secretRef:
  22053. description: SecretRef references a key in a secret that will be used as value.
  22054. properties:
  22055. key:
  22056. description: |-
  22057. A key in the referenced Secret.
  22058. Some instances of this field may be defaulted, in others it may be required.
  22059. maxLength: 253
  22060. minLength: 1
  22061. pattern: ^[-._a-zA-Z0-9]+$
  22062. type: string
  22063. name:
  22064. description: The name of the Secret resource being referred to.
  22065. maxLength: 253
  22066. minLength: 1
  22067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22068. type: string
  22069. namespace:
  22070. description: |-
  22071. The namespace of the Secret resource being referred to.
  22072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22073. maxLength: 63
  22074. minLength: 1
  22075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22076. type: string
  22077. type: object
  22078. value:
  22079. description: Value can be specified directly to set a value without using a secret.
  22080. type: string
  22081. type: object
  22082. clientId:
  22083. description: ClientID is the API OAuth Client ID.
  22084. properties:
  22085. secretRef:
  22086. description: SecretRef references a key in a secret that will be used as value.
  22087. properties:
  22088. key:
  22089. description: |-
  22090. A key in the referenced Secret.
  22091. Some instances of this field may be defaulted, in others it may be required.
  22092. maxLength: 253
  22093. minLength: 1
  22094. pattern: ^[-._a-zA-Z0-9]+$
  22095. type: string
  22096. name:
  22097. description: The name of the Secret resource being referred to.
  22098. maxLength: 253
  22099. minLength: 1
  22100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22101. type: string
  22102. namespace:
  22103. description: |-
  22104. The namespace of the Secret resource being referred to.
  22105. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22106. maxLength: 63
  22107. minLength: 1
  22108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22109. type: string
  22110. type: object
  22111. value:
  22112. description: Value can be specified directly to set a value without using a secret.
  22113. type: string
  22114. type: object
  22115. clientSecret:
  22116. description: ClientSecret is the API OAuth Client Secret.
  22117. properties:
  22118. secretRef:
  22119. description: SecretRef references a key in a secret that will be used as value.
  22120. properties:
  22121. key:
  22122. description: |-
  22123. A key in the referenced Secret.
  22124. Some instances of this field may be defaulted, in others it may be required.
  22125. maxLength: 253
  22126. minLength: 1
  22127. pattern: ^[-._a-zA-Z0-9]+$
  22128. type: string
  22129. name:
  22130. description: The name of the Secret resource being referred to.
  22131. maxLength: 253
  22132. minLength: 1
  22133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22134. type: string
  22135. namespace:
  22136. description: |-
  22137. The namespace of the Secret resource being referred to.
  22138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22139. maxLength: 63
  22140. minLength: 1
  22141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22142. type: string
  22143. type: object
  22144. value:
  22145. description: Value can be specified directly to set a value without using a secret.
  22146. type: string
  22147. type: object
  22148. type: object
  22149. server:
  22150. description: Auth configures how API server works.
  22151. properties:
  22152. apiUrl:
  22153. type: string
  22154. apiVersion:
  22155. type: string
  22156. clientTimeOutSeconds:
  22157. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  22158. type: integer
  22159. decrypt:
  22160. default: true
  22161. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  22162. type: boolean
  22163. retrievalType:
  22164. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  22165. type: string
  22166. separator:
  22167. description: A character that separates the folder names.
  22168. type: string
  22169. verifyCA:
  22170. type: boolean
  22171. required:
  22172. - apiUrl
  22173. - verifyCA
  22174. type: object
  22175. required:
  22176. - auth
  22177. - server
  22178. type: object
  22179. bitwardensecretsmanager:
  22180. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  22181. properties:
  22182. apiURL:
  22183. type: string
  22184. auth:
  22185. description: |-
  22186. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  22187. Make sure that the token being used has permissions on the given secret.
  22188. properties:
  22189. secretRef:
  22190. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  22191. properties:
  22192. credentials:
  22193. description: AccessToken used for the bitwarden instance.
  22194. properties:
  22195. key:
  22196. description: |-
  22197. A key in the referenced Secret.
  22198. Some instances of this field may be defaulted, in others it may be required.
  22199. maxLength: 253
  22200. minLength: 1
  22201. pattern: ^[-._a-zA-Z0-9]+$
  22202. type: string
  22203. name:
  22204. description: The name of the Secret resource being referred to.
  22205. maxLength: 253
  22206. minLength: 1
  22207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22208. type: string
  22209. namespace:
  22210. description: |-
  22211. The namespace of the Secret resource being referred to.
  22212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22213. maxLength: 63
  22214. minLength: 1
  22215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22216. type: string
  22217. type: object
  22218. required:
  22219. - credentials
  22220. type: object
  22221. required:
  22222. - secretRef
  22223. type: object
  22224. bitwardenServerSDKURL:
  22225. type: string
  22226. caBundle:
  22227. description: |-
  22228. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22229. can be performed.
  22230. type: string
  22231. caProvider:
  22232. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22233. properties:
  22234. key:
  22235. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22236. maxLength: 253
  22237. minLength: 1
  22238. pattern: ^[-._a-zA-Z0-9]+$
  22239. type: string
  22240. name:
  22241. description: The name of the object located at the provider type.
  22242. maxLength: 253
  22243. minLength: 1
  22244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22245. type: string
  22246. namespace:
  22247. description: |-
  22248. The namespace the Provider type is in.
  22249. Can only be defined when used in a ClusterSecretStore.
  22250. maxLength: 63
  22251. minLength: 1
  22252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22253. type: string
  22254. type:
  22255. description: The type of provider to use such as "Secret", or "ConfigMap".
  22256. enum:
  22257. - Secret
  22258. - ConfigMap
  22259. type: string
  22260. required:
  22261. - name
  22262. - type
  22263. type: object
  22264. identityURL:
  22265. type: string
  22266. organizationID:
  22267. description: OrganizationID determines which organization this secret store manages.
  22268. type: string
  22269. projectID:
  22270. description: ProjectID determines which project this secret store manages.
  22271. type: string
  22272. required:
  22273. - auth
  22274. - organizationID
  22275. - projectID
  22276. type: object
  22277. chef:
  22278. description: Chef configures this store to sync secrets with chef server
  22279. properties:
  22280. auth:
  22281. description: Auth defines the information necessary to authenticate against chef Server
  22282. properties:
  22283. secretRef:
  22284. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22285. properties:
  22286. privateKeySecretRef:
  22287. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22288. properties:
  22289. key:
  22290. description: |-
  22291. A key in the referenced Secret.
  22292. Some instances of this field may be defaulted, in others it may be required.
  22293. maxLength: 253
  22294. minLength: 1
  22295. pattern: ^[-._a-zA-Z0-9]+$
  22296. type: string
  22297. name:
  22298. description: The name of the Secret resource being referred to.
  22299. maxLength: 253
  22300. minLength: 1
  22301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22302. type: string
  22303. namespace:
  22304. description: |-
  22305. The namespace of the Secret resource being referred to.
  22306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22307. maxLength: 63
  22308. minLength: 1
  22309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22310. type: string
  22311. type: object
  22312. required:
  22313. - privateKeySecretRef
  22314. type: object
  22315. required:
  22316. - secretRef
  22317. type: object
  22318. serverUrl:
  22319. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  22320. type: string
  22321. username:
  22322. description: UserName should be the user ID on the chef server
  22323. type: string
  22324. required:
  22325. - auth
  22326. - serverUrl
  22327. - username
  22328. type: object
  22329. cloudrusm:
  22330. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22331. properties:
  22332. auth:
  22333. description: CSMAuth contains a secretRef for credentials.
  22334. properties:
  22335. secretRef:
  22336. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22337. properties:
  22338. accessKeyIDSecretRef:
  22339. description: The AccessKeyID is used for authentication
  22340. properties:
  22341. key:
  22342. description: |-
  22343. A key in the referenced Secret.
  22344. Some instances of this field may be defaulted, in others it may be required.
  22345. maxLength: 253
  22346. minLength: 1
  22347. pattern: ^[-._a-zA-Z0-9]+$
  22348. type: string
  22349. name:
  22350. description: The name of the Secret resource being referred to.
  22351. maxLength: 253
  22352. minLength: 1
  22353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22354. type: string
  22355. namespace:
  22356. description: |-
  22357. The namespace of the Secret resource being referred to.
  22358. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22359. maxLength: 63
  22360. minLength: 1
  22361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22362. type: string
  22363. type: object
  22364. accessKeySecretSecretRef:
  22365. description: The AccessKeySecret is used for authentication
  22366. properties:
  22367. key:
  22368. description: |-
  22369. A key in the referenced Secret.
  22370. Some instances of this field may be defaulted, in others it may be required.
  22371. maxLength: 253
  22372. minLength: 1
  22373. pattern: ^[-._a-zA-Z0-9]+$
  22374. type: string
  22375. name:
  22376. description: The name of the Secret resource being referred to.
  22377. maxLength: 253
  22378. minLength: 1
  22379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22380. type: string
  22381. namespace:
  22382. description: |-
  22383. The namespace of the Secret resource being referred to.
  22384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22385. maxLength: 63
  22386. minLength: 1
  22387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22388. type: string
  22389. type: object
  22390. required:
  22391. - accessKeyIDSecretRef
  22392. - accessKeySecretSecretRef
  22393. type: object
  22394. type: object
  22395. projectID:
  22396. description: ProjectID is the project, which the secrets are stored in.
  22397. type: string
  22398. required:
  22399. - auth
  22400. type: object
  22401. conjur:
  22402. description: Conjur configures this store to sync secrets using conjur provider
  22403. properties:
  22404. auth:
  22405. description: Defines authentication settings for connecting to Conjur.
  22406. properties:
  22407. apikey:
  22408. description: Authenticates with Conjur using an API key.
  22409. properties:
  22410. account:
  22411. description: Account is the Conjur organization account name.
  22412. type: string
  22413. apiKeyRef:
  22414. description: |-
  22415. A reference to a specific 'key' containing the Conjur API key
  22416. within a Secret resource. In some instances, `key` is a required field.
  22417. properties:
  22418. key:
  22419. description: |-
  22420. A key in the referenced Secret.
  22421. Some instances of this field may be defaulted, in others it may be required.
  22422. maxLength: 253
  22423. minLength: 1
  22424. pattern: ^[-._a-zA-Z0-9]+$
  22425. type: string
  22426. name:
  22427. description: The name of the Secret resource being referred to.
  22428. maxLength: 253
  22429. minLength: 1
  22430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22431. type: string
  22432. namespace:
  22433. description: |-
  22434. The namespace of the Secret resource being referred to.
  22435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22436. maxLength: 63
  22437. minLength: 1
  22438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22439. type: string
  22440. type: object
  22441. userRef:
  22442. description: |-
  22443. A reference to a specific 'key' containing the Conjur username
  22444. within a Secret resource. In some instances, `key` is a required field.
  22445. properties:
  22446. key:
  22447. description: |-
  22448. A key in the referenced Secret.
  22449. Some instances of this field may be defaulted, in others it may be required.
  22450. maxLength: 253
  22451. minLength: 1
  22452. pattern: ^[-._a-zA-Z0-9]+$
  22453. type: string
  22454. name:
  22455. description: The name of the Secret resource being referred to.
  22456. maxLength: 253
  22457. minLength: 1
  22458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22459. type: string
  22460. namespace:
  22461. description: |-
  22462. The namespace of the Secret resource being referred to.
  22463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22464. maxLength: 63
  22465. minLength: 1
  22466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22467. type: string
  22468. type: object
  22469. required:
  22470. - account
  22471. - apiKeyRef
  22472. - userRef
  22473. type: object
  22474. jwt:
  22475. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22476. properties:
  22477. account:
  22478. description: Account is the Conjur organization account name.
  22479. type: string
  22480. hostId:
  22481. description: |-
  22482. Optional HostID for JWT authentication. This may be used depending
  22483. on how the Conjur JWT authenticator policy is configured.
  22484. type: string
  22485. secretRef:
  22486. description: |-
  22487. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22488. authenticate with Conjur using the JWT authentication method.
  22489. properties:
  22490. key:
  22491. description: |-
  22492. A key in the referenced Secret.
  22493. Some instances of this field may be defaulted, in others it may be required.
  22494. maxLength: 253
  22495. minLength: 1
  22496. pattern: ^[-._a-zA-Z0-9]+$
  22497. type: string
  22498. name:
  22499. description: The name of the Secret resource being referred to.
  22500. maxLength: 253
  22501. minLength: 1
  22502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22503. type: string
  22504. namespace:
  22505. description: |-
  22506. The namespace of the Secret resource being referred to.
  22507. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22508. maxLength: 63
  22509. minLength: 1
  22510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22511. type: string
  22512. type: object
  22513. serviceAccountRef:
  22514. description: |-
  22515. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22516. a token for with the `TokenRequest` API.
  22517. properties:
  22518. audiences:
  22519. description: |-
  22520. Audience specifies the `aud` claim for the service account token
  22521. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22522. then this audiences will be appended to the list
  22523. items:
  22524. type: string
  22525. type: array
  22526. name:
  22527. description: The name of the ServiceAccount resource being referred to.
  22528. maxLength: 253
  22529. minLength: 1
  22530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22531. type: string
  22532. namespace:
  22533. description: |-
  22534. Namespace of the resource being referred to.
  22535. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22536. maxLength: 63
  22537. minLength: 1
  22538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22539. type: string
  22540. required:
  22541. - name
  22542. type: object
  22543. serviceID:
  22544. description: The conjur authn jwt webservice id
  22545. type: string
  22546. required:
  22547. - account
  22548. - serviceID
  22549. type: object
  22550. type: object
  22551. caBundle:
  22552. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22553. type: string
  22554. caProvider:
  22555. description: |-
  22556. Used to provide custom certificate authority (CA) certificates
  22557. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22558. that contains a PEM-encoded certificate.
  22559. properties:
  22560. key:
  22561. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22562. maxLength: 253
  22563. minLength: 1
  22564. pattern: ^[-._a-zA-Z0-9]+$
  22565. type: string
  22566. name:
  22567. description: The name of the object located at the provider type.
  22568. maxLength: 253
  22569. minLength: 1
  22570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22571. type: string
  22572. namespace:
  22573. description: |-
  22574. The namespace the Provider type is in.
  22575. Can only be defined when used in a ClusterSecretStore.
  22576. maxLength: 63
  22577. minLength: 1
  22578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22579. type: string
  22580. type:
  22581. description: The type of provider to use such as "Secret", or "ConfigMap".
  22582. enum:
  22583. - Secret
  22584. - ConfigMap
  22585. type: string
  22586. required:
  22587. - name
  22588. - type
  22589. type: object
  22590. url:
  22591. description: URL is the endpoint of the Conjur instance.
  22592. type: string
  22593. required:
  22594. - auth
  22595. - url
  22596. type: object
  22597. delinea:
  22598. description: |-
  22599. Delinea DevOps Secrets Vault
  22600. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22601. properties:
  22602. clientId:
  22603. description: ClientID is the non-secret part of the credential.
  22604. properties:
  22605. secretRef:
  22606. description: SecretRef references a key in a secret that will be used as value.
  22607. properties:
  22608. key:
  22609. description: |-
  22610. A key in the referenced Secret.
  22611. Some instances of this field may be defaulted, in others it may be required.
  22612. maxLength: 253
  22613. minLength: 1
  22614. pattern: ^[-._a-zA-Z0-9]+$
  22615. type: string
  22616. name:
  22617. description: The name of the Secret resource being referred to.
  22618. maxLength: 253
  22619. minLength: 1
  22620. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22621. type: string
  22622. namespace:
  22623. description: |-
  22624. The namespace of the Secret resource being referred to.
  22625. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22626. maxLength: 63
  22627. minLength: 1
  22628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22629. type: string
  22630. type: object
  22631. value:
  22632. description: Value can be specified directly to set a value without using a secret.
  22633. type: string
  22634. type: object
  22635. clientSecret:
  22636. description: ClientSecret is the secret part of the credential.
  22637. properties:
  22638. secretRef:
  22639. description: SecretRef references a key in a secret that will be used as value.
  22640. properties:
  22641. key:
  22642. description: |-
  22643. A key in the referenced Secret.
  22644. Some instances of this field may be defaulted, in others it may be required.
  22645. maxLength: 253
  22646. minLength: 1
  22647. pattern: ^[-._a-zA-Z0-9]+$
  22648. type: string
  22649. name:
  22650. description: The name of the Secret resource being referred to.
  22651. maxLength: 253
  22652. minLength: 1
  22653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22654. type: string
  22655. namespace:
  22656. description: |-
  22657. The namespace of the Secret resource being referred to.
  22658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22659. maxLength: 63
  22660. minLength: 1
  22661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22662. type: string
  22663. type: object
  22664. value:
  22665. description: Value can be specified directly to set a value without using a secret.
  22666. type: string
  22667. type: object
  22668. tenant:
  22669. description: Tenant is the chosen hostname / site name.
  22670. type: string
  22671. tld:
  22672. description: |-
  22673. TLD is based on the server location that was chosen during provisioning.
  22674. If unset, defaults to "com".
  22675. type: string
  22676. urlTemplate:
  22677. description: |-
  22678. URLTemplate
  22679. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  22680. type: string
  22681. required:
  22682. - clientId
  22683. - clientSecret
  22684. - tenant
  22685. type: object
  22686. device42:
  22687. description: Device42 configures this store to sync secrets using the Device42 provider
  22688. properties:
  22689. auth:
  22690. description: Auth configures how secret-manager authenticates with a Device42 instance.
  22691. properties:
  22692. secretRef:
  22693. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  22694. properties:
  22695. credentials:
  22696. description: Username / Password is used for authentication.
  22697. properties:
  22698. key:
  22699. description: |-
  22700. A key in the referenced Secret.
  22701. Some instances of this field may be defaulted, in others it may be required.
  22702. maxLength: 253
  22703. minLength: 1
  22704. pattern: ^[-._a-zA-Z0-9]+$
  22705. type: string
  22706. name:
  22707. description: The name of the Secret resource being referred to.
  22708. maxLength: 253
  22709. minLength: 1
  22710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22711. type: string
  22712. namespace:
  22713. description: |-
  22714. The namespace of the Secret resource being referred to.
  22715. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22716. maxLength: 63
  22717. minLength: 1
  22718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22719. type: string
  22720. type: object
  22721. type: object
  22722. required:
  22723. - secretRef
  22724. type: object
  22725. host:
  22726. description: URL configures the Device42 instance URL.
  22727. type: string
  22728. required:
  22729. - auth
  22730. - host
  22731. type: object
  22732. doppler:
  22733. description: Doppler configures this store to sync secrets using the Doppler provider
  22734. properties:
  22735. auth:
  22736. description: Auth configures how the Operator authenticates with the Doppler API
  22737. properties:
  22738. secretRef:
  22739. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  22740. properties:
  22741. dopplerToken:
  22742. description: |-
  22743. The DopplerToken is used for authentication.
  22744. See https://docs.doppler.com/reference/api#authentication for auth token types.
  22745. The Key attribute defaults to dopplerToken if not specified.
  22746. properties:
  22747. key:
  22748. description: |-
  22749. A key in the referenced Secret.
  22750. Some instances of this field may be defaulted, in others it may be required.
  22751. maxLength: 253
  22752. minLength: 1
  22753. pattern: ^[-._a-zA-Z0-9]+$
  22754. type: string
  22755. name:
  22756. description: The name of the Secret resource being referred to.
  22757. maxLength: 253
  22758. minLength: 1
  22759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22760. type: string
  22761. namespace:
  22762. description: |-
  22763. The namespace of the Secret resource being referred to.
  22764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22765. maxLength: 63
  22766. minLength: 1
  22767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22768. type: string
  22769. type: object
  22770. required:
  22771. - dopplerToken
  22772. type: object
  22773. required:
  22774. - secretRef
  22775. type: object
  22776. config:
  22777. description: Doppler config (required if not using a Service Token)
  22778. type: string
  22779. format:
  22780. description: Format enables the downloading of secrets as a file (string)
  22781. enum:
  22782. - json
  22783. - dotnet-json
  22784. - env
  22785. - yaml
  22786. - docker
  22787. type: string
  22788. nameTransformer:
  22789. description: Environment variable compatible name transforms that change secret names to a different format
  22790. enum:
  22791. - upper-camel
  22792. - camel
  22793. - lower-snake
  22794. - tf-var
  22795. - dotnet-env
  22796. - lower-kebab
  22797. type: string
  22798. project:
  22799. description: Doppler project (required if not using a Service Token)
  22800. type: string
  22801. required:
  22802. - auth
  22803. type: object
  22804. fake:
  22805. description: Fake configures a store with static key/value pairs
  22806. properties:
  22807. data:
  22808. items:
  22809. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  22810. properties:
  22811. key:
  22812. type: string
  22813. value:
  22814. type: string
  22815. version:
  22816. type: string
  22817. required:
  22818. - key
  22819. - value
  22820. type: object
  22821. type: array
  22822. required:
  22823. - data
  22824. type: object
  22825. fortanix:
  22826. description: Fortanix configures this store to sync secrets using the Fortanix provider
  22827. properties:
  22828. apiKey:
  22829. description: APIKey is the API token to access SDKMS Applications.
  22830. properties:
  22831. secretRef:
  22832. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  22833. properties:
  22834. key:
  22835. description: |-
  22836. A key in the referenced Secret.
  22837. Some instances of this field may be defaulted, in others it may be required.
  22838. maxLength: 253
  22839. minLength: 1
  22840. pattern: ^[-._a-zA-Z0-9]+$
  22841. type: string
  22842. name:
  22843. description: The name of the Secret resource being referred to.
  22844. maxLength: 253
  22845. minLength: 1
  22846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22847. type: string
  22848. namespace:
  22849. description: |-
  22850. The namespace of the Secret resource being referred to.
  22851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22852. maxLength: 63
  22853. minLength: 1
  22854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22855. type: string
  22856. type: object
  22857. type: object
  22858. apiUrl:
  22859. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  22860. type: string
  22861. type: object
  22862. gcpsm:
  22863. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  22864. properties:
  22865. auth:
  22866. description: Auth defines the information necessary to authenticate against GCP
  22867. properties:
  22868. secretRef:
  22869. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  22870. properties:
  22871. secretAccessKeySecretRef:
  22872. description: The SecretAccessKey is used for authentication
  22873. properties:
  22874. key:
  22875. description: |-
  22876. A key in the referenced Secret.
  22877. Some instances of this field may be defaulted, in others it may be required.
  22878. maxLength: 253
  22879. minLength: 1
  22880. pattern: ^[-._a-zA-Z0-9]+$
  22881. type: string
  22882. name:
  22883. description: The name of the Secret resource being referred to.
  22884. maxLength: 253
  22885. minLength: 1
  22886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22887. type: string
  22888. namespace:
  22889. description: |-
  22890. The namespace of the Secret resource being referred to.
  22891. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22892. maxLength: 63
  22893. minLength: 1
  22894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22895. type: string
  22896. type: object
  22897. type: object
  22898. workloadIdentity:
  22899. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  22900. properties:
  22901. clusterLocation:
  22902. description: |-
  22903. ClusterLocation is the location of the cluster
  22904. If not specified, it fetches information from the metadata server
  22905. type: string
  22906. clusterName:
  22907. description: |-
  22908. ClusterName is the name of the cluster
  22909. If not specified, it fetches information from the metadata server
  22910. type: string
  22911. clusterProjectID:
  22912. description: |-
  22913. ClusterProjectID is the project ID of the cluster
  22914. If not specified, it fetches information from the metadata server
  22915. type: string
  22916. serviceAccountRef:
  22917. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22918. properties:
  22919. audiences:
  22920. description: |-
  22921. Audience specifies the `aud` claim for the service account token
  22922. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22923. then this audiences will be appended to the list
  22924. items:
  22925. type: string
  22926. type: array
  22927. name:
  22928. description: The name of the ServiceAccount resource being referred to.
  22929. maxLength: 253
  22930. minLength: 1
  22931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22932. type: string
  22933. namespace:
  22934. description: |-
  22935. Namespace of the resource being referred to.
  22936. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22937. maxLength: 63
  22938. minLength: 1
  22939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22940. type: string
  22941. required:
  22942. - name
  22943. type: object
  22944. required:
  22945. - serviceAccountRef
  22946. type: object
  22947. type: object
  22948. location:
  22949. description: Location optionally defines a location for a secret
  22950. type: string
  22951. projectID:
  22952. description: ProjectID project where secret is located
  22953. type: string
  22954. type: object
  22955. github:
  22956. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  22957. properties:
  22958. appID:
  22959. description: appID specifies the Github APP that will be used to authenticate the client
  22960. format: int64
  22961. type: integer
  22962. auth:
  22963. description: auth configures how secret-manager authenticates with a Github instance.
  22964. properties:
  22965. privateKey:
  22966. description: |-
  22967. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22968. In some instances, `key` is a required field.
  22969. properties:
  22970. key:
  22971. description: |-
  22972. A key in the referenced Secret.
  22973. Some instances of this field may be defaulted, in others it may be required.
  22974. maxLength: 253
  22975. minLength: 1
  22976. pattern: ^[-._a-zA-Z0-9]+$
  22977. type: string
  22978. name:
  22979. description: The name of the Secret resource being referred to.
  22980. maxLength: 253
  22981. minLength: 1
  22982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22983. type: string
  22984. namespace:
  22985. description: |-
  22986. The namespace of the Secret resource being referred to.
  22987. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22988. maxLength: 63
  22989. minLength: 1
  22990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22991. type: string
  22992. type: object
  22993. required:
  22994. - privateKey
  22995. type: object
  22996. environment:
  22997. description: environment will be used to fetch secrets from a particular environment within a github repository
  22998. type: string
  22999. installationID:
  23000. description: installationID specifies the Github APP installation that will be used to authenticate the client
  23001. format: int64
  23002. type: integer
  23003. organization:
  23004. description: organization will be used to fetch secrets from the Github organization
  23005. type: string
  23006. repository:
  23007. description: repository will be used to fetch secrets from the Github repository within an organization
  23008. type: string
  23009. uploadURL:
  23010. description: Upload URL for enterprise instances. Default to URL.
  23011. type: string
  23012. url:
  23013. default: https://github.com/
  23014. description: URL configures the Github instance URL. Defaults to https://github.com/.
  23015. type: string
  23016. required:
  23017. - appID
  23018. - auth
  23019. - installationID
  23020. - organization
  23021. type: object
  23022. gitlab:
  23023. description: GitLab configures this store to sync secrets using GitLab Variables provider
  23024. properties:
  23025. auth:
  23026. description: Auth configures how secret-manager authenticates with a GitLab instance.
  23027. properties:
  23028. SecretRef:
  23029. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  23030. properties:
  23031. accessToken:
  23032. description: AccessToken is used for authentication.
  23033. properties:
  23034. key:
  23035. description: |-
  23036. A key in the referenced Secret.
  23037. Some instances of this field may be defaulted, in others it may be required.
  23038. maxLength: 253
  23039. minLength: 1
  23040. pattern: ^[-._a-zA-Z0-9]+$
  23041. type: string
  23042. name:
  23043. description: The name of the Secret resource being referred to.
  23044. maxLength: 253
  23045. minLength: 1
  23046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23047. type: string
  23048. namespace:
  23049. description: |-
  23050. The namespace of the Secret resource being referred to.
  23051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23052. maxLength: 63
  23053. minLength: 1
  23054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23055. type: string
  23056. type: object
  23057. type: object
  23058. required:
  23059. - SecretRef
  23060. type: object
  23061. caBundle:
  23062. description: |-
  23063. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  23064. can be performed.
  23065. format: byte
  23066. type: string
  23067. caProvider:
  23068. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  23069. properties:
  23070. key:
  23071. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23072. maxLength: 253
  23073. minLength: 1
  23074. pattern: ^[-._a-zA-Z0-9]+$
  23075. type: string
  23076. name:
  23077. description: The name of the object located at the provider type.
  23078. maxLength: 253
  23079. minLength: 1
  23080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23081. type: string
  23082. namespace:
  23083. description: |-
  23084. The namespace the Provider type is in.
  23085. Can only be defined when used in a ClusterSecretStore.
  23086. maxLength: 63
  23087. minLength: 1
  23088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23089. type: string
  23090. type:
  23091. description: The type of provider to use such as "Secret", or "ConfigMap".
  23092. enum:
  23093. - Secret
  23094. - ConfigMap
  23095. type: string
  23096. required:
  23097. - name
  23098. - type
  23099. type: object
  23100. environment:
  23101. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  23102. type: string
  23103. groupIDs:
  23104. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  23105. items:
  23106. type: string
  23107. type: array
  23108. inheritFromGroups:
  23109. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  23110. type: boolean
  23111. projectID:
  23112. description: ProjectID specifies a project where secrets are located.
  23113. type: string
  23114. url:
  23115. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  23116. type: string
  23117. required:
  23118. - auth
  23119. type: object
  23120. ibm:
  23121. description: IBM configures this store to sync secrets using IBM Cloud provider
  23122. properties:
  23123. auth:
  23124. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  23125. maxProperties: 1
  23126. minProperties: 1
  23127. properties:
  23128. containerAuth:
  23129. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  23130. properties:
  23131. iamEndpoint:
  23132. type: string
  23133. profile:
  23134. description: the IBM Trusted Profile
  23135. type: string
  23136. tokenLocation:
  23137. description: Location the token is mounted on the pod
  23138. type: string
  23139. required:
  23140. - profile
  23141. type: object
  23142. secretRef:
  23143. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  23144. properties:
  23145. secretApiKeySecretRef:
  23146. description: The SecretAccessKey is used for authentication
  23147. properties:
  23148. key:
  23149. description: |-
  23150. A key in the referenced Secret.
  23151. Some instances of this field may be defaulted, in others it may be required.
  23152. maxLength: 253
  23153. minLength: 1
  23154. pattern: ^[-._a-zA-Z0-9]+$
  23155. type: string
  23156. name:
  23157. description: The name of the Secret resource being referred to.
  23158. maxLength: 253
  23159. minLength: 1
  23160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23161. type: string
  23162. namespace:
  23163. description: |-
  23164. The namespace of the Secret resource being referred to.
  23165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23166. maxLength: 63
  23167. minLength: 1
  23168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23169. type: string
  23170. type: object
  23171. type: object
  23172. type: object
  23173. serviceUrl:
  23174. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  23175. type: string
  23176. required:
  23177. - auth
  23178. type: object
  23179. infisical:
  23180. description: Infisical configures this store to sync secrets using the Infisical provider
  23181. properties:
  23182. auth:
  23183. description: Auth configures how the Operator authenticates with the Infisical API
  23184. properties:
  23185. universalAuthCredentials:
  23186. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  23187. properties:
  23188. clientId:
  23189. description: |-
  23190. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23191. In some instances, `key` is a required field.
  23192. properties:
  23193. key:
  23194. description: |-
  23195. A key in the referenced Secret.
  23196. Some instances of this field may be defaulted, in others it may be required.
  23197. maxLength: 253
  23198. minLength: 1
  23199. pattern: ^[-._a-zA-Z0-9]+$
  23200. type: string
  23201. name:
  23202. description: The name of the Secret resource being referred to.
  23203. maxLength: 253
  23204. minLength: 1
  23205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23206. type: string
  23207. namespace:
  23208. description: |-
  23209. The namespace of the Secret resource being referred to.
  23210. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23211. maxLength: 63
  23212. minLength: 1
  23213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23214. type: string
  23215. type: object
  23216. clientSecret:
  23217. description: |-
  23218. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23219. In some instances, `key` is a required field.
  23220. properties:
  23221. key:
  23222. description: |-
  23223. A key in the referenced Secret.
  23224. Some instances of this field may be defaulted, in others it may be required.
  23225. maxLength: 253
  23226. minLength: 1
  23227. pattern: ^[-._a-zA-Z0-9]+$
  23228. type: string
  23229. name:
  23230. description: The name of the Secret resource being referred to.
  23231. maxLength: 253
  23232. minLength: 1
  23233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23234. type: string
  23235. namespace:
  23236. description: |-
  23237. The namespace of the Secret resource being referred to.
  23238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23239. maxLength: 63
  23240. minLength: 1
  23241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23242. type: string
  23243. type: object
  23244. required:
  23245. - clientId
  23246. - clientSecret
  23247. type: object
  23248. type: object
  23249. hostAPI:
  23250. default: https://app.infisical.com/api
  23251. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23252. type: string
  23253. secretsScope:
  23254. description: SecretsScope defines the scope of the secrets within the workspace
  23255. properties:
  23256. environmentSlug:
  23257. description: EnvironmentSlug is the required slug identifier for the environment.
  23258. type: string
  23259. expandSecretReferences:
  23260. default: true
  23261. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23262. type: boolean
  23263. projectSlug:
  23264. description: ProjectSlug is the required slug identifier for the project.
  23265. type: string
  23266. recursive:
  23267. default: false
  23268. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23269. type: boolean
  23270. secretsPath:
  23271. default: /
  23272. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23273. type: string
  23274. required:
  23275. - environmentSlug
  23276. - projectSlug
  23277. type: object
  23278. required:
  23279. - auth
  23280. - secretsScope
  23281. type: object
  23282. keepersecurity:
  23283. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23284. properties:
  23285. authRef:
  23286. description: |-
  23287. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23288. In some instances, `key` is a required field.
  23289. properties:
  23290. key:
  23291. description: |-
  23292. A key in the referenced Secret.
  23293. Some instances of this field may be defaulted, in others it may be required.
  23294. maxLength: 253
  23295. minLength: 1
  23296. pattern: ^[-._a-zA-Z0-9]+$
  23297. type: string
  23298. name:
  23299. description: The name of the Secret resource being referred to.
  23300. maxLength: 253
  23301. minLength: 1
  23302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23303. type: string
  23304. namespace:
  23305. description: |-
  23306. The namespace of the Secret resource being referred to.
  23307. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23308. maxLength: 63
  23309. minLength: 1
  23310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23311. type: string
  23312. type: object
  23313. folderID:
  23314. type: string
  23315. required:
  23316. - authRef
  23317. - folderID
  23318. type: object
  23319. kubernetes:
  23320. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23321. properties:
  23322. auth:
  23323. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23324. maxProperties: 1
  23325. minProperties: 1
  23326. properties:
  23327. cert:
  23328. description: has both clientCert and clientKey as secretKeySelector
  23329. properties:
  23330. clientCert:
  23331. description: |-
  23332. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23333. In some instances, `key` is a required field.
  23334. properties:
  23335. key:
  23336. description: |-
  23337. A key in the referenced Secret.
  23338. Some instances of this field may be defaulted, in others it may be required.
  23339. maxLength: 253
  23340. minLength: 1
  23341. pattern: ^[-._a-zA-Z0-9]+$
  23342. type: string
  23343. name:
  23344. description: The name of the Secret resource being referred to.
  23345. maxLength: 253
  23346. minLength: 1
  23347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23348. type: string
  23349. namespace:
  23350. description: |-
  23351. The namespace of the Secret resource being referred to.
  23352. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23353. maxLength: 63
  23354. minLength: 1
  23355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23356. type: string
  23357. type: object
  23358. clientKey:
  23359. description: |-
  23360. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23361. In some instances, `key` is a required field.
  23362. properties:
  23363. key:
  23364. description: |-
  23365. A key in the referenced Secret.
  23366. Some instances of this field may be defaulted, in others it may be required.
  23367. maxLength: 253
  23368. minLength: 1
  23369. pattern: ^[-._a-zA-Z0-9]+$
  23370. type: string
  23371. name:
  23372. description: The name of the Secret resource being referred to.
  23373. maxLength: 253
  23374. minLength: 1
  23375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23376. type: string
  23377. namespace:
  23378. description: |-
  23379. The namespace of the Secret resource being referred to.
  23380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23381. maxLength: 63
  23382. minLength: 1
  23383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23384. type: string
  23385. type: object
  23386. type: object
  23387. serviceAccount:
  23388. description: points to a service account that should be used for authentication
  23389. properties:
  23390. audiences:
  23391. description: |-
  23392. Audience specifies the `aud` claim for the service account token
  23393. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23394. then this audiences will be appended to the list
  23395. items:
  23396. type: string
  23397. type: array
  23398. name:
  23399. description: The name of the ServiceAccount resource being referred to.
  23400. maxLength: 253
  23401. minLength: 1
  23402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23403. type: string
  23404. namespace:
  23405. description: |-
  23406. Namespace of the resource being referred to.
  23407. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23408. maxLength: 63
  23409. minLength: 1
  23410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23411. type: string
  23412. required:
  23413. - name
  23414. type: object
  23415. token:
  23416. description: use static token to authenticate with
  23417. properties:
  23418. bearerToken:
  23419. description: |-
  23420. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23421. In some instances, `key` is a required field.
  23422. properties:
  23423. key:
  23424. description: |-
  23425. A key in the referenced Secret.
  23426. Some instances of this field may be defaulted, in others it may be required.
  23427. maxLength: 253
  23428. minLength: 1
  23429. pattern: ^[-._a-zA-Z0-9]+$
  23430. type: string
  23431. name:
  23432. description: The name of the Secret resource being referred to.
  23433. maxLength: 253
  23434. minLength: 1
  23435. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23436. type: string
  23437. namespace:
  23438. description: |-
  23439. The namespace of the Secret resource being referred to.
  23440. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23441. maxLength: 63
  23442. minLength: 1
  23443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23444. type: string
  23445. type: object
  23446. type: object
  23447. type: object
  23448. authRef:
  23449. description: A reference to a secret that contains the auth information.
  23450. properties:
  23451. key:
  23452. description: |-
  23453. A key in the referenced Secret.
  23454. Some instances of this field may be defaulted, in others it may be required.
  23455. maxLength: 253
  23456. minLength: 1
  23457. pattern: ^[-._a-zA-Z0-9]+$
  23458. type: string
  23459. name:
  23460. description: The name of the Secret resource being referred to.
  23461. maxLength: 253
  23462. minLength: 1
  23463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23464. type: string
  23465. namespace:
  23466. description: |-
  23467. The namespace of the Secret resource being referred to.
  23468. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23469. maxLength: 63
  23470. minLength: 1
  23471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23472. type: string
  23473. type: object
  23474. remoteNamespace:
  23475. default: default
  23476. description: Remote namespace to fetch the secrets from
  23477. maxLength: 63
  23478. minLength: 1
  23479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23480. type: string
  23481. server:
  23482. description: configures the Kubernetes server Address.
  23483. properties:
  23484. caBundle:
  23485. description: CABundle is a base64-encoded CA certificate
  23486. format: byte
  23487. type: string
  23488. caProvider:
  23489. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23490. properties:
  23491. key:
  23492. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23493. maxLength: 253
  23494. minLength: 1
  23495. pattern: ^[-._a-zA-Z0-9]+$
  23496. type: string
  23497. name:
  23498. description: The name of the object located at the provider type.
  23499. maxLength: 253
  23500. minLength: 1
  23501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23502. type: string
  23503. namespace:
  23504. description: |-
  23505. The namespace the Provider type is in.
  23506. Can only be defined when used in a ClusterSecretStore.
  23507. maxLength: 63
  23508. minLength: 1
  23509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23510. type: string
  23511. type:
  23512. description: The type of provider to use such as "Secret", or "ConfigMap".
  23513. enum:
  23514. - Secret
  23515. - ConfigMap
  23516. type: string
  23517. required:
  23518. - name
  23519. - type
  23520. type: object
  23521. url:
  23522. default: kubernetes.default
  23523. description: configures the Kubernetes server Address.
  23524. type: string
  23525. type: object
  23526. type: object
  23527. onboardbase:
  23528. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23529. properties:
  23530. apiHost:
  23531. default: https://public.onboardbase.com/api/v1/
  23532. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  23533. type: string
  23534. auth:
  23535. description: Auth configures how the Operator authenticates with the Onboardbase API
  23536. properties:
  23537. apiKeyRef:
  23538. description: |-
  23539. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23540. It is used to recognize and authorize access to a project and environment within onboardbase
  23541. properties:
  23542. key:
  23543. description: |-
  23544. A key in the referenced Secret.
  23545. Some instances of this field may be defaulted, in others it may be required.
  23546. maxLength: 253
  23547. minLength: 1
  23548. pattern: ^[-._a-zA-Z0-9]+$
  23549. type: string
  23550. name:
  23551. description: The name of the Secret resource being referred to.
  23552. maxLength: 253
  23553. minLength: 1
  23554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23555. type: string
  23556. namespace:
  23557. description: |-
  23558. The namespace of the Secret resource being referred to.
  23559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23560. maxLength: 63
  23561. minLength: 1
  23562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23563. type: string
  23564. type: object
  23565. passcodeRef:
  23566. description: OnboardbasePasscode is the passcode attached to the API Key
  23567. properties:
  23568. key:
  23569. description: |-
  23570. A key in the referenced Secret.
  23571. Some instances of this field may be defaulted, in others it may be required.
  23572. maxLength: 253
  23573. minLength: 1
  23574. pattern: ^[-._a-zA-Z0-9]+$
  23575. type: string
  23576. name:
  23577. description: The name of the Secret resource being referred to.
  23578. maxLength: 253
  23579. minLength: 1
  23580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23581. type: string
  23582. namespace:
  23583. description: |-
  23584. The namespace of the Secret resource being referred to.
  23585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23586. maxLength: 63
  23587. minLength: 1
  23588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23589. type: string
  23590. type: object
  23591. required:
  23592. - apiKeyRef
  23593. - passcodeRef
  23594. type: object
  23595. environment:
  23596. default: development
  23597. description: Environment is the name of an environmnent within a project to pull the secrets from
  23598. type: string
  23599. project:
  23600. default: development
  23601. description: Project is an onboardbase project that the secrets should be pulled from
  23602. type: string
  23603. required:
  23604. - apiHost
  23605. - auth
  23606. - environment
  23607. - project
  23608. type: object
  23609. onepassword:
  23610. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23611. properties:
  23612. auth:
  23613. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23614. properties:
  23615. secretRef:
  23616. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23617. properties:
  23618. connectTokenSecretRef:
  23619. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23620. properties:
  23621. key:
  23622. description: |-
  23623. A key in the referenced Secret.
  23624. Some instances of this field may be defaulted, in others it may be required.
  23625. maxLength: 253
  23626. minLength: 1
  23627. pattern: ^[-._a-zA-Z0-9]+$
  23628. type: string
  23629. name:
  23630. description: The name of the Secret resource being referred to.
  23631. maxLength: 253
  23632. minLength: 1
  23633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23634. type: string
  23635. namespace:
  23636. description: |-
  23637. The namespace of the Secret resource being referred to.
  23638. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23639. maxLength: 63
  23640. minLength: 1
  23641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23642. type: string
  23643. type: object
  23644. required:
  23645. - connectTokenSecretRef
  23646. type: object
  23647. required:
  23648. - secretRef
  23649. type: object
  23650. connectHost:
  23651. description: ConnectHost defines the OnePassword Connect Server to connect to
  23652. type: string
  23653. vaults:
  23654. additionalProperties:
  23655. type: integer
  23656. description: Vaults defines which OnePassword vaults to search in which order
  23657. type: object
  23658. required:
  23659. - auth
  23660. - connectHost
  23661. - vaults
  23662. type: object
  23663. oracle:
  23664. description: Oracle configures this store to sync secrets using Oracle Vault provider
  23665. properties:
  23666. auth:
  23667. description: |-
  23668. Auth configures how secret-manager authenticates with the Oracle Vault.
  23669. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  23670. properties:
  23671. secretRef:
  23672. description: SecretRef to pass through sensitive information.
  23673. properties:
  23674. fingerprint:
  23675. description: Fingerprint is the fingerprint of the API private key.
  23676. properties:
  23677. key:
  23678. description: |-
  23679. A key in the referenced Secret.
  23680. Some instances of this field may be defaulted, in others it may be required.
  23681. maxLength: 253
  23682. minLength: 1
  23683. pattern: ^[-._a-zA-Z0-9]+$
  23684. type: string
  23685. name:
  23686. description: The name of the Secret resource being referred to.
  23687. maxLength: 253
  23688. minLength: 1
  23689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23690. type: string
  23691. namespace:
  23692. description: |-
  23693. The namespace of the Secret resource being referred to.
  23694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23695. maxLength: 63
  23696. minLength: 1
  23697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23698. type: string
  23699. type: object
  23700. privatekey:
  23701. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  23702. properties:
  23703. key:
  23704. description: |-
  23705. A key in the referenced Secret.
  23706. Some instances of this field may be defaulted, in others it may be required.
  23707. maxLength: 253
  23708. minLength: 1
  23709. pattern: ^[-._a-zA-Z0-9]+$
  23710. type: string
  23711. name:
  23712. description: The name of the Secret resource being referred to.
  23713. maxLength: 253
  23714. minLength: 1
  23715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23716. type: string
  23717. namespace:
  23718. description: |-
  23719. The namespace of the Secret resource being referred to.
  23720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23721. maxLength: 63
  23722. minLength: 1
  23723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23724. type: string
  23725. type: object
  23726. required:
  23727. - fingerprint
  23728. - privatekey
  23729. type: object
  23730. tenancy:
  23731. description: Tenancy is the tenancy OCID where user is located.
  23732. type: string
  23733. user:
  23734. description: User is an access OCID specific to the account.
  23735. type: string
  23736. required:
  23737. - secretRef
  23738. - tenancy
  23739. - user
  23740. type: object
  23741. compartment:
  23742. description: |-
  23743. Compartment is the vault compartment OCID.
  23744. Required for PushSecret
  23745. type: string
  23746. encryptionKey:
  23747. description: |-
  23748. EncryptionKey is the OCID of the encryption key within the vault.
  23749. Required for PushSecret
  23750. type: string
  23751. principalType:
  23752. description: |-
  23753. The type of principal to use for authentication. If left blank, the Auth struct will
  23754. determine the principal type. This optional field must be specified if using
  23755. workload identity.
  23756. enum:
  23757. - ""
  23758. - UserPrincipal
  23759. - InstancePrincipal
  23760. - Workload
  23761. type: string
  23762. region:
  23763. description: Region is the region where vault is located.
  23764. type: string
  23765. serviceAccountRef:
  23766. description: |-
  23767. ServiceAccountRef specified the service account
  23768. that should be used when authenticating with WorkloadIdentity.
  23769. properties:
  23770. audiences:
  23771. description: |-
  23772. Audience specifies the `aud` claim for the service account token
  23773. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23774. then this audiences will be appended to the list
  23775. items:
  23776. type: string
  23777. type: array
  23778. name:
  23779. description: The name of the ServiceAccount resource being referred to.
  23780. maxLength: 253
  23781. minLength: 1
  23782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23783. type: string
  23784. namespace:
  23785. description: |-
  23786. Namespace of the resource being referred to.
  23787. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23788. maxLength: 63
  23789. minLength: 1
  23790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23791. type: string
  23792. required:
  23793. - name
  23794. type: object
  23795. vault:
  23796. description: Vault is the vault's OCID of the specific vault where secret is located.
  23797. type: string
  23798. required:
  23799. - region
  23800. - vault
  23801. type: object
  23802. passbolt:
  23803. description: PassboltProvider defines configuration for the Passbolt provider.
  23804. properties:
  23805. auth:
  23806. description: Auth defines the information necessary to authenticate against Passbolt Server
  23807. properties:
  23808. passwordSecretRef:
  23809. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  23810. properties:
  23811. key:
  23812. description: |-
  23813. A key in the referenced Secret.
  23814. Some instances of this field may be defaulted, in others it may be required.
  23815. maxLength: 253
  23816. minLength: 1
  23817. pattern: ^[-._a-zA-Z0-9]+$
  23818. type: string
  23819. name:
  23820. description: The name of the Secret resource being referred to.
  23821. maxLength: 253
  23822. minLength: 1
  23823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23824. type: string
  23825. namespace:
  23826. description: |-
  23827. The namespace of the Secret resource being referred to.
  23828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23829. maxLength: 63
  23830. minLength: 1
  23831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23832. type: string
  23833. type: object
  23834. privateKeySecretRef:
  23835. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  23836. properties:
  23837. key:
  23838. description: |-
  23839. A key in the referenced Secret.
  23840. Some instances of this field may be defaulted, in others it may be required.
  23841. maxLength: 253
  23842. minLength: 1
  23843. pattern: ^[-._a-zA-Z0-9]+$
  23844. type: string
  23845. name:
  23846. description: The name of the Secret resource being referred to.
  23847. maxLength: 253
  23848. minLength: 1
  23849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23850. type: string
  23851. namespace:
  23852. description: |-
  23853. The namespace of the Secret resource being referred to.
  23854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23855. maxLength: 63
  23856. minLength: 1
  23857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23858. type: string
  23859. type: object
  23860. required:
  23861. - passwordSecretRef
  23862. - privateKeySecretRef
  23863. type: object
  23864. host:
  23865. description: Host defines the Passbolt Server to connect to
  23866. type: string
  23867. required:
  23868. - auth
  23869. - host
  23870. type: object
  23871. passworddepot:
  23872. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  23873. properties:
  23874. auth:
  23875. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  23876. properties:
  23877. secretRef:
  23878. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  23879. properties:
  23880. credentials:
  23881. description: Username / Password is used for authentication.
  23882. properties:
  23883. key:
  23884. description: |-
  23885. A key in the referenced Secret.
  23886. Some instances of this field may be defaulted, in others it may be required.
  23887. maxLength: 253
  23888. minLength: 1
  23889. pattern: ^[-._a-zA-Z0-9]+$
  23890. type: string
  23891. name:
  23892. description: The name of the Secret resource being referred to.
  23893. maxLength: 253
  23894. minLength: 1
  23895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23896. type: string
  23897. namespace:
  23898. description: |-
  23899. The namespace of the Secret resource being referred to.
  23900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23901. maxLength: 63
  23902. minLength: 1
  23903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23904. type: string
  23905. type: object
  23906. type: object
  23907. required:
  23908. - secretRef
  23909. type: object
  23910. database:
  23911. description: Database to use as source
  23912. type: string
  23913. host:
  23914. description: URL configures the Password Depot instance URL.
  23915. type: string
  23916. required:
  23917. - auth
  23918. - database
  23919. - host
  23920. type: object
  23921. previder:
  23922. description: Previder configures this store to sync secrets using the Previder provider
  23923. properties:
  23924. auth:
  23925. description: PreviderAuth contains a secretRef for credentials.
  23926. properties:
  23927. secretRef:
  23928. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  23929. properties:
  23930. accessToken:
  23931. description: The AccessToken is used for authentication
  23932. properties:
  23933. key:
  23934. description: |-
  23935. A key in the referenced Secret.
  23936. Some instances of this field may be defaulted, in others it may be required.
  23937. maxLength: 253
  23938. minLength: 1
  23939. pattern: ^[-._a-zA-Z0-9]+$
  23940. type: string
  23941. name:
  23942. description: The name of the Secret resource being referred to.
  23943. maxLength: 253
  23944. minLength: 1
  23945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23946. type: string
  23947. namespace:
  23948. description: |-
  23949. The namespace of the Secret resource being referred to.
  23950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23951. maxLength: 63
  23952. minLength: 1
  23953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23954. type: string
  23955. type: object
  23956. required:
  23957. - accessToken
  23958. type: object
  23959. type: object
  23960. baseUri:
  23961. type: string
  23962. required:
  23963. - auth
  23964. type: object
  23965. pulumi:
  23966. description: Pulumi configures this store to sync secrets using the Pulumi provider
  23967. properties:
  23968. accessToken:
  23969. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  23970. properties:
  23971. secretRef:
  23972. description: SecretRef is a reference to a secret containing the Pulumi API token.
  23973. properties:
  23974. key:
  23975. description: |-
  23976. A key in the referenced Secret.
  23977. Some instances of this field may be defaulted, in others it may be required.
  23978. maxLength: 253
  23979. minLength: 1
  23980. pattern: ^[-._a-zA-Z0-9]+$
  23981. type: string
  23982. name:
  23983. description: The name of the Secret resource being referred to.
  23984. maxLength: 253
  23985. minLength: 1
  23986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23987. type: string
  23988. namespace:
  23989. description: |-
  23990. The namespace of the Secret resource being referred to.
  23991. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23992. maxLength: 63
  23993. minLength: 1
  23994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23995. type: string
  23996. type: object
  23997. type: object
  23998. apiUrl:
  23999. default: https://api.pulumi.com/api/esc
  24000. description: APIURL is the URL of the Pulumi API.
  24001. type: string
  24002. environment:
  24003. description: |-
  24004. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  24005. dynamically retrieved values from supported providers including all major clouds,
  24006. and other Pulumi ESC environments.
  24007. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  24008. type: string
  24009. organization:
  24010. description: |-
  24011. Organization are a space to collaborate on shared projects and stacks.
  24012. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  24013. type: string
  24014. project:
  24015. description: Project is the name of the Pulumi ESC project the environment belongs to.
  24016. type: string
  24017. required:
  24018. - accessToken
  24019. - environment
  24020. - organization
  24021. - project
  24022. type: object
  24023. scaleway:
  24024. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  24025. properties:
  24026. accessKey:
  24027. description: AccessKey is the non-secret part of the api key.
  24028. properties:
  24029. secretRef:
  24030. description: SecretRef references a key in a secret that will be used as value.
  24031. properties:
  24032. key:
  24033. description: |-
  24034. A key in the referenced Secret.
  24035. Some instances of this field may be defaulted, in others it may be required.
  24036. maxLength: 253
  24037. minLength: 1
  24038. pattern: ^[-._a-zA-Z0-9]+$
  24039. type: string
  24040. name:
  24041. description: The name of the Secret resource being referred to.
  24042. maxLength: 253
  24043. minLength: 1
  24044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24045. type: string
  24046. namespace:
  24047. description: |-
  24048. The namespace of the Secret resource being referred to.
  24049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24050. maxLength: 63
  24051. minLength: 1
  24052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24053. type: string
  24054. type: object
  24055. value:
  24056. description: Value can be specified directly to set a value without using a secret.
  24057. type: string
  24058. type: object
  24059. apiUrl:
  24060. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  24061. type: string
  24062. projectId:
  24063. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  24064. type: string
  24065. region:
  24066. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  24067. type: string
  24068. secretKey:
  24069. description: SecretKey is the non-secret part of the api key.
  24070. properties:
  24071. secretRef:
  24072. description: SecretRef references a key in a secret that will be used as value.
  24073. properties:
  24074. key:
  24075. description: |-
  24076. A key in the referenced Secret.
  24077. Some instances of this field may be defaulted, in others it may be required.
  24078. maxLength: 253
  24079. minLength: 1
  24080. pattern: ^[-._a-zA-Z0-9]+$
  24081. type: string
  24082. name:
  24083. description: The name of the Secret resource being referred to.
  24084. maxLength: 253
  24085. minLength: 1
  24086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24087. type: string
  24088. namespace:
  24089. description: |-
  24090. The namespace of the Secret resource being referred to.
  24091. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24092. maxLength: 63
  24093. minLength: 1
  24094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24095. type: string
  24096. type: object
  24097. value:
  24098. description: Value can be specified directly to set a value without using a secret.
  24099. type: string
  24100. type: object
  24101. required:
  24102. - accessKey
  24103. - projectId
  24104. - region
  24105. - secretKey
  24106. type: object
  24107. secretserver:
  24108. description: |-
  24109. SecretServer configures this store to sync secrets using SecretServer provider
  24110. https://docs.delinea.com/online-help/secret-server/start.htm
  24111. properties:
  24112. password:
  24113. description: Password is the secret server account password.
  24114. properties:
  24115. secretRef:
  24116. description: SecretRef references a key in a secret that will be used as value.
  24117. properties:
  24118. key:
  24119. description: |-
  24120. A key in the referenced Secret.
  24121. Some instances of this field may be defaulted, in others it may be required.
  24122. maxLength: 253
  24123. minLength: 1
  24124. pattern: ^[-._a-zA-Z0-9]+$
  24125. type: string
  24126. name:
  24127. description: The name of the Secret resource being referred to.
  24128. maxLength: 253
  24129. minLength: 1
  24130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24131. type: string
  24132. namespace:
  24133. description: |-
  24134. The namespace of the Secret resource being referred to.
  24135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24136. maxLength: 63
  24137. minLength: 1
  24138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24139. type: string
  24140. type: object
  24141. value:
  24142. description: Value can be specified directly to set a value without using a secret.
  24143. type: string
  24144. type: object
  24145. serverURL:
  24146. description: |-
  24147. ServerURL
  24148. URL to your secret server installation
  24149. type: string
  24150. username:
  24151. description: Username is the secret server account username.
  24152. properties:
  24153. secretRef:
  24154. description: SecretRef references a key in a secret that will be used as value.
  24155. properties:
  24156. key:
  24157. description: |-
  24158. A key in the referenced Secret.
  24159. Some instances of this field may be defaulted, in others it may be required.
  24160. maxLength: 253
  24161. minLength: 1
  24162. pattern: ^[-._a-zA-Z0-9]+$
  24163. type: string
  24164. name:
  24165. description: The name of the Secret resource being referred to.
  24166. maxLength: 253
  24167. minLength: 1
  24168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24169. type: string
  24170. namespace:
  24171. description: |-
  24172. The namespace of the Secret resource being referred to.
  24173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24174. maxLength: 63
  24175. minLength: 1
  24176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24177. type: string
  24178. type: object
  24179. value:
  24180. description: Value can be specified directly to set a value without using a secret.
  24181. type: string
  24182. type: object
  24183. required:
  24184. - password
  24185. - serverURL
  24186. - username
  24187. type: object
  24188. senhasegura:
  24189. description: Senhasegura configures this store to sync secrets using senhasegura provider
  24190. properties:
  24191. auth:
  24192. description: Auth defines parameters to authenticate in senhasegura
  24193. properties:
  24194. clientId:
  24195. type: string
  24196. clientSecretSecretRef:
  24197. description: |-
  24198. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24199. In some instances, `key` is a required field.
  24200. properties:
  24201. key:
  24202. description: |-
  24203. A key in the referenced Secret.
  24204. Some instances of this field may be defaulted, in others it may be required.
  24205. maxLength: 253
  24206. minLength: 1
  24207. pattern: ^[-._a-zA-Z0-9]+$
  24208. type: string
  24209. name:
  24210. description: The name of the Secret resource being referred to.
  24211. maxLength: 253
  24212. minLength: 1
  24213. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24214. type: string
  24215. namespace:
  24216. description: |-
  24217. The namespace of the Secret resource being referred to.
  24218. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24219. maxLength: 63
  24220. minLength: 1
  24221. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24222. type: string
  24223. type: object
  24224. required:
  24225. - clientId
  24226. - clientSecretSecretRef
  24227. type: object
  24228. ignoreSslCertificate:
  24229. default: false
  24230. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  24231. type: boolean
  24232. module:
  24233. description: Module defines which senhasegura module should be used to get secrets
  24234. type: string
  24235. url:
  24236. description: URL of senhasegura
  24237. type: string
  24238. required:
  24239. - auth
  24240. - module
  24241. - url
  24242. type: object
  24243. vault:
  24244. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24245. properties:
  24246. auth:
  24247. description: Auth configures how secret-manager authenticates with the Vault server.
  24248. properties:
  24249. appRole:
  24250. description: |-
  24251. AppRole authenticates with Vault using the App Role auth mechanism,
  24252. with the role and secret stored in a Kubernetes Secret resource.
  24253. properties:
  24254. path:
  24255. default: approle
  24256. description: |-
  24257. Path where the App Role authentication backend is mounted
  24258. in Vault, e.g: "approle"
  24259. type: string
  24260. roleId:
  24261. description: |-
  24262. RoleID configured in the App Role authentication backend when setting
  24263. up the authentication backend in Vault.
  24264. type: string
  24265. roleRef:
  24266. description: |-
  24267. Reference to a key in a Secret that contains the App Role ID used
  24268. to authenticate with Vault.
  24269. The `key` field must be specified and denotes which entry within the Secret
  24270. resource is used as the app role id.
  24271. properties:
  24272. key:
  24273. description: |-
  24274. A key in the referenced Secret.
  24275. Some instances of this field may be defaulted, in others it may be required.
  24276. maxLength: 253
  24277. minLength: 1
  24278. pattern: ^[-._a-zA-Z0-9]+$
  24279. type: string
  24280. name:
  24281. description: The name of the Secret resource being referred to.
  24282. maxLength: 253
  24283. minLength: 1
  24284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24285. type: string
  24286. namespace:
  24287. description: |-
  24288. The namespace of the Secret resource being referred to.
  24289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24290. maxLength: 63
  24291. minLength: 1
  24292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24293. type: string
  24294. type: object
  24295. secretRef:
  24296. description: |-
  24297. Reference to a key in a Secret that contains the App Role secret used
  24298. to authenticate with Vault.
  24299. The `key` field must be specified and denotes which entry within the Secret
  24300. resource is used as the app role secret.
  24301. properties:
  24302. key:
  24303. description: |-
  24304. A key in the referenced Secret.
  24305. Some instances of this field may be defaulted, in others it may be required.
  24306. maxLength: 253
  24307. minLength: 1
  24308. pattern: ^[-._a-zA-Z0-9]+$
  24309. type: string
  24310. name:
  24311. description: The name of the Secret resource being referred to.
  24312. maxLength: 253
  24313. minLength: 1
  24314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24315. type: string
  24316. namespace:
  24317. description: |-
  24318. The namespace of the Secret resource being referred to.
  24319. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24320. maxLength: 63
  24321. minLength: 1
  24322. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24323. type: string
  24324. type: object
  24325. required:
  24326. - path
  24327. - secretRef
  24328. type: object
  24329. cert:
  24330. description: |-
  24331. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  24332. Cert authentication method
  24333. properties:
  24334. clientCert:
  24335. description: |-
  24336. ClientCert is a certificate to authenticate using the Cert Vault
  24337. authentication method
  24338. properties:
  24339. key:
  24340. description: |-
  24341. A key in the referenced Secret.
  24342. Some instances of this field may be defaulted, in others it may be required.
  24343. maxLength: 253
  24344. minLength: 1
  24345. pattern: ^[-._a-zA-Z0-9]+$
  24346. type: string
  24347. name:
  24348. description: The name of the Secret resource being referred to.
  24349. maxLength: 253
  24350. minLength: 1
  24351. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24352. type: string
  24353. namespace:
  24354. description: |-
  24355. The namespace of the Secret resource being referred to.
  24356. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24357. maxLength: 63
  24358. minLength: 1
  24359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24360. type: string
  24361. type: object
  24362. secretRef:
  24363. description: |-
  24364. SecretRef to a key in a Secret resource containing client private key to
  24365. authenticate with Vault using the Cert authentication method
  24366. properties:
  24367. key:
  24368. description: |-
  24369. A key in the referenced Secret.
  24370. Some instances of this field may be defaulted, in others it may be required.
  24371. maxLength: 253
  24372. minLength: 1
  24373. pattern: ^[-._a-zA-Z0-9]+$
  24374. type: string
  24375. name:
  24376. description: The name of the Secret resource being referred to.
  24377. maxLength: 253
  24378. minLength: 1
  24379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24380. type: string
  24381. namespace:
  24382. description: |-
  24383. The namespace of the Secret resource being referred to.
  24384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24385. maxLength: 63
  24386. minLength: 1
  24387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24388. type: string
  24389. type: object
  24390. type: object
  24391. iam:
  24392. description: |-
  24393. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  24394. AWS IAM authentication method
  24395. properties:
  24396. externalID:
  24397. description: AWS External ID set on assumed IAM roles
  24398. type: string
  24399. jwt:
  24400. description: Specify a service account with IRSA enabled
  24401. properties:
  24402. serviceAccountRef:
  24403. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24404. properties:
  24405. audiences:
  24406. description: |-
  24407. Audience specifies the `aud` claim for the service account token
  24408. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24409. then this audiences will be appended to the list
  24410. items:
  24411. type: string
  24412. type: array
  24413. name:
  24414. description: The name of the ServiceAccount resource being referred to.
  24415. maxLength: 253
  24416. minLength: 1
  24417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24418. type: string
  24419. namespace:
  24420. description: |-
  24421. Namespace of the resource being referred to.
  24422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24423. maxLength: 63
  24424. minLength: 1
  24425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24426. type: string
  24427. required:
  24428. - name
  24429. type: object
  24430. type: object
  24431. path:
  24432. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24433. type: string
  24434. region:
  24435. description: AWS region
  24436. type: string
  24437. role:
  24438. description: This is the AWS role to be assumed before talking to vault
  24439. type: string
  24440. secretRef:
  24441. description: Specify credentials in a Secret object
  24442. properties:
  24443. accessKeyIDSecretRef:
  24444. description: The AccessKeyID is used for authentication
  24445. properties:
  24446. key:
  24447. description: |-
  24448. A key in the referenced Secret.
  24449. Some instances of this field may be defaulted, in others it may be required.
  24450. maxLength: 253
  24451. minLength: 1
  24452. pattern: ^[-._a-zA-Z0-9]+$
  24453. type: string
  24454. name:
  24455. description: The name of the Secret resource being referred to.
  24456. maxLength: 253
  24457. minLength: 1
  24458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24459. type: string
  24460. namespace:
  24461. description: |-
  24462. The namespace of the Secret resource being referred to.
  24463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24464. maxLength: 63
  24465. minLength: 1
  24466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24467. type: string
  24468. type: object
  24469. secretAccessKeySecretRef:
  24470. description: The SecretAccessKey is used for authentication
  24471. properties:
  24472. key:
  24473. description: |-
  24474. A key in the referenced Secret.
  24475. Some instances of this field may be defaulted, in others it may be required.
  24476. maxLength: 253
  24477. minLength: 1
  24478. pattern: ^[-._a-zA-Z0-9]+$
  24479. type: string
  24480. name:
  24481. description: The name of the Secret resource being referred to.
  24482. maxLength: 253
  24483. minLength: 1
  24484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24485. type: string
  24486. namespace:
  24487. description: |-
  24488. The namespace of the Secret resource being referred to.
  24489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24490. maxLength: 63
  24491. minLength: 1
  24492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24493. type: string
  24494. type: object
  24495. sessionTokenSecretRef:
  24496. description: |-
  24497. The SessionToken used for authentication
  24498. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24499. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24500. properties:
  24501. key:
  24502. description: |-
  24503. A key in the referenced Secret.
  24504. Some instances of this field may be defaulted, in others it may be required.
  24505. maxLength: 253
  24506. minLength: 1
  24507. pattern: ^[-._a-zA-Z0-9]+$
  24508. type: string
  24509. name:
  24510. description: The name of the Secret resource being referred to.
  24511. maxLength: 253
  24512. minLength: 1
  24513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24514. type: string
  24515. namespace:
  24516. description: |-
  24517. The namespace of the Secret resource being referred to.
  24518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24519. maxLength: 63
  24520. minLength: 1
  24521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24522. type: string
  24523. type: object
  24524. type: object
  24525. vaultAwsIamServerID:
  24526. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24527. type: string
  24528. vaultRole:
  24529. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  24530. type: string
  24531. required:
  24532. - vaultRole
  24533. type: object
  24534. jwt:
  24535. description: |-
  24536. Jwt authenticates with Vault by passing role and JWT token using the
  24537. JWT/OIDC authentication method
  24538. properties:
  24539. kubernetesServiceAccountToken:
  24540. description: |-
  24541. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  24542. a token for with the `TokenRequest` API.
  24543. properties:
  24544. audiences:
  24545. description: |-
  24546. Optional audiences field that will be used to request a temporary Kubernetes service
  24547. account token for the service account referenced by `serviceAccountRef`.
  24548. Defaults to a single audience `vault` it not specified.
  24549. Deprecated: use serviceAccountRef.Audiences instead
  24550. items:
  24551. type: string
  24552. type: array
  24553. expirationSeconds:
  24554. description: |-
  24555. Optional expiration time in seconds that will be used to request a temporary
  24556. Kubernetes service account token for the service account referenced by
  24557. `serviceAccountRef`.
  24558. Deprecated: this will be removed in the future.
  24559. Defaults to 10 minutes.
  24560. format: int64
  24561. type: integer
  24562. serviceAccountRef:
  24563. description: Service account field containing the name of a kubernetes ServiceAccount.
  24564. properties:
  24565. audiences:
  24566. description: |-
  24567. Audience specifies the `aud` claim for the service account token
  24568. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24569. then this audiences will be appended to the list
  24570. items:
  24571. type: string
  24572. type: array
  24573. name:
  24574. description: The name of the ServiceAccount resource being referred to.
  24575. maxLength: 253
  24576. minLength: 1
  24577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24578. type: string
  24579. namespace:
  24580. description: |-
  24581. Namespace of the resource being referred to.
  24582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24583. maxLength: 63
  24584. minLength: 1
  24585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24586. type: string
  24587. required:
  24588. - name
  24589. type: object
  24590. required:
  24591. - serviceAccountRef
  24592. type: object
  24593. path:
  24594. default: jwt
  24595. description: |-
  24596. Path where the JWT authentication backend is mounted
  24597. in Vault, e.g: "jwt"
  24598. type: string
  24599. role:
  24600. description: |-
  24601. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24602. authentication method
  24603. type: string
  24604. secretRef:
  24605. description: |-
  24606. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24607. authenticate with Vault using the JWT/OIDC authentication method.
  24608. properties:
  24609. key:
  24610. description: |-
  24611. A key in the referenced Secret.
  24612. Some instances of this field may be defaulted, in others it may be required.
  24613. maxLength: 253
  24614. minLength: 1
  24615. pattern: ^[-._a-zA-Z0-9]+$
  24616. type: string
  24617. name:
  24618. description: The name of the Secret resource being referred to.
  24619. maxLength: 253
  24620. minLength: 1
  24621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24622. type: string
  24623. namespace:
  24624. description: |-
  24625. The namespace of the Secret resource being referred to.
  24626. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24627. maxLength: 63
  24628. minLength: 1
  24629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24630. type: string
  24631. type: object
  24632. required:
  24633. - path
  24634. type: object
  24635. kubernetes:
  24636. description: |-
  24637. Kubernetes authenticates with Vault by passing the ServiceAccount
  24638. token stored in the named Secret resource to the Vault server.
  24639. properties:
  24640. mountPath:
  24641. default: kubernetes
  24642. description: |-
  24643. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24644. "kubernetes"
  24645. type: string
  24646. role:
  24647. description: |-
  24648. A required field containing the Vault Role to assume. A Role binds a
  24649. Kubernetes ServiceAccount with a set of Vault policies.
  24650. type: string
  24651. secretRef:
  24652. description: |-
  24653. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24654. for authenticating with Vault. If a name is specified without a key,
  24655. `token` is the default. If one is not specified, the one bound to
  24656. the controller will be used.
  24657. properties:
  24658. key:
  24659. description: |-
  24660. A key in the referenced Secret.
  24661. Some instances of this field may be defaulted, in others it may be required.
  24662. maxLength: 253
  24663. minLength: 1
  24664. pattern: ^[-._a-zA-Z0-9]+$
  24665. type: string
  24666. name:
  24667. description: The name of the Secret resource being referred to.
  24668. maxLength: 253
  24669. minLength: 1
  24670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24671. type: string
  24672. namespace:
  24673. description: |-
  24674. The namespace of the Secret resource being referred to.
  24675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24676. maxLength: 63
  24677. minLength: 1
  24678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24679. type: string
  24680. type: object
  24681. serviceAccountRef:
  24682. description: |-
  24683. Optional service account field containing the name of a kubernetes ServiceAccount.
  24684. If the service account is specified, the service account secret token JWT will be used
  24685. for authenticating with Vault. If the service account selector is not supplied,
  24686. the secretRef will be used instead.
  24687. properties:
  24688. audiences:
  24689. description: |-
  24690. Audience specifies the `aud` claim for the service account token
  24691. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24692. then this audiences will be appended to the list
  24693. items:
  24694. type: string
  24695. type: array
  24696. name:
  24697. description: The name of the ServiceAccount resource being referred to.
  24698. maxLength: 253
  24699. minLength: 1
  24700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24701. type: string
  24702. namespace:
  24703. description: |-
  24704. Namespace of the resource being referred to.
  24705. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24706. maxLength: 63
  24707. minLength: 1
  24708. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24709. type: string
  24710. required:
  24711. - name
  24712. type: object
  24713. required:
  24714. - mountPath
  24715. - role
  24716. type: object
  24717. ldap:
  24718. description: |-
  24719. Ldap authenticates with Vault by passing username/password pair using
  24720. the LDAP authentication method
  24721. properties:
  24722. path:
  24723. default: ldap
  24724. description: |-
  24725. Path where the LDAP authentication backend is mounted
  24726. in Vault, e.g: "ldap"
  24727. type: string
  24728. secretRef:
  24729. description: |-
  24730. SecretRef to a key in a Secret resource containing password for the LDAP
  24731. user used to authenticate with Vault using the LDAP authentication
  24732. method
  24733. properties:
  24734. key:
  24735. description: |-
  24736. A key in the referenced Secret.
  24737. Some instances of this field may be defaulted, in others it may be required.
  24738. maxLength: 253
  24739. minLength: 1
  24740. pattern: ^[-._a-zA-Z0-9]+$
  24741. type: string
  24742. name:
  24743. description: The name of the Secret resource being referred to.
  24744. maxLength: 253
  24745. minLength: 1
  24746. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24747. type: string
  24748. namespace:
  24749. description: |-
  24750. The namespace of the Secret resource being referred to.
  24751. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24752. maxLength: 63
  24753. minLength: 1
  24754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24755. type: string
  24756. type: object
  24757. username:
  24758. description: |-
  24759. Username is an LDAP username used to authenticate using the LDAP Vault
  24760. authentication method
  24761. type: string
  24762. required:
  24763. - path
  24764. - username
  24765. type: object
  24766. namespace:
  24767. description: |-
  24768. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  24769. Namespaces is a set of features within Vault Enterprise that allows
  24770. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24771. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24772. This will default to Vault.Namespace field if set, or empty otherwise
  24773. type: string
  24774. tokenSecretRef:
  24775. description: TokenSecretRef authenticates with Vault by presenting a token.
  24776. properties:
  24777. key:
  24778. description: |-
  24779. A key in the referenced Secret.
  24780. Some instances of this field may be defaulted, in others it may be required.
  24781. maxLength: 253
  24782. minLength: 1
  24783. pattern: ^[-._a-zA-Z0-9]+$
  24784. type: string
  24785. name:
  24786. description: The name of the Secret resource being referred to.
  24787. maxLength: 253
  24788. minLength: 1
  24789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24790. type: string
  24791. namespace:
  24792. description: |-
  24793. The namespace of the Secret resource being referred to.
  24794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24795. maxLength: 63
  24796. minLength: 1
  24797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24798. type: string
  24799. type: object
  24800. userPass:
  24801. description: UserPass authenticates with Vault by passing username/password pair
  24802. properties:
  24803. path:
  24804. default: userpass
  24805. description: |-
  24806. Path where the UserPassword authentication backend is mounted
  24807. in Vault, e.g: "userpass"
  24808. type: string
  24809. secretRef:
  24810. description: |-
  24811. SecretRef to a key in a Secret resource containing password for the
  24812. user used to authenticate with Vault using the UserPass authentication
  24813. method
  24814. properties:
  24815. key:
  24816. description: |-
  24817. A key in the referenced Secret.
  24818. Some instances of this field may be defaulted, in others it may be required.
  24819. maxLength: 253
  24820. minLength: 1
  24821. pattern: ^[-._a-zA-Z0-9]+$
  24822. type: string
  24823. name:
  24824. description: The name of the Secret resource being referred to.
  24825. maxLength: 253
  24826. minLength: 1
  24827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24828. type: string
  24829. namespace:
  24830. description: |-
  24831. The namespace of the Secret resource being referred to.
  24832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24833. maxLength: 63
  24834. minLength: 1
  24835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24836. type: string
  24837. type: object
  24838. username:
  24839. description: |-
  24840. Username is a username used to authenticate using the UserPass Vault
  24841. authentication method
  24842. type: string
  24843. required:
  24844. - path
  24845. - username
  24846. type: object
  24847. type: object
  24848. caBundle:
  24849. description: |-
  24850. PEM encoded CA bundle used to validate Vault server certificate. Only used
  24851. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24852. plain HTTP protocol connection. If not set the system root certificates
  24853. are used to validate the TLS connection.
  24854. format: byte
  24855. type: string
  24856. caProvider:
  24857. description: The provider for the CA bundle to use to validate Vault server certificate.
  24858. properties:
  24859. key:
  24860. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24861. maxLength: 253
  24862. minLength: 1
  24863. pattern: ^[-._a-zA-Z0-9]+$
  24864. type: string
  24865. name:
  24866. description: The name of the object located at the provider type.
  24867. maxLength: 253
  24868. minLength: 1
  24869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24870. type: string
  24871. namespace:
  24872. description: |-
  24873. The namespace the Provider type is in.
  24874. Can only be defined when used in a ClusterSecretStore.
  24875. maxLength: 63
  24876. minLength: 1
  24877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24878. type: string
  24879. type:
  24880. description: The type of provider to use such as "Secret", or "ConfigMap".
  24881. enum:
  24882. - Secret
  24883. - ConfigMap
  24884. type: string
  24885. required:
  24886. - name
  24887. - type
  24888. type: object
  24889. forwardInconsistent:
  24890. description: |-
  24891. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  24892. leader instead of simply retrying within a loop. This can increase performance if
  24893. the option is enabled serverside.
  24894. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  24895. type: boolean
  24896. headers:
  24897. additionalProperties:
  24898. type: string
  24899. description: Headers to be added in Vault request
  24900. type: object
  24901. namespace:
  24902. description: |-
  24903. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  24904. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24905. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24906. type: string
  24907. path:
  24908. description: |-
  24909. Path is the mount path of the Vault KV backend endpoint, e.g:
  24910. "secret". The v2 KV secret engine version specific "/data" path suffix
  24911. for fetching secrets from Vault is optional and will be appended
  24912. if not present in specified path.
  24913. type: string
  24914. readYourWrites:
  24915. description: |-
  24916. ReadYourWrites ensures isolated read-after-write semantics by
  24917. providing discovered cluster replication states in each request.
  24918. More information about eventual consistency in Vault can be found here
  24919. https://www.vaultproject.io/docs/enterprise/consistency
  24920. type: boolean
  24921. server:
  24922. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  24923. type: string
  24924. tls:
  24925. description: |-
  24926. The configuration used for client side related TLS communication, when the Vault server
  24927. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  24928. This parameter is ignored for plain HTTP protocol connection.
  24929. It's worth noting this configuration is different from the "TLS certificates auth method",
  24930. which is available under the `auth.cert` section.
  24931. properties:
  24932. certSecretRef:
  24933. description: |-
  24934. CertSecretRef is a certificate added to the transport layer
  24935. when communicating with the Vault server.
  24936. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  24937. properties:
  24938. key:
  24939. description: |-
  24940. A key in the referenced Secret.
  24941. Some instances of this field may be defaulted, in others it may be required.
  24942. maxLength: 253
  24943. minLength: 1
  24944. pattern: ^[-._a-zA-Z0-9]+$
  24945. type: string
  24946. name:
  24947. description: The name of the Secret resource being referred to.
  24948. maxLength: 253
  24949. minLength: 1
  24950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24951. type: string
  24952. namespace:
  24953. description: |-
  24954. The namespace of the Secret resource being referred to.
  24955. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24956. maxLength: 63
  24957. minLength: 1
  24958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24959. type: string
  24960. type: object
  24961. keySecretRef:
  24962. description: |-
  24963. KeySecretRef to a key in a Secret resource containing client private key
  24964. added to the transport layer when communicating with the Vault server.
  24965. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  24966. properties:
  24967. key:
  24968. description: |-
  24969. A key in the referenced Secret.
  24970. Some instances of this field may be defaulted, in others it may be required.
  24971. maxLength: 253
  24972. minLength: 1
  24973. pattern: ^[-._a-zA-Z0-9]+$
  24974. type: string
  24975. name:
  24976. description: The name of the Secret resource being referred to.
  24977. maxLength: 253
  24978. minLength: 1
  24979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24980. type: string
  24981. namespace:
  24982. description: |-
  24983. The namespace of the Secret resource being referred to.
  24984. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24985. maxLength: 63
  24986. minLength: 1
  24987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24988. type: string
  24989. type: object
  24990. type: object
  24991. version:
  24992. default: v2
  24993. description: |-
  24994. Version is the Vault KV secret engine version. This can be either "v1" or
  24995. "v2". Version defaults to "v2".
  24996. enum:
  24997. - v1
  24998. - v2
  24999. type: string
  25000. required:
  25001. - server
  25002. type: object
  25003. webhook:
  25004. description: Webhook configures this store to sync secrets using a generic templated webhook
  25005. properties:
  25006. auth:
  25007. description: Auth specifies a authorization protocol. Only one protocol may be set.
  25008. maxProperties: 1
  25009. minProperties: 1
  25010. properties:
  25011. ntlm:
  25012. description: NTLMProtocol configures the store to use NTLM for auth
  25013. properties:
  25014. passwordSecret:
  25015. description: |-
  25016. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25017. In some instances, `key` is a required field.
  25018. properties:
  25019. key:
  25020. description: |-
  25021. A key in the referenced Secret.
  25022. Some instances of this field may be defaulted, in others it may be required.
  25023. maxLength: 253
  25024. minLength: 1
  25025. pattern: ^[-._a-zA-Z0-9]+$
  25026. type: string
  25027. name:
  25028. description: The name of the Secret resource being referred to.
  25029. maxLength: 253
  25030. minLength: 1
  25031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25032. type: string
  25033. namespace:
  25034. description: |-
  25035. The namespace of the Secret resource being referred to.
  25036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25037. maxLength: 63
  25038. minLength: 1
  25039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25040. type: string
  25041. type: object
  25042. usernameSecret:
  25043. description: |-
  25044. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25045. In some instances, `key` is a required field.
  25046. properties:
  25047. key:
  25048. description: |-
  25049. A key in the referenced Secret.
  25050. Some instances of this field may be defaulted, in others it may be required.
  25051. maxLength: 253
  25052. minLength: 1
  25053. pattern: ^[-._a-zA-Z0-9]+$
  25054. type: string
  25055. name:
  25056. description: The name of the Secret resource being referred to.
  25057. maxLength: 253
  25058. minLength: 1
  25059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25060. type: string
  25061. namespace:
  25062. description: |-
  25063. The namespace of the Secret resource being referred to.
  25064. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25065. maxLength: 63
  25066. minLength: 1
  25067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25068. type: string
  25069. type: object
  25070. required:
  25071. - passwordSecret
  25072. - usernameSecret
  25073. type: object
  25074. type: object
  25075. body:
  25076. description: Body
  25077. type: string
  25078. caBundle:
  25079. description: |-
  25080. PEM encoded CA bundle used to validate webhook server certificate. Only used
  25081. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25082. plain HTTP protocol connection. If not set the system root certificates
  25083. are used to validate the TLS connection.
  25084. format: byte
  25085. type: string
  25086. caProvider:
  25087. description: The provider for the CA bundle to use to validate webhook server certificate.
  25088. properties:
  25089. key:
  25090. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25091. maxLength: 253
  25092. minLength: 1
  25093. pattern: ^[-._a-zA-Z0-9]+$
  25094. type: string
  25095. name:
  25096. description: The name of the object located at the provider type.
  25097. maxLength: 253
  25098. minLength: 1
  25099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25100. type: string
  25101. namespace:
  25102. description: The namespace the Provider type is in.
  25103. maxLength: 63
  25104. minLength: 1
  25105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25106. type: string
  25107. type:
  25108. description: The type of provider to use such as "Secret", or "ConfigMap".
  25109. enum:
  25110. - Secret
  25111. - ConfigMap
  25112. type: string
  25113. required:
  25114. - name
  25115. - type
  25116. type: object
  25117. headers:
  25118. additionalProperties:
  25119. type: string
  25120. description: Headers
  25121. type: object
  25122. method:
  25123. description: Webhook Method
  25124. type: string
  25125. result:
  25126. description: Result formatting
  25127. properties:
  25128. jsonPath:
  25129. description: Json path of return value
  25130. type: string
  25131. type: object
  25132. secrets:
  25133. description: |-
  25134. Secrets to fill in templates
  25135. These secrets will be passed to the templating function as key value pairs under the given name
  25136. items:
  25137. description: WebhookSecret defines a secret to be used in webhook templates.
  25138. properties:
  25139. name:
  25140. description: Name of this secret in templates
  25141. type: string
  25142. secretRef:
  25143. description: Secret ref to fill in credentials
  25144. properties:
  25145. key:
  25146. description: |-
  25147. A key in the referenced Secret.
  25148. Some instances of this field may be defaulted, in others it may be required.
  25149. maxLength: 253
  25150. minLength: 1
  25151. pattern: ^[-._a-zA-Z0-9]+$
  25152. type: string
  25153. name:
  25154. description: The name of the Secret resource being referred to.
  25155. maxLength: 253
  25156. minLength: 1
  25157. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25158. type: string
  25159. namespace:
  25160. description: |-
  25161. The namespace of the Secret resource being referred to.
  25162. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25163. maxLength: 63
  25164. minLength: 1
  25165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25166. type: string
  25167. type: object
  25168. required:
  25169. - name
  25170. - secretRef
  25171. type: object
  25172. type: array
  25173. timeout:
  25174. description: Timeout
  25175. type: string
  25176. url:
  25177. description: Webhook url to call
  25178. type: string
  25179. required:
  25180. - result
  25181. - url
  25182. type: object
  25183. yandexcertificatemanager:
  25184. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  25185. properties:
  25186. apiEndpoint:
  25187. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25188. type: string
  25189. auth:
  25190. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  25191. properties:
  25192. authorizedKeySecretRef:
  25193. description: The authorized key used for authentication
  25194. properties:
  25195. key:
  25196. description: |-
  25197. A key in the referenced Secret.
  25198. Some instances of this field may be defaulted, in others it may be required.
  25199. maxLength: 253
  25200. minLength: 1
  25201. pattern: ^[-._a-zA-Z0-9]+$
  25202. type: string
  25203. name:
  25204. description: The name of the Secret resource being referred to.
  25205. maxLength: 253
  25206. minLength: 1
  25207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25208. type: string
  25209. namespace:
  25210. description: |-
  25211. The namespace of the Secret resource being referred to.
  25212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25213. maxLength: 63
  25214. minLength: 1
  25215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25216. type: string
  25217. type: object
  25218. type: object
  25219. caProvider:
  25220. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25221. properties:
  25222. certSecretRef:
  25223. description: |-
  25224. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25225. In some instances, `key` is a required field.
  25226. properties:
  25227. key:
  25228. description: |-
  25229. A key in the referenced Secret.
  25230. Some instances of this field may be defaulted, in others it may be required.
  25231. maxLength: 253
  25232. minLength: 1
  25233. pattern: ^[-._a-zA-Z0-9]+$
  25234. type: string
  25235. name:
  25236. description: The name of the Secret resource being referred to.
  25237. maxLength: 253
  25238. minLength: 1
  25239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25240. type: string
  25241. namespace:
  25242. description: |-
  25243. The namespace of the Secret resource being referred to.
  25244. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25245. maxLength: 63
  25246. minLength: 1
  25247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25248. type: string
  25249. type: object
  25250. type: object
  25251. required:
  25252. - auth
  25253. type: object
  25254. yandexlockbox:
  25255. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25256. properties:
  25257. apiEndpoint:
  25258. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25259. type: string
  25260. auth:
  25261. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25262. properties:
  25263. authorizedKeySecretRef:
  25264. description: The authorized key used for authentication
  25265. properties:
  25266. key:
  25267. description: |-
  25268. A key in the referenced Secret.
  25269. Some instances of this field may be defaulted, in others it may be required.
  25270. maxLength: 253
  25271. minLength: 1
  25272. pattern: ^[-._a-zA-Z0-9]+$
  25273. type: string
  25274. name:
  25275. description: The name of the Secret resource being referred to.
  25276. maxLength: 253
  25277. minLength: 1
  25278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25279. type: string
  25280. namespace:
  25281. description: |-
  25282. The namespace of the Secret resource being referred to.
  25283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25284. maxLength: 63
  25285. minLength: 1
  25286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25287. type: string
  25288. type: object
  25289. type: object
  25290. caProvider:
  25291. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25292. properties:
  25293. certSecretRef:
  25294. description: |-
  25295. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25296. In some instances, `key` is a required field.
  25297. properties:
  25298. key:
  25299. description: |-
  25300. A key in the referenced Secret.
  25301. Some instances of this field may be defaulted, in others it may be required.
  25302. maxLength: 253
  25303. minLength: 1
  25304. pattern: ^[-._a-zA-Z0-9]+$
  25305. type: string
  25306. name:
  25307. description: The name of the Secret resource being referred to.
  25308. maxLength: 253
  25309. minLength: 1
  25310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25311. type: string
  25312. namespace:
  25313. description: |-
  25314. The namespace of the Secret resource being referred to.
  25315. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25316. maxLength: 63
  25317. minLength: 1
  25318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25319. type: string
  25320. type: object
  25321. type: object
  25322. required:
  25323. - auth
  25324. type: object
  25325. type: object
  25326. refreshInterval:
  25327. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25328. type: integer
  25329. retrySettings:
  25330. description: Used to configure HTTP retries on failures.
  25331. properties:
  25332. maxRetries:
  25333. description: MaxRetries is the maximum number of retry attempts.
  25334. format: int32
  25335. type: integer
  25336. retryInterval:
  25337. description: RetryInterval is the interval between retry attempts.
  25338. type: string
  25339. type: object
  25340. required:
  25341. - provider
  25342. type: object
  25343. status:
  25344. description: SecretStoreStatus defines the observed state of the SecretStore.
  25345. properties:
  25346. capabilities:
  25347. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25348. type: string
  25349. conditions:
  25350. items:
  25351. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25352. properties:
  25353. lastTransitionTime:
  25354. format: date-time
  25355. type: string
  25356. message:
  25357. type: string
  25358. reason:
  25359. type: string
  25360. status:
  25361. type: string
  25362. type:
  25363. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25364. type: string
  25365. required:
  25366. - status
  25367. - type
  25368. type: object
  25369. type: array
  25370. type: object
  25371. type: object
  25372. served: false
  25373. storage: false
  25374. subresources:
  25375. status: {}
  25376. ---
  25377. apiVersion: apiextensions.k8s.io/v1
  25378. kind: CustomResourceDefinition
  25379. metadata:
  25380. annotations:
  25381. controller-gen.kubebuilder.io/version: v0.19.0
  25382. labels:
  25383. external-secrets.io/component: controller
  25384. name: acraccesstokens.generators.external-secrets.io
  25385. spec:
  25386. group: generators.external-secrets.io
  25387. names:
  25388. categories:
  25389. - external-secrets
  25390. - external-secrets-generators
  25391. kind: ACRAccessToken
  25392. listKind: ACRAccessTokenList
  25393. plural: acraccesstokens
  25394. singular: acraccesstoken
  25395. scope: Namespaced
  25396. versions:
  25397. - name: v1alpha1
  25398. schema:
  25399. openAPIV3Schema:
  25400. description: |-
  25401. ACRAccessToken returns an Azure Container Registry token
  25402. that can be used for pushing/pulling images.
  25403. Note: by default it will return an ACR Refresh Token with full access
  25404. (depending on the identity).
  25405. This can be scoped down to the repository level using .spec.scope.
  25406. In case scope is defined it will return an ACR Access Token.
  25407. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25408. properties:
  25409. apiVersion:
  25410. description: |-
  25411. APIVersion defines the versioned schema of this representation of an object.
  25412. Servers should convert recognized schemas to the latest internal value, and
  25413. may reject unrecognized values.
  25414. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25415. type: string
  25416. kind:
  25417. description: |-
  25418. Kind is a string value representing the REST resource this object represents.
  25419. Servers may infer this from the endpoint the client submits requests to.
  25420. Cannot be updated.
  25421. In CamelCase.
  25422. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25423. type: string
  25424. metadata:
  25425. type: object
  25426. spec:
  25427. description: |-
  25428. ACRAccessTokenSpec defines how to generate the access token
  25429. e.g. how to authenticate and which registry to use.
  25430. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25431. properties:
  25432. auth:
  25433. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25434. properties:
  25435. managedIdentity:
  25436. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25437. properties:
  25438. identityId:
  25439. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25440. type: string
  25441. type: object
  25442. servicePrincipal:
  25443. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25444. properties:
  25445. secretRef:
  25446. description: |-
  25447. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25448. It uses static credentials stored in a Kind=Secret.
  25449. properties:
  25450. clientId:
  25451. description: The Azure clientId of the service principle used for authentication.
  25452. properties:
  25453. key:
  25454. description: |-
  25455. A key in the referenced Secret.
  25456. Some instances of this field may be defaulted, in others it may be required.
  25457. maxLength: 253
  25458. minLength: 1
  25459. pattern: ^[-._a-zA-Z0-9]+$
  25460. type: string
  25461. name:
  25462. description: The name of the Secret resource being referred to.
  25463. maxLength: 253
  25464. minLength: 1
  25465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25466. type: string
  25467. namespace:
  25468. description: |-
  25469. The namespace of the Secret resource being referred to.
  25470. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25471. maxLength: 63
  25472. minLength: 1
  25473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25474. type: string
  25475. type: object
  25476. clientSecret:
  25477. description: The Azure ClientSecret of the service principle used for authentication.
  25478. properties:
  25479. key:
  25480. description: |-
  25481. A key in the referenced Secret.
  25482. Some instances of this field may be defaulted, in others it may be required.
  25483. maxLength: 253
  25484. minLength: 1
  25485. pattern: ^[-._a-zA-Z0-9]+$
  25486. type: string
  25487. name:
  25488. description: The name of the Secret resource being referred to.
  25489. maxLength: 253
  25490. minLength: 1
  25491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25492. type: string
  25493. namespace:
  25494. description: |-
  25495. The namespace of the Secret resource being referred to.
  25496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25497. maxLength: 63
  25498. minLength: 1
  25499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25500. type: string
  25501. type: object
  25502. type: object
  25503. required:
  25504. - secretRef
  25505. type: object
  25506. workloadIdentity:
  25507. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25508. properties:
  25509. serviceAccountRef:
  25510. description: |-
  25511. ServiceAccountRef specified the service account
  25512. that should be used when authenticating with WorkloadIdentity.
  25513. properties:
  25514. audiences:
  25515. description: |-
  25516. Audience specifies the `aud` claim for the service account token
  25517. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25518. then this audiences will be appended to the list
  25519. items:
  25520. type: string
  25521. type: array
  25522. name:
  25523. description: The name of the ServiceAccount resource being referred to.
  25524. maxLength: 253
  25525. minLength: 1
  25526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25527. type: string
  25528. namespace:
  25529. description: |-
  25530. Namespace of the resource being referred to.
  25531. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25532. maxLength: 63
  25533. minLength: 1
  25534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25535. type: string
  25536. required:
  25537. - name
  25538. type: object
  25539. type: object
  25540. type: object
  25541. environmentType:
  25542. default: PublicCloud
  25543. description: |-
  25544. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25545. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25546. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25547. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25548. enum:
  25549. - PublicCloud
  25550. - USGovernmentCloud
  25551. - ChinaCloud
  25552. - GermanCloud
  25553. - AzureStackCloud
  25554. type: string
  25555. registry:
  25556. description: |-
  25557. the domain name of the ACR registry
  25558. e.g. foobarexample.azurecr.io
  25559. type: string
  25560. scope:
  25561. description: |-
  25562. Define the scope for the access token, e.g. pull/push access for a repository.
  25563. if not provided it will return a refresh token that has full scope.
  25564. Note: you need to pin it down to the repository level, there is no wildcard available.
  25565. examples:
  25566. repository:my-repository:pull,push
  25567. repository:my-repository:pull
  25568. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25569. type: string
  25570. tenantId:
  25571. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25572. type: string
  25573. required:
  25574. - auth
  25575. - registry
  25576. type: object
  25577. type: object
  25578. served: true
  25579. storage: true
  25580. subresources:
  25581. status: {}
  25582. ---
  25583. apiVersion: apiextensions.k8s.io/v1
  25584. kind: CustomResourceDefinition
  25585. metadata:
  25586. annotations:
  25587. controller-gen.kubebuilder.io/version: v0.19.0
  25588. labels:
  25589. external-secrets.io/component: controller
  25590. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  25591. spec:
  25592. group: generators.external-secrets.io
  25593. names:
  25594. categories:
  25595. - external-secrets
  25596. - external-secrets-generators
  25597. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  25598. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  25599. plural: beyondtrustworkloadcredentialsdynamicsecrets
  25600. singular: beyondtrustworkloadcredentialsdynamicsecret
  25601. scope: Namespaced
  25602. versions:
  25603. - name: v1alpha1
  25604. schema:
  25605. openAPIV3Schema:
  25606. description: |-
  25607. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  25608. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  25609. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  25610. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  25611. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25612. properties:
  25613. apiVersion:
  25614. description: |-
  25615. APIVersion defines the versioned schema of this representation of an object.
  25616. Servers should convert recognized schemas to the latest internal value, and
  25617. may reject unrecognized values.
  25618. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25619. type: string
  25620. kind:
  25621. description: |-
  25622. Kind is a string value representing the REST resource this object represents.
  25623. Servers may infer this from the endpoint the client submits requests to.
  25624. Cannot be updated.
  25625. In CamelCase.
  25626. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25627. type: string
  25628. metadata:
  25629. type: object
  25630. spec:
  25631. description: |-
  25632. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  25633. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  25634. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25635. properties:
  25636. controller:
  25637. description: |-
  25638. Controller selects the controller that should handle this generator.
  25639. Leave empty to use the default controller.
  25640. type: string
  25641. provider:
  25642. description: |-
  25643. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  25644. server connection details, and the folder path to the dynamic secret definition.
  25645. The folderPath should point to a dynamic secret definition that has been created in
  25646. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  25647. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25648. properties:
  25649. auth:
  25650. description: |-
  25651. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  25652. Currently supports API key authentication via Kubernetes secret reference.
  25653. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25654. properties:
  25655. apikey:
  25656. description: |-
  25657. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  25658. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  25659. properties:
  25660. token:
  25661. description: |-
  25662. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  25663. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  25664. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  25665. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  25666. properties:
  25667. key:
  25668. description: |-
  25669. A key in the referenced Secret.
  25670. Some instances of this field may be defaulted, in others it may be required.
  25671. maxLength: 253
  25672. minLength: 1
  25673. pattern: ^[-._a-zA-Z0-9]+$
  25674. type: string
  25675. name:
  25676. description: The name of the Secret resource being referred to.
  25677. maxLength: 253
  25678. minLength: 1
  25679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25680. type: string
  25681. namespace:
  25682. description: |-
  25683. The namespace of the Secret resource being referred to.
  25684. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25685. maxLength: 63
  25686. minLength: 1
  25687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25688. type: string
  25689. type: object
  25690. required:
  25691. - token
  25692. type: object
  25693. required:
  25694. - apikey
  25695. type: object
  25696. caBundle:
  25697. description: |-
  25698. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25699. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  25700. If not set, the system's trusted root certificates are used.
  25701. format: byte
  25702. type: string
  25703. caProvider:
  25704. description: |-
  25705. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  25706. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  25707. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  25708. properties:
  25709. key:
  25710. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25711. maxLength: 253
  25712. minLength: 1
  25713. pattern: ^[-._a-zA-Z0-9]+$
  25714. type: string
  25715. name:
  25716. description: The name of the object located at the provider type.
  25717. maxLength: 253
  25718. minLength: 1
  25719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25720. type: string
  25721. namespace:
  25722. description: |-
  25723. The namespace the Provider type is in.
  25724. Can only be defined when used in a ClusterSecretStore.
  25725. maxLength: 63
  25726. minLength: 1
  25727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25728. type: string
  25729. type:
  25730. description: The type of provider to use such as "Secret", or "ConfigMap".
  25731. enum:
  25732. - Secret
  25733. - ConfigMap
  25734. type: string
  25735. required:
  25736. - name
  25737. - type
  25738. type: object
  25739. folderPath:
  25740. description: |-
  25741. FolderPath specifies the default folder path for secret retrieval.
  25742. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  25743. Example: "production/database" or "dev/api-keys"
  25744. Leave empty to retrieve secrets from the root folder.
  25745. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  25746. type: string
  25747. server:
  25748. description: |-
  25749. Server configures the BeyondTrust Workload Credentials server connection details.
  25750. Includes the API URL and Site ID for your BeyondTrust instance.
  25751. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25752. properties:
  25753. apiUrl:
  25754. description: |-
  25755. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  25756. This should be the full URL to your BeyondTrust instance.
  25757. Example: https://api.beyondtrust.io/siie
  25758. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  25759. type: string
  25760. siteId:
  25761. description: |-
  25762. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  25763. This identifier is unique to your BeyondTrust Workload Credentials instance.
  25764. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  25765. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  25766. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  25767. type: string
  25768. required:
  25769. - apiUrl
  25770. - siteId
  25771. type: object
  25772. required:
  25773. - auth
  25774. - server
  25775. type: object
  25776. retrySettings:
  25777. description: |-
  25778. RetrySettings configures exponential backoff for failed API requests.
  25779. If not specified, uses the default retry settings.
  25780. properties:
  25781. maxRetries:
  25782. format: int32
  25783. type: integer
  25784. retryInterval:
  25785. type: string
  25786. type: object
  25787. required:
  25788. - provider
  25789. type: object
  25790. type: object
  25791. served: true
  25792. storage: true
  25793. subresources:
  25794. status: {}
  25795. ---
  25796. apiVersion: apiextensions.k8s.io/v1
  25797. kind: CustomResourceDefinition
  25798. metadata:
  25799. annotations:
  25800. controller-gen.kubebuilder.io/version: v0.19.0
  25801. labels:
  25802. external-secrets.io/component: controller
  25803. name: cloudsmithaccesstokens.generators.external-secrets.io
  25804. spec:
  25805. group: generators.external-secrets.io
  25806. names:
  25807. categories:
  25808. - external-secrets
  25809. - external-secrets-generators
  25810. kind: CloudsmithAccessToken
  25811. listKind: CloudsmithAccessTokenList
  25812. plural: cloudsmithaccesstokens
  25813. singular: cloudsmithaccesstoken
  25814. scope: Namespaced
  25815. versions:
  25816. - name: v1alpha1
  25817. schema:
  25818. openAPIV3Schema:
  25819. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  25820. properties:
  25821. apiVersion:
  25822. description: |-
  25823. APIVersion defines the versioned schema of this representation of an object.
  25824. Servers should convert recognized schemas to the latest internal value, and
  25825. may reject unrecognized values.
  25826. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25827. type: string
  25828. kind:
  25829. description: |-
  25830. Kind is a string value representing the REST resource this object represents.
  25831. Servers may infer this from the endpoint the client submits requests to.
  25832. Cannot be updated.
  25833. In CamelCase.
  25834. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25835. type: string
  25836. metadata:
  25837. type: object
  25838. spec:
  25839. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25840. properties:
  25841. apiUrl:
  25842. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25843. type: string
  25844. orgSlug:
  25845. description: OrgSlug is the organization slug in Cloudsmith
  25846. type: string
  25847. serviceAccountRef:
  25848. description: Name of the service account you are federating with
  25849. properties:
  25850. audiences:
  25851. description: |-
  25852. Audience specifies the `aud` claim for the service account token
  25853. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25854. then this audiences will be appended to the list
  25855. items:
  25856. type: string
  25857. type: array
  25858. name:
  25859. description: The name of the ServiceAccount resource being referred to.
  25860. maxLength: 253
  25861. minLength: 1
  25862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25863. type: string
  25864. namespace:
  25865. description: |-
  25866. Namespace of the resource being referred to.
  25867. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25868. maxLength: 63
  25869. minLength: 1
  25870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25871. type: string
  25872. required:
  25873. - name
  25874. type: object
  25875. serviceSlug:
  25876. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25877. type: string
  25878. required:
  25879. - orgSlug
  25880. - serviceAccountRef
  25881. - serviceSlug
  25882. type: object
  25883. type: object
  25884. served: true
  25885. storage: true
  25886. subresources:
  25887. status: {}
  25888. ---
  25889. apiVersion: apiextensions.k8s.io/v1
  25890. kind: CustomResourceDefinition
  25891. metadata:
  25892. annotations:
  25893. controller-gen.kubebuilder.io/version: v0.19.0
  25894. labels:
  25895. external-secrets.io/component: controller
  25896. name: clustergenerators.generators.external-secrets.io
  25897. spec:
  25898. group: generators.external-secrets.io
  25899. names:
  25900. categories:
  25901. - external-secrets
  25902. - external-secrets-generators
  25903. kind: ClusterGenerator
  25904. listKind: ClusterGeneratorList
  25905. plural: clustergenerators
  25906. singular: clustergenerator
  25907. scope: Cluster
  25908. versions:
  25909. - name: v1alpha1
  25910. schema:
  25911. openAPIV3Schema:
  25912. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  25913. properties:
  25914. apiVersion:
  25915. description: |-
  25916. APIVersion defines the versioned schema of this representation of an object.
  25917. Servers should convert recognized schemas to the latest internal value, and
  25918. may reject unrecognized values.
  25919. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25920. type: string
  25921. kind:
  25922. description: |-
  25923. Kind is a string value representing the REST resource this object represents.
  25924. Servers may infer this from the endpoint the client submits requests to.
  25925. Cannot be updated.
  25926. In CamelCase.
  25927. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25928. type: string
  25929. metadata:
  25930. type: object
  25931. spec:
  25932. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  25933. properties:
  25934. generator:
  25935. description: Generator the spec for this generator, must match the kind.
  25936. maxProperties: 1
  25937. minProperties: 1
  25938. properties:
  25939. acrAccessTokenSpec:
  25940. description: |-
  25941. ACRAccessTokenSpec defines how to generate the access token
  25942. e.g. how to authenticate and which registry to use.
  25943. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25944. properties:
  25945. auth:
  25946. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25947. properties:
  25948. managedIdentity:
  25949. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25950. properties:
  25951. identityId:
  25952. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25953. type: string
  25954. type: object
  25955. servicePrincipal:
  25956. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25957. properties:
  25958. secretRef:
  25959. description: |-
  25960. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25961. It uses static credentials stored in a Kind=Secret.
  25962. properties:
  25963. clientId:
  25964. description: The Azure clientId of the service principle used for authentication.
  25965. properties:
  25966. key:
  25967. description: |-
  25968. A key in the referenced Secret.
  25969. Some instances of this field may be defaulted, in others it may be required.
  25970. maxLength: 253
  25971. minLength: 1
  25972. pattern: ^[-._a-zA-Z0-9]+$
  25973. type: string
  25974. name:
  25975. description: The name of the Secret resource being referred to.
  25976. maxLength: 253
  25977. minLength: 1
  25978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25979. type: string
  25980. namespace:
  25981. description: |-
  25982. The namespace of the Secret resource being referred to.
  25983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25984. maxLength: 63
  25985. minLength: 1
  25986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25987. type: string
  25988. type: object
  25989. clientSecret:
  25990. description: The Azure ClientSecret of the service principle used for authentication.
  25991. properties:
  25992. key:
  25993. description: |-
  25994. A key in the referenced Secret.
  25995. Some instances of this field may be defaulted, in others it may be required.
  25996. maxLength: 253
  25997. minLength: 1
  25998. pattern: ^[-._a-zA-Z0-9]+$
  25999. type: string
  26000. name:
  26001. description: The name of the Secret resource being referred to.
  26002. maxLength: 253
  26003. minLength: 1
  26004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26005. type: string
  26006. namespace:
  26007. description: |-
  26008. The namespace of the Secret resource being referred to.
  26009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26010. maxLength: 63
  26011. minLength: 1
  26012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26013. type: string
  26014. type: object
  26015. type: object
  26016. required:
  26017. - secretRef
  26018. type: object
  26019. workloadIdentity:
  26020. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  26021. properties:
  26022. serviceAccountRef:
  26023. description: |-
  26024. ServiceAccountRef specified the service account
  26025. that should be used when authenticating with WorkloadIdentity.
  26026. properties:
  26027. audiences:
  26028. description: |-
  26029. Audience specifies the `aud` claim for the service account token
  26030. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26031. then this audiences will be appended to the list
  26032. items:
  26033. type: string
  26034. type: array
  26035. name:
  26036. description: The name of the ServiceAccount resource being referred to.
  26037. maxLength: 253
  26038. minLength: 1
  26039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26040. type: string
  26041. namespace:
  26042. description: |-
  26043. Namespace of the resource being referred to.
  26044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26045. maxLength: 63
  26046. minLength: 1
  26047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26048. type: string
  26049. required:
  26050. - name
  26051. type: object
  26052. type: object
  26053. type: object
  26054. environmentType:
  26055. default: PublicCloud
  26056. description: |-
  26057. EnvironmentType specifies the Azure cloud environment endpoints to use for
  26058. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  26059. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  26060. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  26061. enum:
  26062. - PublicCloud
  26063. - USGovernmentCloud
  26064. - ChinaCloud
  26065. - GermanCloud
  26066. - AzureStackCloud
  26067. type: string
  26068. registry:
  26069. description: |-
  26070. the domain name of the ACR registry
  26071. e.g. foobarexample.azurecr.io
  26072. type: string
  26073. scope:
  26074. description: |-
  26075. Define the scope for the access token, e.g. pull/push access for a repository.
  26076. if not provided it will return a refresh token that has full scope.
  26077. Note: you need to pin it down to the repository level, there is no wildcard available.
  26078. examples:
  26079. repository:my-repository:pull,push
  26080. repository:my-repository:pull
  26081. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26082. type: string
  26083. tenantId:
  26084. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26085. type: string
  26086. required:
  26087. - auth
  26088. - registry
  26089. type: object
  26090. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  26091. description: |-
  26092. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26093. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26094. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26095. properties:
  26096. controller:
  26097. description: |-
  26098. Controller selects the controller that should handle this generator.
  26099. Leave empty to use the default controller.
  26100. type: string
  26101. provider:
  26102. description: |-
  26103. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26104. server connection details, and the folder path to the dynamic secret definition.
  26105. The folderPath should point to a dynamic secret definition that has been created in
  26106. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26107. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26108. properties:
  26109. auth:
  26110. description: |-
  26111. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26112. Currently supports API key authentication via Kubernetes secret reference.
  26113. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26114. properties:
  26115. apikey:
  26116. description: |-
  26117. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26118. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26119. properties:
  26120. token:
  26121. description: |-
  26122. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26123. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26124. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26125. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26126. properties:
  26127. key:
  26128. description: |-
  26129. A key in the referenced Secret.
  26130. Some instances of this field may be defaulted, in others it may be required.
  26131. maxLength: 253
  26132. minLength: 1
  26133. pattern: ^[-._a-zA-Z0-9]+$
  26134. type: string
  26135. name:
  26136. description: The name of the Secret resource being referred to.
  26137. maxLength: 253
  26138. minLength: 1
  26139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26140. type: string
  26141. namespace:
  26142. description: |-
  26143. The namespace of the Secret resource being referred to.
  26144. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26145. maxLength: 63
  26146. minLength: 1
  26147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26148. type: string
  26149. type: object
  26150. required:
  26151. - token
  26152. type: object
  26153. required:
  26154. - apikey
  26155. type: object
  26156. caBundle:
  26157. description: |-
  26158. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26159. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26160. If not set, the system's trusted root certificates are used.
  26161. format: byte
  26162. type: string
  26163. caProvider:
  26164. description: |-
  26165. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26166. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26167. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26168. properties:
  26169. key:
  26170. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26171. maxLength: 253
  26172. minLength: 1
  26173. pattern: ^[-._a-zA-Z0-9]+$
  26174. type: string
  26175. name:
  26176. description: The name of the object located at the provider type.
  26177. maxLength: 253
  26178. minLength: 1
  26179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26180. type: string
  26181. namespace:
  26182. description: |-
  26183. The namespace the Provider type is in.
  26184. Can only be defined when used in a ClusterSecretStore.
  26185. maxLength: 63
  26186. minLength: 1
  26187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26188. type: string
  26189. type:
  26190. description: The type of provider to use such as "Secret", or "ConfigMap".
  26191. enum:
  26192. - Secret
  26193. - ConfigMap
  26194. type: string
  26195. required:
  26196. - name
  26197. - type
  26198. type: object
  26199. folderPath:
  26200. description: |-
  26201. FolderPath specifies the default folder path for secret retrieval.
  26202. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26203. Example: "production/database" or "dev/api-keys"
  26204. Leave empty to retrieve secrets from the root folder.
  26205. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26206. type: string
  26207. server:
  26208. description: |-
  26209. Server configures the BeyondTrust Workload Credentials server connection details.
  26210. Includes the API URL and Site ID for your BeyondTrust instance.
  26211. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26212. properties:
  26213. apiUrl:
  26214. description: |-
  26215. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26216. This should be the full URL to your BeyondTrust instance.
  26217. Example: https://api.beyondtrust.io/siie
  26218. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26219. type: string
  26220. siteId:
  26221. description: |-
  26222. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26223. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26224. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26225. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26226. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26227. type: string
  26228. required:
  26229. - apiUrl
  26230. - siteId
  26231. type: object
  26232. required:
  26233. - auth
  26234. - server
  26235. type: object
  26236. retrySettings:
  26237. description: |-
  26238. RetrySettings configures exponential backoff for failed API requests.
  26239. If not specified, uses the default retry settings.
  26240. properties:
  26241. maxRetries:
  26242. format: int32
  26243. type: integer
  26244. retryInterval:
  26245. type: string
  26246. type: object
  26247. required:
  26248. - provider
  26249. type: object
  26250. cloudsmithAccessTokenSpec:
  26251. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26252. properties:
  26253. apiUrl:
  26254. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26255. type: string
  26256. orgSlug:
  26257. description: OrgSlug is the organization slug in Cloudsmith
  26258. type: string
  26259. serviceAccountRef:
  26260. description: Name of the service account you are federating with
  26261. properties:
  26262. audiences:
  26263. description: |-
  26264. Audience specifies the `aud` claim for the service account token
  26265. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26266. then this audiences will be appended to the list
  26267. items:
  26268. type: string
  26269. type: array
  26270. name:
  26271. description: The name of the ServiceAccount resource being referred to.
  26272. maxLength: 253
  26273. minLength: 1
  26274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26275. type: string
  26276. namespace:
  26277. description: |-
  26278. Namespace of the resource being referred to.
  26279. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26280. maxLength: 63
  26281. minLength: 1
  26282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26283. type: string
  26284. required:
  26285. - name
  26286. type: object
  26287. serviceSlug:
  26288. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26289. type: string
  26290. required:
  26291. - orgSlug
  26292. - serviceAccountRef
  26293. - serviceSlug
  26294. type: object
  26295. ecrAuthorizationTokenSpec:
  26296. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26297. properties:
  26298. auth:
  26299. description: Auth defines how to authenticate with AWS
  26300. properties:
  26301. jwt:
  26302. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26303. properties:
  26304. serviceAccountRef:
  26305. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26306. properties:
  26307. audiences:
  26308. description: |-
  26309. Audience specifies the `aud` claim for the service account token
  26310. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26311. then this audiences will be appended to the list
  26312. items:
  26313. type: string
  26314. type: array
  26315. name:
  26316. description: The name of the ServiceAccount resource being referred to.
  26317. maxLength: 253
  26318. minLength: 1
  26319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26320. type: string
  26321. namespace:
  26322. description: |-
  26323. Namespace of the resource being referred to.
  26324. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26325. maxLength: 63
  26326. minLength: 1
  26327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26328. type: string
  26329. required:
  26330. - name
  26331. type: object
  26332. type: object
  26333. secretRef:
  26334. description: |-
  26335. AWSAuthSecretRef holds secret references for AWS credentials
  26336. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26337. properties:
  26338. accessKeyIDSecretRef:
  26339. description: The AccessKeyID is used for authentication
  26340. properties:
  26341. key:
  26342. description: |-
  26343. A key in the referenced Secret.
  26344. Some instances of this field may be defaulted, in others it may be required.
  26345. maxLength: 253
  26346. minLength: 1
  26347. pattern: ^[-._a-zA-Z0-9]+$
  26348. type: string
  26349. name:
  26350. description: The name of the Secret resource being referred to.
  26351. maxLength: 253
  26352. minLength: 1
  26353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26354. type: string
  26355. namespace:
  26356. description: |-
  26357. The namespace of the Secret resource being referred to.
  26358. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26359. maxLength: 63
  26360. minLength: 1
  26361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26362. type: string
  26363. type: object
  26364. secretAccessKeySecretRef:
  26365. description: The SecretAccessKey is used for authentication
  26366. properties:
  26367. key:
  26368. description: |-
  26369. A key in the referenced Secret.
  26370. Some instances of this field may be defaulted, in others it may be required.
  26371. maxLength: 253
  26372. minLength: 1
  26373. pattern: ^[-._a-zA-Z0-9]+$
  26374. type: string
  26375. name:
  26376. description: The name of the Secret resource being referred to.
  26377. maxLength: 253
  26378. minLength: 1
  26379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26380. type: string
  26381. namespace:
  26382. description: |-
  26383. The namespace of the Secret resource being referred to.
  26384. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26385. maxLength: 63
  26386. minLength: 1
  26387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26388. type: string
  26389. type: object
  26390. sessionTokenSecretRef:
  26391. description: |-
  26392. The SessionToken used for authentication
  26393. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26394. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26395. properties:
  26396. key:
  26397. description: |-
  26398. A key in the referenced Secret.
  26399. Some instances of this field may be defaulted, in others it may be required.
  26400. maxLength: 253
  26401. minLength: 1
  26402. pattern: ^[-._a-zA-Z0-9]+$
  26403. type: string
  26404. name:
  26405. description: The name of the Secret resource being referred to.
  26406. maxLength: 253
  26407. minLength: 1
  26408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26409. type: string
  26410. namespace:
  26411. description: |-
  26412. The namespace of the Secret resource being referred to.
  26413. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26414. maxLength: 63
  26415. minLength: 1
  26416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26417. type: string
  26418. type: object
  26419. type: object
  26420. type: object
  26421. region:
  26422. description: Region specifies the region to operate in.
  26423. type: string
  26424. role:
  26425. description: |-
  26426. You can assume a role before making calls to the
  26427. desired AWS service.
  26428. type: string
  26429. scope:
  26430. description: |-
  26431. Scope specifies the ECR service scope.
  26432. Valid options are private and public.
  26433. type: string
  26434. required:
  26435. - region
  26436. type: object
  26437. fakeSpec:
  26438. description: FakeSpec contains the static data.
  26439. properties:
  26440. controller:
  26441. description: |-
  26442. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26443. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26444. type: string
  26445. data:
  26446. additionalProperties:
  26447. type: string
  26448. description: |-
  26449. Data defines the static data returned
  26450. by this generator.
  26451. type: object
  26452. type: object
  26453. gcrAccessTokenSpec:
  26454. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26455. properties:
  26456. auth:
  26457. description: Auth defines the means for authenticating with GCP
  26458. properties:
  26459. secretRef:
  26460. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26461. properties:
  26462. secretAccessKeySecretRef:
  26463. description: The SecretAccessKey is used for authentication
  26464. properties:
  26465. key:
  26466. description: |-
  26467. A key in the referenced Secret.
  26468. Some instances of this field may be defaulted, in others it may be required.
  26469. maxLength: 253
  26470. minLength: 1
  26471. pattern: ^[-._a-zA-Z0-9]+$
  26472. type: string
  26473. name:
  26474. description: The name of the Secret resource being referred to.
  26475. maxLength: 253
  26476. minLength: 1
  26477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26478. type: string
  26479. namespace:
  26480. description: |-
  26481. The namespace of the Secret resource being referred to.
  26482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26483. maxLength: 63
  26484. minLength: 1
  26485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26486. type: string
  26487. type: object
  26488. type: object
  26489. workloadIdentity:
  26490. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26491. properties:
  26492. clusterLocation:
  26493. type: string
  26494. clusterName:
  26495. type: string
  26496. clusterProjectID:
  26497. type: string
  26498. serviceAccountRef:
  26499. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26500. properties:
  26501. audiences:
  26502. description: |-
  26503. Audience specifies the `aud` claim for the service account token
  26504. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26505. then this audiences will be appended to the list
  26506. items:
  26507. type: string
  26508. type: array
  26509. name:
  26510. description: The name of the ServiceAccount resource being referred to.
  26511. maxLength: 253
  26512. minLength: 1
  26513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26514. type: string
  26515. namespace:
  26516. description: |-
  26517. Namespace of the resource being referred to.
  26518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26519. maxLength: 63
  26520. minLength: 1
  26521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26522. type: string
  26523. required:
  26524. - name
  26525. type: object
  26526. required:
  26527. - clusterLocation
  26528. - clusterName
  26529. - serviceAccountRef
  26530. type: object
  26531. workloadIdentityFederation:
  26532. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  26533. properties:
  26534. audience:
  26535. description: |-
  26536. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  26537. If specified, Audience found in the external account credential config will be overridden with the configured value.
  26538. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  26539. type: string
  26540. awsSecurityCredentials:
  26541. description: |-
  26542. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  26543. when using the AWS metadata server is not an option.
  26544. properties:
  26545. awsCredentialsSecretRef:
  26546. description: |-
  26547. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  26548. Secret should be created with below names for keys
  26549. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  26550. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  26551. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  26552. properties:
  26553. name:
  26554. description: name of the secret.
  26555. maxLength: 253
  26556. minLength: 1
  26557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26558. type: string
  26559. namespace:
  26560. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  26561. maxLength: 63
  26562. minLength: 1
  26563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26564. type: string
  26565. required:
  26566. - name
  26567. type: object
  26568. region:
  26569. description: region is for configuring the AWS region to be used.
  26570. example: ap-south-1
  26571. maxLength: 50
  26572. minLength: 1
  26573. pattern: ^[a-z0-9-]+$
  26574. type: string
  26575. required:
  26576. - awsCredentialsSecretRef
  26577. - region
  26578. type: object
  26579. credConfig:
  26580. description: |-
  26581. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  26582. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  26583. serviceAccountRef must be used by providing operators service account details.
  26584. properties:
  26585. key:
  26586. description: key name holding the external account credential config.
  26587. maxLength: 253
  26588. minLength: 1
  26589. pattern: ^[-._a-zA-Z0-9]+$
  26590. type: string
  26591. name:
  26592. description: name of the configmap.
  26593. maxLength: 253
  26594. minLength: 1
  26595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26596. type: string
  26597. namespace:
  26598. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  26599. maxLength: 63
  26600. minLength: 1
  26601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26602. type: string
  26603. required:
  26604. - key
  26605. - name
  26606. type: object
  26607. externalTokenEndpoint:
  26608. description: |-
  26609. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  26610. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  26611. URL is having the expected value.
  26612. type: string
  26613. gcpServiceAccountEmail:
  26614. description: |-
  26615. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  26616. after Workload Identity Federation. Use this to grant access through the service account's
  26617. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  26618. service_account_impersonation_url in the external account JSON from credConfig;
  26619. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  26620. on that ServiceAccount.
  26621. example: my-gsa@my-project.iam.gserviceaccount.com
  26622. minLength: 1
  26623. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  26624. type: string
  26625. serviceAccountRef:
  26626. description: |-
  26627. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  26628. when Kubernetes is configured as provider in workload identity pool.
  26629. properties:
  26630. audiences:
  26631. description: |-
  26632. Audience specifies the `aud` claim for the service account token
  26633. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26634. then this audiences will be appended to the list
  26635. items:
  26636. type: string
  26637. type: array
  26638. name:
  26639. description: The name of the ServiceAccount resource being referred to.
  26640. maxLength: 253
  26641. minLength: 1
  26642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26643. type: string
  26644. namespace:
  26645. description: |-
  26646. Namespace of the resource being referred to.
  26647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26648. maxLength: 63
  26649. minLength: 1
  26650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26651. type: string
  26652. required:
  26653. - name
  26654. type: object
  26655. type: object
  26656. type: object
  26657. projectID:
  26658. description: ProjectID defines which project to use to authenticate with
  26659. type: string
  26660. required:
  26661. - auth
  26662. - projectID
  26663. type: object
  26664. githubAccessTokenSpec:
  26665. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  26666. properties:
  26667. appID:
  26668. type: string
  26669. auth:
  26670. description: Auth configures how ESO authenticates with a Github instance.
  26671. properties:
  26672. privateKey:
  26673. description: GithubSecretRef references a secret containing GitHub credentials.
  26674. properties:
  26675. secretRef:
  26676. description: |-
  26677. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  26678. In some instances, `key` is a required field.
  26679. properties:
  26680. key:
  26681. description: |-
  26682. A key in the referenced Secret.
  26683. Some instances of this field may be defaulted, in others it may be required.
  26684. maxLength: 253
  26685. minLength: 1
  26686. pattern: ^[-._a-zA-Z0-9]+$
  26687. type: string
  26688. name:
  26689. description: The name of the Secret resource being referred to.
  26690. maxLength: 253
  26691. minLength: 1
  26692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26693. type: string
  26694. namespace:
  26695. description: |-
  26696. The namespace of the Secret resource being referred to.
  26697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26698. maxLength: 63
  26699. minLength: 1
  26700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26701. type: string
  26702. type: object
  26703. required:
  26704. - secretRef
  26705. type: object
  26706. required:
  26707. - privateKey
  26708. type: object
  26709. installID:
  26710. type: string
  26711. permissions:
  26712. additionalProperties:
  26713. type: string
  26714. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  26715. type: object
  26716. repositories:
  26717. description: |-
  26718. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  26719. is installed to.
  26720. items:
  26721. type: string
  26722. type: array
  26723. url:
  26724. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  26725. type: string
  26726. required:
  26727. - appID
  26728. - auth
  26729. - installID
  26730. type: object
  26731. grafanaSpec:
  26732. description: GrafanaSpec controls the behavior of the grafana generator.
  26733. properties:
  26734. auth:
  26735. description: |-
  26736. Auth is the authentication configuration to authenticate
  26737. against the Grafana instance.
  26738. properties:
  26739. basic:
  26740. description: |-
  26741. Basic auth credentials used to authenticate against the Grafana instance.
  26742. Note: you need a token which has elevated permissions to create service accounts.
  26743. See here for the documentation on basic roles offered by Grafana:
  26744. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26745. properties:
  26746. password:
  26747. description: A basic auth password used to authenticate against the Grafana instance.
  26748. properties:
  26749. key:
  26750. description: The key where the token is found.
  26751. maxLength: 253
  26752. minLength: 1
  26753. pattern: ^[-._a-zA-Z0-9]+$
  26754. type: string
  26755. name:
  26756. description: The name of the Secret resource being referred to.
  26757. maxLength: 253
  26758. minLength: 1
  26759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26760. type: string
  26761. type: object
  26762. username:
  26763. description: A basic auth username used to authenticate against the Grafana instance.
  26764. type: string
  26765. required:
  26766. - password
  26767. - username
  26768. type: object
  26769. token:
  26770. description: |-
  26771. A service account token used to authenticate against the Grafana instance.
  26772. Note: you need a token which has elevated permissions to create service accounts.
  26773. See here for the documentation on basic roles offered by Grafana:
  26774. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26775. properties:
  26776. key:
  26777. description: The key where the token is found.
  26778. maxLength: 253
  26779. minLength: 1
  26780. pattern: ^[-._a-zA-Z0-9]+$
  26781. type: string
  26782. name:
  26783. description: The name of the Secret resource being referred to.
  26784. maxLength: 253
  26785. minLength: 1
  26786. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26787. type: string
  26788. type: object
  26789. type: object
  26790. serviceAccount:
  26791. description: |-
  26792. ServiceAccount is the configuration for the service account that
  26793. is supposed to be generated by the generator.
  26794. properties:
  26795. name:
  26796. description: Name is the name of the service account that will be created by ESO.
  26797. type: string
  26798. role:
  26799. description: |-
  26800. Role is the role of the service account.
  26801. See here for the documentation on basic roles offered by Grafana:
  26802. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  26803. type: string
  26804. required:
  26805. - name
  26806. - role
  26807. type: object
  26808. url:
  26809. description: URL is the URL of the Grafana instance.
  26810. type: string
  26811. required:
  26812. - auth
  26813. - serviceAccount
  26814. - url
  26815. type: object
  26816. mfaSpec:
  26817. description: MFASpec controls the behavior of the mfa generator.
  26818. properties:
  26819. algorithm:
  26820. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  26821. type: string
  26822. length:
  26823. description: Length defines the token length. Defaults to 6 characters.
  26824. type: integer
  26825. secret:
  26826. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  26827. properties:
  26828. key:
  26829. description: |-
  26830. A key in the referenced Secret.
  26831. Some instances of this field may be defaulted, in others it may be required.
  26832. maxLength: 253
  26833. minLength: 1
  26834. pattern: ^[-._a-zA-Z0-9]+$
  26835. type: string
  26836. name:
  26837. description: The name of the Secret resource being referred to.
  26838. maxLength: 253
  26839. minLength: 1
  26840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26841. type: string
  26842. namespace:
  26843. description: |-
  26844. The namespace of the Secret resource being referred to.
  26845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26846. maxLength: 63
  26847. minLength: 1
  26848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26849. type: string
  26850. type: object
  26851. timePeriod:
  26852. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  26853. type: integer
  26854. when:
  26855. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  26856. format: date-time
  26857. type: string
  26858. required:
  26859. - secret
  26860. type: object
  26861. passwordSpec:
  26862. description: PasswordSpec controls the behavior of the password generator.
  26863. properties:
  26864. allowRepeat:
  26865. default: false
  26866. description: set AllowRepeat to true to allow repeating characters.
  26867. type: boolean
  26868. digits:
  26869. description: |-
  26870. Digits specifies the number of digits in the generated
  26871. password. If omitted it defaults to 25% of the length of the password
  26872. type: integer
  26873. encoding:
  26874. default: raw
  26875. description: |-
  26876. Encoding specifies the encoding of the generated password.
  26877. Valid values are:
  26878. - "raw" (default): no encoding
  26879. - "base64": standard base64 encoding
  26880. - "base64url": base64url encoding
  26881. - "base32": base32 encoding
  26882. - "hex": hexadecimal encoding
  26883. enum:
  26884. - base64
  26885. - base64url
  26886. - base32
  26887. - hex
  26888. - raw
  26889. type: string
  26890. length:
  26891. default: 24
  26892. description: |-
  26893. Length of the password to be generated.
  26894. Defaults to 24
  26895. type: integer
  26896. noUpper:
  26897. default: false
  26898. description: Set NoUpper to disable uppercase characters
  26899. type: boolean
  26900. secretKeys:
  26901. description: |-
  26902. SecretKeys defines the keys that will be populated with generated passwords.
  26903. Defaults to "password" when not set.
  26904. items:
  26905. type: string
  26906. minItems: 1
  26907. type: array
  26908. symbolCharacters:
  26909. description: |-
  26910. SymbolCharacters specifies the special characters that should be used
  26911. in the generated password.
  26912. type: string
  26913. symbols:
  26914. description: |-
  26915. Symbols specifies the number of symbol characters in the generated
  26916. password. If omitted it defaults to 25% of the length of the password
  26917. type: integer
  26918. required:
  26919. - allowRepeat
  26920. - length
  26921. - noUpper
  26922. type: object
  26923. quayAccessTokenSpec:
  26924. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  26925. properties:
  26926. robotAccount:
  26927. description: Name of the robot account you are federating with
  26928. type: string
  26929. serviceAccountRef:
  26930. description: Name of the service account you are federating with
  26931. properties:
  26932. audiences:
  26933. description: |-
  26934. Audience specifies the `aud` claim for the service account token
  26935. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26936. then this audiences will be appended to the list
  26937. items:
  26938. type: string
  26939. type: array
  26940. name:
  26941. description: The name of the ServiceAccount resource being referred to.
  26942. maxLength: 253
  26943. minLength: 1
  26944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26945. type: string
  26946. namespace:
  26947. description: |-
  26948. Namespace of the resource being referred to.
  26949. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26950. maxLength: 63
  26951. minLength: 1
  26952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26953. type: string
  26954. required:
  26955. - name
  26956. type: object
  26957. url:
  26958. description: URL configures the Quay instance URL. Defaults to quay.io.
  26959. type: string
  26960. required:
  26961. - robotAccount
  26962. - serviceAccountRef
  26963. type: object
  26964. sshKeySpec:
  26965. description: SSHKeySpec controls the behavior of the ssh key generator.
  26966. properties:
  26967. comment:
  26968. description: Comment specifies an optional comment for the SSH key
  26969. type: string
  26970. keySize:
  26971. description: |-
  26972. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  26973. For RSA keys: 2048, 3072, 4096
  26974. For ECDSA keys: 256, 384, 521
  26975. Ignored for ed25519 keys
  26976. maximum: 8192
  26977. minimum: 256
  26978. type: integer
  26979. keyType:
  26980. default: rsa
  26981. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  26982. enum:
  26983. - rsa
  26984. - ecdsa
  26985. - ed25519
  26986. type: string
  26987. type: object
  26988. stsSessionTokenSpec:
  26989. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  26990. properties:
  26991. auth:
  26992. description: Auth defines how to authenticate with AWS
  26993. properties:
  26994. jwt:
  26995. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26996. properties:
  26997. serviceAccountRef:
  26998. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26999. properties:
  27000. audiences:
  27001. description: |-
  27002. Audience specifies the `aud` claim for the service account token
  27003. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27004. then this audiences will be appended to the list
  27005. items:
  27006. type: string
  27007. type: array
  27008. name:
  27009. description: The name of the ServiceAccount resource being referred to.
  27010. maxLength: 253
  27011. minLength: 1
  27012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27013. type: string
  27014. namespace:
  27015. description: |-
  27016. Namespace of the resource being referred to.
  27017. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27018. maxLength: 63
  27019. minLength: 1
  27020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27021. type: string
  27022. required:
  27023. - name
  27024. type: object
  27025. type: object
  27026. secretRef:
  27027. description: |-
  27028. AWSAuthSecretRef holds secret references for AWS credentials
  27029. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27030. properties:
  27031. accessKeyIDSecretRef:
  27032. description: The AccessKeyID is used for authentication
  27033. properties:
  27034. key:
  27035. description: |-
  27036. A key in the referenced Secret.
  27037. Some instances of this field may be defaulted, in others it may be required.
  27038. maxLength: 253
  27039. minLength: 1
  27040. pattern: ^[-._a-zA-Z0-9]+$
  27041. type: string
  27042. name:
  27043. description: The name of the Secret resource being referred to.
  27044. maxLength: 253
  27045. minLength: 1
  27046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27047. type: string
  27048. namespace:
  27049. description: |-
  27050. The namespace of the Secret resource being referred to.
  27051. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27052. maxLength: 63
  27053. minLength: 1
  27054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27055. type: string
  27056. type: object
  27057. secretAccessKeySecretRef:
  27058. description: The SecretAccessKey is used for authentication
  27059. properties:
  27060. key:
  27061. description: |-
  27062. A key in the referenced Secret.
  27063. Some instances of this field may be defaulted, in others it may be required.
  27064. maxLength: 253
  27065. minLength: 1
  27066. pattern: ^[-._a-zA-Z0-9]+$
  27067. type: string
  27068. name:
  27069. description: The name of the Secret resource being referred to.
  27070. maxLength: 253
  27071. minLength: 1
  27072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27073. type: string
  27074. namespace:
  27075. description: |-
  27076. The namespace of the Secret resource being referred to.
  27077. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27078. maxLength: 63
  27079. minLength: 1
  27080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27081. type: string
  27082. type: object
  27083. sessionTokenSecretRef:
  27084. description: |-
  27085. The SessionToken used for authentication
  27086. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27087. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27088. properties:
  27089. key:
  27090. description: |-
  27091. A key in the referenced Secret.
  27092. Some instances of this field may be defaulted, in others it may be required.
  27093. maxLength: 253
  27094. minLength: 1
  27095. pattern: ^[-._a-zA-Z0-9]+$
  27096. type: string
  27097. name:
  27098. description: The name of the Secret resource being referred to.
  27099. maxLength: 253
  27100. minLength: 1
  27101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27102. type: string
  27103. namespace:
  27104. description: |-
  27105. The namespace of the Secret resource being referred to.
  27106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27107. maxLength: 63
  27108. minLength: 1
  27109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27110. type: string
  27111. type: object
  27112. type: object
  27113. type: object
  27114. region:
  27115. description: Region specifies the region to operate in.
  27116. type: string
  27117. requestParameters:
  27118. description: RequestParameters contains parameters that can be passed to the STS service.
  27119. properties:
  27120. serialNumber:
  27121. description: |-
  27122. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  27123. the GetSessionToken call.
  27124. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  27125. (such as arn:aws:iam::123456789012:mfa/user)
  27126. type: string
  27127. sessionDuration:
  27128. format: int32
  27129. type: integer
  27130. tokenCode:
  27131. description: TokenCode is the value provided by the MFA device, if MFA is required.
  27132. type: string
  27133. type: object
  27134. role:
  27135. description: |-
  27136. You can assume a role before making calls to the
  27137. desired AWS service.
  27138. type: string
  27139. required:
  27140. - region
  27141. type: object
  27142. uuidSpec:
  27143. description: UUIDSpec controls the behavior of the uuid generator.
  27144. type: object
  27145. vaultDynamicSecretSpec:
  27146. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  27147. properties:
  27148. allowEmptyResponse:
  27149. default: false
  27150. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  27151. type: boolean
  27152. controller:
  27153. description: |-
  27154. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27155. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27156. type: string
  27157. getParameters:
  27158. additionalProperties:
  27159. items:
  27160. type: string
  27161. type: array
  27162. description: |-
  27163. GetParameters are query-string parameters passed to Vault on GET calls.
  27164. Each key may map to multiple values, matching HTTP query-string semantics.
  27165. Ignored for non-GET methods; use Parameters for write bodies.
  27166. type: object
  27167. method:
  27168. description: Vault API method to use (GET/POST/other)
  27169. type: string
  27170. parameters:
  27171. description: Parameters to pass to Vault write (for non-GET methods)
  27172. x-kubernetes-preserve-unknown-fields: true
  27173. path:
  27174. description: Vault path to obtain the dynamic secret from
  27175. type: string
  27176. provider:
  27177. description: Vault provider common spec
  27178. properties:
  27179. auth:
  27180. description: Auth configures how secret-manager authenticates with the Vault server.
  27181. properties:
  27182. appRole:
  27183. description: |-
  27184. AppRole authenticates with Vault using the App Role auth mechanism,
  27185. with the role and secret stored in a Kubernetes Secret resource.
  27186. properties:
  27187. path:
  27188. default: approle
  27189. description: |-
  27190. Path where the App Role authentication backend is mounted
  27191. in Vault, e.g: "approle"
  27192. type: string
  27193. roleId:
  27194. description: |-
  27195. RoleID configured in the App Role authentication backend when setting
  27196. up the authentication backend in Vault.
  27197. type: string
  27198. roleRef:
  27199. description: |-
  27200. Reference to a key in a Secret that contains the App Role ID used
  27201. to authenticate with Vault.
  27202. The `key` field must be specified and denotes which entry within the Secret
  27203. resource is used as the app role id.
  27204. properties:
  27205. key:
  27206. description: |-
  27207. A key in the referenced Secret.
  27208. Some instances of this field may be defaulted, in others it may be required.
  27209. maxLength: 253
  27210. minLength: 1
  27211. pattern: ^[-._a-zA-Z0-9]+$
  27212. type: string
  27213. name:
  27214. description: The name of the Secret resource being referred to.
  27215. maxLength: 253
  27216. minLength: 1
  27217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27218. type: string
  27219. namespace:
  27220. description: |-
  27221. The namespace of the Secret resource being referred to.
  27222. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27223. maxLength: 63
  27224. minLength: 1
  27225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27226. type: string
  27227. type: object
  27228. secretRef:
  27229. description: |-
  27230. Reference to a key in a Secret that contains the App Role secret used
  27231. to authenticate with Vault.
  27232. The `key` field must be specified and denotes which entry within the Secret
  27233. resource is used as the app role secret.
  27234. properties:
  27235. key:
  27236. description: |-
  27237. A key in the referenced Secret.
  27238. Some instances of this field may be defaulted, in others it may be required.
  27239. maxLength: 253
  27240. minLength: 1
  27241. pattern: ^[-._a-zA-Z0-9]+$
  27242. type: string
  27243. name:
  27244. description: The name of the Secret resource being referred to.
  27245. maxLength: 253
  27246. minLength: 1
  27247. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27248. type: string
  27249. namespace:
  27250. description: |-
  27251. The namespace of the Secret resource being referred to.
  27252. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27253. maxLength: 63
  27254. minLength: 1
  27255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27256. type: string
  27257. type: object
  27258. required:
  27259. - path
  27260. - secretRef
  27261. type: object
  27262. cert:
  27263. description: |-
  27264. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  27265. Cert authentication method
  27266. properties:
  27267. clientCert:
  27268. description: |-
  27269. ClientCert is a certificate to authenticate using the Cert Vault
  27270. authentication method
  27271. properties:
  27272. key:
  27273. description: |-
  27274. A key in the referenced Secret.
  27275. Some instances of this field may be defaulted, in others it may be required.
  27276. maxLength: 253
  27277. minLength: 1
  27278. pattern: ^[-._a-zA-Z0-9]+$
  27279. type: string
  27280. name:
  27281. description: The name of the Secret resource being referred to.
  27282. maxLength: 253
  27283. minLength: 1
  27284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27285. type: string
  27286. namespace:
  27287. description: |-
  27288. The namespace of the Secret resource being referred to.
  27289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27290. maxLength: 63
  27291. minLength: 1
  27292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27293. type: string
  27294. type: object
  27295. path:
  27296. default: cert
  27297. description: |-
  27298. Path where the Certificate authentication backend is mounted
  27299. in Vault, e.g: "cert"
  27300. type: string
  27301. secretRef:
  27302. description: |-
  27303. SecretRef to a key in a Secret resource containing client private key to
  27304. authenticate with Vault using the Cert authentication method
  27305. properties:
  27306. key:
  27307. description: |-
  27308. A key in the referenced Secret.
  27309. Some instances of this field may be defaulted, in others it may be required.
  27310. maxLength: 253
  27311. minLength: 1
  27312. pattern: ^[-._a-zA-Z0-9]+$
  27313. type: string
  27314. name:
  27315. description: The name of the Secret resource being referred to.
  27316. maxLength: 253
  27317. minLength: 1
  27318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27319. type: string
  27320. namespace:
  27321. description: |-
  27322. The namespace of the Secret resource being referred to.
  27323. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27324. maxLength: 63
  27325. minLength: 1
  27326. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27327. type: string
  27328. type: object
  27329. vaultRole:
  27330. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27331. type: string
  27332. type: object
  27333. gcp:
  27334. description: |-
  27335. Gcp authenticates with Vault using Google Cloud Platform authentication method
  27336. GCP authentication method
  27337. properties:
  27338. location:
  27339. description: Location optionally defines a location/region for the secret
  27340. type: string
  27341. path:
  27342. default: gcp
  27343. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27344. type: string
  27345. projectID:
  27346. description: Project ID of the Google Cloud Platform project
  27347. type: string
  27348. role:
  27349. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27350. type: string
  27351. secretRef:
  27352. description: Specify credentials in a Secret object
  27353. properties:
  27354. secretAccessKeySecretRef:
  27355. description: The SecretAccessKey is used for authentication
  27356. properties:
  27357. key:
  27358. description: |-
  27359. A key in the referenced Secret.
  27360. Some instances of this field may be defaulted, in others it may be required.
  27361. maxLength: 253
  27362. minLength: 1
  27363. pattern: ^[-._a-zA-Z0-9]+$
  27364. type: string
  27365. name:
  27366. description: The name of the Secret resource being referred to.
  27367. maxLength: 253
  27368. minLength: 1
  27369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27370. type: string
  27371. namespace:
  27372. description: |-
  27373. The namespace of the Secret resource being referred to.
  27374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27375. maxLength: 63
  27376. minLength: 1
  27377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27378. type: string
  27379. type: object
  27380. type: object
  27381. serviceAccountRef:
  27382. description: ServiceAccountRef to a service account for impersonation
  27383. properties:
  27384. audiences:
  27385. description: |-
  27386. Audience specifies the `aud` claim for the service account token
  27387. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27388. then this audiences will be appended to the list
  27389. items:
  27390. type: string
  27391. type: array
  27392. name:
  27393. description: The name of the ServiceAccount resource being referred to.
  27394. maxLength: 253
  27395. minLength: 1
  27396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27397. type: string
  27398. namespace:
  27399. description: |-
  27400. Namespace of the resource being referred to.
  27401. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27402. maxLength: 63
  27403. minLength: 1
  27404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27405. type: string
  27406. required:
  27407. - name
  27408. type: object
  27409. workloadIdentity:
  27410. description: Specify a service account with Workload Identity
  27411. properties:
  27412. clusterLocation:
  27413. description: |-
  27414. ClusterLocation is the location of the cluster
  27415. If not specified, it fetches information from the metadata server
  27416. type: string
  27417. clusterName:
  27418. description: |-
  27419. ClusterName is the name of the cluster
  27420. If not specified, it fetches information from the metadata server
  27421. type: string
  27422. clusterProjectID:
  27423. description: |-
  27424. ClusterProjectID is the project ID of the cluster
  27425. If not specified, it fetches information from the metadata server
  27426. type: string
  27427. serviceAccountRef:
  27428. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27429. properties:
  27430. audiences:
  27431. description: |-
  27432. Audience specifies the `aud` claim for the service account token
  27433. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27434. then this audiences will be appended to the list
  27435. items:
  27436. type: string
  27437. type: array
  27438. name:
  27439. description: The name of the ServiceAccount resource being referred to.
  27440. maxLength: 253
  27441. minLength: 1
  27442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27443. type: string
  27444. namespace:
  27445. description: |-
  27446. Namespace of the resource being referred to.
  27447. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27448. maxLength: 63
  27449. minLength: 1
  27450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27451. type: string
  27452. required:
  27453. - name
  27454. type: object
  27455. required:
  27456. - serviceAccountRef
  27457. type: object
  27458. required:
  27459. - role
  27460. type: object
  27461. iam:
  27462. description: |-
  27463. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  27464. AWS IAM authentication method
  27465. properties:
  27466. externalID:
  27467. description: AWS External ID set on assumed IAM roles
  27468. type: string
  27469. jwt:
  27470. description: Specify a service account with IRSA enabled
  27471. properties:
  27472. serviceAccountRef:
  27473. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27474. properties:
  27475. audiences:
  27476. description: |-
  27477. Audience specifies the `aud` claim for the service account token
  27478. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27479. then this audiences will be appended to the list
  27480. items:
  27481. type: string
  27482. type: array
  27483. name:
  27484. description: The name of the ServiceAccount resource being referred to.
  27485. maxLength: 253
  27486. minLength: 1
  27487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27488. type: string
  27489. namespace:
  27490. description: |-
  27491. Namespace of the resource being referred to.
  27492. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27493. maxLength: 63
  27494. minLength: 1
  27495. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27496. type: string
  27497. required:
  27498. - name
  27499. type: object
  27500. type: object
  27501. path:
  27502. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  27503. type: string
  27504. region:
  27505. description: AWS region
  27506. type: string
  27507. role:
  27508. description: This is the AWS role to be assumed before talking to vault
  27509. type: string
  27510. secretRef:
  27511. description: Specify credentials in a Secret object
  27512. properties:
  27513. accessKeyIDSecretRef:
  27514. description: The AccessKeyID is used for authentication
  27515. properties:
  27516. key:
  27517. description: |-
  27518. A key in the referenced Secret.
  27519. Some instances of this field may be defaulted, in others it may be required.
  27520. maxLength: 253
  27521. minLength: 1
  27522. pattern: ^[-._a-zA-Z0-9]+$
  27523. type: string
  27524. name:
  27525. description: The name of the Secret resource being referred to.
  27526. maxLength: 253
  27527. minLength: 1
  27528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27529. type: string
  27530. namespace:
  27531. description: |-
  27532. The namespace of the Secret resource being referred to.
  27533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27534. maxLength: 63
  27535. minLength: 1
  27536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27537. type: string
  27538. type: object
  27539. secretAccessKeySecretRef:
  27540. description: The SecretAccessKey is used for authentication
  27541. properties:
  27542. key:
  27543. description: |-
  27544. A key in the referenced Secret.
  27545. Some instances of this field may be defaulted, in others it may be required.
  27546. maxLength: 253
  27547. minLength: 1
  27548. pattern: ^[-._a-zA-Z0-9]+$
  27549. type: string
  27550. name:
  27551. description: The name of the Secret resource being referred to.
  27552. maxLength: 253
  27553. minLength: 1
  27554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27555. type: string
  27556. namespace:
  27557. description: |-
  27558. The namespace of the Secret resource being referred to.
  27559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27560. maxLength: 63
  27561. minLength: 1
  27562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27563. type: string
  27564. type: object
  27565. sessionTokenSecretRef:
  27566. description: |-
  27567. The SessionToken used for authentication
  27568. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27569. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27570. properties:
  27571. key:
  27572. description: |-
  27573. A key in the referenced Secret.
  27574. Some instances of this field may be defaulted, in others it may be required.
  27575. maxLength: 253
  27576. minLength: 1
  27577. pattern: ^[-._a-zA-Z0-9]+$
  27578. type: string
  27579. name:
  27580. description: The name of the Secret resource being referred to.
  27581. maxLength: 253
  27582. minLength: 1
  27583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27584. type: string
  27585. namespace:
  27586. description: |-
  27587. The namespace of the Secret resource being referred to.
  27588. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27589. maxLength: 63
  27590. minLength: 1
  27591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27592. type: string
  27593. type: object
  27594. type: object
  27595. vaultAwsIamServerID:
  27596. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  27597. type: string
  27598. vaultRole:
  27599. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  27600. type: string
  27601. required:
  27602. - vaultRole
  27603. type: object
  27604. jwt:
  27605. description: |-
  27606. Jwt authenticates with Vault by passing role and JWT token using the
  27607. JWT/OIDC authentication method
  27608. properties:
  27609. kubernetesServiceAccountToken:
  27610. description: |-
  27611. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  27612. a token for with the `TokenRequest` API.
  27613. properties:
  27614. audiences:
  27615. description: |-
  27616. Optional audiences field that will be used to request a temporary Kubernetes service
  27617. account token for the service account referenced by `serviceAccountRef`.
  27618. Defaults to a single audience `vault` it not specified.
  27619. Deprecated: use serviceAccountRef.Audiences instead
  27620. items:
  27621. type: string
  27622. type: array
  27623. expirationSeconds:
  27624. description: |-
  27625. Optional expiration time in seconds that will be used to request a temporary
  27626. Kubernetes service account token for the service account referenced by
  27627. `serviceAccountRef`.
  27628. Deprecated: this will be removed in the future.
  27629. Defaults to 10 minutes.
  27630. format: int64
  27631. type: integer
  27632. serviceAccountRef:
  27633. description: Service account field containing the name of a kubernetes ServiceAccount.
  27634. properties:
  27635. audiences:
  27636. description: |-
  27637. Audience specifies the `aud` claim for the service account token
  27638. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27639. then this audiences will be appended to the list
  27640. items:
  27641. type: string
  27642. type: array
  27643. name:
  27644. description: The name of the ServiceAccount resource being referred to.
  27645. maxLength: 253
  27646. minLength: 1
  27647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27648. type: string
  27649. namespace:
  27650. description: |-
  27651. Namespace of the resource being referred to.
  27652. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27653. maxLength: 63
  27654. minLength: 1
  27655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27656. type: string
  27657. required:
  27658. - name
  27659. type: object
  27660. required:
  27661. - serviceAccountRef
  27662. type: object
  27663. path:
  27664. default: jwt
  27665. description: |-
  27666. Path where the JWT authentication backend is mounted
  27667. in Vault, e.g: "jwt"
  27668. type: string
  27669. role:
  27670. description: |-
  27671. Role is a JWT role to authenticate using the JWT/OIDC Vault
  27672. authentication method
  27673. type: string
  27674. secretRef:
  27675. description: |-
  27676. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  27677. authenticate with Vault using the JWT/OIDC authentication method.
  27678. properties:
  27679. key:
  27680. description: |-
  27681. A key in the referenced Secret.
  27682. Some instances of this field may be defaulted, in others it may be required.
  27683. maxLength: 253
  27684. minLength: 1
  27685. pattern: ^[-._a-zA-Z0-9]+$
  27686. type: string
  27687. name:
  27688. description: The name of the Secret resource being referred to.
  27689. maxLength: 253
  27690. minLength: 1
  27691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27692. type: string
  27693. namespace:
  27694. description: |-
  27695. The namespace of the Secret resource being referred to.
  27696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27697. maxLength: 63
  27698. minLength: 1
  27699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27700. type: string
  27701. type: object
  27702. required:
  27703. - path
  27704. type: object
  27705. kubernetes:
  27706. description: |-
  27707. Kubernetes authenticates with Vault by passing the ServiceAccount
  27708. token stored in the named Secret resource to the Vault server.
  27709. properties:
  27710. mountPath:
  27711. default: kubernetes
  27712. description: |-
  27713. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  27714. "kubernetes"
  27715. type: string
  27716. role:
  27717. description: |-
  27718. A required field containing the Vault Role to assume. A Role binds a
  27719. Kubernetes ServiceAccount with a set of Vault policies.
  27720. type: string
  27721. secretRef:
  27722. description: |-
  27723. Optional secret field containing a Kubernetes ServiceAccount JWT used
  27724. for authenticating with Vault. If a name is specified without a key,
  27725. `token` is the default. If one is not specified, the one bound to
  27726. the controller will be used.
  27727. properties:
  27728. key:
  27729. description: |-
  27730. A key in the referenced Secret.
  27731. Some instances of this field may be defaulted, in others it may be required.
  27732. maxLength: 253
  27733. minLength: 1
  27734. pattern: ^[-._a-zA-Z0-9]+$
  27735. type: string
  27736. name:
  27737. description: The name of the Secret resource being referred to.
  27738. maxLength: 253
  27739. minLength: 1
  27740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27741. type: string
  27742. namespace:
  27743. description: |-
  27744. The namespace of the Secret resource being referred to.
  27745. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27746. maxLength: 63
  27747. minLength: 1
  27748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27749. type: string
  27750. type: object
  27751. serviceAccountRef:
  27752. description: |-
  27753. Optional service account field containing the name of a kubernetes ServiceAccount.
  27754. If the service account is specified, the service account secret token JWT will be used
  27755. for authenticating with Vault. If the service account selector is not supplied,
  27756. the secretRef will be used instead.
  27757. properties:
  27758. audiences:
  27759. description: |-
  27760. Audience specifies the `aud` claim for the service account token
  27761. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27762. then this audiences will be appended to the list
  27763. items:
  27764. type: string
  27765. type: array
  27766. name:
  27767. description: The name of the ServiceAccount resource being referred to.
  27768. maxLength: 253
  27769. minLength: 1
  27770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27771. type: string
  27772. namespace:
  27773. description: |-
  27774. Namespace of the resource being referred to.
  27775. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27776. maxLength: 63
  27777. minLength: 1
  27778. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27779. type: string
  27780. required:
  27781. - name
  27782. type: object
  27783. required:
  27784. - mountPath
  27785. - role
  27786. type: object
  27787. ldap:
  27788. description: |-
  27789. Ldap authenticates with Vault by passing username/password pair using
  27790. the LDAP authentication method
  27791. properties:
  27792. path:
  27793. default: ldap
  27794. description: |-
  27795. Path where the LDAP authentication backend is mounted
  27796. in Vault, e.g: "ldap"
  27797. type: string
  27798. secretRef:
  27799. description: |-
  27800. SecretRef to a key in a Secret resource containing password for the LDAP
  27801. user used to authenticate with Vault using the LDAP authentication
  27802. method
  27803. properties:
  27804. key:
  27805. description: |-
  27806. A key in the referenced Secret.
  27807. Some instances of this field may be defaulted, in others it may be required.
  27808. maxLength: 253
  27809. minLength: 1
  27810. pattern: ^[-._a-zA-Z0-9]+$
  27811. type: string
  27812. name:
  27813. description: The name of the Secret resource being referred to.
  27814. maxLength: 253
  27815. minLength: 1
  27816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27817. type: string
  27818. namespace:
  27819. description: |-
  27820. The namespace of the Secret resource being referred to.
  27821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27822. maxLength: 63
  27823. minLength: 1
  27824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27825. type: string
  27826. type: object
  27827. username:
  27828. description: |-
  27829. Username is an LDAP username used to authenticate using the LDAP Vault
  27830. authentication method
  27831. type: string
  27832. required:
  27833. - path
  27834. - username
  27835. type: object
  27836. namespace:
  27837. description: |-
  27838. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  27839. Namespaces is a set of features within Vault Enterprise that allows
  27840. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27841. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27842. This will default to Vault.Namespace field if set, or empty otherwise
  27843. type: string
  27844. tokenSecretRef:
  27845. description: TokenSecretRef authenticates with Vault by presenting a token.
  27846. properties:
  27847. key:
  27848. description: |-
  27849. A key in the referenced Secret.
  27850. Some instances of this field may be defaulted, in others it may be required.
  27851. maxLength: 253
  27852. minLength: 1
  27853. pattern: ^[-._a-zA-Z0-9]+$
  27854. type: string
  27855. name:
  27856. description: The name of the Secret resource being referred to.
  27857. maxLength: 253
  27858. minLength: 1
  27859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27860. type: string
  27861. namespace:
  27862. description: |-
  27863. The namespace of the Secret resource being referred to.
  27864. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27865. maxLength: 63
  27866. minLength: 1
  27867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27868. type: string
  27869. type: object
  27870. userPass:
  27871. description: UserPass authenticates with Vault by passing username/password pair
  27872. properties:
  27873. path:
  27874. default: userpass
  27875. description: |-
  27876. Path where the UserPassword authentication backend is mounted
  27877. in Vault, e.g: "userpass"
  27878. type: string
  27879. secretRef:
  27880. description: |-
  27881. SecretRef to a key in a Secret resource containing password for the
  27882. user used to authenticate with Vault using the UserPass authentication
  27883. method
  27884. properties:
  27885. key:
  27886. description: |-
  27887. A key in the referenced Secret.
  27888. Some instances of this field may be defaulted, in others it may be required.
  27889. maxLength: 253
  27890. minLength: 1
  27891. pattern: ^[-._a-zA-Z0-9]+$
  27892. type: string
  27893. name:
  27894. description: The name of the Secret resource being referred to.
  27895. maxLength: 253
  27896. minLength: 1
  27897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27898. type: string
  27899. namespace:
  27900. description: |-
  27901. The namespace of the Secret resource being referred to.
  27902. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27903. maxLength: 63
  27904. minLength: 1
  27905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27906. type: string
  27907. type: object
  27908. username:
  27909. description: |-
  27910. Username is a username used to authenticate using the UserPass Vault
  27911. authentication method
  27912. type: string
  27913. required:
  27914. - path
  27915. - username
  27916. type: object
  27917. type: object
  27918. caBundle:
  27919. description: |-
  27920. PEM encoded CA bundle used to validate Vault server certificate. Only used
  27921. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27922. plain HTTP protocol connection. If not set the system root certificates
  27923. are used to validate the TLS connection.
  27924. format: byte
  27925. type: string
  27926. caProvider:
  27927. description: The provider for the CA bundle to use to validate Vault server certificate.
  27928. properties:
  27929. key:
  27930. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27931. maxLength: 253
  27932. minLength: 1
  27933. pattern: ^[-._a-zA-Z0-9]+$
  27934. type: string
  27935. name:
  27936. description: The name of the object located at the provider type.
  27937. maxLength: 253
  27938. minLength: 1
  27939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27940. type: string
  27941. namespace:
  27942. description: |-
  27943. The namespace the Provider type is in.
  27944. Can only be defined when used in a ClusterSecretStore.
  27945. maxLength: 63
  27946. minLength: 1
  27947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27948. type: string
  27949. type:
  27950. description: The type of provider to use such as "Secret", or "ConfigMap".
  27951. enum:
  27952. - Secret
  27953. - ConfigMap
  27954. type: string
  27955. required:
  27956. - name
  27957. - type
  27958. type: object
  27959. checkAndSet:
  27960. description: |-
  27961. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  27962. Only applies to Vault KV v2 stores. When enabled, write operations must include
  27963. the current version of the secret to prevent unintentional overwrites.
  27964. properties:
  27965. required:
  27966. description: |-
  27967. Required when true, all write operations must include a check-and-set parameter.
  27968. This helps prevent unintentional overwrites of secrets.
  27969. type: boolean
  27970. type: object
  27971. forwardInconsistent:
  27972. description: |-
  27973. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  27974. leader instead of simply retrying within a loop. This can increase performance if
  27975. the option is enabled serverside.
  27976. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  27977. type: boolean
  27978. headers:
  27979. additionalProperties:
  27980. type: string
  27981. description: Headers to be added in Vault request
  27982. type: object
  27983. namespace:
  27984. description: |-
  27985. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  27986. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27987. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27988. type: string
  27989. path:
  27990. description: |-
  27991. Path is the mount path of the Vault KV backend endpoint, e.g:
  27992. "secret". The v2 KV secret engine version specific "/data" path suffix
  27993. for fetching secrets from Vault is optional and will be appended
  27994. if not present in specified path.
  27995. type: string
  27996. readYourWrites:
  27997. description: |-
  27998. ReadYourWrites ensures isolated read-after-write semantics by
  27999. providing discovered cluster replication states in each request.
  28000. More information about eventual consistency in Vault can be found here
  28001. https://www.vaultproject.io/docs/enterprise/consistency
  28002. type: boolean
  28003. server:
  28004. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  28005. type: string
  28006. tls:
  28007. description: |-
  28008. The configuration used for client side related TLS communication, when the Vault server
  28009. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  28010. This parameter is ignored for plain HTTP protocol connection.
  28011. It's worth noting this configuration is different from the "TLS certificates auth method",
  28012. which is available under the `auth.cert` section.
  28013. properties:
  28014. certSecretRef:
  28015. description: |-
  28016. CertSecretRef is a certificate added to the transport layer
  28017. when communicating with the Vault server.
  28018. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  28019. properties:
  28020. key:
  28021. description: |-
  28022. A key in the referenced Secret.
  28023. Some instances of this field may be defaulted, in others it may be required.
  28024. maxLength: 253
  28025. minLength: 1
  28026. pattern: ^[-._a-zA-Z0-9]+$
  28027. type: string
  28028. name:
  28029. description: The name of the Secret resource being referred to.
  28030. maxLength: 253
  28031. minLength: 1
  28032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28033. type: string
  28034. namespace:
  28035. description: |-
  28036. The namespace of the Secret resource being referred to.
  28037. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28038. maxLength: 63
  28039. minLength: 1
  28040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28041. type: string
  28042. type: object
  28043. keySecretRef:
  28044. description: |-
  28045. KeySecretRef to a key in a Secret resource containing client private key
  28046. added to the transport layer when communicating with the Vault server.
  28047. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  28048. properties:
  28049. key:
  28050. description: |-
  28051. A key in the referenced Secret.
  28052. Some instances of this field may be defaulted, in others it may be required.
  28053. maxLength: 253
  28054. minLength: 1
  28055. pattern: ^[-._a-zA-Z0-9]+$
  28056. type: string
  28057. name:
  28058. description: The name of the Secret resource being referred to.
  28059. maxLength: 253
  28060. minLength: 1
  28061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28062. type: string
  28063. namespace:
  28064. description: |-
  28065. The namespace of the Secret resource being referred to.
  28066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28067. maxLength: 63
  28068. minLength: 1
  28069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28070. type: string
  28071. type: object
  28072. type: object
  28073. version:
  28074. default: v2
  28075. description: |-
  28076. Version is the Vault KV secret engine version. This can be either "v1" or
  28077. "v2". Version defaults to "v2".
  28078. enum:
  28079. - v1
  28080. - v2
  28081. type: string
  28082. required:
  28083. - server
  28084. type: object
  28085. resultType:
  28086. default: Data
  28087. description: |-
  28088. Result type defines which data is returned from the generator.
  28089. By default, it is the "data" section of the Vault API response.
  28090. When using e.g. /auth/token/create the "data" section is empty but
  28091. the "auth" section contains the generated token.
  28092. Please refer to the vault docs regarding the result data structure.
  28093. Additionally, accessing the raw response is possibly by using "Raw" result type.
  28094. enum:
  28095. - Data
  28096. - Auth
  28097. - Raw
  28098. type: string
  28099. retrySettings:
  28100. description: Used to configure http retries if failed
  28101. properties:
  28102. maxRetries:
  28103. format: int32
  28104. type: integer
  28105. retryInterval:
  28106. type: string
  28107. type: object
  28108. required:
  28109. - path
  28110. - provider
  28111. type: object
  28112. webhookSpec:
  28113. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  28114. properties:
  28115. auth:
  28116. description: Auth specifies a authorization protocol. Only one protocol may be set.
  28117. maxProperties: 1
  28118. minProperties: 1
  28119. properties:
  28120. ntlm:
  28121. description: NTLMProtocol configures the store to use NTLM for auth
  28122. properties:
  28123. passwordSecret:
  28124. description: |-
  28125. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28126. In some instances, `key` is a required field.
  28127. properties:
  28128. key:
  28129. description: |-
  28130. A key in the referenced Secret.
  28131. Some instances of this field may be defaulted, in others it may be required.
  28132. maxLength: 253
  28133. minLength: 1
  28134. pattern: ^[-._a-zA-Z0-9]+$
  28135. type: string
  28136. name:
  28137. description: The name of the Secret resource being referred to.
  28138. maxLength: 253
  28139. minLength: 1
  28140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28141. type: string
  28142. namespace:
  28143. description: |-
  28144. The namespace of the Secret resource being referred to.
  28145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28146. maxLength: 63
  28147. minLength: 1
  28148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28149. type: string
  28150. type: object
  28151. usernameSecret:
  28152. description: |-
  28153. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28154. In some instances, `key` is a required field.
  28155. properties:
  28156. key:
  28157. description: |-
  28158. A key in the referenced Secret.
  28159. Some instances of this field may be defaulted, in others it may be required.
  28160. maxLength: 253
  28161. minLength: 1
  28162. pattern: ^[-._a-zA-Z0-9]+$
  28163. type: string
  28164. name:
  28165. description: The name of the Secret resource being referred to.
  28166. maxLength: 253
  28167. minLength: 1
  28168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28169. type: string
  28170. namespace:
  28171. description: |-
  28172. The namespace of the Secret resource being referred to.
  28173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28174. maxLength: 63
  28175. minLength: 1
  28176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28177. type: string
  28178. type: object
  28179. required:
  28180. - passwordSecret
  28181. - usernameSecret
  28182. type: object
  28183. type: object
  28184. body:
  28185. description: Body
  28186. type: string
  28187. caBundle:
  28188. description: |-
  28189. PEM encoded CA bundle used to validate webhook server certificate. Only used
  28190. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28191. plain HTTP protocol connection. If not set the system root certificates
  28192. are used to validate the TLS connection.
  28193. format: byte
  28194. type: string
  28195. caProvider:
  28196. description: The provider for the CA bundle to use to validate webhook server certificate.
  28197. properties:
  28198. key:
  28199. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28200. maxLength: 253
  28201. minLength: 1
  28202. pattern: ^[-._a-zA-Z0-9]+$
  28203. type: string
  28204. name:
  28205. description: The name of the object located at the provider type.
  28206. maxLength: 253
  28207. minLength: 1
  28208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28209. type: string
  28210. namespace:
  28211. description: The namespace the Provider type is in.
  28212. maxLength: 63
  28213. minLength: 1
  28214. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28215. type: string
  28216. type:
  28217. description: The type of provider to use such as "Secret", or "ConfigMap".
  28218. enum:
  28219. - Secret
  28220. - ConfigMap
  28221. type: string
  28222. required:
  28223. - name
  28224. - type
  28225. type: object
  28226. headers:
  28227. additionalProperties:
  28228. type: string
  28229. description: Headers
  28230. type: object
  28231. method:
  28232. description: Webhook Method
  28233. type: string
  28234. result:
  28235. description: Result formatting
  28236. properties:
  28237. jsonPath:
  28238. description: Json path of return value
  28239. type: string
  28240. type: object
  28241. secrets:
  28242. description: |-
  28243. Secrets to fill in templates
  28244. These secrets will be passed to the templating function as key value pairs under the given name
  28245. items:
  28246. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28247. properties:
  28248. name:
  28249. description: Name of this secret in templates
  28250. type: string
  28251. secretRef:
  28252. description: Secret ref to fill in credentials
  28253. properties:
  28254. key:
  28255. description: The key where the token is found.
  28256. maxLength: 253
  28257. minLength: 1
  28258. pattern: ^[-._a-zA-Z0-9]+$
  28259. type: string
  28260. name:
  28261. description: The name of the Secret resource being referred to.
  28262. maxLength: 253
  28263. minLength: 1
  28264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28265. type: string
  28266. type: object
  28267. required:
  28268. - name
  28269. - secretRef
  28270. type: object
  28271. type: array
  28272. timeout:
  28273. description: Timeout
  28274. type: string
  28275. url:
  28276. description: Webhook url to call
  28277. type: string
  28278. required:
  28279. - result
  28280. - url
  28281. type: object
  28282. type: object
  28283. kind:
  28284. description: Kind the kind of this generator.
  28285. enum:
  28286. - ACRAccessToken
  28287. - BeyondtrustWorkloadCredentialsDynamicSecret
  28288. - CloudsmithAccessToken
  28289. - ECRAuthorizationToken
  28290. - Fake
  28291. - GCRAccessToken
  28292. - GithubAccessToken
  28293. - QuayAccessToken
  28294. - Password
  28295. - SSHKey
  28296. - STSSessionToken
  28297. - UUID
  28298. - VaultDynamicSecret
  28299. - Webhook
  28300. - Grafana
  28301. - MFA
  28302. type: string
  28303. required:
  28304. - generator
  28305. - kind
  28306. type: object
  28307. type: object
  28308. served: true
  28309. storage: true
  28310. subresources:
  28311. status: {}
  28312. ---
  28313. apiVersion: apiextensions.k8s.io/v1
  28314. kind: CustomResourceDefinition
  28315. metadata:
  28316. annotations:
  28317. controller-gen.kubebuilder.io/version: v0.19.0
  28318. labels:
  28319. external-secrets.io/component: controller
  28320. name: ecrauthorizationtokens.generators.external-secrets.io
  28321. spec:
  28322. group: generators.external-secrets.io
  28323. names:
  28324. categories:
  28325. - external-secrets
  28326. - external-secrets-generators
  28327. kind: ECRAuthorizationToken
  28328. listKind: ECRAuthorizationTokenList
  28329. plural: ecrauthorizationtokens
  28330. singular: ecrauthorizationtoken
  28331. scope: Namespaced
  28332. versions:
  28333. - name: v1alpha1
  28334. schema:
  28335. openAPIV3Schema:
  28336. description: |-
  28337. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28338. The authorization token is valid for 12 hours.
  28339. The authorizationToken returned is a base64 encoded string that can be decoded
  28340. and used in a docker login command to authenticate to a registry.
  28341. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28342. properties:
  28343. apiVersion:
  28344. description: |-
  28345. APIVersion defines the versioned schema of this representation of an object.
  28346. Servers should convert recognized schemas to the latest internal value, and
  28347. may reject unrecognized values.
  28348. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28349. type: string
  28350. kind:
  28351. description: |-
  28352. Kind is a string value representing the REST resource this object represents.
  28353. Servers may infer this from the endpoint the client submits requests to.
  28354. Cannot be updated.
  28355. In CamelCase.
  28356. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28357. type: string
  28358. metadata:
  28359. type: object
  28360. spec:
  28361. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28362. properties:
  28363. auth:
  28364. description: Auth defines how to authenticate with AWS
  28365. properties:
  28366. jwt:
  28367. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28368. properties:
  28369. serviceAccountRef:
  28370. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28371. properties:
  28372. audiences:
  28373. description: |-
  28374. Audience specifies the `aud` claim for the service account token
  28375. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28376. then this audiences will be appended to the list
  28377. items:
  28378. type: string
  28379. type: array
  28380. name:
  28381. description: The name of the ServiceAccount resource being referred to.
  28382. maxLength: 253
  28383. minLength: 1
  28384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28385. type: string
  28386. namespace:
  28387. description: |-
  28388. Namespace of the resource being referred to.
  28389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28390. maxLength: 63
  28391. minLength: 1
  28392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28393. type: string
  28394. required:
  28395. - name
  28396. type: object
  28397. type: object
  28398. secretRef:
  28399. description: |-
  28400. AWSAuthSecretRef holds secret references for AWS credentials
  28401. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28402. properties:
  28403. accessKeyIDSecretRef:
  28404. description: The AccessKeyID is used for authentication
  28405. properties:
  28406. key:
  28407. description: |-
  28408. A key in the referenced Secret.
  28409. Some instances of this field may be defaulted, in others it may be required.
  28410. maxLength: 253
  28411. minLength: 1
  28412. pattern: ^[-._a-zA-Z0-9]+$
  28413. type: string
  28414. name:
  28415. description: The name of the Secret resource being referred to.
  28416. maxLength: 253
  28417. minLength: 1
  28418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28419. type: string
  28420. namespace:
  28421. description: |-
  28422. The namespace of the Secret resource being referred to.
  28423. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28424. maxLength: 63
  28425. minLength: 1
  28426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28427. type: string
  28428. type: object
  28429. secretAccessKeySecretRef:
  28430. description: The SecretAccessKey is used for authentication
  28431. properties:
  28432. key:
  28433. description: |-
  28434. A key in the referenced Secret.
  28435. Some instances of this field may be defaulted, in others it may be required.
  28436. maxLength: 253
  28437. minLength: 1
  28438. pattern: ^[-._a-zA-Z0-9]+$
  28439. type: string
  28440. name:
  28441. description: The name of the Secret resource being referred to.
  28442. maxLength: 253
  28443. minLength: 1
  28444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28445. type: string
  28446. namespace:
  28447. description: |-
  28448. The namespace of the Secret resource being referred to.
  28449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28450. maxLength: 63
  28451. minLength: 1
  28452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28453. type: string
  28454. type: object
  28455. sessionTokenSecretRef:
  28456. description: |-
  28457. The SessionToken used for authentication
  28458. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28459. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28460. properties:
  28461. key:
  28462. description: |-
  28463. A key in the referenced Secret.
  28464. Some instances of this field may be defaulted, in others it may be required.
  28465. maxLength: 253
  28466. minLength: 1
  28467. pattern: ^[-._a-zA-Z0-9]+$
  28468. type: string
  28469. name:
  28470. description: The name of the Secret resource being referred to.
  28471. maxLength: 253
  28472. minLength: 1
  28473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28474. type: string
  28475. namespace:
  28476. description: |-
  28477. The namespace of the Secret resource being referred to.
  28478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28479. maxLength: 63
  28480. minLength: 1
  28481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28482. type: string
  28483. type: object
  28484. type: object
  28485. type: object
  28486. region:
  28487. description: Region specifies the region to operate in.
  28488. type: string
  28489. role:
  28490. description: |-
  28491. You can assume a role before making calls to the
  28492. desired AWS service.
  28493. type: string
  28494. scope:
  28495. description: |-
  28496. Scope specifies the ECR service scope.
  28497. Valid options are private and public.
  28498. type: string
  28499. required:
  28500. - region
  28501. type: object
  28502. type: object
  28503. served: true
  28504. storage: true
  28505. subresources:
  28506. status: {}
  28507. ---
  28508. apiVersion: apiextensions.k8s.io/v1
  28509. kind: CustomResourceDefinition
  28510. metadata:
  28511. annotations:
  28512. controller-gen.kubebuilder.io/version: v0.19.0
  28513. labels:
  28514. external-secrets.io/component: controller
  28515. name: fakes.generators.external-secrets.io
  28516. spec:
  28517. group: generators.external-secrets.io
  28518. names:
  28519. categories:
  28520. - external-secrets
  28521. - external-secrets-generators
  28522. kind: Fake
  28523. listKind: FakeList
  28524. plural: fakes
  28525. singular: fake
  28526. scope: Namespaced
  28527. versions:
  28528. - name: v1alpha1
  28529. schema:
  28530. openAPIV3Schema:
  28531. description: |-
  28532. Fake generator is used for testing. It lets you define
  28533. a static set of credentials that is always returned.
  28534. properties:
  28535. apiVersion:
  28536. description: |-
  28537. APIVersion defines the versioned schema of this representation of an object.
  28538. Servers should convert recognized schemas to the latest internal value, and
  28539. may reject unrecognized values.
  28540. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28541. type: string
  28542. kind:
  28543. description: |-
  28544. Kind is a string value representing the REST resource this object represents.
  28545. Servers may infer this from the endpoint the client submits requests to.
  28546. Cannot be updated.
  28547. In CamelCase.
  28548. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28549. type: string
  28550. metadata:
  28551. type: object
  28552. spec:
  28553. description: FakeSpec contains the static data.
  28554. properties:
  28555. controller:
  28556. description: |-
  28557. Used to select the correct ESO controller (think: ingress.ingressClassName)
  28558. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  28559. type: string
  28560. data:
  28561. additionalProperties:
  28562. type: string
  28563. description: |-
  28564. Data defines the static data returned
  28565. by this generator.
  28566. type: object
  28567. type: object
  28568. type: object
  28569. served: true
  28570. storage: true
  28571. subresources:
  28572. status: {}
  28573. ---
  28574. apiVersion: apiextensions.k8s.io/v1
  28575. kind: CustomResourceDefinition
  28576. metadata:
  28577. annotations:
  28578. controller-gen.kubebuilder.io/version: v0.19.0
  28579. labels:
  28580. external-secrets.io/component: controller
  28581. name: gcraccesstokens.generators.external-secrets.io
  28582. spec:
  28583. group: generators.external-secrets.io
  28584. names:
  28585. categories:
  28586. - external-secrets
  28587. - external-secrets-generators
  28588. kind: GCRAccessToken
  28589. listKind: GCRAccessTokenList
  28590. plural: gcraccesstokens
  28591. singular: gcraccesstoken
  28592. scope: Namespaced
  28593. versions:
  28594. - name: v1alpha1
  28595. schema:
  28596. openAPIV3Schema:
  28597. description: |-
  28598. GCRAccessToken generates an GCP access token
  28599. that can be used to authenticate with GCR.
  28600. properties:
  28601. apiVersion:
  28602. description: |-
  28603. APIVersion defines the versioned schema of this representation of an object.
  28604. Servers should convert recognized schemas to the latest internal value, and
  28605. may reject unrecognized values.
  28606. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28607. type: string
  28608. kind:
  28609. description: |-
  28610. Kind is a string value representing the REST resource this object represents.
  28611. Servers may infer this from the endpoint the client submits requests to.
  28612. Cannot be updated.
  28613. In CamelCase.
  28614. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28615. type: string
  28616. metadata:
  28617. type: object
  28618. spec:
  28619. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  28620. properties:
  28621. auth:
  28622. description: Auth defines the means for authenticating with GCP
  28623. properties:
  28624. secretRef:
  28625. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  28626. properties:
  28627. secretAccessKeySecretRef:
  28628. description: The SecretAccessKey is used for authentication
  28629. properties:
  28630. key:
  28631. description: |-
  28632. A key in the referenced Secret.
  28633. Some instances of this field may be defaulted, in others it may be required.
  28634. maxLength: 253
  28635. minLength: 1
  28636. pattern: ^[-._a-zA-Z0-9]+$
  28637. type: string
  28638. name:
  28639. description: The name of the Secret resource being referred to.
  28640. maxLength: 253
  28641. minLength: 1
  28642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28643. type: string
  28644. namespace:
  28645. description: |-
  28646. The namespace of the Secret resource being referred to.
  28647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28648. maxLength: 63
  28649. minLength: 1
  28650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28651. type: string
  28652. type: object
  28653. type: object
  28654. workloadIdentity:
  28655. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  28656. properties:
  28657. clusterLocation:
  28658. type: string
  28659. clusterName:
  28660. type: string
  28661. clusterProjectID:
  28662. type: string
  28663. serviceAccountRef:
  28664. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28665. properties:
  28666. audiences:
  28667. description: |-
  28668. Audience specifies the `aud` claim for the service account token
  28669. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28670. then this audiences will be appended to the list
  28671. items:
  28672. type: string
  28673. type: array
  28674. name:
  28675. description: The name of the ServiceAccount resource being referred to.
  28676. maxLength: 253
  28677. minLength: 1
  28678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28679. type: string
  28680. namespace:
  28681. description: |-
  28682. Namespace of the resource being referred to.
  28683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28684. maxLength: 63
  28685. minLength: 1
  28686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28687. type: string
  28688. required:
  28689. - name
  28690. type: object
  28691. required:
  28692. - clusterLocation
  28693. - clusterName
  28694. - serviceAccountRef
  28695. type: object
  28696. workloadIdentityFederation:
  28697. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  28698. properties:
  28699. audience:
  28700. description: |-
  28701. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  28702. If specified, Audience found in the external account credential config will be overridden with the configured value.
  28703. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  28704. type: string
  28705. awsSecurityCredentials:
  28706. description: |-
  28707. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  28708. when using the AWS metadata server is not an option.
  28709. properties:
  28710. awsCredentialsSecretRef:
  28711. description: |-
  28712. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  28713. Secret should be created with below names for keys
  28714. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  28715. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  28716. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  28717. properties:
  28718. name:
  28719. description: name of the secret.
  28720. maxLength: 253
  28721. minLength: 1
  28722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28723. type: string
  28724. namespace:
  28725. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  28726. maxLength: 63
  28727. minLength: 1
  28728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28729. type: string
  28730. required:
  28731. - name
  28732. type: object
  28733. region:
  28734. description: region is for configuring the AWS region to be used.
  28735. example: ap-south-1
  28736. maxLength: 50
  28737. minLength: 1
  28738. pattern: ^[a-z0-9-]+$
  28739. type: string
  28740. required:
  28741. - awsCredentialsSecretRef
  28742. - region
  28743. type: object
  28744. credConfig:
  28745. description: |-
  28746. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  28747. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  28748. serviceAccountRef must be used by providing operators service account details.
  28749. properties:
  28750. key:
  28751. description: key name holding the external account credential config.
  28752. maxLength: 253
  28753. minLength: 1
  28754. pattern: ^[-._a-zA-Z0-9]+$
  28755. type: string
  28756. name:
  28757. description: name of the configmap.
  28758. maxLength: 253
  28759. minLength: 1
  28760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28761. type: string
  28762. namespace:
  28763. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  28764. maxLength: 63
  28765. minLength: 1
  28766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28767. type: string
  28768. required:
  28769. - key
  28770. - name
  28771. type: object
  28772. externalTokenEndpoint:
  28773. description: |-
  28774. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  28775. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  28776. URL is having the expected value.
  28777. type: string
  28778. gcpServiceAccountEmail:
  28779. description: |-
  28780. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  28781. after Workload Identity Federation. Use this to grant access through the service account's
  28782. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  28783. service_account_impersonation_url in the external account JSON from credConfig;
  28784. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  28785. on that ServiceAccount.
  28786. example: my-gsa@my-project.iam.gserviceaccount.com
  28787. minLength: 1
  28788. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  28789. type: string
  28790. serviceAccountRef:
  28791. description: |-
  28792. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  28793. when Kubernetes is configured as provider in workload identity pool.
  28794. properties:
  28795. audiences:
  28796. description: |-
  28797. Audience specifies the `aud` claim for the service account token
  28798. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28799. then this audiences will be appended to the list
  28800. items:
  28801. type: string
  28802. type: array
  28803. name:
  28804. description: The name of the ServiceAccount resource being referred to.
  28805. maxLength: 253
  28806. minLength: 1
  28807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28808. type: string
  28809. namespace:
  28810. description: |-
  28811. Namespace of the resource being referred to.
  28812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28813. maxLength: 63
  28814. minLength: 1
  28815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28816. type: string
  28817. required:
  28818. - name
  28819. type: object
  28820. type: object
  28821. type: object
  28822. projectID:
  28823. description: ProjectID defines which project to use to authenticate with
  28824. type: string
  28825. required:
  28826. - auth
  28827. - projectID
  28828. type: object
  28829. type: object
  28830. served: true
  28831. storage: true
  28832. subresources:
  28833. status: {}
  28834. ---
  28835. apiVersion: apiextensions.k8s.io/v1
  28836. kind: CustomResourceDefinition
  28837. metadata:
  28838. annotations:
  28839. controller-gen.kubebuilder.io/version: v0.19.0
  28840. labels:
  28841. external-secrets.io/component: controller
  28842. name: generatorstates.generators.external-secrets.io
  28843. spec:
  28844. group: generators.external-secrets.io
  28845. names:
  28846. categories:
  28847. - external-secrets
  28848. - external-secrets-generators
  28849. kind: GeneratorState
  28850. listKind: GeneratorStateList
  28851. plural: generatorstates
  28852. shortNames:
  28853. - gs
  28854. singular: generatorstate
  28855. scope: Namespaced
  28856. versions:
  28857. - additionalPrinterColumns:
  28858. - jsonPath: .spec.garbageCollectionDeadline
  28859. name: GC Deadline
  28860. type: string
  28861. - jsonPath: .metadata.creationTimestamp
  28862. name: Age
  28863. type: date
  28864. name: v1alpha1
  28865. schema:
  28866. openAPIV3Schema:
  28867. description: GeneratorState represents the state created and managed by a generator resource.
  28868. properties:
  28869. apiVersion:
  28870. description: |-
  28871. APIVersion defines the versioned schema of this representation of an object.
  28872. Servers should convert recognized schemas to the latest internal value, and
  28873. may reject unrecognized values.
  28874. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28875. type: string
  28876. kind:
  28877. description: |-
  28878. Kind is a string value representing the REST resource this object represents.
  28879. Servers may infer this from the endpoint the client submits requests to.
  28880. Cannot be updated.
  28881. In CamelCase.
  28882. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28883. type: string
  28884. metadata:
  28885. type: object
  28886. spec:
  28887. description: GeneratorStateSpec defines the desired state of a generator state resource.
  28888. properties:
  28889. garbageCollectionDeadline:
  28890. description: |-
  28891. GarbageCollectionDeadline is the time after which the generator state
  28892. will be deleted.
  28893. It is set by the controller which creates the generator state and
  28894. can be set configured by the user.
  28895. If the garbage collection deadline is not set the generator state will not be deleted.
  28896. format: date-time
  28897. type: string
  28898. resource:
  28899. description: |-
  28900. Resource is the generator manifest that produced the state.
  28901. It is a snapshot of the generator manifest at the time the state was produced.
  28902. This manifest will be used to delete the resource. Any configuration that is referenced
  28903. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  28904. be blocked by a finalizer.
  28905. x-kubernetes-preserve-unknown-fields: true
  28906. state:
  28907. description: State is the state that was produced by the generator implementation.
  28908. x-kubernetes-preserve-unknown-fields: true
  28909. required:
  28910. - resource
  28911. - state
  28912. type: object
  28913. status:
  28914. description: GeneratorStateStatus defines the observed state of a generator state resource.
  28915. properties:
  28916. conditions:
  28917. items:
  28918. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  28919. properties:
  28920. lastTransitionTime:
  28921. format: date-time
  28922. type: string
  28923. message:
  28924. type: string
  28925. reason:
  28926. type: string
  28927. status:
  28928. type: string
  28929. type:
  28930. description: GeneratorStateConditionType represents the type of condition for a generator state.
  28931. type: string
  28932. required:
  28933. - status
  28934. - type
  28935. type: object
  28936. type: array
  28937. type: object
  28938. type: object
  28939. served: true
  28940. storage: true
  28941. subresources: {}
  28942. ---
  28943. apiVersion: apiextensions.k8s.io/v1
  28944. kind: CustomResourceDefinition
  28945. metadata:
  28946. annotations:
  28947. controller-gen.kubebuilder.io/version: v0.19.0
  28948. labels:
  28949. external-secrets.io/component: controller
  28950. name: githubaccesstokens.generators.external-secrets.io
  28951. spec:
  28952. group: generators.external-secrets.io
  28953. names:
  28954. categories:
  28955. - external-secrets
  28956. - external-secrets-generators
  28957. kind: GithubAccessToken
  28958. listKind: GithubAccessTokenList
  28959. plural: githubaccesstokens
  28960. singular: githubaccesstoken
  28961. scope: Namespaced
  28962. versions:
  28963. - name: v1alpha1
  28964. schema:
  28965. openAPIV3Schema:
  28966. description: GithubAccessToken generates ghs_ accessToken
  28967. properties:
  28968. apiVersion:
  28969. description: |-
  28970. APIVersion defines the versioned schema of this representation of an object.
  28971. Servers should convert recognized schemas to the latest internal value, and
  28972. may reject unrecognized values.
  28973. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28974. type: string
  28975. kind:
  28976. description: |-
  28977. Kind is a string value representing the REST resource this object represents.
  28978. Servers may infer this from the endpoint the client submits requests to.
  28979. Cannot be updated.
  28980. In CamelCase.
  28981. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28982. type: string
  28983. metadata:
  28984. type: object
  28985. spec:
  28986. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  28987. properties:
  28988. appID:
  28989. type: string
  28990. auth:
  28991. description: Auth configures how ESO authenticates with a Github instance.
  28992. properties:
  28993. privateKey:
  28994. description: GithubSecretRef references a secret containing GitHub credentials.
  28995. properties:
  28996. secretRef:
  28997. description: |-
  28998. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28999. In some instances, `key` is a required field.
  29000. properties:
  29001. key:
  29002. description: |-
  29003. A key in the referenced Secret.
  29004. Some instances of this field may be defaulted, in others it may be required.
  29005. maxLength: 253
  29006. minLength: 1
  29007. pattern: ^[-._a-zA-Z0-9]+$
  29008. type: string
  29009. name:
  29010. description: The name of the Secret resource being referred to.
  29011. maxLength: 253
  29012. minLength: 1
  29013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29014. type: string
  29015. namespace:
  29016. description: |-
  29017. The namespace of the Secret resource being referred to.
  29018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29019. maxLength: 63
  29020. minLength: 1
  29021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29022. type: string
  29023. type: object
  29024. required:
  29025. - secretRef
  29026. type: object
  29027. required:
  29028. - privateKey
  29029. type: object
  29030. installID:
  29031. type: string
  29032. permissions:
  29033. additionalProperties:
  29034. type: string
  29035. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  29036. type: object
  29037. repositories:
  29038. description: |-
  29039. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  29040. is installed to.
  29041. items:
  29042. type: string
  29043. type: array
  29044. url:
  29045. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  29046. type: string
  29047. required:
  29048. - appID
  29049. - auth
  29050. - installID
  29051. type: object
  29052. type: object
  29053. served: true
  29054. storage: true
  29055. subresources:
  29056. status: {}
  29057. ---
  29058. apiVersion: apiextensions.k8s.io/v1
  29059. kind: CustomResourceDefinition
  29060. metadata:
  29061. annotations:
  29062. controller-gen.kubebuilder.io/version: v0.19.0
  29063. labels:
  29064. external-secrets.io/component: controller
  29065. name: grafanas.generators.external-secrets.io
  29066. spec:
  29067. group: generators.external-secrets.io
  29068. names:
  29069. categories:
  29070. - external-secrets
  29071. - external-secrets-generators
  29072. kind: Grafana
  29073. listKind: GrafanaList
  29074. plural: grafanas
  29075. singular: grafana
  29076. scope: Namespaced
  29077. versions:
  29078. - name: v1alpha1
  29079. schema:
  29080. openAPIV3Schema:
  29081. description: Grafana represents a generator for Grafana service account tokens.
  29082. properties:
  29083. apiVersion:
  29084. description: |-
  29085. APIVersion defines the versioned schema of this representation of an object.
  29086. Servers should convert recognized schemas to the latest internal value, and
  29087. may reject unrecognized values.
  29088. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29089. type: string
  29090. kind:
  29091. description: |-
  29092. Kind is a string value representing the REST resource this object represents.
  29093. Servers may infer this from the endpoint the client submits requests to.
  29094. Cannot be updated.
  29095. In CamelCase.
  29096. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29097. type: string
  29098. metadata:
  29099. type: object
  29100. spec:
  29101. description: GrafanaSpec controls the behavior of the grafana generator.
  29102. properties:
  29103. auth:
  29104. description: |-
  29105. Auth is the authentication configuration to authenticate
  29106. against the Grafana instance.
  29107. properties:
  29108. basic:
  29109. description: |-
  29110. Basic auth credentials used to authenticate against the Grafana instance.
  29111. Note: you need a token which has elevated permissions to create service accounts.
  29112. See here for the documentation on basic roles offered by Grafana:
  29113. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29114. properties:
  29115. password:
  29116. description: A basic auth password used to authenticate against the Grafana instance.
  29117. properties:
  29118. key:
  29119. description: The key where the token is found.
  29120. maxLength: 253
  29121. minLength: 1
  29122. pattern: ^[-._a-zA-Z0-9]+$
  29123. type: string
  29124. name:
  29125. description: The name of the Secret resource being referred to.
  29126. maxLength: 253
  29127. minLength: 1
  29128. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29129. type: string
  29130. type: object
  29131. username:
  29132. description: A basic auth username used to authenticate against the Grafana instance.
  29133. type: string
  29134. required:
  29135. - password
  29136. - username
  29137. type: object
  29138. token:
  29139. description: |-
  29140. A service account token used to authenticate against the Grafana instance.
  29141. Note: you need a token which has elevated permissions to create service accounts.
  29142. See here for the documentation on basic roles offered by Grafana:
  29143. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29144. properties:
  29145. key:
  29146. description: The key where the token is found.
  29147. maxLength: 253
  29148. minLength: 1
  29149. pattern: ^[-._a-zA-Z0-9]+$
  29150. type: string
  29151. name:
  29152. description: The name of the Secret resource being referred to.
  29153. maxLength: 253
  29154. minLength: 1
  29155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29156. type: string
  29157. type: object
  29158. type: object
  29159. serviceAccount:
  29160. description: |-
  29161. ServiceAccount is the configuration for the service account that
  29162. is supposed to be generated by the generator.
  29163. properties:
  29164. name:
  29165. description: Name is the name of the service account that will be created by ESO.
  29166. type: string
  29167. role:
  29168. description: |-
  29169. Role is the role of the service account.
  29170. See here for the documentation on basic roles offered by Grafana:
  29171. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29172. type: string
  29173. required:
  29174. - name
  29175. - role
  29176. type: object
  29177. url:
  29178. description: URL is the URL of the Grafana instance.
  29179. type: string
  29180. required:
  29181. - auth
  29182. - serviceAccount
  29183. - url
  29184. type: object
  29185. type: object
  29186. served: true
  29187. storage: true
  29188. subresources:
  29189. status: {}
  29190. ---
  29191. apiVersion: apiextensions.k8s.io/v1
  29192. kind: CustomResourceDefinition
  29193. metadata:
  29194. annotations:
  29195. controller-gen.kubebuilder.io/version: v0.19.0
  29196. labels:
  29197. external-secrets.io/component: controller
  29198. name: mfas.generators.external-secrets.io
  29199. spec:
  29200. group: generators.external-secrets.io
  29201. names:
  29202. categories:
  29203. - external-secrets
  29204. - external-secrets-generators
  29205. kind: MFA
  29206. listKind: MFAList
  29207. plural: mfas
  29208. singular: mfa
  29209. scope: Namespaced
  29210. versions:
  29211. - name: v1alpha1
  29212. schema:
  29213. openAPIV3Schema:
  29214. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29215. properties:
  29216. apiVersion:
  29217. description: |-
  29218. APIVersion defines the versioned schema of this representation of an object.
  29219. Servers should convert recognized schemas to the latest internal value, and
  29220. may reject unrecognized values.
  29221. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29222. type: string
  29223. kind:
  29224. description: |-
  29225. Kind is a string value representing the REST resource this object represents.
  29226. Servers may infer this from the endpoint the client submits requests to.
  29227. Cannot be updated.
  29228. In CamelCase.
  29229. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29230. type: string
  29231. metadata:
  29232. type: object
  29233. spec:
  29234. description: MFASpec controls the behavior of the mfa generator.
  29235. properties:
  29236. algorithm:
  29237. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  29238. type: string
  29239. length:
  29240. description: Length defines the token length. Defaults to 6 characters.
  29241. type: integer
  29242. secret:
  29243. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  29244. properties:
  29245. key:
  29246. description: |-
  29247. A key in the referenced Secret.
  29248. Some instances of this field may be defaulted, in others it may be required.
  29249. maxLength: 253
  29250. minLength: 1
  29251. pattern: ^[-._a-zA-Z0-9]+$
  29252. type: string
  29253. name:
  29254. description: The name of the Secret resource being referred to.
  29255. maxLength: 253
  29256. minLength: 1
  29257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29258. type: string
  29259. namespace:
  29260. description: |-
  29261. The namespace of the Secret resource being referred to.
  29262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29263. maxLength: 63
  29264. minLength: 1
  29265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29266. type: string
  29267. type: object
  29268. timePeriod:
  29269. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  29270. type: integer
  29271. when:
  29272. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  29273. format: date-time
  29274. type: string
  29275. required:
  29276. - secret
  29277. type: object
  29278. type: object
  29279. served: true
  29280. storage: true
  29281. subresources:
  29282. status: {}
  29283. ---
  29284. apiVersion: apiextensions.k8s.io/v1
  29285. kind: CustomResourceDefinition
  29286. metadata:
  29287. annotations:
  29288. controller-gen.kubebuilder.io/version: v0.19.0
  29289. labels:
  29290. external-secrets.io/component: controller
  29291. name: passwords.generators.external-secrets.io
  29292. spec:
  29293. group: generators.external-secrets.io
  29294. names:
  29295. categories:
  29296. - external-secrets
  29297. - external-secrets-generators
  29298. kind: Password
  29299. listKind: PasswordList
  29300. plural: passwords
  29301. singular: password
  29302. scope: Namespaced
  29303. versions:
  29304. - name: v1alpha1
  29305. schema:
  29306. openAPIV3Schema:
  29307. description: |-
  29308. Password generates a random password based on the
  29309. configuration parameters in spec.
  29310. You can specify the length, characterset and other attributes.
  29311. properties:
  29312. apiVersion:
  29313. description: |-
  29314. APIVersion defines the versioned schema of this representation of an object.
  29315. Servers should convert recognized schemas to the latest internal value, and
  29316. may reject unrecognized values.
  29317. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29318. type: string
  29319. kind:
  29320. description: |-
  29321. Kind is a string value representing the REST resource this object represents.
  29322. Servers may infer this from the endpoint the client submits requests to.
  29323. Cannot be updated.
  29324. In CamelCase.
  29325. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29326. type: string
  29327. metadata:
  29328. type: object
  29329. spec:
  29330. description: PasswordSpec controls the behavior of the password generator.
  29331. properties:
  29332. allowRepeat:
  29333. default: false
  29334. description: set AllowRepeat to true to allow repeating characters.
  29335. type: boolean
  29336. digits:
  29337. description: |-
  29338. Digits specifies the number of digits in the generated
  29339. password. If omitted it defaults to 25% of the length of the password
  29340. type: integer
  29341. encoding:
  29342. default: raw
  29343. description: |-
  29344. Encoding specifies the encoding of the generated password.
  29345. Valid values are:
  29346. - "raw" (default): no encoding
  29347. - "base64": standard base64 encoding
  29348. - "base64url": base64url encoding
  29349. - "base32": base32 encoding
  29350. - "hex": hexadecimal encoding
  29351. enum:
  29352. - base64
  29353. - base64url
  29354. - base32
  29355. - hex
  29356. - raw
  29357. type: string
  29358. length:
  29359. default: 24
  29360. description: |-
  29361. Length of the password to be generated.
  29362. Defaults to 24
  29363. type: integer
  29364. noUpper:
  29365. default: false
  29366. description: Set NoUpper to disable uppercase characters
  29367. type: boolean
  29368. secretKeys:
  29369. description: |-
  29370. SecretKeys defines the keys that will be populated with generated passwords.
  29371. Defaults to "password" when not set.
  29372. items:
  29373. type: string
  29374. minItems: 1
  29375. type: array
  29376. symbolCharacters:
  29377. description: |-
  29378. SymbolCharacters specifies the special characters that should be used
  29379. in the generated password.
  29380. type: string
  29381. symbols:
  29382. description: |-
  29383. Symbols specifies the number of symbol characters in the generated
  29384. password. If omitted it defaults to 25% of the length of the password
  29385. type: integer
  29386. required:
  29387. - allowRepeat
  29388. - length
  29389. - noUpper
  29390. type: object
  29391. type: object
  29392. served: true
  29393. storage: true
  29394. subresources:
  29395. status: {}
  29396. ---
  29397. apiVersion: apiextensions.k8s.io/v1
  29398. kind: CustomResourceDefinition
  29399. metadata:
  29400. annotations:
  29401. controller-gen.kubebuilder.io/version: v0.19.0
  29402. labels:
  29403. external-secrets.io/component: controller
  29404. name: quayaccesstokens.generators.external-secrets.io
  29405. spec:
  29406. group: generators.external-secrets.io
  29407. names:
  29408. categories:
  29409. - external-secrets
  29410. - external-secrets-generators
  29411. kind: QuayAccessToken
  29412. listKind: QuayAccessTokenList
  29413. plural: quayaccesstokens
  29414. singular: quayaccesstoken
  29415. scope: Namespaced
  29416. versions:
  29417. - name: v1alpha1
  29418. schema:
  29419. openAPIV3Schema:
  29420. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  29421. properties:
  29422. apiVersion:
  29423. description: |-
  29424. APIVersion defines the versioned schema of this representation of an object.
  29425. Servers should convert recognized schemas to the latest internal value, and
  29426. may reject unrecognized values.
  29427. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29428. type: string
  29429. kind:
  29430. description: |-
  29431. Kind is a string value representing the REST resource this object represents.
  29432. Servers may infer this from the endpoint the client submits requests to.
  29433. Cannot be updated.
  29434. In CamelCase.
  29435. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29436. type: string
  29437. metadata:
  29438. type: object
  29439. spec:
  29440. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  29441. properties:
  29442. robotAccount:
  29443. description: Name of the robot account you are federating with
  29444. type: string
  29445. serviceAccountRef:
  29446. description: Name of the service account you are federating with
  29447. properties:
  29448. audiences:
  29449. description: |-
  29450. Audience specifies the `aud` claim for the service account token
  29451. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29452. then this audiences will be appended to the list
  29453. items:
  29454. type: string
  29455. type: array
  29456. name:
  29457. description: The name of the ServiceAccount resource being referred to.
  29458. maxLength: 253
  29459. minLength: 1
  29460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29461. type: string
  29462. namespace:
  29463. description: |-
  29464. Namespace of the resource being referred to.
  29465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29466. maxLength: 63
  29467. minLength: 1
  29468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29469. type: string
  29470. required:
  29471. - name
  29472. type: object
  29473. url:
  29474. description: URL configures the Quay instance URL. Defaults to quay.io.
  29475. type: string
  29476. required:
  29477. - robotAccount
  29478. - serviceAccountRef
  29479. type: object
  29480. type: object
  29481. served: true
  29482. storage: true
  29483. subresources:
  29484. status: {}
  29485. ---
  29486. apiVersion: apiextensions.k8s.io/v1
  29487. kind: CustomResourceDefinition
  29488. metadata:
  29489. annotations:
  29490. controller-gen.kubebuilder.io/version: v0.19.0
  29491. labels:
  29492. external-secrets.io/component: controller
  29493. name: sshkeys.generators.external-secrets.io
  29494. spec:
  29495. group: generators.external-secrets.io
  29496. names:
  29497. categories:
  29498. - external-secrets
  29499. - external-secrets-generators
  29500. kind: SSHKey
  29501. listKind: SSHKeyList
  29502. plural: sshkeys
  29503. singular: sshkey
  29504. scope: Namespaced
  29505. versions:
  29506. - name: v1alpha1
  29507. schema:
  29508. openAPIV3Schema:
  29509. description: SSHKey generates SSH key pairs.
  29510. properties:
  29511. apiVersion:
  29512. description: |-
  29513. APIVersion defines the versioned schema of this representation of an object.
  29514. Servers should convert recognized schemas to the latest internal value, and
  29515. may reject unrecognized values.
  29516. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29517. type: string
  29518. kind:
  29519. description: |-
  29520. Kind is a string value representing the REST resource this object represents.
  29521. Servers may infer this from the endpoint the client submits requests to.
  29522. Cannot be updated.
  29523. In CamelCase.
  29524. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29525. type: string
  29526. metadata:
  29527. type: object
  29528. spec:
  29529. description: SSHKeySpec controls the behavior of the ssh key generator.
  29530. properties:
  29531. comment:
  29532. description: Comment specifies an optional comment for the SSH key
  29533. type: string
  29534. keySize:
  29535. description: |-
  29536. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  29537. For RSA keys: 2048, 3072, 4096
  29538. For ECDSA keys: 256, 384, 521
  29539. Ignored for ed25519 keys
  29540. maximum: 8192
  29541. minimum: 256
  29542. type: integer
  29543. keyType:
  29544. default: rsa
  29545. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  29546. enum:
  29547. - rsa
  29548. - ecdsa
  29549. - ed25519
  29550. type: string
  29551. type: object
  29552. type: object
  29553. served: true
  29554. storage: true
  29555. subresources:
  29556. status: {}
  29557. ---
  29558. apiVersion: apiextensions.k8s.io/v1
  29559. kind: CustomResourceDefinition
  29560. metadata:
  29561. annotations:
  29562. controller-gen.kubebuilder.io/version: v0.19.0
  29563. labels:
  29564. external-secrets.io/component: controller
  29565. name: stssessiontokens.generators.external-secrets.io
  29566. spec:
  29567. group: generators.external-secrets.io
  29568. names:
  29569. categories:
  29570. - external-secrets
  29571. - external-secrets-generators
  29572. kind: STSSessionToken
  29573. listKind: STSSessionTokenList
  29574. plural: stssessiontokens
  29575. singular: stssessiontoken
  29576. scope: Namespaced
  29577. versions:
  29578. - name: v1alpha1
  29579. schema:
  29580. openAPIV3Schema:
  29581. description: |-
  29582. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  29583. The authorization token is valid for 12 hours.
  29584. The authorizationToken returned is a base64 encoded string that can be decoded.
  29585. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  29586. properties:
  29587. apiVersion:
  29588. description: |-
  29589. APIVersion defines the versioned schema of this representation of an object.
  29590. Servers should convert recognized schemas to the latest internal value, and
  29591. may reject unrecognized values.
  29592. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29593. type: string
  29594. kind:
  29595. description: |-
  29596. Kind is a string value representing the REST resource this object represents.
  29597. Servers may infer this from the endpoint the client submits requests to.
  29598. Cannot be updated.
  29599. In CamelCase.
  29600. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29601. type: string
  29602. metadata:
  29603. type: object
  29604. spec:
  29605. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  29606. properties:
  29607. auth:
  29608. description: Auth defines how to authenticate with AWS
  29609. properties:
  29610. jwt:
  29611. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  29612. properties:
  29613. serviceAccountRef:
  29614. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29615. properties:
  29616. audiences:
  29617. description: |-
  29618. Audience specifies the `aud` claim for the service account token
  29619. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29620. then this audiences will be appended to the list
  29621. items:
  29622. type: string
  29623. type: array
  29624. name:
  29625. description: The name of the ServiceAccount resource being referred to.
  29626. maxLength: 253
  29627. minLength: 1
  29628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29629. type: string
  29630. namespace:
  29631. description: |-
  29632. Namespace of the resource being referred to.
  29633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29634. maxLength: 63
  29635. minLength: 1
  29636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29637. type: string
  29638. required:
  29639. - name
  29640. type: object
  29641. type: object
  29642. secretRef:
  29643. description: |-
  29644. AWSAuthSecretRef holds secret references for AWS credentials
  29645. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  29646. properties:
  29647. accessKeyIDSecretRef:
  29648. description: The AccessKeyID is used for authentication
  29649. properties:
  29650. key:
  29651. description: |-
  29652. A key in the referenced Secret.
  29653. Some instances of this field may be defaulted, in others it may be required.
  29654. maxLength: 253
  29655. minLength: 1
  29656. pattern: ^[-._a-zA-Z0-9]+$
  29657. type: string
  29658. name:
  29659. description: The name of the Secret resource being referred to.
  29660. maxLength: 253
  29661. minLength: 1
  29662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29663. type: string
  29664. namespace:
  29665. description: |-
  29666. The namespace of the Secret resource being referred to.
  29667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29668. maxLength: 63
  29669. minLength: 1
  29670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29671. type: string
  29672. type: object
  29673. secretAccessKeySecretRef:
  29674. description: The SecretAccessKey is used for authentication
  29675. properties:
  29676. key:
  29677. description: |-
  29678. A key in the referenced Secret.
  29679. Some instances of this field may be defaulted, in others it may be required.
  29680. maxLength: 253
  29681. minLength: 1
  29682. pattern: ^[-._a-zA-Z0-9]+$
  29683. type: string
  29684. name:
  29685. description: The name of the Secret resource being referred to.
  29686. maxLength: 253
  29687. minLength: 1
  29688. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29689. type: string
  29690. namespace:
  29691. description: |-
  29692. The namespace of the Secret resource being referred to.
  29693. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29694. maxLength: 63
  29695. minLength: 1
  29696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29697. type: string
  29698. type: object
  29699. sessionTokenSecretRef:
  29700. description: |-
  29701. The SessionToken used for authentication
  29702. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  29703. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  29704. properties:
  29705. key:
  29706. description: |-
  29707. A key in the referenced Secret.
  29708. Some instances of this field may be defaulted, in others it may be required.
  29709. maxLength: 253
  29710. minLength: 1
  29711. pattern: ^[-._a-zA-Z0-9]+$
  29712. type: string
  29713. name:
  29714. description: The name of the Secret resource being referred to.
  29715. maxLength: 253
  29716. minLength: 1
  29717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29718. type: string
  29719. namespace:
  29720. description: |-
  29721. The namespace of the Secret resource being referred to.
  29722. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29723. maxLength: 63
  29724. minLength: 1
  29725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29726. type: string
  29727. type: object
  29728. type: object
  29729. type: object
  29730. region:
  29731. description: Region specifies the region to operate in.
  29732. type: string
  29733. requestParameters:
  29734. description: RequestParameters contains parameters that can be passed to the STS service.
  29735. properties:
  29736. serialNumber:
  29737. description: |-
  29738. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  29739. the GetSessionToken call.
  29740. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  29741. (such as arn:aws:iam::123456789012:mfa/user)
  29742. type: string
  29743. sessionDuration:
  29744. format: int32
  29745. type: integer
  29746. tokenCode:
  29747. description: TokenCode is the value provided by the MFA device, if MFA is required.
  29748. type: string
  29749. type: object
  29750. role:
  29751. description: |-
  29752. You can assume a role before making calls to the
  29753. desired AWS service.
  29754. type: string
  29755. required:
  29756. - region
  29757. type: object
  29758. type: object
  29759. served: true
  29760. storage: true
  29761. subresources:
  29762. status: {}
  29763. ---
  29764. apiVersion: apiextensions.k8s.io/v1
  29765. kind: CustomResourceDefinition
  29766. metadata:
  29767. annotations:
  29768. controller-gen.kubebuilder.io/version: v0.19.0
  29769. labels:
  29770. external-secrets.io/component: controller
  29771. name: uuids.generators.external-secrets.io
  29772. spec:
  29773. group: generators.external-secrets.io
  29774. names:
  29775. categories:
  29776. - external-secrets
  29777. - external-secrets-generators
  29778. kind: UUID
  29779. listKind: UUIDList
  29780. plural: uuids
  29781. singular: uuid
  29782. scope: Namespaced
  29783. versions:
  29784. - name: v1alpha1
  29785. schema:
  29786. openAPIV3Schema:
  29787. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  29788. properties:
  29789. apiVersion:
  29790. description: |-
  29791. APIVersion defines the versioned schema of this representation of an object.
  29792. Servers should convert recognized schemas to the latest internal value, and
  29793. may reject unrecognized values.
  29794. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29795. type: string
  29796. kind:
  29797. description: |-
  29798. Kind is a string value representing the REST resource this object represents.
  29799. Servers may infer this from the endpoint the client submits requests to.
  29800. Cannot be updated.
  29801. In CamelCase.
  29802. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29803. type: string
  29804. metadata:
  29805. type: object
  29806. spec:
  29807. description: UUIDSpec controls the behavior of the uuid generator.
  29808. type: object
  29809. type: object
  29810. served: true
  29811. storage: true
  29812. subresources:
  29813. status: {}
  29814. ---
  29815. apiVersion: apiextensions.k8s.io/v1
  29816. kind: CustomResourceDefinition
  29817. metadata:
  29818. annotations:
  29819. controller-gen.kubebuilder.io/version: v0.19.0
  29820. labels:
  29821. external-secrets.io/component: controller
  29822. name: vaultdynamicsecrets.generators.external-secrets.io
  29823. spec:
  29824. group: generators.external-secrets.io
  29825. names:
  29826. categories:
  29827. - external-secrets
  29828. - external-secrets-generators
  29829. kind: VaultDynamicSecret
  29830. listKind: VaultDynamicSecretList
  29831. plural: vaultdynamicsecrets
  29832. singular: vaultdynamicsecret
  29833. scope: Namespaced
  29834. versions:
  29835. - name: v1alpha1
  29836. schema:
  29837. openAPIV3Schema:
  29838. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  29839. properties:
  29840. apiVersion:
  29841. description: |-
  29842. APIVersion defines the versioned schema of this representation of an object.
  29843. Servers should convert recognized schemas to the latest internal value, and
  29844. may reject unrecognized values.
  29845. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29846. type: string
  29847. kind:
  29848. description: |-
  29849. Kind is a string value representing the REST resource this object represents.
  29850. Servers may infer this from the endpoint the client submits requests to.
  29851. Cannot be updated.
  29852. In CamelCase.
  29853. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29854. type: string
  29855. metadata:
  29856. type: object
  29857. spec:
  29858. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  29859. properties:
  29860. allowEmptyResponse:
  29861. default: false
  29862. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  29863. type: boolean
  29864. controller:
  29865. description: |-
  29866. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29867. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29868. type: string
  29869. getParameters:
  29870. additionalProperties:
  29871. items:
  29872. type: string
  29873. type: array
  29874. description: |-
  29875. GetParameters are query-string parameters passed to Vault on GET calls.
  29876. Each key may map to multiple values, matching HTTP query-string semantics.
  29877. Ignored for non-GET methods; use Parameters for write bodies.
  29878. type: object
  29879. method:
  29880. description: Vault API method to use (GET/POST/other)
  29881. type: string
  29882. parameters:
  29883. description: Parameters to pass to Vault write (for non-GET methods)
  29884. x-kubernetes-preserve-unknown-fields: true
  29885. path:
  29886. description: Vault path to obtain the dynamic secret from
  29887. type: string
  29888. provider:
  29889. description: Vault provider common spec
  29890. properties:
  29891. auth:
  29892. description: Auth configures how secret-manager authenticates with the Vault server.
  29893. properties:
  29894. appRole:
  29895. description: |-
  29896. AppRole authenticates with Vault using the App Role auth mechanism,
  29897. with the role and secret stored in a Kubernetes Secret resource.
  29898. properties:
  29899. path:
  29900. default: approle
  29901. description: |-
  29902. Path where the App Role authentication backend is mounted
  29903. in Vault, e.g: "approle"
  29904. type: string
  29905. roleId:
  29906. description: |-
  29907. RoleID configured in the App Role authentication backend when setting
  29908. up the authentication backend in Vault.
  29909. type: string
  29910. roleRef:
  29911. description: |-
  29912. Reference to a key in a Secret that contains the App Role ID used
  29913. to authenticate with Vault.
  29914. The `key` field must be specified and denotes which entry within the Secret
  29915. resource is used as the app role id.
  29916. properties:
  29917. key:
  29918. description: |-
  29919. A key in the referenced Secret.
  29920. Some instances of this field may be defaulted, in others it may be required.
  29921. maxLength: 253
  29922. minLength: 1
  29923. pattern: ^[-._a-zA-Z0-9]+$
  29924. type: string
  29925. name:
  29926. description: The name of the Secret resource being referred to.
  29927. maxLength: 253
  29928. minLength: 1
  29929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29930. type: string
  29931. namespace:
  29932. description: |-
  29933. The namespace of the Secret resource being referred to.
  29934. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29935. maxLength: 63
  29936. minLength: 1
  29937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29938. type: string
  29939. type: object
  29940. secretRef:
  29941. description: |-
  29942. Reference to a key in a Secret that contains the App Role secret used
  29943. to authenticate with Vault.
  29944. The `key` field must be specified and denotes which entry within the Secret
  29945. resource is used as the app role secret.
  29946. properties:
  29947. key:
  29948. description: |-
  29949. A key in the referenced Secret.
  29950. Some instances of this field may be defaulted, in others it may be required.
  29951. maxLength: 253
  29952. minLength: 1
  29953. pattern: ^[-._a-zA-Z0-9]+$
  29954. type: string
  29955. name:
  29956. description: The name of the Secret resource being referred to.
  29957. maxLength: 253
  29958. minLength: 1
  29959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29960. type: string
  29961. namespace:
  29962. description: |-
  29963. The namespace of the Secret resource being referred to.
  29964. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29965. maxLength: 63
  29966. minLength: 1
  29967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29968. type: string
  29969. type: object
  29970. required:
  29971. - path
  29972. - secretRef
  29973. type: object
  29974. cert:
  29975. description: |-
  29976. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  29977. Cert authentication method
  29978. properties:
  29979. clientCert:
  29980. description: |-
  29981. ClientCert is a certificate to authenticate using the Cert Vault
  29982. authentication method
  29983. properties:
  29984. key:
  29985. description: |-
  29986. A key in the referenced Secret.
  29987. Some instances of this field may be defaulted, in others it may be required.
  29988. maxLength: 253
  29989. minLength: 1
  29990. pattern: ^[-._a-zA-Z0-9]+$
  29991. type: string
  29992. name:
  29993. description: The name of the Secret resource being referred to.
  29994. maxLength: 253
  29995. minLength: 1
  29996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29997. type: string
  29998. namespace:
  29999. description: |-
  30000. The namespace of the Secret resource being referred to.
  30001. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30002. maxLength: 63
  30003. minLength: 1
  30004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30005. type: string
  30006. type: object
  30007. path:
  30008. default: cert
  30009. description: |-
  30010. Path where the Certificate authentication backend is mounted
  30011. in Vault, e.g: "cert"
  30012. type: string
  30013. secretRef:
  30014. description: |-
  30015. SecretRef to a key in a Secret resource containing client private key to
  30016. authenticate with Vault using the Cert authentication method
  30017. properties:
  30018. key:
  30019. description: |-
  30020. A key in the referenced Secret.
  30021. Some instances of this field may be defaulted, in others it may be required.
  30022. maxLength: 253
  30023. minLength: 1
  30024. pattern: ^[-._a-zA-Z0-9]+$
  30025. type: string
  30026. name:
  30027. description: The name of the Secret resource being referred to.
  30028. maxLength: 253
  30029. minLength: 1
  30030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30031. type: string
  30032. namespace:
  30033. description: |-
  30034. The namespace of the Secret resource being referred to.
  30035. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30036. maxLength: 63
  30037. minLength: 1
  30038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30039. type: string
  30040. type: object
  30041. vaultRole:
  30042. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  30043. type: string
  30044. type: object
  30045. gcp:
  30046. description: |-
  30047. Gcp authenticates with Vault using Google Cloud Platform authentication method
  30048. GCP authentication method
  30049. properties:
  30050. location:
  30051. description: Location optionally defines a location/region for the secret
  30052. type: string
  30053. path:
  30054. default: gcp
  30055. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  30056. type: string
  30057. projectID:
  30058. description: Project ID of the Google Cloud Platform project
  30059. type: string
  30060. role:
  30061. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30062. type: string
  30063. secretRef:
  30064. description: Specify credentials in a Secret object
  30065. properties:
  30066. secretAccessKeySecretRef:
  30067. description: The SecretAccessKey is used for authentication
  30068. properties:
  30069. key:
  30070. description: |-
  30071. A key in the referenced Secret.
  30072. Some instances of this field may be defaulted, in others it may be required.
  30073. maxLength: 253
  30074. minLength: 1
  30075. pattern: ^[-._a-zA-Z0-9]+$
  30076. type: string
  30077. name:
  30078. description: The name of the Secret resource being referred to.
  30079. maxLength: 253
  30080. minLength: 1
  30081. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30082. type: string
  30083. namespace:
  30084. description: |-
  30085. The namespace of the Secret resource being referred to.
  30086. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30087. maxLength: 63
  30088. minLength: 1
  30089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30090. type: string
  30091. type: object
  30092. type: object
  30093. serviceAccountRef:
  30094. description: ServiceAccountRef to a service account for impersonation
  30095. properties:
  30096. audiences:
  30097. description: |-
  30098. Audience specifies the `aud` claim for the service account token
  30099. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30100. then this audiences will be appended to the list
  30101. items:
  30102. type: string
  30103. type: array
  30104. name:
  30105. description: The name of the ServiceAccount resource being referred to.
  30106. maxLength: 253
  30107. minLength: 1
  30108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30109. type: string
  30110. namespace:
  30111. description: |-
  30112. Namespace of the resource being referred to.
  30113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30114. maxLength: 63
  30115. minLength: 1
  30116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30117. type: string
  30118. required:
  30119. - name
  30120. type: object
  30121. workloadIdentity:
  30122. description: Specify a service account with Workload Identity
  30123. properties:
  30124. clusterLocation:
  30125. description: |-
  30126. ClusterLocation is the location of the cluster
  30127. If not specified, it fetches information from the metadata server
  30128. type: string
  30129. clusterName:
  30130. description: |-
  30131. ClusterName is the name of the cluster
  30132. If not specified, it fetches information from the metadata server
  30133. type: string
  30134. clusterProjectID:
  30135. description: |-
  30136. ClusterProjectID is the project ID of the cluster
  30137. If not specified, it fetches information from the metadata server
  30138. type: string
  30139. serviceAccountRef:
  30140. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30141. properties:
  30142. audiences:
  30143. description: |-
  30144. Audience specifies the `aud` claim for the service account token
  30145. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30146. then this audiences will be appended to the list
  30147. items:
  30148. type: string
  30149. type: array
  30150. name:
  30151. description: The name of the ServiceAccount resource being referred to.
  30152. maxLength: 253
  30153. minLength: 1
  30154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30155. type: string
  30156. namespace:
  30157. description: |-
  30158. Namespace of the resource being referred to.
  30159. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30160. maxLength: 63
  30161. minLength: 1
  30162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30163. type: string
  30164. required:
  30165. - name
  30166. type: object
  30167. required:
  30168. - serviceAccountRef
  30169. type: object
  30170. required:
  30171. - role
  30172. type: object
  30173. iam:
  30174. description: |-
  30175. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  30176. AWS IAM authentication method
  30177. properties:
  30178. externalID:
  30179. description: AWS External ID set on assumed IAM roles
  30180. type: string
  30181. jwt:
  30182. description: Specify a service account with IRSA enabled
  30183. properties:
  30184. serviceAccountRef:
  30185. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30186. properties:
  30187. audiences:
  30188. description: |-
  30189. Audience specifies the `aud` claim for the service account token
  30190. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30191. then this audiences will be appended to the list
  30192. items:
  30193. type: string
  30194. type: array
  30195. name:
  30196. description: The name of the ServiceAccount resource being referred to.
  30197. maxLength: 253
  30198. minLength: 1
  30199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30200. type: string
  30201. namespace:
  30202. description: |-
  30203. Namespace of the resource being referred to.
  30204. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30205. maxLength: 63
  30206. minLength: 1
  30207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30208. type: string
  30209. required:
  30210. - name
  30211. type: object
  30212. type: object
  30213. path:
  30214. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30215. type: string
  30216. region:
  30217. description: AWS region
  30218. type: string
  30219. role:
  30220. description: This is the AWS role to be assumed before talking to vault
  30221. type: string
  30222. secretRef:
  30223. description: Specify credentials in a Secret object
  30224. properties:
  30225. accessKeyIDSecretRef:
  30226. description: The AccessKeyID is used for authentication
  30227. properties:
  30228. key:
  30229. description: |-
  30230. A key in the referenced Secret.
  30231. Some instances of this field may be defaulted, in others it may be required.
  30232. maxLength: 253
  30233. minLength: 1
  30234. pattern: ^[-._a-zA-Z0-9]+$
  30235. type: string
  30236. name:
  30237. description: The name of the Secret resource being referred to.
  30238. maxLength: 253
  30239. minLength: 1
  30240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30241. type: string
  30242. namespace:
  30243. description: |-
  30244. The namespace of the Secret resource being referred to.
  30245. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30246. maxLength: 63
  30247. minLength: 1
  30248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30249. type: string
  30250. type: object
  30251. secretAccessKeySecretRef:
  30252. description: The SecretAccessKey is used for authentication
  30253. properties:
  30254. key:
  30255. description: |-
  30256. A key in the referenced Secret.
  30257. Some instances of this field may be defaulted, in others it may be required.
  30258. maxLength: 253
  30259. minLength: 1
  30260. pattern: ^[-._a-zA-Z0-9]+$
  30261. type: string
  30262. name:
  30263. description: The name of the Secret resource being referred to.
  30264. maxLength: 253
  30265. minLength: 1
  30266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30267. type: string
  30268. namespace:
  30269. description: |-
  30270. The namespace of the Secret resource being referred to.
  30271. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30272. maxLength: 63
  30273. minLength: 1
  30274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30275. type: string
  30276. type: object
  30277. sessionTokenSecretRef:
  30278. description: |-
  30279. The SessionToken used for authentication
  30280. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30281. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30282. properties:
  30283. key:
  30284. description: |-
  30285. A key in the referenced Secret.
  30286. Some instances of this field may be defaulted, in others it may be required.
  30287. maxLength: 253
  30288. minLength: 1
  30289. pattern: ^[-._a-zA-Z0-9]+$
  30290. type: string
  30291. name:
  30292. description: The name of the Secret resource being referred to.
  30293. maxLength: 253
  30294. minLength: 1
  30295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30296. type: string
  30297. namespace:
  30298. description: |-
  30299. The namespace of the Secret resource being referred to.
  30300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30301. maxLength: 63
  30302. minLength: 1
  30303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30304. type: string
  30305. type: object
  30306. type: object
  30307. vaultAwsIamServerID:
  30308. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30309. type: string
  30310. vaultRole:
  30311. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  30312. type: string
  30313. required:
  30314. - vaultRole
  30315. type: object
  30316. jwt:
  30317. description: |-
  30318. Jwt authenticates with Vault by passing role and JWT token using the
  30319. JWT/OIDC authentication method
  30320. properties:
  30321. kubernetesServiceAccountToken:
  30322. description: |-
  30323. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30324. a token for with the `TokenRequest` API.
  30325. properties:
  30326. audiences:
  30327. description: |-
  30328. Optional audiences field that will be used to request a temporary Kubernetes service
  30329. account token for the service account referenced by `serviceAccountRef`.
  30330. Defaults to a single audience `vault` it not specified.
  30331. Deprecated: use serviceAccountRef.Audiences instead
  30332. items:
  30333. type: string
  30334. type: array
  30335. expirationSeconds:
  30336. description: |-
  30337. Optional expiration time in seconds that will be used to request a temporary
  30338. Kubernetes service account token for the service account referenced by
  30339. `serviceAccountRef`.
  30340. Deprecated: this will be removed in the future.
  30341. Defaults to 10 minutes.
  30342. format: int64
  30343. type: integer
  30344. serviceAccountRef:
  30345. description: Service account field containing the name of a kubernetes ServiceAccount.
  30346. properties:
  30347. audiences:
  30348. description: |-
  30349. Audience specifies the `aud` claim for the service account token
  30350. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30351. then this audiences will be appended to the list
  30352. items:
  30353. type: string
  30354. type: array
  30355. name:
  30356. description: The name of the ServiceAccount resource being referred to.
  30357. maxLength: 253
  30358. minLength: 1
  30359. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30360. type: string
  30361. namespace:
  30362. description: |-
  30363. Namespace of the resource being referred to.
  30364. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30365. maxLength: 63
  30366. minLength: 1
  30367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30368. type: string
  30369. required:
  30370. - name
  30371. type: object
  30372. required:
  30373. - serviceAccountRef
  30374. type: object
  30375. path:
  30376. default: jwt
  30377. description: |-
  30378. Path where the JWT authentication backend is mounted
  30379. in Vault, e.g: "jwt"
  30380. type: string
  30381. role:
  30382. description: |-
  30383. Role is a JWT role to authenticate using the JWT/OIDC Vault
  30384. authentication method
  30385. type: string
  30386. secretRef:
  30387. description: |-
  30388. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  30389. authenticate with Vault using the JWT/OIDC authentication method.
  30390. properties:
  30391. key:
  30392. description: |-
  30393. A key in the referenced Secret.
  30394. Some instances of this field may be defaulted, in others it may be required.
  30395. maxLength: 253
  30396. minLength: 1
  30397. pattern: ^[-._a-zA-Z0-9]+$
  30398. type: string
  30399. name:
  30400. description: The name of the Secret resource being referred to.
  30401. maxLength: 253
  30402. minLength: 1
  30403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30404. type: string
  30405. namespace:
  30406. description: |-
  30407. The namespace of the Secret resource being referred to.
  30408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30409. maxLength: 63
  30410. minLength: 1
  30411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30412. type: string
  30413. type: object
  30414. required:
  30415. - path
  30416. type: object
  30417. kubernetes:
  30418. description: |-
  30419. Kubernetes authenticates with Vault by passing the ServiceAccount
  30420. token stored in the named Secret resource to the Vault server.
  30421. properties:
  30422. mountPath:
  30423. default: kubernetes
  30424. description: |-
  30425. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  30426. "kubernetes"
  30427. type: string
  30428. role:
  30429. description: |-
  30430. A required field containing the Vault Role to assume. A Role binds a
  30431. Kubernetes ServiceAccount with a set of Vault policies.
  30432. type: string
  30433. secretRef:
  30434. description: |-
  30435. Optional secret field containing a Kubernetes ServiceAccount JWT used
  30436. for authenticating with Vault. If a name is specified without a key,
  30437. `token` is the default. If one is not specified, the one bound to
  30438. the controller will be used.
  30439. properties:
  30440. key:
  30441. description: |-
  30442. A key in the referenced Secret.
  30443. Some instances of this field may be defaulted, in others it may be required.
  30444. maxLength: 253
  30445. minLength: 1
  30446. pattern: ^[-._a-zA-Z0-9]+$
  30447. type: string
  30448. name:
  30449. description: The name of the Secret resource being referred to.
  30450. maxLength: 253
  30451. minLength: 1
  30452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30453. type: string
  30454. namespace:
  30455. description: |-
  30456. The namespace of the Secret resource being referred to.
  30457. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30458. maxLength: 63
  30459. minLength: 1
  30460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30461. type: string
  30462. type: object
  30463. serviceAccountRef:
  30464. description: |-
  30465. Optional service account field containing the name of a kubernetes ServiceAccount.
  30466. If the service account is specified, the service account secret token JWT will be used
  30467. for authenticating with Vault. If the service account selector is not supplied,
  30468. the secretRef will be used instead.
  30469. properties:
  30470. audiences:
  30471. description: |-
  30472. Audience specifies the `aud` claim for the service account token
  30473. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30474. then this audiences will be appended to the list
  30475. items:
  30476. type: string
  30477. type: array
  30478. name:
  30479. description: The name of the ServiceAccount resource being referred to.
  30480. maxLength: 253
  30481. minLength: 1
  30482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30483. type: string
  30484. namespace:
  30485. description: |-
  30486. Namespace of the resource being referred to.
  30487. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30488. maxLength: 63
  30489. minLength: 1
  30490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30491. type: string
  30492. required:
  30493. - name
  30494. type: object
  30495. required:
  30496. - mountPath
  30497. - role
  30498. type: object
  30499. ldap:
  30500. description: |-
  30501. Ldap authenticates with Vault by passing username/password pair using
  30502. the LDAP authentication method
  30503. properties:
  30504. path:
  30505. default: ldap
  30506. description: |-
  30507. Path where the LDAP authentication backend is mounted
  30508. in Vault, e.g: "ldap"
  30509. type: string
  30510. secretRef:
  30511. description: |-
  30512. SecretRef to a key in a Secret resource containing password for the LDAP
  30513. user used to authenticate with Vault using the LDAP authentication
  30514. method
  30515. properties:
  30516. key:
  30517. description: |-
  30518. A key in the referenced Secret.
  30519. Some instances of this field may be defaulted, in others it may be required.
  30520. maxLength: 253
  30521. minLength: 1
  30522. pattern: ^[-._a-zA-Z0-9]+$
  30523. type: string
  30524. name:
  30525. description: The name of the Secret resource being referred to.
  30526. maxLength: 253
  30527. minLength: 1
  30528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30529. type: string
  30530. namespace:
  30531. description: |-
  30532. The namespace of the Secret resource being referred to.
  30533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30534. maxLength: 63
  30535. minLength: 1
  30536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30537. type: string
  30538. type: object
  30539. username:
  30540. description: |-
  30541. Username is an LDAP username used to authenticate using the LDAP Vault
  30542. authentication method
  30543. type: string
  30544. required:
  30545. - path
  30546. - username
  30547. type: object
  30548. namespace:
  30549. description: |-
  30550. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  30551. Namespaces is a set of features within Vault Enterprise that allows
  30552. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30553. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30554. This will default to Vault.Namespace field if set, or empty otherwise
  30555. type: string
  30556. tokenSecretRef:
  30557. description: TokenSecretRef authenticates with Vault by presenting a token.
  30558. properties:
  30559. key:
  30560. description: |-
  30561. A key in the referenced Secret.
  30562. Some instances of this field may be defaulted, in others it may be required.
  30563. maxLength: 253
  30564. minLength: 1
  30565. pattern: ^[-._a-zA-Z0-9]+$
  30566. type: string
  30567. name:
  30568. description: The name of the Secret resource being referred to.
  30569. maxLength: 253
  30570. minLength: 1
  30571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30572. type: string
  30573. namespace:
  30574. description: |-
  30575. The namespace of the Secret resource being referred to.
  30576. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30577. maxLength: 63
  30578. minLength: 1
  30579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30580. type: string
  30581. type: object
  30582. userPass:
  30583. description: UserPass authenticates with Vault by passing username/password pair
  30584. properties:
  30585. path:
  30586. default: userpass
  30587. description: |-
  30588. Path where the UserPassword authentication backend is mounted
  30589. in Vault, e.g: "userpass"
  30590. type: string
  30591. secretRef:
  30592. description: |-
  30593. SecretRef to a key in a Secret resource containing password for the
  30594. user used to authenticate with Vault using the UserPass authentication
  30595. method
  30596. properties:
  30597. key:
  30598. description: |-
  30599. A key in the referenced Secret.
  30600. Some instances of this field may be defaulted, in others it may be required.
  30601. maxLength: 253
  30602. minLength: 1
  30603. pattern: ^[-._a-zA-Z0-9]+$
  30604. type: string
  30605. name:
  30606. description: The name of the Secret resource being referred to.
  30607. maxLength: 253
  30608. minLength: 1
  30609. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30610. type: string
  30611. namespace:
  30612. description: |-
  30613. The namespace of the Secret resource being referred to.
  30614. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30615. maxLength: 63
  30616. minLength: 1
  30617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30618. type: string
  30619. type: object
  30620. username:
  30621. description: |-
  30622. Username is a username used to authenticate using the UserPass Vault
  30623. authentication method
  30624. type: string
  30625. required:
  30626. - path
  30627. - username
  30628. type: object
  30629. type: object
  30630. caBundle:
  30631. description: |-
  30632. PEM encoded CA bundle used to validate Vault server certificate. Only used
  30633. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30634. plain HTTP protocol connection. If not set the system root certificates
  30635. are used to validate the TLS connection.
  30636. format: byte
  30637. type: string
  30638. caProvider:
  30639. description: The provider for the CA bundle to use to validate Vault server certificate.
  30640. properties:
  30641. key:
  30642. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30643. maxLength: 253
  30644. minLength: 1
  30645. pattern: ^[-._a-zA-Z0-9]+$
  30646. type: string
  30647. name:
  30648. description: The name of the object located at the provider type.
  30649. maxLength: 253
  30650. minLength: 1
  30651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30652. type: string
  30653. namespace:
  30654. description: |-
  30655. The namespace the Provider type is in.
  30656. Can only be defined when used in a ClusterSecretStore.
  30657. maxLength: 63
  30658. minLength: 1
  30659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30660. type: string
  30661. type:
  30662. description: The type of provider to use such as "Secret", or "ConfigMap".
  30663. enum:
  30664. - Secret
  30665. - ConfigMap
  30666. type: string
  30667. required:
  30668. - name
  30669. - type
  30670. type: object
  30671. checkAndSet:
  30672. description: |-
  30673. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  30674. Only applies to Vault KV v2 stores. When enabled, write operations must include
  30675. the current version of the secret to prevent unintentional overwrites.
  30676. properties:
  30677. required:
  30678. description: |-
  30679. Required when true, all write operations must include a check-and-set parameter.
  30680. This helps prevent unintentional overwrites of secrets.
  30681. type: boolean
  30682. type: object
  30683. forwardInconsistent:
  30684. description: |-
  30685. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  30686. leader instead of simply retrying within a loop. This can increase performance if
  30687. the option is enabled serverside.
  30688. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  30689. type: boolean
  30690. headers:
  30691. additionalProperties:
  30692. type: string
  30693. description: Headers to be added in Vault request
  30694. type: object
  30695. namespace:
  30696. description: |-
  30697. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  30698. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  30699. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  30700. type: string
  30701. path:
  30702. description: |-
  30703. Path is the mount path of the Vault KV backend endpoint, e.g:
  30704. "secret". The v2 KV secret engine version specific "/data" path suffix
  30705. for fetching secrets from Vault is optional and will be appended
  30706. if not present in specified path.
  30707. type: string
  30708. readYourWrites:
  30709. description: |-
  30710. ReadYourWrites ensures isolated read-after-write semantics by
  30711. providing discovered cluster replication states in each request.
  30712. More information about eventual consistency in Vault can be found here
  30713. https://www.vaultproject.io/docs/enterprise/consistency
  30714. type: boolean
  30715. server:
  30716. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  30717. type: string
  30718. tls:
  30719. description: |-
  30720. The configuration used for client side related TLS communication, when the Vault server
  30721. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  30722. This parameter is ignored for plain HTTP protocol connection.
  30723. It's worth noting this configuration is different from the "TLS certificates auth method",
  30724. which is available under the `auth.cert` section.
  30725. properties:
  30726. certSecretRef:
  30727. description: |-
  30728. CertSecretRef is a certificate added to the transport layer
  30729. when communicating with the Vault server.
  30730. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  30731. properties:
  30732. key:
  30733. description: |-
  30734. A key in the referenced Secret.
  30735. Some instances of this field may be defaulted, in others it may be required.
  30736. maxLength: 253
  30737. minLength: 1
  30738. pattern: ^[-._a-zA-Z0-9]+$
  30739. type: string
  30740. name:
  30741. description: The name of the Secret resource being referred to.
  30742. maxLength: 253
  30743. minLength: 1
  30744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30745. type: string
  30746. namespace:
  30747. description: |-
  30748. The namespace of the Secret resource being referred to.
  30749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30750. maxLength: 63
  30751. minLength: 1
  30752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30753. type: string
  30754. type: object
  30755. keySecretRef:
  30756. description: |-
  30757. KeySecretRef to a key in a Secret resource containing client private key
  30758. added to the transport layer when communicating with the Vault server.
  30759. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  30760. properties:
  30761. key:
  30762. description: |-
  30763. A key in the referenced Secret.
  30764. Some instances of this field may be defaulted, in others it may be required.
  30765. maxLength: 253
  30766. minLength: 1
  30767. pattern: ^[-._a-zA-Z0-9]+$
  30768. type: string
  30769. name:
  30770. description: The name of the Secret resource being referred to.
  30771. maxLength: 253
  30772. minLength: 1
  30773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30774. type: string
  30775. namespace:
  30776. description: |-
  30777. The namespace of the Secret resource being referred to.
  30778. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30779. maxLength: 63
  30780. minLength: 1
  30781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30782. type: string
  30783. type: object
  30784. type: object
  30785. version:
  30786. default: v2
  30787. description: |-
  30788. Version is the Vault KV secret engine version. This can be either "v1" or
  30789. "v2". Version defaults to "v2".
  30790. enum:
  30791. - v1
  30792. - v2
  30793. type: string
  30794. required:
  30795. - server
  30796. type: object
  30797. resultType:
  30798. default: Data
  30799. description: |-
  30800. Result type defines which data is returned from the generator.
  30801. By default, it is the "data" section of the Vault API response.
  30802. When using e.g. /auth/token/create the "data" section is empty but
  30803. the "auth" section contains the generated token.
  30804. Please refer to the vault docs regarding the result data structure.
  30805. Additionally, accessing the raw response is possibly by using "Raw" result type.
  30806. enum:
  30807. - Data
  30808. - Auth
  30809. - Raw
  30810. type: string
  30811. retrySettings:
  30812. description: Used to configure http retries if failed
  30813. properties:
  30814. maxRetries:
  30815. format: int32
  30816. type: integer
  30817. retryInterval:
  30818. type: string
  30819. type: object
  30820. required:
  30821. - path
  30822. - provider
  30823. type: object
  30824. type: object
  30825. served: true
  30826. storage: true
  30827. subresources:
  30828. status: {}
  30829. ---
  30830. apiVersion: apiextensions.k8s.io/v1
  30831. kind: CustomResourceDefinition
  30832. metadata:
  30833. annotations:
  30834. controller-gen.kubebuilder.io/version: v0.19.0
  30835. labels:
  30836. external-secrets.io/component: controller
  30837. name: webhooks.generators.external-secrets.io
  30838. spec:
  30839. group: generators.external-secrets.io
  30840. names:
  30841. categories:
  30842. - external-secrets
  30843. - external-secrets-generators
  30844. kind: Webhook
  30845. listKind: WebhookList
  30846. plural: webhooks
  30847. singular: webhook
  30848. scope: Namespaced
  30849. versions:
  30850. - name: v1alpha1
  30851. schema:
  30852. openAPIV3Schema:
  30853. description: |-
  30854. Webhook connects to a third party API server to handle the secrets generation
  30855. configuration parameters in spec.
  30856. You can specify the server, the token, and additional body parameters.
  30857. See documentation for the full API specification for requests and responses.
  30858. properties:
  30859. apiVersion:
  30860. description: |-
  30861. APIVersion defines the versioned schema of this representation of an object.
  30862. Servers should convert recognized schemas to the latest internal value, and
  30863. may reject unrecognized values.
  30864. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30865. type: string
  30866. kind:
  30867. description: |-
  30868. Kind is a string value representing the REST resource this object represents.
  30869. Servers may infer this from the endpoint the client submits requests to.
  30870. Cannot be updated.
  30871. In CamelCase.
  30872. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30873. type: string
  30874. metadata:
  30875. type: object
  30876. spec:
  30877. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  30878. properties:
  30879. auth:
  30880. description: Auth specifies a authorization protocol. Only one protocol may be set.
  30881. maxProperties: 1
  30882. minProperties: 1
  30883. properties:
  30884. ntlm:
  30885. description: NTLMProtocol configures the store to use NTLM for auth
  30886. properties:
  30887. passwordSecret:
  30888. description: |-
  30889. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30890. In some instances, `key` is a required field.
  30891. properties:
  30892. key:
  30893. description: |-
  30894. A key in the referenced Secret.
  30895. Some instances of this field may be defaulted, in others it may be required.
  30896. maxLength: 253
  30897. minLength: 1
  30898. pattern: ^[-._a-zA-Z0-9]+$
  30899. type: string
  30900. name:
  30901. description: The name of the Secret resource being referred to.
  30902. maxLength: 253
  30903. minLength: 1
  30904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30905. type: string
  30906. namespace:
  30907. description: |-
  30908. The namespace of the Secret resource being referred to.
  30909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30910. maxLength: 63
  30911. minLength: 1
  30912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30913. type: string
  30914. type: object
  30915. usernameSecret:
  30916. description: |-
  30917. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30918. In some instances, `key` is a required field.
  30919. properties:
  30920. key:
  30921. description: |-
  30922. A key in the referenced Secret.
  30923. Some instances of this field may be defaulted, in others it may be required.
  30924. maxLength: 253
  30925. minLength: 1
  30926. pattern: ^[-._a-zA-Z0-9]+$
  30927. type: string
  30928. name:
  30929. description: The name of the Secret resource being referred to.
  30930. maxLength: 253
  30931. minLength: 1
  30932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30933. type: string
  30934. namespace:
  30935. description: |-
  30936. The namespace of the Secret resource being referred to.
  30937. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30938. maxLength: 63
  30939. minLength: 1
  30940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30941. type: string
  30942. type: object
  30943. required:
  30944. - passwordSecret
  30945. - usernameSecret
  30946. type: object
  30947. type: object
  30948. body:
  30949. description: Body
  30950. type: string
  30951. caBundle:
  30952. description: |-
  30953. PEM encoded CA bundle used to validate webhook server certificate. Only used
  30954. if the Server URL is using HTTPS protocol. This parameter is ignored for
  30955. plain HTTP protocol connection. If not set the system root certificates
  30956. are used to validate the TLS connection.
  30957. format: byte
  30958. type: string
  30959. caProvider:
  30960. description: The provider for the CA bundle to use to validate webhook server certificate.
  30961. properties:
  30962. key:
  30963. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30964. maxLength: 253
  30965. minLength: 1
  30966. pattern: ^[-._a-zA-Z0-9]+$
  30967. type: string
  30968. name:
  30969. description: The name of the object located at the provider type.
  30970. maxLength: 253
  30971. minLength: 1
  30972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30973. type: string
  30974. namespace:
  30975. description: The namespace the Provider type is in.
  30976. maxLength: 63
  30977. minLength: 1
  30978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30979. type: string
  30980. type:
  30981. description: The type of provider to use such as "Secret", or "ConfigMap".
  30982. enum:
  30983. - Secret
  30984. - ConfigMap
  30985. type: string
  30986. required:
  30987. - name
  30988. - type
  30989. type: object
  30990. headers:
  30991. additionalProperties:
  30992. type: string
  30993. description: Headers
  30994. type: object
  30995. method:
  30996. description: Webhook Method
  30997. type: string
  30998. result:
  30999. description: Result formatting
  31000. properties:
  31001. jsonPath:
  31002. description: Json path of return value
  31003. type: string
  31004. type: object
  31005. secrets:
  31006. description: |-
  31007. Secrets to fill in templates
  31008. These secrets will be passed to the templating function as key value pairs under the given name
  31009. items:
  31010. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  31011. properties:
  31012. name:
  31013. description: Name of this secret in templates
  31014. type: string
  31015. secretRef:
  31016. description: Secret ref to fill in credentials
  31017. properties:
  31018. key:
  31019. description: The key where the token is found.
  31020. maxLength: 253
  31021. minLength: 1
  31022. pattern: ^[-._a-zA-Z0-9]+$
  31023. type: string
  31024. name:
  31025. description: The name of the Secret resource being referred to.
  31026. maxLength: 253
  31027. minLength: 1
  31028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31029. type: string
  31030. type: object
  31031. required:
  31032. - name
  31033. - secretRef
  31034. type: object
  31035. type: array
  31036. timeout:
  31037. description: Timeout
  31038. type: string
  31039. url:
  31040. description: Webhook url to call
  31041. type: string
  31042. required:
  31043. - result
  31044. - url
  31045. type: object
  31046. type: object
  31047. served: true
  31048. storage: true
  31049. subresources:
  31050. status: {}