external-secrets.io_externalsecrets.yaml 57 KB

  # CustomResourceDefinition for the namespaced ExternalSecret kind in group
  # external-secrets.io; this span holds the CRD header and the v1 version.
  # Reading guide for reviewers: object names and Secret keys are validated by
  # patterns, while provider-facing fields (remoteRef.key, find expressions,
  # rewrite sources, templates) are unconstrained strings. Whoever may create
  # ExternalSecrets in a namespace chooses what is synced through the
  # referenced store, so RBAC on this resource deserves the same care as RBAC
  # on Secrets.
  apiVersion: apiextensions.k8s.io/v1
  kind: CustomResourceDefinition
  metadata:
    annotations:
      # controller-gen annotation: the manifest is presumably generated, so
      # schema changes belong in the source types rather than in hand edits.
      controller-gen.kubebuilder.io/version: v0.18.0
    labels:
      external-secrets.io/component: controller
    name: externalsecrets.external-secrets.io
  spec:
    group: external-secrets.io
    names:
      categories:
      - external-secrets
      kind: ExternalSecret
      listKind: ExternalSecretList
      plural: externalsecrets
      shortNames:
      - es
      singular: externalsecret
    # Namespaced resource: create/update rights are granted per namespace.
    scope: Namespaced
    versions:
    # Columns shown by `kubectl get`: store reference, refresh interval and the
    # Ready condition only; no secret material is surfaced here.
    - additionalPrinterColumns:
      - jsonPath: '.spec.secretStoreRef.kind'
        name: StoreType
        type: string
      - jsonPath: '.spec.secretStoreRef.name'
        name: Store
        type: string
      - jsonPath: '.spec.refreshInterval'
        name: Refresh Interval
        type: string
      - jsonPath: '.status.conditions[?(@.type=="Ready")].reason'
        name: Status
        type: string
      - jsonPath: '.status.conditions[?(@.type=="Ready")].status'
        name: Ready
        type: string
      name: v1
      schema:
        openAPIV3Schema:
          description: ExternalSecret is the Schema for the external-secrets API.
          properties:
            apiVersion:
              description: |-
                APIVersion defines the versioned schema of this representation of an object.
                Servers should convert recognized schemas to the latest internal value, and
                may reject unrecognized values.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
              type: string
            kind:
              description: |-
                Kind is a string value representing the REST resource this object represents.
                Servers may infer this from the endpoint the client submits requests to.
                Cannot be updated.
                In CamelCase.
                More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
              type: string
            metadata:
              type: object
            spec:
              description: ExternalSecretSpec defines the desired state of ExternalSecret.
              properties:
                data:
                  description: Data defines the connection between the Kubernetes Secret
                    keys and the Provider data
                  items:
                    description: ExternalSecretData defines the connection between the
                      Kubernetes Secret key (spec.data.<key>) and the Provider data.
                    properties:
                      # key, property and version are handed to the provider. Unlike
                      # secretKey they carry no pattern or length limit in this schema,
                      # so any validation of them happens outside the API server.
                      remoteRef:
                        description: |-
                          RemoteRef points to the remote secret and defines
                          which secret (version/property/..) to fetch.
                        properties:
                          conversionStrategy:
                            default: Default
                            description: Used to define a conversion Strategy
                            enum:
                            - Default
                            - Unicode
                            type: string
                          # Default None: no decoding is requested unless set explicitly.
                          decodingStrategy:
                            default: None
                            description: Used to define a decoding Strategy
                            enum:
                            - Auto
                            - Base64
                            - Base64URL
                            - None
                            type: string
                          key:
                            description: Key is the key used in the Provider, mandatory
                            type: string
                          metadataPolicy:
                            default: None
                            description: Policy for fetching tags/labels from provider
                              secrets, possible options are Fetch, None. Defaults to
                              None
                            enum:
                            - None
                            - Fetch
                            type: string
                          property:
                            description: Used to select a specific property of the Provider
                              value (if a map), if supported
                            type: string
                          version:
                            description: Used to select a specific version of the Provider
                              value, if supported
                            type: string
                        required:
                        - key
                        type: object
                      # Limited to the characters and length Kubernetes accepts for
                      # Secret data keys.
                      secretKey:
                        description: The key in the Kubernetes Secret to store the value.
                        maxLength: 253
                        minLength: 1
                        pattern: '^[-._a-zA-Z0-9]+$'
                        type: string
                      # min/maxProperties of 1: exactly one of generatorRef or storeRef.
                      sourceRef:
                        description: |-
                          SourceRef allows you to override the source
                          from which the value will be pulled.
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          generatorRef:
                            description: |-
                              GeneratorRef points to a generator custom resource.
                              Deprecated: The generatorRef is not implemented in .data[].
                              this will be removed with v1.
                            properties:
                              apiVersion:
                                default: generators.external-secrets.io/v1alpha1
                                description: Specify the apiVersion of the generator
                                  resource
                                type: string
                              # Closed list: the API server rejects any other kind.
                              kind:
                                description: Specify the Kind of the generator resource
                                enum:
                                - ACRAccessToken
                                - ClusterGenerator
                                - ECRAuthorizationToken
                                - Fake
                                - GCRAccessToken
                                - GithubAccessToken
                                - QuayAccessToken
                                - Password
                                - STSSessionToken
                                - UUID
                                - VaultDynamicSecret
                                - Webhook
                                - Grafana
                                - MFA
                                type: string
                              name:
                                description: Specify the name of the generator resource
                                maxLength: 253
                                minLength: 1
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                          storeRef:
                            description: SecretStoreRef defines which SecretStore to
                              fetch the ExternalSecret data.
                            properties:
                              kind:
                                description: |-
                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                  Defaults to `SecretStore`
                                enum:
                                - SecretStore
                                - ClusterSecretStore
                                type: string
                              name:
                                description: Name of the SecretStore resource
                                maxLength: 253
                                minLength: 1
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                type: string
                            type: object
                        type: object
                    required:
                    - remoteRef
                    - secretKey
                    type: object
                  type: array
                dataFrom:
                  description: |-
                    DataFrom is used to fetch all properties from a specific Provider data
                    If multiple entries are specified, the Secret keys are merged in the specified order
                  items:
                    properties:
                      extract:
                        description: |-
                          Used to extract multiple key/value pairs from one secret
                          Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                        properties:
                          conversionStrategy:
                            default: Default
                            description: Used to define a conversion Strategy
                            enum:
                            - Default
                            - Unicode
                            type: string
                          decodingStrategy:
                            default: None
                            description: Used to define a decoding Strategy
                            enum:
                            - Auto
                            - Base64
                            - Base64URL
                            - None
                            type: string
                          key:
                            description: Key is the key used in the Provider, mandatory
                            type: string
                          metadataPolicy:
                            default: None
                            description: Policy for fetching tags/labels from provider
                              secrets, possible options are Fetch, None. Defaults to
                              None
                            enum:
                            - None
                            - Fetch
                            type: string
                          property:
                            description: Used to select a specific property of the Provider
                              value (if a map), if supported
                            type: string
                          version:
                            description: Used to select a specific version of the Provider
                              value, if supported
                            type: string
                        required:
                        - key
                        type: object
                      # find selects provider secrets by name regexp, path or tags. None of
                      # these is bounded by the schema, so a broad expression can sync more
                      # provider secrets into the target Secret than intended; review find
                      # rules the way an access grant would be reviewed.
                      find:
                        description: |-
                          Used to find secrets based on tags or regular expressions
                          Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                        properties:
                          conversionStrategy:
                            default: Default
                            description: Used to define a conversion Strategy
                            enum:
                            - Default
                            - Unicode
                            type: string
                          decodingStrategy:
                            default: None
                            description: Used to define a decoding Strategy
                            enum:
                            - Auto
                            - Base64
                            - Base64URL
                            - None
                            type: string
                          name:
                            description: Finds secrets based on the name.
                            properties:
                              # The description below is cut short in the listing
                              # itself; the field holds the name regular expression.
                              regexp:
                                description: Finds secrets base
                                type: string
                            type: object
                          path:
                            description: A root path to start the find operations.
                            type: string
                          tags:
                            additionalProperties:
                              type: string
                            description: Find secrets based on tags.
                            type: object
                        type: object
                      rewrite:
                        description: |-
                          Used to rewrite secret Keys after getting them from the secret Provider
                          Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                        items:
                          properties:
                            # The description refers to regexp.ReplaceAll, presumably Go's
                            # regexp package - TODO confirm. The schema sets no length
                            # limit on source or target.
                            regexp:
                              description: |-
                                Used to rewrite with regular expressions.
                                The resulting key will be the output of a regexp.ReplaceAll operation.
                              properties:
                                source:
                                  description: Used to define the regular expression
                                    of a re.Compiler.
                                  type: string
                                target:
                                  description: Used to define the target pattern of
                                    a ReplaceAll operation.
                                  type: string
                              required:
                              - source
                              - target
                              type: object
                            # Free-form template applied to the secret name; its content
                            # is not validated by this schema.
                            transform:
                              description: |-
                                Used to apply string transformation on the secrets.
                                The resulting key will be the output of the template applied by the operation.
                              properties:
                                template:
                                  description: |-
                                    Used to define the template to apply on the secret name.
                                    `.value ` will specify the secret name in the template.
                                  type: string
                              required:
                              - template
                              type: object
                          type: object
                        type: array
                      # min/maxProperties of 1: exactly one of generatorRef or storeRef.
                      sourceRef:
                        description: |-
                          SourceRef points to a store or generator
                          which contains secret values ready to use.
                          Use this in combination with Extract or Find pull values out of
                          a specific SecretStore.
                          When sourceRef points to a generator Extract or Find is not supported.
                          The generator returns a static map of values
                        maxProperties: 1
                        minProperties: 1
                        properties:
                          generatorRef:
                            description: GeneratorRef points to a generator custom resource.
                            properties:
                              apiVersion:
                                default: generators.external-secrets.io/v1alpha1
                                description: Specify the apiVersion of the generator
                                  resource
                                type: string
                              # Closed list: the API server rejects any other kind.
                              kind:
                                description: Specify the Kind of the generator resource
                                enum:
                                - ACRAccessToken
                                - ClusterGenerator
                                - ECRAuthorizationToken
                                - Fake
                                - GCRAccessToken
                                - GithubAccessToken
                                - QuayAccessToken
                                - Password
                                - STSSessionToken
                                - UUID
                                - VaultDynamicSecret
                                - Webhook
                                - Grafana
                                - MFA
                                type: string
                              name:
                                description: Specify the name of the generator resource
                                maxLength: 253
                                minLength: 1
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                type: string
                            required:
                            - kind
                            - name
                            type: object
                          storeRef:
                            description: SecretStoreRef defines which SecretStore to
                              fetch the ExternalSecret data.
                            properties:
                              kind:
                                description: |-
                                  Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                  Defaults to `SecretStore`
                                enum:
                                - SecretStore
                                - ClusterSecretStore
                                type: string
                              name:
                                description: Name of the SecretStore resource
                                maxLength: 253
                                minLength: 1
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                type: string
                            type: object
                        type: object
                    type: object
                  type: array
                # Default 1h. A value rotated or revoked at the provider is only picked
                # up at the next refresh, so this interval bounds how long a stale value
                # can stay in the cluster Secret; zero means fetch once.
                refreshInterval:
                  default: 1h
                  description: |-
                    RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                    specified as Golang Duration strings.
                    Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                    Example values: "1h", "2h30m", "10s"
                    May be set to zero to fetch and create it once. Defaults to 1h.
                  type: string
                refreshPolicy:
                  description: |-
                    RefreshPolicy determines how the ExternalSecret should be refreshed:
                    - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                    - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                    No periodic updates occur if refreshInterval is 0.
                    - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                  enum:
                  - CreatedOnce
                  - Periodic
                  - OnChange
                  type: string
                # ClusterSecretStore lets a namespaced ExternalSecret use a cluster-wide
                # store. This schema does not restrict which namespaces may do so;
                # NOTE(review): confirm that restriction is enforced on the store side.
                secretStoreRef:
                  description: SecretStoreRef defines which SecretStore to fetch the
                    ExternalSecret data.
                  properties:
                    kind:
                      description: |-
                        Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                        Defaults to `SecretStore`
                      enum:
                      - SecretStore
                      - ClusterSecretStore
                      type: string
                    name:
                      description: Name of the SecretStore resource
                      maxLength: 253
                      minLength: 1
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      type: string
                  type: object
                # Defaults: creationPolicy Owner and deletionPolicy Retain.
                # NOTE(review): the schema only names the policies; confirm in the
                # controller documentation what Retain keeps in the cluster and what
                # Merge does to a Secret that already exists.
                target:
                  default:
                    creationPolicy: Owner
                    deletionPolicy: Retain
                  description: |-
                    ExternalSecretTarget defines the Kubernetes Secret to be created
                    There can be only one target per ExternalSecret.
                  properties:
                    creationPolicy:
                      default: Owner
                      description: |-
                        CreationPolicy defines rules on how to create the resulting Secret.
                        Defaults to "Owner"
                      enum:
                      - Owner
                      - Orphan
                      - Merge
                      - None
                      type: string
                    deletionPolicy:
                      default: Retain
                      description: |-
                        DeletionPolicy defines rules on how to delete the resulting Secret.
                        Defaults to "Retain"
                      enum:
                      - Delete
                      - Merge
                      - Retain
                      type: string
                    immutable:
                      description: Immutable defines if the final secret will be immutable
                      type: boolean
                    name:
                      description: |-
                        The name of the Secret resource to be managed.
                        Defaults to the .metadata.name of the ExternalSecret resource
                      maxLength: 253
                      minLength: 1
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      type: string
                    template:
                      description: Template defines a blueprint for the created Secret
                        resource.
                      properties:
                        data:
                          additionalProperties:
                            type: string
                          type: object
                        engineVersion:
                          default: v2
                          description: |-
                            EngineVersion specifies the template engine version
                            that should be used to compile/execute the
                            template specified in .data and .templateFrom[].
                          enum:
                          - v2
                          type: string
                        mergePolicy:
                          default: Replace
                          enum:
                          - Replace
                          - Merge
                          type: string
                        metadata:
                          description: ExternalSecretTemplateMetadata defines metadata
                            fields for the Secret blueprint.
                          properties:
                            annotations:
                              additionalProperties:
                                type: string
                              type: object
                            labels:
                              additionalProperties:
                                type: string
                              type: object
                          type: object
                        # Templates can be loaded from ConfigMaps or Secrets by name and
                        # key. Presumably these are read from the ExternalSecret's own
                        # namespace, in which case anyone able to edit them can shape the
                        # rendered Secret - verify against the controller.
                        templateFrom:
                          items:
                            properties:
                              configMap:
                                properties:
                                  items:
                                    description: A list of keys in the ConfigMap/Secret
                                      to use as templates for Secret data
                                    items:
                                      properties:
                                        key:
                                          description: A key in the ConfigMap/Secret
                                          maxLength: 253
                                          minLength: 1
                                          pattern: '^[-._a-zA-Z0-9]+$'
                                          type: string
                                        templateAs:
                                          default: Values
                                          enum:
                                          - Values
                                          - KeysAndValues
                                          type: string
                                      required:
                                      - key
                                      type: object
                                    type: array
                                  name:
                                    description: The name of the ConfigMap/Secret resource
                                    maxLength: 253
                                    minLength: 1
                                    pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                    type: string
                                required:
                                - items
                                - name
                                type: object
                              literal:
                                type: string
                              secret:
                                properties:
                                  items:
                                    description: A list of keys in the ConfigMap/Secret
                                      to use as templates for Secret data
                                    items:
                                      properties:
                                        key:
                                          description: A key in the ConfigMap/Secret
                                          maxLength: 253
                                          minLength: 1
                                          pattern: '^[-._a-zA-Z0-9]+$'
                                          type: string
                                        templateAs:
                                          default: Values
                                          enum:
                                          - Values
                                          - KeysAndValues
                                          type: string
                                      required:
                                      - key
                                      type: object
                                    type: array
                                  name:
                                    description: The name of the ConfigMap/Secret resource
                                    maxLength: 253
                                    minLength: 1
                                    pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                                    type: string
                                required:
                                - items
                                - name
                                type: object
                              # Rendered output can land in the Secret's data, annotations
                              # or labels. Keep secret material out of annotations and
                              # labels: metadata is commonly copied into logs, events and
                              # dashboards.
                              target:
                                default: Data
                                enum:
                                - Data
                                - Annotations
                                - Labels
                                type: string
                            type: object
                          type: array
                        type:
                          type: string
                      type: object
                  type: object
              type: object
            # Status carries sync bookkeeping only (binding name, conditions, refresh
            # time, synced version); the schema defines no field for secret values.
            status:
              properties:
                binding:
                  description: Binding represents a servicebinding.io Provisioned Service
                    reference to the secret
                  properties:
                    name:
                      default: ""
                      description: |-
                        Name of the referent.
                        This field is effectively required, but due to backwards compatibility is
                        allowed to be empty. Instances of this type with an empty value here are
                        almost certainly wrong.
                        More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                      type: string
                  type: object
                  x-kubernetes-map-type: atomic
                conditions:
                  items:
                    properties:
                      lastTransitionTime:
                        format: date-time
                        type: string
                      message:
                        type: string
                      reason:
                        type: string
                      status:
                        type: string
                      type:
                        type: string
                    required:
                    - status
                    - type
                    type: object
                  type: array
                refreshTime:
                  description: |-
                    refreshTime is the time and date the external secret was fetched and
                    the target secret updated
                  format: date-time
                  nullable: true
                  type: string
                syncedResourceVersion:
                  description: SyncedResourceVersion keeps track of the last synced
                    version
                  type: string
              type: object
          type: object
      # v1 is both served and the storage version.
      served: true
      storage: true
      # status is a subresource: writes go through externalsecrets/status, which
      # RBAC can grant separately from the main resource.
      subresources:
        status: {}
  639. - additionalPrinterColumns:
  640. - jsonPath: .spec.secretStoreRef.kind
  641. name: StoreType
  642. type: string
  643. - jsonPath: .spec.secretStoreRef.name
  644. name: Store
  645. type: string
  646. - jsonPath: .spec.refreshInterval
  647. name: Refresh Interval
  648. type: string
  649. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  650. name: Status
  651. type: string
  652. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  653. name: Ready
  654. type: string
  655. deprecated: true
  656. name: v1beta1
  657. schema:
  658. openAPIV3Schema:
  659. description: ExternalSecret is the Schema for the external-secrets API.
  660. properties:
  661. apiVersion:
  662. description: |-
  663. APIVersion defines the versioned schema of this representation of an object.
  664. Servers should convert recognized schemas to the latest internal value, and
  665. may reject unrecognized values.
  666. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  667. type: string
  668. kind:
  669. description: |-
  670. Kind is a string value representing the REST resource this object represents.
  671. Servers may infer this from the endpoint the client submits requests to.
  672. Cannot be updated.
  673. In CamelCase.
  674. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  675. type: string
  676. metadata:
  677. type: object
  678. spec:
  679. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  680. properties:
  681. data:
  682. description: Data defines the connection between the Kubernetes Secret
  683. keys and the Provider data
  684. items:
  685. description: ExternalSecretData defines the connection between the
  686. Kubernetes Secret key (spec.data.<key>) and the Provider data.
  687. properties:
  688. remoteRef:
  689. description: |-
  690. RemoteRef points to the remote secret and defines
  691. which secret (version/property/..) to fetch.
  692. properties:
  693. conversionStrategy:
  694. default: Default
  695. description: Used to define a conversion Strategy
  696. enum:
  697. - Default
  698. - Unicode
  699. type: string
  700. decodingStrategy:
  701. default: None
  702. description: Used to define a decoding Strategy
  703. enum:
  704. - Auto
  705. - Base64
  706. - Base64URL
  707. - None
  708. type: string
  709. key:
  710. description: Key is the key used in the Provider, mandatory
  711. type: string
  712. metadataPolicy:
  713. default: None
  714. description: Policy for fetching tags/labels from provider
  715. secrets, possible options are Fetch, None. Defaults to
  716. None
  717. enum:
  718. - None
  719. - Fetch
  720. type: string
  721. property:
  722. description: Used to select a specific property of the Provider
  723. value (if a map), if supported
  724. type: string
  725. version:
  726. description: Used to select a specific version of the Provider
  727. value, if supported
  728. type: string
  729. required:
  730. - key
  731. type: object
  732. secretKey:
  733. description: The key in the Kubernetes Secret to store the value.
  734. maxLength: 253
  735. minLength: 1
  736. pattern: ^[-._a-zA-Z0-9]+$
  737. type: string
  738. sourceRef:
  739. description: |-
  740. SourceRef allows you to override the source
  741. from which the value will be pulled.
  742. maxProperties: 1
  743. minProperties: 1
  744. properties:
  745. generatorRef:
  746. description: |-
  747. GeneratorRef points to a generator custom resource.
  748. Deprecated: The generatorRef is not implemented in .data[].
  749. this will be removed with v1.
  750. properties:
  751. apiVersion:
  752. default: generators.external-secrets.io/v1alpha1
  753. description: Specify the apiVersion of the generator
  754. resource
  755. type: string
  756. kind:
  757. description: Specify the Kind of the generator resource
  758. enum:
  759. - ACRAccessToken
  760. - ClusterGenerator
  761. - ECRAuthorizationToken
  762. - Fake
  763. - GCRAccessToken
  764. - GithubAccessToken
  765. - QuayAccessToken
  766. - Password
  767. - STSSessionToken
  768. - UUID
  769. - VaultDynamicSecret
  770. - Webhook
  771. - Grafana
  772. type: string
  773. name:
  774. description: Specify the name of the generator resource
  775. maxLength: 253
  776. minLength: 1
  777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  778. type: string
  779. required:
  780. - kind
  781. - name
  782. type: object
  783. storeRef:
  784. description: SecretStoreRef defines which SecretStore to
  785. fetch the ExternalSecret data.
  786. properties:
  787. kind:
  788. description: |-
  789. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  790. Defaults to `SecretStore`
  791. enum:
  792. - SecretStore
  793. - ClusterSecretStore
  794. type: string
  795. name:
  796. description: Name of the SecretStore resource
  797. maxLength: 253
  798. minLength: 1
  799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  800. type: string
  801. type: object
  802. type: object
  803. required:
  804. - remoteRef
  805. - secretKey
  806. type: object
  807. type: array
  808. dataFrom:
  809. description: |-
  810. DataFrom is used to fetch all properties from a specific Provider data
  811. If multiple entries are specified, the Secret keys are merged in the specified order
  812. items:
  813. properties:
  814. extract:
  815. description: |-
  816. Used to extract multiple key/value pairs from one secret
  817. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  818. properties:
  819. conversionStrategy:
  820. default: Default
  821. description: Used to define a conversion Strategy
  822. enum:
  823. - Default
  824. - Unicode
  825. type: string
  826. decodingStrategy:
  827. default: None
  828. description: Used to define a decoding Strategy
  829. enum:
  830. - Auto
  831. - Base64
  832. - Base64URL
  833. - None
  834. type: string
  835. key:
  836. description: Key is the key used in the Provider, mandatory
  837. type: string
  838. metadataPolicy:
  839. default: None
  840. description: Policy for fetching tags/labels from provider
  841. secrets, possible options are Fetch, None. Defaults to
  842. None
  843. enum:
  844. - None
  845. - Fetch
  846. type: string
  847. property:
  848. description: Used to select a specific property of the Provider
  849. value (if a map), if supported
  850. type: string
  851. version:
  852. description: Used to select a specific version of the Provider
  853. value, if supported
  854. type: string
  855. required:
  856. - key
  857. type: object
  858. find:
  859. description: |-
  860. Used to find secrets based on tags or regular expressions
  861. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  862. properties:
  863. conversionStrategy:
  864. default: Default
  865. description: Used to define a conversion Strategy
  866. enum:
  867. - Default
  868. - Unicode
  869. type: string
  870. decodingStrategy:
  871. default: None
  872. description: Used to define a decoding Strategy
  873. enum:
  874. - Auto
  875. - Base64
  876. - Base64URL
  877. - None
  878. type: string
  879. name:
  880. description: Finds secrets based on the name.
  881. properties:
  882. regexp:
  883. description: Finds secrets base
  884. type: string
  885. type: object
  886. path:
  887. description: A root path to start the find operations.
  888. type: string
  889. tags:
  890. additionalProperties:
  891. type: string
  892. description: Find secrets based on tags.
  893. type: object
  894. type: object
  895. rewrite:
  896. description: |-
  897. Used to rewrite secret Keys after getting them from the secret Provider
  898. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  899. items:
  900. properties:
  901. regexp:
  902. description: |-
  903. Used to rewrite with regular expressions.
  904. The resulting key will be the output of a regexp.ReplaceAll operation.
  905. properties:
  906. source:
  907. description: Used to define the regular expression
  908. of a re.Compiler.
  909. type: string
  910. target:
  911. description: Used to define the target pattern of
  912. a ReplaceAll operation.
  913. type: string
  914. required:
  915. - source
  916. - target
  917. type: object
  918. transform:
  919. description: |-
  920. Used to apply string transformation on the secrets.
  921. The resulting key will be the output of the template applied by the operation.
  922. properties:
  923. template:
  924. description: |-
  925. Used to define the template to apply on the secret name.
  926. `.value ` will specify the secret name in the template.
  927. type: string
  928. required:
  929. - template
  930. type: object
  931. type: object
  932. type: array
  # sourceRef: selects where a dataFrom-style entry reads its values from.
  # minProperties/maxProperties of 1 mean exactly one of generatorRef or
  # storeRef must be set; the two cannot be combined.
  sourceRef:
    description: |-
      SourceRef points to a store or generator
      which contains secret values ready to use.
      Use this in combination with Extract or Find pull values out of
      a specific SecretStore.
      When sourceRef points to a generator Extract or Find is not supported.
      The generator returns a static map of values
    maxProperties: 1
    minProperties: 1
    properties:
      generatorRef:
        description: GeneratorRef points to a generator custom resource.
        properties:
          apiVersion:
            default: generators.external-secrets.io/v1alpha1
            description: >-
              Specify the apiVersion of the generator
              resource
            type: string
          # Closed list: the API server rejects any kind not named here.
          kind:
            description: Specify the Kind of the generator resource
            enum:
              - ACRAccessToken
              - ClusterGenerator
              - ECRAuthorizationToken
              - Fake
              - GCRAccessToken
              - GithubAccessToken
              - QuayAccessToken
              - Password
              - STSSessionToken
              - UUID
              - VaultDynamicSecret
              - Webhook
              - Grafana
            type: string
          # Lowercase alphanumerics, '-' and '.', 1 to 253 characters.
          name:
            description: Specify the name of the generator resource
            maxLength: 253
            minLength: 1
            pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
            type: string
        required:
          - kind
          - name
        type: object
      # NOTE(review): unlike generatorRef, storeRef declares no `required`
      # list, so the schema accepts a storeRef without a name. The description
      # says kind defaults to SecretStore, but no `default:` is set here, so
      # defaulting is presumably done by the controller - confirm.
      # NOTE(review): ClusterSecretStore is presumably cluster-scoped; which
      # namespaces may reference one is not constrained by this schema and has
      # to be limited on the store side or by admission policy.
      storeRef:
        description: >-
          SecretStoreRef defines which SecretStore to
          fetch the ExternalSecret data.
        properties:
          kind:
            description: |-
              Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
              Defaults to `SecretStore`
            enum:
              - SecretStore
              - ClusterSecretStore
            type: string
          name:
            description: Name of the SecretStore resource
            maxLength: 253
            minLength: 1
            pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
            type: string
        type: object
    type: object
  999. type: object
  1000. type: array
  # refreshInterval: how often the provider is read again; schema default 1h.
  # NOTE(review): per the description a zero value fetches once. A credential
  # rotated or revoked in the provider is then not picked up on a timer, and
  # the old value stays in the cluster Secret.
  # NOTE(review): only `type: string` is enforced here; there is no pattern, so
  # a malformed duration is not rejected by the API server.
  refreshInterval:
    default: '1h'
    description: |-
      RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
      specified as Golang Duration strings.
      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
      Example values: "1h", "2h30m", "10s"
      May be set to zero to fetch and create it once. Defaults to 1h.
    type: string
  # refreshPolicy: chooses when the Secret is re-synchronised.
  # No `default:` is declared in this schema.
  # NOTE(review): per the description, CreatedOnce never updates the Secret
  # after creation and OnChange reacts only to edits of the ExternalSecret
  # itself, so neither follows a rotation made on the provider side. Periodic
  # with a non-zero refreshInterval is the only listed mode that does.
  refreshPolicy:
    description: |-
      RefreshPolicy determines how the ExternalSecret should be refreshed:
      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
        No periodic updates occur if refreshInterval is 0.
      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
    enum:
      - CreatedOnce
      - Periodic
      - OnChange
    type: string
  # secretStoreRef: the store that ExternalSecret data is fetched from.
  # NOTE(review): no `required` list is declared, so the schema accepts a
  # reference without a name. The description says kind defaults to
  # SecretStore, but no `default:` is set here, so the API server will not fill
  # it in; defaulting is presumably done by the controller - confirm.
  secretStoreRef:
    description: >-
      SecretStoreRef defines which SecretStore to fetch the
      ExternalSecret data.
    properties:
      kind:
        description: |-
          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
          Defaults to `SecretStore`
        enum:
          - SecretStore
          - ClusterSecretStore
        type: string
      # Lowercase alphanumerics, '-' and '.', 1 to 253 characters.
      name:
        description: Name of the SecretStore resource
        maxLength: 253
        minLength: 1
        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
        type: string
    type: object
  # target: describes the Kubernetes Secret the controller writes.
  # When target is omitted the object default below applies (Owner / Retain).
  target:
    default:
      creationPolicy: Owner
      deletionPolicy: Retain
    description: |-
      ExternalSecretTarget defines the Kubernetes Secret to be created
      There can be only one target per ExternalSecret.
    properties:
      # NOTE(review): the description does not explain the four values. Merge
      # presumably writes into a Secret the controller does not own - confirm
      # before allowing it in namespaces shared between teams.
      creationPolicy:
        default: Owner
        description: |-
          CreationPolicy defines rules on how to create the resulting Secret.
          Defaults to "Owner"
        enum:
          - Owner
          - Orphan
          - Merge
          - 'None'
        type: string
      # NOTE(review): the default is Retain; the conditions under which the
      # Secret is deleted or kept are not described here - verify against the
      # controller so stale credentials are not left behind unintentionally.
      deletionPolicy:
        default: Retain
        description: |-
          DeletionPolicy defines rules on how to delete the resulting Secret.
          Defaults to "Retain"
        enum:
          - Delete
          - Merge
          - Retain
        type: string
      # No default is declared for immutable.
      immutable:
        description: Immutable defines if the final secret will be immutable
        type: boolean
      # Lowercase alphanumerics, '-' and '.', 1 to 253 characters.
      name:
        description: |-
          The name of the Secret resource to be managed.
          Defaults to the .metadata.name of the ExternalSecret resource
        maxLength: 253
        minLength: 1
        pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
        type: string
      template:
        description: >-
          Template defines a blueprint for the created Secret
          resource.
        properties:
          # Free-form string map; values carry no length or pattern limit.
          data:
            additionalProperties:
              type: string
            type: object
          # Only v2 is accepted by this schema.
          engineVersion:
            default: v2
            description: |-
              EngineVersion specifies the template engine version
              that should be used to compile/execute the
              template specified in .data and .templateFrom[].
            enum:
              - v2
            type: string
          mergePolicy:
            default: Replace
            enum:
              - Replace
              - Merge
            type: string
          metadata:
            description: >-
              ExternalSecretTemplateMetadata defines metadata
              fields for the Secret blueprint.
            properties:
              annotations:
                additionalProperties:
                  type: string
                type: object
              labels:
                additionalProperties:
                  type: string
                type: object
            type: object
          # NOTE(review): template text is read from the named ConfigMap or
          # Secret, so write access to that object is in effect write access to
          # the rendered Secret. Presumably the lookup is in the
          # ExternalSecret's own namespace - confirm, and restrict who may edit
          # those objects.
          templateFrom:
            items:
              properties:
                configMap:
                  properties:
                    items:
                      description: >-
                        A list of keys in the ConfigMap/Secret
                        to use as templates for Secret data
                      items:
                        properties:
                          key:
                            description: A key in the ConfigMap/Secret
                            maxLength: 253
                            minLength: 1
                            pattern: '^[-._a-zA-Z0-9]+$'
                            type: string
                          templateAs:
                            default: Values
                            enum:
                              - Values
                              - KeysAndValues
                            type: string
                        required:
                          - key
                        type: object
                      type: array
                    name:
                      description: The name of the ConfigMap/Secret resource
                      maxLength: 253
                      minLength: 1
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      type: string
                  required:
                    - items
                    - name
                  type: object
                literal:
                  type: string
                secret:
                  properties:
                    items:
                      description: >-
                        A list of keys in the ConfigMap/Secret
                        to use as templates for Secret data
                      items:
                        properties:
                          key:
                            description: A key in the ConfigMap/Secret
                            maxLength: 253
                            minLength: 1
                            pattern: '^[-._a-zA-Z0-9]+$'
                            type: string
                          templateAs:
                            default: Values
                            enum:
                              - Values
                              - KeysAndValues
                            type: string
                        required:
                          - key
                        type: object
                      type: array
                    name:
                      description: The name of the ConfigMap/Secret resource
                      maxLength: 253
                      minLength: 1
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      type: string
                  required:
                    - items
                    - name
                  type: object
                # NOTE(review): presumably selects where the rendered output is
                # written. Annotations and Labels are object metadata, which is
                # usually readable and logged more widely than Secret data, so
                # secret values should not be templated into them.
                target:
                  default: Data
                  enum:
                    - Data
                    - Annotations
                    - Labels
                  type: string
              type: object
            type: array
          # The Secret type string is not restricted by an enum or pattern.
          type:
            type: string
        type: object
    type: object
  1201. type: object
  # status: observed state of the ExternalSecret.
  # NOTE(review): refreshTime records when the external secret was last fetched
  # and the target updated (per its description); a value that lags well behind
  # refreshInterval is a useful signal that synchronisation has stalled.
  # NOTE(review): conditions[].message is an unconstrained string. TODO confirm
  # the controller never copies provider responses containing secret material
  # into it, since status is readable by anyone who can get the object.
  status:
    properties:
      binding:
        description: >-
          Binding represents a servicebinding.io Provisioned Service
          reference to the secret
        properties:
          name:
            default: ""
            description: |-
              Name of the referent.
              This field is effectively required, but due to backwards compatibility is
              allowed to be empty. Instances of this type with an empty value here are
              almost certainly wrong.
              More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
            type: string
        type: object
        x-kubernetes-map-type: atomic
      conditions:
        items:
          properties:
            lastTransitionTime:
              format: date-time
              type: string
            message:
              type: string
            reason:
              type: string
            status:
              type: string
            type:
              type: string
          # Only status and type are mandatory on a condition.
          required:
            - status
            - type
          type: object
        type: array
      refreshTime:
        description: |-
          refreshTime is the time and date the external secret was fetched and
          the target secret updated
        format: date-time
        nullable: true
        type: string
      syncedResourceVersion:
        description: >-
          SyncedResourceVersion keeps track of the last synced
          version
        type: string
    type: object
  1250. type: object
  1251. served: false
  1252. storage: false
  1253. subresources:
  1254. status: {}