bundle.yaml 318 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.8.0
  6. creationTimestamp: null
  7. name: clusterexternalsecrets.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterExternalSecret
  14. listKind: ClusterExternalSecretList
  15. plural: clusterexternalsecrets
  16. shortNames:
  17. - ces
  18. singular: clusterexternalsecret
  19. scope: Cluster
  20. versions:
  21. - name: v1beta1
  22. schema:
  23. openAPIV3Schema:
  24. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  25. properties:
  26. apiVersion:
  27. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  28. type: string
  29. kind:
  30. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  31. type: string
  32. metadata:
  33. type: object
  34. spec:
  35. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  36. properties:
  37. externalSecretName:
  38. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  39. type: string
  40. externalSecretSpec:
  41. description: The spec for the ExternalSecrets to be created
  42. properties:
  43. data:
  44. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  45. items:
  46. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  47. properties:
  48. remoteRef:
  49. description: ExternalSecretDataRemoteRef defines Provider data location.
  50. properties:
  51. conversionStrategy:
  52. default: Default
  53. description: Used to define a conversion Strategy
  54. type: string
  55. key:
  56. description: Key is the key used in the Provider, mandatory
  57. type: string
  58. property:
  59. description: Used to select a specific property of the Provider value (if a map), if supported
  60. type: string
  61. version:
  62. description: Used to select a specific version of the Provider value, if supported
  63. type: string
  64. required:
  65. - key
  66. type: object
  67. secretKey:
  68. type: string
  69. required:
  70. - remoteRef
  71. - secretKey
  72. type: object
  73. type: array
  74. dataFrom:
  75. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  76. items:
  77. maxProperties: 1
  78. minProperties: 1
  79. properties:
  80. extract:
  81. description: Used to extract multiple key/value pairs from one secret
  82. properties:
  83. conversionStrategy:
  84. default: Default
  85. description: Used to define a conversion Strategy
  86. type: string
  87. key:
  88. description: Key is the key used in the Provider, mandatory
  89. type: string
  90. property:
  91. description: Used to select a specific property of the Provider value (if a map), if supported
  92. type: string
  93. version:
  94. description: Used to select a specific version of the Provider value, if supported
  95. type: string
  96. required:
  97. - key
  98. type: object
  99. find:
  100. description: Used to find secrets based on tags or regular expressions
  101. properties:
  102. conversionStrategy:
  103. default: Default
  104. description: Used to define a conversion Strategy
  105. type: string
  106. name:
  107. description: Finds secrets based on the name.
  108. properties:
  109. regexp:
  110. description: Finds secrets base
  111. type: string
  112. type: object
  113. path:
  114. description: A root path to start the find operations.
  115. type: string
  116. tags:
  117. additionalProperties:
  118. type: string
  119. description: Find secrets based on tags.
  120. type: object
  121. type: object
  122. type: object
  123. type: array
  124. refreshInterval:
  125. default: 1h
  126. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  127. type: string
  128. secretStoreRef:
  129. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  130. properties:
  131. kind:
  132. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  133. type: string
  134. name:
  135. description: Name of the SecretStore resource
  136. type: string
  137. required:
  138. - name
  139. type: object
  140. target:
  141. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  142. properties:
  143. creationPolicy:
  144. default: Owner
  145. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  146. enum:
  147. - Owner
  148. - Orphan
  149. - Merge
  150. - None
  151. type: string
  152. deletionPolicy:
  153. default: Retain
  154. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  155. enum:
  156. - Delete
  157. - Merge
  158. - Retain
  159. type: string
  160. immutable:
  161. description: Immutable defines if the final secret will be immutable
  162. type: boolean
  163. name:
  164. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  165. type: string
  166. template:
  167. description: Template defines a blueprint for the created Secret resource.
  168. properties:
  169. data:
  170. additionalProperties:
  171. type: string
  172. type: object
  173. engineVersion:
  174. default: v2
  175. type: string
  176. metadata:
  177. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  178. properties:
  179. annotations:
  180. additionalProperties:
  181. type: string
  182. type: object
  183. labels:
  184. additionalProperties:
  185. type: string
  186. type: object
  187. type: object
  188. templateFrom:
  189. items:
  190. maxProperties: 1
  191. minProperties: 1
  192. properties:
  193. configMap:
  194. properties:
  195. items:
  196. items:
  197. properties:
  198. key:
  199. type: string
  200. required:
  201. - key
  202. type: object
  203. type: array
  204. name:
  205. type: string
  206. required:
  207. - items
  208. - name
  209. type: object
  210. secret:
  211. properties:
  212. items:
  213. items:
  214. properties:
  215. key:
  216. type: string
  217. required:
  218. - key
  219. type: object
  220. type: array
  221. name:
  222. type: string
  223. required:
  224. - items
  225. - name
  226. type: object
  227. type: object
  228. type: array
  229. type:
  230. type: string
  231. type: object
  232. type: object
  233. required:
  234. - secretStoreRef
  235. type: object
  236. namespaceSelector:
  237. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  238. properties:
  239. matchExpressions:
  240. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  241. items:
  242. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  243. properties:
  244. key:
  245. description: key is the label key that the selector applies to.
  246. type: string
  247. operator:
  248. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  249. type: string
  250. values:
  251. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  252. items:
  253. type: string
  254. type: array
  255. required:
  256. - key
  257. - operator
  258. type: object
  259. type: array
  260. matchLabels:
  261. additionalProperties:
  262. type: string
  263. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  264. type: object
  265. type: object
  266. refreshTime:
  267. description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
  268. type: string
  269. required:
  270. - externalSecretSpec
  271. - namespaceSelector
  272. type: object
  273. status:
  274. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  275. properties:
  276. conditions:
  277. items:
  278. properties:
  279. message:
  280. type: string
  281. status:
  282. type: string
  283. type:
  284. type: string
  285. required:
  286. - status
  287. - type
  288. type: object
  289. type: array
  290. failedNamespaces:
  291. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  292. items:
  293. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  294. properties:
  295. namespace:
  296. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  297. type: string
  298. reason:
  299. description: Reason is why the ExternalSecret failed to apply to the namespace
  300. type: string
  301. required:
  302. - namespace
  303. type: object
  304. type: array
  305. provisionedNamespaces:
  306. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  307. items:
  308. type: string
  309. type: array
  310. type: object
  311. type: object
  312. served: true
  313. storage: true
  314. subresources:
  315. status: {}
  316. conversion:
  317. strategy: Webhook
  318. webhook:
  319. conversionReviewVersions:
  320. - v1
  321. clientConfig:
  322. service:
  323. name: kubernetes
  324. namespace: default
  325. path: /convert
  326. status:
  327. acceptedNames:
  328. kind: ""
  329. plural: ""
  330. conditions: []
  331. storedVersions: []
  332. ---
  333. apiVersion: apiextensions.k8s.io/v1
  334. kind: CustomResourceDefinition
  335. metadata:
  336. annotations:
  337. controller-gen.kubebuilder.io/version: v0.8.0
  338. creationTimestamp: null
  339. name: clustersecretstores.external-secrets.io
  340. spec:
  341. group: external-secrets.io
  342. names:
  343. categories:
  344. - externalsecrets
  345. kind: ClusterSecretStore
  346. listKind: ClusterSecretStoreList
  347. plural: clustersecretstores
  348. shortNames:
  349. - css
  350. singular: clustersecretstore
  351. scope: Cluster
  352. versions:
  353. - additionalPrinterColumns:
  354. - jsonPath: .metadata.creationTimestamp
  355. name: AGE
  356. type: date
  357. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  358. name: Status
  359. type: string
  360. deprecated: true
  361. name: v1alpha1
  362. schema:
  363. openAPIV3Schema:
  364. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  365. properties:
  366. apiVersion:
  367. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  368. type: string
  369. kind:
  370. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  371. type: string
  372. metadata:
  373. type: object
  374. spec:
  375. description: SecretStoreSpec defines the desired state of SecretStore.
  376. properties:
  377. controller:
  378. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  379. type: string
  380. provider:
  381. description: Used to configure the provider. Only one provider may be set
  382. maxProperties: 1
  383. minProperties: 1
  384. properties:
  385. akeyless:
  386. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  387. properties:
  388. akeylessGWApiURL:
  389. description: Akeyless GW API Url from which the secrets to be fetched from.
  390. type: string
  391. authSecretRef:
  392. description: Auth configures how the operator authenticates with Akeyless.
  393. properties:
  394. secretRef:
  395. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  396. properties:
  397. accessID:
  398. description: The SecretAccessID is used for authentication
  399. properties:
  400. key:
  401. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  402. type: string
  403. name:
  404. description: The name of the Secret resource being referred to.
  405. type: string
  406. namespace:
  407. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  408. type: string
  409. type: object
  410. accessType:
  411. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  412. properties:
  413. key:
  414. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  415. type: string
  416. name:
  417. description: The name of the Secret resource being referred to.
  418. type: string
  419. namespace:
  420. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  421. type: string
  422. type: object
  423. accessTypeParam:
  424. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  425. properties:
  426. key:
  427. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  428. type: string
  429. name:
  430. description: The name of the Secret resource being referred to.
  431. type: string
  432. namespace:
  433. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  434. type: string
  435. type: object
  436. type: object
  437. required:
  438. - secretRef
  439. type: object
  440. required:
  441. - akeylessGWApiURL
  442. - authSecretRef
  443. type: object
  444. alibaba:
  445. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  446. properties:
  447. auth:
  448. description: AlibabaAuth contains a secretRef for credentials.
  449. properties:
  450. secretRef:
  451. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  452. properties:
  453. accessKeyIDSecretRef:
  454. description: The AccessKeyID is used for authentication
  455. properties:
  456. key:
  457. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  458. type: string
  459. name:
  460. description: The name of the Secret resource being referred to.
  461. type: string
  462. namespace:
  463. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  464. type: string
  465. type: object
  466. accessKeySecretSecretRef:
  467. description: The AccessKeySecret is used for authentication
  468. properties:
  469. key:
  470. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  471. type: string
  472. name:
  473. description: The name of the Secret resource being referred to.
  474. type: string
  475. namespace:
  476. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  477. type: string
  478. type: object
  479. required:
  480. - accessKeyIDSecretRef
  481. - accessKeySecretSecretRef
  482. type: object
  483. required:
  484. - secretRef
  485. type: object
  486. endpoint:
  487. type: string
  488. regionID:
  489. description: Alibaba Region to be used for the provider
  490. type: string
  491. required:
  492. - auth
  493. - regionID
  494. type: object
  495. aws:
  496. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  497. properties:
  498. auth:
  499. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  500. properties:
  501. jwt:
  502. description: Authenticate against AWS using service account tokens.
  503. properties:
  504. serviceAccountRef:
  505. description: A reference to a ServiceAccount resource.
  506. properties:
  507. name:
  508. description: The name of the ServiceAccount resource being referred to.
  509. type: string
  510. namespace:
  511. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  512. type: string
  513. required:
  514. - name
  515. type: object
  516. type: object
  517. secretRef:
  518. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  519. properties:
  520. accessKeyIDSecretRef:
  521. description: The AccessKeyID is used for authentication
  522. properties:
  523. key:
  524. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  525. type: string
  526. name:
  527. description: The name of the Secret resource being referred to.
  528. type: string
  529. namespace:
  530. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  531. type: string
  532. type: object
  533. secretAccessKeySecretRef:
  534. description: The SecretAccessKey is used for authentication
  535. properties:
  536. key:
  537. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  538. type: string
  539. name:
  540. description: The name of the Secret resource being referred to.
  541. type: string
  542. namespace:
  543. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  544. type: string
  545. type: object
  546. type: object
  547. type: object
  548. region:
  549. description: AWS Region to be used for the provider
  550. type: string
  551. role:
  552. description: Role is a Role ARN which the SecretManager provider will assume
  553. type: string
  554. service:
  555. description: Service defines which service should be used to fetch the secrets
  556. enum:
  557. - SecretsManager
  558. - ParameterStore
  559. type: string
  560. required:
  561. - region
  562. - service
  563. type: object
  564. azurekv:
  565. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  566. properties:
  567. authSecretRef:
  568. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  569. properties:
  570. clientId:
  571. description: The Azure clientId of the service principle used for authentication.
  572. properties:
  573. key:
  574. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  575. type: string
  576. name:
  577. description: The name of the Secret resource being referred to.
  578. type: string
  579. namespace:
  580. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  581. type: string
  582. type: object
  583. clientSecret:
  584. description: The Azure ClientSecret of the service principle used for authentication.
  585. properties:
  586. key:
  587. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  588. type: string
  589. name:
  590. description: The name of the Secret resource being referred to.
  591. type: string
  592. namespace:
  593. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  594. type: string
  595. type: object
  596. type: object
  597. authType:
  598. default: ServicePrincipal
  599. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  600. enum:
  601. - ServicePrincipal
  602. - ManagedIdentity
  603. - WorkloadIdentity
  604. type: string
  605. identityId:
  606. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  607. type: string
  608. serviceAccountRef:
  609. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  610. properties:
  611. name:
  612. description: The name of the ServiceAccount resource being referred to.
  613. type: string
  614. namespace:
  615. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  616. type: string
  617. required:
  618. - name
  619. type: object
  620. tenantId:
  621. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  622. type: string
  623. vaultUrl:
  624. description: Vault Url from which the secrets to be fetched from.
  625. type: string
  626. required:
  627. - vaultUrl
  628. type: object
  629. fake:
  630. description: Fake configures a store with static key/value pairs
  631. properties:
  632. data:
  633. items:
  634. properties:
  635. key:
  636. type: string
  637. value:
  638. type: string
  639. valueMap:
  640. additionalProperties:
  641. type: string
  642. type: object
  643. version:
  644. type: string
  645. required:
  646. - key
  647. type: object
  648. type: array
  649. required:
  650. - data
  651. type: object
  652. gcpsm:
  653. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  654. properties:
  655. auth:
  656. description: Auth defines the information necessary to authenticate against GCP
  657. properties:
  658. secretRef:
  659. properties:
  660. secretAccessKeySecretRef:
  661. description: The SecretAccessKey is used for authentication
  662. properties:
  663. key:
  664. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  665. type: string
  666. name:
  667. description: The name of the Secret resource being referred to.
  668. type: string
  669. namespace:
  670. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  671. type: string
  672. type: object
  673. type: object
  674. workloadIdentity:
  675. properties:
  676. clusterLocation:
  677. type: string
  678. clusterName:
  679. type: string
  680. clusterProjectID:
  681. type: string
  682. serviceAccountRef:
  683. description: A reference to a ServiceAccount resource.
  684. properties:
  685. name:
  686. description: The name of the ServiceAccount resource being referred to.
  687. type: string
  688. namespace:
  689. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  690. type: string
  691. required:
  692. - name
  693. type: object
  694. required:
  695. - clusterLocation
  696. - clusterName
  697. - serviceAccountRef
  698. type: object
  699. type: object
  700. projectID:
  701. description: ProjectID project where secret is located
  702. type: string
  703. type: object
  704. gitlab:
  705. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  706. properties:
  707. auth:
  708. description: Auth configures how secret-manager authenticates with a GitLab instance.
  709. properties:
  710. SecretRef:
  711. properties:
  712. accessToken:
  713. description: AccessToken is used for authentication.
  714. properties:
  715. key:
  716. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  717. type: string
  718. name:
  719. description: The name of the Secret resource being referred to.
  720. type: string
  721. namespace:
  722. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  723. type: string
  724. type: object
  725. type: object
  726. required:
  727. - SecretRef
  728. type: object
  729. projectID:
  730. description: ProjectID specifies a project where secrets are located.
  731. type: string
  732. url:
  733. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  734. type: string
  735. required:
  736. - auth
  737. type: object
  738. ibm:
  739. description: IBM configures this store to sync secrets using IBM Cloud provider
  740. properties:
  741. auth:
  742. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  743. properties:
  744. secretRef:
  745. properties:
  746. secretApiKeySecretRef:
  747. description: The SecretAccessKey is used for authentication
  748. properties:
  749. key:
  750. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  751. type: string
  752. name:
  753. description: The name of the Secret resource being referred to.
  754. type: string
  755. namespace:
  756. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  757. type: string
  758. type: object
  759. type: object
  760. required:
  761. - secretRef
  762. type: object
  763. serviceUrl:
  764. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  765. type: string
  766. required:
  767. - auth
  768. type: object
  769. kubernetes:
  770. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  771. properties:
  772. auth:
  773. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  774. maxProperties: 1
  775. minProperties: 1
  776. properties:
  777. cert:
  778. description: has both clientCert and clientKey as secretKeySelector
  779. properties:
  780. clientCert:
  781. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  782. properties:
  783. key:
  784. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  785. type: string
  786. name:
  787. description: The name of the Secret resource being referred to.
  788. type: string
  789. namespace:
  790. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  791. type: string
  792. type: object
  793. clientKey:
  794. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  795. properties:
  796. key:
  797. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  798. type: string
  799. name:
  800. description: The name of the Secret resource being referred to.
  801. type: string
  802. namespace:
  803. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  804. type: string
  805. type: object
  806. type: object
  807. serviceAccount:
  808. description: points to a service account that should be used for authentication
  809. properties:
  810. serviceAccount:
  811. description: A reference to a ServiceAccount resource.
  812. properties:
  813. name:
  814. description: The name of the ServiceAccount resource being referred to.
  815. type: string
  816. namespace:
  817. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  818. type: string
  819. required:
  820. - name
  821. type: object
  822. type: object
  823. token:
  824. description: use static token to authenticate with
  825. properties:
  826. bearerToken:
  827. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  828. properties:
  829. key:
  830. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  831. type: string
  832. name:
  833. description: The name of the Secret resource being referred to.
  834. type: string
  835. namespace:
  836. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  837. type: string
  838. type: object
  839. type: object
  840. type: object
  841. remoteNamespace:
  842. default: default
  843. description: Remote namespace to fetch the secrets from
  844. type: string
  845. server:
  846. description: configures the Kubernetes server Address.
  847. properties:
  848. caBundle:
  849. description: CABundle is a base64-encoded CA certificate
  850. format: byte
  851. type: string
  852. caProvider:
  853. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  854. properties:
  855. key:
  856. description: The key the value inside of the provider type to use, only used with "Secret" type
  857. type: string
  858. name:
  859. description: The name of the object located at the provider type.
  860. type: string
  861. namespace:
  862. description: The namespace the Provider type is in.
  863. type: string
  864. type:
  865. description: The type of provider to use such as "Secret", or "ConfigMap".
  866. enum:
  867. - Secret
  868. - ConfigMap
  869. type: string
  870. required:
  871. - name
  872. - type
  873. type: object
  874. url:
  875. default: kubernetes.default
  876. description: configures the Kubernetes server Address.
  877. type: string
  878. type: object
  879. required:
  880. - auth
  881. type: object
  882. oracle:
  883. description: Oracle configures this store to sync secrets using Oracle Vault provider
  884. properties:
  885. auth:
  886. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  887. properties:
  888. secretRef:
  889. description: SecretRef to pass through sensitive information.
  890. properties:
  891. fingerprint:
  892. description: Fingerprint is the fingerprint of the API private key.
  893. properties:
  894. key:
  895. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  896. type: string
  897. name:
  898. description: The name of the Secret resource being referred to.
  899. type: string
  900. namespace:
  901. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  902. type: string
  903. type: object
  904. privatekey:
  905. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  906. properties:
  907. key:
  908. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  909. type: string
  910. name:
  911. description: The name of the Secret resource being referred to.
  912. type: string
  913. namespace:
  914. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  915. type: string
  916. type: object
  917. required:
  918. - fingerprint
  919. - privatekey
  920. type: object
  921. tenancy:
  922. description: Tenancy is the tenancy OCID where user is located.
  923. type: string
  924. user:
  925. description: User is an access OCID specific to the account.
  926. type: string
  927. required:
  928. - secretRef
  929. - tenancy
  930. - user
  931. type: object
  932. region:
  933. description: Region is the region where vault is located.
  934. type: string
  935. vault:
  936. description: Vault is the vault's OCID of the specific vault where secret is located.
  937. type: string
  938. required:
  939. - region
  940. - vault
  941. type: object
  942. vault:
  943. description: Vault configures this store to sync secrets using Hashi provider
  944. properties:
  945. auth:
  946. description: Auth configures how secret-manager authenticates with the Vault server.
  947. properties:
  948. appRole:
  949. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  950. properties:
  951. path:
  952. default: approle
  953. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  954. type: string
  955. roleId:
  956. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  957. type: string
  958. secretRef:
  959. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  960. properties:
  961. key:
  962. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  963. type: string
  964. name:
  965. description: The name of the Secret resource being referred to.
  966. type: string
  967. namespace:
  968. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  969. type: string
  970. type: object
  971. required:
  972. - path
  973. - roleId
  974. - secretRef
  975. type: object
  976. cert:
  977. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  978. properties:
  979. clientCert:
  980. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  981. properties:
  982. key:
  983. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  984. type: string
  985. name:
  986. description: The name of the Secret resource being referred to.
  987. type: string
  988. namespace:
  989. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  990. type: string
  991. type: object
  992. secretRef:
  993. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  994. properties:
  995. key:
  996. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  997. type: string
  998. name:
  999. description: The name of the Secret resource being referred to.
  1000. type: string
  1001. namespace:
  1002. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1003. type: string
  1004. type: object
  1005. type: object
  1006. jwt:
  1007. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1008. properties:
  1009. kubernetesServiceAccountToken:
  1010. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  1011. properties:
  1012. audiences:
  1013. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  1014. items:
  1015. type: string
  1016. type: array
  1017. expirationSeconds:
  1018. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1019. format: int64
  1020. type: integer
  1021. serviceAccountRef:
  1022. description: Service account field containing the name of a kubernetes ServiceAccount.
  1023. properties:
  1024. name:
  1025. description: The name of the ServiceAccount resource being referred to.
  1026. type: string
  1027. namespace:
  1028. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1029. type: string
  1030. required:
  1031. - name
  1032. type: object
  1033. required:
  1034. - serviceAccountRef
  1035. type: object
  1036. path:
  1037. default: jwt
  1038. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1039. type: string
  1040. role:
  1041. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1042. type: string
  1043. secretRef:
  1044. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1045. properties:
  1046. key:
  1047. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1048. type: string
  1049. name:
  1050. description: The name of the Secret resource being referred to.
  1051. type: string
  1052. namespace:
  1053. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1054. type: string
  1055. type: object
  1056. required:
  1057. - path
  1058. type: object
  1059. kubernetes:
  1060. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1061. properties:
  1062. mountPath:
  1063. default: kubernetes
  1064. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1065. type: string
  1066. role:
  1067. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1068. type: string
  1069. secretRef:
  1070. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1071. properties:
  1072. key:
  1073. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1074. type: string
  1075. name:
  1076. description: The name of the Secret resource being referred to.
  1077. type: string
  1078. namespace:
  1079. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1080. type: string
  1081. type: object
  1082. serviceAccountRef:
  1083. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1084. properties:
  1085. name:
  1086. description: The name of the ServiceAccount resource being referred to.
  1087. type: string
  1088. namespace:
  1089. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1090. type: string
  1091. required:
  1092. - name
  1093. type: object
  1094. required:
  1095. - mountPath
  1096. - role
  1097. type: object
  1098. ldap:
  1099. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1100. properties:
  1101. path:
  1102. default: ldap
  1103. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1104. type: string
  1105. secretRef:
  1106. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1107. properties:
  1108. key:
  1109. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1110. type: string
  1111. name:
  1112. description: The name of the Secret resource being referred to.
  1113. type: string
  1114. namespace:
  1115. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1116. type: string
  1117. type: object
  1118. username:
  1119. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1120. type: string
  1121. required:
  1122. - path
  1123. - username
  1124. type: object
  1125. tokenSecretRef:
  1126. description: TokenSecretRef authenticates with Vault by presenting a token.
  1127. properties:
  1128. key:
  1129. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1130. type: string
  1131. name:
  1132. description: The name of the Secret resource being referred to.
  1133. type: string
  1134. namespace:
  1135. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1136. type: string
  1137. type: object
  1138. type: object
  1139. caBundle:
  1140. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1141. format: byte
  1142. type: string
  1143. caProvider:
  1144. description: The provider for the CA bundle to use to validate Vault server certificate.
  1145. properties:
  1146. key:
  1147. description: The key the value inside of the provider type to use, only used with "Secret" type
  1148. type: string
  1149. name:
  1150. description: The name of the object located at the provider type.
  1151. type: string
  1152. namespace:
  1153. description: The namespace the Provider type is in.
  1154. type: string
  1155. type:
  1156. description: The type of provider to use such as "Secret", or "ConfigMap".
  1157. enum:
  1158. - Secret
  1159. - ConfigMap
  1160. type: string
  1161. required:
  1162. - name
  1163. - type
  1164. type: object
  1165. forwardInconsistent:
  1166. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1167. type: boolean
  1168. namespace:
  1169. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1170. type: string
  1171. path:
  1172. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1173. type: string
  1174. readYourWrites:
  1175. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1176. type: boolean
  1177. server:
  1178. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1179. type: string
  1180. version:
  1181. default: v2
  1182. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1183. enum:
  1184. - v1
  1185. - v2
  1186. type: string
  1187. required:
  1188. - auth
  1189. - server
  1190. type: object
  1191. webhook:
  1192. description: Webhook configures this store to sync secrets using a generic templated webhook
  1193. properties:
  1194. body:
  1195. description: Body
  1196. type: string
  1197. caBundle:
  1198. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1199. format: byte
  1200. type: string
  1201. caProvider:
  1202. description: The provider for the CA bundle to use to validate webhook server certificate.
  1203. properties:
  1204. key:
  1205. description: The key the value inside of the provider type to use, only used with "Secret" type
  1206. type: string
  1207. name:
  1208. description: The name of the object located at the provider type.
  1209. type: string
  1210. namespace:
  1211. description: The namespace the Provider type is in.
  1212. type: string
  1213. type:
  1214. description: The type of provider to use such as "Secret", or "ConfigMap".
  1215. enum:
  1216. - Secret
  1217. - ConfigMap
  1218. type: string
  1219. required:
  1220. - name
  1221. - type
  1222. type: object
  1223. headers:
  1224. additionalProperties:
  1225. type: string
  1226. description: Headers
  1227. type: object
  1228. method:
  1229. description: Webhook Method
  1230. type: string
  1231. result:
  1232. description: Result formatting
  1233. properties:
  1234. jsonPath:
  1235. description: Json path of return value
  1236. type: string
  1237. type: object
  1238. secrets:
  1239. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1240. items:
  1241. properties:
  1242. name:
  1243. description: Name of this secret in templates
  1244. type: string
  1245. secretRef:
  1246. description: Secret ref to fill in credentials
  1247. properties:
  1248. key:
  1249. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1250. type: string
  1251. name:
  1252. description: The name of the Secret resource being referred to.
  1253. type: string
  1254. namespace:
  1255. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1256. type: string
  1257. type: object
  1258. required:
  1259. - name
  1260. - secretRef
  1261. type: object
  1262. type: array
  1263. timeout:
  1264. description: Timeout
  1265. type: string
  1266. url:
  1267. description: Webhook url to call
  1268. type: string
  1269. required:
  1270. - result
  1271. - url
  1272. type: object
  1273. yandexlockbox:
  1274. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1275. properties:
  1276. apiEndpoint:
  1277. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1278. type: string
  1279. auth:
  1280. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1281. properties:
  1282. authorizedKeySecretRef:
  1283. description: The authorized key used for authentication
  1284. properties:
  1285. key:
  1286. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1287. type: string
  1288. name:
  1289. description: The name of the Secret resource being referred to.
  1290. type: string
  1291. namespace:
  1292. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1293. type: string
  1294. type: object
  1295. type: object
  1296. caProvider:
  1297. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1298. properties:
  1299. certSecretRef:
  1300. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1301. properties:
  1302. key:
  1303. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1304. type: string
  1305. name:
  1306. description: The name of the Secret resource being referred to.
  1307. type: string
  1308. namespace:
  1309. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1310. type: string
  1311. type: object
  1312. type: object
  1313. required:
  1314. - auth
  1315. type: object
  1316. type: object
  1317. retrySettings:
  1318. description: Used to configure http retries if failed
  1319. properties:
  1320. maxRetries:
  1321. format: int32
  1322. type: integer
  1323. retryInterval:
  1324. type: string
  1325. type: object
  1326. required:
  1327. - provider
  1328. type: object
  1329. status:
  1330. description: SecretStoreStatus defines the observed state of the SecretStore.
  1331. properties:
  1332. conditions:
  1333. items:
  1334. properties:
  1335. lastTransitionTime:
  1336. format: date-time
  1337. type: string
  1338. message:
  1339. type: string
  1340. reason:
  1341. type: string
  1342. status:
  1343. type: string
  1344. type:
  1345. type: string
  1346. required:
  1347. - status
  1348. - type
  1349. type: object
  1350. type: array
  1351. type: object
  1352. type: object
  1353. served: true
  1354. storage: false
  1355. subresources:
  1356. status: {}
  1357. - additionalPrinterColumns:
  1358. - jsonPath: .metadata.creationTimestamp
  1359. name: AGE
  1360. type: date
  1361. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1362. name: Status
  1363. type: string
  1364. - jsonPath: .status.capabilities
  1365. name: Capabilities
  1366. type: string
  1367. name: v1beta1
  1368. schema:
  1369. openAPIV3Schema:
  1370. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1371. properties:
  1372. apiVersion:
  1373. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1374. type: string
  1375. kind:
  1376. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1377. type: string
  1378. metadata:
  1379. type: object
  1380. spec:
  1381. description: SecretStoreSpec defines the desired state of SecretStore.
  1382. properties:
  1383. controller:
  1384. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  1385. type: string
  1386. provider:
  1387. description: Used to configure the provider. Only one provider may be set
  1388. maxProperties: 1
  1389. minProperties: 1
  1390. properties:
  1391. akeyless:
  1392. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1393. properties:
  1394. akeylessGWApiURL:
  1395. description: Akeyless GW API Url from which the secrets to be fetched from.
  1396. type: string
  1397. authSecretRef:
  1398. description: Auth configures how the operator authenticates with Akeyless.
  1399. properties:
  1400. secretRef:
  1401. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  1402. properties:
  1403. accessID:
  1404. description: The SecretAccessID is used for authentication
  1405. properties:
  1406. key:
  1407. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1408. type: string
  1409. name:
  1410. description: The name of the Secret resource being referred to.
  1411. type: string
  1412. namespace:
  1413. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1414. type: string
  1415. type: object
  1416. accessType:
  1417. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1418. properties:
  1419. key:
  1420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1421. type: string
  1422. name:
  1423. description: The name of the Secret resource being referred to.
  1424. type: string
  1425. namespace:
  1426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1427. type: string
  1428. type: object
  1429. accessTypeParam:
  1430. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1431. properties:
  1432. key:
  1433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1434. type: string
  1435. name:
  1436. description: The name of the Secret resource being referred to.
  1437. type: string
  1438. namespace:
  1439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1440. type: string
  1441. type: object
  1442. type: object
  1443. required:
  1444. - secretRef
  1445. type: object
  1446. required:
  1447. - akeylessGWApiURL
  1448. - authSecretRef
  1449. type: object
  1450. alibaba:
  1451. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1452. properties:
  1453. auth:
  1454. description: AlibabaAuth contains a secretRef for credentials.
  1455. properties:
  1456. secretRef:
  1457. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1458. properties:
  1459. accessKeyIDSecretRef:
  1460. description: The AccessKeyID is used for authentication
  1461. properties:
  1462. key:
  1463. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1464. type: string
  1465. name:
  1466. description: The name of the Secret resource being referred to.
  1467. type: string
  1468. namespace:
  1469. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1470. type: string
  1471. type: object
  1472. accessKeySecretSecretRef:
  1473. description: The AccessKeySecret is used for authentication
  1474. properties:
  1475. key:
  1476. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1477. type: string
  1478. name:
  1479. description: The name of the Secret resource being referred to.
  1480. type: string
  1481. namespace:
  1482. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1483. type: string
  1484. type: object
  1485. required:
  1486. - accessKeyIDSecretRef
  1487. - accessKeySecretSecretRef
  1488. type: object
  1489. required:
  1490. - secretRef
  1491. type: object
  1492. endpoint:
  1493. type: string
  1494. regionID:
  1495. description: Alibaba Region to be used for the provider
  1496. type: string
  1497. required:
  1498. - auth
  1499. - regionID
  1500. type: object
  1501. aws:
  1502. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1503. properties:
  1504. auth:
  1505. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1506. properties:
  1507. jwt:
  1508. description: Authenticate against AWS using service account tokens.
  1509. properties:
  1510. serviceAccountRef:
  1511. description: A reference to a ServiceAccount resource.
  1512. properties:
  1513. name:
  1514. description: The name of the ServiceAccount resource being referred to.
  1515. type: string
  1516. namespace:
  1517. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1518. type: string
  1519. required:
  1520. - name
  1521. type: object
  1522. type: object
  1523. secretRef:
  1524. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1525. properties:
  1526. accessKeyIDSecretRef:
  1527. description: The AccessKeyID is used for authentication
  1528. properties:
  1529. key:
  1530. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1531. type: string
  1532. name:
  1533. description: The name of the Secret resource being referred to.
  1534. type: string
  1535. namespace:
  1536. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1537. type: string
  1538. type: object
  1539. secretAccessKeySecretRef:
  1540. description: The SecretAccessKey is used for authentication
  1541. properties:
  1542. key:
  1543. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1544. type: string
  1545. name:
  1546. description: The name of the Secret resource being referred to.
  1547. type: string
  1548. namespace:
  1549. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1550. type: string
  1551. type: object
  1552. type: object
  1553. type: object
  1554. region:
  1555. description: AWS Region to be used for the provider
  1556. type: string
  1557. role:
  1558. description: Role is a Role ARN which the SecretManager provider will assume
  1559. type: string
  1560. service:
  1561. description: Service defines which service should be used to fetch the secrets
  1562. enum:
  1563. - SecretsManager
  1564. - ParameterStore
  1565. type: string
  1566. required:
  1567. - region
  1568. - service
  1569. type: object
  1570. azurekv:
  1571. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1572. properties:
  1573. authSecretRef:
  1574. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1575. properties:
  1576. clientId:
  1577. description: The Azure clientId of the service principle used for authentication.
  1578. properties:
  1579. key:
  1580. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1581. type: string
  1582. name:
  1583. description: The name of the Secret resource being referred to.
  1584. type: string
  1585. namespace:
  1586. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1587. type: string
  1588. type: object
  1589. clientSecret:
  1590. description: The Azure ClientSecret of the service principle used for authentication.
  1591. properties:
  1592. key:
  1593. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1594. type: string
  1595. name:
  1596. description: The name of the Secret resource being referred to.
  1597. type: string
  1598. namespace:
  1599. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1600. type: string
  1601. type: object
  1602. type: object
  1603. authType:
  1604. default: ServicePrincipal
  1605. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  1606. enum:
  1607. - ServicePrincipal
  1608. - ManagedIdentity
  1609. - WorkloadIdentity
  1610. type: string
  1611. identityId:
  1612. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1613. type: string
  1614. serviceAccountRef:
  1615. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1616. properties:
  1617. name:
  1618. description: The name of the ServiceAccount resource being referred to.
  1619. type: string
  1620. namespace:
  1621. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1622. type: string
  1623. required:
  1624. - name
  1625. type: object
  1626. tenantId:
  1627. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1628. type: string
  1629. vaultUrl:
  1630. description: Vault Url from which the secrets to be fetched from.
  1631. type: string
  1632. required:
  1633. - vaultUrl
  1634. type: object
  1635. fake:
  1636. description: Fake configures a store with static key/value pairs
  1637. properties:
  1638. data:
  1639. items:
  1640. properties:
  1641. key:
  1642. type: string
  1643. value:
  1644. type: string
  1645. valueMap:
  1646. additionalProperties:
  1647. type: string
  1648. type: object
  1649. version:
  1650. type: string
  1651. required:
  1652. - key
  1653. type: object
  1654. type: array
  1655. required:
  1656. - data
  1657. type: object
  1658. gcpsm:
  1659. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1660. properties:
  1661. auth:
  1662. description: Auth defines the information necessary to authenticate against GCP
  1663. properties:
  1664. secretRef:
  1665. properties:
  1666. secretAccessKeySecretRef:
  1667. description: The SecretAccessKey is used for authentication
  1668. properties:
  1669. key:
  1670. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1671. type: string
  1672. name:
  1673. description: The name of the Secret resource being referred to.
  1674. type: string
  1675. namespace:
  1676. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1677. type: string
  1678. type: object
  1679. type: object
  1680. workloadIdentity:
  1681. properties:
  1682. clusterLocation:
  1683. type: string
  1684. clusterName:
  1685. type: string
  1686. clusterProjectID:
  1687. type: string
  1688. serviceAccountRef:
  1689. description: A reference to a ServiceAccount resource.
  1690. properties:
  1691. name:
  1692. description: The name of the ServiceAccount resource being referred to.
  1693. type: string
  1694. namespace:
  1695. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1696. type: string
  1697. required:
  1698. - name
  1699. type: object
  1700. required:
  1701. - clusterLocation
  1702. - clusterName
  1703. - serviceAccountRef
  1704. type: object
  1705. type: object
  1706. projectID:
  1707. description: ProjectID project where secret is located
  1708. type: string
  1709. type: object
  1710. gitlab:
  1711. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  1712. properties:
  1713. auth:
  1714. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1715. properties:
  1716. SecretRef:
  1717. properties:
  1718. accessToken:
  1719. description: AccessToken is used for authentication.
  1720. properties:
  1721. key:
  1722. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1723. type: string
  1724. name:
  1725. description: The name of the Secret resource being referred to.
  1726. type: string
  1727. namespace:
  1728. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1729. type: string
  1730. type: object
  1731. type: object
  1732. required:
  1733. - SecretRef
  1734. type: object
  1735. projectID:
  1736. description: ProjectID specifies a project where secrets are located.
  1737. type: string
  1738. url:
  1739. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1740. type: string
  1741. required:
  1742. - auth
  1743. type: object
  1744. ibm:
  1745. description: IBM configures this store to sync secrets using IBM Cloud provider
  1746. properties:
  1747. auth:
  1748. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1749. properties:
  1750. secretRef:
  1751. properties:
  1752. secretApiKeySecretRef:
  1753. description: The SecretAccessKey is used for authentication
  1754. properties:
  1755. key:
  1756. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1757. type: string
  1758. name:
  1759. description: The name of the Secret resource being referred to.
  1760. type: string
  1761. namespace:
  1762. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1763. type: string
  1764. type: object
  1765. type: object
  1766. required:
  1767. - secretRef
  1768. type: object
  1769. serviceUrl:
  1770. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1771. type: string
  1772. required:
  1773. - auth
  1774. type: object
  1775. kubernetes:
  1776. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1777. properties:
  1778. auth:
  1779. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1780. maxProperties: 1
  1781. minProperties: 1
  1782. properties:
  1783. cert:
  1784. description: has both clientCert and clientKey as secretKeySelector
  1785. properties:
  1786. clientCert:
  1787. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1788. properties:
  1789. key:
  1790. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1791. type: string
  1792. name:
  1793. description: The name of the Secret resource being referred to.
  1794. type: string
  1795. namespace:
  1796. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1797. type: string
  1798. type: object
  1799. clientKey:
  1800. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1801. properties:
  1802. key:
  1803. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1804. type: string
  1805. name:
  1806. description: The name of the Secret resource being referred to.
  1807. type: string
  1808. namespace:
  1809. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1810. type: string
  1811. type: object
  1812. type: object
  1813. serviceAccount:
  1814. description: points to a service account that should be used for authentication
  1815. properties:
  1816. serviceAccount:
  1817. description: A reference to a ServiceAccount resource.
  1818. properties:
  1819. name:
  1820. description: The name of the ServiceAccount resource being referred to.
  1821. type: string
  1822. namespace:
  1823. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1824. type: string
  1825. required:
  1826. - name
  1827. type: object
  1828. type: object
  1829. token:
  1830. description: use static token to authenticate with
  1831. properties:
  1832. bearerToken:
  1833. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1834. properties:
  1835. key:
  1836. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1837. type: string
  1838. name:
  1839. description: The name of the Secret resource being referred to.
  1840. type: string
  1841. namespace:
  1842. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1843. type: string
  1844. type: object
  1845. type: object
  1846. type: object
  1847. remoteNamespace:
  1848. default: default
  1849. description: Remote namespace to fetch the secrets from
  1850. type: string
  1851. server:
  1852. description: configures the Kubernetes server Address.
  1853. properties:
  1854. caBundle:
  1855. description: CABundle is a base64-encoded CA certificate
  1856. format: byte
  1857. type: string
  1858. caProvider:
  1859. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1860. properties:
  1861. key:
  1862. description: The key the value inside of the provider type to use, only used with "Secret" type
  1863. type: string
  1864. name:
  1865. description: The name of the object located at the provider type.
  1866. type: string
  1867. namespace:
  1868. description: The namespace the Provider type is in.
  1869. type: string
  1870. type:
  1871. description: The type of provider to use such as "Secret", or "ConfigMap".
  1872. enum:
  1873. - Secret
  1874. - ConfigMap
  1875. type: string
  1876. required:
  1877. - name
  1878. - type
  1879. type: object
  1880. url:
  1881. default: kubernetes.default
  1882. description: configures the Kubernetes server Address.
  1883. type: string
  1884. type: object
  1885. required:
  1886. - auth
  1887. type: object
  1888. onepassword:
  1889. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  1890. properties:
  1891. auth:
  1892. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  1893. properties:
  1894. secretRef:
  1895. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  1896. properties:
  1897. connectTokenSecretRef:
  1898. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  1899. properties:
  1900. key:
  1901. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1902. type: string
  1903. name:
  1904. description: The name of the Secret resource being referred to.
  1905. type: string
  1906. namespace:
  1907. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1908. type: string
  1909. type: object
  1910. required:
  1911. - connectTokenSecretRef
  1912. type: object
  1913. required:
  1914. - secretRef
  1915. type: object
  1916. connectHost:
  1917. description: ConnectHost defines the OnePassword Connect Server to connect to
  1918. type: string
  1919. vaults:
  1920. additionalProperties:
  1921. type: integer
  1922. description: Vaults defines which OnePassword vaults to search in which order
  1923. type: object
  1924. required:
  1925. - auth
  1926. - connectHost
  1927. - vaults
  1928. type: object
  1929. oracle:
  1930. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1931. properties:
  1932. auth:
  1933. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  1934. properties:
  1935. secretRef:
  1936. description: SecretRef to pass through sensitive information.
  1937. properties:
  1938. fingerprint:
  1939. description: Fingerprint is the fingerprint of the API private key.
  1940. properties:
  1941. key:
  1942. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1943. type: string
  1944. name:
  1945. description: The name of the Secret resource being referred to.
  1946. type: string
  1947. namespace:
  1948. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1949. type: string
  1950. type: object
  1951. privatekey:
  1952. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1953. properties:
  1954. key:
  1955. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1956. type: string
  1957. name:
  1958. description: The name of the Secret resource being referred to.
  1959. type: string
  1960. namespace:
  1961. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1962. type: string
  1963. type: object
  1964. required:
  1965. - fingerprint
  1966. - privatekey
  1967. type: object
  1968. tenancy:
  1969. description: Tenancy is the tenancy OCID where user is located.
  1970. type: string
  1971. user:
  1972. description: User is an access OCID specific to the account.
  1973. type: string
  1974. required:
  1975. - secretRef
  1976. - tenancy
  1977. - user
  1978. type: object
  1979. region:
  1980. description: Region is the region where vault is located.
  1981. type: string
  1982. vault:
  1983. description: Vault is the vault's OCID of the specific vault where secret is located.
  1984. type: string
  1985. required:
  1986. - region
  1987. - vault
  1988. type: object
  1989. senhasegura:
  1990. description: Senhasegura configures this store to sync secrets using senhasegura provider
  1991. properties:
  1992. auth:
  1993. description: Auth defines parameters to authenticate in senhasegura
  1994. properties:
  1995. clientId:
  1996. type: string
  1997. clientSecretSecretRef:
  1998. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1999. properties:
  2000. key:
  2001. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2002. type: string
  2003. name:
  2004. description: The name of the Secret resource being referred to.
  2005. type: string
  2006. namespace:
  2007. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2008. type: string
  2009. type: object
  2010. required:
  2011. - clientId
  2012. - clientSecretSecretRef
  2013. type: object
  2014. ignoreSslCertificate:
  2015. default: false
  2016. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  2017. type: boolean
  2018. module:
  2019. description: Module defines which senhasegura module should be used to get secrets
  2020. type: string
  2021. url:
  2022. description: URL of senhasegura
  2023. type: string
  2024. required:
  2025. - auth
  2026. - module
  2027. - url
  2028. type: object
  2029. vault:
  2030. description: Vault configures this store to sync secrets using Hashi provider
  2031. properties:
  2032. auth:
  2033. description: Auth configures how secret-manager authenticates with the Vault server.
  2034. properties:
  2035. appRole:
  2036. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2037. properties:
  2038. path:
  2039. default: approle
  2040. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2041. type: string
  2042. roleId:
  2043. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2044. type: string
  2045. secretRef:
  2046. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2047. properties:
  2048. key:
  2049. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2050. type: string
  2051. name:
  2052. description: The name of the Secret resource being referred to.
  2053. type: string
  2054. namespace:
  2055. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2056. type: string
  2057. type: object
  2058. required:
  2059. - path
  2060. - roleId
  2061. - secretRef
  2062. type: object
  2063. cert:
  2064. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2065. properties:
  2066. clientCert:
  2067. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2068. properties:
  2069. key:
  2070. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2071. type: string
  2072. name:
  2073. description: The name of the Secret resource being referred to.
  2074. type: string
  2075. namespace:
  2076. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2077. type: string
  2078. type: object
  2079. secretRef:
  2080. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2081. properties:
  2082. key:
  2083. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2084. type: string
  2085. name:
  2086. description: The name of the Secret resource being referred to.
  2087. type: string
  2088. namespace:
  2089. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2090. type: string
  2091. type: object
  2092. type: object
  2093. jwt:
  2094. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2095. properties:
  2096. kubernetesServiceAccountToken:
  2097. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2098. properties:
  2099. audiences:
  2100. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  2101. items:
  2102. type: string
  2103. type: array
  2104. expirationSeconds:
  2105. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  2106. format: int64
  2107. type: integer
  2108. serviceAccountRef:
  2109. description: Service account field containing the name of a kubernetes ServiceAccount.
  2110. properties:
  2111. name:
  2112. description: The name of the ServiceAccount resource being referred to.
  2113. type: string
  2114. namespace:
  2115. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2116. type: string
  2117. required:
  2118. - name
  2119. type: object
  2120. required:
  2121. - serviceAccountRef
  2122. type: object
  2123. path:
  2124. default: jwt
  2125. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2126. type: string
  2127. role:
  2128. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2129. type: string
  2130. secretRef:
  2131. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  2132. properties:
  2133. key:
  2134. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2135. type: string
  2136. name:
  2137. description: The name of the Secret resource being referred to.
  2138. type: string
  2139. namespace:
  2140. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2141. type: string
  2142. type: object
  2143. required:
  2144. - path
  2145. type: object
  2146. kubernetes:
  2147. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2148. properties:
  2149. mountPath:
  2150. default: kubernetes
  2151. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2152. type: string
  2153. role:
  2154. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2155. type: string
  2156. secretRef:
  2157. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2158. properties:
  2159. key:
  2160. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2161. type: string
  2162. name:
  2163. description: The name of the Secret resource being referred to.
  2164. type: string
  2165. namespace:
  2166. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2167. type: string
  2168. type: object
  2169. serviceAccountRef:
  2170. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2171. properties:
  2172. name:
  2173. description: The name of the ServiceAccount resource being referred to.
  2174. type: string
  2175. namespace:
  2176. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2177. type: string
  2178. required:
  2179. - name
  2180. type: object
  2181. required:
  2182. - mountPath
  2183. - role
  2184. type: object
  2185. ldap:
  2186. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2187. properties:
  2188. path:
  2189. default: ldap
  2190. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2191. type: string
  2192. secretRef:
  2193. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2194. properties:
  2195. key:
  2196. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2197. type: string
  2198. name:
  2199. description: The name of the Secret resource being referred to.
  2200. type: string
  2201. namespace:
  2202. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2203. type: string
  2204. type: object
  2205. username:
  2206. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2207. type: string
  2208. required:
  2209. - path
  2210. - username
  2211. type: object
  2212. tokenSecretRef:
  2213. description: TokenSecretRef authenticates with Vault by presenting a token.
  2214. properties:
  2215. key:
  2216. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2217. type: string
  2218. name:
  2219. description: The name of the Secret resource being referred to.
  2220. type: string
  2221. namespace:
  2222. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2223. type: string
  2224. type: object
  2225. type: object
  2226. caBundle:
  2227. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2228. format: byte
  2229. type: string
  2230. caProvider:
  2231. description: The provider for the CA bundle to use to validate Vault server certificate.
  2232. properties:
  2233. key:
  2234. description: The key the value inside of the provider type to use, only used with "Secret" type
  2235. type: string
  2236. name:
  2237. description: The name of the object located at the provider type.
  2238. type: string
  2239. namespace:
  2240. description: The namespace the Provider type is in.
  2241. type: string
  2242. type:
  2243. description: The type of provider to use such as "Secret", or "ConfigMap".
  2244. enum:
  2245. - Secret
  2246. - ConfigMap
  2247. type: string
  2248. required:
  2249. - name
  2250. - type
  2251. type: object
  2252. forwardInconsistent:
  2253. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2254. type: boolean
  2255. namespace:
  2256. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2257. type: string
  2258. path:
  2259. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2260. type: string
  2261. readYourWrites:
  2262. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2263. type: boolean
  2264. server:
  2265. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2266. type: string
  2267. version:
  2268. default: v2
  2269. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2270. enum:
  2271. - v1
  2272. - v2
  2273. type: string
  2274. required:
  2275. - auth
  2276. - server
  2277. type: object
  2278. webhook:
  2279. description: Webhook configures this store to sync secrets using a generic templated webhook
  2280. properties:
  2281. body:
  2282. description: Body
  2283. type: string
  2284. caBundle:
  2285. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2286. format: byte
  2287. type: string
  2288. caProvider:
  2289. description: The provider for the CA bundle to use to validate webhook server certificate.
  2290. properties:
  2291. key:
  2292. description: The key the value inside of the provider type to use, only used with "Secret" type
  2293. type: string
  2294. name:
  2295. description: The name of the object located at the provider type.
  2296. type: string
  2297. namespace:
  2298. description: The namespace the Provider type is in.
  2299. type: string
  2300. type:
  2301. description: The type of provider to use such as "Secret", or "ConfigMap".
  2302. enum:
  2303. - Secret
  2304. - ConfigMap
  2305. type: string
  2306. required:
  2307. - name
  2308. - type
  2309. type: object
  2310. headers:
  2311. additionalProperties:
  2312. type: string
  2313. description: Headers
  2314. type: object
  2315. method:
  2316. description: Webhook Method
  2317. type: string
  2318. result:
  2319. description: Result formatting
  2320. properties:
  2321. jsonPath:
  2322. description: Json path of return value
  2323. type: string
  2324. type: object
  2325. secrets:
  2326. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  2327. items:
  2328. properties:
  2329. name:
  2330. description: Name of this secret in templates
  2331. type: string
  2332. secretRef:
  2333. description: Secret ref to fill in credentials
  2334. properties:
  2335. key:
  2336. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2337. type: string
  2338. name:
  2339. description: The name of the Secret resource being referred to.
  2340. type: string
  2341. namespace:
  2342. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2343. type: string
  2344. type: object
  2345. required:
  2346. - name
  2347. - secretRef
  2348. type: object
  2349. type: array
  2350. timeout:
  2351. description: Timeout
  2352. type: string
  2353. url:
  2354. description: Webhook url to call
  2355. type: string
  2356. required:
  2357. - result
  2358. - url
  2359. type: object
  2360. yandexcertificatemanager:
  2361. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  2362. properties:
  2363. apiEndpoint:
  2364. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2365. type: string
  2366. auth:
  2367. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  2368. properties:
  2369. authorizedKeySecretRef:
  2370. description: The authorized key used for authentication
  2371. properties:
  2372. key:
  2373. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2374. type: string
  2375. name:
  2376. description: The name of the Secret resource being referred to.
  2377. type: string
  2378. namespace:
  2379. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2380. type: string
  2381. type: object
  2382. type: object
  2383. caProvider:
  2384. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2385. properties:
  2386. certSecretRef:
  2387. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2388. properties:
  2389. key:
  2390. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2391. type: string
  2392. name:
  2393. description: The name of the Secret resource being referred to.
  2394. type: string
  2395. namespace:
  2396. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2397. type: string
  2398. type: object
  2399. type: object
  2400. required:
  2401. - auth
  2402. type: object
  2403. yandexlockbox:
  2404. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2405. properties:
  2406. apiEndpoint:
  2407. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2408. type: string
  2409. auth:
  2410. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2411. properties:
  2412. authorizedKeySecretRef:
  2413. description: The authorized key used for authentication
  2414. properties:
  2415. key:
  2416. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2417. type: string
  2418. name:
  2419. description: The name of the Secret resource being referred to.
  2420. type: string
  2421. namespace:
  2422. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2423. type: string
  2424. type: object
  2425. type: object
  2426. caProvider:
  2427. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2428. properties:
  2429. certSecretRef:
  2430. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2431. properties:
  2432. key:
  2433. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2434. type: string
  2435. name:
  2436. description: The name of the Secret resource being referred to.
  2437. type: string
  2438. namespace:
  2439. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2440. type: string
  2441. type: object
  2442. type: object
  2443. required:
  2444. - auth
  2445. type: object
  2446. type: object
  2447. refreshInterval:
  2448. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  2449. type: integer
  2450. retrySettings:
  2451. description: Used to configure http retries if failed
  2452. properties:
  2453. maxRetries:
  2454. format: int32
  2455. type: integer
  2456. retryInterval:
  2457. type: string
  2458. type: object
  2459. required:
  2460. - provider
  2461. type: object
  2462. status:
  2463. description: SecretStoreStatus defines the observed state of the SecretStore.
  2464. properties:
  2465. capabilities:
  2466. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  2467. type: string
  2468. conditions:
  2469. items:
  2470. properties:
  2471. lastTransitionTime:
  2472. format: date-time
  2473. type: string
  2474. message:
  2475. type: string
  2476. reason:
  2477. type: string
  2478. status:
  2479. type: string
  2480. type:
  2481. type: string
  2482. required:
  2483. - status
  2484. - type
  2485. type: object
  2486. type: array
  2487. type: object
  2488. type: object
  2489. served: true
  2490. storage: true
  2491. subresources:
  2492. status: {}
  2493. conversion:
  2494. strategy: Webhook
  2495. webhook:
  2496. conversionReviewVersions:
  2497. - v1
  2498. clientConfig:
  2499. service:
  2500. name: kubernetes
  2501. namespace: default
  2502. path: /convert
  2503. status:
  2504. acceptedNames:
  2505. kind: ""
  2506. plural: ""
  2507. conditions: []
  2508. storedVersions: []
  2509. ---
  2510. apiVersion: apiextensions.k8s.io/v1
  2511. kind: CustomResourceDefinition
  2512. metadata:
  2513. annotations:
  2514. controller-gen.kubebuilder.io/version: v0.8.0
  2515. creationTimestamp: null
  2516. name: externalsecrets.external-secrets.io
  2517. spec:
  2518. group: external-secrets.io
  2519. names:
  2520. categories:
  2521. - externalsecrets
  2522. kind: ExternalSecret
  2523. listKind: ExternalSecretList
  2524. plural: externalsecrets
  2525. shortNames:
  2526. - es
  2527. singular: externalsecret
  2528. scope: Namespaced
  2529. versions:
  2530. - additionalPrinterColumns:
  2531. - jsonPath: .spec.secretStoreRef.name
  2532. name: Store
  2533. type: string
  2534. - jsonPath: .spec.refreshInterval
  2535. name: Refresh Interval
  2536. type: string
  2537. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2538. name: Status
  2539. type: string
  2540. deprecated: true
  2541. name: v1alpha1
  2542. schema:
  2543. openAPIV3Schema:
  2544. description: ExternalSecret is the Schema for the external-secrets API.
  2545. properties:
  2546. apiVersion:
  2547. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2548. type: string
  2549. kind:
  2550. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2551. type: string
  2552. metadata:
  2553. type: object
  2554. spec:
  2555. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2556. properties:
  2557. data:
  2558. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2559. items:
  2560. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2561. properties:
  2562. remoteRef:
  2563. description: ExternalSecretDataRemoteRef defines Provider data location.
  2564. properties:
  2565. conversionStrategy:
  2566. default: Default
  2567. description: Used to define a conversion Strategy
  2568. type: string
  2569. key:
  2570. description: Key is the key used in the Provider, mandatory
  2571. type: string
  2572. property:
  2573. description: Used to select a specific property of the Provider value (if a map), if supported
  2574. type: string
  2575. version:
  2576. description: Used to select a specific version of the Provider value, if supported
  2577. type: string
  2578. required:
  2579. - key
  2580. type: object
  2581. secretKey:
  2582. type: string
  2583. required:
  2584. - remoteRef
  2585. - secretKey
  2586. type: object
  2587. type: array
  2588. dataFrom:
  2589. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2590. items:
  2591. description: ExternalSecretDataRemoteRef defines Provider data location.
  2592. properties:
  2593. conversionStrategy:
  2594. default: Default
  2595. description: Used to define a conversion Strategy
  2596. type: string
  2597. key:
  2598. description: Key is the key used in the Provider, mandatory
  2599. type: string
  2600. property:
  2601. description: Used to select a specific property of the Provider value (if a map), if supported
  2602. type: string
  2603. version:
  2604. description: Used to select a specific version of the Provider value, if supported
  2605. type: string
  2606. required:
  2607. - key
  2608. type: object
  2609. type: array
  2610. refreshInterval:
  2611. default: 1h
  2612. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2613. type: string
  2614. secretStoreRef:
  2615. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2616. properties:
  2617. kind:
  2618. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2619. type: string
  2620. name:
  2621. description: Name of the SecretStore resource
  2622. type: string
  2623. required:
  2624. - name
  2625. type: object
  2626. target:
  2627. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2628. properties:
  2629. creationPolicy:
  2630. default: Owner
  2631. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2632. type: string
  2633. immutable:
  2634. description: Immutable defines if the final secret will be immutable
  2635. type: boolean
  2636. name:
  2637. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2638. type: string
  2639. template:
  2640. description: Template defines a blueprint for the created Secret resource.
  2641. properties:
  2642. data:
  2643. additionalProperties:
  2644. type: string
  2645. type: object
  2646. engineVersion:
  2647. default: v1
  2648. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  2649. type: string
  2650. metadata:
  2651. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2652. properties:
  2653. annotations:
  2654. additionalProperties:
  2655. type: string
  2656. type: object
  2657. labels:
  2658. additionalProperties:
  2659. type: string
  2660. type: object
  2661. type: object
  2662. templateFrom:
  2663. items:
  2664. maxProperties: 1
  2665. minProperties: 1
  2666. properties:
  2667. configMap:
  2668. properties:
  2669. items:
  2670. items:
  2671. properties:
  2672. key:
  2673. type: string
  2674. required:
  2675. - key
  2676. type: object
  2677. type: array
  2678. name:
  2679. type: string
  2680. required:
  2681. - items
  2682. - name
  2683. type: object
  2684. secret:
  2685. properties:
  2686. items:
  2687. items:
  2688. properties:
  2689. key:
  2690. type: string
  2691. required:
  2692. - key
  2693. type: object
  2694. type: array
  2695. name:
  2696. type: string
  2697. required:
  2698. - items
  2699. - name
  2700. type: object
  2701. type: object
  2702. type: array
  2703. type:
  2704. type: string
  2705. type: object
  2706. type: object
  2707. required:
  2708. - secretStoreRef
  2709. - target
  2710. type: object
  2711. status:
  2712. properties:
  2713. conditions:
  2714. items:
  2715. properties:
  2716. lastTransitionTime:
  2717. format: date-time
  2718. type: string
  2719. message:
  2720. type: string
  2721. reason:
  2722. type: string
  2723. status:
  2724. type: string
  2725. type:
  2726. type: string
  2727. required:
  2728. - status
  2729. - type
  2730. type: object
  2731. type: array
  2732. refreshTime:
  2733. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2734. format: date-time
  2735. nullable: true
  2736. type: string
  2737. syncedResourceVersion:
  2738. description: SyncedResourceVersion keeps track of the last synced version
  2739. type: string
  2740. type: object
  2741. type: object
  2742. served: true
  2743. storage: false
  2744. subresources:
  2745. status: {}
  2746. - additionalPrinterColumns:
  2747. - jsonPath: .spec.secretStoreRef.name
  2748. name: Store
  2749. type: string
  2750. - jsonPath: .spec.refreshInterval
  2751. name: Refresh Interval
  2752. type: string
  2753. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2754. name: Status
  2755. type: string
  2756. name: v1beta1
  2757. schema:
  2758. openAPIV3Schema:
  2759. description: ExternalSecret is the Schema for the external-secrets API.
  2760. properties:
  2761. apiVersion:
  2762. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2763. type: string
  2764. kind:
  2765. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2766. type: string
  2767. metadata:
  2768. type: object
  2769. spec:
  2770. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2771. properties:
  2772. data:
  2773. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2774. items:
  2775. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2776. properties:
  2777. remoteRef:
  2778. description: ExternalSecretDataRemoteRef defines Provider data location.
  2779. properties:
  2780. conversionStrategy:
  2781. default: Default
  2782. description: Used to define a conversion Strategy
  2783. type: string
  2784. key:
  2785. description: Key is the key used in the Provider, mandatory
  2786. type: string
  2787. property:
  2788. description: Used to select a specific property of the Provider value (if a map), if supported
  2789. type: string
  2790. version:
  2791. description: Used to select a specific version of the Provider value, if supported
  2792. type: string
  2793. required:
  2794. - key
  2795. type: object
  2796. secretKey:
  2797. type: string
  2798. required:
  2799. - remoteRef
  2800. - secretKey
  2801. type: object
  2802. type: array
  2803. dataFrom:
  2804. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2805. items:
  2806. maxProperties: 1
  2807. minProperties: 1
  2808. properties:
  2809. extract:
  2810. description: Used to extract multiple key/value pairs from one secret
  2811. properties:
  2812. conversionStrategy:
  2813. default: Default
  2814. description: Used to define a conversion Strategy
  2815. type: string
  2816. key:
  2817. description: Key is the key used in the Provider, mandatory
  2818. type: string
  2819. property:
  2820. description: Used to select a specific property of the Provider value (if a map), if supported
  2821. type: string
  2822. version:
  2823. description: Used to select a specific version of the Provider value, if supported
  2824. type: string
  2825. required:
  2826. - key
  2827. type: object
  2828. find:
  2829. description: Used to find secrets based on tags or regular expressions
  2830. properties:
  2831. conversionStrategy:
  2832. default: Default
  2833. description: Used to define a conversion Strategy
  2834. type: string
  2835. name:
  2836. description: Finds secrets based on the name.
  2837. properties:
  2838. regexp:
  2839. description: Finds secrets base
  2840. type: string
  2841. type: object
  2842. path:
  2843. description: A root path to start the find operations.
  2844. type: string
  2845. tags:
  2846. additionalProperties:
  2847. type: string
  2848. description: Find secrets based on tags.
  2849. type: object
  2850. type: object
  2851. type: object
  2852. type: array
  2853. refreshInterval:
  2854. default: 1h
  2855. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2856. type: string
  2857. secretStoreRef:
  2858. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2859. properties:
  2860. kind:
  2861. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2862. type: string
  2863. name:
  2864. description: Name of the SecretStore resource
  2865. type: string
  2866. required:
  2867. - name
  2868. type: object
  2869. target:
  2870. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2871. properties:
  2872. creationPolicy:
  2873. default: Owner
  2874. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2875. enum:
  2876. - Owner
  2877. - Orphan
  2878. - Merge
  2879. - None
  2880. type: string
  2881. deletionPolicy:
  2882. default: Retain
  2883. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  2884. enum:
  2885. - Delete
  2886. - Merge
  2887. - Retain
  2888. type: string
  2889. immutable:
  2890. description: Immutable defines if the final secret will be immutable
  2891. type: boolean
  2892. name:
  2893. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2894. type: string
  2895. template:
  2896. description: Template defines a blueprint for the created Secret resource.
  2897. properties:
  2898. data:
  2899. additionalProperties:
  2900. type: string
  2901. type: object
  2902. engineVersion:
  2903. default: v2
  2904. type: string
  2905. metadata:
  2906. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2907. properties:
  2908. annotations:
  2909. additionalProperties:
  2910. type: string
  2911. type: object
  2912. labels:
  2913. additionalProperties:
  2914. type: string
  2915. type: object
  2916. type: object
  2917. templateFrom:
  2918. items:
  2919. maxProperties: 1
  2920. minProperties: 1
  2921. properties:
  2922. configMap:
  2923. properties:
  2924. items:
  2925. items:
  2926. properties:
  2927. key:
  2928. type: string
  2929. required:
  2930. - key
  2931. type: object
  2932. type: array
  2933. name:
  2934. type: string
  2935. required:
  2936. - items
  2937. - name
  2938. type: object
  2939. secret:
  2940. properties:
  2941. items:
  2942. items:
  2943. properties:
  2944. key:
  2945. type: string
  2946. required:
  2947. - key
  2948. type: object
  2949. type: array
  2950. name:
  2951. type: string
  2952. required:
  2953. - items
  2954. - name
  2955. type: object
  2956. type: object
  2957. type: array
  2958. type:
  2959. type: string
  2960. type: object
  2961. type: object
  2962. required:
  2963. - secretStoreRef
  2964. type: object
  2965. status:
  2966. properties:
  2967. conditions:
  2968. items:
  2969. properties:
  2970. lastTransitionTime:
  2971. format: date-time
  2972. type: string
  2973. message:
  2974. type: string
  2975. reason:
  2976. type: string
  2977. status:
  2978. type: string
  2979. type:
  2980. type: string
  2981. required:
  2982. - status
  2983. - type
  2984. type: object
  2985. type: array
  2986. refreshTime:
  2987. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2988. format: date-time
  2989. nullable: true
  2990. type: string
  2991. syncedResourceVersion:
  2992. description: SyncedResourceVersion keeps track of the last synced version
  2993. type: string
  2994. type: object
  2995. type: object
  2996. served: true
  2997. storage: true
  2998. subresources:
  2999. status: {}
  3000. conversion:
  3001. strategy: Webhook
  3002. webhook:
  3003. conversionReviewVersions:
  3004. - v1
  3005. clientConfig:
  3006. service:
  3007. name: kubernetes
  3008. namespace: default
  3009. path: /convert
  3010. status:
  3011. acceptedNames:
  3012. kind: ""
  3013. plural: ""
  3014. conditions: []
  3015. storedVersions: []
  3016. ---
  3017. apiVersion: apiextensions.k8s.io/v1
  3018. kind: CustomResourceDefinition
  3019. metadata:
  3020. annotations:
  3021. controller-gen.kubebuilder.io/version: v0.8.0
  3022. creationTimestamp: null
  3023. name: secretsinks.external-secrets.io
  3024. spec:
  3025. group: external-secrets.io
  3026. names:
  3027. categories:
  3028. - secretsinks
  3029. kind: SecretSink
  3030. listKind: SecretSinkList
  3031. plural: secretsinks
  3032. singular: secretsink
  3033. scope: Namespaced
  3034. versions:
  3035. - name: v1alpha1
  3036. schema:
  3037. openAPIV3Schema:
  3038. properties:
  3039. apiVersion:
  3040. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3041. type: string
  3042. kind:
  3043. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3044. type: string
  3045. metadata:
  3046. type: object
  3047. spec:
  3048. description: SecretSinkSpec configures the behavior of the SecretSink.
  3049. properties:
  3050. data:
  3051. items:
  3052. properties:
  3053. match:
  3054. items:
  3055. properties:
  3056. remoteRefs:
  3057. items:
  3058. properties:
  3059. remoteKey:
  3060. type: string
  3061. required:
  3062. - remoteKey
  3063. type: object
  3064. type: array
  3065. secretKey:
  3066. type: string
  3067. required:
  3068. - remoteRefs
  3069. - secretKey
  3070. type: object
  3071. type: array
  3072. required:
  3073. - match
  3074. type: object
  3075. type: array
  3076. secretStoreRefs:
  3077. items:
  3078. properties:
  3079. kind:
  3080. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3081. type: string
  3082. name:
  3083. description: Name of the SecretStore resource
  3084. type: string
  3085. required:
  3086. - name
  3087. type: object
  3088. type: array
  3089. selector:
  3090. properties:
  3091. secret:
  3092. properties:
  3093. name:
  3094. type: string
  3095. required:
  3096. - name
  3097. type: object
  3098. required:
  3099. - secret
  3100. type: object
  3101. required:
  3102. - secretStoreRefs
  3103. - selector
  3104. type: object
  3105. status:
  3106. description: SecretSinkStatus indicates the history of the status of SecretSink.
  3107. properties:
  3108. conditions:
  3109. items:
  3110. description: SecretSinkStatusCondition indicates the status of the SecretSink.
  3111. properties:
  3112. lastTransitionTime:
  3113. format: date-time
  3114. type: string
  3115. message:
  3116. type: string
  3117. reason:
  3118. type: string
  3119. status:
  3120. type: string
  3121. type:
  3122. description: SecretSinkConditionType indicates the condition of the SecretSink.
  3123. type: string
  3124. required:
  3125. - status
  3126. - type
  3127. type: object
  3128. type: array
  3129. refreshTime:
  3130. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3131. format: date-time
  3132. nullable: true
  3133. type: string
  3134. syncedResourceVersion:
  3135. description: SyncedResourceVersion keeps track of the last synced version.
  3136. type: string
  3137. type: object
  3138. type: object
  3139. served: true
  3140. storage: true
  3141. subresources:
  3142. status: {}
  3143. conversion:
  3144. strategy: Webhook
  3145. webhook:
  3146. conversionReviewVersions:
  3147. - v1
  3148. clientConfig:
  3149. service:
  3150. name: kubernetes
  3151. namespace: default
  3152. path: /convert
  3153. status:
  3154. acceptedNames:
  3155. kind: ""
  3156. plural: ""
  3157. conditions: []
  3158. storedVersions: []
  3159. ---
  3160. apiVersion: apiextensions.k8s.io/v1
  3161. kind: CustomResourceDefinition
  3162. metadata:
  3163. annotations:
  3164. controller-gen.kubebuilder.io/version: v0.8.0
  3165. creationTimestamp: null
  3166. name: secretstores.external-secrets.io
  3167. spec:
  3168. group: external-secrets.io
  3169. names:
  3170. categories:
  3171. - externalsecrets
  3172. kind: SecretStore
  3173. listKind: SecretStoreList
  3174. plural: secretstores
  3175. shortNames:
  3176. - ss
  3177. singular: secretstore
  3178. scope: Namespaced
  3179. versions:
  3180. - additionalPrinterColumns:
  3181. - jsonPath: .metadata.creationTimestamp
  3182. name: AGE
  3183. type: date
  3184. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3185. name: Status
  3186. type: string
  3187. deprecated: true
  3188. name: v1alpha1
  3189. schema:
  3190. openAPIV3Schema:
  3191. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3192. properties:
  3193. apiVersion:
  3194. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3195. type: string
  3196. kind:
  3197. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3198. type: string
  3199. metadata:
  3200. type: object
  3201. spec:
  3202. description: SecretStoreSpec defines the desired state of SecretStore.
  3203. properties:
  3204. controller:
  3205. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3206. type: string
  3207. provider:
  3208. description: Used to configure the provider. Only one provider may be set
  3209. maxProperties: 1
  3210. minProperties: 1
  3211. properties:
  3212. akeyless:
  3213. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3214. properties:
  3215. akeylessGWApiURL:
  3216. description: Akeyless GW API Url from which the secrets to be fetched from.
  3217. type: string
  3218. authSecretRef:
  3219. description: Auth configures how the operator authenticates with Akeyless.
  3220. properties:
  3221. secretRef:
  3222. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  3223. properties:
  3224. accessID:
  3225. description: The SecretAccessID is used for authentication
  3226. properties:
  3227. key:
  3228. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3229. type: string
  3230. name:
  3231. description: The name of the Secret resource being referred to.
  3232. type: string
  3233. namespace:
  3234. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3235. type: string
  3236. type: object
  3237. accessType:
  3238. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3239. properties:
  3240. key:
  3241. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3242. type: string
  3243. name:
  3244. description: The name of the Secret resource being referred to.
  3245. type: string
  3246. namespace:
  3247. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3248. type: string
  3249. type: object
  3250. accessTypeParam:
  3251. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3252. properties:
  3253. key:
  3254. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3255. type: string
  3256. name:
  3257. description: The name of the Secret resource being referred to.
  3258. type: string
  3259. namespace:
  3260. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3261. type: string
  3262. type: object
  3263. type: object
  3264. required:
  3265. - secretRef
  3266. type: object
  3267. required:
  3268. - akeylessGWApiURL
  3269. - authSecretRef
  3270. type: object
  3271. alibaba:
  3272. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3273. properties:
  3274. auth:
  3275. description: AlibabaAuth contains a secretRef for credentials.
  3276. properties:
  3277. secretRef:
  3278. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3279. properties:
  3280. accessKeyIDSecretRef:
  3281. description: The AccessKeyID is used for authentication
  3282. properties:
  3283. key:
  3284. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3285. type: string
  3286. name:
  3287. description: The name of the Secret resource being referred to.
  3288. type: string
  3289. namespace:
  3290. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3291. type: string
  3292. type: object
  3293. accessKeySecretSecretRef:
  3294. description: The AccessKeySecret is used for authentication
  3295. properties:
  3296. key:
  3297. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3298. type: string
  3299. name:
  3300. description: The name of the Secret resource being referred to.
  3301. type: string
  3302. namespace:
  3303. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3304. type: string
  3305. type: object
  3306. required:
  3307. - accessKeyIDSecretRef
  3308. - accessKeySecretSecretRef
  3309. type: object
  3310. required:
  3311. - secretRef
  3312. type: object
  3313. endpoint:
  3314. type: string
  3315. regionID:
  3316. description: Alibaba Region to be used for the provider
  3317. type: string
  3318. required:
  3319. - auth
  3320. - regionID
  3321. type: object
  3322. aws:
  3323. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3324. properties:
  3325. auth:
  3326. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3327. properties:
  3328. jwt:
  3329. description: Authenticate against AWS using service account tokens.
  3330. properties:
  3331. serviceAccountRef:
  3332. description: A reference to a ServiceAccount resource.
  3333. properties:
  3334. name:
  3335. description: The name of the ServiceAccount resource being referred to.
  3336. type: string
  3337. namespace:
  3338. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3339. type: string
  3340. required:
  3341. - name
  3342. type: object
  3343. type: object
  3344. secretRef:
  3345. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3346. properties:
  3347. accessKeyIDSecretRef:
  3348. description: The AccessKeyID is used for authentication
  3349. properties:
  3350. key:
  3351. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3352. type: string
  3353. name:
  3354. description: The name of the Secret resource being referred to.
  3355. type: string
  3356. namespace:
  3357. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3358. type: string
  3359. type: object
  3360. secretAccessKeySecretRef:
  3361. description: The SecretAccessKey is used for authentication
  3362. properties:
  3363. key:
  3364. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3365. type: string
  3366. name:
  3367. description: The name of the Secret resource being referred to.
  3368. type: string
  3369. namespace:
  3370. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3371. type: string
  3372. type: object
  3373. type: object
  3374. type: object
  3375. region:
  3376. description: AWS Region to be used for the provider
  3377. type: string
  3378. role:
  3379. description: Role is a Role ARN which the SecretManager provider will assume
  3380. type: string
  3381. service:
  3382. description: Service defines which service should be used to fetch the secrets
  3383. enum:
  3384. - SecretsManager
  3385. - ParameterStore
  3386. type: string
  3387. required:
  3388. - region
  3389. - service
  3390. type: object
  3391. azurekv:
  3392. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3393. properties:
  3394. authSecretRef:
  3395. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3396. properties:
  3397. clientId:
  3398. description: The Azure clientId of the service principle used for authentication.
  3399. properties:
  3400. key:
  3401. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3402. type: string
  3403. name:
  3404. description: The name of the Secret resource being referred to.
  3405. type: string
  3406. namespace:
  3407. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3408. type: string
  3409. type: object
  3410. clientSecret:
  3411. description: The Azure ClientSecret of the service principle used for authentication.
  3412. properties:
  3413. key:
  3414. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3415. type: string
  3416. name:
  3417. description: The name of the Secret resource being referred to.
  3418. type: string
  3419. namespace:
  3420. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3421. type: string
  3422. type: object
  3423. type: object
  3424. authType:
  3425. default: ServicePrincipal
  3426. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3427. enum:
  3428. - ServicePrincipal
  3429. - ManagedIdentity
  3430. - WorkloadIdentity
  3431. type: string
  3432. identityId:
  3433. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3434. type: string
  3435. serviceAccountRef:
  3436. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  3437. properties:
  3438. name:
  3439. description: The name of the ServiceAccount resource being referred to.
  3440. type: string
  3441. namespace:
  3442. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3443. type: string
  3444. required:
  3445. - name
  3446. type: object
  3447. tenantId:
  3448. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3449. type: string
  3450. vaultUrl:
  3451. description: Vault Url from which the secrets to be fetched from.
  3452. type: string
  3453. required:
  3454. - vaultUrl
  3455. type: object
  3456. fake:
  3457. description: Fake configures a store with static key/value pairs
  3458. properties:
  3459. data:
  3460. items:
  3461. properties:
  3462. key:
  3463. type: string
  3464. value:
  3465. type: string
  3466. valueMap:
  3467. additionalProperties:
  3468. type: string
  3469. type: object
  3470. version:
  3471. type: string
  3472. required:
  3473. - key
  3474. type: object
  3475. type: array
  3476. required:
  3477. - data
  3478. type: object
  3479. gcpsm:
  3480. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3481. properties:
  3482. auth:
  3483. description: Auth defines the information necessary to authenticate against GCP
  3484. properties:
  3485. secretRef:
  3486. properties:
  3487. secretAccessKeySecretRef:
  3488. description: The SecretAccessKey is used for authentication
  3489. properties:
  3490. key:
  3491. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3492. type: string
  3493. name:
  3494. description: The name of the Secret resource being referred to.
  3495. type: string
  3496. namespace:
  3497. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3498. type: string
  3499. type: object
  3500. type: object
  3501. workloadIdentity:
  3502. properties:
  3503. clusterLocation:
  3504. type: string
  3505. clusterName:
  3506. type: string
  3507. clusterProjectID:
  3508. type: string
  3509. serviceAccountRef:
  3510. description: A reference to a ServiceAccount resource.
  3511. properties:
  3512. name:
  3513. description: The name of the ServiceAccount resource being referred to.
  3514. type: string
  3515. namespace:
  3516. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3517. type: string
  3518. required:
  3519. - name
  3520. type: object
  3521. required:
  3522. - clusterLocation
  3523. - clusterName
  3524. - serviceAccountRef
  3525. type: object
  3526. type: object
  3527. projectID:
  3528. description: ProjectID project where secret is located
  3529. type: string
  3530. type: object
  3531. gitlab:
  3532. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  3533. properties:
  3534. auth:
  3535. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3536. properties:
  3537. SecretRef:
  3538. properties:
  3539. accessToken:
  3540. description: AccessToken is used for authentication.
  3541. properties:
  3542. key:
  3543. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3544. type: string
  3545. name:
  3546. description: The name of the Secret resource being referred to.
  3547. type: string
  3548. namespace:
  3549. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3550. type: string
  3551. type: object
  3552. type: object
  3553. required:
  3554. - SecretRef
  3555. type: object
  3556. projectID:
  3557. description: ProjectID specifies a project where secrets are located.
  3558. type: string
  3559. url:
  3560. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3561. type: string
  3562. required:
  3563. - auth
  3564. type: object
  3565. ibm:
  3566. description: IBM configures this store to sync secrets using IBM Cloud provider
  3567. properties:
  3568. auth:
  3569. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3570. properties:
  3571. secretRef:
  3572. properties:
  3573. secretApiKeySecretRef:
  3574. description: The SecretAccessKey is used for authentication
  3575. properties:
  3576. key:
  3577. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3578. type: string
  3579. name:
  3580. description: The name of the Secret resource being referred to.
  3581. type: string
  3582. namespace:
  3583. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3584. type: string
  3585. type: object
  3586. type: object
  3587. required:
  3588. - secretRef
  3589. type: object
  3590. serviceUrl:
  3591. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3592. type: string
  3593. required:
  3594. - auth
  3595. type: object
  3596. kubernetes:
  3597. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3598. properties:
  3599. auth:
  3600. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3601. maxProperties: 1
  3602. minProperties: 1
  3603. properties:
  3604. cert:
  3605. description: has both clientCert and clientKey as secretKeySelector
  3606. properties:
  3607. clientCert:
  3608. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3609. properties:
  3610. key:
  3611. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3612. type: string
  3613. name:
  3614. description: The name of the Secret resource being referred to.
  3615. type: string
  3616. namespace:
  3617. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3618. type: string
  3619. type: object
  3620. clientKey:
  3621. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3622. properties:
  3623. key:
  3624. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3625. type: string
  3626. name:
  3627. description: The name of the Secret resource being referred to.
  3628. type: string
  3629. namespace:
  3630. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3631. type: string
  3632. type: object
  3633. type: object
  3634. serviceAccount:
  3635. description: points to a service account that should be used for authentication
  3636. properties:
  3637. serviceAccount:
  3638. description: A reference to a ServiceAccount resource.
  3639. properties:
  3640. name:
  3641. description: The name of the ServiceAccount resource being referred to.
  3642. type: string
  3643. namespace:
  3644. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3645. type: string
  3646. required:
  3647. - name
  3648. type: object
  3649. type: object
  3650. token:
  3651. description: use static token to authenticate with
  3652. properties:
  3653. bearerToken:
  3654. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3655. properties:
  3656. key:
  3657. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3658. type: string
  3659. name:
  3660. description: The name of the Secret resource being referred to.
  3661. type: string
  3662. namespace:
  3663. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3664. type: string
  3665. type: object
  3666. type: object
  3667. type: object
  3668. remoteNamespace:
  3669. default: default
  3670. description: Remote namespace to fetch the secrets from
  3671. type: string
  3672. server:
  3673. description: configures the Kubernetes server Address.
  3674. properties:
  3675. caBundle:
  3676. description: CABundle is a base64-encoded CA certificate
  3677. format: byte
  3678. type: string
  3679. caProvider:
  3680. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3681. properties:
  3682. key:
  3683. description: The key the value inside of the provider type to use, only used with "Secret" type
  3684. type: string
  3685. name:
  3686. description: The name of the object located at the provider type.
  3687. type: string
  3688. namespace:
  3689. description: The namespace the Provider type is in.
  3690. type: string
  3691. type:
  3692. description: The type of provider to use such as "Secret", or "ConfigMap".
  3693. enum:
  3694. - Secret
  3695. - ConfigMap
  3696. type: string
  3697. required:
  3698. - name
  3699. - type
  3700. type: object
  3701. url:
  3702. default: kubernetes.default
  3703. description: configures the Kubernetes server Address.
  3704. type: string
  3705. type: object
  3706. required:
  3707. - auth
  3708. type: object
  3709. oracle:
  3710. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3711. properties:
  3712. auth:
  3713. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3714. properties:
  3715. secretRef:
  3716. description: SecretRef to pass through sensitive information.
  3717. properties:
  3718. fingerprint:
  3719. description: Fingerprint is the fingerprint of the API private key.
  3720. properties:
  3721. key:
  3722. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3723. type: string
  3724. name:
  3725. description: The name of the Secret resource being referred to.
  3726. type: string
  3727. namespace:
  3728. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3729. type: string
  3730. type: object
  3731. privatekey:
  3732. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3733. properties:
  3734. key:
  3735. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3736. type: string
  3737. name:
  3738. description: The name of the Secret resource being referred to.
  3739. type: string
  3740. namespace:
  3741. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3742. type: string
  3743. type: object
  3744. required:
  3745. - fingerprint
  3746. - privatekey
  3747. type: object
  3748. tenancy:
  3749. description: Tenancy is the tenancy OCID where user is located.
  3750. type: string
  3751. user:
  3752. description: User is an access OCID specific to the account.
  3753. type: string
  3754. required:
  3755. - secretRef
  3756. - tenancy
  3757. - user
  3758. type: object
  3759. region:
  3760. description: Region is the region where vault is located.
  3761. type: string
  3762. vault:
  3763. description: Vault is the vault's OCID of the specific vault where secret is located.
  3764. type: string
  3765. required:
  3766. - region
  3767. - vault
  3768. type: object
  3769. vault:
  3770. description: Vault configures this store to sync secrets using Hashi provider
  3771. properties:
  3772. auth:
  3773. description: Auth configures how secret-manager authenticates with the Vault server.
  3774. properties:
  3775. appRole:
  3776. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3777. properties:
  3778. path:
  3779. default: approle
  3780. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3781. type: string
  3782. roleId:
  3783. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3784. type: string
  3785. secretRef:
  3786. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3787. properties:
  3788. key:
  3789. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3790. type: string
  3791. name:
  3792. description: The name of the Secret resource being referred to.
  3793. type: string
  3794. namespace:
  3795. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3796. type: string
  3797. type: object
  3798. required:
  3799. - path
  3800. - roleId
  3801. - secretRef
  3802. type: object
  3803. cert:
  3804. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  3805. properties:
  3806. clientCert:
  3807. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  3808. properties:
  3809. key:
  3810. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3811. type: string
  3812. name:
  3813. description: The name of the Secret resource being referred to.
  3814. type: string
  3815. namespace:
  3816. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3817. type: string
  3818. type: object
  3819. secretRef:
  3820. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  3821. properties:
  3822. key:
  3823. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3824. type: string
  3825. name:
  3826. description: The name of the Secret resource being referred to.
  3827. type: string
  3828. namespace:
  3829. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3830. type: string
  3831. type: object
  3832. type: object
  3833. jwt:
  3834. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3835. properties:
  3836. kubernetesServiceAccountToken:
  3837. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  3838. properties:
  3839. audiences:
  3840. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  3841. items:
  3842. type: string
  3843. type: array
  3844. expirationSeconds:
  3845. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  3846. format: int64
  3847. type: integer
  3848. serviceAccountRef:
  3849. description: Service account field containing the name of a kubernetes ServiceAccount.
  3850. properties:
  3851. name:
  3852. description: The name of the ServiceAccount resource being referred to.
  3853. type: string
  3854. namespace:
  3855. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3856. type: string
  3857. required:
  3858. - name
  3859. type: object
  3860. required:
  3861. - serviceAccountRef
  3862. type: object
  3863. path:
  3864. default: jwt
  3865. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3866. type: string
  3867. role:
  3868. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3869. type: string
  3870. secretRef:
  3871. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  3872. properties:
  3873. key:
  3874. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3875. type: string
  3876. name:
  3877. description: The name of the Secret resource being referred to.
  3878. type: string
  3879. namespace:
  3880. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3881. type: string
  3882. type: object
  3883. required:
  3884. - path
  3885. type: object
  3886. kubernetes:
  3887. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3888. properties:
  3889. mountPath:
  3890. default: kubernetes
  3891. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3892. type: string
  3893. role:
  3894. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3895. type: string
  3896. secretRef:
  3897. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3898. properties:
  3899. key:
  3900. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3901. type: string
  3902. name:
  3903. description: The name of the Secret resource being referred to.
  3904. type: string
  3905. namespace:
  3906. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3907. type: string
  3908. type: object
  3909. serviceAccountRef:
  3910. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3911. properties:
  3912. name:
  3913. description: The name of the ServiceAccount resource being referred to.
  3914. type: string
  3915. namespace:
  3916. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3917. type: string
  3918. required:
  3919. - name
  3920. type: object
  3921. required:
  3922. - mountPath
  3923. - role
  3924. type: object
  3925. ldap:
  3926. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  3927. properties:
  3928. path:
  3929. default: ldap
  3930. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  3931. type: string
  3932. secretRef:
  3933. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  3934. properties:
  3935. key:
  3936. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3937. type: string
  3938. name:
  3939. description: The name of the Secret resource being referred to.
  3940. type: string
  3941. namespace:
  3942. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3943. type: string
  3944. type: object
  3945. username:
  3946. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  3947. type: string
  3948. required:
  3949. - path
  3950. - username
  3951. type: object
  3952. tokenSecretRef:
  3953. description: TokenSecretRef authenticates with Vault by presenting a token.
  3954. properties:
  3955. key:
  3956. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3957. type: string
  3958. name:
  3959. description: The name of the Secret resource being referred to.
  3960. type: string
  3961. namespace:
  3962. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3963. type: string
  3964. type: object
  3965. type: object
  3966. caBundle:
  3967. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  3968. format: byte
  3969. type: string
  3970. caProvider:
  3971. description: The provider for the CA bundle to use to validate Vault server certificate.
  3972. properties:
  3973. key:
  3974. description: The key the value inside of the provider type to use, only used with "Secret" type
  3975. type: string
  3976. name:
  3977. description: The name of the object located at the provider type.
  3978. type: string
  3979. namespace:
  3980. description: The namespace the Provider type is in.
  3981. type: string
  3982. type:
  3983. description: The type of provider to use such as "Secret", or "ConfigMap".
  3984. enum:
  3985. - Secret
  3986. - ConfigMap
  3987. type: string
  3988. required:
  3989. - name
  3990. - type
  3991. type: object
  3992. forwardInconsistent:
  3993. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  3994. type: boolean
  3995. namespace:
  3996. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  3997. type: string
  3998. path:
  3999. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  4000. type: string
  4001. readYourWrites:
  4002. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  4003. type: boolean
  4004. server:
  4005. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4006. type: string
  4007. version:
  4008. default: v2
  4009. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  4010. enum:
  4011. - v1
  4012. - v2
  4013. type: string
  4014. required:
  4015. - auth
  4016. - server
  4017. type: object
  4018. webhook:
  4019. description: Webhook configures this store to sync secrets using a generic templated webhook
  4020. properties:
  4021. body:
  4022. description: Body
  4023. type: string
  4024. caBundle:
  4025. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4026. format: byte
  4027. type: string
  4028. caProvider:
  4029. description: The provider for the CA bundle to use to validate webhook server certificate.
  4030. properties:
  4031. key:
  4032. description: The key the value inside of the provider type to use, only used with "Secret" type
  4033. type: string
  4034. name:
  4035. description: The name of the object located at the provider type.
  4036. type: string
  4037. namespace:
  4038. description: The namespace the Provider type is in.
  4039. type: string
  4040. type:
  4041. description: The type of provider to use such as "Secret", or "ConfigMap".
  4042. enum:
  4043. - Secret
  4044. - ConfigMap
  4045. type: string
  4046. required:
  4047. - name
  4048. - type
  4049. type: object
  4050. headers:
  4051. additionalProperties:
  4052. type: string
  4053. description: Headers
  4054. type: object
  4055. method:
  4056. description: Webhook Method
  4057. type: string
  4058. result:
  4059. description: Result formatting
  4060. properties:
  4061. jsonPath:
  4062. description: Json path of return value
  4063. type: string
  4064. type: object
  4065. secrets:
  4066. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  4067. items:
  4068. properties:
  4069. name:
  4070. description: Name of this secret in templates
  4071. type: string
  4072. secretRef:
  4073. description: Secret ref to fill in credentials
  4074. properties:
  4075. key:
  4076. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4077. type: string
  4078. name:
  4079. description: The name of the Secret resource being referred to.
  4080. type: string
  4081. namespace:
  4082. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4083. type: string
  4084. type: object
  4085. required:
  4086. - name
  4087. - secretRef
  4088. type: object
  4089. type: array
  4090. timeout:
  4091. description: Timeout
  4092. type: string
  4093. url:
  4094. description: Webhook url to call
  4095. type: string
  4096. required:
  4097. - result
  4098. - url
  4099. type: object
  4100. yandexlockbox:
  4101. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4102. properties:
  4103. apiEndpoint:
  4104. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4105. type: string
  4106. auth:
  4107. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4108. properties:
  4109. authorizedKeySecretRef:
  4110. description: The authorized key used for authentication
  4111. properties:
  4112. key:
  4113. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4114. type: string
  4115. name:
  4116. description: The name of the Secret resource being referred to.
  4117. type: string
  4118. namespace:
  4119. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4120. type: string
  4121. type: object
  4122. type: object
  4123. caProvider:
  4124. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4125. properties:
  4126. certSecretRef:
  4127. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4128. properties:
  4129. key:
  4130. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4131. type: string
  4132. name:
  4133. description: The name of the Secret resource being referred to.
  4134. type: string
  4135. namespace:
  4136. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4137. type: string
  4138. type: object
  4139. type: object
  4140. required:
  4141. - auth
  4142. type: object
  4143. type: object
  4144. retrySettings:
  4145. description: Used to configure http retries if failed
  4146. properties:
  4147. maxRetries:
  4148. format: int32
  4149. type: integer
  4150. retryInterval:
  4151. type: string
  4152. type: object
  4153. required:
  4154. - provider
  4155. type: object
  4156. status:
  4157. description: SecretStoreStatus defines the observed state of the SecretStore.
  4158. properties:
  4159. conditions:
  4160. items:
  4161. properties:
  4162. lastTransitionTime:
  4163. format: date-time
  4164. type: string
  4165. message:
  4166. type: string
  4167. reason:
  4168. type: string
  4169. status:
  4170. type: string
  4171. type:
  4172. type: string
  4173. required:
  4174. - status
  4175. - type
  4176. type: object
  4177. type: array
  4178. type: object
  4179. type: object
  4180. served: true
  4181. storage: false
  4182. subresources:
  4183. status: {}
  4184. - additionalPrinterColumns:
  4185. - jsonPath: .metadata.creationTimestamp
  4186. name: AGE
  4187. type: date
  4188. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4189. name: Status
  4190. type: string
  4191. - jsonPath: .status.capabilities
  4192. name: Capabilities
  4193. type: string
  4194. name: v1beta1
  4195. schema:
  4196. openAPIV3Schema:
  4197. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4198. properties:
  4199. apiVersion:
  4200. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4201. type: string
  4202. kind:
  4203. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4204. type: string
  4205. metadata:
  4206. type: object
  4207. spec:
  4208. description: SecretStoreSpec defines the desired state of SecretStore.
  4209. properties:
  4210. controller:
  4211. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  4212. type: string
  4213. provider:
  4214. description: Used to configure the provider. Only one provider may be set
  4215. maxProperties: 1
  4216. minProperties: 1
  4217. properties:
  4218. akeyless:
  4219. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4220. properties:
  4221. akeylessGWApiURL:
  4222. description: Akeyless GW API Url from which the secrets to be fetched from.
  4223. type: string
  4224. authSecretRef:
  4225. description: Auth configures how the operator authenticates with Akeyless.
  4226. properties:
  4227. secretRef:
  4228. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  4229. properties:
  4230. accessID:
  4231. description: The SecretAccessID is used for authentication
  4232. properties:
  4233. key:
  4234. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4235. type: string
  4236. name:
  4237. description: The name of the Secret resource being referred to.
  4238. type: string
  4239. namespace:
  4240. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4241. type: string
  4242. type: object
  4243. accessType:
  4244. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4245. properties:
  4246. key:
  4247. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4248. type: string
  4249. name:
  4250. description: The name of the Secret resource being referred to.
  4251. type: string
  4252. namespace:
  4253. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4254. type: string
  4255. type: object
  4256. accessTypeParam:
  4257. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4258. properties:
  4259. key:
  4260. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4261. type: string
  4262. name:
  4263. description: The name of the Secret resource being referred to.
  4264. type: string
  4265. namespace:
  4266. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4267. type: string
  4268. type: object
  4269. type: object
  4270. required:
  4271. - secretRef
  4272. type: object
  4273. required:
  4274. - akeylessGWApiURL
  4275. - authSecretRef
  4276. type: object
  4277. alibaba:
  4278. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4279. properties:
  4280. auth:
  4281. description: AlibabaAuth contains a secretRef for credentials.
  4282. properties:
  4283. secretRef:
  4284. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4285. properties:
  4286. accessKeyIDSecretRef:
  4287. description: The AccessKeyID is used for authentication
  4288. properties:
  4289. key:
  4290. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4291. type: string
  4292. name:
  4293. description: The name of the Secret resource being referred to.
  4294. type: string
  4295. namespace:
  4296. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4297. type: string
  4298. type: object
  4299. accessKeySecretSecretRef:
  4300. description: The AccessKeySecret is used for authentication
  4301. properties:
  4302. key:
  4303. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4304. type: string
  4305. name:
  4306. description: The name of the Secret resource being referred to.
  4307. type: string
  4308. namespace:
  4309. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4310. type: string
  4311. type: object
  4312. required:
  4313. - accessKeyIDSecretRef
  4314. - accessKeySecretSecretRef
  4315. type: object
  4316. required:
  4317. - secretRef
  4318. type: object
  4319. endpoint:
  4320. type: string
  4321. regionID:
  4322. description: Alibaba Region to be used for the provider
  4323. type: string
  4324. required:
  4325. - auth
  4326. - regionID
  4327. type: object
  4328. aws:
  4329. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4330. properties:
  4331. auth:
  4332. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4333. properties:
  4334. jwt:
  4335. description: Authenticate against AWS using service account tokens.
  4336. properties:
  4337. serviceAccountRef:
  4338. description: A reference to a ServiceAccount resource.
  4339. properties:
  4340. name:
  4341. description: The name of the ServiceAccount resource being referred to.
  4342. type: string
  4343. namespace:
  4344. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4345. type: string
  4346. required:
  4347. - name
  4348. type: object
  4349. type: object
  4350. secretRef:
  4351. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4352. properties:
  4353. accessKeyIDSecretRef:
  4354. description: The AccessKeyID is used for authentication
  4355. properties:
  4356. key:
  4357. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4358. type: string
  4359. name:
  4360. description: The name of the Secret resource being referred to.
  4361. type: string
  4362. namespace:
  4363. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4364. type: string
  4365. type: object
  4366. secretAccessKeySecretRef:
  4367. description: The SecretAccessKey is used for authentication
  4368. properties:
  4369. key:
  4370. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4371. type: string
  4372. name:
  4373. description: The name of the Secret resource being referred to.
  4374. type: string
  4375. namespace:
  4376. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4377. type: string
  4378. type: object
  4379. type: object
  4380. type: object
  4381. region:
  4382. description: AWS Region to be used for the provider
  4383. type: string
  4384. role:
  4385. description: Role is a Role ARN which the SecretManager provider will assume
  4386. type: string
  4387. service:
  4388. description: Service defines which service should be used to fetch the secrets
  4389. enum:
  4390. - SecretsManager
  4391. - ParameterStore
  4392. type: string
  4393. required:
  4394. - region
  4395. - service
  4396. type: object
  4397. azurekv:
  4398. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4399. properties:
  4400. authSecretRef:
  4401. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4402. properties:
  4403. clientId:
  4404. description: The Azure clientId of the service principle used for authentication.
  4405. properties:
  4406. key:
  4407. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4408. type: string
  4409. name:
  4410. description: The name of the Secret resource being referred to.
  4411. type: string
  4412. namespace:
  4413. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4414. type: string
  4415. type: object
  4416. clientSecret:
  4417. description: The Azure ClientSecret of the service principle used for authentication.
  4418. properties:
  4419. key:
  4420. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4421. type: string
  4422. name:
  4423. description: The name of the Secret resource being referred to.
  4424. type: string
  4425. namespace:
  4426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4427. type: string
  4428. type: object
  4429. type: object
  4430. authType:
  4431. default: ServicePrincipal
  4432. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  4433. enum:
  4434. - ServicePrincipal
  4435. - ManagedIdentity
  4436. - WorkloadIdentity
  4437. type: string
  4438. identityId:
  4439. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  4440. type: string
  4441. serviceAccountRef:
  4442. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  4443. properties:
  4444. name:
  4445. description: The name of the ServiceAccount resource being referred to.
  4446. type: string
  4447. namespace:
  4448. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4449. type: string
  4450. required:
  4451. - name
  4452. type: object
  4453. tenantId:
  4454. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4455. type: string
  4456. vaultUrl:
  4457. description: Vault Url from which the secrets to be fetched from.
  4458. type: string
  4459. required:
  4460. - vaultUrl
  4461. type: object
  4462. fake:
  4463. description: Fake configures a store with static key/value pairs
  4464. properties:
  4465. data:
  4466. items:
  4467. properties:
  4468. key:
  4469. type: string
  4470. value:
  4471. type: string
  4472. valueMap:
  4473. additionalProperties:
  4474. type: string
  4475. type: object
  4476. version:
  4477. type: string
  4478. required:
  4479. - key
  4480. type: object
  4481. type: array
  4482. required:
  4483. - data
  4484. type: object
  4485. gcpsm:
  4486. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4487. properties:
  4488. auth:
  4489. description: Auth defines the information necessary to authenticate against GCP
  4490. properties:
  4491. secretRef:
  4492. properties:
  4493. secretAccessKeySecretRef:
  4494. description: The SecretAccessKey is used for authentication
  4495. properties:
  4496. key:
  4497. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4498. type: string
  4499. name:
  4500. description: The name of the Secret resource being referred to.
  4501. type: string
  4502. namespace:
  4503. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4504. type: string
  4505. type: object
  4506. type: object
  4507. workloadIdentity:
  4508. properties:
  4509. clusterLocation:
  4510. type: string
  4511. clusterName:
  4512. type: string
  4513. clusterProjectID:
  4514. type: string
  4515. serviceAccountRef:
  4516. description: A reference to a ServiceAccount resource.
  4517. properties:
  4518. name:
  4519. description: The name of the ServiceAccount resource being referred to.
  4520. type: string
  4521. namespace:
  4522. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4523. type: string
  4524. required:
  4525. - name
  4526. type: object
  4527. required:
  4528. - clusterLocation
  4529. - clusterName
  4530. - serviceAccountRef
  4531. type: object
  4532. type: object
  4533. projectID:
  4534. description: ProjectID project where secret is located
  4535. type: string
  4536. type: object
  4537. gitlab:
  4538. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  4539. properties:
  4540. auth:
  4541. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4542. properties:
  4543. SecretRef:
  4544. properties:
  4545. accessToken:
  4546. description: AccessToken is used for authentication.
  4547. properties:
  4548. key:
  4549. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4550. type: string
  4551. name:
  4552. description: The name of the Secret resource being referred to.
  4553. type: string
  4554. namespace:
  4555. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4556. type: string
  4557. type: object
  4558. type: object
  4559. required:
  4560. - SecretRef
  4561. type: object
  4562. projectID:
  4563. description: ProjectID specifies a project where secrets are located.
  4564. type: string
  4565. url:
  4566. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4567. type: string
  4568. required:
  4569. - auth
  4570. type: object
  4571. ibm:
  4572. description: IBM configures this store to sync secrets using IBM Cloud provider
  4573. properties:
  4574. auth:
  4575. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4576. properties:
  4577. secretRef:
  4578. properties:
  4579. secretApiKeySecretRef:
  4580. description: The SecretAccessKey is used for authentication
  4581. properties:
  4582. key:
  4583. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4584. type: string
  4585. name:
  4586. description: The name of the Secret resource being referred to.
  4587. type: string
  4588. namespace:
  4589. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4590. type: string
  4591. type: object
  4592. type: object
  4593. required:
  4594. - secretRef
  4595. type: object
  4596. serviceUrl:
  4597. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4598. type: string
  4599. required:
  4600. - auth
  4601. type: object
  4602. kubernetes:
  4603. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  4604. properties:
  4605. auth:
  4606. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  4607. maxProperties: 1
  4608. minProperties: 1
  4609. properties:
  4610. cert:
  4611. description: has both clientCert and clientKey as secretKeySelector
  4612. properties:
  4613. clientCert:
  4614. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4615. properties:
  4616. key:
  4617. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4618. type: string
  4619. name:
  4620. description: The name of the Secret resource being referred to.
  4621. type: string
  4622. namespace:
  4623. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4624. type: string
  4625. type: object
  4626. clientKey:
  4627. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4628. properties:
  4629. key:
  4630. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4631. type: string
  4632. name:
  4633. description: The name of the Secret resource being referred to.
  4634. type: string
  4635. namespace:
  4636. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4637. type: string
  4638. type: object
  4639. type: object
  4640. serviceAccount:
  4641. description: points to a service account that should be used for authentication
  4642. properties:
  4643. serviceAccount:
  4644. description: A reference to a ServiceAccount resource.
  4645. properties:
  4646. name:
  4647. description: The name of the ServiceAccount resource being referred to.
  4648. type: string
  4649. namespace:
  4650. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4651. type: string
  4652. required:
  4653. - name
  4654. type: object
  4655. type: object
  4656. token:
  4657. description: use static token to authenticate with
  4658. properties:
  4659. bearerToken:
  4660. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4661. properties:
  4662. key:
  4663. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4664. type: string
  4665. name:
  4666. description: The name of the Secret resource being referred to.
  4667. type: string
  4668. namespace:
  4669. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4670. type: string
  4671. type: object
  4672. type: object
  4673. type: object
  4674. remoteNamespace:
  4675. default: default
  4676. description: Remote namespace to fetch the secrets from
  4677. type: string
  4678. server:
  4679. description: configures the Kubernetes server Address.
  4680. properties:
  4681. caBundle:
  4682. description: CABundle is a base64-encoded CA certificate
  4683. format: byte
  4684. type: string
  4685. caProvider:
  4686. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4687. properties:
  4688. key:
  4689. description: The key the value inside of the provider type to use, only used with "Secret" type
  4690. type: string
  4691. name:
  4692. description: The name of the object located at the provider type.
  4693. type: string
  4694. namespace:
  4695. description: The namespace the Provider type is in.
  4696. type: string
  4697. type:
  4698. description: The type of provider to use such as "Secret", or "ConfigMap".
  4699. enum:
  4700. - Secret
  4701. - ConfigMap
  4702. type: string
  4703. required:
  4704. - name
  4705. - type
  4706. type: object
  4707. url:
  4708. default: kubernetes.default
  4709. description: configures the Kubernetes server Address.
  4710. type: string
  4711. type: object
  4712. required:
  4713. - auth
  4714. type: object
  4715. onepassword:
  4716. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  4717. properties:
  4718. auth:
  4719. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  4720. properties:
  4721. secretRef:
  4722. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  4723. properties:
  4724. connectTokenSecretRef:
  4725. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  4726. properties:
  4727. key:
  4728. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4729. type: string
  4730. name:
  4731. description: The name of the Secret resource being referred to.
  4732. type: string
  4733. namespace:
  4734. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4735. type: string
  4736. type: object
  4737. required:
  4738. - connectTokenSecretRef
  4739. type: object
  4740. required:
  4741. - secretRef
  4742. type: object
  4743. connectHost:
  4744. description: ConnectHost defines the OnePassword Connect Server to connect to
  4745. type: string
  4746. vaults:
  4747. additionalProperties:
  4748. type: integer
  4749. description: Vaults defines which OnePassword vaults to search in which order
  4750. type: object
  4751. required:
  4752. - auth
  4753. - connectHost
  4754. - vaults
  4755. type: object
  4756. oracle:
  4757. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4758. properties:
  4759. auth:
  4760. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4761. properties:
  4762. secretRef:
  4763. description: SecretRef to pass through sensitive information.
  4764. properties:
  4765. fingerprint:
  4766. description: Fingerprint is the fingerprint of the API private key.
  4767. properties:
  4768. key:
  4769. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4770. type: string
  4771. name:
  4772. description: The name of the Secret resource being referred to.
  4773. type: string
  4774. namespace:
  4775. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4776. type: string
  4777. type: object
  4778. privatekey:
  4779. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4780. properties:
  4781. key:
  4782. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4783. type: string
  4784. name:
  4785. description: The name of the Secret resource being referred to.
  4786. type: string
  4787. namespace:
  4788. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4789. type: string
  4790. type: object
  4791. required:
  4792. - fingerprint
  4793. - privatekey
  4794. type: object
  4795. tenancy:
  4796. description: Tenancy is the tenancy OCID where user is located.
  4797. type: string
  4798. user:
  4799. description: User is an access OCID specific to the account.
  4800. type: string
  4801. required:
  4802. - secretRef
  4803. - tenancy
  4804. - user
  4805. type: object
  4806. region:
  4807. description: Region is the region where vault is located.
  4808. type: string
  4809. vault:
  4810. description: Vault is the vault's OCID of the specific vault where secret is located.
  4811. type: string
  4812. required:
  4813. - region
  4814. - vault
  4815. type: object
  4816. senhasegura:
  4817. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4818. properties:
  4819. auth:
  4820. description: Auth defines parameters to authenticate in senhasegura
  4821. properties:
  4822. clientId:
  4823. type: string
  4824. clientSecretSecretRef:
  4825. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4826. properties:
  4827. key:
  4828. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4829. type: string
  4830. name:
  4831. description: The name of the Secret resource being referred to.
  4832. type: string
  4833. namespace:
  4834. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4835. type: string
  4836. type: object
  4837. required:
  4838. - clientId
  4839. - clientSecretSecretRef
  4840. type: object
  4841. ignoreSslCertificate:
  4842. default: false
  4843. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  4844. type: boolean
  4845. module:
  4846. description: Module defines which senhasegura module should be used to get secrets
  4847. type: string
  4848. url:
  4849. description: URL of senhasegura
  4850. type: string
  4851. required:
  4852. - auth
  4853. - module
  4854. - url
  4855. type: object
  4856. vault:
  4857. description: Vault configures this store to sync secrets using Hashi provider
  4858. properties:
  4859. auth:
  4860. description: Auth configures how secret-manager authenticates with the Vault server.
  4861. properties:
  4862. appRole:
  4863. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  4864. properties:
  4865. path:
  4866. default: approle
  4867. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  4868. type: string
  4869. roleId:
  4870. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  4871. type: string
  4872. secretRef:
  4873. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  4874. properties:
  4875. key:
  4876. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4877. type: string
  4878. name:
  4879. description: The name of the Secret resource being referred to.
  4880. type: string
  4881. namespace:
  4882. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4883. type: string
  4884. type: object
  4885. required:
  4886. - path
  4887. - roleId
  4888. - secretRef
  4889. type: object
  4890. cert:
  4891. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  4892. properties:
  4893. clientCert:
  4894. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  4895. properties:
  4896. key:
  4897. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4898. type: string
  4899. name:
  4900. description: The name of the Secret resource being referred to.
  4901. type: string
  4902. namespace:
  4903. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4904. type: string
  4905. type: object
  4906. secretRef:
  4907. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  4908. properties:
  4909. key:
  4910. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4911. type: string
  4912. name:
  4913. description: The name of the Secret resource being referred to.
  4914. type: string
  4915. namespace:
  4916. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4917. type: string
  4918. type: object
  4919. type: object
  4920. jwt:
  4921. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  4922. properties:
  4923. kubernetesServiceAccountToken:
  4924. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  4925. properties:
  4926. audiences:
  4927. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  4928. items:
  4929. type: string
  4930. type: array
  4931. expirationSeconds:
  4932. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  4933. format: int64
  4934. type: integer
  4935. serviceAccountRef:
  4936. description: Service account field containing the name of a kubernetes ServiceAccount.
  4937. properties:
  4938. name:
  4939. description: The name of the ServiceAccount resource being referred to.
  4940. type: string
  4941. namespace:
  4942. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4943. type: string
  4944. required:
  4945. - name
  4946. type: object
  4947. required:
  4948. - serviceAccountRef
  4949. type: object
  4950. path:
  4951. default: jwt
  4952. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  4953. type: string
  4954. role:
  4955. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  4956. type: string
  4957. secretRef:
  4958. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  4959. properties:
  4960. key:
  4961. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4962. type: string
  4963. name:
  4964. description: The name of the Secret resource being referred to.
  4965. type: string
  4966. namespace:
  4967. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4968. type: string
  4969. type: object
  4970. required:
  4971. - path
  4972. type: object
  4973. kubernetes:
  4974. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  4975. properties:
  4976. mountPath:
  4977. default: kubernetes
  4978. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  4979. type: string
  4980. role:
  4981. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  4982. type: string
  4983. secretRef:
  4984. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  4985. properties:
  4986. key:
  4987. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4988. type: string
  4989. name:
  4990. description: The name of the Secret resource being referred to.
  4991. type: string
  4992. namespace:
  4993. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4994. type: string
  4995. type: object
  4996. serviceAccountRef:
  4997. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  4998. properties:
  4999. name:
  5000. description: The name of the ServiceAccount resource being referred to.
  5001. type: string
  5002. namespace:
  5003. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5004. type: string
  5005. required:
  5006. - name
  5007. type: object
  5008. required:
  5009. - mountPath
  5010. - role
  5011. type: object
  5012. ldap:
  5013. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5014. properties:
  5015. path:
  5016. default: ldap
  5017. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5018. type: string
  5019. secretRef:
  5020. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5021. properties:
  5022. key:
  5023. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5024. type: string
  5025. name:
  5026. description: The name of the Secret resource being referred to.
  5027. type: string
  5028. namespace:
  5029. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5030. type: string
  5031. type: object
  5032. username:
  5033. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5034. type: string
  5035. required:
  5036. - path
  5037. - username
  5038. type: object
  5039. tokenSecretRef:
  5040. description: TokenSecretRef authenticates with Vault by presenting a token.
  5041. properties:
  5042. key:
  5043. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5044. type: string
  5045. name:
  5046. description: The name of the Secret resource being referred to.
  5047. type: string
  5048. namespace:
  5049. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5050. type: string
  5051. type: object
  5052. type: object
  5053. caBundle:
  5054. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5055. format: byte
  5056. type: string
  5057. caProvider:
  5058. description: The provider for the CA bundle to use to validate Vault server certificate.
  5059. properties:
  5060. key:
  5061. description: The key the value inside of the provider type to use, only used with "Secret" type
  5062. type: string
  5063. name:
  5064. description: The name of the object located at the provider type.
  5065. type: string
  5066. namespace:
  5067. description: The namespace the Provider type is in.
  5068. type: string
  5069. type:
  5070. description: The type of provider to use such as "Secret", or "ConfigMap".
  5071. enum:
  5072. - Secret
  5073. - ConfigMap
  5074. type: string
  5075. required:
  5076. - name
  5077. - type
  5078. type: object
  5079. forwardInconsistent:
  5080. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5081. type: boolean
  5082. namespace:
  5083. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5084. type: string
  5085. path:
  5086. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5087. type: string
  5088. readYourWrites:
  5089. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5090. type: boolean
  5091. server:
  5092. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5093. type: string
  5094. version:
  5095. default: v2
  5096. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5097. enum:
  5098. - v1
  5099. - v2
  5100. type: string
  5101. required:
  5102. - auth
  5103. - server
  5104. type: object
  5105. webhook:
  5106. description: Webhook configures this store to sync secrets using a generic templated webhook
  5107. properties:
  5108. body:
  5109. description: Body
  5110. type: string
  5111. caBundle:
  5112. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5113. format: byte
  5114. type: string
  5115. caProvider:
  5116. description: The provider for the CA bundle to use to validate webhook server certificate.
  5117. properties:
  5118. key:
  5119. description: The key the value inside of the provider type to use, only used with "Secret" type
  5120. type: string
  5121. name:
  5122. description: The name of the object located at the provider type.
  5123. type: string
  5124. namespace:
  5125. description: The namespace the Provider type is in.
  5126. type: string
  5127. type:
  5128. description: The type of provider to use such as "Secret", or "ConfigMap".
  5129. enum:
  5130. - Secret
  5131. - ConfigMap
  5132. type: string
  5133. required:
  5134. - name
  5135. - type
  5136. type: object
  5137. headers:
  5138. additionalProperties:
  5139. type: string
  5140. description: Headers
  5141. type: object
  5142. method:
  5143. description: Webhook Method
  5144. type: string
  5145. result:
  5146. description: Result formatting
  5147. properties:
  5148. jsonPath:
  5149. description: Json path of return value
  5150. type: string
  5151. type: object
  5152. secrets:
  5153. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  5154. items:
  5155. properties:
  5156. name:
  5157. description: Name of this secret in templates
  5158. type: string
  5159. secretRef:
  5160. description: Secret ref to fill in credentials
  5161. properties:
  5162. key:
  5163. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5164. type: string
  5165. name:
  5166. description: The name of the Secret resource being referred to.
  5167. type: string
  5168. namespace:
  5169. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5170. type: string
  5171. type: object
  5172. required:
  5173. - name
  5174. - secretRef
  5175. type: object
  5176. type: array
  5177. timeout:
  5178. description: Timeout
  5179. type: string
  5180. url:
  5181. description: Webhook url to call
  5182. type: string
  5183. required:
  5184. - result
  5185. - url
  5186. type: object
  5187. yandexcertificatemanager:
  5188. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5189. properties:
  5190. apiEndpoint:
  5191. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5192. type: string
  5193. auth:
  5194. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5195. properties:
  5196. authorizedKeySecretRef:
  5197. description: The authorized key used for authentication
  5198. properties:
  5199. key:
  5200. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5201. type: string
  5202. name:
  5203. description: The name of the Secret resource being referred to.
  5204. type: string
  5205. namespace:
  5206. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5207. type: string
  5208. type: object
  5209. type: object
  5210. caProvider:
  5211. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5212. properties:
  5213. certSecretRef:
  5214. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5215. properties:
  5216. key:
  5217. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5218. type: string
  5219. name:
  5220. description: The name of the Secret resource being referred to.
  5221. type: string
  5222. namespace:
  5223. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5224. type: string
  5225. type: object
  5226. type: object
  5227. required:
  5228. - auth
  5229. type: object
  5230. yandexlockbox:
  5231. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5232. properties:
  5233. apiEndpoint:
  5234. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5235. type: string
  5236. auth:
  5237. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5238. properties:
  5239. authorizedKeySecretRef:
  5240. description: The authorized key used for authentication
  5241. properties:
  5242. key:
  5243. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5244. type: string
  5245. name:
  5246. description: The name of the Secret resource being referred to.
  5247. type: string
  5248. namespace:
  5249. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5250. type: string
  5251. type: object
  5252. type: object
  5253. caProvider:
  5254. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5255. properties:
  5256. certSecretRef:
  5257. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5258. properties:
  5259. key:
  5260. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5261. type: string
  5262. name:
  5263. description: The name of the Secret resource being referred to.
  5264. type: string
  5265. namespace:
  5266. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5267. type: string
  5268. type: object
  5269. type: object
  5270. required:
  5271. - auth
  5272. type: object
  5273. type: object
  5274. refreshInterval:
  5275. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5276. type: integer
  5277. retrySettings:
  5278. description: Used to configure http retries if failed
  5279. properties:
  5280. maxRetries:
  5281. format: int32
  5282. type: integer
  5283. retryInterval:
  5284. type: string
  5285. type: object
  5286. required:
  5287. - provider
  5288. type: object
  5289. status:
  5290. description: SecretStoreStatus defines the observed state of the SecretStore.
  5291. properties:
  5292. capabilities:
  5293. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5294. type: string
  5295. conditions:
  5296. items:
  5297. properties:
  5298. lastTransitionTime:
  5299. format: date-time
  5300. type: string
  5301. message:
  5302. type: string
  5303. reason:
  5304. type: string
  5305. status:
  5306. type: string
  5307. type:
  5308. type: string
  5309. required:
  5310. - status
  5311. - type
  5312. type: object
  5313. type: array
  5314. type: object
  5315. type: object
  5316. served: true
  5317. storage: true
  5318. subresources:
  5319. status: {}
  5320. conversion:
  5321. strategy: Webhook
  5322. webhook:
  5323. conversionReviewVersions:
  5324. - v1
  5325. clientConfig:
  5326. service:
  5327. name: kubernetes
  5328. namespace: default
  5329. path: /convert
  5330. status:
  5331. acceptedNames:
  5332. kind: ""
  5333. plural: ""
  5334. conditions: []
  5335. storedVersions: []