crds_test.yaml.snap 600 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429543054315432543354345435543654375438543954405441544254435444544554465447544854495450545154525453545454555456545754585459546054615462546354645465546654675468546954705471547254735474547554765477547854795480548154825483548454855486548754885489549054915492549354945495549654975498549955005501550255035504550555065507550855095510551155125513551455155516551755185519552055215522552355245525552655275528552955305531553255335534553555365537553855395540554155425543554455455546554755485549555055515552555355545555555655575558555955605561556255635564556555665567556855695570557155725573557455755576557755785579558055815582558355845585558655875588558955905591559255935594559555965597559855995600560156025603560456055606560756085609561056115612561356145615561656175618561956205621562256235624562556265627562856295630563156325633563456355636563756385639564056415642564356445645564656475648564956505651565256535654565556565657565856595660566156625663566456655666566756685669567056715672567356745675567656775678567956805681568256835684568556865687568856895690569156925693569456955696569756985699570057015702570357045705570657075708570957105711571257135714571557165717571857195720572157225723572457255726572757285729573057315732573357345735573657375738573957405741574257435744574557465747574857495750575157525753575457555756575757585759576057615762576357645765576657675768576957705771577257735774577557765777577857795780578157825783578457855786578757885789579057915792579357945795579657975798579958005801580258035804580558065807580858095810581158125813581458155816581758185819582058215822582358245825582658275828582958305831583258335834583558365837583858395840584158425843584458455846584758485849585058515852585358545855585658575858585958605861586258635864586558665867586858695870587158725873587458755876587758785879588058815882588358845885588658875888588958905891589258935894589558965897589858995900590159025903590459055906590759085909591059115912591359145915591659175918591959205921592259235924592559265927592859295930593159325933593459355936593759385939594059415942594359445945594659475948594959505951595259535954595559565957595859595960596159625963596459655966596759685969597059715972597359745975597659775978597959805981598259835984598559865987598859895990599159925993599459955996599759985999600060016002600360046005600660076008600960106011601260136014601560166017601860196020602160226023602460256026602760286029603060316032603360346035603660376038603960406041604260436044604560466047604860496050605160526053605460556056605760586059606060616062606360646065606660676068606960706071607260736074607560766077607860796080608160826083608460856086608760886089609060916092609360946095609660976098609961006101610261036104610561066107610861096110611161126113611461156116611761186119612061216122612361246125612661276128612961306131613261336134613561366137613861396140614161426143614461456146614761486149615061516152615361546155615661576158615961606161616261636164616561666167616861696170617161726173617461756176617761786179618061816182618361846185618661876188618961906191619261936194619561966197619861996200620162026203620462056206620762086209621062116212621362146215621662176218621962206221622262236224622562266227622862296230623162326233623462356236623762386239624062416242624362446245624662476248624962506251625262536254625562566257625862596260626162626263626462656266626762686269627062716272627362746275627662776278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677767786779678067816782678367846785678667876788678967906791679267936794679567966797679867996800680168026803680468056806680768086809681068116812681368146815681668176818681968206821682268236824682568266827682868296830683168326833683468356836683768386839684068416842684368446845684668476848684968506851685268536854685568566857685868596860686168626863686468656866686768686869687068716872687368746875687668776878687968806881688268836884688568866887688868896890689168926893689468956896689768986899690069016902690369046905690669076908690969106911691269136914691569166917691869196920692169226923692469256926692769286929693069316932693369346935693669376938693969406941694269436944694569466947694869496950695169526953695469556956695769586959696069616962696369646965696669676968696969706971697269736974697569766977697869796980698169826983698469856986698769886989699069916992699369946995699669976998699970007001700270037004700570067007700870097010701170127013701470157016701770187019702070217022702370247025702670277028702970307031703270337034703570367037703870397040704170427043704470457046704770487049705070517052705370547055705670577058705970607061706270637064706570667067706870697070707170727073707470757076707770787079708070817082708370847085708670877088708970907091709270937094709570967097709870997100710171027103710471057106710771087109711071117112711371147115711671177118711971207121712271237124712571267127712871297130713171327133713471357136713771387139714071417142714371447145714671477148714971507151715271537154715571567157715871597160716171627163716471657166716771687169717071717172717371747175717671777178717971807181718271837184718571867187718871897190719171927193719471957196719771987199720072017202720372047205720672077208720972107211721272137214721572167217721872197220722172227223722472257226722772287229723072317232723372347235723672377238723972407241724272437244724572467247724872497250725172527253725472557256725772587259726072617262726372647265726672677268726972707271727272737274727572767277727872797280728172827283728472857286728772887289729072917292729372947295729672977298729973007301730273037304730573067307730873097310731173127313731473157316731773187319732073217322732373247325732673277328732973307331733273337334733573367337733873397340734173427343734473457346734773487349735073517352735373547355735673577358735973607361736273637364736573667367736873697370737173727373737473757376737773787379738073817382738373847385738673877388738973907391739273937394739573967397739873997400740174027403740474057406740774087409741074117412741374147415741674177418741974207421742274237424742574267427742874297430743174327433743474357436743774387439744074417442744374447445744674477448744974507451745274537454745574567457745874597460746174627463746474657466746774687469747074717472747374747475747674777478747974807481748274837484748574867487748874897490749174927493749474957496749774987499750075017502750375047505750675077508750975107511751275137514751575167517751875197520752175227523752475257526752775287529753075317532753375347535753675377538753975407541754275437544754575467547754875497550755175527553755475557556755775587559756075617562756375647565756675677568756975707571757275737574757575767577757875797580758175827583758475857586758775887589759075917592759375947595759675977598759976007601760276037604760576067607760876097610761176127613761476157616761776187619762076217622762376247625762676277628762976307631763276337634763576367637763876397640764176427643764476457646764776487649765076517652765376547655765676577658765976607661766276637664766576667667766876697670767176727673767476757676767776787679768076817682768376847685768676877688768976907691769276937694769576967697769876997700770177027703770477057706770777087709771077117712771377147715771677177718771977207721772277237724772577267727772877297730773177327733773477357736773777387739774077417742774377447745774677477748774977507751775277537754775577567757775877597760776177627763776477657766776777687769777077717772777377747775777677777778777977807781778277837784778577867787778877897790779177927793779477957796779777987799780078017802780378047805780678077808780978107811781278137814781578167817781878197820782178227823782478257826782778287829783078317832783378347835783678377838783978407841784278437844784578467847784878497850785178527853785478557856785778587859786078617862786378647865786678677868786978707871787278737874787578767877787878797880788178827883788478857886788778887889789078917892789378947895789678977898789979007901790279037904790579067907790879097910791179127913791479157916791779187919792079217922792379247925792679277928792979307931793279337934793579367937793879397940794179427943794479457946794779487949795079517952795379547955795679577958795979607961796279637964796579667967796879697970797179727973797479757976797779787979798079817982798379847985798679877988798979907991799279937994799579967997799879998000800180028003800480058006800780088009801080118012801380148015801680178018801980208021802280238024802580268027802880298030803180328033803480358036803780388039804080418042804380448045804680478048804980508051805280538054805580568057805880598060806180628063806480658066806780688069807080718072807380748075807680778078807980808081808280838084808580868087808880898090809180928093809480958096809780988099810081018102810381048105810681078108810981108111811281138114811581168117811881198120812181228123812481258126812781288129813081318132813381348135813681378138813981408141814281438144814581468147814881498150815181528153815481558156815781588159816081618162816381648165816681678168816981708171817281738174817581768177817881798180818181828183818481858186818781888189819081918192819381948195819681978198819982008201820282038204820582068207820882098210821182128213821482158216821782188219822082218222822382248225822682278228822982308231823282338234823582368237823882398240824182428243824482458246824782488249825082518252825382548255825682578258825982608261826282638264826582668267826882698270827182728273827482758276827782788279828082818282828382848285828682878288828982908291829282938294829582968297829882998300830183028303830483058306830783088309831083118312831383148315831683178318831983208321832283238324832583268327832883298330833183328333833483358336833783388339834083418342834383448345834683478348834983508351835283538354835583568357835883598360836183628363836483658366836783688369837083718372837383748375837683778378837983808381838283838384838583868387838883898390839183928393839483958396839783988399840084018402840384048405840684078408840984108411841284138414841584168417841884198420842184228423842484258426842784288429843084318432843384348435843684378438843984408441844284438444844584468447844884498450845184528453845484558456845784588459846084618462846384648465846684678468846984708471847284738474847584768477847884798480848184828483848484858486848784888489849084918492849384948495849684978498849985008501850285038504850585068507850885098510851185128513851485158516851785188519852085218522852385248525852685278528852985308531853285338534853585368537853885398540854185428543854485458546854785488549855085518552855385548555855685578558855985608561856285638564856585668567856885698570857185728573857485758576857785788579858085818582858385848585858685878588858985908591859285938594859585968597859885998600860186028603860486058606860786088609861086118612861386148615861686178618861986208621862286238624862586268627862886298630863186328633863486358636863786388639864086418642864386448645864686478648864986508651865286538654865586568657865886598660866186628663866486658666866786688669867086718672867386748675867686778678867986808681868286838684868586868687868886898690869186928693869486958696869786988699870087018702870387048705870687078708870987108711871287138714871587168717871887198720872187228723872487258726872787288729873087318732873387348735873687378738873987408741874287438744874587468747874887498750875187528753875487558756875787588759876087618762876387648765876687678768876987708771877287738774877587768777877887798780878187828783878487858786878787888789879087918792879387948795879687978798879988008801880288038804880588068807880888098810881188128813881488158816881788188819882088218822882388248825882688278828882988308831883288338834883588368837883888398840884188428843884488458846884788488849885088518852885388548855885688578858885988608861886288638864886588668867886888698870887188728873887488758876887788788879888088818882888388848885888688878888888988908891889288938894889588968897889888998900890189028903890489058906890789088909891089118912891389148915891689178918891989208921892289238924892589268927892889298930893189328933893489358936893789388939894089418942894389448945894689478948894989508951895289538954895589568957895889598960896189628963896489658966896789688969897089718972897389748975897689778978897989808981898289838984898589868987898889898990899189928993899489958996899789988999900090019002900390049005900690079008900990109011901290139014901590169017901890199020902190229023902490259026902790289029903090319032903390349035903690379038903990409041904290439044904590469047904890499050905190529053905490559056905790589059906090619062906390649065906690679068906990709071907290739074907590769077907890799080908190829083908490859086908790889089909090919092909390949095909690979098909991009101910291039104910591069107910891099110911191129113911491159116911791189119912091219122912391249125912691279128912991309131913291339134913591369137913891399140914191429143914491459146914791489149915091519152915391549155915691579158915991609161916291639164916591669167916891699170917191729173917491759176917791789179918091819182918391849185918691879188918991909191919291939194919591969197919891999200920192029203920492059206920792089209921092119212921392149215921692179218921992209221922292239224922592269227922892299230923192329233923492359236923792389239924092419242924392449245924692479248924992509251925292539254925592569257925892599260926192629263926492659266926792689269927092719272927392749275927692779278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455
  1. should match snapshot of default values:
  2. 1: |
  3. apiVersion: apiextensions.k8s.io/v1
  4. kind: CustomResourceDefinition
  5. metadata:
  6. annotations:
  7. controller-gen.kubebuilder.io/version: v0.19.0
  8. labels:
  9. external-secrets.io/component: controller
  10. name: secretstores.external-secrets.io
  11. spec:
  12. group: external-secrets.io
  13. names:
  14. categories:
  15. - external-secrets
  16. kind: SecretStore
  17. listKind: SecretStoreList
  18. plural: secretstores
  19. shortNames:
  20. - ss
  21. singular: secretstore
  22. scope: Namespaced
  23. versions:
  24. - additionalPrinterColumns:
  25. - jsonPath: .metadata.creationTimestamp
  26. name: AGE
  27. type: date
  28. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  29. name: Status
  30. type: string
  31. - jsonPath: .status.capabilities
  32. name: Capabilities
  33. type: string
  34. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  35. name: Ready
  36. type: string
  37. name: v1
  38. schema:
  39. openAPIV3Schema:
  40. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  41. properties:
  42. apiVersion:
  43. description: |-
  44. APIVersion defines the versioned schema of this representation of an object.
  45. Servers should convert recognized schemas to the latest internal value, and
  46. may reject unrecognized values.
  47. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  48. type: string
  49. kind:
  50. description: |-
  51. Kind is a string value representing the REST resource this object represents.
  52. Servers may infer this from the endpoint the client submits requests to.
  53. Cannot be updated.
  54. In CamelCase.
  55. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  56. type: string
  57. metadata:
  58. type: object
  59. spec:
  60. description: SecretStoreSpec defines the desired state of SecretStore.
  61. properties:
  62. conditions:
  63. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  64. items:
  65. description: |-
  66. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  67. for a ClusterSecretStore instance.
  68. properties:
  69. namespaceRegexes:
  70. description: Choose namespaces by using regex matching
  71. items:
  72. type: string
  73. type: array
  74. namespaceSelector:
  75. description: Choose namespace using a labelSelector
  76. properties:
  77. matchExpressions:
  78. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  79. items:
  80. description: |-
  81. A label selector requirement is a selector that contains values, a key, and an operator that
  82. relates the key and values.
  83. properties:
  84. key:
  85. description: key is the label key that the selector applies to.
  86. type: string
  87. operator:
  88. description: |-
  89. operator represents a key's relationship to a set of values.
  90. Valid operators are In, NotIn, Exists and DoesNotExist.
  91. type: string
  92. values:
  93. description: |-
  94. values is an array of string values. If the operator is In or NotIn,
  95. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  96. the values array must be empty. This array is replaced during a strategic
  97. merge patch.
  98. items:
  99. type: string
  100. type: array
  101. x-kubernetes-list-type: atomic
  102. required:
  103. - key
  104. - operator
  105. type: object
  106. type: array
  107. x-kubernetes-list-type: atomic
  108. matchLabels:
  109. additionalProperties:
  110. type: string
  111. description: |-
  112. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  113. map is equivalent to an element of matchExpressions, whose key field is "key", the
  114. operator is "In", and the values array contains only "value". The requirements are ANDed.
  115. type: object
  116. type: object
  117. x-kubernetes-map-type: atomic
  118. namespaces:
  119. description: Choose namespaces by name
  120. items:
  121. maxLength: 63
  122. minLength: 1
  123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  124. type: string
  125. type: array
  126. type: object
  127. type: array
  128. controller:
  129. description: |-
  130. Used to select the correct ESO controller (think: ingress.ingressClassName)
  131. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  132. type: string
  133. provider:
  134. description: Used to configure the provider. Only one provider may be set
  135. maxProperties: 1
  136. minProperties: 1
  137. properties:
  138. akeyless:
  139. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  140. properties:
  141. akeylessGWApiURL:
  142. description: Akeyless GW API Url from which the secrets to be fetched from.
  143. type: string
  144. authSecretRef:
  145. description: Auth configures how the operator authenticates with Akeyless.
  146. properties:
  147. kubernetesAuth:
  148. description: |-
  149. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  150. token stored in the named Secret resource.
  151. properties:
  152. accessID:
  153. description: the Akeyless Kubernetes auth-method access-id
  154. type: string
  155. k8sConfName:
  156. description: Kubernetes-auth configuration name in Akeyless-Gateway
  157. type: string
  158. secretRef:
  159. description: |-
  160. Optional secret field containing a Kubernetes ServiceAccount JWT used
  161. for authenticating with Akeyless. If a name is specified without a key,
  162. `token` is the default. If one is not specified, the one bound to
  163. the controller will be used.
  164. properties:
  165. key:
  166. description: |-
  167. A key in the referenced Secret.
  168. Some instances of this field may be defaulted, in others it may be required.
  169. maxLength: 253
  170. minLength: 1
  171. pattern: ^[-._a-zA-Z0-9]+$
  172. type: string
  173. name:
  174. description: The name of the Secret resource being referred to.
  175. maxLength: 253
  176. minLength: 1
  177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  178. type: string
  179. namespace:
  180. description: |-
  181. The namespace of the Secret resource being referred to.
  182. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  183. maxLength: 63
  184. minLength: 1
  185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  186. type: string
  187. type: object
  188. serviceAccountRef:
  189. description: |-
  190. Optional service account field containing the name of a kubernetes ServiceAccount.
  191. If the service account is specified, the service account secret token JWT will be used
  192. for authenticating with Akeyless. If the service account selector is not supplied,
  193. the secretRef will be used instead.
  194. properties:
  195. audiences:
  196. description: |-
  197. Audience specifies the `aud` claim for the service account token
  198. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  199. then this audiences will be appended to the list
  200. items:
  201. type: string
  202. type: array
  203. name:
  204. description: The name of the ServiceAccount resource being referred to.
  205. maxLength: 253
  206. minLength: 1
  207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  208. type: string
  209. namespace:
  210. description: |-
  211. Namespace of the resource being referred to.
  212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  213. maxLength: 63
  214. minLength: 1
  215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  216. type: string
  217. required:
  218. - name
  219. type: object
  220. required:
  221. - accessID
  222. - k8sConfName
  223. type: object
  224. secretRef:
  225. description: |-
  226. Reference to a Secret that contains the details
  227. to authenticate with Akeyless.
  228. properties:
  229. accessID:
  230. description: The SecretAccessID is used for authentication
  231. properties:
  232. key:
  233. description: |-
  234. A key in the referenced Secret.
  235. Some instances of this field may be defaulted, in others it may be required.
  236. maxLength: 253
  237. minLength: 1
  238. pattern: ^[-._a-zA-Z0-9]+$
  239. type: string
  240. name:
  241. description: The name of the Secret resource being referred to.
  242. maxLength: 253
  243. minLength: 1
  244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  245. type: string
  246. namespace:
  247. description: |-
  248. The namespace of the Secret resource being referred to.
  249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  250. maxLength: 63
  251. minLength: 1
  252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  253. type: string
  254. type: object
  255. accessType:
  256. description: |-
  257. A reference to a specific 'key' within a Secret resource.
  258. In some instances, `key` is a required field.
  259. properties:
  260. key:
  261. description: |-
  262. A key in the referenced Secret.
  263. Some instances of this field may be defaulted, in others it may be required.
  264. maxLength: 253
  265. minLength: 1
  266. pattern: ^[-._a-zA-Z0-9]+$
  267. type: string
  268. name:
  269. description: The name of the Secret resource being referred to.
  270. maxLength: 253
  271. minLength: 1
  272. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  273. type: string
  274. namespace:
  275. description: |-
  276. The namespace of the Secret resource being referred to.
  277. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  278. maxLength: 63
  279. minLength: 1
  280. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  281. type: string
  282. type: object
  283. accessTypeParam:
  284. description: |-
  285. A reference to a specific 'key' within a Secret resource.
  286. In some instances, `key` is a required field.
  287. properties:
  288. key:
  289. description: |-
  290. A key in the referenced Secret.
  291. Some instances of this field may be defaulted, in others it may be required.
  292. maxLength: 253
  293. minLength: 1
  294. pattern: ^[-._a-zA-Z0-9]+$
  295. type: string
  296. name:
  297. description: The name of the Secret resource being referred to.
  298. maxLength: 253
  299. minLength: 1
  300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  301. type: string
  302. namespace:
  303. description: |-
  304. The namespace of the Secret resource being referred to.
  305. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  306. maxLength: 63
  307. minLength: 1
  308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  309. type: string
  310. type: object
  311. type: object
  312. type: object
  313. caBundle:
  314. description: |-
  315. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  316. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  317. are used to validate the TLS connection.
  318. format: byte
  319. type: string
  320. caProvider:
  321. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  322. properties:
  323. key:
  324. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  325. maxLength: 253
  326. minLength: 1
  327. pattern: ^[-._a-zA-Z0-9]+$
  328. type: string
  329. name:
  330. description: The name of the object located at the provider type.
  331. maxLength: 253
  332. minLength: 1
  333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  334. type: string
  335. namespace:
  336. description: |-
  337. The namespace the Provider type is in.
  338. Can only be defined when used in a ClusterSecretStore.
  339. maxLength: 63
  340. minLength: 1
  341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  342. type: string
  343. type:
  344. description: The type of provider to use such as "Secret", or "ConfigMap".
  345. enum:
  346. - Secret
  347. - ConfigMap
  348. type: string
  349. required:
  350. - name
  351. - type
  352. type: object
  353. required:
  354. - akeylessGWApiURL
  355. - authSecretRef
  356. type: object
  357. alibaba:
  358. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  359. properties:
  360. auth:
  361. description: AlibabaAuth contains a secretRef for credentials.
  362. properties:
  363. rrsa:
  364. description: Authenticate against Alibaba using RRSA.
  365. properties:
  366. oidcProviderArn:
  367. type: string
  368. oidcTokenFilePath:
  369. type: string
  370. roleArn:
  371. type: string
  372. sessionName:
  373. type: string
  374. required:
  375. - oidcProviderArn
  376. - oidcTokenFilePath
  377. - roleArn
  378. - sessionName
  379. type: object
  380. secretRef:
  381. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  382. properties:
  383. accessKeyIDSecretRef:
  384. description: The AccessKeyID is used for authentication
  385. properties:
  386. key:
  387. description: |-
  388. A key in the referenced Secret.
  389. Some instances of this field may be defaulted, in others it may be required.
  390. maxLength: 253
  391. minLength: 1
  392. pattern: ^[-._a-zA-Z0-9]+$
  393. type: string
  394. name:
  395. description: The name of the Secret resource being referred to.
  396. maxLength: 253
  397. minLength: 1
  398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  399. type: string
  400. namespace:
  401. description: |-
  402. The namespace of the Secret resource being referred to.
  403. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  404. maxLength: 63
  405. minLength: 1
  406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  407. type: string
  408. type: object
  409. accessKeySecretSecretRef:
  410. description: The AccessKeySecret is used for authentication
  411. properties:
  412. key:
  413. description: |-
  414. A key in the referenced Secret.
  415. Some instances of this field may be defaulted, in others it may be required.
  416. maxLength: 253
  417. minLength: 1
  418. pattern: ^[-._a-zA-Z0-9]+$
  419. type: string
  420. name:
  421. description: The name of the Secret resource being referred to.
  422. maxLength: 253
  423. minLength: 1
  424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  425. type: string
  426. namespace:
  427. description: |-
  428. The namespace of the Secret resource being referred to.
  429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  430. maxLength: 63
  431. minLength: 1
  432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  433. type: string
  434. type: object
  435. required:
  436. - accessKeyIDSecretRef
  437. - accessKeySecretSecretRef
  438. type: object
  439. type: object
  440. regionID:
  441. description: Alibaba Region to be used for the provider
  442. type: string
  443. required:
  444. - auth
  445. - regionID
  446. type: object
  447. aws:
  448. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  449. properties:
  450. additionalRoles:
  451. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  452. items:
  453. type: string
  454. type: array
  455. auth:
  456. description: |-
  457. Auth defines the information necessary to authenticate against AWS
  458. if not set aws sdk will infer credentials from your environment
  459. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  460. properties:
  461. jwt:
  462. description: Authenticate against AWS using service account tokens.
  463. properties:
  464. serviceAccountRef:
  465. description: A reference to a ServiceAccount resource.
  466. properties:
  467. audiences:
  468. description: |-
  469. Audience specifies the `aud` claim for the service account token
  470. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  471. then this audiences will be appended to the list
  472. items:
  473. type: string
  474. type: array
  475. name:
  476. description: The name of the ServiceAccount resource being referred to.
  477. maxLength: 253
  478. minLength: 1
  479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  480. type: string
  481. namespace:
  482. description: |-
  483. Namespace of the resource being referred to.
  484. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  485. maxLength: 63
  486. minLength: 1
  487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  488. type: string
  489. required:
  490. - name
  491. type: object
  492. type: object
  493. secretRef:
  494. description: |-
  495. AWSAuthSecretRef holds secret references for AWS credentials
  496. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  497. properties:
  498. accessKeyIDSecretRef:
  499. description: The AccessKeyID is used for authentication
  500. properties:
  501. key:
  502. description: |-
  503. A key in the referenced Secret.
  504. Some instances of this field may be defaulted, in others it may be required.
  505. maxLength: 253
  506. minLength: 1
  507. pattern: ^[-._a-zA-Z0-9]+$
  508. type: string
  509. name:
  510. description: The name of the Secret resource being referred to.
  511. maxLength: 253
  512. minLength: 1
  513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  514. type: string
  515. namespace:
  516. description: |-
  517. The namespace of the Secret resource being referred to.
  518. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  519. maxLength: 63
  520. minLength: 1
  521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  522. type: string
  523. type: object
  524. secretAccessKeySecretRef:
  525. description: The SecretAccessKey is used for authentication
  526. properties:
  527. key:
  528. description: |-
  529. A key in the referenced Secret.
  530. Some instances of this field may be defaulted, in others it may be required.
  531. maxLength: 253
  532. minLength: 1
  533. pattern: ^[-._a-zA-Z0-9]+$
  534. type: string
  535. name:
  536. description: The name of the Secret resource being referred to.
  537. maxLength: 253
  538. minLength: 1
  539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  540. type: string
  541. namespace:
  542. description: |-
  543. The namespace of the Secret resource being referred to.
  544. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  545. maxLength: 63
  546. minLength: 1
  547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  548. type: string
  549. type: object
  550. sessionTokenSecretRef:
  551. description: |-
  552. The SessionToken used for authentication
  553. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  554. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  555. properties:
  556. key:
  557. description: |-
  558. A key in the referenced Secret.
  559. Some instances of this field may be defaulted, in others it may be required.
  560. maxLength: 253
  561. minLength: 1
  562. pattern: ^[-._a-zA-Z0-9]+$
  563. type: string
  564. name:
  565. description: The name of the Secret resource being referred to.
  566. maxLength: 253
  567. minLength: 1
  568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  569. type: string
  570. namespace:
  571. description: |-
  572. The namespace of the Secret resource being referred to.
  573. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  574. maxLength: 63
  575. minLength: 1
  576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  577. type: string
  578. type: object
  579. type: object
  580. type: object
  581. externalID:
  582. description: AWS External ID set on assumed IAM roles
  583. type: string
  584. prefix:
  585. description: Prefix adds a prefix to all retrieved values.
  586. type: string
  587. region:
  588. description: AWS Region to be used for the provider
  589. type: string
  590. role:
  591. description: Role is a Role ARN which the provider will assume
  592. type: string
  593. secretsManager:
  594. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  595. properties:
  596. forceDeleteWithoutRecovery:
  597. description: |-
  598. Specifies whether to delete the secret without any recovery window. You
  599. can't use both this parameter and RecoveryWindowInDays in the same call.
  600. If you don't use either, then by default Secrets Manager uses a 30 day
  601. recovery window.
  602. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  603. type: boolean
  604. recoveryWindowInDays:
  605. description: |-
  606. The number of days from 7 to 30 that Secrets Manager waits before
  607. permanently deleting the secret. You can't use both this parameter and
  608. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  609. then by default Secrets Manager uses a 30 day recovery window.
  610. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  611. format: int64
  612. type: integer
  613. type: object
  614. service:
  615. description: Service defines which service should be used to fetch the secrets
  616. enum:
  617. - SecretsManager
  618. - ParameterStore
  619. type: string
  620. sessionTags:
  621. description: AWS STS assume role session tags
  622. items:
  623. properties:
  624. key:
  625. type: string
  626. value:
  627. type: string
  628. required:
  629. - key
  630. - value
  631. type: object
  632. type: array
  633. transitiveTagKeys:
  634. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  635. items:
  636. type: string
  637. type: array
  638. required:
  639. - region
  640. - service
  641. type: object
  642. azurekv:
  643. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  644. properties:
  645. authSecretRef:
  646. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  647. properties:
  648. clientCertificate:
  649. description: The Azure ClientCertificate of the service principle used for authentication.
  650. properties:
  651. key:
  652. description: |-
  653. A key in the referenced Secret.
  654. Some instances of this field may be defaulted, in others it may be required.
  655. maxLength: 253
  656. minLength: 1
  657. pattern: ^[-._a-zA-Z0-9]+$
  658. type: string
  659. name:
  660. description: The name of the Secret resource being referred to.
  661. maxLength: 253
  662. minLength: 1
  663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  664. type: string
  665. namespace:
  666. description: |-
  667. The namespace of the Secret resource being referred to.
  668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  669. maxLength: 63
  670. minLength: 1
  671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  672. type: string
  673. type: object
  674. clientId:
  675. description: The Azure clientId of the service principle or managed identity used for authentication.
  676. properties:
  677. key:
  678. description: |-
  679. A key in the referenced Secret.
  680. Some instances of this field may be defaulted, in others it may be required.
  681. maxLength: 253
  682. minLength: 1
  683. pattern: ^[-._a-zA-Z0-9]+$
  684. type: string
  685. name:
  686. description: The name of the Secret resource being referred to.
  687. maxLength: 253
  688. minLength: 1
  689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  690. type: string
  691. namespace:
  692. description: |-
  693. The namespace of the Secret resource being referred to.
  694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  695. maxLength: 63
  696. minLength: 1
  697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  698. type: string
  699. type: object
  700. clientSecret:
  701. description: The Azure ClientSecret of the service principle used for authentication.
  702. properties:
  703. key:
  704. description: |-
  705. A key in the referenced Secret.
  706. Some instances of this field may be defaulted, in others it may be required.
  707. maxLength: 253
  708. minLength: 1
  709. pattern: ^[-._a-zA-Z0-9]+$
  710. type: string
  711. name:
  712. description: The name of the Secret resource being referred to.
  713. maxLength: 253
  714. minLength: 1
  715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  716. type: string
  717. namespace:
  718. description: |-
  719. The namespace of the Secret resource being referred to.
  720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  721. maxLength: 63
  722. minLength: 1
  723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  724. type: string
  725. type: object
  726. tenantId:
  727. description: The Azure tenantId of the managed identity used for authentication.
  728. properties:
  729. key:
  730. description: |-
  731. A key in the referenced Secret.
  732. Some instances of this field may be defaulted, in others it may be required.
  733. maxLength: 253
  734. minLength: 1
  735. pattern: ^[-._a-zA-Z0-9]+$
  736. type: string
  737. name:
  738. description: The name of the Secret resource being referred to.
  739. maxLength: 253
  740. minLength: 1
  741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  742. type: string
  743. namespace:
  744. description: |-
  745. The namespace of the Secret resource being referred to.
  746. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  747. maxLength: 63
  748. minLength: 1
  749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  750. type: string
  751. type: object
  752. type: object
  753. authType:
  754. default: ServicePrincipal
  755. description: |-
  756. Auth type defines how to authenticate to the keyvault service.
  757. Valid values are:
  758. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  759. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  760. enum:
  761. - ServicePrincipal
  762. - ManagedIdentity
  763. - WorkloadIdentity
  764. type: string
  765. customCloudConfig:
  766. description: |-
  767. CustomCloudConfig defines custom Azure Stack Hub or Azure Stack Edge endpoints.
  768. Required when EnvironmentType is AzureStackCloud.
  769. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  770. configuration is not supported with the legacy go-autorest SDK.
  771. properties:
  772. activeDirectoryEndpoint:
  773. description: |-
  774. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  775. Required when using custom cloud configuration
  776. type: string
  777. keyVaultDNSSuffix:
  778. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  779. type: string
  780. keyVaultEndpoint:
  781. description: KeyVaultEndpoint is the Key Vault service endpoint
  782. type: string
  783. resourceManagerEndpoint:
  784. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  785. type: string
  786. required:
  787. - activeDirectoryEndpoint
  788. type: object
  789. environmentType:
  790. default: PublicCloud
  791. description: |-
  792. EnvironmentType specifies the Azure cloud environment endpoints to use for
  793. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  794. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  795. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  796. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  797. enum:
  798. - PublicCloud
  799. - USGovernmentCloud
  800. - ChinaCloud
  801. - GermanCloud
  802. - AzureStackCloud
  803. type: string
  804. identityId:
  805. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  806. type: string
  807. serviceAccountRef:
  808. description: |-
  809. ServiceAccountRef specified the service account
  810. that should be used when authenticating with WorkloadIdentity.
  811. properties:
  812. audiences:
  813. description: |-
  814. Audience specifies the `aud` claim for the service account token
  815. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  816. then this audiences will be appended to the list
  817. items:
  818. type: string
  819. type: array
  820. name:
  821. description: The name of the ServiceAccount resource being referred to.
  822. maxLength: 253
  823. minLength: 1
  824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  825. type: string
  826. namespace:
  827. description: |-
  828. Namespace of the resource being referred to.
  829. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  830. maxLength: 63
  831. minLength: 1
  832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  833. type: string
  834. required:
  835. - name
  836. type: object
  837. tenantId:
  838. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  839. type: string
  840. useAzureSDK:
  841. default: false
  842. description: |-
  843. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  844. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  845. type: boolean
  846. vaultUrl:
  847. description: Vault Url from which the secrets to be fetched from.
  848. type: string
  849. required:
  850. - vaultUrl
  851. type: object
  852. beyondtrust:
  853. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  854. properties:
  855. auth:
  856. description: Auth configures how the operator authenticates with Beyondtrust.
  857. properties:
  858. apiKey:
  859. description: APIKey If not provided then ClientID/ClientSecret become required.
  860. properties:
  861. secretRef:
  862. description: SecretRef references a key in a secret that will be used as value.
  863. properties:
  864. key:
  865. description: |-
  866. A key in the referenced Secret.
  867. Some instances of this field may be defaulted, in others it may be required.
  868. maxLength: 253
  869. minLength: 1
  870. pattern: ^[-._a-zA-Z0-9]+$
  871. type: string
  872. name:
  873. description: The name of the Secret resource being referred to.
  874. maxLength: 253
  875. minLength: 1
  876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  877. type: string
  878. namespace:
  879. description: |-
  880. The namespace of the Secret resource being referred to.
  881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  882. maxLength: 63
  883. minLength: 1
  884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  885. type: string
  886. type: object
  887. value:
  888. description: Value can be specified directly to set a value without using a secret.
  889. type: string
  890. type: object
  891. certificate:
  892. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  893. properties:
  894. secretRef:
  895. description: SecretRef references a key in a secret that will be used as value.
  896. properties:
  897. key:
  898. description: |-
  899. A key in the referenced Secret.
  900. Some instances of this field may be defaulted, in others it may be required.
  901. maxLength: 253
  902. minLength: 1
  903. pattern: ^[-._a-zA-Z0-9]+$
  904. type: string
  905. name:
  906. description: The name of the Secret resource being referred to.
  907. maxLength: 253
  908. minLength: 1
  909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  910. type: string
  911. namespace:
  912. description: |-
  913. The namespace of the Secret resource being referred to.
  914. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  915. maxLength: 63
  916. minLength: 1
  917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  918. type: string
  919. type: object
  920. value:
  921. description: Value can be specified directly to set a value without using a secret.
  922. type: string
  923. type: object
  924. certificateKey:
  925. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  926. properties:
  927. secretRef:
  928. description: SecretRef references a key in a secret that will be used as value.
  929. properties:
  930. key:
  931. description: |-
  932. A key in the referenced Secret.
  933. Some instances of this field may be defaulted, in others it may be required.
  934. maxLength: 253
  935. minLength: 1
  936. pattern: ^[-._a-zA-Z0-9]+$
  937. type: string
  938. name:
  939. description: The name of the Secret resource being referred to.
  940. maxLength: 253
  941. minLength: 1
  942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  943. type: string
  944. namespace:
  945. description: |-
  946. The namespace of the Secret resource being referred to.
  947. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  948. maxLength: 63
  949. minLength: 1
  950. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  951. type: string
  952. type: object
  953. value:
  954. description: Value can be specified directly to set a value without using a secret.
  955. type: string
  956. type: object
  957. clientId:
  958. description: ClientID is the API OAuth Client ID.
  959. properties:
  960. secretRef:
  961. description: SecretRef references a key in a secret that will be used as value.
  962. properties:
  963. key:
  964. description: |-
  965. A key in the referenced Secret.
  966. Some instances of this field may be defaulted, in others it may be required.
  967. maxLength: 253
  968. minLength: 1
  969. pattern: ^[-._a-zA-Z0-9]+$
  970. type: string
  971. name:
  972. description: The name of the Secret resource being referred to.
  973. maxLength: 253
  974. minLength: 1
  975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  976. type: string
  977. namespace:
  978. description: |-
  979. The namespace of the Secret resource being referred to.
  980. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  981. maxLength: 63
  982. minLength: 1
  983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  984. type: string
  985. type: object
  986. value:
  987. description: Value can be specified directly to set a value without using a secret.
  988. type: string
  989. type: object
  990. clientSecret:
  991. description: ClientSecret is the API OAuth Client Secret.
  992. properties:
  993. secretRef:
  994. description: SecretRef references a key in a secret that will be used as value.
  995. properties:
  996. key:
  997. description: |-
  998. A key in the referenced Secret.
  999. Some instances of this field may be defaulted, in others it may be required.
  1000. maxLength: 253
  1001. minLength: 1
  1002. pattern: ^[-._a-zA-Z0-9]+$
  1003. type: string
  1004. name:
  1005. description: The name of the Secret resource being referred to.
  1006. maxLength: 253
  1007. minLength: 1
  1008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1009. type: string
  1010. namespace:
  1011. description: |-
  1012. The namespace of the Secret resource being referred to.
  1013. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1014. maxLength: 63
  1015. minLength: 1
  1016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1017. type: string
  1018. type: object
  1019. value:
  1020. description: Value can be specified directly to set a value without using a secret.
  1021. type: string
  1022. type: object
  1023. type: object
  1024. server:
  1025. description: Auth configures how API server works.
  1026. properties:
  1027. apiUrl:
  1028. type: string
  1029. apiVersion:
  1030. type: string
  1031. clientTimeOutSeconds:
  1032. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  1033. type: integer
  1034. retrievalType:
  1035. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  1036. type: string
  1037. separator:
  1038. description: A character that separates the folder names.
  1039. type: string
  1040. verifyCA:
  1041. type: boolean
  1042. required:
  1043. - apiUrl
  1044. - verifyCA
  1045. type: object
  1046. required:
  1047. - auth
  1048. - server
  1049. type: object
  1050. bitwardensecretsmanager:
  1051. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  1052. properties:
  1053. apiURL:
  1054. type: string
  1055. auth:
  1056. description: |-
  1057. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  1058. Make sure that the token being used has permissions on the given secret.
  1059. properties:
  1060. secretRef:
  1061. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  1062. properties:
  1063. credentials:
  1064. description: AccessToken used for the bitwarden instance.
  1065. properties:
  1066. key:
  1067. description: |-
  1068. A key in the referenced Secret.
  1069. Some instances of this field may be defaulted, in others it may be required.
  1070. maxLength: 253
  1071. minLength: 1
  1072. pattern: ^[-._a-zA-Z0-9]+$
  1073. type: string
  1074. name:
  1075. description: The name of the Secret resource being referred to.
  1076. maxLength: 253
  1077. minLength: 1
  1078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1079. type: string
  1080. namespace:
  1081. description: |-
  1082. The namespace of the Secret resource being referred to.
  1083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1084. maxLength: 63
  1085. minLength: 1
  1086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1087. type: string
  1088. type: object
  1089. required:
  1090. - credentials
  1091. type: object
  1092. required:
  1093. - secretRef
  1094. type: object
  1095. bitwardenServerSDKURL:
  1096. type: string
  1097. caBundle:
  1098. description: |-
  1099. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  1100. can be performed.
  1101. type: string
  1102. caProvider:
  1103. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  1104. properties:
  1105. key:
  1106. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  1107. maxLength: 253
  1108. minLength: 1
  1109. pattern: ^[-._a-zA-Z0-9]+$
  1110. type: string
  1111. name:
  1112. description: The name of the object located at the provider type.
  1113. maxLength: 253
  1114. minLength: 1
  1115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1116. type: string
  1117. namespace:
  1118. description: |-
  1119. The namespace the Provider type is in.
  1120. Can only be defined when used in a ClusterSecretStore.
  1121. maxLength: 63
  1122. minLength: 1
  1123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1124. type: string
  1125. type:
  1126. description: The type of provider to use such as "Secret", or "ConfigMap".
  1127. enum:
  1128. - Secret
  1129. - ConfigMap
  1130. type: string
  1131. required:
  1132. - name
  1133. - type
  1134. type: object
  1135. identityURL:
  1136. type: string
  1137. organizationID:
  1138. description: OrganizationID determines which organization this secret store manages.
  1139. type: string
  1140. projectID:
  1141. description: ProjectID determines which project this secret store manages.
  1142. type: string
  1143. required:
  1144. - auth
  1145. - organizationID
  1146. - projectID
  1147. type: object
  1148. chef:
  1149. description: Chef configures this store to sync secrets with chef server
  1150. properties:
  1151. auth:
  1152. description: Auth defines the information necessary to authenticate against chef Server
  1153. properties:
  1154. secretRef:
  1155. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  1156. properties:
  1157. privateKeySecretRef:
  1158. description: SecretKey is the Signing Key in PEM format, used for authentication.
  1159. properties:
  1160. key:
  1161. description: |-
  1162. A key in the referenced Secret.
  1163. Some instances of this field may be defaulted, in others it may be required.
  1164. maxLength: 253
  1165. minLength: 1
  1166. pattern: ^[-._a-zA-Z0-9]+$
  1167. type: string
  1168. name:
  1169. description: The name of the Secret resource being referred to.
  1170. maxLength: 253
  1171. minLength: 1
  1172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1173. type: string
  1174. namespace:
  1175. description: |-
  1176. The namespace of the Secret resource being referred to.
  1177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1178. maxLength: 63
  1179. minLength: 1
  1180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1181. type: string
  1182. type: object
  1183. required:
  1184. - privateKeySecretRef
  1185. type: object
  1186. required:
  1187. - secretRef
  1188. type: object
  1189. serverUrl:
  1190. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  1191. type: string
  1192. username:
  1193. description: UserName should be the user ID on the chef server
  1194. type: string
  1195. required:
  1196. - auth
  1197. - serverUrl
  1198. - username
  1199. type: object
  1200. cloudrusm:
  1201. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  1202. properties:
  1203. auth:
  1204. description: CSMAuth contains a secretRef for credentials.
  1205. properties:
  1206. secretRef:
  1207. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  1208. properties:
  1209. accessKeyIDSecretRef:
  1210. description: The AccessKeyID is used for authentication
  1211. properties:
  1212. key:
  1213. description: |-
  1214. A key in the referenced Secret.
  1215. Some instances of this field may be defaulted, in others it may be required.
  1216. maxLength: 253
  1217. minLength: 1
  1218. pattern: ^[-._a-zA-Z0-9]+$
  1219. type: string
  1220. name:
  1221. description: The name of the Secret resource being referred to.
  1222. maxLength: 253
  1223. minLength: 1
  1224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1225. type: string
  1226. namespace:
  1227. description: |-
  1228. The namespace of the Secret resource being referred to.
  1229. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1230. maxLength: 63
  1231. minLength: 1
  1232. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1233. type: string
  1234. type: object
  1235. accessKeySecretSecretRef:
  1236. description: The AccessKeySecret is used for authentication
  1237. properties:
  1238. key:
  1239. description: |-
  1240. A key in the referenced Secret.
  1241. Some instances of this field may be defaulted, in others it may be required.
  1242. maxLength: 253
  1243. minLength: 1
  1244. pattern: ^[-._a-zA-Z0-9]+$
  1245. type: string
  1246. name:
  1247. description: The name of the Secret resource being referred to.
  1248. maxLength: 253
  1249. minLength: 1
  1250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1251. type: string
  1252. namespace:
  1253. description: |-
  1254. The namespace of the Secret resource being referred to.
  1255. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1256. maxLength: 63
  1257. minLength: 1
  1258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1259. type: string
  1260. type: object
  1261. required:
  1262. - accessKeyIDSecretRef
  1263. - accessKeySecretSecretRef
  1264. type: object
  1265. type: object
  1266. projectID:
  1267. description: ProjectID is the project, which the secrets are stored in.
  1268. type: string
  1269. required:
  1270. - auth
  1271. type: object
  1272. conjur:
  1273. description: Conjur configures this store to sync secrets using conjur provider
  1274. properties:
  1275. auth:
  1276. description: Defines authentication settings for connecting to Conjur.
  1277. properties:
  1278. apikey:
  1279. description: Authenticates with Conjur using an API key.
  1280. properties:
  1281. account:
  1282. description: Account is the Conjur organization account name.
  1283. type: string
  1284. apiKeyRef:
  1285. description: |-
  1286. A reference to a specific 'key' containing the Conjur API key
  1287. within a Secret resource. In some instances, `key` is a required field.
  1288. properties:
  1289. key:
  1290. description: |-
  1291. A key in the referenced Secret.
  1292. Some instances of this field may be defaulted, in others it may be required.
  1293. maxLength: 253
  1294. minLength: 1
  1295. pattern: ^[-._a-zA-Z0-9]+$
  1296. type: string
  1297. name:
  1298. description: The name of the Secret resource being referred to.
  1299. maxLength: 253
  1300. minLength: 1
  1301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1302. type: string
  1303. namespace:
  1304. description: |-
  1305. The namespace of the Secret resource being referred to.
  1306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1307. maxLength: 63
  1308. minLength: 1
  1309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1310. type: string
  1311. type: object
  1312. userRef:
  1313. description: |-
  1314. A reference to a specific 'key' containing the Conjur username
  1315. within a Secret resource. In some instances, `key` is a required field.
  1316. properties:
  1317. key:
  1318. description: |-
  1319. A key in the referenced Secret.
  1320. Some instances of this field may be defaulted, in others it may be required.
  1321. maxLength: 253
  1322. minLength: 1
  1323. pattern: ^[-._a-zA-Z0-9]+$
  1324. type: string
  1325. name:
  1326. description: The name of the Secret resource being referred to.
  1327. maxLength: 253
  1328. minLength: 1
  1329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1330. type: string
  1331. namespace:
  1332. description: |-
  1333. The namespace of the Secret resource being referred to.
  1334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1335. maxLength: 63
  1336. minLength: 1
  1337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1338. type: string
  1339. type: object
  1340. required:
  1341. - account
  1342. - apiKeyRef
  1343. - userRef
  1344. type: object
  1345. jwt:
  1346. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  1347. properties:
  1348. account:
  1349. description: Account is the Conjur organization account name.
  1350. type: string
  1351. hostId:
  1352. description: |-
  1353. Optional HostID for JWT authentication. This may be used depending
  1354. on how the Conjur JWT authenticator policy is configured.
  1355. type: string
  1356. secretRef:
  1357. description: |-
  1358. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1359. authenticate with Conjur using the JWT authentication method.
  1360. properties:
  1361. key:
  1362. description: |-
  1363. A key in the referenced Secret.
  1364. Some instances of this field may be defaulted, in others it may be required.
  1365. maxLength: 253
  1366. minLength: 1
  1367. pattern: ^[-._a-zA-Z0-9]+$
  1368. type: string
  1369. name:
  1370. description: The name of the Secret resource being referred to.
  1371. maxLength: 253
  1372. minLength: 1
  1373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1374. type: string
  1375. namespace:
  1376. description: |-
  1377. The namespace of the Secret resource being referred to.
  1378. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1379. maxLength: 63
  1380. minLength: 1
  1381. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1382. type: string
  1383. type: object
  1384. serviceAccountRef:
  1385. description: |-
  1386. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  1387. a token for with the `TokenRequest` API.
  1388. properties:
  1389. audiences:
  1390. description: |-
  1391. Audience specifies the `aud` claim for the service account token
  1392. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1393. then this audiences will be appended to the list
  1394. items:
  1395. type: string
  1396. type: array
  1397. name:
  1398. description: The name of the ServiceAccount resource being referred to.
  1399. maxLength: 253
  1400. minLength: 1
  1401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1402. type: string
  1403. namespace:
  1404. description: |-
  1405. Namespace of the resource being referred to.
  1406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1407. maxLength: 63
  1408. minLength: 1
  1409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1410. type: string
  1411. required:
  1412. - name
  1413. type: object
  1414. serviceID:
  1415. description: The conjur authn jwt webservice id
  1416. type: string
  1417. required:
  1418. - account
  1419. - serviceID
  1420. type: object
  1421. type: object
  1422. caBundle:
  1423. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  1424. type: string
  1425. caProvider:
  1426. description: |-
  1427. Used to provide custom certificate authority (CA) certificates
  1428. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  1429. that contains a PEM-encoded certificate.
  1430. properties:
  1431. key:
  1432. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  1433. maxLength: 253
  1434. minLength: 1
  1435. pattern: ^[-._a-zA-Z0-9]+$
  1436. type: string
  1437. name:
  1438. description: The name of the object located at the provider type.
  1439. maxLength: 253
  1440. minLength: 1
  1441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1442. type: string
  1443. namespace:
  1444. description: |-
  1445. The namespace the Provider type is in.
  1446. Can only be defined when used in a ClusterSecretStore.
  1447. maxLength: 63
  1448. minLength: 1
  1449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1450. type: string
  1451. type:
  1452. description: The type of provider to use such as "Secret", or "ConfigMap".
  1453. enum:
  1454. - Secret
  1455. - ConfigMap
  1456. type: string
  1457. required:
  1458. - name
  1459. - type
  1460. type: object
  1461. url:
  1462. description: URL is the endpoint of the Conjur instance.
  1463. type: string
  1464. required:
  1465. - auth
  1466. - url
  1467. type: object
  1468. delinea:
  1469. description: |-
  1470. Delinea DevOps Secrets Vault
  1471. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  1472. properties:
  1473. clientId:
  1474. description: ClientID is the non-secret part of the credential.
  1475. properties:
  1476. secretRef:
  1477. description: SecretRef references a key in a secret that will be used as value.
  1478. properties:
  1479. key:
  1480. description: |-
  1481. A key in the referenced Secret.
  1482. Some instances of this field may be defaulted, in others it may be required.
  1483. maxLength: 253
  1484. minLength: 1
  1485. pattern: ^[-._a-zA-Z0-9]+$
  1486. type: string
  1487. name:
  1488. description: The name of the Secret resource being referred to.
  1489. maxLength: 253
  1490. minLength: 1
  1491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1492. type: string
  1493. namespace:
  1494. description: |-
  1495. The namespace of the Secret resource being referred to.
  1496. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1497. maxLength: 63
  1498. minLength: 1
  1499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1500. type: string
  1501. type: object
  1502. value:
  1503. description: Value can be specified directly to set a value without using a secret.
  1504. type: string
  1505. type: object
  1506. clientSecret:
  1507. description: ClientSecret is the secret part of the credential.
  1508. properties:
  1509. secretRef:
  1510. description: SecretRef references a key in a secret that will be used as value.
  1511. properties:
  1512. key:
  1513. description: |-
  1514. A key in the referenced Secret.
  1515. Some instances of this field may be defaulted, in others it may be required.
  1516. maxLength: 253
  1517. minLength: 1
  1518. pattern: ^[-._a-zA-Z0-9]+$
  1519. type: string
  1520. name:
  1521. description: The name of the Secret resource being referred to.
  1522. maxLength: 253
  1523. minLength: 1
  1524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1525. type: string
  1526. namespace:
  1527. description: |-
  1528. The namespace of the Secret resource being referred to.
  1529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1530. maxLength: 63
  1531. minLength: 1
  1532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1533. type: string
  1534. type: object
  1535. value:
  1536. description: Value can be specified directly to set a value without using a secret.
  1537. type: string
  1538. type: object
  1539. tenant:
  1540. description: Tenant is the chosen hostname / site name.
  1541. type: string
  1542. tld:
  1543. description: |-
  1544. TLD is based on the server location that was chosen during provisioning.
  1545. If unset, defaults to "com".
  1546. type: string
  1547. urlTemplate:
  1548. description: |-
  1549. URLTemplate
  1550. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  1551. type: string
  1552. required:
  1553. - clientId
  1554. - clientSecret
  1555. - tenant
  1556. type: object
  1557. device42:
  1558. description: Device42 configures this store to sync secrets using the Device42 provider
  1559. properties:
  1560. auth:
  1561. description: Auth configures how secret-manager authenticates with a Device42 instance.
  1562. properties:
  1563. secretRef:
  1564. properties:
  1565. credentials:
  1566. description: Username / Password is used for authentication.
  1567. properties:
  1568. key:
  1569. description: |-
  1570. A key in the referenced Secret.
  1571. Some instances of this field may be defaulted, in others it may be required.
  1572. maxLength: 253
  1573. minLength: 1
  1574. pattern: ^[-._a-zA-Z0-9]+$
  1575. type: string
  1576. name:
  1577. description: The name of the Secret resource being referred to.
  1578. maxLength: 253
  1579. minLength: 1
  1580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1581. type: string
  1582. namespace:
  1583. description: |-
  1584. The namespace of the Secret resource being referred to.
  1585. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1586. maxLength: 63
  1587. minLength: 1
  1588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1589. type: string
  1590. type: object
  1591. type: object
  1592. required:
  1593. - secretRef
  1594. type: object
  1595. host:
  1596. description: URL configures the Device42 instance URL.
  1597. type: string
  1598. required:
  1599. - auth
  1600. - host
  1601. type: object
  1602. doppler:
  1603. description: Doppler configures this store to sync secrets using the Doppler provider
  1604. properties:
  1605. auth:
  1606. description: Auth configures how the Operator authenticates with the Doppler API
  1607. properties:
  1608. secretRef:
  1609. properties:
  1610. dopplerToken:
  1611. description: |-
  1612. The DopplerToken is used for authentication.
  1613. See https://docs.doppler.com/reference/api#authentication for auth token types.
  1614. The Key attribute defaults to dopplerToken if not specified.
  1615. properties:
  1616. key:
  1617. description: |-
  1618. A key in the referenced Secret.
  1619. Some instances of this field may be defaulted, in others it may be required.
  1620. maxLength: 253
  1621. minLength: 1
  1622. pattern: ^[-._a-zA-Z0-9]+$
  1623. type: string
  1624. name:
  1625. description: The name of the Secret resource being referred to.
  1626. maxLength: 253
  1627. minLength: 1
  1628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1629. type: string
  1630. namespace:
  1631. description: |-
  1632. The namespace of the Secret resource being referred to.
  1633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1634. maxLength: 63
  1635. minLength: 1
  1636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1637. type: string
  1638. type: object
  1639. required:
  1640. - dopplerToken
  1641. type: object
  1642. required:
  1643. - secretRef
  1644. type: object
  1645. config:
  1646. description: Doppler config (required if not using a Service Token)
  1647. type: string
  1648. format:
  1649. description: Format enables the downloading of secrets as a file (string)
  1650. enum:
  1651. - json
  1652. - dotnet-json
  1653. - env
  1654. - yaml
  1655. - docker
  1656. type: string
  1657. nameTransformer:
  1658. description: Environment variable compatible name transforms that change secret names to a different format
  1659. enum:
  1660. - upper-camel
  1661. - camel
  1662. - lower-snake
  1663. - tf-var
  1664. - dotnet-env
  1665. - lower-kebab
  1666. type: string
  1667. project:
  1668. description: Doppler project (required if not using a Service Token)
  1669. type: string
  1670. required:
  1671. - auth
  1672. type: object
  1673. fake:
  1674. description: Fake configures a store with static key/value pairs
  1675. properties:
  1676. data:
  1677. items:
  1678. properties:
  1679. key:
  1680. type: string
  1681. value:
  1682. type: string
  1683. version:
  1684. type: string
  1685. required:
  1686. - key
  1687. - value
  1688. type: object
  1689. type: array
  1690. validationResult:
  1691. type: integer
  1692. required:
  1693. - data
  1694. type: object
  1695. fortanix:
  1696. description: Fortanix configures this store to sync secrets using the Fortanix provider
  1697. properties:
  1698. apiKey:
  1699. description: APIKey is the API token to access SDKMS Applications.
  1700. properties:
  1701. secretRef:
  1702. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  1703. properties:
  1704. key:
  1705. description: |-
  1706. A key in the referenced Secret.
  1707. Some instances of this field may be defaulted, in others it may be required.
  1708. maxLength: 253
  1709. minLength: 1
  1710. pattern: ^[-._a-zA-Z0-9]+$
  1711. type: string
  1712. name:
  1713. description: The name of the Secret resource being referred to.
  1714. maxLength: 253
  1715. minLength: 1
  1716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1717. type: string
  1718. namespace:
  1719. description: |-
  1720. The namespace of the Secret resource being referred to.
  1721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1722. maxLength: 63
  1723. minLength: 1
  1724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1725. type: string
  1726. type: object
  1727. type: object
  1728. apiUrl:
  1729. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  1730. type: string
  1731. type: object
  1732. gcpsm:
  1733. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1734. properties:
  1735. auth:
  1736. description: Auth defines the information necessary to authenticate against GCP
  1737. properties:
  1738. secretRef:
  1739. properties:
  1740. secretAccessKeySecretRef:
  1741. description: The SecretAccessKey is used for authentication
  1742. properties:
  1743. key:
  1744. description: |-
  1745. A key in the referenced Secret.
  1746. Some instances of this field may be defaulted, in others it may be required.
  1747. maxLength: 253
  1748. minLength: 1
  1749. pattern: ^[-._a-zA-Z0-9]+$
  1750. type: string
  1751. name:
  1752. description: The name of the Secret resource being referred to.
  1753. maxLength: 253
  1754. minLength: 1
  1755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1756. type: string
  1757. namespace:
  1758. description: |-
  1759. The namespace of the Secret resource being referred to.
  1760. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1761. maxLength: 63
  1762. minLength: 1
  1763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1764. type: string
  1765. type: object
  1766. type: object
  1767. workloadIdentity:
  1768. properties:
  1769. clusterLocation:
  1770. description: |-
  1771. ClusterLocation is the location of the cluster
  1772. If not specified, it fetches information from the metadata server
  1773. type: string
  1774. clusterName:
  1775. description: |-
  1776. ClusterName is the name of the cluster
  1777. If not specified, it fetches information from the metadata server
  1778. type: string
  1779. clusterProjectID:
  1780. description: |-
  1781. ClusterProjectID is the project ID of the cluster
  1782. If not specified, it fetches information from the metadata server
  1783. type: string
  1784. serviceAccountRef:
  1785. description: A reference to a ServiceAccount resource.
  1786. properties:
  1787. audiences:
  1788. description: |-
  1789. Audience specifies the `aud` claim for the service account token
  1790. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1791. then this audiences will be appended to the list
  1792. items:
  1793. type: string
  1794. type: array
  1795. name:
  1796. description: The name of the ServiceAccount resource being referred to.
  1797. maxLength: 253
  1798. minLength: 1
  1799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1800. type: string
  1801. namespace:
  1802. description: |-
  1803. Namespace of the resource being referred to.
  1804. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1805. maxLength: 63
  1806. minLength: 1
  1807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1808. type: string
  1809. required:
  1810. - name
  1811. type: object
  1812. required:
  1813. - serviceAccountRef
  1814. type: object
  1815. workloadIdentityFederation:
  1816. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  1817. properties:
  1818. audience:
  1819. description: |-
  1820. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  1821. If specified, Audience found in the external account credential config will be overridden with the configured value.
  1822. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  1823. type: string
  1824. awsSecurityCredentials:
  1825. description: |-
  1826. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  1827. when using the AWS metadata server is not an option.
  1828. properties:
  1829. awsCredentialsSecretRef:
  1830. description: |-
  1831. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  1832. Secret should be created with below names for keys
  1833. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  1834. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  1835. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  1836. properties:
  1837. name:
  1838. description: name of the secret.
  1839. maxLength: 253
  1840. minLength: 1
  1841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1842. type: string
  1843. namespace:
  1844. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  1845. maxLength: 63
  1846. minLength: 1
  1847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1848. type: string
  1849. required:
  1850. - name
  1851. type: object
  1852. region:
  1853. description: region is for configuring the AWS region to be used.
  1854. example: ap-south-1
  1855. maxLength: 50
  1856. minLength: 1
  1857. pattern: ^[a-z0-9-]+$
  1858. type: string
  1859. required:
  1860. - awsCredentialsSecretRef
  1861. - region
  1862. type: object
  1863. credConfig:
  1864. description: |-
  1865. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  1866. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  1867. serviceAccountRef must be used by providing operators service account details.
  1868. properties:
  1869. key:
  1870. description: key name holding the external account credential config.
  1871. maxLength: 253
  1872. minLength: 1
  1873. pattern: ^[-._a-zA-Z0-9]+$
  1874. type: string
  1875. name:
  1876. description: name of the configmap.
  1877. maxLength: 253
  1878. minLength: 1
  1879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1880. type: string
  1881. namespace:
  1882. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  1883. maxLength: 63
  1884. minLength: 1
  1885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1886. type: string
  1887. required:
  1888. - key
  1889. - name
  1890. type: object
  1891. externalTokenEndpoint:
  1892. description: |-
  1893. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  1894. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  1895. URL is having the expected value.
  1896. type: string
  1897. serviceAccountRef:
  1898. description: |-
  1899. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  1900. when Kubernetes is configured as provider in workload identity pool.
  1901. properties:
  1902. audiences:
  1903. description: |-
  1904. Audience specifies the `aud` claim for the service account token
  1905. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1906. then this audiences will be appended to the list
  1907. items:
  1908. type: string
  1909. type: array
  1910. name:
  1911. description: The name of the ServiceAccount resource being referred to.
  1912. maxLength: 253
  1913. minLength: 1
  1914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1915. type: string
  1916. namespace:
  1917. description: |-
  1918. Namespace of the resource being referred to.
  1919. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1920. maxLength: 63
  1921. minLength: 1
  1922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1923. type: string
  1924. required:
  1925. - name
  1926. type: object
  1927. type: object
  1928. type: object
  1929. location:
  1930. description: Location optionally defines a location for a secret
  1931. type: string
  1932. projectID:
  1933. description: ProjectID project where secret is located
  1934. type: string
  1935. secretVersionSelectionPolicy:
  1936. default: LatestOrFail
  1937. description: |-
  1938. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  1939. when "latest" is disabled or destroyed.
  1940. Possible values are:
  1941. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  1942. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  1943. type: string
  1944. type: object
  1945. github:
  1946. description: |-
  1947. Github configures this store to push GitHub Action secrets using GitHub API provider.
  1948. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  1949. properties:
  1950. appID:
  1951. description: appID specifies the Github APP that will be used to authenticate the client
  1952. format: int64
  1953. type: integer
  1954. auth:
  1955. description: auth configures how secret-manager authenticates with a Github instance.
  1956. properties:
  1957. privateKey:
  1958. description: |-
  1959. A reference to a specific 'key' within a Secret resource.
  1960. In some instances, `key` is a required field.
  1961. properties:
  1962. key:
  1963. description: |-
  1964. A key in the referenced Secret.
  1965. Some instances of this field may be defaulted, in others it may be required.
  1966. maxLength: 253
  1967. minLength: 1
  1968. pattern: ^[-._a-zA-Z0-9]+$
  1969. type: string
  1970. name:
  1971. description: The name of the Secret resource being referred to.
  1972. maxLength: 253
  1973. minLength: 1
  1974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1975. type: string
  1976. namespace:
  1977. description: |-
  1978. The namespace of the Secret resource being referred to.
  1979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  1980. maxLength: 63
  1981. minLength: 1
  1982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1983. type: string
  1984. type: object
  1985. required:
  1986. - privateKey
  1987. type: object
  1988. environment:
  1989. description: environment will be used to fetch secrets from a particular environment within a github repository
  1990. type: string
  1991. installationID:
  1992. description: installationID specifies the Github APP installation that will be used to authenticate the client
  1993. format: int64
  1994. type: integer
  1995. organization:
  1996. description: organization will be used to fetch secrets from the Github organization
  1997. type: string
  1998. repository:
  1999. description: repository will be used to fetch secrets from the Github repository within an organization
  2000. type: string
  2001. uploadURL:
  2002. description: Upload URL for enterprise instances. Default to URL.
  2003. type: string
  2004. url:
  2005. default: https://github.com/
  2006. description: URL configures the Github instance URL. Defaults to https://github.com/.
  2007. type: string
  2008. required:
  2009. - appID
  2010. - auth
  2011. - installationID
  2012. - organization
  2013. type: object
  2014. gitlab:
  2015. description: GitLab configures this store to sync secrets using GitLab Variables provider
  2016. properties:
  2017. auth:
  2018. description: Auth configures how secret-manager authenticates with a GitLab instance.
  2019. properties:
  2020. SecretRef:
  2021. properties:
  2022. accessToken:
  2023. description: AccessToken is used for authentication.
  2024. properties:
  2025. key:
  2026. description: |-
  2027. A key in the referenced Secret.
  2028. Some instances of this field may be defaulted, in others it may be required.
  2029. maxLength: 253
  2030. minLength: 1
  2031. pattern: ^[-._a-zA-Z0-9]+$
  2032. type: string
  2033. name:
  2034. description: The name of the Secret resource being referred to.
  2035. maxLength: 253
  2036. minLength: 1
  2037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2038. type: string
  2039. namespace:
  2040. description: |-
  2041. The namespace of the Secret resource being referred to.
  2042. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2043. maxLength: 63
  2044. minLength: 1
  2045. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2046. type: string
  2047. type: object
  2048. type: object
  2049. required:
  2050. - SecretRef
  2051. type: object
  2052. caBundle:
  2053. description: |-
  2054. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  2055. can be performed.
  2056. format: byte
  2057. type: string
  2058. caProvider:
  2059. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  2060. properties:
  2061. key:
  2062. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2063. maxLength: 253
  2064. minLength: 1
  2065. pattern: ^[-._a-zA-Z0-9]+$
  2066. type: string
  2067. name:
  2068. description: The name of the object located at the provider type.
  2069. maxLength: 253
  2070. minLength: 1
  2071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2072. type: string
  2073. namespace:
  2074. description: |-
  2075. The namespace the Provider type is in.
  2076. Can only be defined when used in a ClusterSecretStore.
  2077. maxLength: 63
  2078. minLength: 1
  2079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2080. type: string
  2081. type:
  2082. description: The type of provider to use such as "Secret", or "ConfigMap".
  2083. enum:
  2084. - Secret
  2085. - ConfigMap
  2086. type: string
  2087. required:
  2088. - name
  2089. - type
  2090. type: object
  2091. environment:
  2092. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  2093. type: string
  2094. groupIDs:
  2095. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  2096. items:
  2097. type: string
  2098. type: array
  2099. inheritFromGroups:
  2100. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  2101. type: boolean
  2102. projectID:
  2103. description: ProjectID specifies a project where secrets are located.
  2104. type: string
  2105. url:
  2106. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  2107. type: string
  2108. required:
  2109. - auth
  2110. type: object
  2111. ibm:
  2112. description: IBM configures this store to sync secrets using IBM Cloud provider
  2113. properties:
  2114. auth:
  2115. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  2116. maxProperties: 1
  2117. minProperties: 1
  2118. properties:
  2119. containerAuth:
  2120. description: IBM Container-based auth with IAM Trusted Profile.
  2121. properties:
  2122. iamEndpoint:
  2123. type: string
  2124. profile:
  2125. description: the IBM Trusted Profile
  2126. type: string
  2127. tokenLocation:
  2128. description: Location the token is mounted on the pod
  2129. type: string
  2130. required:
  2131. - profile
  2132. type: object
  2133. secretRef:
  2134. properties:
  2135. secretApiKeySecretRef:
  2136. description: The SecretAccessKey is used for authentication
  2137. properties:
  2138. key:
  2139. description: |-
  2140. A key in the referenced Secret.
  2141. Some instances of this field may be defaulted, in others it may be required.
  2142. maxLength: 253
  2143. minLength: 1
  2144. pattern: ^[-._a-zA-Z0-9]+$
  2145. type: string
  2146. name:
  2147. description: The name of the Secret resource being referred to.
  2148. maxLength: 253
  2149. minLength: 1
  2150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2151. type: string
  2152. namespace:
  2153. description: |-
  2154. The namespace of the Secret resource being referred to.
  2155. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2156. maxLength: 63
  2157. minLength: 1
  2158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2159. type: string
  2160. type: object
  2161. type: object
  2162. type: object
  2163. serviceUrl:
  2164. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  2165. type: string
  2166. required:
  2167. - auth
  2168. type: object
  2169. infisical:
  2170. description: Infisical configures this store to sync secrets using the Infisical provider
  2171. properties:
  2172. auth:
  2173. description: Auth configures how the Operator authenticates with the Infisical API
  2174. properties:
  2175. awsAuthCredentials:
  2176. properties:
  2177. identityId:
  2178. description: |-
  2179. A reference to a specific 'key' within a Secret resource.
  2180. In some instances, `key` is a required field.
  2181. properties:
  2182. key:
  2183. description: |-
  2184. A key in the referenced Secret.
  2185. Some instances of this field may be defaulted, in others it may be required.
  2186. maxLength: 253
  2187. minLength: 1
  2188. pattern: ^[-._a-zA-Z0-9]+$
  2189. type: string
  2190. name:
  2191. description: The name of the Secret resource being referred to.
  2192. maxLength: 253
  2193. minLength: 1
  2194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2195. type: string
  2196. namespace:
  2197. description: |-
  2198. The namespace of the Secret resource being referred to.
  2199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2200. maxLength: 63
  2201. minLength: 1
  2202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2203. type: string
  2204. type: object
  2205. required:
  2206. - identityId
  2207. type: object
  2208. azureAuthCredentials:
  2209. properties:
  2210. identityId:
  2211. description: |-
  2212. A reference to a specific 'key' within a Secret resource.
  2213. In some instances, `key` is a required field.
  2214. properties:
  2215. key:
  2216. description: |-
  2217. A key in the referenced Secret.
  2218. Some instances of this field may be defaulted, in others it may be required.
  2219. maxLength: 253
  2220. minLength: 1
  2221. pattern: ^[-._a-zA-Z0-9]+$
  2222. type: string
  2223. name:
  2224. description: The name of the Secret resource being referred to.
  2225. maxLength: 253
  2226. minLength: 1
  2227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2228. type: string
  2229. namespace:
  2230. description: |-
  2231. The namespace of the Secret resource being referred to.
  2232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2233. maxLength: 63
  2234. minLength: 1
  2235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2236. type: string
  2237. type: object
  2238. resource:
  2239. description: |-
  2240. A reference to a specific 'key' within a Secret resource.
  2241. In some instances, `key` is a required field.
  2242. properties:
  2243. key:
  2244. description: |-
  2245. A key in the referenced Secret.
  2246. Some instances of this field may be defaulted, in others it may be required.
  2247. maxLength: 253
  2248. minLength: 1
  2249. pattern: ^[-._a-zA-Z0-9]+$
  2250. type: string
  2251. name:
  2252. description: The name of the Secret resource being referred to.
  2253. maxLength: 253
  2254. minLength: 1
  2255. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2256. type: string
  2257. namespace:
  2258. description: |-
  2259. The namespace of the Secret resource being referred to.
  2260. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2261. maxLength: 63
  2262. minLength: 1
  2263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2264. type: string
  2265. type: object
  2266. required:
  2267. - identityId
  2268. type: object
  2269. gcpIamAuthCredentials:
  2270. properties:
  2271. identityId:
  2272. description: |-
  2273. A reference to a specific 'key' within a Secret resource.
  2274. In some instances, `key` is a required field.
  2275. properties:
  2276. key:
  2277. description: |-
  2278. A key in the referenced Secret.
  2279. Some instances of this field may be defaulted, in others it may be required.
  2280. maxLength: 253
  2281. minLength: 1
  2282. pattern: ^[-._a-zA-Z0-9]+$
  2283. type: string
  2284. name:
  2285. description: The name of the Secret resource being referred to.
  2286. maxLength: 253
  2287. minLength: 1
  2288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2289. type: string
  2290. namespace:
  2291. description: |-
  2292. The namespace of the Secret resource being referred to.
  2293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2294. maxLength: 63
  2295. minLength: 1
  2296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2297. type: string
  2298. type: object
  2299. serviceAccountKeyFilePath:
  2300. description: |-
  2301. A reference to a specific 'key' within a Secret resource.
  2302. In some instances, `key` is a required field.
  2303. properties:
  2304. key:
  2305. description: |-
  2306. A key in the referenced Secret.
  2307. Some instances of this field may be defaulted, in others it may be required.
  2308. maxLength: 253
  2309. minLength: 1
  2310. pattern: ^[-._a-zA-Z0-9]+$
  2311. type: string
  2312. name:
  2313. description: The name of the Secret resource being referred to.
  2314. maxLength: 253
  2315. minLength: 1
  2316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2317. type: string
  2318. namespace:
  2319. description: |-
  2320. The namespace of the Secret resource being referred to.
  2321. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2322. maxLength: 63
  2323. minLength: 1
  2324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2325. type: string
  2326. type: object
  2327. required:
  2328. - identityId
  2329. - serviceAccountKeyFilePath
  2330. type: object
  2331. gcpIdTokenAuthCredentials:
  2332. properties:
  2333. identityId:
  2334. description: |-
  2335. A reference to a specific 'key' within a Secret resource.
  2336. In some instances, `key` is a required field.
  2337. properties:
  2338. key:
  2339. description: |-
  2340. A key in the referenced Secret.
  2341. Some instances of this field may be defaulted, in others it may be required.
  2342. maxLength: 253
  2343. minLength: 1
  2344. pattern: ^[-._a-zA-Z0-9]+$
  2345. type: string
  2346. name:
  2347. description: The name of the Secret resource being referred to.
  2348. maxLength: 253
  2349. minLength: 1
  2350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2351. type: string
  2352. namespace:
  2353. description: |-
  2354. The namespace of the Secret resource being referred to.
  2355. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2356. maxLength: 63
  2357. minLength: 1
  2358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2359. type: string
  2360. type: object
  2361. required:
  2362. - identityId
  2363. type: object
  2364. jwtAuthCredentials:
  2365. properties:
  2366. identityId:
  2367. description: |-
  2368. A reference to a specific 'key' within a Secret resource.
  2369. In some instances, `key` is a required field.
  2370. properties:
  2371. key:
  2372. description: |-
  2373. A key in the referenced Secret.
  2374. Some instances of this field may be defaulted, in others it may be required.
  2375. maxLength: 253
  2376. minLength: 1
  2377. pattern: ^[-._a-zA-Z0-9]+$
  2378. type: string
  2379. name:
  2380. description: The name of the Secret resource being referred to.
  2381. maxLength: 253
  2382. minLength: 1
  2383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2384. type: string
  2385. namespace:
  2386. description: |-
  2387. The namespace of the Secret resource being referred to.
  2388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2389. maxLength: 63
  2390. minLength: 1
  2391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2392. type: string
  2393. type: object
  2394. jwt:
  2395. description: |-
  2396. A reference to a specific 'key' within a Secret resource.
  2397. In some instances, `key` is a required field.
  2398. properties:
  2399. key:
  2400. description: |-
  2401. A key in the referenced Secret.
  2402. Some instances of this field may be defaulted, in others it may be required.
  2403. maxLength: 253
  2404. minLength: 1
  2405. pattern: ^[-._a-zA-Z0-9]+$
  2406. type: string
  2407. name:
  2408. description: The name of the Secret resource being referred to.
  2409. maxLength: 253
  2410. minLength: 1
  2411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2412. type: string
  2413. namespace:
  2414. description: |-
  2415. The namespace of the Secret resource being referred to.
  2416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2417. maxLength: 63
  2418. minLength: 1
  2419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2420. type: string
  2421. type: object
  2422. required:
  2423. - identityId
  2424. - jwt
  2425. type: object
  2426. kubernetesAuthCredentials:
  2427. properties:
  2428. identityId:
  2429. description: |-
  2430. A reference to a specific 'key' within a Secret resource.
  2431. In some instances, `key` is a required field.
  2432. properties:
  2433. key:
  2434. description: |-
  2435. A key in the referenced Secret.
  2436. Some instances of this field may be defaulted, in others it may be required.
  2437. maxLength: 253
  2438. minLength: 1
  2439. pattern: ^[-._a-zA-Z0-9]+$
  2440. type: string
  2441. name:
  2442. description: The name of the Secret resource being referred to.
  2443. maxLength: 253
  2444. minLength: 1
  2445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2446. type: string
  2447. namespace:
  2448. description: |-
  2449. The namespace of the Secret resource being referred to.
  2450. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2451. maxLength: 63
  2452. minLength: 1
  2453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2454. type: string
  2455. type: object
  2456. serviceAccountTokenPath:
  2457. description: |-
  2458. A reference to a specific 'key' within a Secret resource.
  2459. In some instances, `key` is a required field.
  2460. properties:
  2461. key:
  2462. description: |-
  2463. A key in the referenced Secret.
  2464. Some instances of this field may be defaulted, in others it may be required.
  2465. maxLength: 253
  2466. minLength: 1
  2467. pattern: ^[-._a-zA-Z0-9]+$
  2468. type: string
  2469. name:
  2470. description: The name of the Secret resource being referred to.
  2471. maxLength: 253
  2472. minLength: 1
  2473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2474. type: string
  2475. namespace:
  2476. description: |-
  2477. The namespace of the Secret resource being referred to.
  2478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2479. maxLength: 63
  2480. minLength: 1
  2481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2482. type: string
  2483. type: object
  2484. required:
  2485. - identityId
  2486. type: object
  2487. ldapAuthCredentials:
  2488. properties:
  2489. identityId:
  2490. description: |-
  2491. A reference to a specific 'key' within a Secret resource.
  2492. In some instances, `key` is a required field.
  2493. properties:
  2494. key:
  2495. description: |-
  2496. A key in the referenced Secret.
  2497. Some instances of this field may be defaulted, in others it may be required.
  2498. maxLength: 253
  2499. minLength: 1
  2500. pattern: ^[-._a-zA-Z0-9]+$
  2501. type: string
  2502. name:
  2503. description: The name of the Secret resource being referred to.
  2504. maxLength: 253
  2505. minLength: 1
  2506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2507. type: string
  2508. namespace:
  2509. description: |-
  2510. The namespace of the Secret resource being referred to.
  2511. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2512. maxLength: 63
  2513. minLength: 1
  2514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2515. type: string
  2516. type: object
  2517. ldapPassword:
  2518. description: |-
  2519. A reference to a specific 'key' within a Secret resource.
  2520. In some instances, `key` is a required field.
  2521. properties:
  2522. key:
  2523. description: |-
  2524. A key in the referenced Secret.
  2525. Some instances of this field may be defaulted, in others it may be required.
  2526. maxLength: 253
  2527. minLength: 1
  2528. pattern: ^[-._a-zA-Z0-9]+$
  2529. type: string
  2530. name:
  2531. description: The name of the Secret resource being referred to.
  2532. maxLength: 253
  2533. minLength: 1
  2534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2535. type: string
  2536. namespace:
  2537. description: |-
  2538. The namespace of the Secret resource being referred to.
  2539. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2540. maxLength: 63
  2541. minLength: 1
  2542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2543. type: string
  2544. type: object
  2545. ldapUsername:
  2546. description: |-
  2547. A reference to a specific 'key' within a Secret resource.
  2548. In some instances, `key` is a required field.
  2549. properties:
  2550. key:
  2551. description: |-
  2552. A key in the referenced Secret.
  2553. Some instances of this field may be defaulted, in others it may be required.
  2554. maxLength: 253
  2555. minLength: 1
  2556. pattern: ^[-._a-zA-Z0-9]+$
  2557. type: string
  2558. name:
  2559. description: The name of the Secret resource being referred to.
  2560. maxLength: 253
  2561. minLength: 1
  2562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2563. type: string
  2564. namespace:
  2565. description: |-
  2566. The namespace of the Secret resource being referred to.
  2567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2568. maxLength: 63
  2569. minLength: 1
  2570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2571. type: string
  2572. type: object
  2573. required:
  2574. - identityId
  2575. - ldapPassword
  2576. - ldapUsername
  2577. type: object
  2578. ociAuthCredentials:
  2579. properties:
  2580. fingerprint:
  2581. description: |-
  2582. A reference to a specific 'key' within a Secret resource.
  2583. In some instances, `key` is a required field.
  2584. properties:
  2585. key:
  2586. description: |-
  2587. A key in the referenced Secret.
  2588. Some instances of this field may be defaulted, in others it may be required.
  2589. maxLength: 253
  2590. minLength: 1
  2591. pattern: ^[-._a-zA-Z0-9]+$
  2592. type: string
  2593. name:
  2594. description: The name of the Secret resource being referred to.
  2595. maxLength: 253
  2596. minLength: 1
  2597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2598. type: string
  2599. namespace:
  2600. description: |-
  2601. The namespace of the Secret resource being referred to.
  2602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2603. maxLength: 63
  2604. minLength: 1
  2605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2606. type: string
  2607. type: object
  2608. identityId:
  2609. description: |-
  2610. A reference to a specific 'key' within a Secret resource.
  2611. In some instances, `key` is a required field.
  2612. properties:
  2613. key:
  2614. description: |-
  2615. A key in the referenced Secret.
  2616. Some instances of this field may be defaulted, in others it may be required.
  2617. maxLength: 253
  2618. minLength: 1
  2619. pattern: ^[-._a-zA-Z0-9]+$
  2620. type: string
  2621. name:
  2622. description: The name of the Secret resource being referred to.
  2623. maxLength: 253
  2624. minLength: 1
  2625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2626. type: string
  2627. namespace:
  2628. description: |-
  2629. The namespace of the Secret resource being referred to.
  2630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2631. maxLength: 63
  2632. minLength: 1
  2633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2634. type: string
  2635. type: object
  2636. privateKey:
  2637. description: |-
  2638. A reference to a specific 'key' within a Secret resource.
  2639. In some instances, `key` is a required field.
  2640. properties:
  2641. key:
  2642. description: |-
  2643. A key in the referenced Secret.
  2644. Some instances of this field may be defaulted, in others it may be required.
  2645. maxLength: 253
  2646. minLength: 1
  2647. pattern: ^[-._a-zA-Z0-9]+$
  2648. type: string
  2649. name:
  2650. description: The name of the Secret resource being referred to.
  2651. maxLength: 253
  2652. minLength: 1
  2653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2654. type: string
  2655. namespace:
  2656. description: |-
  2657. The namespace of the Secret resource being referred to.
  2658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2659. maxLength: 63
  2660. minLength: 1
  2661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2662. type: string
  2663. type: object
  2664. privateKeyPassphrase:
  2665. description: |-
  2666. A reference to a specific 'key' within a Secret resource.
  2667. In some instances, `key` is a required field.
  2668. properties:
  2669. key:
  2670. description: |-
  2671. A key in the referenced Secret.
  2672. Some instances of this field may be defaulted, in others it may be required.
  2673. maxLength: 253
  2674. minLength: 1
  2675. pattern: ^[-._a-zA-Z0-9]+$
  2676. type: string
  2677. name:
  2678. description: The name of the Secret resource being referred to.
  2679. maxLength: 253
  2680. minLength: 1
  2681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2682. type: string
  2683. namespace:
  2684. description: |-
  2685. The namespace of the Secret resource being referred to.
  2686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2687. maxLength: 63
  2688. minLength: 1
  2689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2690. type: string
  2691. type: object
  2692. region:
  2693. description: |-
  2694. A reference to a specific 'key' within a Secret resource.
  2695. In some instances, `key` is a required field.
  2696. properties:
  2697. key:
  2698. description: |-
  2699. A key in the referenced Secret.
  2700. Some instances of this field may be defaulted, in others it may be required.
  2701. maxLength: 253
  2702. minLength: 1
  2703. pattern: ^[-._a-zA-Z0-9]+$
  2704. type: string
  2705. name:
  2706. description: The name of the Secret resource being referred to.
  2707. maxLength: 253
  2708. minLength: 1
  2709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2710. type: string
  2711. namespace:
  2712. description: |-
  2713. The namespace of the Secret resource being referred to.
  2714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2715. maxLength: 63
  2716. minLength: 1
  2717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2718. type: string
  2719. type: object
  2720. tenancyId:
  2721. description: |-
  2722. A reference to a specific 'key' within a Secret resource.
  2723. In some instances, `key` is a required field.
  2724. properties:
  2725. key:
  2726. description: |-
  2727. A key in the referenced Secret.
  2728. Some instances of this field may be defaulted, in others it may be required.
  2729. maxLength: 253
  2730. minLength: 1
  2731. pattern: ^[-._a-zA-Z0-9]+$
  2732. type: string
  2733. name:
  2734. description: The name of the Secret resource being referred to.
  2735. maxLength: 253
  2736. minLength: 1
  2737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2738. type: string
  2739. namespace:
  2740. description: |-
  2741. The namespace of the Secret resource being referred to.
  2742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2743. maxLength: 63
  2744. minLength: 1
  2745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2746. type: string
  2747. type: object
  2748. userId:
  2749. description: |-
  2750. A reference to a specific 'key' within a Secret resource.
  2751. In some instances, `key` is a required field.
  2752. properties:
  2753. key:
  2754. description: |-
  2755. A key in the referenced Secret.
  2756. Some instances of this field may be defaulted, in others it may be required.
  2757. maxLength: 253
  2758. minLength: 1
  2759. pattern: ^[-._a-zA-Z0-9]+$
  2760. type: string
  2761. name:
  2762. description: The name of the Secret resource being referred to.
  2763. maxLength: 253
  2764. minLength: 1
  2765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2766. type: string
  2767. namespace:
  2768. description: |-
  2769. The namespace of the Secret resource being referred to.
  2770. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2771. maxLength: 63
  2772. minLength: 1
  2773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2774. type: string
  2775. type: object
  2776. required:
  2777. - fingerprint
  2778. - identityId
  2779. - privateKey
  2780. - region
  2781. - tenancyId
  2782. - userId
  2783. type: object
  2784. tokenAuthCredentials:
  2785. properties:
  2786. accessToken:
  2787. description: |-
  2788. A reference to a specific 'key' within a Secret resource.
  2789. In some instances, `key` is a required field.
  2790. properties:
  2791. key:
  2792. description: |-
  2793. A key in the referenced Secret.
  2794. Some instances of this field may be defaulted, in others it may be required.
  2795. maxLength: 253
  2796. minLength: 1
  2797. pattern: ^[-._a-zA-Z0-9]+$
  2798. type: string
  2799. name:
  2800. description: The name of the Secret resource being referred to.
  2801. maxLength: 253
  2802. minLength: 1
  2803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2804. type: string
  2805. namespace:
  2806. description: |-
  2807. The namespace of the Secret resource being referred to.
  2808. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2809. maxLength: 63
  2810. minLength: 1
  2811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2812. type: string
  2813. type: object
  2814. required:
  2815. - accessToken
  2816. type: object
  2817. universalAuthCredentials:
  2818. properties:
  2819. clientId:
  2820. description: |-
  2821. A reference to a specific 'key' within a Secret resource.
  2822. In some instances, `key` is a required field.
  2823. properties:
  2824. key:
  2825. description: |-
  2826. A key in the referenced Secret.
  2827. Some instances of this field may be defaulted, in others it may be required.
  2828. maxLength: 253
  2829. minLength: 1
  2830. pattern: ^[-._a-zA-Z0-9]+$
  2831. type: string
  2832. name:
  2833. description: The name of the Secret resource being referred to.
  2834. maxLength: 253
  2835. minLength: 1
  2836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2837. type: string
  2838. namespace:
  2839. description: |-
  2840. The namespace of the Secret resource being referred to.
  2841. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2842. maxLength: 63
  2843. minLength: 1
  2844. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2845. type: string
  2846. type: object
  2847. clientSecret:
  2848. description: |-
  2849. A reference to a specific 'key' within a Secret resource.
  2850. In some instances, `key` is a required field.
  2851. properties:
  2852. key:
  2853. description: |-
  2854. A key in the referenced Secret.
  2855. Some instances of this field may be defaulted, in others it may be required.
  2856. maxLength: 253
  2857. minLength: 1
  2858. pattern: ^[-._a-zA-Z0-9]+$
  2859. type: string
  2860. name:
  2861. description: The name of the Secret resource being referred to.
  2862. maxLength: 253
  2863. minLength: 1
  2864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2865. type: string
  2866. namespace:
  2867. description: |-
  2868. The namespace of the Secret resource being referred to.
  2869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2870. maxLength: 63
  2871. minLength: 1
  2872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2873. type: string
  2874. type: object
  2875. required:
  2876. - clientId
  2877. - clientSecret
  2878. type: object
  2879. type: object
  2880. hostAPI:
  2881. default: https://app.infisical.com/api
  2882. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  2883. type: string
  2884. secretsScope:
  2885. description: SecretsScope defines the scope of the secrets within the workspace
  2886. properties:
  2887. environmentSlug:
  2888. description: EnvironmentSlug is the required slug identifier for the environment.
  2889. type: string
  2890. expandSecretReferences:
  2891. default: true
  2892. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  2893. type: boolean
  2894. projectSlug:
  2895. description: ProjectSlug is the required slug identifier for the project.
  2896. type: string
  2897. recursive:
  2898. default: false
  2899. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  2900. type: boolean
  2901. secretsPath:
  2902. default: /
  2903. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  2904. type: string
  2905. required:
  2906. - environmentSlug
  2907. - projectSlug
  2908. type: object
  2909. required:
  2910. - auth
  2911. - secretsScope
  2912. type: object
  2913. keepersecurity:
  2914. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  2915. properties:
  2916. authRef:
  2917. description: |-
  2918. A reference to a specific 'key' within a Secret resource.
  2919. In some instances, `key` is a required field.
  2920. properties:
  2921. key:
  2922. description: |-
  2923. A key in the referenced Secret.
  2924. Some instances of this field may be defaulted, in others it may be required.
  2925. maxLength: 253
  2926. minLength: 1
  2927. pattern: ^[-._a-zA-Z0-9]+$
  2928. type: string
  2929. name:
  2930. description: The name of the Secret resource being referred to.
  2931. maxLength: 253
  2932. minLength: 1
  2933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2934. type: string
  2935. namespace:
  2936. description: |-
  2937. The namespace of the Secret resource being referred to.
  2938. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2939. maxLength: 63
  2940. minLength: 1
  2941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2942. type: string
  2943. type: object
  2944. folderID:
  2945. type: string
  2946. required:
  2947. - authRef
  2948. - folderID
  2949. type: object
  2950. kubernetes:
  2951. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  2952. properties:
  2953. auth:
  2954. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  2955. maxProperties: 1
  2956. minProperties: 1
  2957. properties:
  2958. cert:
  2959. description: has both clientCert and clientKey as secretKeySelector
  2960. properties:
  2961. clientCert:
  2962. description: |-
  2963. A reference to a specific 'key' within a Secret resource.
  2964. In some instances, `key` is a required field.
  2965. properties:
  2966. key:
  2967. description: |-
  2968. A key in the referenced Secret.
  2969. Some instances of this field may be defaulted, in others it may be required.
  2970. maxLength: 253
  2971. minLength: 1
  2972. pattern: ^[-._a-zA-Z0-9]+$
  2973. type: string
  2974. name:
  2975. description: The name of the Secret resource being referred to.
  2976. maxLength: 253
  2977. minLength: 1
  2978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2979. type: string
  2980. namespace:
  2981. description: |-
  2982. The namespace of the Secret resource being referred to.
  2983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2984. maxLength: 63
  2985. minLength: 1
  2986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2987. type: string
  2988. type: object
  2989. clientKey:
  2990. description: |-
  2991. A reference to a specific 'key' within a Secret resource.
  2992. In some instances, `key` is a required field.
  2993. properties:
  2994. key:
  2995. description: |-
  2996. A key in the referenced Secret.
  2997. Some instances of this field may be defaulted, in others it may be required.
  2998. maxLength: 253
  2999. minLength: 1
  3000. pattern: ^[-._a-zA-Z0-9]+$
  3001. type: string
  3002. name:
  3003. description: The name of the Secret resource being referred to.
  3004. maxLength: 253
  3005. minLength: 1
  3006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3007. type: string
  3008. namespace:
  3009. description: |-
  3010. The namespace of the Secret resource being referred to.
  3011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3012. maxLength: 63
  3013. minLength: 1
  3014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3015. type: string
  3016. type: object
  3017. type: object
  3018. serviceAccount:
  3019. description: points to a service account that should be used for authentication
  3020. properties:
  3021. audiences:
  3022. description: |-
  3023. Audience specifies the `aud` claim for the service account token
  3024. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3025. then this audiences will be appended to the list
  3026. items:
  3027. type: string
  3028. type: array
  3029. name:
  3030. description: The name of the ServiceAccount resource being referred to.
  3031. maxLength: 253
  3032. minLength: 1
  3033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3034. type: string
  3035. namespace:
  3036. description: |-
  3037. Namespace of the resource being referred to.
  3038. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3039. maxLength: 63
  3040. minLength: 1
  3041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3042. type: string
  3043. required:
  3044. - name
  3045. type: object
  3046. token:
  3047. description: use static token to authenticate with
  3048. properties:
  3049. bearerToken:
  3050. description: |-
  3051. A reference to a specific 'key' within a Secret resource.
  3052. In some instances, `key` is a required field.
  3053. properties:
  3054. key:
  3055. description: |-
  3056. A key in the referenced Secret.
  3057. Some instances of this field may be defaulted, in others it may be required.
  3058. maxLength: 253
  3059. minLength: 1
  3060. pattern: ^[-._a-zA-Z0-9]+$
  3061. type: string
  3062. name:
  3063. description: The name of the Secret resource being referred to.
  3064. maxLength: 253
  3065. minLength: 1
  3066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3067. type: string
  3068. namespace:
  3069. description: |-
  3070. The namespace of the Secret resource being referred to.
  3071. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3072. maxLength: 63
  3073. minLength: 1
  3074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3075. type: string
  3076. type: object
  3077. type: object
  3078. type: object
  3079. authRef:
  3080. description: A reference to a secret that contains the auth information.
  3081. properties:
  3082. key:
  3083. description: |-
  3084. A key in the referenced Secret.
  3085. Some instances of this field may be defaulted, in others it may be required.
  3086. maxLength: 253
  3087. minLength: 1
  3088. pattern: ^[-._a-zA-Z0-9]+$
  3089. type: string
  3090. name:
  3091. description: The name of the Secret resource being referred to.
  3092. maxLength: 253
  3093. minLength: 1
  3094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3095. type: string
  3096. namespace:
  3097. description: |-
  3098. The namespace of the Secret resource being referred to.
  3099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3100. maxLength: 63
  3101. minLength: 1
  3102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3103. type: string
  3104. type: object
  3105. remoteNamespace:
  3106. default: default
  3107. description: Remote namespace to fetch the secrets from
  3108. maxLength: 63
  3109. minLength: 1
  3110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3111. type: string
  3112. server:
  3113. description: configures the Kubernetes server Address.
  3114. properties:
  3115. caBundle:
  3116. description: CABundle is a base64-encoded CA certificate
  3117. format: byte
  3118. type: string
  3119. caProvider:
  3120. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3121. properties:
  3122. key:
  3123. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3124. maxLength: 253
  3125. minLength: 1
  3126. pattern: ^[-._a-zA-Z0-9]+$
  3127. type: string
  3128. name:
  3129. description: The name of the object located at the provider type.
  3130. maxLength: 253
  3131. minLength: 1
  3132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3133. type: string
  3134. namespace:
  3135. description: |-
  3136. The namespace the Provider type is in.
  3137. Can only be defined when used in a ClusterSecretStore.
  3138. maxLength: 63
  3139. minLength: 1
  3140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3141. type: string
  3142. type:
  3143. description: The type of provider to use such as "Secret", or "ConfigMap".
  3144. enum:
  3145. - Secret
  3146. - ConfigMap
  3147. type: string
  3148. required:
  3149. - name
  3150. - type
  3151. type: object
  3152. url:
  3153. default: kubernetes.default
  3154. description: configures the Kubernetes server Address.
  3155. type: string
  3156. type: object
  3157. type: object
  3158. ngrok:
  3159. description: Ngrok configures this store to sync secrets using the ngrok provider.
  3160. properties:
  3161. apiUrl:
  3162. default: https://api.ngrok.com
  3163. description: APIURL is the URL of the ngrok API.
  3164. type: string
  3165. auth:
  3166. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  3167. maxProperties: 1
  3168. minProperties: 1
  3169. properties:
  3170. apiKey:
  3171. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  3172. properties:
  3173. secretRef:
  3174. description: SecretRef is a reference to a secret containing the ngrok API key.
  3175. properties:
  3176. key:
  3177. description: |-
  3178. A key in the referenced Secret.
  3179. Some instances of this field may be defaulted, in others it may be required.
  3180. maxLength: 253
  3181. minLength: 1
  3182. pattern: ^[-._a-zA-Z0-9]+$
  3183. type: string
  3184. name:
  3185. description: The name of the Secret resource being referred to.
  3186. maxLength: 253
  3187. minLength: 1
  3188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3189. type: string
  3190. namespace:
  3191. description: |-
  3192. The namespace of the Secret resource being referred to.
  3193. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3194. maxLength: 63
  3195. minLength: 1
  3196. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3197. type: string
  3198. type: object
  3199. type: object
  3200. type: object
  3201. vault:
  3202. description: Vault configures the ngrok vault to sync secrets with.
  3203. properties:
  3204. name:
  3205. description: Name is the name of the ngrok vault to sync secrets with.
  3206. type: string
  3207. required:
  3208. - name
  3209. type: object
  3210. required:
  3211. - auth
  3212. - vault
  3213. type: object
  3214. onboardbase:
  3215. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  3216. properties:
  3217. apiHost:
  3218. default: https://public.onboardbase.com/api/v1/
  3219. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  3220. type: string
  3221. auth:
  3222. description: Auth configures how the Operator authenticates with the Onboardbase API
  3223. properties:
  3224. apiKeyRef:
  3225. description: |-
  3226. OnboardbaseAPIKey is the APIKey generated by an admin account.
  3227. It is used to recognize and authorize access to a project and environment within onboardbase
  3228. properties:
  3229. key:
  3230. description: |-
  3231. A key in the referenced Secret.
  3232. Some instances of this field may be defaulted, in others it may be required.
  3233. maxLength: 253
  3234. minLength: 1
  3235. pattern: ^[-._a-zA-Z0-9]+$
  3236. type: string
  3237. name:
  3238. description: The name of the Secret resource being referred to.
  3239. maxLength: 253
  3240. minLength: 1
  3241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3242. type: string
  3243. namespace:
  3244. description: |-
  3245. The namespace of the Secret resource being referred to.
  3246. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3247. maxLength: 63
  3248. minLength: 1
  3249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3250. type: string
  3251. type: object
  3252. passcodeRef:
  3253. description: OnboardbasePasscode is the passcode attached to the API Key
  3254. properties:
  3255. key:
  3256. description: |-
  3257. A key in the referenced Secret.
  3258. Some instances of this field may be defaulted, in others it may be required.
  3259. maxLength: 253
  3260. minLength: 1
  3261. pattern: ^[-._a-zA-Z0-9]+$
  3262. type: string
  3263. name:
  3264. description: The name of the Secret resource being referred to.
  3265. maxLength: 253
  3266. minLength: 1
  3267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3268. type: string
  3269. namespace:
  3270. description: |-
  3271. The namespace of the Secret resource being referred to.
  3272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3273. maxLength: 63
  3274. minLength: 1
  3275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3276. type: string
  3277. type: object
  3278. required:
  3279. - apiKeyRef
  3280. - passcodeRef
  3281. type: object
  3282. environment:
  3283. default: development
  3284. description: Environment is the name of an environmnent within a project to pull the secrets from
  3285. type: string
  3286. project:
  3287. default: development
  3288. description: Project is an onboardbase project that the secrets should be pulled from
  3289. type: string
  3290. required:
  3291. - apiHost
  3292. - auth
  3293. - environment
  3294. - project
  3295. type: object
  3296. onepassword:
  3297. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  3298. properties:
  3299. auth:
  3300. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  3301. properties:
  3302. secretRef:
  3303. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  3304. properties:
  3305. connectTokenSecretRef:
  3306. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  3307. properties:
  3308. key:
  3309. description: |-
  3310. A key in the referenced Secret.
  3311. Some instances of this field may be defaulted, in others it may be required.
  3312. maxLength: 253
  3313. minLength: 1
  3314. pattern: ^[-._a-zA-Z0-9]+$
  3315. type: string
  3316. name:
  3317. description: The name of the Secret resource being referred to.
  3318. maxLength: 253
  3319. minLength: 1
  3320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3321. type: string
  3322. namespace:
  3323. description: |-
  3324. The namespace of the Secret resource being referred to.
  3325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3326. maxLength: 63
  3327. minLength: 1
  3328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3329. type: string
  3330. type: object
  3331. required:
  3332. - connectTokenSecretRef
  3333. type: object
  3334. required:
  3335. - secretRef
  3336. type: object
  3337. connectHost:
  3338. description: ConnectHost defines the OnePassword Connect Server to connect to
  3339. type: string
  3340. vaults:
  3341. additionalProperties:
  3342. type: integer
  3343. description: Vaults defines which OnePassword vaults to search in which order
  3344. type: object
  3345. required:
  3346. - auth
  3347. - connectHost
  3348. - vaults
  3349. type: object
  3350. onepasswordSDK:
  3351. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  3352. properties:
  3353. auth:
  3354. description: Auth defines the information necessary to authenticate against OnePassword API.
  3355. properties:
  3356. serviceAccountSecretRef:
  3357. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  3358. properties:
  3359. key:
  3360. description: |-
  3361. A key in the referenced Secret.
  3362. Some instances of this field may be defaulted, in others it may be required.
  3363. maxLength: 253
  3364. minLength: 1
  3365. pattern: ^[-._a-zA-Z0-9]+$
  3366. type: string
  3367. name:
  3368. description: The name of the Secret resource being referred to.
  3369. maxLength: 253
  3370. minLength: 1
  3371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3372. type: string
  3373. namespace:
  3374. description: |-
  3375. The namespace of the Secret resource being referred to.
  3376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3377. maxLength: 63
  3378. minLength: 1
  3379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3380. type: string
  3381. type: object
  3382. required:
  3383. - serviceAccountSecretRef
  3384. type: object
  3385. integrationInfo:
  3386. description: |-
  3387. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  3388. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  3389. properties:
  3390. name:
  3391. default: 1Password SDK
  3392. description: Name defaults to "1Password SDK".
  3393. type: string
  3394. version:
  3395. default: v1.0.0
  3396. description: Version defaults to "v1.0.0".
  3397. type: string
  3398. type: object
  3399. vault:
  3400. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  3401. type: string
  3402. required:
  3403. - auth
  3404. - vault
  3405. type: object
  3406. oracle:
  3407. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3408. properties:
  3409. auth:
  3410. description: |-
  3411. Auth configures how secret-manager authenticates with the Oracle Vault.
  3412. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3413. properties:
  3414. secretRef:
  3415. description: SecretRef to pass through sensitive information.
  3416. properties:
  3417. fingerprint:
  3418. description: Fingerprint is the fingerprint of the API private key.
  3419. properties:
  3420. key:
  3421. description: |-
  3422. A key in the referenced Secret.
  3423. Some instances of this field may be defaulted, in others it may be required.
  3424. maxLength: 253
  3425. minLength: 1
  3426. pattern: ^[-._a-zA-Z0-9]+$
  3427. type: string
  3428. name:
  3429. description: The name of the Secret resource being referred to.
  3430. maxLength: 253
  3431. minLength: 1
  3432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3433. type: string
  3434. namespace:
  3435. description: |-
  3436. The namespace of the Secret resource being referred to.
  3437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3438. maxLength: 63
  3439. minLength: 1
  3440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3441. type: string
  3442. type: object
  3443. privatekey:
  3444. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3445. properties:
  3446. key:
  3447. description: |-
  3448. A key in the referenced Secret.
  3449. Some instances of this field may be defaulted, in others it may be required.
  3450. maxLength: 253
  3451. minLength: 1
  3452. pattern: ^[-._a-zA-Z0-9]+$
  3453. type: string
  3454. name:
  3455. description: The name of the Secret resource being referred to.
  3456. maxLength: 253
  3457. minLength: 1
  3458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3459. type: string
  3460. namespace:
  3461. description: |-
  3462. The namespace of the Secret resource being referred to.
  3463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3464. maxLength: 63
  3465. minLength: 1
  3466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3467. type: string
  3468. type: object
  3469. required:
  3470. - fingerprint
  3471. - privatekey
  3472. type: object
  3473. tenancy:
  3474. description: Tenancy is the tenancy OCID where user is located.
  3475. type: string
  3476. user:
  3477. description: User is an access OCID specific to the account.
  3478. type: string
  3479. required:
  3480. - secretRef
  3481. - tenancy
  3482. - user
  3483. type: object
  3484. compartment:
  3485. description: |-
  3486. Compartment is the vault compartment OCID.
  3487. Required for PushSecret
  3488. type: string
  3489. encryptionKey:
  3490. description: |-
  3491. EncryptionKey is the OCID of the encryption key within the vault.
  3492. Required for PushSecret
  3493. type: string
  3494. principalType:
  3495. description: |-
  3496. The type of principal to use for authentication. If left blank, the Auth struct will
  3497. determine the principal type. This optional field must be specified if using
  3498. workload identity.
  3499. enum:
  3500. - ""
  3501. - UserPrincipal
  3502. - InstancePrincipal
  3503. - Workload
  3504. type: string
  3505. region:
  3506. description: Region is the region where vault is located.
  3507. type: string
  3508. serviceAccountRef:
  3509. description: |-
  3510. ServiceAccountRef specified the service account
  3511. that should be used when authenticating with WorkloadIdentity.
  3512. properties:
  3513. audiences:
  3514. description: |-
  3515. Audience specifies the `aud` claim for the service account token
  3516. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3517. then this audiences will be appended to the list
  3518. items:
  3519. type: string
  3520. type: array
  3521. name:
  3522. description: The name of the ServiceAccount resource being referred to.
  3523. maxLength: 253
  3524. minLength: 1
  3525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3526. type: string
  3527. namespace:
  3528. description: |-
  3529. Namespace of the resource being referred to.
  3530. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3531. maxLength: 63
  3532. minLength: 1
  3533. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3534. type: string
  3535. required:
  3536. - name
  3537. type: object
  3538. vault:
  3539. description: Vault is the vault's OCID of the specific vault where secret is located.
  3540. type: string
  3541. required:
  3542. - region
  3543. - vault
  3544. type: object
  3545. passbolt:
  3546. properties:
  3547. auth:
  3548. description: Auth defines the information necessary to authenticate against Passbolt Server
  3549. properties:
  3550. passwordSecretRef:
  3551. description: |-
  3552. A reference to a specific 'key' within a Secret resource.
  3553. In some instances, `key` is a required field.
  3554. properties:
  3555. key:
  3556. description: |-
  3557. A key in the referenced Secret.
  3558. Some instances of this field may be defaulted, in others it may be required.
  3559. maxLength: 253
  3560. minLength: 1
  3561. pattern: ^[-._a-zA-Z0-9]+$
  3562. type: string
  3563. name:
  3564. description: The name of the Secret resource being referred to.
  3565. maxLength: 253
  3566. minLength: 1
  3567. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3568. type: string
  3569. namespace:
  3570. description: |-
  3571. The namespace of the Secret resource being referred to.
  3572. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3573. maxLength: 63
  3574. minLength: 1
  3575. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3576. type: string
  3577. type: object
  3578. privateKeySecretRef:
  3579. description: |-
  3580. A reference to a specific 'key' within a Secret resource.
  3581. In some instances, `key` is a required field.
  3582. properties:
  3583. key:
  3584. description: |-
  3585. A key in the referenced Secret.
  3586. Some instances of this field may be defaulted, in others it may be required.
  3587. maxLength: 253
  3588. minLength: 1
  3589. pattern: ^[-._a-zA-Z0-9]+$
  3590. type: string
  3591. name:
  3592. description: The name of the Secret resource being referred to.
  3593. maxLength: 253
  3594. minLength: 1
  3595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3596. type: string
  3597. namespace:
  3598. description: |-
  3599. The namespace of the Secret resource being referred to.
  3600. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3601. maxLength: 63
  3602. minLength: 1
  3603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3604. type: string
  3605. type: object
  3606. required:
  3607. - passwordSecretRef
  3608. - privateKeySecretRef
  3609. type: object
  3610. host:
  3611. description: Host defines the Passbolt Server to connect to
  3612. type: string
  3613. required:
  3614. - auth
  3615. - host
  3616. type: object
  3617. passworddepot:
  3618. description: Configures a store to sync secrets with a Password Depot instance.
  3619. properties:
  3620. auth:
  3621. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  3622. properties:
  3623. secretRef:
  3624. properties:
  3625. credentials:
  3626. description: Username / Password is used for authentication.
  3627. properties:
  3628. key:
  3629. description: |-
  3630. A key in the referenced Secret.
  3631. Some instances of this field may be defaulted, in others it may be required.
  3632. maxLength: 253
  3633. minLength: 1
  3634. pattern: ^[-._a-zA-Z0-9]+$
  3635. type: string
  3636. name:
  3637. description: The name of the Secret resource being referred to.
  3638. maxLength: 253
  3639. minLength: 1
  3640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3641. type: string
  3642. namespace:
  3643. description: |-
  3644. The namespace of the Secret resource being referred to.
  3645. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3646. maxLength: 63
  3647. minLength: 1
  3648. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3649. type: string
  3650. type: object
  3651. type: object
  3652. required:
  3653. - secretRef
  3654. type: object
  3655. database:
  3656. description: Database to use as source
  3657. type: string
  3658. host:
  3659. description: URL configures the Password Depot instance URL.
  3660. type: string
  3661. required:
  3662. - auth
  3663. - database
  3664. - host
  3665. type: object
  3666. previder:
  3667. description: Previder configures this store to sync secrets using the Previder provider
  3668. properties:
  3669. auth:
  3670. description: PreviderAuth contains a secretRef for credentials.
  3671. properties:
  3672. secretRef:
  3673. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  3674. properties:
  3675. accessToken:
  3676. description: The AccessToken is used for authentication
  3677. properties:
  3678. key:
  3679. description: |-
  3680. A key in the referenced Secret.
  3681. Some instances of this field may be defaulted, in others it may be required.
  3682. maxLength: 253
  3683. minLength: 1
  3684. pattern: ^[-._a-zA-Z0-9]+$
  3685. type: string
  3686. name:
  3687. description: The name of the Secret resource being referred to.
  3688. maxLength: 253
  3689. minLength: 1
  3690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3691. type: string
  3692. namespace:
  3693. description: |-
  3694. The namespace of the Secret resource being referred to.
  3695. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3696. maxLength: 63
  3697. minLength: 1
  3698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3699. type: string
  3700. type: object
  3701. required:
  3702. - accessToken
  3703. type: object
  3704. type: object
  3705. baseUri:
  3706. type: string
  3707. required:
  3708. - auth
  3709. type: object
  3710. pulumi:
  3711. description: Pulumi configures this store to sync secrets using the Pulumi provider
  3712. properties:
  3713. accessToken:
  3714. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  3715. properties:
  3716. secretRef:
  3717. description: SecretRef is a reference to a secret containing the Pulumi API token.
  3718. properties:
  3719. key:
  3720. description: |-
  3721. A key in the referenced Secret.
  3722. Some instances of this field may be defaulted, in others it may be required.
  3723. maxLength: 253
  3724. minLength: 1
  3725. pattern: ^[-._a-zA-Z0-9]+$
  3726. type: string
  3727. name:
  3728. description: The name of the Secret resource being referred to.
  3729. maxLength: 253
  3730. minLength: 1
  3731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3732. type: string
  3733. namespace:
  3734. description: |-
  3735. The namespace of the Secret resource being referred to.
  3736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3737. maxLength: 63
  3738. minLength: 1
  3739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3740. type: string
  3741. type: object
  3742. type: object
  3743. apiUrl:
  3744. default: https://api.pulumi.com/api/esc
  3745. description: APIURL is the URL of the Pulumi API.
  3746. type: string
  3747. environment:
  3748. description: |-
  3749. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  3750. dynamically retrieved values from supported providers including all major clouds,
  3751. and other Pulumi ESC environments.
  3752. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  3753. type: string
  3754. organization:
  3755. description: |-
  3756. Organization are a space to collaborate on shared projects and stacks.
  3757. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  3758. type: string
  3759. project:
  3760. description: Project is the name of the Pulumi ESC project the environment belongs to.
  3761. type: string
  3762. required:
  3763. - accessToken
  3764. - environment
  3765. - organization
  3766. - project
  3767. type: object
  3768. scaleway:
  3769. description: Scaleway
  3770. properties:
  3771. accessKey:
  3772. description: AccessKey is the non-secret part of the api key.
  3773. properties:
  3774. secretRef:
  3775. description: SecretRef references a key in a secret that will be used as value.
  3776. properties:
  3777. key:
  3778. description: |-
  3779. A key in the referenced Secret.
  3780. Some instances of this field may be defaulted, in others it may be required.
  3781. maxLength: 253
  3782. minLength: 1
  3783. pattern: ^[-._a-zA-Z0-9]+$
  3784. type: string
  3785. name:
  3786. description: The name of the Secret resource being referred to.
  3787. maxLength: 253
  3788. minLength: 1
  3789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3790. type: string
  3791. namespace:
  3792. description: |-
  3793. The namespace of the Secret resource being referred to.
  3794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3795. maxLength: 63
  3796. minLength: 1
  3797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3798. type: string
  3799. type: object
  3800. value:
  3801. description: Value can be specified directly to set a value without using a secret.
  3802. type: string
  3803. type: object
  3804. apiUrl:
  3805. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  3806. type: string
  3807. projectId:
  3808. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  3809. type: string
  3810. region:
  3811. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  3812. type: string
  3813. secretKey:
  3814. description: SecretKey is the non-secret part of the api key.
  3815. properties:
  3816. secretRef:
  3817. description: SecretRef references a key in a secret that will be used as value.
  3818. properties:
  3819. key:
  3820. description: |-
  3821. A key in the referenced Secret.
  3822. Some instances of this field may be defaulted, in others it may be required.
  3823. maxLength: 253
  3824. minLength: 1
  3825. pattern: ^[-._a-zA-Z0-9]+$
  3826. type: string
  3827. name:
  3828. description: The name of the Secret resource being referred to.
  3829. maxLength: 253
  3830. minLength: 1
  3831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3832. type: string
  3833. namespace:
  3834. description: |-
  3835. The namespace of the Secret resource being referred to.
  3836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3837. maxLength: 63
  3838. minLength: 1
  3839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3840. type: string
  3841. type: object
  3842. value:
  3843. description: Value can be specified directly to set a value without using a secret.
  3844. type: string
  3845. type: object
  3846. required:
  3847. - accessKey
  3848. - projectId
  3849. - region
  3850. - secretKey
  3851. type: object
  3852. secretserver:
  3853. description: |-
  3854. SecretServer configures this store to sync secrets using SecretServer provider
  3855. https://docs.delinea.com/online-help/secret-server/start.htm
  3856. properties:
  3857. domain:
  3858. description: Domain is the secret server domain.
  3859. type: string
  3860. password:
  3861. description: Password is the secret server account password.
  3862. properties:
  3863. secretRef:
  3864. description: SecretRef references a key in a secret that will be used as value.
  3865. properties:
  3866. key:
  3867. description: |-
  3868. A key in the referenced Secret.
  3869. Some instances of this field may be defaulted, in others it may be required.
  3870. maxLength: 253
  3871. minLength: 1
  3872. pattern: ^[-._a-zA-Z0-9]+$
  3873. type: string
  3874. name:
  3875. description: The name of the Secret resource being referred to.
  3876. maxLength: 253
  3877. minLength: 1
  3878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3879. type: string
  3880. namespace:
  3881. description: |-
  3882. The namespace of the Secret resource being referred to.
  3883. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3884. maxLength: 63
  3885. minLength: 1
  3886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3887. type: string
  3888. type: object
  3889. value:
  3890. description: Value can be specified directly to set a value without using a secret.
  3891. type: string
  3892. type: object
  3893. serverURL:
  3894. description: |-
  3895. ServerURL
  3896. URL to your secret server installation
  3897. type: string
  3898. username:
  3899. description: Username is the secret server account username.
  3900. properties:
  3901. secretRef:
  3902. description: SecretRef references a key in a secret that will be used as value.
  3903. properties:
  3904. key:
  3905. description: |-
  3906. A key in the referenced Secret.
  3907. Some instances of this field may be defaulted, in others it may be required.
  3908. maxLength: 253
  3909. minLength: 1
  3910. pattern: ^[-._a-zA-Z0-9]+$
  3911. type: string
  3912. name:
  3913. description: The name of the Secret resource being referred to.
  3914. maxLength: 253
  3915. minLength: 1
  3916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3917. type: string
  3918. namespace:
  3919. description: |-
  3920. The namespace of the Secret resource being referred to.
  3921. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3922. maxLength: 63
  3923. minLength: 1
  3924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3925. type: string
  3926. type: object
  3927. value:
  3928. description: Value can be specified directly to set a value without using a secret.
  3929. type: string
  3930. type: object
  3931. required:
  3932. - password
  3933. - serverURL
  3934. - username
  3935. type: object
  3936. senhasegura:
  3937. description: Senhasegura configures this store to sync secrets using senhasegura provider
  3938. properties:
  3939. auth:
  3940. description: Auth defines parameters to authenticate in senhasegura
  3941. properties:
  3942. clientId:
  3943. type: string
  3944. clientSecretSecretRef:
  3945. description: |-
  3946. A reference to a specific 'key' within a Secret resource.
  3947. In some instances, `key` is a required field.
  3948. properties:
  3949. key:
  3950. description: |-
  3951. A key in the referenced Secret.
  3952. Some instances of this field may be defaulted, in others it may be required.
  3953. maxLength: 253
  3954. minLength: 1
  3955. pattern: ^[-._a-zA-Z0-9]+$
  3956. type: string
  3957. name:
  3958. description: The name of the Secret resource being referred to.
  3959. maxLength: 253
  3960. minLength: 1
  3961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3962. type: string
  3963. namespace:
  3964. description: |-
  3965. The namespace of the Secret resource being referred to.
  3966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3967. maxLength: 63
  3968. minLength: 1
  3969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3970. type: string
  3971. type: object
  3972. required:
  3973. - clientId
  3974. - clientSecretSecretRef
  3975. type: object
  3976. ignoreSslCertificate:
  3977. default: false
  3978. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  3979. type: boolean
  3980. module:
  3981. description: Module defines which senhasegura module should be used to get secrets
  3982. type: string
  3983. url:
  3984. description: URL of senhasegura
  3985. type: string
  3986. required:
  3987. - auth
  3988. - module
  3989. - url
  3990. type: object
  3991. vault:
  3992. description: Vault configures this store to sync secrets using Hashi provider
  3993. properties:
  3994. auth:
  3995. description: Auth configures how secret-manager authenticates with the Vault server.
  3996. properties:
  3997. appRole:
  3998. description: |-
  3999. AppRole authenticates with Vault using the App Role auth mechanism,
  4000. with the role and secret stored in a Kubernetes Secret resource.
  4001. properties:
  4002. path:
  4003. default: approle
  4004. description: |-
  4005. Path where the App Role authentication backend is mounted
  4006. in Vault, e.g: "approle"
  4007. type: string
  4008. roleId:
  4009. description: |-
  4010. RoleID configured in the App Role authentication backend when setting
  4011. up the authentication backend in Vault.
  4012. type: string
  4013. roleRef:
  4014. description: |-
  4015. Reference to a key in a Secret that contains the App Role ID used
  4016. to authenticate with Vault.
  4017. The `key` field must be specified and denotes which entry within the Secret
  4018. resource is used as the app role id.
  4019. properties:
  4020. key:
  4021. description: |-
  4022. A key in the referenced Secret.
  4023. Some instances of this field may be defaulted, in others it may be required.
  4024. maxLength: 253
  4025. minLength: 1
  4026. pattern: ^[-._a-zA-Z0-9]+$
  4027. type: string
  4028. name:
  4029. description: The name of the Secret resource being referred to.
  4030. maxLength: 253
  4031. minLength: 1
  4032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4033. type: string
  4034. namespace:
  4035. description: |-
  4036. The namespace of the Secret resource being referred to.
  4037. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4038. maxLength: 63
  4039. minLength: 1
  4040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4041. type: string
  4042. type: object
  4043. secretRef:
  4044. description: |-
  4045. Reference to a key in a Secret that contains the App Role secret used
  4046. to authenticate with Vault.
  4047. The `key` field must be specified and denotes which entry within the Secret
  4048. resource is used as the app role secret.
  4049. properties:
  4050. key:
  4051. description: |-
  4052. A key in the referenced Secret.
  4053. Some instances of this field may be defaulted, in others it may be required.
  4054. maxLength: 253
  4055. minLength: 1
  4056. pattern: ^[-._a-zA-Z0-9]+$
  4057. type: string
  4058. name:
  4059. description: The name of the Secret resource being referred to.
  4060. maxLength: 253
  4061. minLength: 1
  4062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4063. type: string
  4064. namespace:
  4065. description: |-
  4066. The namespace of the Secret resource being referred to.
  4067. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4068. maxLength: 63
  4069. minLength: 1
  4070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4071. type: string
  4072. type: object
  4073. required:
  4074. - path
  4075. - secretRef
  4076. type: object
  4077. cert:
  4078. description: |-
  4079. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  4080. Cert authentication method
  4081. properties:
  4082. clientCert:
  4083. description: |-
  4084. ClientCert is a certificate to authenticate using the Cert Vault
  4085. authentication method
  4086. properties:
  4087. key:
  4088. description: |-
  4089. A key in the referenced Secret.
  4090. Some instances of this field may be defaulted, in others it may be required.
  4091. maxLength: 253
  4092. minLength: 1
  4093. pattern: ^[-._a-zA-Z0-9]+$
  4094. type: string
  4095. name:
  4096. description: The name of the Secret resource being referred to.
  4097. maxLength: 253
  4098. minLength: 1
  4099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4100. type: string
  4101. namespace:
  4102. description: |-
  4103. The namespace of the Secret resource being referred to.
  4104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4105. maxLength: 63
  4106. minLength: 1
  4107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4108. type: string
  4109. type: object
  4110. path:
  4111. default: cert
  4112. description: |-
  4113. Path where the Certificate authentication backend is mounted
  4114. in Vault, e.g: "cert"
  4115. type: string
  4116. secretRef:
  4117. description: |-
  4118. SecretRef to a key in a Secret resource containing client private key to
  4119. authenticate with Vault using the Cert authentication method
  4120. properties:
  4121. key:
  4122. description: |-
  4123. A key in the referenced Secret.
  4124. Some instances of this field may be defaulted, in others it may be required.
  4125. maxLength: 253
  4126. minLength: 1
  4127. pattern: ^[-._a-zA-Z0-9]+$
  4128. type: string
  4129. name:
  4130. description: The name of the Secret resource being referred to.
  4131. maxLength: 253
  4132. minLength: 1
  4133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4134. type: string
  4135. namespace:
  4136. description: |-
  4137. The namespace of the Secret resource being referred to.
  4138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4139. maxLength: 63
  4140. minLength: 1
  4141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4142. type: string
  4143. type: object
  4144. type: object
  4145. iam:
  4146. description: |-
  4147. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  4148. AWS IAM authentication method
  4149. properties:
  4150. externalID:
  4151. description: AWS External ID set on assumed IAM roles
  4152. type: string
  4153. jwt:
  4154. description: Specify a service account with IRSA enabled
  4155. properties:
  4156. serviceAccountRef:
  4157. description: A reference to a ServiceAccount resource.
  4158. properties:
  4159. audiences:
  4160. description: |-
  4161. Audience specifies the `aud` claim for the service account token
  4162. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4163. then this audiences will be appended to the list
  4164. items:
  4165. type: string
  4166. type: array
  4167. name:
  4168. description: The name of the ServiceAccount resource being referred to.
  4169. maxLength: 253
  4170. minLength: 1
  4171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4172. type: string
  4173. namespace:
  4174. description: |-
  4175. Namespace of the resource being referred to.
  4176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4177. maxLength: 63
  4178. minLength: 1
  4179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4180. type: string
  4181. required:
  4182. - name
  4183. type: object
  4184. type: object
  4185. path:
  4186. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  4187. type: string
  4188. region:
  4189. description: AWS region
  4190. type: string
  4191. role:
  4192. description: This is the AWS role to be assumed before talking to vault
  4193. type: string
  4194. secretRef:
  4195. description: Specify credentials in a Secret object
  4196. properties:
  4197. accessKeyIDSecretRef:
  4198. description: The AccessKeyID is used for authentication
  4199. properties:
  4200. key:
  4201. description: |-
  4202. A key in the referenced Secret.
  4203. Some instances of this field may be defaulted, in others it may be required.
  4204. maxLength: 253
  4205. minLength: 1
  4206. pattern: ^[-._a-zA-Z0-9]+$
  4207. type: string
  4208. name:
  4209. description: The name of the Secret resource being referred to.
  4210. maxLength: 253
  4211. minLength: 1
  4212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4213. type: string
  4214. namespace:
  4215. description: |-
  4216. The namespace of the Secret resource being referred to.
  4217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4218. maxLength: 63
  4219. minLength: 1
  4220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4221. type: string
  4222. type: object
  4223. secretAccessKeySecretRef:
  4224. description: The SecretAccessKey is used for authentication
  4225. properties:
  4226. key:
  4227. description: |-
  4228. A key in the referenced Secret.
  4229. Some instances of this field may be defaulted, in others it may be required.
  4230. maxLength: 253
  4231. minLength: 1
  4232. pattern: ^[-._a-zA-Z0-9]+$
  4233. type: string
  4234. name:
  4235. description: The name of the Secret resource being referred to.
  4236. maxLength: 253
  4237. minLength: 1
  4238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4239. type: string
  4240. namespace:
  4241. description: |-
  4242. The namespace of the Secret resource being referred to.
  4243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4244. maxLength: 63
  4245. minLength: 1
  4246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4247. type: string
  4248. type: object
  4249. sessionTokenSecretRef:
  4250. description: |-
  4251. The SessionToken used for authentication
  4252. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  4253. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  4254. properties:
  4255. key:
  4256. description: |-
  4257. A key in the referenced Secret.
  4258. Some instances of this field may be defaulted, in others it may be required.
  4259. maxLength: 253
  4260. minLength: 1
  4261. pattern: ^[-._a-zA-Z0-9]+$
  4262. type: string
  4263. name:
  4264. description: The name of the Secret resource being referred to.
  4265. maxLength: 253
  4266. minLength: 1
  4267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4268. type: string
  4269. namespace:
  4270. description: |-
  4271. The namespace of the Secret resource being referred to.
  4272. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4273. maxLength: 63
  4274. minLength: 1
  4275. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4276. type: string
  4277. type: object
  4278. type: object
  4279. vaultAwsIamServerID:
  4280. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  4281. type: string
  4282. vaultRole:
  4283. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  4284. type: string
  4285. required:
  4286. - vaultRole
  4287. type: object
  4288. jwt:
  4289. description: |-
  4290. Jwt authenticates with Vault by passing role and JWT token using the
  4291. JWT/OIDC authentication method
  4292. properties:
  4293. kubernetesServiceAccountToken:
  4294. description: |-
  4295. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  4296. a token for with the `TokenRequest` API.
  4297. properties:
  4298. audiences:
  4299. description: |-
  4300. Optional audiences field that will be used to request a temporary Kubernetes service
  4301. account token for the service account referenced by `serviceAccountRef`.
  4302. Defaults to a single audience `vault` it not specified.
  4303. Deprecated: use serviceAccountRef.Audiences instead
  4304. items:
  4305. type: string
  4306. type: array
  4307. expirationSeconds:
  4308. description: |-
  4309. Optional expiration time in seconds that will be used to request a temporary
  4310. Kubernetes service account token for the service account referenced by
  4311. `serviceAccountRef`.
  4312. Deprecated: this will be removed in the future.
  4313. Defaults to 10 minutes.
  4314. format: int64
  4315. type: integer
  4316. serviceAccountRef:
  4317. description: Service account field containing the name of a kubernetes ServiceAccount.
  4318. properties:
  4319. audiences:
  4320. description: |-
  4321. Audience specifies the `aud` claim for the service account token
  4322. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4323. then this audiences will be appended to the list
  4324. items:
  4325. type: string
  4326. type: array
  4327. name:
  4328. description: The name of the ServiceAccount resource being referred to.
  4329. maxLength: 253
  4330. minLength: 1
  4331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4332. type: string
  4333. namespace:
  4334. description: |-
  4335. Namespace of the resource being referred to.
  4336. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4337. maxLength: 63
  4338. minLength: 1
  4339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4340. type: string
  4341. required:
  4342. - name
  4343. type: object
  4344. required:
  4345. - serviceAccountRef
  4346. type: object
  4347. path:
  4348. default: jwt
  4349. description: |-
  4350. Path where the JWT authentication backend is mounted
  4351. in Vault, e.g: "jwt"
  4352. type: string
  4353. role:
  4354. description: |-
  4355. Role is a JWT role to authenticate using the JWT/OIDC Vault
  4356. authentication method
  4357. type: string
  4358. secretRef:
  4359. description: |-
  4360. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  4361. authenticate with Vault using the JWT/OIDC authentication method.
  4362. properties:
  4363. key:
  4364. description: |-
  4365. A key in the referenced Secret.
  4366. Some instances of this field may be defaulted, in others it may be required.
  4367. maxLength: 253
  4368. minLength: 1
  4369. pattern: ^[-._a-zA-Z0-9]+$
  4370. type: string
  4371. name:
  4372. description: The name of the Secret resource being referred to.
  4373. maxLength: 253
  4374. minLength: 1
  4375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4376. type: string
  4377. namespace:
  4378. description: |-
  4379. The namespace of the Secret resource being referred to.
  4380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4381. maxLength: 63
  4382. minLength: 1
  4383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4384. type: string
  4385. type: object
  4386. required:
  4387. - path
  4388. type: object
  4389. kubernetes:
  4390. description: |-
  4391. Kubernetes authenticates with Vault by passing the ServiceAccount
  4392. token stored in the named Secret resource to the Vault server.
  4393. properties:
  4394. mountPath:
  4395. default: kubernetes
  4396. description: |-
  4397. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  4398. "kubernetes"
  4399. type: string
  4400. role:
  4401. description: |-
  4402. A required field containing the Vault Role to assume. A Role binds a
  4403. Kubernetes ServiceAccount with a set of Vault policies.
  4404. type: string
  4405. secretRef:
  4406. description: |-
  4407. Optional secret field containing a Kubernetes ServiceAccount JWT used
  4408. for authenticating with Vault. If a name is specified without a key,
  4409. `token` is the default. If one is not specified, the one bound to
  4410. the controller will be used.
  4411. properties:
  4412. key:
  4413. description: |-
  4414. A key in the referenced Secret.
  4415. Some instances of this field may be defaulted, in others it may be required.
  4416. maxLength: 253
  4417. minLength: 1
  4418. pattern: ^[-._a-zA-Z0-9]+$
  4419. type: string
  4420. name:
  4421. description: The name of the Secret resource being referred to.
  4422. maxLength: 253
  4423. minLength: 1
  4424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4425. type: string
  4426. namespace:
  4427. description: |-
  4428. The namespace of the Secret resource being referred to.
  4429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4430. maxLength: 63
  4431. minLength: 1
  4432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4433. type: string
  4434. type: object
  4435. serviceAccountRef:
  4436. description: |-
  4437. Optional service account field containing the name of a kubernetes ServiceAccount.
  4438. If the service account is specified, the service account secret token JWT will be used
  4439. for authenticating with Vault. If the service account selector is not supplied,
  4440. the secretRef will be used instead.
  4441. properties:
  4442. audiences:
  4443. description: |-
  4444. Audience specifies the `aud` claim for the service account token
  4445. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4446. then this audiences will be appended to the list
  4447. items:
  4448. type: string
  4449. type: array
  4450. name:
  4451. description: The name of the ServiceAccount resource being referred to.
  4452. maxLength: 253
  4453. minLength: 1
  4454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4455. type: string
  4456. namespace:
  4457. description: |-
  4458. Namespace of the resource being referred to.
  4459. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4460. maxLength: 63
  4461. minLength: 1
  4462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4463. type: string
  4464. required:
  4465. - name
  4466. type: object
  4467. required:
  4468. - mountPath
  4469. - role
  4470. type: object
  4471. ldap:
  4472. description: |-
  4473. Ldap authenticates with Vault by passing username/password pair using
  4474. the LDAP authentication method
  4475. properties:
  4476. path:
  4477. default: ldap
  4478. description: |-
  4479. Path where the LDAP authentication backend is mounted
  4480. in Vault, e.g: "ldap"
  4481. type: string
  4482. secretRef:
  4483. description: |-
  4484. SecretRef to a key in a Secret resource containing password for the LDAP
  4485. user used to authenticate with Vault using the LDAP authentication
  4486. method
  4487. properties:
  4488. key:
  4489. description: |-
  4490. A key in the referenced Secret.
  4491. Some instances of this field may be defaulted, in others it may be required.
  4492. maxLength: 253
  4493. minLength: 1
  4494. pattern: ^[-._a-zA-Z0-9]+$
  4495. type: string
  4496. name:
  4497. description: The name of the Secret resource being referred to.
  4498. maxLength: 253
  4499. minLength: 1
  4500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4501. type: string
  4502. namespace:
  4503. description: |-
  4504. The namespace of the Secret resource being referred to.
  4505. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4506. maxLength: 63
  4507. minLength: 1
  4508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4509. type: string
  4510. type: object
  4511. username:
  4512. description: |-
  4513. Username is an LDAP username used to authenticate using the LDAP Vault
  4514. authentication method
  4515. type: string
  4516. required:
  4517. - path
  4518. - username
  4519. type: object
  4520. namespace:
  4521. description: |-
  4522. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  4523. Namespaces is a set of features within Vault Enterprise that allows
  4524. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4525. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4526. This will default to Vault.Namespace field if set, or empty otherwise
  4527. type: string
  4528. tokenSecretRef:
  4529. description: TokenSecretRef authenticates with Vault by presenting a token.
  4530. properties:
  4531. key:
  4532. description: |-
  4533. A key in the referenced Secret.
  4534. Some instances of this field may be defaulted, in others it may be required.
  4535. maxLength: 253
  4536. minLength: 1
  4537. pattern: ^[-._a-zA-Z0-9]+$
  4538. type: string
  4539. name:
  4540. description: The name of the Secret resource being referred to.
  4541. maxLength: 253
  4542. minLength: 1
  4543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4544. type: string
  4545. namespace:
  4546. description: |-
  4547. The namespace of the Secret resource being referred to.
  4548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4549. maxLength: 63
  4550. minLength: 1
  4551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4552. type: string
  4553. type: object
  4554. userPass:
  4555. description: UserPass authenticates with Vault by passing username/password pair
  4556. properties:
  4557. path:
  4558. default: userpass
  4559. description: |-
  4560. Path where the UserPassword authentication backend is mounted
  4561. in Vault, e.g: "userpass"
  4562. type: string
  4563. secretRef:
  4564. description: |-
  4565. SecretRef to a key in a Secret resource containing password for the
  4566. user used to authenticate with Vault using the UserPass authentication
  4567. method
  4568. properties:
  4569. key:
  4570. description: |-
  4571. A key in the referenced Secret.
  4572. Some instances of this field may be defaulted, in others it may be required.
  4573. maxLength: 253
  4574. minLength: 1
  4575. pattern: ^[-._a-zA-Z0-9]+$
  4576. type: string
  4577. name:
  4578. description: The name of the Secret resource being referred to.
  4579. maxLength: 253
  4580. minLength: 1
  4581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4582. type: string
  4583. namespace:
  4584. description: |-
  4585. The namespace of the Secret resource being referred to.
  4586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4587. maxLength: 63
  4588. minLength: 1
  4589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4590. type: string
  4591. type: object
  4592. username:
  4593. description: |-
  4594. Username is a username used to authenticate using the UserPass Vault
  4595. authentication method
  4596. type: string
  4597. required:
  4598. - path
  4599. - username
  4600. type: object
  4601. type: object
  4602. caBundle:
  4603. description: |-
  4604. PEM encoded CA bundle used to validate Vault server certificate. Only used
  4605. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4606. plain HTTP protocol connection. If not set the system root certificates
  4607. are used to validate the TLS connection.
  4608. format: byte
  4609. type: string
  4610. caProvider:
  4611. description: The provider for the CA bundle to use to validate Vault server certificate.
  4612. properties:
  4613. key:
  4614. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4615. maxLength: 253
  4616. minLength: 1
  4617. pattern: ^[-._a-zA-Z0-9]+$
  4618. type: string
  4619. name:
  4620. description: The name of the object located at the provider type.
  4621. maxLength: 253
  4622. minLength: 1
  4623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4624. type: string
  4625. namespace:
  4626. description: |-
  4627. The namespace the Provider type is in.
  4628. Can only be defined when used in a ClusterSecretStore.
  4629. maxLength: 63
  4630. minLength: 1
  4631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4632. type: string
  4633. type:
  4634. description: The type of provider to use such as "Secret", or "ConfigMap".
  4635. enum:
  4636. - Secret
  4637. - ConfigMap
  4638. type: string
  4639. required:
  4640. - name
  4641. - type
  4642. type: object
  4643. checkAndSet:
  4644. description: |-
  4645. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  4646. Only applies to Vault KV v2 stores. When enabled, write operations must include
  4647. the current version of the secret to prevent unintentional overwrites.
  4648. properties:
  4649. required:
  4650. description: |-
  4651. Required when true, all write operations must include a check-and-set parameter.
  4652. This helps prevent unintentional overwrites of secrets.
  4653. type: boolean
  4654. type: object
  4655. forwardInconsistent:
  4656. description: |-
  4657. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  4658. leader instead of simply retrying within a loop. This can increase performance if
  4659. the option is enabled serverside.
  4660. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4661. type: boolean
  4662. headers:
  4663. additionalProperties:
  4664. type: string
  4665. description: Headers to be added in Vault request
  4666. type: object
  4667. namespace:
  4668. description: |-
  4669. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  4670. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4671. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4672. type: string
  4673. path:
  4674. description: |-
  4675. Path is the mount path of the Vault KV backend endpoint, e.g:
  4676. "secret". The v2 KV secret engine version specific "/data" path suffix
  4677. for fetching secrets from Vault is optional and will be appended
  4678. if not present in specified path.
  4679. type: string
  4680. readYourWrites:
  4681. description: |-
  4682. ReadYourWrites ensures isolated read-after-write semantics by
  4683. providing discovered cluster replication states in each request.
  4684. More information about eventual consistency in Vault can be found here
  4685. https://www.vaultproject.io/docs/enterprise/consistency
  4686. type: boolean
  4687. server:
  4688. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4689. type: string
  4690. tls:
  4691. description: |-
  4692. The configuration used for client side related TLS communication, when the Vault server
  4693. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  4694. This parameter is ignored for plain HTTP protocol connection.
  4695. It's worth noting this configuration is different from the "TLS certificates auth method",
  4696. which is available under the `auth.cert` section.
  4697. properties:
  4698. certSecretRef:
  4699. description: |-
  4700. CertSecretRef is a certificate added to the transport layer
  4701. when communicating with the Vault server.
  4702. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  4703. properties:
  4704. key:
  4705. description: |-
  4706. A key in the referenced Secret.
  4707. Some instances of this field may be defaulted, in others it may be required.
  4708. maxLength: 253
  4709. minLength: 1
  4710. pattern: ^[-._a-zA-Z0-9]+$
  4711. type: string
  4712. name:
  4713. description: The name of the Secret resource being referred to.
  4714. maxLength: 253
  4715. minLength: 1
  4716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4717. type: string
  4718. namespace:
  4719. description: |-
  4720. The namespace of the Secret resource being referred to.
  4721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4722. maxLength: 63
  4723. minLength: 1
  4724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4725. type: string
  4726. type: object
  4727. keySecretRef:
  4728. description: |-
  4729. KeySecretRef to a key in a Secret resource containing client private key
  4730. added to the transport layer when communicating with the Vault server.
  4731. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  4732. properties:
  4733. key:
  4734. description: |-
  4735. A key in the referenced Secret.
  4736. Some instances of this field may be defaulted, in others it may be required.
  4737. maxLength: 253
  4738. minLength: 1
  4739. pattern: ^[-._a-zA-Z0-9]+$
  4740. type: string
  4741. name:
  4742. description: The name of the Secret resource being referred to.
  4743. maxLength: 253
  4744. minLength: 1
  4745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4746. type: string
  4747. namespace:
  4748. description: |-
  4749. The namespace of the Secret resource being referred to.
  4750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4751. maxLength: 63
  4752. minLength: 1
  4753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4754. type: string
  4755. type: object
  4756. type: object
  4757. version:
  4758. default: v2
  4759. description: |-
  4760. Version is the Vault KV secret engine version. This can be either "v1" or
  4761. "v2". Version defaults to "v2".
  4762. enum:
  4763. - v1
  4764. - v2
  4765. type: string
  4766. required:
  4767. - server
  4768. type: object
  4769. volcengine:
  4770. description: Volcengine configures this store to sync secrets using the Volcengine provider
  4771. properties:
  4772. auth:
  4773. description: |-
  4774. Auth defines the authentication method to use.
  4775. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  4776. properties:
  4777. secretRef:
  4778. description: |-
  4779. SecretRef defines the static credentials to use for authentication.
  4780. If not set, IRSA is used.
  4781. properties:
  4782. accessKeyID:
  4783. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  4784. properties:
  4785. key:
  4786. description: |-
  4787. A key in the referenced Secret.
  4788. Some instances of this field may be defaulted, in others it may be required.
  4789. maxLength: 253
  4790. minLength: 1
  4791. pattern: ^[-._a-zA-Z0-9]+$
  4792. type: string
  4793. name:
  4794. description: The name of the Secret resource being referred to.
  4795. maxLength: 253
  4796. minLength: 1
  4797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4798. type: string
  4799. namespace:
  4800. description: |-
  4801. The namespace of the Secret resource being referred to.
  4802. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4803. maxLength: 63
  4804. minLength: 1
  4805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4806. type: string
  4807. type: object
  4808. secretAccessKey:
  4809. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  4810. properties:
  4811. key:
  4812. description: |-
  4813. A key in the referenced Secret.
  4814. Some instances of this field may be defaulted, in others it may be required.
  4815. maxLength: 253
  4816. minLength: 1
  4817. pattern: ^[-._a-zA-Z0-9]+$
  4818. type: string
  4819. name:
  4820. description: The name of the Secret resource being referred to.
  4821. maxLength: 253
  4822. minLength: 1
  4823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4824. type: string
  4825. namespace:
  4826. description: |-
  4827. The namespace of the Secret resource being referred to.
  4828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4829. maxLength: 63
  4830. minLength: 1
  4831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4832. type: string
  4833. type: object
  4834. token:
  4835. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  4836. properties:
  4837. key:
  4838. description: |-
  4839. A key in the referenced Secret.
  4840. Some instances of this field may be defaulted, in others it may be required.
  4841. maxLength: 253
  4842. minLength: 1
  4843. pattern: ^[-._a-zA-Z0-9]+$
  4844. type: string
  4845. name:
  4846. description: The name of the Secret resource being referred to.
  4847. maxLength: 253
  4848. minLength: 1
  4849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4850. type: string
  4851. namespace:
  4852. description: |-
  4853. The namespace of the Secret resource being referred to.
  4854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4855. maxLength: 63
  4856. minLength: 1
  4857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4858. type: string
  4859. type: object
  4860. required:
  4861. - accessKeyID
  4862. - secretAccessKey
  4863. type: object
  4864. type: object
  4865. region:
  4866. description: Region specifies the Volcengine region to connect to.
  4867. type: string
  4868. required:
  4869. - region
  4870. type: object
  4871. webhook:
  4872. description: Webhook configures this store to sync secrets using a generic templated webhook
  4873. properties:
  4874. auth:
  4875. description: Auth specifies a authorization protocol. Only one protocol may be set.
  4876. maxProperties: 1
  4877. minProperties: 1
  4878. properties:
  4879. ntlm:
  4880. description: NTLMProtocol configures the store to use NTLM for auth
  4881. properties:
  4882. passwordSecret:
  4883. description: |-
  4884. A reference to a specific 'key' within a Secret resource.
  4885. In some instances, `key` is a required field.
  4886. properties:
  4887. key:
  4888. description: |-
  4889. A key in the referenced Secret.
  4890. Some instances of this field may be defaulted, in others it may be required.
  4891. maxLength: 253
  4892. minLength: 1
  4893. pattern: ^[-._a-zA-Z0-9]+$
  4894. type: string
  4895. name:
  4896. description: The name of the Secret resource being referred to.
  4897. maxLength: 253
  4898. minLength: 1
  4899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4900. type: string
  4901. namespace:
  4902. description: |-
  4903. The namespace of the Secret resource being referred to.
  4904. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4905. maxLength: 63
  4906. minLength: 1
  4907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4908. type: string
  4909. type: object
  4910. usernameSecret:
  4911. description: |-
  4912. A reference to a specific 'key' within a Secret resource.
  4913. In some instances, `key` is a required field.
  4914. properties:
  4915. key:
  4916. description: |-
  4917. A key in the referenced Secret.
  4918. Some instances of this field may be defaulted, in others it may be required.
  4919. maxLength: 253
  4920. minLength: 1
  4921. pattern: ^[-._a-zA-Z0-9]+$
  4922. type: string
  4923. name:
  4924. description: The name of the Secret resource being referred to.
  4925. maxLength: 253
  4926. minLength: 1
  4927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4928. type: string
  4929. namespace:
  4930. description: |-
  4931. The namespace of the Secret resource being referred to.
  4932. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4933. maxLength: 63
  4934. minLength: 1
  4935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4936. type: string
  4937. type: object
  4938. required:
  4939. - passwordSecret
  4940. - usernameSecret
  4941. type: object
  4942. type: object
  4943. body:
  4944. description: Body
  4945. type: string
  4946. caBundle:
  4947. description: |-
  4948. PEM encoded CA bundle used to validate webhook server certificate. Only used
  4949. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4950. plain HTTP protocol connection. If not set the system root certificates
  4951. are used to validate the TLS connection.
  4952. format: byte
  4953. type: string
  4954. caProvider:
  4955. description: The provider for the CA bundle to use to validate webhook server certificate.
  4956. properties:
  4957. key:
  4958. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4959. maxLength: 253
  4960. minLength: 1
  4961. pattern: ^[-._a-zA-Z0-9]+$
  4962. type: string
  4963. name:
  4964. description: The name of the object located at the provider type.
  4965. maxLength: 253
  4966. minLength: 1
  4967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4968. type: string
  4969. namespace:
  4970. description: The namespace the Provider type is in.
  4971. maxLength: 63
  4972. minLength: 1
  4973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4974. type: string
  4975. type:
  4976. description: The type of provider to use such as "Secret", or "ConfigMap".
  4977. enum:
  4978. - Secret
  4979. - ConfigMap
  4980. type: string
  4981. required:
  4982. - name
  4983. - type
  4984. type: object
  4985. headers:
  4986. additionalProperties:
  4987. type: string
  4988. description: Headers
  4989. type: object
  4990. method:
  4991. description: Webhook Method
  4992. type: string
  4993. result:
  4994. description: Result formatting
  4995. properties:
  4996. jsonPath:
  4997. description: Json path of return value
  4998. type: string
  4999. type: object
  5000. secrets:
  5001. description: |-
  5002. Secrets to fill in templates
  5003. These secrets will be passed to the templating function as key value pairs under the given name
  5004. items:
  5005. properties:
  5006. name:
  5007. description: Name of this secret in templates
  5008. type: string
  5009. secretRef:
  5010. description: Secret ref to fill in credentials
  5011. properties:
  5012. key:
  5013. description: |-
  5014. A key in the referenced Secret.
  5015. Some instances of this field may be defaulted, in others it may be required.
  5016. maxLength: 253
  5017. minLength: 1
  5018. pattern: ^[-._a-zA-Z0-9]+$
  5019. type: string
  5020. name:
  5021. description: The name of the Secret resource being referred to.
  5022. maxLength: 253
  5023. minLength: 1
  5024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5025. type: string
  5026. namespace:
  5027. description: |-
  5028. The namespace of the Secret resource being referred to.
  5029. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5030. maxLength: 63
  5031. minLength: 1
  5032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5033. type: string
  5034. type: object
  5035. required:
  5036. - name
  5037. - secretRef
  5038. type: object
  5039. type: array
  5040. timeout:
  5041. description: Timeout
  5042. type: string
  5043. url:
  5044. description: Webhook url to call
  5045. type: string
  5046. required:
  5047. - result
  5048. - url
  5049. type: object
  5050. yandexcertificatemanager:
  5051. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5052. properties:
  5053. apiEndpoint:
  5054. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5055. type: string
  5056. auth:
  5057. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  5058. properties:
  5059. authorizedKeySecretRef:
  5060. description: The authorized key used for authentication
  5061. properties:
  5062. key:
  5063. description: |-
  5064. A key in the referenced Secret.
  5065. Some instances of this field may be defaulted, in others it may be required.
  5066. maxLength: 253
  5067. minLength: 1
  5068. pattern: ^[-._a-zA-Z0-9]+$
  5069. type: string
  5070. name:
  5071. description: The name of the Secret resource being referred to.
  5072. maxLength: 253
  5073. minLength: 1
  5074. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5075. type: string
  5076. namespace:
  5077. description: |-
  5078. The namespace of the Secret resource being referred to.
  5079. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5080. maxLength: 63
  5081. minLength: 1
  5082. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5083. type: string
  5084. type: object
  5085. type: object
  5086. caProvider:
  5087. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5088. properties:
  5089. certSecretRef:
  5090. description: |-
  5091. A reference to a specific 'key' within a Secret resource.
  5092. In some instances, `key` is a required field.
  5093. properties:
  5094. key:
  5095. description: |-
  5096. A key in the referenced Secret.
  5097. Some instances of this field may be defaulted, in others it may be required.
  5098. maxLength: 253
  5099. minLength: 1
  5100. pattern: ^[-._a-zA-Z0-9]+$
  5101. type: string
  5102. name:
  5103. description: The name of the Secret resource being referred to.
  5104. maxLength: 253
  5105. minLength: 1
  5106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5107. type: string
  5108. namespace:
  5109. description: |-
  5110. The namespace of the Secret resource being referred to.
  5111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5112. maxLength: 63
  5113. minLength: 1
  5114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5115. type: string
  5116. type: object
  5117. type: object
  5118. fetching:
  5119. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  5120. maxProperties: 1
  5121. minProperties: 1
  5122. properties:
  5123. byID:
  5124. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  5125. type: object
  5126. byName:
  5127. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  5128. properties:
  5129. folderID:
  5130. description: The folder to fetch secrets from
  5131. type: string
  5132. required:
  5133. - folderID
  5134. type: object
  5135. type: object
  5136. required:
  5137. - auth
  5138. type: object
  5139. yandexlockbox:
  5140. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5141. properties:
  5142. apiEndpoint:
  5143. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5144. type: string
  5145. auth:
  5146. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  5147. properties:
  5148. authorizedKeySecretRef:
  5149. description: The authorized key used for authentication
  5150. properties:
  5151. key:
  5152. description: |-
  5153. A key in the referenced Secret.
  5154. Some instances of this field may be defaulted, in others it may be required.
  5155. maxLength: 253
  5156. minLength: 1
  5157. pattern: ^[-._a-zA-Z0-9]+$
  5158. type: string
  5159. name:
  5160. description: The name of the Secret resource being referred to.
  5161. maxLength: 253
  5162. minLength: 1
  5163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5164. type: string
  5165. namespace:
  5166. description: |-
  5167. The namespace of the Secret resource being referred to.
  5168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5169. maxLength: 63
  5170. minLength: 1
  5171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5172. type: string
  5173. type: object
  5174. type: object
  5175. caProvider:
  5176. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5177. properties:
  5178. certSecretRef:
  5179. description: |-
  5180. A reference to a specific 'key' within a Secret resource.
  5181. In some instances, `key` is a required field.
  5182. properties:
  5183. key:
  5184. description: |-
  5185. A key in the referenced Secret.
  5186. Some instances of this field may be defaulted, in others it may be required.
  5187. maxLength: 253
  5188. minLength: 1
  5189. pattern: ^[-._a-zA-Z0-9]+$
  5190. type: string
  5191. name:
  5192. description: The name of the Secret resource being referred to.
  5193. maxLength: 253
  5194. minLength: 1
  5195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5196. type: string
  5197. namespace:
  5198. description: |-
  5199. The namespace of the Secret resource being referred to.
  5200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5201. maxLength: 63
  5202. minLength: 1
  5203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5204. type: string
  5205. type: object
  5206. type: object
  5207. fetching:
  5208. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  5209. maxProperties: 1
  5210. minProperties: 1
  5211. properties:
  5212. byID:
  5213. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  5214. type: object
  5215. byName:
  5216. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  5217. properties:
  5218. folderID:
  5219. description: The folder to fetch secrets from
  5220. type: string
  5221. required:
  5222. - folderID
  5223. type: object
  5224. type: object
  5225. required:
  5226. - auth
  5227. type: object
  5228. type: object
  5229. refreshInterval:
  5230. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5231. type: integer
  5232. retrySettings:
  5233. description: Used to configure http retries if failed
  5234. properties:
  5235. maxRetries:
  5236. format: int32
  5237. type: integer
  5238. retryInterval:
  5239. type: string
  5240. type: object
  5241. required:
  5242. - provider
  5243. type: object
  5244. status:
  5245. description: SecretStoreStatus defines the observed state of the SecretStore.
  5246. properties:
  5247. capabilities:
  5248. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5249. type: string
  5250. conditions:
  5251. items:
  5252. properties:
  5253. lastTransitionTime:
  5254. format: date-time
  5255. type: string
  5256. message:
  5257. type: string
  5258. reason:
  5259. type: string
  5260. status:
  5261. type: string
  5262. type:
  5263. type: string
  5264. required:
  5265. - status
  5266. - type
  5267. type: object
  5268. type: array
  5269. type: object
  5270. type: object
  5271. served: true
  5272. storage: true
  5273. subresources:
  5274. status: {}
  5275. - additionalPrinterColumns:
  5276. - jsonPath: .metadata.creationTimestamp
  5277. name: AGE
  5278. type: date
  5279. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5280. name: Status
  5281. type: string
  5282. - jsonPath: .status.capabilities
  5283. name: Capabilities
  5284. type: string
  5285. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5286. name: Ready
  5287. type: string
  5288. deprecated: true
  5289. name: v1beta1
  5290. schema:
  5291. openAPIV3Schema:
  5292. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  5293. properties:
  5294. apiVersion:
  5295. description: |-
  5296. APIVersion defines the versioned schema of this representation of an object.
  5297. Servers should convert recognized schemas to the latest internal value, and
  5298. may reject unrecognized values.
  5299. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5300. type: string
  5301. kind:
  5302. description: |-
  5303. Kind is a string value representing the REST resource this object represents.
  5304. Servers may infer this from the endpoint the client submits requests to.
  5305. Cannot be updated.
  5306. In CamelCase.
  5307. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5308. type: string
  5309. metadata:
  5310. type: object
  5311. spec:
  5312. description: SecretStoreSpec defines the desired state of SecretStore.
  5313. properties:
  5314. conditions:
  5315. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  5316. items:
  5317. description: |-
  5318. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  5319. for a ClusterSecretStore instance.
  5320. properties:
  5321. namespaceRegexes:
  5322. description: Choose namespaces by using regex matching
  5323. items:
  5324. type: string
  5325. type: array
  5326. namespaceSelector:
  5327. description: Choose namespace using a labelSelector
  5328. properties:
  5329. matchExpressions:
  5330. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  5331. items:
  5332. description: |-
  5333. A label selector requirement is a selector that contains values, a key, and an operator that
  5334. relates the key and values.
  5335. properties:
  5336. key:
  5337. description: key is the label key that the selector applies to.
  5338. type: string
  5339. operator:
  5340. description: |-
  5341. operator represents a key's relationship to a set of values.
  5342. Valid operators are In, NotIn, Exists and DoesNotExist.
  5343. type: string
  5344. values:
  5345. description: |-
  5346. values is an array of string values. If the operator is In or NotIn,
  5347. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  5348. the values array must be empty. This array is replaced during a strategic
  5349. merge patch.
  5350. items:
  5351. type: string
  5352. type: array
  5353. x-kubernetes-list-type: atomic
  5354. required:
  5355. - key
  5356. - operator
  5357. type: object
  5358. type: array
  5359. x-kubernetes-list-type: atomic
  5360. matchLabels:
  5361. additionalProperties:
  5362. type: string
  5363. description: |-
  5364. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  5365. map is equivalent to an element of matchExpressions, whose key field is "key", the
  5366. operator is "In", and the values array contains only "value". The requirements are ANDed.
  5367. type: object
  5368. type: object
  5369. x-kubernetes-map-type: atomic
  5370. namespaces:
  5371. description: Choose namespaces by name
  5372. items:
  5373. maxLength: 63
  5374. minLength: 1
  5375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5376. type: string
  5377. type: array
  5378. type: object
  5379. type: array
  5380. controller:
  5381. description: |-
  5382. Used to select the correct ESO controller (think: ingress.ingressClassName)
  5383. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  5384. type: string
  5385. provider:
  5386. description: Used to configure the provider. Only one provider may be set
  5387. maxProperties: 1
  5388. minProperties: 1
  5389. properties:
  5390. akeyless:
  5391. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  5392. properties:
  5393. akeylessGWApiURL:
  5394. description: Akeyless GW API Url from which the secrets to be fetched from.
  5395. type: string
  5396. authSecretRef:
  5397. description: Auth configures how the operator authenticates with Akeyless.
  5398. properties:
  5399. kubernetesAuth:
  5400. description: |-
  5401. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  5402. token stored in the named Secret resource.
  5403. properties:
  5404. accessID:
  5405. description: the Akeyless Kubernetes auth-method access-id
  5406. type: string
  5407. k8sConfName:
  5408. description: Kubernetes-auth configuration name in Akeyless-Gateway
  5409. type: string
  5410. secretRef:
  5411. description: |-
  5412. Optional secret field containing a Kubernetes ServiceAccount JWT used
  5413. for authenticating with Akeyless. If a name is specified without a key,
  5414. `token` is the default. If one is not specified, the one bound to
  5415. the controller will be used.
  5416. properties:
  5417. key:
  5418. description: |-
  5419. A key in the referenced Secret.
  5420. Some instances of this field may be defaulted, in others it may be required.
  5421. maxLength: 253
  5422. minLength: 1
  5423. pattern: ^[-._a-zA-Z0-9]+$
  5424. type: string
  5425. name:
  5426. description: The name of the Secret resource being referred to.
  5427. maxLength: 253
  5428. minLength: 1
  5429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5430. type: string
  5431. namespace:
  5432. description: |-
  5433. The namespace of the Secret resource being referred to.
  5434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5435. maxLength: 63
  5436. minLength: 1
  5437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5438. type: string
  5439. type: object
  5440. serviceAccountRef:
  5441. description: |-
  5442. Optional service account field containing the name of a kubernetes ServiceAccount.
  5443. If the service account is specified, the service account secret token JWT will be used
  5444. for authenticating with Akeyless. If the service account selector is not supplied,
  5445. the secretRef will be used instead.
  5446. properties:
  5447. audiences:
  5448. description: |-
  5449. Audience specifies the `aud` claim for the service account token
  5450. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5451. then this audiences will be appended to the list
  5452. items:
  5453. type: string
  5454. type: array
  5455. name:
  5456. description: The name of the ServiceAccount resource being referred to.
  5457. maxLength: 253
  5458. minLength: 1
  5459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5460. type: string
  5461. namespace:
  5462. description: |-
  5463. Namespace of the resource being referred to.
  5464. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5465. maxLength: 63
  5466. minLength: 1
  5467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5468. type: string
  5469. required:
  5470. - name
  5471. type: object
  5472. required:
  5473. - accessID
  5474. - k8sConfName
  5475. type: object
  5476. secretRef:
  5477. description: |-
  5478. Reference to a Secret that contains the details
  5479. to authenticate with Akeyless.
  5480. properties:
  5481. accessID:
  5482. description: The SecretAccessID is used for authentication
  5483. properties:
  5484. key:
  5485. description: |-
  5486. A key in the referenced Secret.
  5487. Some instances of this field may be defaulted, in others it may be required.
  5488. maxLength: 253
  5489. minLength: 1
  5490. pattern: ^[-._a-zA-Z0-9]+$
  5491. type: string
  5492. name:
  5493. description: The name of the Secret resource being referred to.
  5494. maxLength: 253
  5495. minLength: 1
  5496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5497. type: string
  5498. namespace:
  5499. description: |-
  5500. The namespace of the Secret resource being referred to.
  5501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5502. maxLength: 63
  5503. minLength: 1
  5504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5505. type: string
  5506. type: object
  5507. accessType:
  5508. description: |-
  5509. A reference to a specific 'key' within a Secret resource.
  5510. In some instances, `key` is a required field.
  5511. properties:
  5512. key:
  5513. description: |-
  5514. A key in the referenced Secret.
  5515. Some instances of this field may be defaulted, in others it may be required.
  5516. maxLength: 253
  5517. minLength: 1
  5518. pattern: ^[-._a-zA-Z0-9]+$
  5519. type: string
  5520. name:
  5521. description: The name of the Secret resource being referred to.
  5522. maxLength: 253
  5523. minLength: 1
  5524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5525. type: string
  5526. namespace:
  5527. description: |-
  5528. The namespace of the Secret resource being referred to.
  5529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5530. maxLength: 63
  5531. minLength: 1
  5532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5533. type: string
  5534. type: object
  5535. accessTypeParam:
  5536. description: |-
  5537. A reference to a specific 'key' within a Secret resource.
  5538. In some instances, `key` is a required field.
  5539. properties:
  5540. key:
  5541. description: |-
  5542. A key in the referenced Secret.
  5543. Some instances of this field may be defaulted, in others it may be required.
  5544. maxLength: 253
  5545. minLength: 1
  5546. pattern: ^[-._a-zA-Z0-9]+$
  5547. type: string
  5548. name:
  5549. description: The name of the Secret resource being referred to.
  5550. maxLength: 253
  5551. minLength: 1
  5552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5553. type: string
  5554. namespace:
  5555. description: |-
  5556. The namespace of the Secret resource being referred to.
  5557. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5558. maxLength: 63
  5559. minLength: 1
  5560. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5561. type: string
  5562. type: object
  5563. type: object
  5564. type: object
  5565. caBundle:
  5566. description: |-
  5567. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  5568. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  5569. are used to validate the TLS connection.
  5570. format: byte
  5571. type: string
  5572. caProvider:
  5573. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  5574. properties:
  5575. key:
  5576. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5577. maxLength: 253
  5578. minLength: 1
  5579. pattern: ^[-._a-zA-Z0-9]+$
  5580. type: string
  5581. name:
  5582. description: The name of the object located at the provider type.
  5583. maxLength: 253
  5584. minLength: 1
  5585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5586. type: string
  5587. namespace:
  5588. description: |-
  5589. The namespace the Provider type is in.
  5590. Can only be defined when used in a ClusterSecretStore.
  5591. maxLength: 63
  5592. minLength: 1
  5593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5594. type: string
  5595. type:
  5596. description: The type of provider to use such as "Secret", or "ConfigMap".
  5597. enum:
  5598. - Secret
  5599. - ConfigMap
  5600. type: string
  5601. required:
  5602. - name
  5603. - type
  5604. type: object
  5605. required:
  5606. - akeylessGWApiURL
  5607. - authSecretRef
  5608. type: object
  5609. alibaba:
  5610. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  5611. properties:
  5612. auth:
  5613. description: AlibabaAuth contains a secretRef for credentials.
  5614. properties:
  5615. rrsa:
  5616. description: Authenticate against Alibaba using RRSA.
  5617. properties:
  5618. oidcProviderArn:
  5619. type: string
  5620. oidcTokenFilePath:
  5621. type: string
  5622. roleArn:
  5623. type: string
  5624. sessionName:
  5625. type: string
  5626. required:
  5627. - oidcProviderArn
  5628. - oidcTokenFilePath
  5629. - roleArn
  5630. - sessionName
  5631. type: object
  5632. secretRef:
  5633. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  5634. properties:
  5635. accessKeyIDSecretRef:
  5636. description: The AccessKeyID is used for authentication
  5637. properties:
  5638. key:
  5639. description: |-
  5640. A key in the referenced Secret.
  5641. Some instances of this field may be defaulted, in others it may be required.
  5642. maxLength: 253
  5643. minLength: 1
  5644. pattern: ^[-._a-zA-Z0-9]+$
  5645. type: string
  5646. name:
  5647. description: The name of the Secret resource being referred to.
  5648. maxLength: 253
  5649. minLength: 1
  5650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5651. type: string
  5652. namespace:
  5653. description: |-
  5654. The namespace of the Secret resource being referred to.
  5655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5656. maxLength: 63
  5657. minLength: 1
  5658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5659. type: string
  5660. type: object
  5661. accessKeySecretSecretRef:
  5662. description: The AccessKeySecret is used for authentication
  5663. properties:
  5664. key:
  5665. description: |-
  5666. A key in the referenced Secret.
  5667. Some instances of this field may be defaulted, in others it may be required.
  5668. maxLength: 253
  5669. minLength: 1
  5670. pattern: ^[-._a-zA-Z0-9]+$
  5671. type: string
  5672. name:
  5673. description: The name of the Secret resource being referred to.
  5674. maxLength: 253
  5675. minLength: 1
  5676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5677. type: string
  5678. namespace:
  5679. description: |-
  5680. The namespace of the Secret resource being referred to.
  5681. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5682. maxLength: 63
  5683. minLength: 1
  5684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5685. type: string
  5686. type: object
  5687. required:
  5688. - accessKeyIDSecretRef
  5689. - accessKeySecretSecretRef
  5690. type: object
  5691. type: object
  5692. regionID:
  5693. description: Alibaba Region to be used for the provider
  5694. type: string
  5695. required:
  5696. - auth
  5697. - regionID
  5698. type: object
  5699. aws:
  5700. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  5701. properties:
  5702. additionalRoles:
  5703. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  5704. items:
  5705. type: string
  5706. type: array
  5707. auth:
  5708. description: |-
  5709. Auth defines the information necessary to authenticate against AWS
  5710. if not set aws sdk will infer credentials from your environment
  5711. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  5712. properties:
  5713. jwt:
  5714. description: Authenticate against AWS using service account tokens.
  5715. properties:
  5716. serviceAccountRef:
  5717. description: A reference to a ServiceAccount resource.
  5718. properties:
  5719. audiences:
  5720. description: |-
  5721. Audience specifies the `aud` claim for the service account token
  5722. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5723. then this audiences will be appended to the list
  5724. items:
  5725. type: string
  5726. type: array
  5727. name:
  5728. description: The name of the ServiceAccount resource being referred to.
  5729. maxLength: 253
  5730. minLength: 1
  5731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5732. type: string
  5733. namespace:
  5734. description: |-
  5735. Namespace of the resource being referred to.
  5736. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5737. maxLength: 63
  5738. minLength: 1
  5739. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5740. type: string
  5741. required:
  5742. - name
  5743. type: object
  5744. type: object
  5745. secretRef:
  5746. description: |-
  5747. AWSAuthSecretRef holds secret references for AWS credentials
  5748. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  5749. properties:
  5750. accessKeyIDSecretRef:
  5751. description: The AccessKeyID is used for authentication
  5752. properties:
  5753. key:
  5754. description: |-
  5755. A key in the referenced Secret.
  5756. Some instances of this field may be defaulted, in others it may be required.
  5757. maxLength: 253
  5758. minLength: 1
  5759. pattern: ^[-._a-zA-Z0-9]+$
  5760. type: string
  5761. name:
  5762. description: The name of the Secret resource being referred to.
  5763. maxLength: 253
  5764. minLength: 1
  5765. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5766. type: string
  5767. namespace:
  5768. description: |-
  5769. The namespace of the Secret resource being referred to.
  5770. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5771. maxLength: 63
  5772. minLength: 1
  5773. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5774. type: string
  5775. type: object
  5776. secretAccessKeySecretRef:
  5777. description: The SecretAccessKey is used for authentication
  5778. properties:
  5779. key:
  5780. description: |-
  5781. A key in the referenced Secret.
  5782. Some instances of this field may be defaulted, in others it may be required.
  5783. maxLength: 253
  5784. minLength: 1
  5785. pattern: ^[-._a-zA-Z0-9]+$
  5786. type: string
  5787. name:
  5788. description: The name of the Secret resource being referred to.
  5789. maxLength: 253
  5790. minLength: 1
  5791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5792. type: string
  5793. namespace:
  5794. description: |-
  5795. The namespace of the Secret resource being referred to.
  5796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5797. maxLength: 63
  5798. minLength: 1
  5799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5800. type: string
  5801. type: object
  5802. sessionTokenSecretRef:
  5803. description: |-
  5804. The SessionToken used for authentication
  5805. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  5806. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  5807. properties:
  5808. key:
  5809. description: |-
  5810. A key in the referenced Secret.
  5811. Some instances of this field may be defaulted, in others it may be required.
  5812. maxLength: 253
  5813. minLength: 1
  5814. pattern: ^[-._a-zA-Z0-9]+$
  5815. type: string
  5816. name:
  5817. description: The name of the Secret resource being referred to.
  5818. maxLength: 253
  5819. minLength: 1
  5820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5821. type: string
  5822. namespace:
  5823. description: |-
  5824. The namespace of the Secret resource being referred to.
  5825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5826. maxLength: 63
  5827. minLength: 1
  5828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5829. type: string
  5830. type: object
  5831. type: object
  5832. type: object
  5833. externalID:
  5834. description: AWS External ID set on assumed IAM roles
  5835. type: string
  5836. prefix:
  5837. description: Prefix adds a prefix to all retrieved values.
  5838. type: string
  5839. region:
  5840. description: AWS Region to be used for the provider
  5841. type: string
  5842. role:
  5843. description: Role is a Role ARN which the provider will assume
  5844. type: string
  5845. secretsManager:
  5846. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  5847. properties:
  5848. forceDeleteWithoutRecovery:
  5849. description: |-
  5850. Specifies whether to delete the secret without any recovery window. You
  5851. can't use both this parameter and RecoveryWindowInDays in the same call.
  5852. If you don't use either, then by default Secrets Manager uses a 30 day
  5853. recovery window.
  5854. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  5855. type: boolean
  5856. recoveryWindowInDays:
  5857. description: |-
  5858. The number of days from 7 to 30 that Secrets Manager waits before
  5859. permanently deleting the secret. You can't use both this parameter and
  5860. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  5861. then by default Secrets Manager uses a 30 day recovery window.
  5862. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  5863. format: int64
  5864. type: integer
  5865. type: object
  5866. service:
  5867. description: Service defines which service should be used to fetch the secrets
  5868. enum:
  5869. - SecretsManager
  5870. - ParameterStore
  5871. type: string
  5872. sessionTags:
  5873. description: AWS STS assume role session tags
  5874. items:
  5875. properties:
  5876. key:
  5877. type: string
  5878. value:
  5879. type: string
  5880. required:
  5881. - key
  5882. - value
  5883. type: object
  5884. type: array
  5885. transitiveTagKeys:
  5886. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  5887. items:
  5888. type: string
  5889. type: array
  5890. required:
  5891. - region
  5892. - service
  5893. type: object
  5894. azurekv:
  5895. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  5896. properties:
  5897. authSecretRef:
  5898. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  5899. properties:
  5900. clientCertificate:
  5901. description: The Azure ClientCertificate of the service principle used for authentication.
  5902. properties:
  5903. key:
  5904. description: |-
  5905. A key in the referenced Secret.
  5906. Some instances of this field may be defaulted, in others it may be required.
  5907. maxLength: 253
  5908. minLength: 1
  5909. pattern: ^[-._a-zA-Z0-9]+$
  5910. type: string
  5911. name:
  5912. description: The name of the Secret resource being referred to.
  5913. maxLength: 253
  5914. minLength: 1
  5915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5916. type: string
  5917. namespace:
  5918. description: |-
  5919. The namespace of the Secret resource being referred to.
  5920. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5921. maxLength: 63
  5922. minLength: 1
  5923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5924. type: string
  5925. type: object
  5926. clientId:
  5927. description: The Azure clientId of the service principle or managed identity used for authentication.
  5928. properties:
  5929. key:
  5930. description: |-
  5931. A key in the referenced Secret.
  5932. Some instances of this field may be defaulted, in others it may be required.
  5933. maxLength: 253
  5934. minLength: 1
  5935. pattern: ^[-._a-zA-Z0-9]+$
  5936. type: string
  5937. name:
  5938. description: The name of the Secret resource being referred to.
  5939. maxLength: 253
  5940. minLength: 1
  5941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5942. type: string
  5943. namespace:
  5944. description: |-
  5945. The namespace of the Secret resource being referred to.
  5946. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5947. maxLength: 63
  5948. minLength: 1
  5949. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5950. type: string
  5951. type: object
  5952. clientSecret:
  5953. description: The Azure ClientSecret of the service principle used for authentication.
  5954. properties:
  5955. key:
  5956. description: |-
  5957. A key in the referenced Secret.
  5958. Some instances of this field may be defaulted, in others it may be required.
  5959. maxLength: 253
  5960. minLength: 1
  5961. pattern: ^[-._a-zA-Z0-9]+$
  5962. type: string
  5963. name:
  5964. description: The name of the Secret resource being referred to.
  5965. maxLength: 253
  5966. minLength: 1
  5967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5968. type: string
  5969. namespace:
  5970. description: |-
  5971. The namespace of the Secret resource being referred to.
  5972. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5973. maxLength: 63
  5974. minLength: 1
  5975. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5976. type: string
  5977. type: object
  5978. tenantId:
  5979. description: The Azure tenantId of the managed identity used for authentication.
  5980. properties:
  5981. key:
  5982. description: |-
  5983. A key in the referenced Secret.
  5984. Some instances of this field may be defaulted, in others it may be required.
  5985. maxLength: 253
  5986. minLength: 1
  5987. pattern: ^[-._a-zA-Z0-9]+$
  5988. type: string
  5989. name:
  5990. description: The name of the Secret resource being referred to.
  5991. maxLength: 253
  5992. minLength: 1
  5993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5994. type: string
  5995. namespace:
  5996. description: |-
  5997. The namespace of the Secret resource being referred to.
  5998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5999. maxLength: 63
  6000. minLength: 1
  6001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6002. type: string
  6003. type: object
  6004. type: object
  6005. authType:
  6006. default: ServicePrincipal
  6007. description: |-
  6008. Auth type defines how to authenticate to the keyvault service.
  6009. Valid values are:
  6010. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  6011. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  6012. enum:
  6013. - ServicePrincipal
  6014. - ManagedIdentity
  6015. - WorkloadIdentity
  6016. type: string
  6017. environmentType:
  6018. default: PublicCloud
  6019. description: |-
  6020. EnvironmentType specifies the Azure cloud environment endpoints to use for
  6021. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  6022. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  6023. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  6024. enum:
  6025. - PublicCloud
  6026. - USGovernmentCloud
  6027. - ChinaCloud
  6028. - GermanCloud
  6029. type: string
  6030. identityId:
  6031. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  6032. type: string
  6033. serviceAccountRef:
  6034. description: |-
  6035. ServiceAccountRef specified the service account
  6036. that should be used when authenticating with WorkloadIdentity.
  6037. properties:
  6038. audiences:
  6039. description: |-
  6040. Audience specifies the `aud` claim for the service account token
  6041. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6042. then this audiences will be appended to the list
  6043. items:
  6044. type: string
  6045. type: array
  6046. name:
  6047. description: The name of the ServiceAccount resource being referred to.
  6048. maxLength: 253
  6049. minLength: 1
  6050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6051. type: string
  6052. namespace:
  6053. description: |-
  6054. Namespace of the resource being referred to.
  6055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6056. maxLength: 63
  6057. minLength: 1
  6058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6059. type: string
  6060. required:
  6061. - name
  6062. type: object
  6063. tenantId:
  6064. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  6065. type: string
  6066. vaultUrl:
  6067. description: Vault Url from which the secrets to be fetched from.
  6068. type: string
  6069. required:
  6070. - vaultUrl
  6071. type: object
  6072. beyondtrust:
  6073. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  6074. properties:
  6075. auth:
  6076. description: Auth configures how the operator authenticates with Beyondtrust.
  6077. properties:
  6078. apiKey:
  6079. description: APIKey If not provided then ClientID/ClientSecret become required.
  6080. properties:
  6081. secretRef:
  6082. description: SecretRef references a key in a secret that will be used as value.
  6083. properties:
  6084. key:
  6085. description: |-
  6086. A key in the referenced Secret.
  6087. Some instances of this field may be defaulted, in others it may be required.
  6088. maxLength: 253
  6089. minLength: 1
  6090. pattern: ^[-._a-zA-Z0-9]+$
  6091. type: string
  6092. name:
  6093. description: The name of the Secret resource being referred to.
  6094. maxLength: 253
  6095. minLength: 1
  6096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6097. type: string
  6098. namespace:
  6099. description: |-
  6100. The namespace of the Secret resource being referred to.
  6101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6102. maxLength: 63
  6103. minLength: 1
  6104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6105. type: string
  6106. type: object
  6107. value:
  6108. description: Value can be specified directly to set a value without using a secret.
  6109. type: string
  6110. type: object
  6111. certificate:
  6112. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  6113. properties:
  6114. secretRef:
  6115. description: SecretRef references a key in a secret that will be used as value.
  6116. properties:
  6117. key:
  6118. description: |-
  6119. A key in the referenced Secret.
  6120. Some instances of this field may be defaulted, in others it may be required.
  6121. maxLength: 253
  6122. minLength: 1
  6123. pattern: ^[-._a-zA-Z0-9]+$
  6124. type: string
  6125. name:
  6126. description: The name of the Secret resource being referred to.
  6127. maxLength: 253
  6128. minLength: 1
  6129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6130. type: string
  6131. namespace:
  6132. description: |-
  6133. The namespace of the Secret resource being referred to.
  6134. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6135. maxLength: 63
  6136. minLength: 1
  6137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6138. type: string
  6139. type: object
  6140. value:
  6141. description: Value can be specified directly to set a value without using a secret.
  6142. type: string
  6143. type: object
  6144. certificateKey:
  6145. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  6146. properties:
  6147. secretRef:
  6148. description: SecretRef references a key in a secret that will be used as value.
  6149. properties:
  6150. key:
  6151. description: |-
  6152. A key in the referenced Secret.
  6153. Some instances of this field may be defaulted, in others it may be required.
  6154. maxLength: 253
  6155. minLength: 1
  6156. pattern: ^[-._a-zA-Z0-9]+$
  6157. type: string
  6158. name:
  6159. description: The name of the Secret resource being referred to.
  6160. maxLength: 253
  6161. minLength: 1
  6162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6163. type: string
  6164. namespace:
  6165. description: |-
  6166. The namespace of the Secret resource being referred to.
  6167. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6168. maxLength: 63
  6169. minLength: 1
  6170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6171. type: string
  6172. type: object
  6173. value:
  6174. description: Value can be specified directly to set a value without using a secret.
  6175. type: string
  6176. type: object
  6177. clientId:
  6178. description: ClientID is the API OAuth Client ID.
  6179. properties:
  6180. secretRef:
  6181. description: SecretRef references a key in a secret that will be used as value.
  6182. properties:
  6183. key:
  6184. description: |-
  6185. A key in the referenced Secret.
  6186. Some instances of this field may be defaulted, in others it may be required.
  6187. maxLength: 253
  6188. minLength: 1
  6189. pattern: ^[-._a-zA-Z0-9]+$
  6190. type: string
  6191. name:
  6192. description: The name of the Secret resource being referred to.
  6193. maxLength: 253
  6194. minLength: 1
  6195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6196. type: string
  6197. namespace:
  6198. description: |-
  6199. The namespace of the Secret resource being referred to.
  6200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6201. maxLength: 63
  6202. minLength: 1
  6203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6204. type: string
  6205. type: object
  6206. value:
  6207. description: Value can be specified directly to set a value without using a secret.
  6208. type: string
  6209. type: object
  6210. clientSecret:
  6211. description: ClientSecret is the API OAuth Client Secret.
  6212. properties:
  6213. secretRef:
  6214. description: SecretRef references a key in a secret that will be used as value.
  6215. properties:
  6216. key:
  6217. description: |-
  6218. A key in the referenced Secret.
  6219. Some instances of this field may be defaulted, in others it may be required.
  6220. maxLength: 253
  6221. minLength: 1
  6222. pattern: ^[-._a-zA-Z0-9]+$
  6223. type: string
  6224. name:
  6225. description: The name of the Secret resource being referred to.
  6226. maxLength: 253
  6227. minLength: 1
  6228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6229. type: string
  6230. namespace:
  6231. description: |-
  6232. The namespace of the Secret resource being referred to.
  6233. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6234. maxLength: 63
  6235. minLength: 1
  6236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6237. type: string
  6238. type: object
  6239. value:
  6240. description: Value can be specified directly to set a value without using a secret.
  6241. type: string
  6242. type: object
  6243. type: object
  6244. server:
  6245. description: Auth configures how API server works.
  6246. properties:
  6247. apiUrl:
  6248. type: string
  6249. apiVersion:
  6250. type: string
  6251. clientTimeOutSeconds:
  6252. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  6253. type: integer
  6254. retrievalType:
  6255. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  6256. type: string
  6257. separator:
  6258. description: A character that separates the folder names.
  6259. type: string
  6260. verifyCA:
  6261. type: boolean
  6262. required:
  6263. - apiUrl
  6264. - verifyCA
  6265. type: object
  6266. required:
  6267. - auth
  6268. - server
  6269. type: object
  6270. bitwardensecretsmanager:
  6271. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  6272. properties:
  6273. apiURL:
  6274. type: string
  6275. auth:
  6276. description: |-
  6277. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  6278. Make sure that the token being used has permissions on the given secret.
  6279. properties:
  6280. secretRef:
  6281. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  6282. properties:
  6283. credentials:
  6284. description: AccessToken used for the bitwarden instance.
  6285. properties:
  6286. key:
  6287. description: |-
  6288. A key in the referenced Secret.
  6289. Some instances of this field may be defaulted, in others it may be required.
  6290. maxLength: 253
  6291. minLength: 1
  6292. pattern: ^[-._a-zA-Z0-9]+$
  6293. type: string
  6294. name:
  6295. description: The name of the Secret resource being referred to.
  6296. maxLength: 253
  6297. minLength: 1
  6298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6299. type: string
  6300. namespace:
  6301. description: |-
  6302. The namespace of the Secret resource being referred to.
  6303. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6304. maxLength: 63
  6305. minLength: 1
  6306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6307. type: string
  6308. type: object
  6309. required:
  6310. - credentials
  6311. type: object
  6312. required:
  6313. - secretRef
  6314. type: object
  6315. bitwardenServerSDKURL:
  6316. type: string
  6317. caBundle:
  6318. description: |-
  6319. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  6320. can be performed.
  6321. type: string
  6322. caProvider:
  6323. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  6324. properties:
  6325. key:
  6326. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6327. maxLength: 253
  6328. minLength: 1
  6329. pattern: ^[-._a-zA-Z0-9]+$
  6330. type: string
  6331. name:
  6332. description: The name of the object located at the provider type.
  6333. maxLength: 253
  6334. minLength: 1
  6335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6336. type: string
  6337. namespace:
  6338. description: |-
  6339. The namespace the Provider type is in.
  6340. Can only be defined when used in a ClusterSecretStore.
  6341. maxLength: 63
  6342. minLength: 1
  6343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6344. type: string
  6345. type:
  6346. description: The type of provider to use such as "Secret", or "ConfigMap".
  6347. enum:
  6348. - Secret
  6349. - ConfigMap
  6350. type: string
  6351. required:
  6352. - name
  6353. - type
  6354. type: object
  6355. identityURL:
  6356. type: string
  6357. organizationID:
  6358. description: OrganizationID determines which organization this secret store manages.
  6359. type: string
  6360. projectID:
  6361. description: ProjectID determines which project this secret store manages.
  6362. type: string
  6363. required:
  6364. - auth
  6365. - organizationID
  6366. - projectID
  6367. type: object
  6368. chef:
  6369. description: Chef configures this store to sync secrets with chef server
  6370. properties:
  6371. auth:
  6372. description: Auth defines the information necessary to authenticate against chef Server
  6373. properties:
  6374. secretRef:
  6375. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  6376. properties:
  6377. privateKeySecretRef:
  6378. description: SecretKey is the Signing Key in PEM format, used for authentication.
  6379. properties:
  6380. key:
  6381. description: |-
  6382. A key in the referenced Secret.
  6383. Some instances of this field may be defaulted, in others it may be required.
  6384. maxLength: 253
  6385. minLength: 1
  6386. pattern: ^[-._a-zA-Z0-9]+$
  6387. type: string
  6388. name:
  6389. description: The name of the Secret resource being referred to.
  6390. maxLength: 253
  6391. minLength: 1
  6392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6393. type: string
  6394. namespace:
  6395. description: |-
  6396. The namespace of the Secret resource being referred to.
  6397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6398. maxLength: 63
  6399. minLength: 1
  6400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6401. type: string
  6402. type: object
  6403. required:
  6404. - privateKeySecretRef
  6405. type: object
  6406. required:
  6407. - secretRef
  6408. type: object
  6409. serverUrl:
  6410. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  6411. type: string
  6412. username:
  6413. description: UserName should be the user ID on the chef server
  6414. type: string
  6415. required:
  6416. - auth
  6417. - serverUrl
  6418. - username
  6419. type: object
  6420. cloudrusm:
  6421. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  6422. properties:
  6423. auth:
  6424. description: CSMAuth contains a secretRef for credentials.
  6425. properties:
  6426. secretRef:
  6427. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  6428. properties:
  6429. accessKeyIDSecretRef:
  6430. description: The AccessKeyID is used for authentication
  6431. properties:
  6432. key:
  6433. description: |-
  6434. A key in the referenced Secret.
  6435. Some instances of this field may be defaulted, in others it may be required.
  6436. maxLength: 253
  6437. minLength: 1
  6438. pattern: ^[-._a-zA-Z0-9]+$
  6439. type: string
  6440. name:
  6441. description: The name of the Secret resource being referred to.
  6442. maxLength: 253
  6443. minLength: 1
  6444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6445. type: string
  6446. namespace:
  6447. description: |-
  6448. The namespace of the Secret resource being referred to.
  6449. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6450. maxLength: 63
  6451. minLength: 1
  6452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6453. type: string
  6454. type: object
  6455. accessKeySecretSecretRef:
  6456. description: The AccessKeySecret is used for authentication
  6457. properties:
  6458. key:
  6459. description: |-
  6460. A key in the referenced Secret.
  6461. Some instances of this field may be defaulted, in others it may be required.
  6462. maxLength: 253
  6463. minLength: 1
  6464. pattern: ^[-._a-zA-Z0-9]+$
  6465. type: string
  6466. name:
  6467. description: The name of the Secret resource being referred to.
  6468. maxLength: 253
  6469. minLength: 1
  6470. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6471. type: string
  6472. namespace:
  6473. description: |-
  6474. The namespace of the Secret resource being referred to.
  6475. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6476. maxLength: 63
  6477. minLength: 1
  6478. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6479. type: string
  6480. type: object
  6481. required:
  6482. - accessKeyIDSecretRef
  6483. - accessKeySecretSecretRef
  6484. type: object
  6485. type: object
  6486. projectID:
  6487. description: ProjectID is the project, which the secrets are stored in.
  6488. type: string
  6489. required:
  6490. - auth
  6491. type: object
  6492. conjur:
  6493. description: Conjur configures this store to sync secrets using conjur provider
  6494. properties:
  6495. auth:
  6496. description: Defines authentication settings for connecting to Conjur.
  6497. properties:
  6498. apikey:
  6499. description: Authenticates with Conjur using an API key.
  6500. properties:
  6501. account:
  6502. description: Account is the Conjur organization account name.
  6503. type: string
  6504. apiKeyRef:
  6505. description: |-
  6506. A reference to a specific 'key' containing the Conjur API key
  6507. within a Secret resource. In some instances, `key` is a required field.
  6508. properties:
  6509. key:
  6510. description: |-
  6511. A key in the referenced Secret.
  6512. Some instances of this field may be defaulted, in others it may be required.
  6513. maxLength: 253
  6514. minLength: 1
  6515. pattern: ^[-._a-zA-Z0-9]+$
  6516. type: string
  6517. name:
  6518. description: The name of the Secret resource being referred to.
  6519. maxLength: 253
  6520. minLength: 1
  6521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6522. type: string
  6523. namespace:
  6524. description: |-
  6525. The namespace of the Secret resource being referred to.
  6526. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6527. maxLength: 63
  6528. minLength: 1
  6529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6530. type: string
  6531. type: object
  6532. userRef:
  6533. description: |-
  6534. A reference to a specific 'key' containing the Conjur username
  6535. within a Secret resource. In some instances, `key` is a required field.
  6536. properties:
  6537. key:
  6538. description: |-
  6539. A key in the referenced Secret.
  6540. Some instances of this field may be defaulted, in others it may be required.
  6541. maxLength: 253
  6542. minLength: 1
  6543. pattern: ^[-._a-zA-Z0-9]+$
  6544. type: string
  6545. name:
  6546. description: The name of the Secret resource being referred to.
  6547. maxLength: 253
  6548. minLength: 1
  6549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6550. type: string
  6551. namespace:
  6552. description: |-
  6553. The namespace of the Secret resource being referred to.
  6554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6555. maxLength: 63
  6556. minLength: 1
  6557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6558. type: string
  6559. type: object
  6560. required:
  6561. - account
  6562. - apiKeyRef
  6563. - userRef
  6564. type: object
  6565. jwt:
  6566. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  6567. properties:
  6568. account:
  6569. description: Account is the Conjur organization account name.
  6570. type: string
  6571. hostId:
  6572. description: |-
  6573. Optional HostID for JWT authentication. This may be used depending
  6574. on how the Conjur JWT authenticator policy is configured.
  6575. type: string
  6576. secretRef:
  6577. description: |-
  6578. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  6579. authenticate with Conjur using the JWT authentication method.
  6580. properties:
  6581. key:
  6582. description: |-
  6583. A key in the referenced Secret.
  6584. Some instances of this field may be defaulted, in others it may be required.
  6585. maxLength: 253
  6586. minLength: 1
  6587. pattern: ^[-._a-zA-Z0-9]+$
  6588. type: string
  6589. name:
  6590. description: The name of the Secret resource being referred to.
  6591. maxLength: 253
  6592. minLength: 1
  6593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6594. type: string
  6595. namespace:
  6596. description: |-
  6597. The namespace of the Secret resource being referred to.
  6598. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6599. maxLength: 63
  6600. minLength: 1
  6601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6602. type: string
  6603. type: object
  6604. serviceAccountRef:
  6605. description: |-
  6606. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  6607. a token for with the `TokenRequest` API.
  6608. properties:
  6609. audiences:
  6610. description: |-
  6611. Audience specifies the `aud` claim for the service account token
  6612. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6613. then this audiences will be appended to the list
  6614. items:
  6615. type: string
  6616. type: array
  6617. name:
  6618. description: The name of the ServiceAccount resource being referred to.
  6619. maxLength: 253
  6620. minLength: 1
  6621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6622. type: string
  6623. namespace:
  6624. description: |-
  6625. Namespace of the resource being referred to.
  6626. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6627. maxLength: 63
  6628. minLength: 1
  6629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6630. type: string
  6631. required:
  6632. - name
  6633. type: object
  6634. serviceID:
  6635. description: The conjur authn jwt webservice id
  6636. type: string
  6637. required:
  6638. - account
  6639. - serviceID
  6640. type: object
  6641. type: object
  6642. caBundle:
  6643. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  6644. type: string
  6645. caProvider:
  6646. description: |-
  6647. Used to provide custom certificate authority (CA) certificates
  6648. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  6649. that contains a PEM-encoded certificate.
  6650. properties:
  6651. key:
  6652. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6653. maxLength: 253
  6654. minLength: 1
  6655. pattern: ^[-._a-zA-Z0-9]+$
  6656. type: string
  6657. name:
  6658. description: The name of the object located at the provider type.
  6659. maxLength: 253
  6660. minLength: 1
  6661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6662. type: string
  6663. namespace:
  6664. description: |-
  6665. The namespace the Provider type is in.
  6666. Can only be defined when used in a ClusterSecretStore.
  6667. maxLength: 63
  6668. minLength: 1
  6669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6670. type: string
  6671. type:
  6672. description: The type of provider to use such as "Secret", or "ConfigMap".
  6673. enum:
  6674. - Secret
  6675. - ConfigMap
  6676. type: string
  6677. required:
  6678. - name
  6679. - type
  6680. type: object
  6681. url:
  6682. description: URL is the endpoint of the Conjur instance.
  6683. type: string
  6684. required:
  6685. - auth
  6686. - url
  6687. type: object
  6688. delinea:
  6689. description: |-
  6690. Delinea DevOps Secrets Vault
  6691. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  6692. properties:
  6693. clientId:
  6694. description: ClientID is the non-secret part of the credential.
  6695. properties:
  6696. secretRef:
  6697. description: SecretRef references a key in a secret that will be used as value.
  6698. properties:
  6699. key:
  6700. description: |-
  6701. A key in the referenced Secret.
  6702. Some instances of this field may be defaulted, in others it may be required.
  6703. maxLength: 253
  6704. minLength: 1
  6705. pattern: ^[-._a-zA-Z0-9]+$
  6706. type: string
  6707. name:
  6708. description: The name of the Secret resource being referred to.
  6709. maxLength: 253
  6710. minLength: 1
  6711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6712. type: string
  6713. namespace:
  6714. description: |-
  6715. The namespace of the Secret resource being referred to.
  6716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6717. maxLength: 63
  6718. minLength: 1
  6719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6720. type: string
  6721. type: object
  6722. value:
  6723. description: Value can be specified directly to set a value without using a secret.
  6724. type: string
  6725. type: object
  6726. clientSecret:
  6727. description: ClientSecret is the secret part of the credential.
  6728. properties:
  6729. secretRef:
  6730. description: SecretRef references a key in a secret that will be used as value.
  6731. properties:
  6732. key:
  6733. description: |-
  6734. A key in the referenced Secret.
  6735. Some instances of this field may be defaulted, in others it may be required.
  6736. maxLength: 253
  6737. minLength: 1
  6738. pattern: ^[-._a-zA-Z0-9]+$
  6739. type: string
  6740. name:
  6741. description: The name of the Secret resource being referred to.
  6742. maxLength: 253
  6743. minLength: 1
  6744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6745. type: string
  6746. namespace:
  6747. description: |-
  6748. The namespace of the Secret resource being referred to.
  6749. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6750. maxLength: 63
  6751. minLength: 1
  6752. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6753. type: string
  6754. type: object
  6755. value:
  6756. description: Value can be specified directly to set a value without using a secret.
  6757. type: string
  6758. type: object
  6759. tenant:
  6760. description: Tenant is the chosen hostname / site name.
  6761. type: string
  6762. tld:
  6763. description: |-
  6764. TLD is based on the server location that was chosen during provisioning.
  6765. If unset, defaults to "com".
  6766. type: string
  6767. urlTemplate:
  6768. description: |-
  6769. URLTemplate
  6770. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  6771. type: string
  6772. required:
  6773. - clientId
  6774. - clientSecret
  6775. - tenant
  6776. type: object
  6777. device42:
  6778. description: Device42 configures this store to sync secrets using the Device42 provider
  6779. properties:
  6780. auth:
  6781. description: Auth configures how secret-manager authenticates with a Device42 instance.
  6782. properties:
  6783. secretRef:
  6784. properties:
  6785. credentials:
  6786. description: Username / Password is used for authentication.
  6787. properties:
  6788. key:
  6789. description: |-
  6790. A key in the referenced Secret.
  6791. Some instances of this field may be defaulted, in others it may be required.
  6792. maxLength: 253
  6793. minLength: 1
  6794. pattern: ^[-._a-zA-Z0-9]+$
  6795. type: string
  6796. name:
  6797. description: The name of the Secret resource being referred to.
  6798. maxLength: 253
  6799. minLength: 1
  6800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6801. type: string
  6802. namespace:
  6803. description: |-
  6804. The namespace of the Secret resource being referred to.
  6805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6806. maxLength: 63
  6807. minLength: 1
  6808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6809. type: string
  6810. type: object
  6811. type: object
  6812. required:
  6813. - secretRef
  6814. type: object
  6815. host:
  6816. description: URL configures the Device42 instance URL.
  6817. type: string
  6818. required:
  6819. - auth
  6820. - host
  6821. type: object
  6822. doppler:
  6823. description: Doppler configures this store to sync secrets using the Doppler provider
  6824. properties:
  6825. auth:
  6826. description: Auth configures how the Operator authenticates with the Doppler API
  6827. properties:
  6828. secretRef:
  6829. properties:
  6830. dopplerToken:
  6831. description: |-
  6832. The DopplerToken is used for authentication.
  6833. See https://docs.doppler.com/reference/api#authentication for auth token types.
  6834. The Key attribute defaults to dopplerToken if not specified.
  6835. properties:
  6836. key:
  6837. description: |-
  6838. A key in the referenced Secret.
  6839. Some instances of this field may be defaulted, in others it may be required.
  6840. maxLength: 253
  6841. minLength: 1
  6842. pattern: ^[-._a-zA-Z0-9]+$
  6843. type: string
  6844. name:
  6845. description: The name of the Secret resource being referred to.
  6846. maxLength: 253
  6847. minLength: 1
  6848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6849. type: string
  6850. namespace:
  6851. description: |-
  6852. The namespace of the Secret resource being referred to.
  6853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6854. maxLength: 63
  6855. minLength: 1
  6856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6857. type: string
  6858. type: object
  6859. required:
  6860. - dopplerToken
  6861. type: object
  6862. required:
  6863. - secretRef
  6864. type: object
  6865. config:
  6866. description: Doppler config (required if not using a Service Token)
  6867. type: string
  6868. format:
  6869. description: Format enables the downloading of secrets as a file (string)
  6870. enum:
  6871. - json
  6872. - dotnet-json
  6873. - env
  6874. - yaml
  6875. - docker
  6876. type: string
  6877. nameTransformer:
  6878. description: Environment variable compatible name transforms that change secret names to a different format
  6879. enum:
  6880. - upper-camel
  6881. - camel
  6882. - lower-snake
  6883. - tf-var
  6884. - dotnet-env
  6885. - lower-kebab
  6886. type: string
  6887. project:
  6888. description: Doppler project (required if not using a Service Token)
  6889. type: string
  6890. required:
  6891. - auth
  6892. type: object
  6893. fake:
  6894. description: Fake configures a store with static key/value pairs
  6895. properties:
  6896. data:
  6897. items:
  6898. properties:
  6899. key:
  6900. type: string
  6901. value:
  6902. type: string
  6903. version:
  6904. type: string
  6905. required:
  6906. - key
  6907. - value
  6908. type: object
  6909. type: array
  6910. required:
  6911. - data
  6912. type: object
  6913. fortanix:
  6914. description: Fortanix configures this store to sync secrets using the Fortanix provider
  6915. properties:
  6916. apiKey:
  6917. description: APIKey is the API token to access SDKMS Applications.
  6918. properties:
  6919. secretRef:
  6920. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  6921. properties:
  6922. key:
  6923. description: |-
  6924. A key in the referenced Secret.
  6925. Some instances of this field may be defaulted, in others it may be required.
  6926. maxLength: 253
  6927. minLength: 1
  6928. pattern: ^[-._a-zA-Z0-9]+$
  6929. type: string
  6930. name:
  6931. description: The name of the Secret resource being referred to.
  6932. maxLength: 253
  6933. minLength: 1
  6934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6935. type: string
  6936. namespace:
  6937. description: |-
  6938. The namespace of the Secret resource being referred to.
  6939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6940. maxLength: 63
  6941. minLength: 1
  6942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6943. type: string
  6944. type: object
  6945. type: object
  6946. apiUrl:
  6947. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  6948. type: string
  6949. type: object
  6950. gcpsm:
  6951. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  6952. properties:
  6953. auth:
  6954. description: Auth defines the information necessary to authenticate against GCP
  6955. properties:
  6956. secretRef:
  6957. properties:
  6958. secretAccessKeySecretRef:
  6959. description: The SecretAccessKey is used for authentication
  6960. properties:
  6961. key:
  6962. description: |-
  6963. A key in the referenced Secret.
  6964. Some instances of this field may be defaulted, in others it may be required.
  6965. maxLength: 253
  6966. minLength: 1
  6967. pattern: ^[-._a-zA-Z0-9]+$
  6968. type: string
  6969. name:
  6970. description: The name of the Secret resource being referred to.
  6971. maxLength: 253
  6972. minLength: 1
  6973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6974. type: string
  6975. namespace:
  6976. description: |-
  6977. The namespace of the Secret resource being referred to.
  6978. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6979. maxLength: 63
  6980. minLength: 1
  6981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6982. type: string
  6983. type: object
  6984. type: object
  6985. workloadIdentity:
  6986. properties:
  6987. clusterLocation:
  6988. description: |-
  6989. ClusterLocation is the location of the cluster
  6990. If not specified, it fetches information from the metadata server
  6991. type: string
  6992. clusterName:
  6993. description: |-
  6994. ClusterName is the name of the cluster
  6995. If not specified, it fetches information from the metadata server
  6996. type: string
  6997. clusterProjectID:
  6998. description: |-
  6999. ClusterProjectID is the project ID of the cluster
  7000. If not specified, it fetches information from the metadata server
  7001. type: string
  7002. serviceAccountRef:
  7003. description: A reference to a ServiceAccount resource.
  7004. properties:
  7005. audiences:
  7006. description: |-
  7007. Audience specifies the `aud` claim for the service account token
  7008. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7009. then this audiences will be appended to the list
  7010. items:
  7011. type: string
  7012. type: array
  7013. name:
  7014. description: The name of the ServiceAccount resource being referred to.
  7015. maxLength: 253
  7016. minLength: 1
  7017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7018. type: string
  7019. namespace:
  7020. description: |-
  7021. Namespace of the resource being referred to.
  7022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7023. maxLength: 63
  7024. minLength: 1
  7025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7026. type: string
  7027. required:
  7028. - name
  7029. type: object
  7030. required:
  7031. - serviceAccountRef
  7032. type: object
  7033. type: object
  7034. location:
  7035. description: Location optionally defines a location for a secret
  7036. type: string
  7037. projectID:
  7038. description: ProjectID project where secret is located
  7039. type: string
  7040. type: object
  7041. github:
  7042. description: Github configures this store to push Github Action secrets using Github API provider
  7043. properties:
  7044. appID:
  7045. description: appID specifies the Github APP that will be used to authenticate the client
  7046. format: int64
  7047. type: integer
  7048. auth:
  7049. description: auth configures how secret-manager authenticates with a Github instance.
  7050. properties:
  7051. privateKey:
  7052. description: |-
  7053. A reference to a specific 'key' within a Secret resource.
  7054. In some instances, `key` is a required field.
  7055. properties:
  7056. key:
  7057. description: |-
  7058. A key in the referenced Secret.
  7059. Some instances of this field may be defaulted, in others it may be required.
  7060. maxLength: 253
  7061. minLength: 1
  7062. pattern: ^[-._a-zA-Z0-9]+$
  7063. type: string
  7064. name:
  7065. description: The name of the Secret resource being referred to.
  7066. maxLength: 253
  7067. minLength: 1
  7068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7069. type: string
  7070. namespace:
  7071. description: |-
  7072. The namespace of the Secret resource being referred to.
  7073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7074. maxLength: 63
  7075. minLength: 1
  7076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7077. type: string
  7078. type: object
  7079. required:
  7080. - privateKey
  7081. type: object
  7082. environment:
  7083. description: environment will be used to fetch secrets from a particular environment within a github repository
  7084. type: string
  7085. installationID:
  7086. description: installationID specifies the Github APP installation that will be used to authenticate the client
  7087. format: int64
  7088. type: integer
  7089. organization:
  7090. description: organization will be used to fetch secrets from the Github organization
  7091. type: string
  7092. repository:
  7093. description: repository will be used to fetch secrets from the Github repository within an organization
  7094. type: string
  7095. uploadURL:
  7096. description: Upload URL for enterprise instances. Default to URL.
  7097. type: string
  7098. url:
  7099. default: https://github.com/
  7100. description: URL configures the Github instance URL. Defaults to https://github.com/.
  7101. type: string
  7102. required:
  7103. - appID
  7104. - auth
  7105. - installationID
  7106. - organization
  7107. type: object
  7108. gitlab:
  7109. description: GitLab configures this store to sync secrets using GitLab Variables provider
  7110. properties:
  7111. auth:
  7112. description: Auth configures how secret-manager authenticates with a GitLab instance.
  7113. properties:
  7114. SecretRef:
  7115. properties:
  7116. accessToken:
  7117. description: AccessToken is used for authentication.
  7118. properties:
  7119. key:
  7120. description: |-
  7121. A key in the referenced Secret.
  7122. Some instances of this field may be defaulted, in others it may be required.
  7123. maxLength: 253
  7124. minLength: 1
  7125. pattern: ^[-._a-zA-Z0-9]+$
  7126. type: string
  7127. name:
  7128. description: The name of the Secret resource being referred to.
  7129. maxLength: 253
  7130. minLength: 1
  7131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7132. type: string
  7133. namespace:
  7134. description: |-
  7135. The namespace of the Secret resource being referred to.
  7136. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7137. maxLength: 63
  7138. minLength: 1
  7139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7140. type: string
  7141. type: object
  7142. type: object
  7143. required:
  7144. - SecretRef
  7145. type: object
  7146. caBundle:
  7147. description: |-
  7148. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  7149. can be performed.
  7150. format: byte
  7151. type: string
  7152. caProvider:
  7153. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  7154. properties:
  7155. key:
  7156. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7157. maxLength: 253
  7158. minLength: 1
  7159. pattern: ^[-._a-zA-Z0-9]+$
  7160. type: string
  7161. name:
  7162. description: The name of the object located at the provider type.
  7163. maxLength: 253
  7164. minLength: 1
  7165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7166. type: string
  7167. namespace:
  7168. description: |-
  7169. The namespace the Provider type is in.
  7170. Can only be defined when used in a ClusterSecretStore.
  7171. maxLength: 63
  7172. minLength: 1
  7173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7174. type: string
  7175. type:
  7176. description: The type of provider to use such as "Secret", or "ConfigMap".
  7177. enum:
  7178. - Secret
  7179. - ConfigMap
  7180. type: string
  7181. required:
  7182. - name
  7183. - type
  7184. type: object
  7185. environment:
  7186. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  7187. type: string
  7188. groupIDs:
  7189. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  7190. items:
  7191. type: string
  7192. type: array
  7193. inheritFromGroups:
  7194. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  7195. type: boolean
  7196. projectID:
  7197. description: ProjectID specifies a project where secrets are located.
  7198. type: string
  7199. url:
  7200. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  7201. type: string
  7202. required:
  7203. - auth
  7204. type: object
  7205. ibm:
  7206. description: IBM configures this store to sync secrets using IBM Cloud provider
  7207. properties:
  7208. auth:
  7209. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  7210. maxProperties: 1
  7211. minProperties: 1
  7212. properties:
  7213. containerAuth:
  7214. description: IBM Container-based auth with IAM Trusted Profile.
  7215. properties:
  7216. iamEndpoint:
  7217. type: string
  7218. profile:
  7219. description: the IBM Trusted Profile
  7220. type: string
  7221. tokenLocation:
  7222. description: Location the token is mounted on the pod
  7223. type: string
  7224. required:
  7225. - profile
  7226. type: object
  7227. secretRef:
  7228. properties:
  7229. secretApiKeySecretRef:
  7230. description: The SecretAccessKey is used for authentication
  7231. properties:
  7232. key:
  7233. description: |-
  7234. A key in the referenced Secret.
  7235. Some instances of this field may be defaulted, in others it may be required.
  7236. maxLength: 253
  7237. minLength: 1
  7238. pattern: ^[-._a-zA-Z0-9]+$
  7239. type: string
  7240. name:
  7241. description: The name of the Secret resource being referred to.
  7242. maxLength: 253
  7243. minLength: 1
  7244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7245. type: string
  7246. namespace:
  7247. description: |-
  7248. The namespace of the Secret resource being referred to.
  7249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7250. maxLength: 63
  7251. minLength: 1
  7252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7253. type: string
  7254. type: object
  7255. type: object
  7256. type: object
  7257. serviceUrl:
  7258. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  7259. type: string
  7260. required:
  7261. - auth
  7262. type: object
  7263. infisical:
  7264. description: Infisical configures this store to sync secrets using the Infisical provider
  7265. properties:
  7266. auth:
  7267. description: Auth configures how the Operator authenticates with the Infisical API
  7268. properties:
  7269. universalAuthCredentials:
  7270. properties:
  7271. clientId:
  7272. description: |-
  7273. A reference to a specific 'key' within a Secret resource.
  7274. In some instances, `key` is a required field.
  7275. properties:
  7276. key:
  7277. description: |-
  7278. A key in the referenced Secret.
  7279. Some instances of this field may be defaulted, in others it may be required.
  7280. maxLength: 253
  7281. minLength: 1
  7282. pattern: ^[-._a-zA-Z0-9]+$
  7283. type: string
  7284. name:
  7285. description: The name of the Secret resource being referred to.
  7286. maxLength: 253
  7287. minLength: 1
  7288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7289. type: string
  7290. namespace:
  7291. description: |-
  7292. The namespace of the Secret resource being referred to.
  7293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7294. maxLength: 63
  7295. minLength: 1
  7296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7297. type: string
  7298. type: object
  7299. clientSecret:
  7300. description: |-
  7301. A reference to a specific 'key' within a Secret resource.
  7302. In some instances, `key` is a required field.
  7303. properties:
  7304. key:
  7305. description: |-
  7306. A key in the referenced Secret.
  7307. Some instances of this field may be defaulted, in others it may be required.
  7308. maxLength: 253
  7309. minLength: 1
  7310. pattern: ^[-._a-zA-Z0-9]+$
  7311. type: string
  7312. name:
  7313. description: The name of the Secret resource being referred to.
  7314. maxLength: 253
  7315. minLength: 1
  7316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7317. type: string
  7318. namespace:
  7319. description: |-
  7320. The namespace of the Secret resource being referred to.
  7321. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7322. maxLength: 63
  7323. minLength: 1
  7324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7325. type: string
  7326. type: object
  7327. required:
  7328. - clientId
  7329. - clientSecret
  7330. type: object
  7331. type: object
  7332. hostAPI:
  7333. default: https://app.infisical.com/api
  7334. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  7335. type: string
  7336. secretsScope:
  7337. description: SecretsScope defines the scope of the secrets within the workspace
  7338. properties:
  7339. environmentSlug:
  7340. description: EnvironmentSlug is the required slug identifier for the environment.
  7341. type: string
  7342. expandSecretReferences:
  7343. default: true
  7344. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  7345. type: boolean
  7346. projectSlug:
  7347. description: ProjectSlug is the required slug identifier for the project.
  7348. type: string
  7349. recursive:
  7350. default: false
  7351. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  7352. type: boolean
  7353. secretsPath:
  7354. default: /
  7355. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  7356. type: string
  7357. required:
  7358. - environmentSlug
  7359. - projectSlug
  7360. type: object
  7361. required:
  7362. - auth
  7363. - secretsScope
  7364. type: object
  7365. keepersecurity:
  7366. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  7367. properties:
  7368. authRef:
  7369. description: |-
  7370. A reference to a specific 'key' within a Secret resource.
  7371. In some instances, `key` is a required field.
  7372. properties:
  7373. key:
  7374. description: |-
  7375. A key in the referenced Secret.
  7376. Some instances of this field may be defaulted, in others it may be required.
  7377. maxLength: 253
  7378. minLength: 1
  7379. pattern: ^[-._a-zA-Z0-9]+$
  7380. type: string
  7381. name:
  7382. description: The name of the Secret resource being referred to.
  7383. maxLength: 253
  7384. minLength: 1
  7385. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7386. type: string
  7387. namespace:
  7388. description: |-
  7389. The namespace of the Secret resource being referred to.
  7390. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7391. maxLength: 63
  7392. minLength: 1
  7393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7394. type: string
  7395. type: object
  7396. folderID:
  7397. type: string
  7398. required:
  7399. - authRef
  7400. - folderID
  7401. type: object
  7402. kubernetes:
  7403. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  7404. properties:
  7405. auth:
  7406. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  7407. maxProperties: 1
  7408. minProperties: 1
  7409. properties:
  7410. cert:
  7411. description: has both clientCert and clientKey as secretKeySelector
  7412. properties:
  7413. clientCert:
  7414. description: |-
  7415. A reference to a specific 'key' within a Secret resource.
  7416. In some instances, `key` is a required field.
  7417. properties:
  7418. key:
  7419. description: |-
  7420. A key in the referenced Secret.
  7421. Some instances of this field may be defaulted, in others it may be required.
  7422. maxLength: 253
  7423. minLength: 1
  7424. pattern: ^[-._a-zA-Z0-9]+$
  7425. type: string
  7426. name:
  7427. description: The name of the Secret resource being referred to.
  7428. maxLength: 253
  7429. minLength: 1
  7430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7431. type: string
  7432. namespace:
  7433. description: |-
  7434. The namespace of the Secret resource being referred to.
  7435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7436. maxLength: 63
  7437. minLength: 1
  7438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7439. type: string
  7440. type: object
  7441. clientKey:
  7442. description: |-
  7443. A reference to a specific 'key' within a Secret resource.
  7444. In some instances, `key` is a required field.
  7445. properties:
  7446. key:
  7447. description: |-
  7448. A key in the referenced Secret.
  7449. Some instances of this field may be defaulted, in others it may be required.
  7450. maxLength: 253
  7451. minLength: 1
  7452. pattern: ^[-._a-zA-Z0-9]+$
  7453. type: string
  7454. name:
  7455. description: The name of the Secret resource being referred to.
  7456. maxLength: 253
  7457. minLength: 1
  7458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7459. type: string
  7460. namespace:
  7461. description: |-
  7462. The namespace of the Secret resource being referred to.
  7463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7464. maxLength: 63
  7465. minLength: 1
  7466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7467. type: string
  7468. type: object
  7469. type: object
  7470. serviceAccount:
  7471. description: points to a service account that should be used for authentication
  7472. properties:
  7473. audiences:
  7474. description: |-
  7475. Audience specifies the `aud` claim for the service account token
  7476. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7477. then this audiences will be appended to the list
  7478. items:
  7479. type: string
  7480. type: array
  7481. name:
  7482. description: The name of the ServiceAccount resource being referred to.
  7483. maxLength: 253
  7484. minLength: 1
  7485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7486. type: string
  7487. namespace:
  7488. description: |-
  7489. Namespace of the resource being referred to.
  7490. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7491. maxLength: 63
  7492. minLength: 1
  7493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7494. type: string
  7495. required:
  7496. - name
  7497. type: object
  7498. token:
  7499. description: use static token to authenticate with
  7500. properties:
  7501. bearerToken:
  7502. description: |-
  7503. A reference to a specific 'key' within a Secret resource.
  7504. In some instances, `key` is a required field.
  7505. properties:
  7506. key:
  7507. description: |-
  7508. A key in the referenced Secret.
  7509. Some instances of this field may be defaulted, in others it may be required.
  7510. maxLength: 253
  7511. minLength: 1
  7512. pattern: ^[-._a-zA-Z0-9]+$
  7513. type: string
  7514. name:
  7515. description: The name of the Secret resource being referred to.
  7516. maxLength: 253
  7517. minLength: 1
  7518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7519. type: string
  7520. namespace:
  7521. description: |-
  7522. The namespace of the Secret resource being referred to.
  7523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7524. maxLength: 63
  7525. minLength: 1
  7526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7527. type: string
  7528. type: object
  7529. type: object
  7530. type: object
  7531. authRef:
  7532. description: A reference to a secret that contains the auth information.
  7533. properties:
  7534. key:
  7535. description: |-
  7536. A key in the referenced Secret.
  7537. Some instances of this field may be defaulted, in others it may be required.
  7538. maxLength: 253
  7539. minLength: 1
  7540. pattern: ^[-._a-zA-Z0-9]+$
  7541. type: string
  7542. name:
  7543. description: The name of the Secret resource being referred to.
  7544. maxLength: 253
  7545. minLength: 1
  7546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7547. type: string
  7548. namespace:
  7549. description: |-
  7550. The namespace of the Secret resource being referred to.
  7551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7552. maxLength: 63
  7553. minLength: 1
  7554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7555. type: string
  7556. type: object
  7557. remoteNamespace:
  7558. default: default
  7559. description: Remote namespace to fetch the secrets from
  7560. maxLength: 63
  7561. minLength: 1
  7562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7563. type: string
  7564. server:
  7565. description: configures the Kubernetes server Address.
  7566. properties:
  7567. caBundle:
  7568. description: CABundle is a base64-encoded CA certificate
  7569. format: byte
  7570. type: string
  7571. caProvider:
  7572. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  7573. properties:
  7574. key:
  7575. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7576. maxLength: 253
  7577. minLength: 1
  7578. pattern: ^[-._a-zA-Z0-9]+$
  7579. type: string
  7580. name:
  7581. description: The name of the object located at the provider type.
  7582. maxLength: 253
  7583. minLength: 1
  7584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7585. type: string
  7586. namespace:
  7587. description: |-
  7588. The namespace the Provider type is in.
  7589. Can only be defined when used in a ClusterSecretStore.
  7590. maxLength: 63
  7591. minLength: 1
  7592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7593. type: string
  7594. type:
  7595. description: The type of provider to use such as "Secret", or "ConfigMap".
  7596. enum:
  7597. - Secret
  7598. - ConfigMap
  7599. type: string
  7600. required:
  7601. - name
  7602. - type
  7603. type: object
  7604. url:
  7605. default: kubernetes.default
  7606. description: configures the Kubernetes server Address.
  7607. type: string
  7608. type: object
  7609. type: object
  7610. onboardbase:
  7611. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  7612. properties:
  7613. apiHost:
  7614. default: https://public.onboardbase.com/api/v1/
  7615. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  7616. type: string
  7617. auth:
  7618. description: Auth configures how the Operator authenticates with the Onboardbase API
  7619. properties:
  7620. apiKeyRef:
  7621. description: |-
  7622. OnboardbaseAPIKey is the APIKey generated by an admin account.
  7623. It is used to recognize and authorize access to a project and environment within onboardbase
  7624. properties:
  7625. key:
  7626. description: |-
  7627. A key in the referenced Secret.
  7628. Some instances of this field may be defaulted, in others it may be required.
  7629. maxLength: 253
  7630. minLength: 1
  7631. pattern: ^[-._a-zA-Z0-9]+$
  7632. type: string
  7633. name:
  7634. description: The name of the Secret resource being referred to.
  7635. maxLength: 253
  7636. minLength: 1
  7637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7638. type: string
  7639. namespace:
  7640. description: |-
  7641. The namespace of the Secret resource being referred to.
  7642. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7643. maxLength: 63
  7644. minLength: 1
  7645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7646. type: string
  7647. type: object
  7648. passcodeRef:
  7649. description: OnboardbasePasscode is the passcode attached to the API Key
  7650. properties:
  7651. key:
  7652. description: |-
  7653. A key in the referenced Secret.
  7654. Some instances of this field may be defaulted, in others it may be required.
  7655. maxLength: 253
  7656. minLength: 1
  7657. pattern: ^[-._a-zA-Z0-9]+$
  7658. type: string
  7659. name:
  7660. description: The name of the Secret resource being referred to.
  7661. maxLength: 253
  7662. minLength: 1
  7663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7664. type: string
  7665. namespace:
  7666. description: |-
  7667. The namespace of the Secret resource being referred to.
  7668. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7669. maxLength: 63
  7670. minLength: 1
  7671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7672. type: string
  7673. type: object
  7674. required:
  7675. - apiKeyRef
  7676. - passcodeRef
  7677. type: object
  7678. environment:
  7679. default: development
  7680. description: Environment is the name of an environmnent within a project to pull the secrets from
  7681. type: string
  7682. project:
  7683. default: development
  7684. description: Project is an onboardbase project that the secrets should be pulled from
  7685. type: string
  7686. required:
  7687. - apiHost
  7688. - auth
  7689. - environment
  7690. - project
  7691. type: object
  7692. onepassword:
  7693. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  7694. properties:
  7695. auth:
  7696. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  7697. properties:
  7698. secretRef:
  7699. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  7700. properties:
  7701. connectTokenSecretRef:
  7702. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  7703. properties:
  7704. key:
  7705. description: |-
  7706. A key in the referenced Secret.
  7707. Some instances of this field may be defaulted, in others it may be required.
  7708. maxLength: 253
  7709. minLength: 1
  7710. pattern: ^[-._a-zA-Z0-9]+$
  7711. type: string
  7712. name:
  7713. description: The name of the Secret resource being referred to.
  7714. maxLength: 253
  7715. minLength: 1
  7716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7717. type: string
  7718. namespace:
  7719. description: |-
  7720. The namespace of the Secret resource being referred to.
  7721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7722. maxLength: 63
  7723. minLength: 1
  7724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7725. type: string
  7726. type: object
  7727. required:
  7728. - connectTokenSecretRef
  7729. type: object
  7730. required:
  7731. - secretRef
  7732. type: object
  7733. connectHost:
  7734. description: ConnectHost defines the OnePassword Connect Server to connect to
  7735. type: string
  7736. vaults:
  7737. additionalProperties:
  7738. type: integer
  7739. description: Vaults defines which OnePassword vaults to search in which order
  7740. type: object
  7741. required:
  7742. - auth
  7743. - connectHost
  7744. - vaults
  7745. type: object
  7746. oracle:
  7747. description: Oracle configures this store to sync secrets using Oracle Vault provider
  7748. properties:
  7749. auth:
  7750. description: |-
  7751. Auth configures how secret-manager authenticates with the Oracle Vault.
  7752. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  7753. properties:
  7754. secretRef:
  7755. description: SecretRef to pass through sensitive information.
  7756. properties:
  7757. fingerprint:
  7758. description: Fingerprint is the fingerprint of the API private key.
  7759. properties:
  7760. key:
  7761. description: |-
  7762. A key in the referenced Secret.
  7763. Some instances of this field may be defaulted, in others it may be required.
  7764. maxLength: 253
  7765. minLength: 1
  7766. pattern: ^[-._a-zA-Z0-9]+$
  7767. type: string
  7768. name:
  7769. description: The name of the Secret resource being referred to.
  7770. maxLength: 253
  7771. minLength: 1
  7772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7773. type: string
  7774. namespace:
  7775. description: |-
  7776. The namespace of the Secret resource being referred to.
  7777. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7778. maxLength: 63
  7779. minLength: 1
  7780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7781. type: string
  7782. type: object
  7783. privatekey:
  7784. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  7785. properties:
  7786. key:
  7787. description: |-
  7788. A key in the referenced Secret.
  7789. Some instances of this field may be defaulted, in others it may be required.
  7790. maxLength: 253
  7791. minLength: 1
  7792. pattern: ^[-._a-zA-Z0-9]+$
  7793. type: string
  7794. name:
  7795. description: The name of the Secret resource being referred to.
  7796. maxLength: 253
  7797. minLength: 1
  7798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7799. type: string
  7800. namespace:
  7801. description: |-
  7802. The namespace of the Secret resource being referred to.
  7803. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7804. maxLength: 63
  7805. minLength: 1
  7806. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7807. type: string
  7808. type: object
  7809. required:
  7810. - fingerprint
  7811. - privatekey
  7812. type: object
  7813. tenancy:
  7814. description: Tenancy is the tenancy OCID where user is located.
  7815. type: string
  7816. user:
  7817. description: User is an access OCID specific to the account.
  7818. type: string
  7819. required:
  7820. - secretRef
  7821. - tenancy
  7822. - user
  7823. type: object
  7824. compartment:
  7825. description: |-
  7826. Compartment is the vault compartment OCID.
  7827. Required for PushSecret
  7828. type: string
  7829. encryptionKey:
  7830. description: |-
  7831. EncryptionKey is the OCID of the encryption key within the vault.
  7832. Required for PushSecret
  7833. type: string
  7834. principalType:
  7835. description: |-
  7836. The type of principal to use for authentication. If left blank, the Auth struct will
  7837. determine the principal type. This optional field must be specified if using
  7838. workload identity.
  7839. enum:
  7840. - ""
  7841. - UserPrincipal
  7842. - InstancePrincipal
  7843. - Workload
  7844. type: string
  7845. region:
  7846. description: Region is the region where vault is located.
  7847. type: string
  7848. serviceAccountRef:
  7849. description: |-
  7850. ServiceAccountRef specified the service account
  7851. that should be used when authenticating with WorkloadIdentity.
  7852. properties:
  7853. audiences:
  7854. description: |-
  7855. Audience specifies the `aud` claim for the service account token
  7856. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7857. then this audiences will be appended to the list
  7858. items:
  7859. type: string
  7860. type: array
  7861. name:
  7862. description: The name of the ServiceAccount resource being referred to.
  7863. maxLength: 253
  7864. minLength: 1
  7865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7866. type: string
  7867. namespace:
  7868. description: |-
  7869. Namespace of the resource being referred to.
  7870. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7871. maxLength: 63
  7872. minLength: 1
  7873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7874. type: string
  7875. required:
  7876. - name
  7877. type: object
  7878. vault:
  7879. description: Vault is the vault's OCID of the specific vault where secret is located.
  7880. type: string
  7881. required:
  7882. - region
  7883. - vault
  7884. type: object
  7885. passbolt:
  7886. properties:
  7887. auth:
  7888. description: Auth defines the information necessary to authenticate against Passbolt Server
  7889. properties:
  7890. passwordSecretRef:
  7891. description: |-
  7892. A reference to a specific 'key' within a Secret resource.
  7893. In some instances, `key` is a required field.
  7894. properties:
  7895. key:
  7896. description: |-
  7897. A key in the referenced Secret.
  7898. Some instances of this field may be defaulted, in others it may be required.
  7899. maxLength: 253
  7900. minLength: 1
  7901. pattern: ^[-._a-zA-Z0-9]+$
  7902. type: string
  7903. name:
  7904. description: The name of the Secret resource being referred to.
  7905. maxLength: 253
  7906. minLength: 1
  7907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7908. type: string
  7909. namespace:
  7910. description: |-
  7911. The namespace of the Secret resource being referred to.
  7912. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7913. maxLength: 63
  7914. minLength: 1
  7915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7916. type: string
  7917. type: object
  7918. privateKeySecretRef:
  7919. description: |-
  7920. A reference to a specific 'key' within a Secret resource.
  7921. In some instances, `key` is a required field.
  7922. properties:
  7923. key:
  7924. description: |-
  7925. A key in the referenced Secret.
  7926. Some instances of this field may be defaulted, in others it may be required.
  7927. maxLength: 253
  7928. minLength: 1
  7929. pattern: ^[-._a-zA-Z0-9]+$
  7930. type: string
  7931. name:
  7932. description: The name of the Secret resource being referred to.
  7933. maxLength: 253
  7934. minLength: 1
  7935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7936. type: string
  7937. namespace:
  7938. description: |-
  7939. The namespace of the Secret resource being referred to.
  7940. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7941. maxLength: 63
  7942. minLength: 1
  7943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7944. type: string
  7945. type: object
  7946. required:
  7947. - passwordSecretRef
  7948. - privateKeySecretRef
  7949. type: object
  7950. host:
  7951. description: Host defines the Passbolt Server to connect to
  7952. type: string
  7953. required:
  7954. - auth
  7955. - host
  7956. type: object
  7957. passworddepot:
  7958. description: Configures a store to sync secrets with a Password Depot instance.
  7959. properties:
  7960. auth:
  7961. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  7962. properties:
  7963. secretRef:
  7964. properties:
  7965. credentials:
  7966. description: Username / Password is used for authentication.
  7967. properties:
  7968. key:
  7969. description: |-
  7970. A key in the referenced Secret.
  7971. Some instances of this field may be defaulted, in others it may be required.
  7972. maxLength: 253
  7973. minLength: 1
  7974. pattern: ^[-._a-zA-Z0-9]+$
  7975. type: string
  7976. name:
  7977. description: The name of the Secret resource being referred to.
  7978. maxLength: 253
  7979. minLength: 1
  7980. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7981. type: string
  7982. namespace:
  7983. description: |-
  7984. The namespace of the Secret resource being referred to.
  7985. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7986. maxLength: 63
  7987. minLength: 1
  7988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7989. type: string
  7990. type: object
  7991. type: object
  7992. required:
  7993. - secretRef
  7994. type: object
  7995. database:
  7996. description: Database to use as source
  7997. type: string
  7998. host:
  7999. description: URL configures the Password Depot instance URL.
  8000. type: string
  8001. required:
  8002. - auth
  8003. - database
  8004. - host
  8005. type: object
  8006. previder:
  8007. description: Previder configures this store to sync secrets using the Previder provider
  8008. properties:
  8009. auth:
  8010. description: PreviderAuth contains a secretRef for credentials.
  8011. properties:
  8012. secretRef:
  8013. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  8014. properties:
  8015. accessToken:
  8016. description: The AccessToken is used for authentication
  8017. properties:
  8018. key:
  8019. description: |-
  8020. A key in the referenced Secret.
  8021. Some instances of this field may be defaulted, in others it may be required.
  8022. maxLength: 253
  8023. minLength: 1
  8024. pattern: ^[-._a-zA-Z0-9]+$
  8025. type: string
  8026. name:
  8027. description: The name of the Secret resource being referred to.
  8028. maxLength: 253
  8029. minLength: 1
  8030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8031. type: string
  8032. namespace:
  8033. description: |-
  8034. The namespace of the Secret resource being referred to.
  8035. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8036. maxLength: 63
  8037. minLength: 1
  8038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8039. type: string
  8040. type: object
  8041. required:
  8042. - accessToken
  8043. type: object
  8044. type: object
  8045. baseUri:
  8046. type: string
  8047. required:
  8048. - auth
  8049. type: object
  8050. pulumi:
  8051. description: Pulumi configures this store to sync secrets using the Pulumi provider
  8052. properties:
  8053. accessToken:
  8054. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  8055. properties:
  8056. secretRef:
  8057. description: SecretRef is a reference to a secret containing the Pulumi API token.
  8058. properties:
  8059. key:
  8060. description: |-
  8061. A key in the referenced Secret.
  8062. Some instances of this field may be defaulted, in others it may be required.
  8063. maxLength: 253
  8064. minLength: 1
  8065. pattern: ^[-._a-zA-Z0-9]+$
  8066. type: string
  8067. name:
  8068. description: The name of the Secret resource being referred to.
  8069. maxLength: 253
  8070. minLength: 1
  8071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8072. type: string
  8073. namespace:
  8074. description: |-
  8075. The namespace of the Secret resource being referred to.
  8076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8077. maxLength: 63
  8078. minLength: 1
  8079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8080. type: string
  8081. type: object
  8082. type: object
  8083. apiUrl:
  8084. default: https://api.pulumi.com/api/esc
  8085. description: APIURL is the URL of the Pulumi API.
  8086. type: string
  8087. environment:
  8088. description: |-
  8089. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  8090. dynamically retrieved values from supported providers including all major clouds,
  8091. and other Pulumi ESC environments.
  8092. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  8093. type: string
  8094. organization:
  8095. description: |-
  8096. Organization are a space to collaborate on shared projects and stacks.
  8097. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  8098. type: string
  8099. project:
  8100. description: Project is the name of the Pulumi ESC project the environment belongs to.
  8101. type: string
  8102. required:
  8103. - accessToken
  8104. - environment
  8105. - organization
  8106. - project
  8107. type: object
  8108. scaleway:
  8109. description: Scaleway
  8110. properties:
  8111. accessKey:
  8112. description: AccessKey is the non-secret part of the api key.
  8113. properties:
  8114. secretRef:
  8115. description: SecretRef references a key in a secret that will be used as value.
  8116. properties:
  8117. key:
  8118. description: |-
  8119. A key in the referenced Secret.
  8120. Some instances of this field may be defaulted, in others it may be required.
  8121. maxLength: 253
  8122. minLength: 1
  8123. pattern: ^[-._a-zA-Z0-9]+$
  8124. type: string
  8125. name:
  8126. description: The name of the Secret resource being referred to.
  8127. maxLength: 253
  8128. minLength: 1
  8129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8130. type: string
  8131. namespace:
  8132. description: |-
  8133. The namespace of the Secret resource being referred to.
  8134. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8135. maxLength: 63
  8136. minLength: 1
  8137. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8138. type: string
  8139. type: object
  8140. value:
  8141. description: Value can be specified directly to set a value without using a secret.
  8142. type: string
  8143. type: object
  8144. apiUrl:
  8145. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  8146. type: string
  8147. projectId:
  8148. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  8149. type: string
  8150. region:
  8151. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  8152. type: string
  8153. secretKey:
  8154. description: SecretKey is the non-secret part of the api key.
  8155. properties:
  8156. secretRef:
  8157. description: SecretRef references a key in a secret that will be used as value.
  8158. properties:
  8159. key:
  8160. description: |-
  8161. A key in the referenced Secret.
  8162. Some instances of this field may be defaulted, in others it may be required.
  8163. maxLength: 253
  8164. minLength: 1
  8165. pattern: ^[-._a-zA-Z0-9]+$
  8166. type: string
  8167. name:
  8168. description: The name of the Secret resource being referred to.
  8169. maxLength: 253
  8170. minLength: 1
  8171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8172. type: string
  8173. namespace:
  8174. description: |-
  8175. The namespace of the Secret resource being referred to.
  8176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8177. maxLength: 63
  8178. minLength: 1
  8179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8180. type: string
  8181. type: object
  8182. value:
  8183. description: Value can be specified directly to set a value without using a secret.
  8184. type: string
  8185. type: object
  8186. required:
  8187. - accessKey
  8188. - projectId
  8189. - region
  8190. - secretKey
  8191. type: object
  8192. secretserver:
  8193. description: |-
  8194. SecretServer configures this store to sync secrets using SecretServer provider
  8195. https://docs.delinea.com/online-help/secret-server/start.htm
  8196. properties:
  8197. password:
  8198. description: Password is the secret server account password.
  8199. properties:
  8200. secretRef:
  8201. description: SecretRef references a key in a secret that will be used as value.
  8202. properties:
  8203. key:
  8204. description: |-
  8205. A key in the referenced Secret.
  8206. Some instances of this field may be defaulted, in others it may be required.
  8207. maxLength: 253
  8208. minLength: 1
  8209. pattern: ^[-._a-zA-Z0-9]+$
  8210. type: string
  8211. name:
  8212. description: The name of the Secret resource being referred to.
  8213. maxLength: 253
  8214. minLength: 1
  8215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8216. type: string
  8217. namespace:
  8218. description: |-
  8219. The namespace of the Secret resource being referred to.
  8220. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8221. maxLength: 63
  8222. minLength: 1
  8223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8224. type: string
  8225. type: object
  8226. value:
  8227. description: Value can be specified directly to set a value without using a secret.
  8228. type: string
  8229. type: object
  8230. serverURL:
  8231. description: |-
  8232. ServerURL
  8233. URL to your secret server installation
  8234. type: string
  8235. username:
  8236. description: Username is the secret server account username.
  8237. properties:
  8238. secretRef:
  8239. description: SecretRef references a key in a secret that will be used as value.
  8240. properties:
  8241. key:
  8242. description: |-
  8243. A key in the referenced Secret.
  8244. Some instances of this field may be defaulted, in others it may be required.
  8245. maxLength: 253
  8246. minLength: 1
  8247. pattern: ^[-._a-zA-Z0-9]+$
  8248. type: string
  8249. name:
  8250. description: The name of the Secret resource being referred to.
  8251. maxLength: 253
  8252. minLength: 1
  8253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8254. type: string
  8255. namespace:
  8256. description: |-
  8257. The namespace of the Secret resource being referred to.
  8258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8259. maxLength: 63
  8260. minLength: 1
  8261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8262. type: string
  8263. type: object
  8264. value:
  8265. description: Value can be specified directly to set a value without using a secret.
  8266. type: string
  8267. type: object
  8268. required:
  8269. - password
  8270. - serverURL
  8271. - username
  8272. type: object
  8273. senhasegura:
  8274. description: Senhasegura configures this store to sync secrets using senhasegura provider
  8275. properties:
  8276. auth:
  8277. description: Auth defines parameters to authenticate in senhasegura
  8278. properties:
  8279. clientId:
  8280. type: string
  8281. clientSecretSecretRef:
  8282. description: |-
  8283. A reference to a specific 'key' within a Secret resource.
  8284. In some instances, `key` is a required field.
  8285. properties:
  8286. key:
  8287. description: |-
  8288. A key in the referenced Secret.
  8289. Some instances of this field may be defaulted, in others it may be required.
  8290. maxLength: 253
  8291. minLength: 1
  8292. pattern: ^[-._a-zA-Z0-9]+$
  8293. type: string
  8294. name:
  8295. description: The name of the Secret resource being referred to.
  8296. maxLength: 253
  8297. minLength: 1
  8298. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8299. type: string
  8300. namespace:
  8301. description: |-
  8302. The namespace of the Secret resource being referred to.
  8303. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8304. maxLength: 63
  8305. minLength: 1
  8306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8307. type: string
  8308. type: object
  8309. required:
  8310. - clientId
  8311. - clientSecretSecretRef
  8312. type: object
  8313. ignoreSslCertificate:
  8314. default: false
  8315. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  8316. type: boolean
  8317. module:
  8318. description: Module defines which senhasegura module should be used to get secrets
  8319. type: string
  8320. url:
  8321. description: URL of senhasegura
  8322. type: string
  8323. required:
  8324. - auth
  8325. - module
  8326. - url
  8327. type: object
  8328. vault:
  8329. description: Vault configures this store to sync secrets using Hashi provider
  8330. properties:
  8331. auth:
  8332. description: Auth configures how secret-manager authenticates with the Vault server.
  8333. properties:
  8334. appRole:
  8335. description: |-
  8336. AppRole authenticates with Vault using the App Role auth mechanism,
  8337. with the role and secret stored in a Kubernetes Secret resource.
  8338. properties:
  8339. path:
  8340. default: approle
  8341. description: |-
  8342. Path where the App Role authentication backend is mounted
  8343. in Vault, e.g: "approle"
  8344. type: string
  8345. roleId:
  8346. description: |-
  8347. RoleID configured in the App Role authentication backend when setting
  8348. up the authentication backend in Vault.
  8349. type: string
  8350. roleRef:
  8351. description: |-
  8352. Reference to a key in a Secret that contains the App Role ID used
  8353. to authenticate with Vault.
  8354. The `key` field must be specified and denotes which entry within the Secret
  8355. resource is used as the app role id.
  8356. properties:
  8357. key:
  8358. description: |-
  8359. A key in the referenced Secret.
  8360. Some instances of this field may be defaulted, in others it may be required.
  8361. maxLength: 253
  8362. minLength: 1
  8363. pattern: ^[-._a-zA-Z0-9]+$
  8364. type: string
  8365. name:
  8366. description: The name of the Secret resource being referred to.
  8367. maxLength: 253
  8368. minLength: 1
  8369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8370. type: string
  8371. namespace:
  8372. description: |-
  8373. The namespace of the Secret resource being referred to.
  8374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8375. maxLength: 63
  8376. minLength: 1
  8377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8378. type: string
  8379. type: object
  8380. secretRef:
  8381. description: |-
  8382. Reference to a key in a Secret that contains the App Role secret used
  8383. to authenticate with Vault.
  8384. The `key` field must be specified and denotes which entry within the Secret
  8385. resource is used as the app role secret.
  8386. properties:
  8387. key:
  8388. description: |-
  8389. A key in the referenced Secret.
  8390. Some instances of this field may be defaulted, in others it may be required.
  8391. maxLength: 253
  8392. minLength: 1
  8393. pattern: ^[-._a-zA-Z0-9]+$
  8394. type: string
  8395. name:
  8396. description: The name of the Secret resource being referred to.
  8397. maxLength: 253
  8398. minLength: 1
  8399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8400. type: string
  8401. namespace:
  8402. description: |-
  8403. The namespace of the Secret resource being referred to.
  8404. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8405. maxLength: 63
  8406. minLength: 1
  8407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8408. type: string
  8409. type: object
  8410. required:
  8411. - path
  8412. - secretRef
  8413. type: object
  8414. cert:
  8415. description: |-
  8416. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  8417. Cert authentication method
  8418. properties:
  8419. clientCert:
  8420. description: |-
  8421. ClientCert is a certificate to authenticate using the Cert Vault
  8422. authentication method
  8423. properties:
  8424. key:
  8425. description: |-
  8426. A key in the referenced Secret.
  8427. Some instances of this field may be defaulted, in others it may be required.
  8428. maxLength: 253
  8429. minLength: 1
  8430. pattern: ^[-._a-zA-Z0-9]+$
  8431. type: string
  8432. name:
  8433. description: The name of the Secret resource being referred to.
  8434. maxLength: 253
  8435. minLength: 1
  8436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8437. type: string
  8438. namespace:
  8439. description: |-
  8440. The namespace of the Secret resource being referred to.
  8441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8442. maxLength: 63
  8443. minLength: 1
  8444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8445. type: string
  8446. type: object
  8447. secretRef:
  8448. description: |-
  8449. SecretRef to a key in a Secret resource containing client private key to
  8450. authenticate with Vault using the Cert authentication method
  8451. properties:
  8452. key:
  8453. description: |-
  8454. A key in the referenced Secret.
  8455. Some instances of this field may be defaulted, in others it may be required.
  8456. maxLength: 253
  8457. minLength: 1
  8458. pattern: ^[-._a-zA-Z0-9]+$
  8459. type: string
  8460. name:
  8461. description: The name of the Secret resource being referred to.
  8462. maxLength: 253
  8463. minLength: 1
  8464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8465. type: string
  8466. namespace:
  8467. description: |-
  8468. The namespace of the Secret resource being referred to.
  8469. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8470. maxLength: 63
  8471. minLength: 1
  8472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8473. type: string
  8474. type: object
  8475. type: object
  8476. iam:
  8477. description: |-
  8478. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  8479. AWS IAM authentication method
  8480. properties:
  8481. externalID:
  8482. description: AWS External ID set on assumed IAM roles
  8483. type: string
  8484. jwt:
  8485. description: Specify a service account with IRSA enabled
  8486. properties:
  8487. serviceAccountRef:
  8488. description: A reference to a ServiceAccount resource.
  8489. properties:
  8490. audiences:
  8491. description: |-
  8492. Audience specifies the `aud` claim for the service account token
  8493. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8494. then this audiences will be appended to the list
  8495. items:
  8496. type: string
  8497. type: array
  8498. name:
  8499. description: The name of the ServiceAccount resource being referred to.
  8500. maxLength: 253
  8501. minLength: 1
  8502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8503. type: string
  8504. namespace:
  8505. description: |-
  8506. Namespace of the resource being referred to.
  8507. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8508. maxLength: 63
  8509. minLength: 1
  8510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8511. type: string
  8512. required:
  8513. - name
  8514. type: object
  8515. type: object
  8516. path:
  8517. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  8518. type: string
  8519. region:
  8520. description: AWS region
  8521. type: string
  8522. role:
  8523. description: This is the AWS role to be assumed before talking to vault
  8524. type: string
  8525. secretRef:
  8526. description: Specify credentials in a Secret object
  8527. properties:
  8528. accessKeyIDSecretRef:
  8529. description: The AccessKeyID is used for authentication
  8530. properties:
  8531. key:
  8532. description: |-
  8533. A key in the referenced Secret.
  8534. Some instances of this field may be defaulted, in others it may be required.
  8535. maxLength: 253
  8536. minLength: 1
  8537. pattern: ^[-._a-zA-Z0-9]+$
  8538. type: string
  8539. name:
  8540. description: The name of the Secret resource being referred to.
  8541. maxLength: 253
  8542. minLength: 1
  8543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8544. type: string
  8545. namespace:
  8546. description: |-
  8547. The namespace of the Secret resource being referred to.
  8548. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8549. maxLength: 63
  8550. minLength: 1
  8551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8552. type: string
  8553. type: object
  8554. secretAccessKeySecretRef:
  8555. description: The SecretAccessKey is used for authentication
  8556. properties:
  8557. key:
  8558. description: |-
  8559. A key in the referenced Secret.
  8560. Some instances of this field may be defaulted, in others it may be required.
  8561. maxLength: 253
  8562. minLength: 1
  8563. pattern: ^[-._a-zA-Z0-9]+$
  8564. type: string
  8565. name:
  8566. description: The name of the Secret resource being referred to.
  8567. maxLength: 253
  8568. minLength: 1
  8569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8570. type: string
  8571. namespace:
  8572. description: |-
  8573. The namespace of the Secret resource being referred to.
  8574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8575. maxLength: 63
  8576. minLength: 1
  8577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8578. type: string
  8579. type: object
  8580. sessionTokenSecretRef:
  8581. description: |-
  8582. The SessionToken used for authentication
  8583. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  8584. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  8585. properties:
  8586. key:
  8587. description: |-
  8588. A key in the referenced Secret.
  8589. Some instances of this field may be defaulted, in others it may be required.
  8590. maxLength: 253
  8591. minLength: 1
  8592. pattern: ^[-._a-zA-Z0-9]+$
  8593. type: string
  8594. name:
  8595. description: The name of the Secret resource being referred to.
  8596. maxLength: 253
  8597. minLength: 1
  8598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8599. type: string
  8600. namespace:
  8601. description: |-
  8602. The namespace of the Secret resource being referred to.
  8603. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8604. maxLength: 63
  8605. minLength: 1
  8606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8607. type: string
  8608. type: object
  8609. type: object
  8610. vaultAwsIamServerID:
  8611. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  8612. type: string
  8613. vaultRole:
  8614. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  8615. type: string
  8616. required:
  8617. - vaultRole
  8618. type: object
  8619. jwt:
  8620. description: |-
  8621. Jwt authenticates with Vault by passing role and JWT token using the
  8622. JWT/OIDC authentication method
  8623. properties:
  8624. kubernetesServiceAccountToken:
  8625. description: |-
  8626. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  8627. a token for with the `TokenRequest` API.
  8628. properties:
  8629. audiences:
  8630. description: |-
  8631. Optional audiences field that will be used to request a temporary Kubernetes service
  8632. account token for the service account referenced by `serviceAccountRef`.
  8633. Defaults to a single audience `vault` it not specified.
  8634. Deprecated: use serviceAccountRef.Audiences instead
  8635. items:
  8636. type: string
  8637. type: array
  8638. expirationSeconds:
  8639. description: |-
  8640. Optional expiration time in seconds that will be used to request a temporary
  8641. Kubernetes service account token for the service account referenced by
  8642. `serviceAccountRef`.
  8643. Deprecated: this will be removed in the future.
  8644. Defaults to 10 minutes.
  8645. format: int64
  8646. type: integer
  8647. serviceAccountRef:
  8648. description: Service account field containing the name of a kubernetes ServiceAccount.
  8649. properties:
  8650. audiences:
  8651. description: |-
  8652. Audience specifies the `aud` claim for the service account token
  8653. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8654. then this audiences will be appended to the list
  8655. items:
  8656. type: string
  8657. type: array
  8658. name:
  8659. description: The name of the ServiceAccount resource being referred to.
  8660. maxLength: 253
  8661. minLength: 1
  8662. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8663. type: string
  8664. namespace:
  8665. description: |-
  8666. Namespace of the resource being referred to.
  8667. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8668. maxLength: 63
  8669. minLength: 1
  8670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8671. type: string
  8672. required:
  8673. - name
  8674. type: object
  8675. required:
  8676. - serviceAccountRef
  8677. type: object
  8678. path:
  8679. default: jwt
  8680. description: |-
  8681. Path where the JWT authentication backend is mounted
  8682. in Vault, e.g: "jwt"
  8683. type: string
  8684. role:
  8685. description: |-
  8686. Role is a JWT role to authenticate using the JWT/OIDC Vault
  8687. authentication method
  8688. type: string
  8689. secretRef:
  8690. description: |-
  8691. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  8692. authenticate with Vault using the JWT/OIDC authentication method.
  8693. properties:
  8694. key:
  8695. description: |-
  8696. A key in the referenced Secret.
  8697. Some instances of this field may be defaulted, in others it may be required.
  8698. maxLength: 253
  8699. minLength: 1
  8700. pattern: ^[-._a-zA-Z0-9]+$
  8701. type: string
  8702. name:
  8703. description: The name of the Secret resource being referred to.
  8704. maxLength: 253
  8705. minLength: 1
  8706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8707. type: string
  8708. namespace:
  8709. description: |-
  8710. The namespace of the Secret resource being referred to.
  8711. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8712. maxLength: 63
  8713. minLength: 1
  8714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8715. type: string
  8716. type: object
  8717. required:
  8718. - path
  8719. type: object
  8720. kubernetes:
  8721. description: |-
  8722. Kubernetes authenticates with Vault by passing the ServiceAccount
  8723. token stored in the named Secret resource to the Vault server.
  8724. properties:
  8725. mountPath:
  8726. default: kubernetes
  8727. description: |-
  8728. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  8729. "kubernetes"
  8730. type: string
  8731. role:
  8732. description: |-
  8733. A required field containing the Vault Role to assume. A Role binds a
  8734. Kubernetes ServiceAccount with a set of Vault policies.
  8735. type: string
  8736. secretRef:
  8737. description: |-
  8738. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8739. for authenticating with Vault. If a name is specified without a key,
  8740. `token` is the default. If one is not specified, the one bound to
  8741. the controller will be used.
  8742. properties:
  8743. key:
  8744. description: |-
  8745. A key in the referenced Secret.
  8746. Some instances of this field may be defaulted, in others it may be required.
  8747. maxLength: 253
  8748. minLength: 1
  8749. pattern: ^[-._a-zA-Z0-9]+$
  8750. type: string
  8751. name:
  8752. description: The name of the Secret resource being referred to.
  8753. maxLength: 253
  8754. minLength: 1
  8755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8756. type: string
  8757. namespace:
  8758. description: |-
  8759. The namespace of the Secret resource being referred to.
  8760. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8761. maxLength: 63
  8762. minLength: 1
  8763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8764. type: string
  8765. type: object
  8766. serviceAccountRef:
  8767. description: |-
  8768. Optional service account field containing the name of a kubernetes ServiceAccount.
  8769. If the service account is specified, the service account secret token JWT will be used
  8770. for authenticating with Vault. If the service account selector is not supplied,
  8771. the secretRef will be used instead.
  8772. properties:
  8773. audiences:
  8774. description: |-
  8775. Audience specifies the `aud` claim for the service account token
  8776. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8777. then this audiences will be appended to the list
  8778. items:
  8779. type: string
  8780. type: array
  8781. name:
  8782. description: The name of the ServiceAccount resource being referred to.
  8783. maxLength: 253
  8784. minLength: 1
  8785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8786. type: string
  8787. namespace:
  8788. description: |-
  8789. Namespace of the resource being referred to.
  8790. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8791. maxLength: 63
  8792. minLength: 1
  8793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8794. type: string
  8795. required:
  8796. - name
  8797. type: object
  8798. required:
  8799. - mountPath
  8800. - role
  8801. type: object
  8802. ldap:
  8803. description: |-
  8804. Ldap authenticates with Vault by passing username/password pair using
  8805. the LDAP authentication method
  8806. properties:
  8807. path:
  8808. default: ldap
  8809. description: |-
  8810. Path where the LDAP authentication backend is mounted
  8811. in Vault, e.g: "ldap"
  8812. type: string
  8813. secretRef:
  8814. description: |-
  8815. SecretRef to a key in a Secret resource containing password for the LDAP
  8816. user used to authenticate with Vault using the LDAP authentication
  8817. method
  8818. properties:
  8819. key:
  8820. description: |-
  8821. A key in the referenced Secret.
  8822. Some instances of this field may be defaulted, in others it may be required.
  8823. maxLength: 253
  8824. minLength: 1
  8825. pattern: ^[-._a-zA-Z0-9]+$
  8826. type: string
  8827. name:
  8828. description: The name of the Secret resource being referred to.
  8829. maxLength: 253
  8830. minLength: 1
  8831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8832. type: string
  8833. namespace:
  8834. description: |-
  8835. The namespace of the Secret resource being referred to.
  8836. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8837. maxLength: 63
  8838. minLength: 1
  8839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8840. type: string
  8841. type: object
  8842. username:
  8843. description: |-
  8844. Username is an LDAP username used to authenticate using the LDAP Vault
  8845. authentication method
  8846. type: string
  8847. required:
  8848. - path
  8849. - username
  8850. type: object
  8851. namespace:
  8852. description: |-
  8853. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  8854. Namespaces is a set of features within Vault Enterprise that allows
  8855. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8856. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8857. This will default to Vault.Namespace field if set, or empty otherwise
  8858. type: string
  8859. tokenSecretRef:
  8860. description: TokenSecretRef authenticates with Vault by presenting a token.
  8861. properties:
  8862. key:
  8863. description: |-
  8864. A key in the referenced Secret.
  8865. Some instances of this field may be defaulted, in others it may be required.
  8866. maxLength: 253
  8867. minLength: 1
  8868. pattern: ^[-._a-zA-Z0-9]+$
  8869. type: string
  8870. name:
  8871. description: The name of the Secret resource being referred to.
  8872. maxLength: 253
  8873. minLength: 1
  8874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8875. type: string
  8876. namespace:
  8877. description: |-
  8878. The namespace of the Secret resource being referred to.
  8879. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8880. maxLength: 63
  8881. minLength: 1
  8882. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8883. type: string
  8884. type: object
  8885. userPass:
  8886. description: UserPass authenticates with Vault by passing username/password pair
  8887. properties:
  8888. path:
  8889. default: userpass
  8890. description: |-
  8891. Path where the UserPassword authentication backend is mounted
  8892. in Vault, e.g: "userpass"
  8893. type: string
  8894. secretRef:
  8895. description: |-
  8896. SecretRef to a key in a Secret resource containing password for the
  8897. user used to authenticate with Vault using the UserPass authentication
  8898. method
  8899. properties:
  8900. key:
  8901. description: |-
  8902. A key in the referenced Secret.
  8903. Some instances of this field may be defaulted, in others it may be required.
  8904. maxLength: 253
  8905. minLength: 1
  8906. pattern: ^[-._a-zA-Z0-9]+$
  8907. type: string
  8908. name:
  8909. description: The name of the Secret resource being referred to.
  8910. maxLength: 253
  8911. minLength: 1
  8912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8913. type: string
  8914. namespace:
  8915. description: |-
  8916. The namespace of the Secret resource being referred to.
  8917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8918. maxLength: 63
  8919. minLength: 1
  8920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8921. type: string
  8922. type: object
  8923. username:
  8924. description: |-
  8925. Username is a username used to authenticate using the UserPass Vault
  8926. authentication method
  8927. type: string
  8928. required:
  8929. - path
  8930. - username
  8931. type: object
  8932. type: object
  8933. caBundle:
  8934. description: |-
  8935. PEM encoded CA bundle used to validate Vault server certificate. Only used
  8936. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8937. plain HTTP protocol connection. If not set the system root certificates
  8938. are used to validate the TLS connection.
  8939. format: byte
  8940. type: string
  8941. caProvider:
  8942. description: The provider for the CA bundle to use to validate Vault server certificate.
  8943. properties:
  8944. key:
  8945. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8946. maxLength: 253
  8947. minLength: 1
  8948. pattern: ^[-._a-zA-Z0-9]+$
  8949. type: string
  8950. name:
  8951. description: The name of the object located at the provider type.
  8952. maxLength: 253
  8953. minLength: 1
  8954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8955. type: string
  8956. namespace:
  8957. description: |-
  8958. The namespace the Provider type is in.
  8959. Can only be defined when used in a ClusterSecretStore.
  8960. maxLength: 63
  8961. minLength: 1
  8962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8963. type: string
  8964. type:
  8965. description: The type of provider to use such as "Secret", or "ConfigMap".
  8966. enum:
  8967. - Secret
  8968. - ConfigMap
  8969. type: string
  8970. required:
  8971. - name
  8972. - type
  8973. type: object
  8974. forwardInconsistent:
  8975. description: |-
  8976. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8977. leader instead of simply retrying within a loop. This can increase performance if
  8978. the option is enabled serverside.
  8979. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8980. type: boolean
  8981. headers:
  8982. additionalProperties:
  8983. type: string
  8984. description: Headers to be added in Vault request
  8985. type: object
  8986. namespace:
  8987. description: |-
  8988. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8989. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8990. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8991. type: string
  8992. path:
  8993. description: |-
  8994. Path is the mount path of the Vault KV backend endpoint, e.g:
  8995. "secret". The v2 KV secret engine version specific "/data" path suffix
  8996. for fetching secrets from Vault is optional and will be appended
  8997. if not present in specified path.
  8998. type: string
  8999. readYourWrites:
  9000. description: |-
  9001. ReadYourWrites ensures isolated read-after-write semantics by
  9002. providing discovered cluster replication states in each request.
  9003. More information about eventual consistency in Vault can be found here
  9004. https://www.vaultproject.io/docs/enterprise/consistency
  9005. type: boolean
  9006. server:
  9007. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  9008. type: string
  9009. tls:
  9010. description: |-
  9011. The configuration used for client side related TLS communication, when the Vault server
  9012. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  9013. This parameter is ignored for plain HTTP protocol connection.
  9014. It's worth noting this configuration is different from the "TLS certificates auth method",
  9015. which is available under the `auth.cert` section.
  9016. properties:
  9017. certSecretRef:
  9018. description: |-
  9019. CertSecretRef is a certificate added to the transport layer
  9020. when communicating with the Vault server.
  9021. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  9022. properties:
  9023. key:
  9024. description: |-
  9025. A key in the referenced Secret.
  9026. Some instances of this field may be defaulted, in others it may be required.
  9027. maxLength: 253
  9028. minLength: 1
  9029. pattern: ^[-._a-zA-Z0-9]+$
  9030. type: string
  9031. name:
  9032. description: The name of the Secret resource being referred to.
  9033. maxLength: 253
  9034. minLength: 1
  9035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9036. type: string
  9037. namespace:
  9038. description: |-
  9039. The namespace of the Secret resource being referred to.
  9040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9041. maxLength: 63
  9042. minLength: 1
  9043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9044. type: string
  9045. type: object
  9046. keySecretRef:
  9047. description: |-
  9048. KeySecretRef to a key in a Secret resource containing client private key
  9049. added to the transport layer when communicating with the Vault server.
  9050. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  9051. properties:
  9052. key:
  9053. description: |-
  9054. A key in the referenced Secret.
  9055. Some instances of this field may be defaulted, in others it may be required.
  9056. maxLength: 253
  9057. minLength: 1
  9058. pattern: ^[-._a-zA-Z0-9]+$
  9059. type: string
  9060. name:
  9061. description: The name of the Secret resource being referred to.
  9062. maxLength: 253
  9063. minLength: 1
  9064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9065. type: string
  9066. namespace:
  9067. description: |-
  9068. The namespace of the Secret resource being referred to.
  9069. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9070. maxLength: 63
  9071. minLength: 1
  9072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9073. type: string
  9074. type: object
  9075. type: object
  9076. version:
  9077. default: v2
  9078. description: |-
  9079. Version is the Vault KV secret engine version. This can be either "v1" or
  9080. "v2". Version defaults to "v2".
  9081. enum:
  9082. - v1
  9083. - v2
  9084. type: string
  9085. required:
  9086. - server
  9087. type: object
  9088. webhook:
  9089. description: Webhook configures this store to sync secrets using a generic templated webhook
  9090. properties:
  9091. auth:
  9092. description: Auth specifies a authorization protocol. Only one protocol may be set.
  9093. maxProperties: 1
  9094. minProperties: 1
  9095. properties:
  9096. ntlm:
  9097. description: NTLMProtocol configures the store to use NTLM for auth
  9098. properties:
  9099. passwordSecret:
  9100. description: |-
  9101. A reference to a specific 'key' within a Secret resource.
  9102. In some instances, `key` is a required field.
  9103. properties:
  9104. key:
  9105. description: |-
  9106. A key in the referenced Secret.
  9107. Some instances of this field may be defaulted, in others it may be required.
  9108. maxLength: 253
  9109. minLength: 1
  9110. pattern: ^[-._a-zA-Z0-9]+$
  9111. type: string
  9112. name:
  9113. description: The name of the Secret resource being referred to.
  9114. maxLength: 253
  9115. minLength: 1
  9116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9117. type: string
  9118. namespace:
  9119. description: |-
  9120. The namespace of the Secret resource being referred to.
  9121. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9122. maxLength: 63
  9123. minLength: 1
  9124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9125. type: string
  9126. type: object
  9127. usernameSecret:
  9128. description: |-
  9129. A reference to a specific 'key' within a Secret resource.
  9130. In some instances, `key` is a required field.
  9131. properties:
  9132. key:
  9133. description: |-
  9134. A key in the referenced Secret.
  9135. Some instances of this field may be defaulted, in others it may be required.
  9136. maxLength: 253
  9137. minLength: 1
  9138. pattern: ^[-._a-zA-Z0-9]+$
  9139. type: string
  9140. name:
  9141. description: The name of the Secret resource being referred to.
  9142. maxLength: 253
  9143. minLength: 1
  9144. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9145. type: string
  9146. namespace:
  9147. description: |-
  9148. The namespace of the Secret resource being referred to.
  9149. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9150. maxLength: 63
  9151. minLength: 1
  9152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9153. type: string
  9154. type: object
  9155. required:
  9156. - passwordSecret
  9157. - usernameSecret
  9158. type: object
  9159. type: object
  9160. body:
  9161. description: Body
  9162. type: string
  9163. caBundle:
  9164. description: |-
  9165. PEM encoded CA bundle used to validate webhook server certificate. Only used
  9166. if the Server URL is using HTTPS protocol. This parameter is ignored for
  9167. plain HTTP protocol connection. If not set the system root certificates
  9168. are used to validate the TLS connection.
  9169. format: byte
  9170. type: string
  9171. caProvider:
  9172. description: The provider for the CA bundle to use to validate webhook server certificate.
  9173. properties:
  9174. key:
  9175. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9176. maxLength: 253
  9177. minLength: 1
  9178. pattern: ^[-._a-zA-Z0-9]+$
  9179. type: string
  9180. name:
  9181. description: The name of the object located at the provider type.
  9182. maxLength: 253
  9183. minLength: 1
  9184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9185. type: string
  9186. namespace:
  9187. description: The namespace the Provider type is in.
  9188. maxLength: 63
  9189. minLength: 1
  9190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9191. type: string
  9192. type:
  9193. description: The type of provider to use such as "Secret", or "ConfigMap".
  9194. enum:
  9195. - Secret
  9196. - ConfigMap
  9197. type: string
  9198. required:
  9199. - name
  9200. - type
  9201. type: object
  9202. headers:
  9203. additionalProperties:
  9204. type: string
  9205. description: Headers
  9206. type: object
  9207. method:
  9208. description: Webhook Method
  9209. type: string
  9210. result:
  9211. description: Result formatting
  9212. properties:
  9213. jsonPath:
  9214. description: Json path of return value
  9215. type: string
  9216. type: object
  9217. secrets:
  9218. description: |-
  9219. Secrets to fill in templates
  9220. These secrets will be passed to the templating function as key value pairs under the given name
  9221. items:
  9222. properties:
  9223. name:
  9224. description: Name of this secret in templates
  9225. type: string
  9226. secretRef:
  9227. description: Secret ref to fill in credentials
  9228. properties:
  9229. key:
  9230. description: |-
  9231. A key in the referenced Secret.
  9232. Some instances of this field may be defaulted, in others it may be required.
  9233. maxLength: 253
  9234. minLength: 1
  9235. pattern: ^[-._a-zA-Z0-9]+$
  9236. type: string
  9237. name:
  9238. description: The name of the Secret resource being referred to.
  9239. maxLength: 253
  9240. minLength: 1
  9241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9242. type: string
  9243. namespace:
  9244. description: |-
  9245. The namespace of the Secret resource being referred to.
  9246. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9247. maxLength: 63
  9248. minLength: 1
  9249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9250. type: string
  9251. type: object
  9252. required:
  9253. - name
  9254. - secretRef
  9255. type: object
  9256. type: array
  9257. timeout:
  9258. description: Timeout
  9259. type: string
  9260. url:
  9261. description: Webhook url to call
  9262. type: string
  9263. required:
  9264. - result
  9265. - url
  9266. type: object
  9267. yandexcertificatemanager:
  9268. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  9269. properties:
  9270. apiEndpoint:
  9271. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  9272. type: string
  9273. auth:
  9274. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  9275. properties:
  9276. authorizedKeySecretRef:
  9277. description: The authorized key used for authentication
  9278. properties:
  9279. key:
  9280. description: |-
  9281. A key in the referenced Secret.
  9282. Some instances of this field may be defaulted, in others it may be required.
  9283. maxLength: 253
  9284. minLength: 1
  9285. pattern: ^[-._a-zA-Z0-9]+$
  9286. type: string
  9287. name:
  9288. description: The name of the Secret resource being referred to.
  9289. maxLength: 253
  9290. minLength: 1
  9291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9292. type: string
  9293. namespace:
  9294. description: |-
  9295. The namespace of the Secret resource being referred to.
  9296. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9297. maxLength: 63
  9298. minLength: 1
  9299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9300. type: string
  9301. type: object
  9302. type: object
  9303. caProvider:
  9304. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  9305. properties:
  9306. certSecretRef:
  9307. description: |-
  9308. A reference to a specific 'key' within a Secret resource.
  9309. In some instances, `key` is a required field.
  9310. properties:
  9311. key:
  9312. description: |-
  9313. A key in the referenced Secret.
  9314. Some instances of this field may be defaulted, in others it may be required.
  9315. maxLength: 253
  9316. minLength: 1
  9317. pattern: ^[-._a-zA-Z0-9]+$
  9318. type: string
  9319. name:
  9320. description: The name of the Secret resource being referred to.
  9321. maxLength: 253
  9322. minLength: 1
  9323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9324. type: string
  9325. namespace:
  9326. description: |-
  9327. The namespace of the Secret resource being referred to.
  9328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9329. maxLength: 63
  9330. minLength: 1
  9331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9332. type: string
  9333. type: object
  9334. type: object
  9335. required:
  9336. - auth
  9337. type: object
  9338. yandexlockbox:
  9339. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  9340. properties:
  9341. apiEndpoint:
  9342. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  9343. type: string
  9344. auth:
  9345. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  9346. properties:
  9347. authorizedKeySecretRef:
  9348. description: The authorized key used for authentication
  9349. properties:
  9350. key:
  9351. description: |-
  9352. A key in the referenced Secret.
  9353. Some instances of this field may be defaulted, in others it may be required.
  9354. maxLength: 253
  9355. minLength: 1
  9356. pattern: ^[-._a-zA-Z0-9]+$
  9357. type: string
  9358. name:
  9359. description: The name of the Secret resource being referred to.
  9360. maxLength: 253
  9361. minLength: 1
  9362. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9363. type: string
  9364. namespace:
  9365. description: |-
  9366. The namespace of the Secret resource being referred to.
  9367. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9368. maxLength: 63
  9369. minLength: 1
  9370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9371. type: string
  9372. type: object
  9373. type: object
  9374. caProvider:
  9375. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  9376. properties:
  9377. certSecretRef:
  9378. description: |-
  9379. A reference to a specific 'key' within a Secret resource.
  9380. In some instances, `key` is a required field.
  9381. properties:
  9382. key:
  9383. description: |-
  9384. A key in the referenced Secret.
  9385. Some instances of this field may be defaulted, in others it may be required.
  9386. maxLength: 253
  9387. minLength: 1
  9388. pattern: ^[-._a-zA-Z0-9]+$
  9389. type: string
  9390. name:
  9391. description: The name of the Secret resource being referred to.
  9392. maxLength: 253
  9393. minLength: 1
  9394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9395. type: string
  9396. namespace:
  9397. description: |-
  9398. The namespace of the Secret resource being referred to.
  9399. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9400. maxLength: 63
  9401. minLength: 1
  9402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9403. type: string
  9404. type: object
  9405. type: object
  9406. required:
  9407. - auth
  9408. type: object
  9409. type: object
  9410. refreshInterval:
  9411. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  9412. type: integer
  9413. retrySettings:
  9414. description: Used to configure http retries if failed
  9415. properties:
  9416. maxRetries:
  9417. format: int32
  9418. type: integer
  9419. retryInterval:
  9420. type: string
  9421. type: object
  9422. required:
  9423. - provider
  9424. type: object
  9425. status:
  9426. description: SecretStoreStatus defines the observed state of the SecretStore.
  9427. properties:
  9428. capabilities:
  9429. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  9430. type: string
  9431. conditions:
  9432. items:
  9433. properties:
  9434. lastTransitionTime:
  9435. format: date-time
  9436. type: string
  9437. message:
  9438. type: string
  9439. reason:
  9440. type: string
  9441. status:
  9442. type: string
  9443. type:
  9444. type: string
  9445. required:
  9446. - status
  9447. - type
  9448. type: object
  9449. type: array
  9450. type: object
  9451. type: object
  9452. served: false
  9453. storage: false
  9454. subresources:
  9455. status: {}