
# CustomResourceDefinition for SecretStore (external-secrets.io, v1alpha1).
# A SecretStore describes one backing secret provider (AWS, Azure Key Vault,
# GCP Secret Manager, IBM Secrets Manager or HashiCorp Vault) and which
# Kubernetes Secret / ServiceAccount holds the credentials used to reach it.
# NOTE(review): the controller-gen annotation below indicates this file is
# generated from Go types, so comments added here will presumably not survive
# regeneration; carry anything worth keeping back to the source markers.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.5.0
  creationTimestamp: null
  name: secretstores.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - externalsecrets
    kind: SecretStore
    listKind: SecretStoreList
    plural: secretstores
    shortNames:
    - ss
    singular: secretstore
  # Namespace-scoped. Every secretRef / serviceAccountRef below documents its
  # `namespace` field as "Ignored if referent is not cluster-scoped", so a
  # SecretStore can only pull credential Secrets from its own namespace; this
  # is the tenant boundary for the credentials a store may use.
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: AGE
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        description: SecretStore represents a secure external location for storing
          secrets, which can be referenced as part of `storeRef` fields.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: SecretStoreSpec defines the desired state of SecretStore.
            properties:
              # Selects which controller instance reconciles this store (the
              # description likens it to ingressClassName). Optional; nothing in
              # the schema validates the value against a running controller.
              controller:
                description: 'Used to select the correct KES controller (think: ingress.ingressClassName)
                  The KES controller is instantiated with a specific controller name
                  and filters ES based on this property'
                type: string
              # Exactly one provider key must be present: minProperties rejects an
              # empty provider block, maxProperties rejects naming two backends.
              provider:
                description: Used to configure the provider. Only one provider may
                  be set
                maxProperties: 1
                minProperties: 1
                properties:
                  aws:
                    description: AWS configures this store to sync secrets using AWS
                      Secret Manager provider
                    properties:
                      # `auth` itself is not in the provider's required list. Per
                      # the description, an absent auth makes the SDK resolve
                      # credentials from the controller's own environment, so any
                      # principal allowed to create a SecretStore in this namespace
                      # effectively acts with the controller's AWS identity; scope
                      # that identity (and RBAC on this CRD) accordingly.
                      auth:
                        description: 'Auth defines the information necessary to authenticate
                          against AWS if not set aws sdk will infer credentials from
                          your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
                        properties:
                          jwt:
                            properties:
                              serviceAccountRef:
                                description: A reference to a ServiceAccount resource.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          # NOTE(review): the description says both key refs must be
                          # defined, but this object carries no `required` list, so
                          # the API server accepts a secretRef with only one of them;
                          # enforcement, if any, happens in the controller.
                          secretRef:
                            description: AWSAuthSecretRef holds secret references
                              for aws credentials both AccessKeyID and SecretAccessKey
                              must be defined in order to properly authenticate.
                            properties:
                              accessKeyIDSecretRef:
                                description: The AccessKeyID is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                        type: object
                      region:
                        description: AWS Region to be used for the provider
                        type: string
                      # Assumed with whatever base credentials `auth` resolved to.
                      # NOTE(review): presumably the role's trust policy is the only
                      # thing bounding which stores may assume it — confirm.
                      role:
                        description: Role is a Role ARN which the SecretManager provider
                          will assume
                        type: string
                      service:
                        description: Service defines which service should be used
                          to fetch the secrets
                        enum:
                        - SecretsManager
                        - ParameterStore
                        type: string
                    required:
                    - region
                    - service
                    type: object
                  azurekv:
                    description: AzureKV configures this store to sync secrets using
                      Azure Key Vault provider
                    properties:
                      # Client-credential flow only: both clientId and clientSecret
                      # refs are required here, unlike the AWS secretRef above.
                      authSecretRef:
                        description: Auth configures how the operator authenticates
                          with Azure.
                        properties:
                          clientId:
                            description: The Azure clientId of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                          clientSecret:
                            description: The Azure ClientSecret of the service principle
                              used for authentication.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                        required:
                        - clientId
                        - clientSecret
                        type: object
                      tenantId:
                        description: TenantID configures the Azure Tenant to send
                          requests to.
                        type: string
                      # Free-form string; no format/pattern check, so a malformed
                      # URL is only detected at reconcile time.
                      vaultUrl:
                        description: Vault Url from which the secrets to be fetched
                          from.
                        type: string
                    required:
                    - authSecretRef
                    - tenantId
                    - vaultUrl
                    type: object
                  gcpsm:
                    description: GCPSM configures this store to sync secrets using
                      Google Cloud Platform Secret Manager provider
                    properties:
                      auth:
                        description: Auth defines the information necessary to authenticate
                          against GCP
                        properties:
                          secretRef:
                            properties:
                              # NOTE(review): the description reads "SecretAccessKey"
                              # and looks copied from the AWS provider; presumably
                              # this is a GCP service-account credential — confirm
                              # against the provider implementation.
                              secretAccessKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      # Not in the required list below; behaviour without it is
                      # decided by the controller, not this schema.
                      projectID:
                        description: ProjectID project where secret is located
                        type: string
                    required:
                    - auth
                    type: object
                  ibm:
                    description: IBM configures this store to sync secrets using IBM
                      Cloud provider
                    properties:
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the IBM secrets manager.
                        properties:
                          secretRef:
                            properties:
                              # NOTE(review): field name says API key, description
                              # says "SecretAccessKey" (copied from AWS) — the
                              # description is the one that looks wrong.
                              secretApiKeySecretRef:
                                description: The SecretAccessKey is used for authentication
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                        required:
                        - secretRef
                        type: object
                      # Not required by the schema even though it is the only
                      # endpoint the provider has.
                      serviceUrl:
                        description: ServiceURL is the Endpoint URL that is specific
                          to the Secrets Manager service instance
                        type: string
                    required:
                    - auth
                    type: object
                  vault:
                    description: Vault configures this store to sync secrets using
                      Hashi provider
                    properties:
                      # `auth` is required, but none of its five methods is, and
                      # there is no oneOf: an empty auth block or several methods
                      # at once pass validation. Which method wins is therefore a
                      # controller-side decision not visible in this schema.
                      auth:
                        description: Auth configures how secret-manager authenticates
                          with the Vault server.
                        properties:
                          appRole:
                            description: AppRole authenticates with Vault using the
                              App Role auth mechanism, with the role and secret stored
                              in a Kubernetes Secret resource.
                            properties:
                              path:
                                default: approle
                                description: 'Path where the App Role authentication
                                  backend is mounted in Vault, e.g: "approle"'
                                type: string
                              # RoleID is a plain string in the spec (not a Secret
                              # ref); only the SecretID goes through secretRef.
                              roleId:
                                description: RoleID configured in the App Role authentication
                                  backend when setting up the authentication backend
                                  in Vault.
                                type: string
                              # Description says `key` must be specified, but only
                              # `name` is in the required list below.
                              secretRef:
                                description: Reference to a key in a Secret that contains
                                  the App Role secret used to authenticate with Vault.
                                  The `key` field must be specified and denotes which
                                  entry within the Secret resource is used as the
                                  app role secret.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - path
                            - roleId
                            - secretRef
                            type: object
                          # No required list: a `jwt: {}` block with neither role
                          # nor secretRef is accepted by the API server.
                          jwt:
                            description: Jwt authenticates with Vault by passing role
                              and JWT token using the JWT/OIDC authentication method
                            properties:
                              role:
                                description: Role is a JWT role to authenticate using
                                  the JWT/OIDC Vault authentication method
                                type: string
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing JWT token to authenticate with Vault
                                  using the JWT/OIDC authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            type: object
                          kubernetes:
                            description: Kubernetes authenticates with Vault by passing
                              the ServiceAccount token stored in the named Secret
                              resource to the Vault server.
                            properties:
                              mountPath:
                                default: kubernetes
                                description: 'Path where the Kubernetes authentication
                                  backend is mounted in Vault, e.g: "kubernetes"'
                                type: string
                              role:
                                description: A required field containing the Vault
                                  Role to assume. A Role binds a Kubernetes ServiceAccount
                                  with a set of Vault policies.
                                type: string
                              # Per the description, with neither secretRef nor
                              # serviceAccountRef set the controller's own SA token
                              # is presented to Vault — same "store inherits the
                              # controller's identity" concern as the AWS env
                              # fallback; bind the Vault role narrowly.
                              secretRef:
                                description: Optional secret field containing a Kubernetes
                                  ServiceAccount JWT used for authenticating with
                                  Vault. If a name is specified without a key, `token`
                                  is the default. If one is not specified, the one
                                  bound to the controller will be used.
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                              # Takes precedence over secretRef when both are set
                              # (per the description).
                              serviceAccountRef:
                                description: Optional service account field containing
                                  the name of a kubernetes ServiceAccount. If the
                                  service account is specified, the service account
                                  secret token JWT will be used for authenticating
                                  with Vault. If the service account selector is not
                                  supplied, the secretRef will be used instead.
                                properties:
                                  name:
                                    description: The name of the ServiceAccount resource
                                      being referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                            required:
                            - mountPath
                            - role
                            type: object
                          # Only `username` is required; the password secretRef is
                          # optional as far as the schema is concerned.
                          ldap:
                            description: Ldap authenticates with Vault by passing
                              username/password pair using the LDAP authentication
                              method
                            properties:
                              secretRef:
                                description: SecretRef to a key in a Secret resource
                                  containing password for the LDAP user used to authenticate
                                  with Vault using the LDAP authentication method
                                properties:
                                  key:
                                    description: The key of the entry in the Secret
                                      resource's `data` field to be used. Some instances
                                      of this field may be defaulted, in others it
                                      may be required.
                                    type: string
                                  name:
                                    description: The name of the Secret resource being
                                      referred to.
                                    type: string
                                  namespace:
                                    description: Namespace of the resource being referred
                                      to. Ignored if referent is not cluster-scoped.
                                      cluster-scoped defaults to the namespace of
                                      the referent.
                                    type: string
                                required:
                                - name
                                type: object
                              username:
                                description: Username is a LDAP user name used to
                                  authenticate using the LDAP Vault authentication
                                  method
                                type: string
                            required:
                            - username
                            type: object
                          # A pre-issued Vault token held in a Secret. Nothing here
                          # bounds its TTL or policies; that is a Vault-side
                          # concern, so prefer one of the role-based methods above
                          # where possible.
                          tokenSecretRef:
                            description: TokenSecretRef authenticates with Vault by
                              presenting a token.
                            properties:
                              key:
                                description: The key of the entry in the Secret resource's
                                  `data` field to be used. Some instances of this
                                  field may be defaulted, in others it may be required.
                                type: string
                              name:
                                description: The name of the Secret resource being
                                  referred to.
                                type: string
                              namespace:
                                description: Namespace of the resource being referred
                                  to. Ignored if referent is not cluster-scoped. cluster-scoped
                                  defaults to the namespace of the referent.
                                type: string
                            required:
                            - name
                            type: object
                        type: object
                      # Base64-encoded (format: byte) PEM bundle used as the trust
                      # anchor for the Vault TLS connection. Per the description it
                      # is ignored for http:// servers, and `server` below carries
                      # no scheme constraint, so a plain-HTTP server is accepted by
                      # the API server and the Vault token plus every fetched secret
                      # would cross the wire in cleartext. Treat caBundle + https://
                      # as mandatory in practice, and pin to a private CA rather
                      # than relying on the system roots fallback.
                      caBundle:
                        description: PEM encoded CA bundle used to validate Vault
                          server certificate. Only used if the Server URL is using
                          HTTPS protocol. This parameter is ignored for plain HTTP
                          protocol connection. If not set the system root certificates
                          are used to validate the TLS connection.
                        format: byte
                        type: string
                      namespace:
                        description: 'Name of the vault namespace. Namespaces is a
                          set of features within Vault Enterprise that allows Vault
                          environments to support Secure Multi-tenancy. e.g: "ns1".
                          More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
                        type: string
                      path:
                        description: 'Path is the mount path of the Vault KV backend
                          endpoint, e.g: "secret". The v2 KV secret engine version
                          specific "/data" path suffix for fetching secrets from Vault
                          is optional and will be appended if not present in specified
                          path.'
                        type: string
                      # NOTE(review): plain string, no pattern; see the caBundle
                      # comment above for why an http:// value matters.
                      server:
                        description: 'Server is the connection address for the Vault
                          server, e.g: "https://vault.example.com:8200".'
                        type: string
                      version:
                        default: v2
                        description: Version is the Vault KV secret engine version.
                          This can be either "v1" or "v2". Version defaults to "v2".
                        enum:
                        - v1
                        - v2
                        type: string
                    required:
                    - auth
                    - path
                    - server
                    type: object
                type: object
            required:
            - provider
            type: object
          # Observed state: a list of generic conditions (type/status required).
          # Written by the controller through the status subresource enabled
          # below, so spec and status are updated on separate endpoints.
          status:
            description: SecretStoreStatus defines the observed state of the SecretStore.
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      format: date-time
                      type: string
                    message:
                      type: string
                    reason:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
# Empty CRD status as emitted by controller-gen; the API server populates it
# once the CRD is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []