| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693769476957696769776987699770077017702770377047705770677077708770977107711771277137714771577167717771877197720772177227723772477257726772777287729773077317732773377347735773677377738773977407741774277437744774577467747774877497750775177527753775477557756775777587759776077617762776377647765776677677768776977707771777277737774777577767777777877797780778177827783778477857786778777887789779077917792779377947795779677977798779978007801780278037804780578067807780878097810781178127813781478157816781778187819782078217822782378247825782678277828782978307831783278337834783578367837783878397840784178427843784478457846784778487849785078517852785378547855785678577858785978607861786278637864786578667867786878697870787178727873787478757876787778787879788078817882788378847885788678877888788978907891789278937894789578967897789878997900790179027903790479057906790779087909791079117912791379147915791679177918791979207921792279237924792579267927792879297930793179327933793479357936793779387939794079417942794379447945794679477948794979507951795279537954795579567957795879597960796179627963796479657966796779687969797079717972797379747975797679777978797979807981798279837984798579867987798879897990799179927993799479957996799779987999800080018002800380048005800680078008800980108011801280138014801580168017801880198020802180228023802480258026802780288029803080318032803380348035803680378038803980408041804280438044804580468047804880498050805180528053805480558056805780588059806080618062806380648065806680678068806980708071807280738074807580768077807880798080808180828083808480858086808780888089809080918092809380948095809680978098809981008101810281038104810581068107810881098110811181128113811481158116811781188119812081218122812381248125812681278128812981308131813281338134813581368137813881398140814181428143814481458146814781488149815081518152815381548155815681578158815981608161816281638164816581668167 |
- should match snapshot of default values:
- 1: |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.17.3
- labels:
- external-secrets.io/component: controller
- name: secretstores.external-secrets.io
- spec:
- group: external-secrets.io
- names:
- categories:
- - external-secrets
- kind: SecretStore
- listKind: SecretStoreList
- plural: secretstores
- shortNames:
- - ss
- singular: secretstore
- scope: Namespaced
- versions:
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- description: Defines authentication settings for connecting to Conjur.
- properties:
- apikey:
- description: Authenticates with Conjur using an API key.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- description: URL is the endpoint of the Conjur instance.
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service Token)
- type: string
- format:
- description: Format enables the downloading of secrets as a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- version:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- required:
- - data
- type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
- required:
- - apiHost
- - auth
- - environment
- - project
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication to a 1Password Connect Server.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
- - additionalPrinterColumns:
- - jsonPath: .metadata.creationTimestamp
- name: AGE
- type: date
- - jsonPath: .status.conditions[?(@.type=="Ready")].reason
- name: Status
- type: string
- - jsonPath: .status.capabilities
- name: Capabilities
- type: string
- - jsonPath: .status.conditions[?(@.type=="Ready")].status
- name: Ready
- type: string
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- description: SecretStoreSpec defines the desired state of SecretStore.
- properties:
- conditions:
- description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
- items:
- description: |-
- ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
- for a ClusterSecretStore instance.
- properties:
- namespaceRegexes:
- description: Choose namespaces by using regex matching
- items:
- type: string
- type: array
- namespaceSelector:
- description: Choose namespace using a labelSelector
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
- items:
- description: |-
- A label selector requirement is a selector that contains values, a key, and an operator that
- relates the key and values.
- properties:
- key:
- description: key is the label key that the selector applies to.
- type: string
- operator:
- description: |-
- operator represents a key's relationship to a set of values.
- Valid operators are In, NotIn, Exists and DoesNotExist.
- type: string
- values:
- description: |-
- values is an array of string values. If the operator is In or NotIn,
- the values array must be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- x-kubernetes-list-type: atomic
- required:
- - key
- - operator
- type: object
- type: array
- x-kubernetes-list-type: atomic
- matchLabels:
- additionalProperties:
- type: string
- description: |-
- matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions, whose key field is "key", the
- operator is "In", and the values array contains only "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- namespaces:
- description: Choose namespaces by name
- items:
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: array
- type: object
- type: array
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters ES based on this property
- type: string
- provider:
- description: Used to configure the provider. Only one provider may be set
- maxProperties: 1
- minProperties: 1
- properties:
- akeyless:
- description: Akeyless configures this store to sync secrets using Akeyless Vault provider
- properties:
- akeylessGWApiURL:
- description: Akeyless GW API Url from which the secrets to be fetched from.
- type: string
- authSecretRef:
- description: Auth configures how the operator authenticates with Akeyless.
- properties:
- kubernetesAuth:
- description: |-
- Kubernetes authenticates with Akeyless by passing the ServiceAccount
- token stored in the named Secret resource.
- properties:
- accessID:
- description: the Akeyless Kubernetes auth-method access-id
- type: string
- k8sConfName:
- description: Kubernetes-auth configuration name in Akeyless-Gateway
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Akeyless. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Akeyless. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - accessID
- - k8sConfName
- type: object
- secretRef:
- description: |-
- Reference to a Secret that contains the details
- to authenticate with Akeyless.
- properties:
- accessID:
- description: The SecretAccessID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessType:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessTypeParam:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- caBundle:
- description: |-
- PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
- if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- required:
- - akeylessGWApiURL
- - authSecretRef
- type: object
- alibaba:
- description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
- properties:
- auth:
- description: AlibabaAuth contains a secretRef for credentials.
- properties:
- rrsa:
- description: Authenticate against Alibaba using RRSA.
- properties:
- oidcProviderArn:
- type: string
- oidcTokenFilePath:
- type: string
- roleArn:
- type: string
- sessionName:
- type: string
- required:
- - oidcProviderArn
- - oidcTokenFilePath
- - roleArn
- - sessionName
- type: object
- secretRef:
- description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- regionID:
- description: Alibaba Region to be used for the provider
- type: string
- required:
- - auth
- - regionID
- type: object
- aws:
- description: AWS configures this store to sync secrets using AWS Secret Manager provider
- properties:
- additionalRoles:
- description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
- items:
- type: string
- type: array
- auth:
- description: |-
- Auth defines the information necessary to authenticate against AWS
- if not set aws sdk will infer credentials from your environment
- see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
- properties:
- jwt:
- description: Authenticate against AWS using service account tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- prefix:
- description: Prefix adds a prefix to all retrieved values.
- type: string
- region:
- description: AWS Region to be used for the provider
- type: string
- role:
- description: Role is a Role ARN which the provider will assume
- type: string
- secretsManager:
- description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
- properties:
- forceDeleteWithoutRecovery:
- description: |-
- Specifies whether to delete the secret without any recovery window. You
- can't use both this parameter and RecoveryWindowInDays in the same call.
- If you don't use either, then by default Secrets Manager uses a 30 day
- recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
- type: boolean
- recoveryWindowInDays:
- description: |-
- The number of days from 7 to 30 that Secrets Manager waits before
- permanently deleting the secret. You can't use both this parameter and
- ForceDeleteWithoutRecovery in the same call. If you don't use either,
- then by default Secrets Manager uses a 30 day recovery window.
- see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
- format: int64
- type: integer
- type: object
- service:
- description: Service defines which service should be used to fetch the secrets
- enum:
- - SecretsManager
- - ParameterStore
- type: string
- sessionTags:
- description: AWS STS assume role session tags
- items:
- properties:
- key:
- type: string
- value:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- transitiveTagKeys:
- description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
- items:
- type: string
- type: array
- required:
- - region
- - service
- type: object
- azurekv:
- description: AzureKV configures this store to sync secrets using Azure Key Vault provider
- properties:
- authSecretRef:
- description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- properties:
- clientCertificate:
- description: The Azure ClientCertificate of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientId:
- description: The Azure clientId of the service principle or managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- tenantId:
- description: The Azure tenantId of the managed identity used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- authType:
- default: ServicePrincipal
- description: |-
- Auth type defines how to authenticate to the keyvault service.
- Valid values are:
- - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
- - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
- enum:
- - ServicePrincipal
- - ManagedIdentity
- - WorkloadIdentity
- type: string
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- identityId:
- description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- tenantId:
- description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
- type: string
- vaultUrl:
- description: Vault Url from which the secrets to be fetched from.
- type: string
- required:
- - vaultUrl
- type: object
- beyondtrust:
- description: Beyondtrust configures this store to sync secrets using Password Safe provider.
- properties:
- auth:
- description: Auth configures how the operator authenticates with Beyondtrust.
- properties:
- apiKey:
- description: APIKey If not provided then ClientID/ClientSecret become required.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificate:
- description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- certificateKey:
- description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientId:
- description: ClientID is the API OAuth Client ID.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the API OAuth Client Secret.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- type: object
- server:
- description: Auth configures how API server works.
- properties:
- apiUrl:
- type: string
- apiVersion:
- type: string
- clientTimeOutSeconds:
- description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
- type: integer
- retrievalType:
- description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
- type: string
- separator:
- description: A character that separates the folder names.
- type: string
- verifyCA:
- type: boolean
- required:
- - apiUrl
- - verifyCA
- type: object
- required:
- - auth
- - server
- type: object
- bitwardensecretsmanager:
- description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
- properties:
- apiURL:
- type: string
- auth:
- description: |-
- Auth configures how secret-manager authenticates with a bitwarden machine account instance.
- Make sure that the token being used has permissions on the given secret.
- properties:
- secretRef:
- description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
- properties:
- credentials:
- description: AccessToken used for the bitwarden instance.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - credentials
- type: object
- required:
- - secretRef
- type: object
- bitwardenServerSDKURL:
- type: string
- caBundle:
- description: |-
- Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
- can be performed.
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- identityURL:
- type: string
- organizationID:
- description: OrganizationID determines which organization this secret store manages.
- type: string
- projectID:
- description: ProjectID determines which project this secret store manages.
- type: string
- required:
- - auth
- - organizationID
- - projectID
- type: object
- chef:
- description: Chef configures this store to sync secrets with chef server
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against chef Server
- properties:
- secretRef:
- description: ChefAuthSecretRef holds secret references for chef server login credentials.
- properties:
- privateKeySecretRef:
- description: SecretKey is the Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKeySecretRef
- type: object
- required:
- - secretRef
- type: object
- serverUrl:
- description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
- type: string
- username:
- description: UserName should be the user ID on the chef server
- type: string
- required:
- - auth
- - serverUrl
- - username
- type: object
- cloudrusm:
- description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
- properties:
- auth:
- description: CSMAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- accessKeySecretSecretRef:
- description: The AccessKeySecret is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessKeyIDSecretRef
- - accessKeySecretSecretRef
- type: object
- type: object
- projectID:
- description: ProjectID is the project, which the secrets are stored in.
- type: string
- required:
- - auth
- type: object
- conjur:
- description: Conjur configures this store to sync secrets using conjur provider
- properties:
- auth:
- description: Defines authentication settings for connecting to Conjur.
- properties:
- apikey:
- description: Authenticates with Conjur using an API key.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- apiKeyRef:
- description: |-
- A reference to a specific 'key' containing the Conjur API key
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userRef:
- description: |-
- A reference to a specific 'key' containing the Conjur username
- within a Secret resource. In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - account
- - apiKeyRef
- - userRef
- type: object
- jwt:
- description: Jwt enables JWT authentication using Kubernetes service account tokens.
- properties:
- account:
- description: Account is the Conjur organization account name.
- type: string
- hostId:
- description: |-
- Optional HostID for JWT authentication. This may be used depending
- on how the Conjur JWT authenticator policy is configured.
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Conjur using the JWT authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional ServiceAccountRef specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- serviceID:
- description: The conjur authn jwt webservice id
- type: string
- required:
- - account
- - serviceID
- type: object
- type: object
- caBundle:
- description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
- type: string
- caProvider:
- description: |-
- Used to provide custom certificate authority (CA) certificates
- for a secret store. The CAProvider points to a Secret or ConfigMap resource
- that contains a PEM-encoded certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- description: URL is the endpoint of the Conjur instance.
- type: string
- required:
- - auth
- - url
- type: object
- delinea:
- description: |-
- Delinea DevOps Secrets Vault
- https://docs.delinea.com/online-help/products/devops-secrets-vault/current
- properties:
- clientId:
- description: ClientID is the non-secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- clientSecret:
- description: ClientSecret is the secret part of the credential.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- tenant:
- description: Tenant is the chosen hostname / site name.
- type: string
- tld:
- description: |-
- TLD is based on the server location that was chosen during provisioning.
- If unset, defaults to "com".
- type: string
- urlTemplate:
- description: |-
- URLTemplate
- If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
- type: string
- required:
- - clientId
- - clientSecret
- - tenant
- type: object
- device42:
- description: Device42 configures this store to sync secrets using the Device42 provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Device42 instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- host:
- description: URL configures the Device42 instance URL.
- type: string
- required:
- - auth
- - host
- type: object
- doppler:
- description: Doppler configures this store to sync secrets using the Doppler provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Doppler API
- properties:
- secretRef:
- properties:
- dopplerToken:
- description: |-
- The DopplerToken is used for authentication.
- See https://docs.doppler.com/reference/api#authentication for auth token types.
- The Key attribute defaults to dopplerToken if not specified.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - dopplerToken
- type: object
- required:
- - secretRef
- type: object
- config:
- description: Doppler config (required if not using a Service Token)
- type: string
- format:
- description: Format enables the downloading of secrets as a file (string)
- enum:
- - json
- - dotnet-json
- - env
- - yaml
- - docker
- type: string
- nameTransformer:
- description: Environment variable compatible name transforms that change secret names to a different format
- enum:
- - upper-camel
- - camel
- - lower-snake
- - tf-var
- - dotnet-env
- - lower-kebab
- type: string
- project:
- description: Doppler project (required if not using a Service Token)
- type: string
- required:
- - auth
- type: object
- fake:
- description: Fake configures a store with static key/value pairs
- properties:
- data:
- items:
- properties:
- key:
- type: string
- value:
- type: string
- version:
- type: string
- required:
- - key
- - value
- type: object
- type: array
- required:
- - data
- type: object
- fortanix:
- description: Fortanix configures this store to sync secrets using the Fortanix provider
- properties:
- apiKey:
- description: APIKey is the API token to access SDKMS Applications.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the SDKMS API Key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
- type: string
- type: object
- gcpsm:
- description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- description: |-
- ClusterLocation is the location of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterName:
- description: |-
- ClusterName is the name of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- clusterProjectID:
- description: |-
- ClusterProjectID is the project ID of the cluster
- If not specified, it fetches information from the metadata server
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- type: object
- location:
- description: Location optionally defines a location for a secret
- type: string
- projectID:
- description: ProjectID project where secret is located
- type: string
- type: object
- github:
- description: Github configures this store to push Github Action secrets using Github API provider
- properties:
- appID:
- description: appID specifies the Github APP that will be used to authenticate the client
- format: int64
- type: integer
- auth:
- description: auth configures how secret-manager authenticates with a Github instance.
- properties:
- privateKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - privateKey
- type: object
- environment:
- description: environment will be used to fetch secrets from a particular environment within a github repository
- type: string
- installationID:
- description: installationID specifies the Github APP installation that will be used to authenticate the client
- format: int64
- type: integer
- organization:
- description: organization will be used to fetch secrets from the Github organization
- type: string
- repository:
- description: repository will be used to fetch secrets from the Github repository within an organization
- type: string
- uploadURL:
- description: Upload URL for enterprise instances. Default to URL.
- type: string
- url:
- default: https://github.com/
- description: URL configures the Github instance URL. Defaults to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installationID
- - organization
- type: object
- gitlab:
- description: GitLab configures this store to sync secrets using GitLab Variables provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a GitLab instance.
- properties:
- SecretRef:
- properties:
- accessToken:
- description: AccessToken is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - SecretRef
- type: object
- environment:
- description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
- type: string
- groupIDs:
- description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
- items:
- type: string
- type: array
- inheritFromGroups:
- description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
- type: boolean
- projectID:
- description: ProjectID specifies a project where secrets are located.
- type: string
- url:
- description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
- type: string
- required:
- - auth
- type: object
- ibm:
- description: IBM configures this store to sync secrets using IBM Cloud provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the IBM secrets manager.
- maxProperties: 1
- minProperties: 1
- properties:
- containerAuth:
- description: IBM Container-based auth with IAM Trusted Profile.
- properties:
- iamEndpoint:
- type: string
- profile:
- description: the IBM Trusted Profile
- type: string
- tokenLocation:
- description: Location the token is mounted on the pod
- type: string
- required:
- - profile
- type: object
- secretRef:
- properties:
- secretApiKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- serviceUrl:
- description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
- type: string
- required:
- - auth
- type: object
- infisical:
- description: Infisical configures this store to sync secrets using the Infisical provider
- properties:
- auth:
- description: Auth configures how the Operator authenticates with the Infisical API
- properties:
- universalAuthCredentials:
- properties:
- clientId:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecret
- type: object
- type: object
- hostAPI:
- default: https://app.infisical.com/api
- description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
- type: string
- secretsScope:
- description: SecretsScope defines the scope of the secrets within the workspace
- properties:
- environmentSlug:
- description: EnvironmentSlug is the required slug identifier for the environment.
- type: string
- expandSecretReferences:
- default: true
- description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
- type: boolean
- projectSlug:
- description: ProjectSlug is the required slug identifier for the project.
- type: string
- recursive:
- default: false
- description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
- type: boolean
- secretsPath:
- default: /
- description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
- type: string
- required:
- - environmentSlug
- - projectSlug
- type: object
- required:
- - auth
- - secretsScope
- type: object
- keepersecurity:
- description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
- properties:
- authRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- folderID:
- type: string
- required:
- - authRef
- - folderID
- type: object
- kubernetes:
- description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Kubernetes instance.
- maxProperties: 1
- minProperties: 1
- properties:
- cert:
- description: has both clientCert and clientKey as secretKeySelector
- properties:
- clientCert:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientKey:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- serviceAccount:
- description: points to a service account that should be used for authentication
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- token:
- description: use static token to authenticate with
- properties:
- bearerToken:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- authRef:
- description: A reference to a secret that contains the auth information.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- remoteNamespace:
- default: default
- description: Remote namespace to fetch the secrets from
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- server:
- description: configures the Kubernetes server Address.
- properties:
- caBundle:
- description: CABundle is a base64-encoded CA certificate
- format: byte
- type: string
- caProvider:
- description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- url:
- default: kubernetes.default
- description: configures the Kubernetes server Address.
- type: string
- type: object
- type: object
- onboardbase:
- description: Onboardbase configures this store to sync secrets using the Onboardbase provider
- properties:
- apiHost:
- default: https://public.onboardbase.com/api/v1/
- description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
- type: string
- auth:
- description: Auth configures how the Operator authenticates with the Onboardbase API
- properties:
- apiKeyRef:
- description: |-
- OnboardbaseAPIKey is the APIKey generated by an admin account.
- It is used to recognize and authorize access to a project and environment within onboardbase
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- passcodeRef:
- description: OnboardbasePasscode is the passcode attached to the API Key
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - apiKeyRef
- - passcodeRef
- type: object
- environment:
- default: development
- description: Environment is the name of an environmnent within a project to pull the secrets from
- type: string
- project:
- default: development
- description: Project is an onboardbase project that the secrets should be pulled from
- type: string
- required:
- - apiHost
- - auth
- - environment
- - project
- type: object
- onepassword:
- description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against OnePassword Connect Server
- properties:
- secretRef:
- description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
- properties:
- connectTokenSecretRef:
- description: The ConnectToken is used for authentication to a 1Password Connect Server.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - connectTokenSecretRef
- type: object
- required:
- - secretRef
- type: object
- connectHost:
- description: ConnectHost defines the OnePassword Connect Server to connect to
- type: string
- vaults:
- additionalProperties:
- type: integer
- description: Vaults defines which OnePassword vaults to search in which order
- type: object
- required:
- - auth
- - connectHost
- - vaults
- type: object
- oracle:
- description: Oracle configures this store to sync secrets using Oracle Vault provider
- properties:
- auth:
- description: |-
- Auth configures how secret-manager authenticates with the Oracle Vault.
- If empty, use the instance principal, otherwise the user credentials specified in Auth.
- properties:
- secretRef:
- description: SecretRef to pass through sensitive information.
- properties:
- fingerprint:
- description: Fingerprint is the fingerprint of the API private key.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privatekey:
- description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - fingerprint
- - privatekey
- type: object
- tenancy:
- description: Tenancy is the tenancy OCID where user is located.
- type: string
- user:
- description: User is an access OCID specific to the account.
- type: string
- required:
- - secretRef
- - tenancy
- - user
- type: object
- compartment:
- description: |-
- Compartment is the vault compartment OCID.
- Required for PushSecret
- type: string
- encryptionKey:
- description: |-
- EncryptionKey is the OCID of the encryption key within the vault.
- Required for PushSecret
- type: string
- principalType:
- description: |-
- The type of principal to use for authentication. If left blank, the Auth struct will
- determine the principal type. This optional field must be specified if using
- workload identity.
- enum:
- - ""
- - UserPrincipal
- - InstancePrincipal
- - Workload
- type: string
- region:
- description: Region is the region where vault is located.
- type: string
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- vault:
- description: Vault is the vault's OCID of the specific vault where secret is located.
- type: string
- required:
- - region
- - vault
- type: object
- passbolt:
- properties:
- auth:
- description: Auth defines the information necessary to authenticate against Passbolt Server
- properties:
- passwordSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- privateKeySecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecretRef
- - privateKeySecretRef
- type: object
- host:
- description: Host defines the Passbolt Server to connect to
- type: string
- required:
- - auth
- - host
- type: object
- passworddepot:
- description: Configures a store to sync secrets with a Password Depot instance.
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with a Password Depot instance.
- properties:
- secretRef:
- properties:
- credentials:
- description: Username / Password is used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- database:
- description: Database to use as source
- type: string
- host:
- description: URL configures the Password Depot instance URL.
- type: string
- required:
- - auth
- - database
- - host
- type: object
- previder:
- description: Previder configures this store to sync secrets using the Previder provider
- properties:
- auth:
- description: PreviderAuth contains a secretRef for credentials.
- properties:
- secretRef:
- description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
- properties:
- accessToken:
- description: The AccessToken is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - accessToken
- type: object
- type: object
- baseUri:
- type: string
- required:
- - auth
- type: object
- pulumi:
- description: Pulumi configures this store to sync secrets using the Pulumi provider
- properties:
- accessToken:
- description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
- properties:
- secretRef:
- description: SecretRef is a reference to a secret containing the Pulumi API token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- apiUrl:
- default: https://api.pulumi.com/api/esc
- description: APIURL is the URL of the Pulumi API.
- type: string
- environment:
- description: |-
- Environment are YAML documents composed of static key-value pairs, programmatic expressions,
- dynamically retrieved values from supported providers including all major clouds,
- and other Pulumi ESC environments.
- To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
- type: string
- organization:
- description: |-
- Organization are a space to collaborate on shared projects and stacks.
- To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
- type: string
- project:
- description: Project is the name of the Pulumi ESC project the environment belongs to.
- type: string
- required:
- - accessToken
- - environment
- - organization
- - project
- type: object
- scaleway:
- description: Scaleway
- properties:
- accessKey:
- description: AccessKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- apiUrl:
- description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
- type: string
- projectId:
- description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
- type: string
- region:
- description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
- type: string
- secretKey:
- description: SecretKey is the non-secret part of the api key.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - accessKey
- - projectId
- - region
- - secretKey
- type: object
- secretserver:
- description: |-
- SecretServer configures this store to sync secrets using SecretServer provider
- https://docs.delinea.com/online-help/secret-server/start.htm
- properties:
- password:
- description: Password is the secret server account password.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- serverURL:
- description: |-
- ServerURL
- URL to your secret server installation
- type: string
- username:
- description: Username is the secret server account username.
- properties:
- secretRef:
- description: SecretRef references a key in a secret that will be used as value.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- value:
- description: Value can be specified directly to set a value without using a secret.
- type: string
- type: object
- required:
- - password
- - serverURL
- - username
- type: object
- senhasegura:
- description: Senhasegura configures this store to sync secrets using senhasegura provider
- properties:
- auth:
- description: Auth defines parameters to authenticate in senhasegura
- properties:
- clientId:
- type: string
- clientSecretSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - clientId
- - clientSecretSecretRef
- type: object
- ignoreSslCertificate:
- default: false
- description: IgnoreSslCertificate defines if SSL certificate must be ignored
- type: boolean
- module:
- description: Module defines which senhasegura module should be used to get secrets
- type: string
- url:
- description: URL of senhasegura
- type: string
- required:
- - auth
- - module
- - url
- type: object
- vault:
- description: Vault configures this store to sync secrets using Hashi provider
- properties:
- auth:
- description: Auth configures how secret-manager authenticates with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM roles
- type: string
- jwt:
- description: Specify a service account with IRSA enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- webhook:
- description: Webhook configures this store to sync secrets using a generic templated webhook
- properties:
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret", or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- yandexcertificatemanager:
- description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- yandexlockbox:
- description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
- properties:
- apiEndpoint:
- description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
- type: string
- auth:
- description: Auth defines the information necessary to authenticate against Yandex Lockbox
- properties:
- authorizedKeySecretRef:
- description: The authorized key used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- caProvider:
- description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
- properties:
- certSecretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - auth
- type: object
- type: object
- refreshInterval:
- description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
- type: integer
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - provider
- type: object
- status:
- description: SecretStoreStatus defines the observed state of the SecretStore.
- properties:
- capabilities:
- description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
- type: string
- conditions:
- items:
- properties:
- lastTransitionTime:
- format: date-time
- type: string
- message:
- type: string
- reason:
- type: string
- status:
- type: string
- type:
- type: string
- required:
- - status
- - type
- type: object
- type: array
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
|
