bundle.yaml 324 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377737783779378037813782378337843785378637873788378937903791379237933794379537963797379837993800380138023803380438053806380738083809381038113812381338143815381638173818381938203821382238233824382538263827382838293830383138323833383438353836383738383839384038413842384338443845384638473848384938503851385238533854385538563857385838593860386138623863386438653866386738683869387038713872387338743875387638773878387938803881388238833884388538863887388838893890389138923893389438953896389738983899390039013902390339043905390639073908390939103911391239133914391539163917391839193920392139223923392439253926392739283929393039313932393339343935393639373938393939403941394239433944394539463947394839493950395139523953395439553956395739583959396039613962396339643965396639673968396939703971397239733974397539763977397839793980398139823983398439853986398739883989399039913992399339943995399639973998399940004001400240034004400540064007400840094010401140124013401440154016401740184019402040214022402340244025402640274028402940304031403240334034403540364037403840394040404140424043404440454046404740484049405040514052405340544055405640574058405940604061406240634064406540664067406840694070407140724073407440754076407740784079408040814082408340844085408640874088408940904091409240934094409540964097409840994100410141024103410441054106410741084109411041114112411341144115411641174118411941204121412241234124412541264127412841294130413141324133413441354136413741384139414041414142414341444145414641474148414941504151415241534154415541564157415841594160416141624163416441654166416741684169417041714172417341744175417641774178417941804181418241834184418541864187418841894190419141924193419441954196419741984199420042014202420342044205420642074208420942104211421242134214421542164217421842194220422142224223422442254226422742284229423042314232423342344235423642374238423942404241424242434244424542464247424842494250425142524253425442554256425742584259426042614262426342644265426642674268426942704271427242734274427542764277427842794280428142824283428442854286428742884289429042914292429342944295429642974298429943004301430243034304430543064307430843094310431143124313431443154316431743184319432043214322432343244325432643274328432943304331433243334334433543364337433843394340434143424343434443454346434743484349435043514352435343544355435643574358435943604361436243634364436543664367436843694370437143724373437443754376437743784379438043814382438343844385438643874388438943904391439243934394439543964397439843994400440144024403440444054406440744084409441044114412441344144415441644174418441944204421442244234424442544264427442844294430443144324433443444354436443744384439444044414442444344444445444644474448444944504451445244534454445544564457445844594460446144624463446444654466446744684469447044714472447344744475447644774478447944804481448244834484448544864487448844894490449144924493449444954496449744984499450045014502450345044505450645074508450945104511451245134514451545164517451845194520452145224523452445254526452745284529453045314532453345344535453645374538453945404541454245434544454545464547454845494550455145524553455445554556455745584559456045614562456345644565456645674568456945704571457245734574457545764577457845794580458145824583458445854586458745884589459045914592459345944595459645974598459946004601460246034604460546064607460846094610461146124613461446154616461746184619462046214622462346244625462646274628462946304631463246334634463546364637463846394640464146424643464446454646464746484649465046514652465346544655465646574658465946604661466246634664466546664667466846694670467146724673467446754676467746784679468046814682468346844685468646874688468946904691469246934694469546964697469846994700470147024703470447054706470747084709471047114712471347144715471647174718471947204721472247234724472547264727472847294730473147324733473447354736473747384739474047414742474347444745474647474748474947504751475247534754475547564757475847594760476147624763476447654766476747684769477047714772477347744775477647774778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527752785279528052815282528352845285528652875288528952905291529252935294529552965297529852995300530153025303530453055306530753085309531053115312531353145315531653175318531953205321532253235324532553265327532853295330533153325333533453355336533753385339534053415342534353445345534653475348534953505351535253535354535553565357535853595360536153625363536453655366536753685369537053715372537353745375537653775378537953805381538253835384538553865387538853895390539153925393539453955396539753985399540054015402540354045405540654075408540954105411541254135414541554165417541854195420542154225423542454255426542754285429
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.9.2
  6. creationTimestamp: null
  7. name: clusterexternalsecrets.external-secrets.io
  8. spec:
  9. group: external-secrets.io
  10. names:
  11. categories:
  12. - externalsecrets
  13. kind: ClusterExternalSecret
  14. listKind: ClusterExternalSecretList
  15. plural: clusterexternalsecrets
  16. shortNames:
  17. - ces
  18. singular: clusterexternalsecret
  19. scope: Cluster
  20. versions:
  21. - additionalPrinterColumns:
  22. - jsonPath: .spec.secretStoreRef.name
  23. name: Store
  24. type: string
  25. - jsonPath: .spec.refreshInterval
  26. name: Refresh Interval
  27. type: string
  28. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  29. name: Status
  30. type: string
  31. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  32. name: Ready
  33. type: string
  34. name: v1beta1
  35. schema:
  36. openAPIV3Schema:
  37. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  38. properties:
  39. apiVersion:
  40. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  41. type: string
  42. kind:
  43. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  44. type: string
  45. metadata:
  46. type: object
  47. spec:
  48. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  49. properties:
  50. externalSecretName:
  51. description: The name of the external secrets to be created defaults to the name of the ClusterExternalSecret
  52. type: string
  53. externalSecretSpec:
  54. description: The spec for the ExternalSecrets to be created
  55. properties:
  56. data:
  57. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  58. items:
  59. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  60. properties:
  61. remoteRef:
  62. description: ExternalSecretDataRemoteRef defines Provider data location.
  63. properties:
  64. conversionStrategy:
  65. default: Default
  66. description: Used to define a conversion Strategy
  67. type: string
  68. decodingStrategy:
  69. default: None
  70. description: Used to define a decoding Strategy
  71. type: string
  72. key:
  73. description: Key is the key used in the Provider, mandatory
  74. type: string
  75. metadataPolicy:
  76. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  77. type: string
  78. property:
  79. description: Used to select a specific property of the Provider value (if a map), if supported
  80. type: string
  81. version:
  82. description: Used to select a specific version of the Provider value, if supported
  83. type: string
  84. required:
  85. - key
  86. type: object
  87. secretKey:
  88. type: string
  89. required:
  90. - remoteRef
  91. - secretKey
  92. type: object
  93. type: array
  94. dataFrom:
  95. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  96. items:
  97. properties:
  98. extract:
  99. description: Used to extract multiple key/value pairs from one secret
  100. properties:
  101. conversionStrategy:
  102. default: Default
  103. description: Used to define a conversion Strategy
  104. type: string
  105. decodingStrategy:
  106. default: None
  107. description: Used to define a decoding Strategy
  108. type: string
  109. key:
  110. description: Key is the key used in the Provider, mandatory
  111. type: string
  112. metadataPolicy:
  113. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  114. type: string
  115. property:
  116. description: Used to select a specific property of the Provider value (if a map), if supported
  117. type: string
  118. version:
  119. description: Used to select a specific version of the Provider value, if supported
  120. type: string
  121. required:
  122. - key
  123. type: object
  124. find:
  125. description: Used to find secrets based on tags or regular expressions
  126. properties:
  127. conversionStrategy:
  128. default: Default
  129. description: Used to define a conversion Strategy
  130. type: string
  131. decodingStrategy:
  132. default: None
  133. description: Used to define a decoding Strategy
  134. type: string
  135. name:
  136. description: Finds secrets based on the name.
  137. properties:
  138. regexp:
  139. description: Finds secrets base
  140. type: string
  141. type: object
  142. path:
  143. description: A root path to start the find operations.
  144. type: string
  145. tags:
  146. additionalProperties:
  147. type: string
  148. description: Find secrets based on tags.
  149. type: object
  150. type: object
  151. rewrite:
  152. description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  153. items:
  154. properties:
  155. regexp:
  156. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  157. properties:
  158. source:
  159. description: Used to define the regular expression of a re.Compiler.
  160. type: string
  161. target:
  162. description: Used to define the target pattern of a ReplaceAll operation.
  163. type: string
  164. required:
  165. - source
  166. - target
  167. type: object
  168. type: object
  169. type: array
  170. type: object
  171. type: array
  172. refreshInterval:
  173. default: 1h
  174. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  175. type: string
  176. secretStoreRef:
  177. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  178. properties:
  179. kind:
  180. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  181. type: string
  182. name:
  183. description: Name of the SecretStore resource
  184. type: string
  185. required:
  186. - name
  187. type: object
  188. target:
  189. default:
  190. creationPolicy: Owner
  191. deletionPolicy: Retain
  192. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  193. properties:
  194. creationPolicy:
  195. default: Owner
  196. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  197. enum:
  198. - Owner
  199. - Orphan
  200. - Merge
  201. - None
  202. type: string
  203. deletionPolicy:
  204. default: Retain
  205. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  206. enum:
  207. - Delete
  208. - Merge
  209. - Retain
  210. type: string
  211. immutable:
  212. description: Immutable defines if the final secret will be immutable
  213. type: boolean
  214. name:
  215. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  216. type: string
  217. template:
  218. description: Template defines a blueprint for the created Secret resource.
  219. properties:
  220. data:
  221. additionalProperties:
  222. type: string
  223. type: object
  224. engineVersion:
  225. default: v2
  226. type: string
  227. metadata:
  228. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  229. properties:
  230. annotations:
  231. additionalProperties:
  232. type: string
  233. type: object
  234. labels:
  235. additionalProperties:
  236. type: string
  237. type: object
  238. type: object
  239. templateFrom:
  240. items:
  241. maxProperties: 1
  242. minProperties: 1
  243. properties:
  244. configMap:
  245. properties:
  246. items:
  247. items:
  248. properties:
  249. key:
  250. type: string
  251. required:
  252. - key
  253. type: object
  254. type: array
  255. name:
  256. type: string
  257. required:
  258. - items
  259. - name
  260. type: object
  261. secret:
  262. properties:
  263. items:
  264. items:
  265. properties:
  266. key:
  267. type: string
  268. required:
  269. - key
  270. type: object
  271. type: array
  272. name:
  273. type: string
  274. required:
  275. - items
  276. - name
  277. type: object
  278. type: object
  279. type: array
  280. type:
  281. type: string
  282. type: object
  283. type: object
  284. required:
  285. - secretStoreRef
  286. type: object
  287. namespaceSelector:
  288. description: The labels to select by to find the Namespaces to create the ExternalSecrets in.
  289. properties:
  290. matchExpressions:
  291. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  292. items:
  293. description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
  294. properties:
  295. key:
  296. description: key is the label key that the selector applies to.
  297. type: string
  298. operator:
  299. description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
  300. type: string
  301. values:
  302. description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
  303. items:
  304. type: string
  305. type: array
  306. required:
  307. - key
  308. - operator
  309. type: object
  310. type: array
  311. matchLabels:
  312. additionalProperties:
  313. type: string
  314. description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
  315. type: object
  316. type: object
  317. x-kubernetes-map-type: atomic
  318. refreshTime:
  319. description: The time in which the controller should reconcile it's objects and recheck namespaces for labels.
  320. type: string
  321. required:
  322. - externalSecretSpec
  323. - namespaceSelector
  324. type: object
  325. status:
  326. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  327. properties:
  328. conditions:
  329. items:
  330. properties:
  331. message:
  332. type: string
  333. status:
  334. type: string
  335. type:
  336. type: string
  337. required:
  338. - status
  339. - type
  340. type: object
  341. type: array
  342. failedNamespaces:
  343. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  344. items:
  345. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  346. properties:
  347. namespace:
  348. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  349. type: string
  350. reason:
  351. description: Reason is why the ExternalSecret failed to apply to the namespace
  352. type: string
  353. required:
  354. - namespace
  355. type: object
  356. type: array
  357. provisionedNamespaces:
  358. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  359. items:
  360. type: string
  361. type: array
  362. type: object
  363. type: object
  364. served: true
  365. storage: true
  366. subresources:
  367. status: {}
  368. conversion:
  369. strategy: Webhook
  370. webhook:
  371. conversionReviewVersions:
  372. - v1
  373. clientConfig:
  374. service:
  375. name: kubernetes
  376. namespace: default
  377. path: /convert
  378. ---
  379. apiVersion: apiextensions.k8s.io/v1
  380. kind: CustomResourceDefinition
  381. metadata:
  382. annotations:
  383. controller-gen.kubebuilder.io/version: v0.9.2
  384. creationTimestamp: null
  385. name: clustersecretstores.external-secrets.io
  386. spec:
  387. group: external-secrets.io
  388. names:
  389. categories:
  390. - externalsecrets
  391. kind: ClusterSecretStore
  392. listKind: ClusterSecretStoreList
  393. plural: clustersecretstores
  394. shortNames:
  395. - css
  396. singular: clustersecretstore
  397. scope: Cluster
  398. versions:
  399. - additionalPrinterColumns:
  400. - jsonPath: .metadata.creationTimestamp
  401. name: AGE
  402. type: date
  403. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  404. name: Status
  405. type: string
  406. deprecated: true
  407. name: v1alpha1
  408. schema:
  409. openAPIV3Schema:
  410. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  411. properties:
  412. apiVersion:
  413. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  414. type: string
  415. kind:
  416. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  417. type: string
  418. metadata:
  419. type: object
  420. spec:
  421. description: SecretStoreSpec defines the desired state of SecretStore.
  422. properties:
  423. controller:
  424. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  425. type: string
  426. provider:
  427. description: Used to configure the provider. Only one provider may be set
  428. maxProperties: 1
  429. minProperties: 1
  430. properties:
  431. akeyless:
  432. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  433. properties:
  434. akeylessGWApiURL:
  435. description: Akeyless GW API Url from which the secrets to be fetched from.
  436. type: string
  437. authSecretRef:
  438. description: Auth configures how the operator authenticates with Akeyless.
  439. properties:
  440. secretRef:
  441. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  442. properties:
  443. accessID:
  444. description: The SecretAccessID is used for authentication
  445. properties:
  446. key:
  447. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  448. type: string
  449. name:
  450. description: The name of the Secret resource being referred to.
  451. type: string
  452. namespace:
  453. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  454. type: string
  455. type: object
  456. accessType:
  457. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  458. properties:
  459. key:
  460. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  461. type: string
  462. name:
  463. description: The name of the Secret resource being referred to.
  464. type: string
  465. namespace:
  466. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  467. type: string
  468. type: object
  469. accessTypeParam:
  470. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  471. properties:
  472. key:
  473. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  474. type: string
  475. name:
  476. description: The name of the Secret resource being referred to.
  477. type: string
  478. namespace:
  479. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  480. type: string
  481. type: object
  482. type: object
  483. required:
  484. - secretRef
  485. type: object
  486. required:
  487. - akeylessGWApiURL
  488. - authSecretRef
  489. type: object
  490. alibaba:
  491. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  492. properties:
  493. auth:
  494. description: AlibabaAuth contains a secretRef for credentials.
  495. properties:
  496. secretRef:
  497. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  498. properties:
  499. accessKeyIDSecretRef:
  500. description: The AccessKeyID is used for authentication
  501. properties:
  502. key:
  503. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  504. type: string
  505. name:
  506. description: The name of the Secret resource being referred to.
  507. type: string
  508. namespace:
  509. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  510. type: string
  511. type: object
  512. accessKeySecretSecretRef:
  513. description: The AccessKeySecret is used for authentication
  514. properties:
  515. key:
  516. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  517. type: string
  518. name:
  519. description: The name of the Secret resource being referred to.
  520. type: string
  521. namespace:
  522. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  523. type: string
  524. type: object
  525. required:
  526. - accessKeyIDSecretRef
  527. - accessKeySecretSecretRef
  528. type: object
  529. required:
  530. - secretRef
  531. type: object
  532. endpoint:
  533. type: string
  534. regionID:
  535. description: Alibaba Region to be used for the provider
  536. type: string
  537. required:
  538. - auth
  539. - regionID
  540. type: object
  541. aws:
  542. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  543. properties:
  544. auth:
  545. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  546. properties:
  547. jwt:
  548. description: Authenticate against AWS using service account tokens.
  549. properties:
  550. serviceAccountRef:
  551. description: A reference to a ServiceAccount resource.
  552. properties:
  553. name:
  554. description: The name of the ServiceAccount resource being referred to.
  555. type: string
  556. namespace:
  557. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  558. type: string
  559. required:
  560. - name
  561. type: object
  562. type: object
  563. secretRef:
  564. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  565. properties:
  566. accessKeyIDSecretRef:
  567. description: The AccessKeyID is used for authentication
  568. properties:
  569. key:
  570. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  571. type: string
  572. name:
  573. description: The name of the Secret resource being referred to.
  574. type: string
  575. namespace:
  576. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  577. type: string
  578. type: object
  579. secretAccessKeySecretRef:
  580. description: The SecretAccessKey is used for authentication
  581. properties:
  582. key:
  583. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  584. type: string
  585. name:
  586. description: The name of the Secret resource being referred to.
  587. type: string
  588. namespace:
  589. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  590. type: string
  591. type: object
  592. type: object
  593. type: object
  594. region:
  595. description: AWS Region to be used for the provider
  596. type: string
  597. role:
  598. description: Role is a Role ARN which the SecretManager provider will assume
  599. type: string
  600. service:
  601. description: Service defines which service should be used to fetch the secrets
  602. enum:
  603. - SecretsManager
  604. - ParameterStore
  605. type: string
  606. required:
  607. - region
  608. - service
  609. type: object
  610. azurekv:
  611. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  612. properties:
  613. authSecretRef:
  614. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  615. properties:
  616. clientId:
  617. description: The Azure clientId of the service principle used for authentication.
  618. properties:
  619. key:
  620. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  621. type: string
  622. name:
  623. description: The name of the Secret resource being referred to.
  624. type: string
  625. namespace:
  626. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  627. type: string
  628. type: object
  629. clientSecret:
  630. description: The Azure ClientSecret of the service principle used for authentication.
  631. properties:
  632. key:
  633. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  634. type: string
  635. name:
  636. description: The name of the Secret resource being referred to.
  637. type: string
  638. namespace:
  639. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  640. type: string
  641. type: object
  642. type: object
  643. authType:
  644. default: ServicePrincipal
  645. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  646. enum:
  647. - ServicePrincipal
  648. - ManagedIdentity
  649. - WorkloadIdentity
  650. type: string
  651. identityId:
  652. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  653. type: string
  654. serviceAccountRef:
  655. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  656. properties:
  657. name:
  658. description: The name of the ServiceAccount resource being referred to.
  659. type: string
  660. namespace:
  661. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  662. type: string
  663. required:
  664. - name
  665. type: object
  666. tenantId:
  667. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  668. type: string
  669. vaultUrl:
  670. description: Vault Url from which the secrets to be fetched from.
  671. type: string
  672. required:
  673. - vaultUrl
  674. type: object
  675. fake:
  676. description: Fake configures a store with static key/value pairs
  677. properties:
  678. data:
  679. items:
  680. properties:
  681. key:
  682. type: string
  683. value:
  684. type: string
  685. valueMap:
  686. additionalProperties:
  687. type: string
  688. type: object
  689. version:
  690. type: string
  691. required:
  692. - key
  693. type: object
  694. type: array
  695. required:
  696. - data
  697. type: object
  698. gcpsm:
  699. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  700. properties:
  701. auth:
  702. description: Auth defines the information necessary to authenticate against GCP
  703. properties:
  704. secretRef:
  705. properties:
  706. secretAccessKeySecretRef:
  707. description: The SecretAccessKey is used for authentication
  708. properties:
  709. key:
  710. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  711. type: string
  712. name:
  713. description: The name of the Secret resource being referred to.
  714. type: string
  715. namespace:
  716. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  717. type: string
  718. type: object
  719. type: object
  720. workloadIdentity:
  721. properties:
  722. clusterLocation:
  723. type: string
  724. clusterName:
  725. type: string
  726. clusterProjectID:
  727. type: string
  728. serviceAccountRef:
  729. description: A reference to a ServiceAccount resource.
  730. properties:
  731. name:
  732. description: The name of the ServiceAccount resource being referred to.
  733. type: string
  734. namespace:
  735. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  736. type: string
  737. required:
  738. - name
  739. type: object
  740. required:
  741. - clusterLocation
  742. - clusterName
  743. - serviceAccountRef
  744. type: object
  745. type: object
  746. projectID:
  747. description: ProjectID project where secret is located
  748. type: string
  749. type: object
  750. gitlab:
  751. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  752. properties:
  753. auth:
  754. description: Auth configures how secret-manager authenticates with a GitLab instance.
  755. properties:
  756. SecretRef:
  757. properties:
  758. accessToken:
  759. description: AccessToken is used for authentication.
  760. properties:
  761. key:
  762. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  763. type: string
  764. name:
  765. description: The name of the Secret resource being referred to.
  766. type: string
  767. namespace:
  768. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  769. type: string
  770. type: object
  771. type: object
  772. required:
  773. - SecretRef
  774. type: object
  775. projectID:
  776. description: ProjectID specifies a project where secrets are located.
  777. type: string
  778. url:
  779. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  780. type: string
  781. required:
  782. - auth
  783. type: object
  784. ibm:
  785. description: IBM configures this store to sync secrets using IBM Cloud provider
  786. properties:
  787. auth:
  788. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  789. properties:
  790. secretRef:
  791. properties:
  792. secretApiKeySecretRef:
  793. description: The SecretAccessKey is used for authentication
  794. properties:
  795. key:
  796. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  797. type: string
  798. name:
  799. description: The name of the Secret resource being referred to.
  800. type: string
  801. namespace:
  802. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  803. type: string
  804. type: object
  805. type: object
  806. required:
  807. - secretRef
  808. type: object
  809. serviceUrl:
  810. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  811. type: string
  812. required:
  813. - auth
  814. type: object
  815. kubernetes:
  816. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  817. properties:
  818. auth:
  819. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  820. maxProperties: 1
  821. minProperties: 1
  822. properties:
  823. cert:
  824. description: has both clientCert and clientKey as secretKeySelector
  825. properties:
  826. clientCert:
  827. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  828. properties:
  829. key:
  830. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  831. type: string
  832. name:
  833. description: The name of the Secret resource being referred to.
  834. type: string
  835. namespace:
  836. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  837. type: string
  838. type: object
  839. clientKey:
  840. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  841. properties:
  842. key:
  843. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  844. type: string
  845. name:
  846. description: The name of the Secret resource being referred to.
  847. type: string
  848. namespace:
  849. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  850. type: string
  851. type: object
  852. type: object
  853. serviceAccount:
  854. description: points to a service account that should be used for authentication
  855. properties:
  856. serviceAccount:
  857. description: A reference to a ServiceAccount resource.
  858. properties:
  859. name:
  860. description: The name of the ServiceAccount resource being referred to.
  861. type: string
  862. namespace:
  863. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  864. type: string
  865. required:
  866. - name
  867. type: object
  868. type: object
  869. token:
  870. description: use static token to authenticate with
  871. properties:
  872. bearerToken:
  873. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  874. properties:
  875. key:
  876. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  877. type: string
  878. name:
  879. description: The name of the Secret resource being referred to.
  880. type: string
  881. namespace:
  882. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  883. type: string
  884. type: object
  885. type: object
  886. type: object
  887. remoteNamespace:
  888. default: default
  889. description: Remote namespace to fetch the secrets from
  890. type: string
  891. server:
  892. description: configures the Kubernetes server Address.
  893. properties:
  894. caBundle:
  895. description: CABundle is a base64-encoded CA certificate
  896. format: byte
  897. type: string
  898. caProvider:
  899. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  900. properties:
  901. key:
  902. description: The key the value inside of the provider type to use, only used with "Secret" type
  903. type: string
  904. name:
  905. description: The name of the object located at the provider type.
  906. type: string
  907. namespace:
  908. description: The namespace the Provider type is in.
  909. type: string
  910. type:
  911. description: The type of provider to use such as "Secret", or "ConfigMap".
  912. enum:
  913. - Secret
  914. - ConfigMap
  915. type: string
  916. required:
  917. - name
  918. - type
  919. type: object
  920. url:
  921. default: kubernetes.default
  922. description: configures the Kubernetes server Address.
  923. type: string
  924. type: object
  925. required:
  926. - auth
  927. type: object
  928. oracle:
  929. description: Oracle configures this store to sync secrets using Oracle Vault provider
  930. properties:
  931. auth:
  932. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  933. properties:
  934. secretRef:
  935. description: SecretRef to pass through sensitive information.
  936. properties:
  937. fingerprint:
  938. description: Fingerprint is the fingerprint of the API private key.
  939. properties:
  940. key:
  941. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  942. type: string
  943. name:
  944. description: The name of the Secret resource being referred to.
  945. type: string
  946. namespace:
  947. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  948. type: string
  949. type: object
  950. privatekey:
  951. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  952. properties:
  953. key:
  954. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  955. type: string
  956. name:
  957. description: The name of the Secret resource being referred to.
  958. type: string
  959. namespace:
  960. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  961. type: string
  962. type: object
  963. required:
  964. - fingerprint
  965. - privatekey
  966. type: object
  967. tenancy:
  968. description: Tenancy is the tenancy OCID where user is located.
  969. type: string
  970. user:
  971. description: User is an access OCID specific to the account.
  972. type: string
  973. required:
  974. - secretRef
  975. - tenancy
  976. - user
  977. type: object
  978. region:
  979. description: Region is the region where vault is located.
  980. type: string
  981. vault:
  982. description: Vault is the vault's OCID of the specific vault where secret is located.
  983. type: string
  984. required:
  985. - region
  986. - vault
  987. type: object
  988. vault:
  989. description: Vault configures this store to sync secrets using Hashi provider
  990. properties:
  991. auth:
  992. description: Auth configures how secret-manager authenticates with the Vault server.
  993. properties:
  994. appRole:
  995. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  996. properties:
  997. path:
  998. default: approle
  999. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  1000. type: string
  1001. roleId:
  1002. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  1003. type: string
  1004. secretRef:
  1005. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  1006. properties:
  1007. key:
  1008. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1009. type: string
  1010. name:
  1011. description: The name of the Secret resource being referred to.
  1012. type: string
  1013. namespace:
  1014. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1015. type: string
  1016. type: object
  1017. required:
  1018. - path
  1019. - roleId
  1020. - secretRef
  1021. type: object
  1022. cert:
  1023. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  1024. properties:
  1025. clientCert:
  1026. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  1027. properties:
  1028. key:
  1029. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1030. type: string
  1031. name:
  1032. description: The name of the Secret resource being referred to.
  1033. type: string
  1034. namespace:
  1035. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1036. type: string
  1037. type: object
  1038. secretRef:
  1039. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  1040. properties:
  1041. key:
  1042. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1043. type: string
  1044. name:
  1045. description: The name of the Secret resource being referred to.
  1046. type: string
  1047. namespace:
  1048. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1049. type: string
  1050. type: object
  1051. type: object
  1052. jwt:
  1053. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  1054. properties:
  1055. kubernetesServiceAccountToken:
  1056. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  1057. properties:
  1058. audiences:
  1059. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  1060. items:
  1061. type: string
  1062. type: array
  1063. expirationSeconds:
  1064. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  1065. format: int64
  1066. type: integer
  1067. serviceAccountRef:
  1068. description: Service account field containing the name of a kubernetes ServiceAccount.
  1069. properties:
  1070. name:
  1071. description: The name of the ServiceAccount resource being referred to.
  1072. type: string
  1073. namespace:
  1074. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1075. type: string
  1076. required:
  1077. - name
  1078. type: object
  1079. required:
  1080. - serviceAccountRef
  1081. type: object
  1082. path:
  1083. default: jwt
  1084. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  1085. type: string
  1086. role:
  1087. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  1088. type: string
  1089. secretRef:
  1090. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  1091. properties:
  1092. key:
  1093. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1094. type: string
  1095. name:
  1096. description: The name of the Secret resource being referred to.
  1097. type: string
  1098. namespace:
  1099. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1100. type: string
  1101. type: object
  1102. required:
  1103. - path
  1104. type: object
  1105. kubernetes:
  1106. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  1107. properties:
  1108. mountPath:
  1109. default: kubernetes
  1110. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  1111. type: string
  1112. role:
  1113. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  1114. type: string
  1115. secretRef:
  1116. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  1117. properties:
  1118. key:
  1119. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1120. type: string
  1121. name:
  1122. description: The name of the Secret resource being referred to.
  1123. type: string
  1124. namespace:
  1125. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1126. type: string
  1127. type: object
  1128. serviceAccountRef:
  1129. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  1130. properties:
  1131. name:
  1132. description: The name of the ServiceAccount resource being referred to.
  1133. type: string
  1134. namespace:
  1135. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1136. type: string
  1137. required:
  1138. - name
  1139. type: object
  1140. required:
  1141. - mountPath
  1142. - role
  1143. type: object
  1144. ldap:
  1145. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  1146. properties:
  1147. path:
  1148. default: ldap
  1149. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  1150. type: string
  1151. secretRef:
  1152. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  1153. properties:
  1154. key:
  1155. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1156. type: string
  1157. name:
  1158. description: The name of the Secret resource being referred to.
  1159. type: string
  1160. namespace:
  1161. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1162. type: string
  1163. type: object
  1164. username:
  1165. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  1166. type: string
  1167. required:
  1168. - path
  1169. - username
  1170. type: object
  1171. tokenSecretRef:
  1172. description: TokenSecretRef authenticates with Vault by presenting a token.
  1173. properties:
  1174. key:
  1175. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1176. type: string
  1177. name:
  1178. description: The name of the Secret resource being referred to.
  1179. type: string
  1180. namespace:
  1181. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1182. type: string
  1183. type: object
  1184. type: object
  1185. caBundle:
  1186. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1187. format: byte
  1188. type: string
  1189. caProvider:
  1190. description: The provider for the CA bundle to use to validate Vault server certificate.
  1191. properties:
  1192. key:
  1193. description: The key the value inside of the provider type to use, only used with "Secret" type
  1194. type: string
  1195. name:
  1196. description: The name of the object located at the provider type.
  1197. type: string
  1198. namespace:
  1199. description: The namespace the Provider type is in.
  1200. type: string
  1201. type:
  1202. description: The type of provider to use such as "Secret", or "ConfigMap".
  1203. enum:
  1204. - Secret
  1205. - ConfigMap
  1206. type: string
  1207. required:
  1208. - name
  1209. - type
  1210. type: object
  1211. forwardInconsistent:
  1212. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1213. type: boolean
  1214. namespace:
  1215. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  1216. type: string
  1217. path:
  1218. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  1219. type: string
  1220. readYourWrites:
  1221. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  1222. type: boolean
  1223. server:
  1224. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1225. type: string
  1226. version:
  1227. default: v2
  1228. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  1229. enum:
  1230. - v1
  1231. - v2
  1232. type: string
  1233. required:
  1234. - auth
  1235. - server
  1236. type: object
  1237. webhook:
  1238. description: Webhook configures this store to sync secrets using a generic templated webhook
  1239. properties:
  1240. body:
  1241. description: Body
  1242. type: string
  1243. caBundle:
  1244. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  1245. format: byte
  1246. type: string
  1247. caProvider:
  1248. description: The provider for the CA bundle to use to validate webhook server certificate.
  1249. properties:
  1250. key:
  1251. description: The key the value inside of the provider type to use, only used with "Secret" type
  1252. type: string
  1253. name:
  1254. description: The name of the object located at the provider type.
  1255. type: string
  1256. namespace:
  1257. description: The namespace the Provider type is in.
  1258. type: string
  1259. type:
  1260. description: The type of provider to use such as "Secret", or "ConfigMap".
  1261. enum:
  1262. - Secret
  1263. - ConfigMap
  1264. type: string
  1265. required:
  1266. - name
  1267. - type
  1268. type: object
  1269. headers:
  1270. additionalProperties:
  1271. type: string
  1272. description: Headers
  1273. type: object
  1274. method:
  1275. description: Webhook Method
  1276. type: string
  1277. result:
  1278. description: Result formatting
  1279. properties:
  1280. jsonPath:
  1281. description: Json path of return value
  1282. type: string
  1283. type: object
  1284. secrets:
  1285. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  1286. items:
  1287. properties:
  1288. name:
  1289. description: Name of this secret in templates
  1290. type: string
  1291. secretRef:
  1292. description: Secret ref to fill in credentials
  1293. properties:
  1294. key:
  1295. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1296. type: string
  1297. name:
  1298. description: The name of the Secret resource being referred to.
  1299. type: string
  1300. namespace:
  1301. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1302. type: string
  1303. type: object
  1304. required:
  1305. - name
  1306. - secretRef
  1307. type: object
  1308. type: array
  1309. timeout:
  1310. description: Timeout
  1311. type: string
  1312. url:
  1313. description: Webhook url to call
  1314. type: string
  1315. required:
  1316. - result
  1317. - url
  1318. type: object
  1319. yandexlockbox:
  1320. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1321. properties:
  1322. apiEndpoint:
  1323. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1324. type: string
  1325. auth:
  1326. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1327. properties:
  1328. authorizedKeySecretRef:
  1329. description: The authorized key used for authentication
  1330. properties:
  1331. key:
  1332. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1333. type: string
  1334. name:
  1335. description: The name of the Secret resource being referred to.
  1336. type: string
  1337. namespace:
  1338. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1339. type: string
  1340. type: object
  1341. type: object
  1342. caProvider:
  1343. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1344. properties:
  1345. certSecretRef:
  1346. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1347. properties:
  1348. key:
  1349. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1350. type: string
  1351. name:
  1352. description: The name of the Secret resource being referred to.
  1353. type: string
  1354. namespace:
  1355. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1356. type: string
  1357. type: object
  1358. type: object
  1359. required:
  1360. - auth
  1361. type: object
  1362. type: object
  1363. retrySettings:
  1364. description: Used to configure http retries if failed
  1365. properties:
  1366. maxRetries:
  1367. format: int32
  1368. type: integer
  1369. retryInterval:
  1370. type: string
  1371. type: object
  1372. required:
  1373. - provider
  1374. type: object
  1375. status:
  1376. description: SecretStoreStatus defines the observed state of the SecretStore.
  1377. properties:
  1378. conditions:
  1379. items:
  1380. properties:
  1381. lastTransitionTime:
  1382. format: date-time
  1383. type: string
  1384. message:
  1385. type: string
  1386. reason:
  1387. type: string
  1388. status:
  1389. type: string
  1390. type:
  1391. type: string
  1392. required:
  1393. - status
  1394. - type
  1395. type: object
  1396. type: array
  1397. type: object
  1398. type: object
  1399. served: true
  1400. storage: false
  1401. subresources:
  1402. status: {}
  1403. - additionalPrinterColumns:
  1404. - jsonPath: .metadata.creationTimestamp
  1405. name: AGE
  1406. type: date
  1407. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1408. name: Status
  1409. type: string
  1410. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  1411. name: Ready
  1412. type: string
  1413. name: v1beta1
  1414. schema:
  1415. openAPIV3Schema:
  1416. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1417. properties:
  1418. apiVersion:
  1419. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  1420. type: string
  1421. kind:
  1422. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  1423. type: string
  1424. metadata:
  1425. type: object
  1426. spec:
  1427. description: SecretStoreSpec defines the desired state of SecretStore.
  1428. properties:
  1429. controller:
  1430. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  1431. type: string
  1432. provider:
  1433. description: Used to configure the provider. Only one provider may be set
  1434. maxProperties: 1
  1435. minProperties: 1
  1436. properties:
  1437. akeyless:
  1438. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1439. properties:
  1440. akeylessGWApiURL:
  1441. description: Akeyless GW API Url from which the secrets to be fetched from.
  1442. type: string
  1443. authSecretRef:
  1444. description: Auth configures how the operator authenticates with Akeyless.
  1445. properties:
  1446. secretRef:
  1447. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  1448. properties:
  1449. accessID:
  1450. description: The SecretAccessID is used for authentication
  1451. properties:
  1452. key:
  1453. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1454. type: string
  1455. name:
  1456. description: The name of the Secret resource being referred to.
  1457. type: string
  1458. namespace:
  1459. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1460. type: string
  1461. type: object
  1462. accessType:
  1463. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1464. properties:
  1465. key:
  1466. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1467. type: string
  1468. name:
  1469. description: The name of the Secret resource being referred to.
  1470. type: string
  1471. namespace:
  1472. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1473. type: string
  1474. type: object
  1475. accessTypeParam:
  1476. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1477. properties:
  1478. key:
  1479. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1480. type: string
  1481. name:
  1482. description: The name of the Secret resource being referred to.
  1483. type: string
  1484. namespace:
  1485. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1486. type: string
  1487. type: object
  1488. type: object
  1489. required:
  1490. - secretRef
  1491. type: object
  1492. required:
  1493. - akeylessGWApiURL
  1494. - authSecretRef
  1495. type: object
  1496. alibaba:
  1497. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1498. properties:
  1499. auth:
  1500. description: AlibabaAuth contains a secretRef for credentials.
  1501. properties:
  1502. secretRef:
  1503. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1504. properties:
  1505. accessKeyIDSecretRef:
  1506. description: The AccessKeyID is used for authentication
  1507. properties:
  1508. key:
  1509. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1510. type: string
  1511. name:
  1512. description: The name of the Secret resource being referred to.
  1513. type: string
  1514. namespace:
  1515. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1516. type: string
  1517. type: object
  1518. accessKeySecretSecretRef:
  1519. description: The AccessKeySecret is used for authentication
  1520. properties:
  1521. key:
  1522. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1523. type: string
  1524. name:
  1525. description: The name of the Secret resource being referred to.
  1526. type: string
  1527. namespace:
  1528. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1529. type: string
  1530. type: object
  1531. required:
  1532. - accessKeyIDSecretRef
  1533. - accessKeySecretSecretRef
  1534. type: object
  1535. required:
  1536. - secretRef
  1537. type: object
  1538. endpoint:
  1539. type: string
  1540. regionID:
  1541. description: Alibaba Region to be used for the provider
  1542. type: string
  1543. required:
  1544. - auth
  1545. - regionID
  1546. type: object
  1547. aws:
  1548. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1549. properties:
  1550. auth:
  1551. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  1552. properties:
  1553. jwt:
  1554. description: Authenticate against AWS using service account tokens.
  1555. properties:
  1556. serviceAccountRef:
  1557. description: A reference to a ServiceAccount resource.
  1558. properties:
  1559. name:
  1560. description: The name of the ServiceAccount resource being referred to.
  1561. type: string
  1562. namespace:
  1563. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1564. type: string
  1565. required:
  1566. - name
  1567. type: object
  1568. type: object
  1569. secretRef:
  1570. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1571. properties:
  1572. accessKeyIDSecretRef:
  1573. description: The AccessKeyID is used for authentication
  1574. properties:
  1575. key:
  1576. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1577. type: string
  1578. name:
  1579. description: The name of the Secret resource being referred to.
  1580. type: string
  1581. namespace:
  1582. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1583. type: string
  1584. type: object
  1585. secretAccessKeySecretRef:
  1586. description: The SecretAccessKey is used for authentication
  1587. properties:
  1588. key:
  1589. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1590. type: string
  1591. name:
  1592. description: The name of the Secret resource being referred to.
  1593. type: string
  1594. namespace:
  1595. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1596. type: string
  1597. type: object
  1598. type: object
  1599. type: object
  1600. region:
  1601. description: AWS Region to be used for the provider
  1602. type: string
  1603. role:
  1604. description: Role is a Role ARN which the SecretManager provider will assume
  1605. type: string
  1606. service:
  1607. description: Service defines which service should be used to fetch the secrets
  1608. enum:
  1609. - SecretsManager
  1610. - ParameterStore
  1611. type: string
  1612. required:
  1613. - region
  1614. - service
  1615. type: object
  1616. azurekv:
  1617. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1618. properties:
  1619. authSecretRef:
  1620. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1621. properties:
  1622. clientId:
  1623. description: The Azure clientId of the service principle used for authentication.
  1624. properties:
  1625. key:
  1626. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1627. type: string
  1628. name:
  1629. description: The name of the Secret resource being referred to.
  1630. type: string
  1631. namespace:
  1632. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1633. type: string
  1634. type: object
  1635. clientSecret:
  1636. description: The Azure ClientSecret of the service principle used for authentication.
  1637. properties:
  1638. key:
  1639. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1640. type: string
  1641. name:
  1642. description: The name of the Secret resource being referred to.
  1643. type: string
  1644. namespace:
  1645. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1646. type: string
  1647. type: object
  1648. type: object
  1649. authType:
  1650. default: ServicePrincipal
  1651. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  1652. enum:
  1653. - ServicePrincipal
  1654. - ManagedIdentity
  1655. - WorkloadIdentity
  1656. type: string
  1657. identityId:
  1658. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  1659. type: string
  1660. serviceAccountRef:
  1661. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  1662. properties:
  1663. name:
  1664. description: The name of the ServiceAccount resource being referred to.
  1665. type: string
  1666. namespace:
  1667. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1668. type: string
  1669. required:
  1670. - name
  1671. type: object
  1672. tenantId:
  1673. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1674. type: string
  1675. vaultUrl:
  1676. description: Vault Url from which the secrets to be fetched from.
  1677. type: string
  1678. required:
  1679. - vaultUrl
  1680. type: object
  1681. fake:
  1682. description: Fake configures a store with static key/value pairs
  1683. properties:
  1684. data:
  1685. items:
  1686. properties:
  1687. key:
  1688. type: string
  1689. value:
  1690. type: string
  1691. valueMap:
  1692. additionalProperties:
  1693. type: string
  1694. type: object
  1695. version:
  1696. type: string
  1697. required:
  1698. - key
  1699. type: object
  1700. type: array
  1701. required:
  1702. - data
  1703. type: object
  1704. gcpsm:
  1705. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1706. properties:
  1707. auth:
  1708. description: Auth defines the information necessary to authenticate against GCP
  1709. properties:
  1710. secretRef:
  1711. properties:
  1712. secretAccessKeySecretRef:
  1713. description: The SecretAccessKey is used for authentication
  1714. properties:
  1715. key:
  1716. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1717. type: string
  1718. name:
  1719. description: The name of the Secret resource being referred to.
  1720. type: string
  1721. namespace:
  1722. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1723. type: string
  1724. type: object
  1725. type: object
  1726. workloadIdentity:
  1727. properties:
  1728. clusterLocation:
  1729. type: string
  1730. clusterName:
  1731. type: string
  1732. clusterProjectID:
  1733. type: string
  1734. serviceAccountRef:
  1735. description: A reference to a ServiceAccount resource.
  1736. properties:
  1737. name:
  1738. description: The name of the ServiceAccount resource being referred to.
  1739. type: string
  1740. namespace:
  1741. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1742. type: string
  1743. required:
  1744. - name
  1745. type: object
  1746. required:
  1747. - clusterLocation
  1748. - clusterName
  1749. - serviceAccountRef
  1750. type: object
  1751. type: object
  1752. projectID:
  1753. description: ProjectID project where secret is located
  1754. type: string
  1755. type: object
  1756. gitlab:
  1757. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  1758. properties:
  1759. auth:
  1760. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1761. properties:
  1762. SecretRef:
  1763. properties:
  1764. accessToken:
  1765. description: AccessToken is used for authentication.
  1766. properties:
  1767. key:
  1768. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1769. type: string
  1770. name:
  1771. description: The name of the Secret resource being referred to.
  1772. type: string
  1773. namespace:
  1774. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1775. type: string
  1776. type: object
  1777. type: object
  1778. required:
  1779. - SecretRef
  1780. type: object
  1781. projectID:
  1782. description: ProjectID specifies a project where secrets are located.
  1783. type: string
  1784. url:
  1785. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1786. type: string
  1787. required:
  1788. - auth
  1789. type: object
  1790. ibm:
  1791. description: IBM configures this store to sync secrets using IBM Cloud provider
  1792. properties:
  1793. auth:
  1794. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1795. maxProperties: 1
  1796. minProperties: 1
  1797. properties:
  1798. containerAuth:
  1799. description: IBM Container-based auth with IAM Trusted Profile.
  1800. properties:
  1801. iamEndpoint:
  1802. type: string
  1803. profile:
  1804. description: the IBM Trusted Profile
  1805. type: string
  1806. tokenLocation:
  1807. description: Location the token is mounted on the pod
  1808. type: string
  1809. required:
  1810. - profile
  1811. type: object
  1812. secretRef:
  1813. properties:
  1814. secretApiKeySecretRef:
  1815. description: The SecretAccessKey is used for authentication
  1816. properties:
  1817. key:
  1818. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1819. type: string
  1820. name:
  1821. description: The name of the Secret resource being referred to.
  1822. type: string
  1823. namespace:
  1824. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1825. type: string
  1826. type: object
  1827. type: object
  1828. type: object
  1829. serviceUrl:
  1830. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1831. type: string
  1832. required:
  1833. - auth
  1834. type: object
  1835. kubernetes:
  1836. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1837. properties:
  1838. auth:
  1839. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1840. maxProperties: 1
  1841. minProperties: 1
  1842. properties:
  1843. cert:
  1844. description: has both clientCert and clientKey as secretKeySelector
  1845. properties:
  1846. clientCert:
  1847. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1848. properties:
  1849. key:
  1850. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1851. type: string
  1852. name:
  1853. description: The name of the Secret resource being referred to.
  1854. type: string
  1855. namespace:
  1856. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1857. type: string
  1858. type: object
  1859. clientKey:
  1860. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1861. properties:
  1862. key:
  1863. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1864. type: string
  1865. name:
  1866. description: The name of the Secret resource being referred to.
  1867. type: string
  1868. namespace:
  1869. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1870. type: string
  1871. type: object
  1872. type: object
  1873. serviceAccount:
  1874. description: points to a service account that should be used for authentication
  1875. properties:
  1876. name:
  1877. description: The name of the ServiceAccount resource being referred to.
  1878. type: string
  1879. namespace:
  1880. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1881. type: string
  1882. required:
  1883. - name
  1884. type: object
  1885. token:
  1886. description: use static token to authenticate with
  1887. properties:
  1888. bearerToken:
  1889. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  1890. properties:
  1891. key:
  1892. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1893. type: string
  1894. name:
  1895. description: The name of the Secret resource being referred to.
  1896. type: string
  1897. namespace:
  1898. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1899. type: string
  1900. type: object
  1901. type: object
  1902. type: object
  1903. remoteNamespace:
  1904. default: default
  1905. description: Remote namespace to fetch the secrets from
  1906. type: string
  1907. server:
  1908. description: configures the Kubernetes server Address.
  1909. properties:
  1910. caBundle:
  1911. description: CABundle is a base64-encoded CA certificate
  1912. format: byte
  1913. type: string
  1914. caProvider:
  1915. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1916. properties:
  1917. key:
  1918. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  1919. type: string
  1920. name:
  1921. description: The name of the object located at the provider type.
  1922. type: string
  1923. namespace:
  1924. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  1925. type: string
  1926. type:
  1927. description: The type of provider to use such as "Secret", or "ConfigMap".
  1928. enum:
  1929. - Secret
  1930. - ConfigMap
  1931. type: string
  1932. required:
  1933. - name
  1934. - type
  1935. type: object
  1936. url:
  1937. default: kubernetes.default
  1938. description: configures the Kubernetes server Address.
  1939. type: string
  1940. type: object
  1941. required:
  1942. - auth
  1943. type: object
  1944. onepassword:
  1945. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  1946. properties:
  1947. auth:
  1948. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  1949. properties:
  1950. secretRef:
  1951. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  1952. properties:
  1953. connectTokenSecretRef:
  1954. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  1955. properties:
  1956. key:
  1957. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1958. type: string
  1959. name:
  1960. description: The name of the Secret resource being referred to.
  1961. type: string
  1962. namespace:
  1963. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  1964. type: string
  1965. type: object
  1966. required:
  1967. - connectTokenSecretRef
  1968. type: object
  1969. required:
  1970. - secretRef
  1971. type: object
  1972. connectHost:
  1973. description: ConnectHost defines the OnePassword Connect Server to connect to
  1974. type: string
  1975. vaults:
  1976. additionalProperties:
  1977. type: integer
  1978. description: Vaults defines which OnePassword vaults to search in which order
  1979. type: object
  1980. required:
  1981. - auth
  1982. - connectHost
  1983. - vaults
  1984. type: object
  1985. oracle:
  1986. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1987. properties:
  1988. auth:
  1989. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  1990. properties:
  1991. secretRef:
  1992. description: SecretRef to pass through sensitive information.
  1993. properties:
  1994. fingerprint:
  1995. description: Fingerprint is the fingerprint of the API private key.
  1996. properties:
  1997. key:
  1998. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  1999. type: string
  2000. name:
  2001. description: The name of the Secret resource being referred to.
  2002. type: string
  2003. namespace:
  2004. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2005. type: string
  2006. type: object
  2007. privatekey:
  2008. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  2009. properties:
  2010. key:
  2011. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2012. type: string
  2013. name:
  2014. description: The name of the Secret resource being referred to.
  2015. type: string
  2016. namespace:
  2017. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2018. type: string
  2019. type: object
  2020. required:
  2021. - fingerprint
  2022. - privatekey
  2023. type: object
  2024. tenancy:
  2025. description: Tenancy is the tenancy OCID where user is located.
  2026. type: string
  2027. user:
  2028. description: User is an access OCID specific to the account.
  2029. type: string
  2030. required:
  2031. - secretRef
  2032. - tenancy
  2033. - user
  2034. type: object
  2035. region:
  2036. description: Region is the region where vault is located.
  2037. type: string
  2038. vault:
  2039. description: Vault is the vault's OCID of the specific vault where secret is located.
  2040. type: string
  2041. required:
  2042. - region
  2043. - vault
  2044. type: object
  2045. senhasegura:
  2046. description: Senhasegura configures this store to sync secrets using senhasegura provider
  2047. properties:
  2048. auth:
  2049. description: Auth defines parameters to authenticate in senhasegura
  2050. properties:
  2051. clientId:
  2052. type: string
  2053. clientSecretSecretRef:
  2054. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2055. properties:
  2056. key:
  2057. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2058. type: string
  2059. name:
  2060. description: The name of the Secret resource being referred to.
  2061. type: string
  2062. namespace:
  2063. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2064. type: string
  2065. type: object
  2066. required:
  2067. - clientId
  2068. - clientSecretSecretRef
  2069. type: object
  2070. ignoreSslCertificate:
  2071. default: false
  2072. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  2073. type: boolean
  2074. module:
  2075. description: Module defines which senhasegura module should be used to get secrets
  2076. type: string
  2077. url:
  2078. description: URL of senhasegura
  2079. type: string
  2080. required:
  2081. - auth
  2082. - module
  2083. - url
  2084. type: object
  2085. vault:
  2086. description: Vault configures this store to sync secrets using Hashi provider
  2087. properties:
  2088. auth:
  2089. description: Auth configures how secret-manager authenticates with the Vault server.
  2090. properties:
  2091. appRole:
  2092. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  2093. properties:
  2094. path:
  2095. default: approle
  2096. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  2097. type: string
  2098. roleId:
  2099. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  2100. type: string
  2101. secretRef:
  2102. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  2103. properties:
  2104. key:
  2105. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2106. type: string
  2107. name:
  2108. description: The name of the Secret resource being referred to.
  2109. type: string
  2110. namespace:
  2111. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2112. type: string
  2113. type: object
  2114. required:
  2115. - path
  2116. - roleId
  2117. - secretRef
  2118. type: object
  2119. cert:
  2120. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  2121. properties:
  2122. clientCert:
  2123. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  2124. properties:
  2125. key:
  2126. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2127. type: string
  2128. name:
  2129. description: The name of the Secret resource being referred to.
  2130. type: string
  2131. namespace:
  2132. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2133. type: string
  2134. type: object
  2135. secretRef:
  2136. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  2137. properties:
  2138. key:
  2139. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2140. type: string
  2141. name:
  2142. description: The name of the Secret resource being referred to.
  2143. type: string
  2144. namespace:
  2145. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2146. type: string
  2147. type: object
  2148. type: object
  2149. jwt:
  2150. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  2151. properties:
  2152. kubernetesServiceAccountToken:
  2153. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  2154. properties:
  2155. audiences:
  2156. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  2157. items:
  2158. type: string
  2159. type: array
  2160. expirationSeconds:
  2161. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  2162. format: int64
  2163. type: integer
  2164. serviceAccountRef:
  2165. description: Service account field containing the name of a kubernetes ServiceAccount.
  2166. properties:
  2167. name:
  2168. description: The name of the ServiceAccount resource being referred to.
  2169. type: string
  2170. namespace:
  2171. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2172. type: string
  2173. required:
  2174. - name
  2175. type: object
  2176. required:
  2177. - serviceAccountRef
  2178. type: object
  2179. path:
  2180. default: jwt
  2181. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  2182. type: string
  2183. role:
  2184. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  2185. type: string
  2186. secretRef:
  2187. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  2188. properties:
  2189. key:
  2190. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2191. type: string
  2192. name:
  2193. description: The name of the Secret resource being referred to.
  2194. type: string
  2195. namespace:
  2196. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2197. type: string
  2198. type: object
  2199. required:
  2200. - path
  2201. type: object
  2202. kubernetes:
  2203. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  2204. properties:
  2205. mountPath:
  2206. default: kubernetes
  2207. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  2208. type: string
  2209. role:
  2210. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  2211. type: string
  2212. secretRef:
  2213. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  2214. properties:
  2215. key:
  2216. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2217. type: string
  2218. name:
  2219. description: The name of the Secret resource being referred to.
  2220. type: string
  2221. namespace:
  2222. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2223. type: string
  2224. type: object
  2225. serviceAccountRef:
  2226. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  2227. properties:
  2228. name:
  2229. description: The name of the ServiceAccount resource being referred to.
  2230. type: string
  2231. namespace:
  2232. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2233. type: string
  2234. required:
  2235. - name
  2236. type: object
  2237. required:
  2238. - mountPath
  2239. - role
  2240. type: object
  2241. ldap:
  2242. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  2243. properties:
  2244. path:
  2245. default: ldap
  2246. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  2247. type: string
  2248. secretRef:
  2249. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  2250. properties:
  2251. key:
  2252. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2253. type: string
  2254. name:
  2255. description: The name of the Secret resource being referred to.
  2256. type: string
  2257. namespace:
  2258. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2259. type: string
  2260. type: object
  2261. username:
  2262. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  2263. type: string
  2264. required:
  2265. - path
  2266. - username
  2267. type: object
  2268. tokenSecretRef:
  2269. description: TokenSecretRef authenticates with Vault by presenting a token.
  2270. properties:
  2271. key:
  2272. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2273. type: string
  2274. name:
  2275. description: The name of the Secret resource being referred to.
  2276. type: string
  2277. namespace:
  2278. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2279. type: string
  2280. type: object
  2281. type: object
  2282. caBundle:
  2283. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2284. format: byte
  2285. type: string
  2286. caProvider:
  2287. description: The provider for the CA bundle to use to validate Vault server certificate.
  2288. properties:
  2289. key:
  2290. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2291. type: string
  2292. name:
  2293. description: The name of the object located at the provider type.
  2294. type: string
  2295. namespace:
  2296. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  2297. type: string
  2298. type:
  2299. description: The type of provider to use such as "Secret", or "ConfigMap".
  2300. enum:
  2301. - Secret
  2302. - ConfigMap
  2303. type: string
  2304. required:
  2305. - name
  2306. - type
  2307. type: object
  2308. forwardInconsistent:
  2309. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  2310. type: boolean
  2311. namespace:
  2312. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  2313. type: string
  2314. path:
  2315. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  2316. type: string
  2317. readYourWrites:
  2318. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  2319. type: boolean
  2320. server:
  2321. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  2322. type: string
  2323. version:
  2324. default: v2
  2325. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  2326. enum:
  2327. - v1
  2328. - v2
  2329. type: string
  2330. required:
  2331. - auth
  2332. - server
  2333. type: object
  2334. webhook:
  2335. description: Webhook configures this store to sync secrets using a generic templated webhook
  2336. properties:
  2337. body:
  2338. description: Body
  2339. type: string
  2340. caBundle:
  2341. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  2342. format: byte
  2343. type: string
  2344. caProvider:
  2345. description: The provider for the CA bundle to use to validate webhook server certificate.
  2346. properties:
  2347. key:
  2348. description: The key the value inside of the provider type to use, only used with "Secret" type
  2349. type: string
  2350. name:
  2351. description: The name of the object located at the provider type.
  2352. type: string
  2353. namespace:
  2354. description: The namespace the Provider type is in.
  2355. type: string
  2356. type:
  2357. description: The type of provider to use such as "Secret", or "ConfigMap".
  2358. enum:
  2359. - Secret
  2360. - ConfigMap
  2361. type: string
  2362. required:
  2363. - name
  2364. - type
  2365. type: object
  2366. headers:
  2367. additionalProperties:
  2368. type: string
  2369. description: Headers
  2370. type: object
  2371. method:
  2372. description: Webhook Method
  2373. type: string
  2374. result:
  2375. description: Result formatting
  2376. properties:
  2377. jsonPath:
  2378. description: Json path of return value
  2379. type: string
  2380. type: object
  2381. secrets:
  2382. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  2383. items:
  2384. properties:
  2385. name:
  2386. description: Name of this secret in templates
  2387. type: string
  2388. secretRef:
  2389. description: Secret ref to fill in credentials
  2390. properties:
  2391. key:
  2392. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2393. type: string
  2394. name:
  2395. description: The name of the Secret resource being referred to.
  2396. type: string
  2397. namespace:
  2398. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2399. type: string
  2400. type: object
  2401. required:
  2402. - name
  2403. - secretRef
  2404. type: object
  2405. type: array
  2406. timeout:
  2407. description: Timeout
  2408. type: string
  2409. url:
  2410. description: Webhook url to call
  2411. type: string
  2412. required:
  2413. - result
  2414. - url
  2415. type: object
  2416. yandexcertificatemanager:
  2417. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  2418. properties:
  2419. apiEndpoint:
  2420. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2421. type: string
  2422. auth:
  2423. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  2424. properties:
  2425. authorizedKeySecretRef:
  2426. description: The authorized key used for authentication
  2427. properties:
  2428. key:
  2429. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2430. type: string
  2431. name:
  2432. description: The name of the Secret resource being referred to.
  2433. type: string
  2434. namespace:
  2435. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2436. type: string
  2437. type: object
  2438. type: object
  2439. caProvider:
  2440. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2441. properties:
  2442. certSecretRef:
  2443. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2444. properties:
  2445. key:
  2446. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2447. type: string
  2448. name:
  2449. description: The name of the Secret resource being referred to.
  2450. type: string
  2451. namespace:
  2452. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2453. type: string
  2454. type: object
  2455. type: object
  2456. required:
  2457. - auth
  2458. type: object
  2459. yandexlockbox:
  2460. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2461. properties:
  2462. apiEndpoint:
  2463. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2464. type: string
  2465. auth:
  2466. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2467. properties:
  2468. authorizedKeySecretRef:
  2469. description: The authorized key used for authentication
  2470. properties:
  2471. key:
  2472. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2473. type: string
  2474. name:
  2475. description: The name of the Secret resource being referred to.
  2476. type: string
  2477. namespace:
  2478. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2479. type: string
  2480. type: object
  2481. type: object
  2482. caProvider:
  2483. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2484. properties:
  2485. certSecretRef:
  2486. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  2487. properties:
  2488. key:
  2489. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  2490. type: string
  2491. name:
  2492. description: The name of the Secret resource being referred to.
  2493. type: string
  2494. namespace:
  2495. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  2496. type: string
  2497. type: object
  2498. type: object
  2499. required:
  2500. - auth
  2501. type: object
  2502. type: object
  2503. refreshInterval:
  2504. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  2505. type: integer
  2506. retrySettings:
  2507. description: Used to configure http retries if failed
  2508. properties:
  2509. maxRetries:
  2510. format: int32
  2511. type: integer
  2512. retryInterval:
  2513. type: string
  2514. type: object
  2515. required:
  2516. - provider
  2517. type: object
  2518. status:
  2519. description: SecretStoreStatus defines the observed state of the SecretStore.
  2520. properties:
  2521. capabilities:
  2522. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  2523. type: string
  2524. conditions:
  2525. items:
  2526. properties:
  2527. lastTransitionTime:
  2528. format: date-time
  2529. type: string
  2530. message:
  2531. type: string
  2532. reason:
  2533. type: string
  2534. status:
  2535. type: string
  2536. type:
  2537. type: string
  2538. required:
  2539. - status
  2540. - type
  2541. type: object
  2542. type: array
  2543. type: object
  2544. type: object
  2545. served: true
  2546. storage: true
  2547. subresources:
  2548. status: {}
  2549. conversion:
  2550. strategy: Webhook
  2551. webhook:
  2552. conversionReviewVersions:
  2553. - v1
  2554. clientConfig:
  2555. service:
  2556. name: kubernetes
  2557. namespace: default
  2558. path: /convert
  2559. ---
  2560. apiVersion: apiextensions.k8s.io/v1
  2561. kind: CustomResourceDefinition
  2562. metadata:
  2563. annotations:
  2564. controller-gen.kubebuilder.io/version: v0.9.2
  2565. creationTimestamp: null
  2566. name: externalsecrets.external-secrets.io
  2567. spec:
  2568. group: external-secrets.io
  2569. names:
  2570. categories:
  2571. - externalsecrets
  2572. kind: ExternalSecret
  2573. listKind: ExternalSecretList
  2574. plural: externalsecrets
  2575. shortNames:
  2576. - es
  2577. singular: externalsecret
  2578. scope: Namespaced
  2579. versions:
  2580. - additionalPrinterColumns:
  2581. - jsonPath: .spec.secretStoreRef.name
  2582. name: Store
  2583. type: string
  2584. - jsonPath: .spec.refreshInterval
  2585. name: Refresh Interval
  2586. type: string
  2587. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2588. name: Status
  2589. type: string
  2590. deprecated: true
  2591. name: v1alpha1
  2592. schema:
  2593. openAPIV3Schema:
  2594. description: ExternalSecret is the Schema for the external-secrets API.
  2595. properties:
  2596. apiVersion:
  2597. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2598. type: string
  2599. kind:
  2600. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2601. type: string
  2602. metadata:
  2603. type: object
  2604. spec:
  2605. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2606. properties:
  2607. data:
  2608. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2609. items:
  2610. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2611. properties:
  2612. remoteRef:
  2613. description: ExternalSecretDataRemoteRef defines Provider data location.
  2614. properties:
  2615. conversionStrategy:
  2616. default: Default
  2617. description: Used to define a conversion Strategy
  2618. type: string
  2619. key:
  2620. description: Key is the key used in the Provider, mandatory
  2621. type: string
  2622. property:
  2623. description: Used to select a specific property of the Provider value (if a map), if supported
  2624. type: string
  2625. version:
  2626. description: Used to select a specific version of the Provider value, if supported
  2627. type: string
  2628. required:
  2629. - key
  2630. type: object
  2631. secretKey:
  2632. type: string
  2633. required:
  2634. - remoteRef
  2635. - secretKey
  2636. type: object
  2637. type: array
  2638. dataFrom:
  2639. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2640. items:
  2641. description: ExternalSecretDataRemoteRef defines Provider data location.
  2642. properties:
  2643. conversionStrategy:
  2644. default: Default
  2645. description: Used to define a conversion Strategy
  2646. type: string
  2647. key:
  2648. description: Key is the key used in the Provider, mandatory
  2649. type: string
  2650. property:
  2651. description: Used to select a specific property of the Provider value (if a map), if supported
  2652. type: string
  2653. version:
  2654. description: Used to select a specific version of the Provider value, if supported
  2655. type: string
  2656. required:
  2657. - key
  2658. type: object
  2659. type: array
  2660. refreshInterval:
  2661. default: 1h
  2662. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2663. type: string
  2664. secretStoreRef:
  2665. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2666. properties:
  2667. kind:
  2668. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2669. type: string
  2670. name:
  2671. description: Name of the SecretStore resource
  2672. type: string
  2673. required:
  2674. - name
  2675. type: object
  2676. target:
  2677. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2678. properties:
  2679. creationPolicy:
  2680. default: Owner
  2681. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2682. type: string
  2683. immutable:
  2684. description: Immutable defines if the final secret will be immutable
  2685. type: boolean
  2686. name:
  2687. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2688. type: string
  2689. template:
  2690. description: Template defines a blueprint for the created Secret resource.
  2691. properties:
  2692. data:
  2693. additionalProperties:
  2694. type: string
  2695. type: object
  2696. engineVersion:
  2697. default: v1
  2698. description: EngineVersion specifies the template engine version that should be used to compile/execute the template specified in .data and .templateFrom[].
  2699. type: string
  2700. metadata:
  2701. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2702. properties:
  2703. annotations:
  2704. additionalProperties:
  2705. type: string
  2706. type: object
  2707. labels:
  2708. additionalProperties:
  2709. type: string
  2710. type: object
  2711. type: object
  2712. templateFrom:
  2713. items:
  2714. maxProperties: 1
  2715. minProperties: 1
  2716. properties:
  2717. configMap:
  2718. properties:
  2719. items:
  2720. items:
  2721. properties:
  2722. key:
  2723. type: string
  2724. required:
  2725. - key
  2726. type: object
  2727. type: array
  2728. name:
  2729. type: string
  2730. required:
  2731. - items
  2732. - name
  2733. type: object
  2734. secret:
  2735. properties:
  2736. items:
  2737. items:
  2738. properties:
  2739. key:
  2740. type: string
  2741. required:
  2742. - key
  2743. type: object
  2744. type: array
  2745. name:
  2746. type: string
  2747. required:
  2748. - items
  2749. - name
  2750. type: object
  2751. type: object
  2752. type: array
  2753. type:
  2754. type: string
  2755. type: object
  2756. type: object
  2757. required:
  2758. - secretStoreRef
  2759. - target
  2760. type: object
  2761. status:
  2762. properties:
  2763. conditions:
  2764. items:
  2765. properties:
  2766. lastTransitionTime:
  2767. format: date-time
  2768. type: string
  2769. message:
  2770. type: string
  2771. reason:
  2772. type: string
  2773. status:
  2774. type: string
  2775. type:
  2776. type: string
  2777. required:
  2778. - status
  2779. - type
  2780. type: object
  2781. type: array
  2782. refreshTime:
  2783. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  2784. format: date-time
  2785. nullable: true
  2786. type: string
  2787. syncedResourceVersion:
  2788. description: SyncedResourceVersion keeps track of the last synced version
  2789. type: string
  2790. type: object
  2791. type: object
  2792. served: true
  2793. storage: false
  2794. subresources:
  2795. status: {}
  2796. - additionalPrinterColumns:
  2797. - jsonPath: .spec.secretStoreRef.name
  2798. name: Store
  2799. type: string
  2800. - jsonPath: .spec.refreshInterval
  2801. name: Refresh Interval
  2802. type: string
  2803. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2804. name: Status
  2805. type: string
  2806. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2807. name: Ready
  2808. type: string
  2809. name: v1beta1
  2810. schema:
  2811. openAPIV3Schema:
  2812. description: ExternalSecret is the Schema for the external-secrets API.
  2813. properties:
  2814. apiVersion:
  2815. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  2816. type: string
  2817. kind:
  2818. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  2819. type: string
  2820. metadata:
  2821. type: object
  2822. spec:
  2823. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  2824. properties:
  2825. data:
  2826. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  2827. items:
  2828. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  2829. properties:
  2830. remoteRef:
  2831. description: ExternalSecretDataRemoteRef defines Provider data location.
  2832. properties:
  2833. conversionStrategy:
  2834. default: Default
  2835. description: Used to define a conversion Strategy
  2836. type: string
  2837. decodingStrategy:
  2838. default: None
  2839. description: Used to define a decoding Strategy
  2840. type: string
  2841. key:
  2842. description: Key is the key used in the Provider, mandatory
  2843. type: string
  2844. metadataPolicy:
  2845. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2846. type: string
  2847. property:
  2848. description: Used to select a specific property of the Provider value (if a map), if supported
  2849. type: string
  2850. version:
  2851. description: Used to select a specific version of the Provider value, if supported
  2852. type: string
  2853. required:
  2854. - key
  2855. type: object
  2856. secretKey:
  2857. type: string
  2858. required:
  2859. - remoteRef
  2860. - secretKey
  2861. type: object
  2862. type: array
  2863. dataFrom:
  2864. description: DataFrom is used to fetch all properties from a specific Provider data If multiple entries are specified, the Secret keys are merged in the specified order
  2865. items:
  2866. properties:
  2867. extract:
  2868. description: Used to extract multiple key/value pairs from one secret
  2869. properties:
  2870. conversionStrategy:
  2871. default: Default
  2872. description: Used to define a conversion Strategy
  2873. type: string
  2874. decodingStrategy:
  2875. default: None
  2876. description: Used to define a decoding Strategy
  2877. type: string
  2878. key:
  2879. description: Key is the key used in the Provider, mandatory
  2880. type: string
  2881. metadataPolicy:
  2882. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  2883. type: string
  2884. property:
  2885. description: Used to select a specific property of the Provider value (if a map), if supported
  2886. type: string
  2887. version:
  2888. description: Used to select a specific version of the Provider value, if supported
  2889. type: string
  2890. required:
  2891. - key
  2892. type: object
  2893. find:
  2894. description: Used to find secrets based on tags or regular expressions
  2895. properties:
  2896. conversionStrategy:
  2897. default: Default
  2898. description: Used to define a conversion Strategy
  2899. type: string
  2900. decodingStrategy:
  2901. default: None
  2902. description: Used to define a decoding Strategy
  2903. type: string
  2904. name:
  2905. description: Finds secrets based on the name.
  2906. properties:
  2907. regexp:
  2908. description: Finds secrets base
  2909. type: string
  2910. type: object
  2911. path:
  2912. description: A root path to start the find operations.
  2913. type: string
  2914. tags:
  2915. additionalProperties:
  2916. type: string
  2917. description: Find secrets based on tags.
  2918. type: object
  2919. type: object
  2920. rewrite:
  2921. description: Used to rewrite secret Keys after getting them from the secret Provider Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  2922. items:
  2923. properties:
  2924. regexp:
  2925. description: Used to rewrite with regular expressions. The resulting key will be the output of a regexp.ReplaceAll operation.
  2926. properties:
  2927. source:
  2928. description: Used to define the regular expression of a re.Compiler.
  2929. type: string
  2930. target:
  2931. description: Used to define the target pattern of a ReplaceAll operation.
  2932. type: string
  2933. required:
  2934. - source
  2935. - target
  2936. type: object
  2937. type: object
  2938. type: array
  2939. type: object
  2940. type: array
  2941. refreshInterval:
  2942. default: 1h
  2943. description: RefreshInterval is the amount of time before the values are read again from the SecretStore provider Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" May be set to zero to fetch and create it once. Defaults to 1h.
  2944. type: string
  2945. secretStoreRef:
  2946. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  2947. properties:
  2948. kind:
  2949. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  2950. type: string
  2951. name:
  2952. description: Name of the SecretStore resource
  2953. type: string
  2954. required:
  2955. - name
  2956. type: object
  2957. target:
  2958. default:
  2959. creationPolicy: Owner
  2960. deletionPolicy: Retain
  2961. description: ExternalSecretTarget defines the Kubernetes Secret to be created There can be only one target per ExternalSecret.
  2962. properties:
  2963. creationPolicy:
  2964. default: Owner
  2965. description: CreationPolicy defines rules on how to create the resulting Secret Defaults to 'Owner'
  2966. enum:
  2967. - Owner
  2968. - Orphan
  2969. - Merge
  2970. - None
  2971. type: string
  2972. deletionPolicy:
  2973. default: Retain
  2974. description: DeletionPolicy defines rules on how to delete the resulting Secret Defaults to 'Retain'
  2975. enum:
  2976. - Delete
  2977. - Merge
  2978. - Retain
  2979. type: string
  2980. immutable:
  2981. description: Immutable defines if the final secret will be immutable
  2982. type: boolean
  2983. name:
  2984. description: Name defines the name of the Secret resource to be managed This field is immutable Defaults to the .metadata.name of the ExternalSecret resource
  2985. type: string
  2986. template:
  2987. description: Template defines a blueprint for the created Secret resource.
  2988. properties:
  2989. data:
  2990. additionalProperties:
  2991. type: string
  2992. type: object
  2993. engineVersion:
  2994. default: v2
  2995. type: string
  2996. metadata:
  2997. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2998. properties:
  2999. annotations:
  3000. additionalProperties:
  3001. type: string
  3002. type: object
  3003. labels:
  3004. additionalProperties:
  3005. type: string
  3006. type: object
  3007. type: object
  3008. templateFrom:
  3009. items:
  3010. maxProperties: 1
  3011. minProperties: 1
  3012. properties:
  3013. configMap:
  3014. properties:
  3015. items:
  3016. items:
  3017. properties:
  3018. key:
  3019. type: string
  3020. required:
  3021. - key
  3022. type: object
  3023. type: array
  3024. name:
  3025. type: string
  3026. required:
  3027. - items
  3028. - name
  3029. type: object
  3030. secret:
  3031. properties:
  3032. items:
  3033. items:
  3034. properties:
  3035. key:
  3036. type: string
  3037. required:
  3038. - key
  3039. type: object
  3040. type: array
  3041. name:
  3042. type: string
  3043. required:
  3044. - items
  3045. - name
  3046. type: object
  3047. type: object
  3048. type: array
  3049. type:
  3050. type: string
  3051. type: object
  3052. type: object
  3053. required:
  3054. - secretStoreRef
  3055. type: object
  3056. status:
  3057. properties:
  3058. conditions:
  3059. items:
  3060. properties:
  3061. lastTransitionTime:
  3062. format: date-time
  3063. type: string
  3064. message:
  3065. type: string
  3066. reason:
  3067. type: string
  3068. status:
  3069. type: string
  3070. type:
  3071. type: string
  3072. required:
  3073. - status
  3074. - type
  3075. type: object
  3076. type: array
  3077. refreshTime:
  3078. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3079. format: date-time
  3080. nullable: true
  3081. type: string
  3082. syncedResourceVersion:
  3083. description: SyncedResourceVersion keeps track of the last synced version
  3084. type: string
  3085. type: object
  3086. type: object
  3087. served: true
  3088. storage: true
  3089. subresources:
  3090. status: {}
  3091. conversion:
  3092. strategy: Webhook
  3093. webhook:
  3094. conversionReviewVersions:
  3095. - v1
  3096. clientConfig:
  3097. service:
  3098. name: kubernetes
  3099. namespace: default
  3100. path: /convert
  3101. ---
  3102. apiVersion: apiextensions.k8s.io/v1
  3103. kind: CustomResourceDefinition
  3104. metadata:
  3105. annotations:
  3106. controller-gen.kubebuilder.io/version: v0.9.2
  3107. creationTimestamp: null
  3108. name: pushsecrets.external-secrets.io
  3109. spec:
  3110. group: external-secrets.io
  3111. names:
  3112. categories:
  3113. - pushsecrets
  3114. kind: PushSecret
  3115. listKind: PushSecretList
  3116. plural: pushsecrets
  3117. singular: pushsecret
  3118. scope: Namespaced
  3119. versions:
  3120. - additionalPrinterColumns:
  3121. - jsonPath: .metadata.creationTimestamp
  3122. name: AGE
  3123. type: date
  3124. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3125. name: Status
  3126. type: string
  3127. name: v1alpha1
  3128. schema:
  3129. openAPIV3Schema:
  3130. properties:
  3131. apiVersion:
  3132. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3133. type: string
  3134. kind:
  3135. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3136. type: string
  3137. metadata:
  3138. type: object
  3139. spec:
  3140. description: PushSecretSpec configures the behavior of the PushSecret.
  3141. properties:
  3142. data:
  3143. items:
  3144. properties:
  3145. match:
  3146. items:
  3147. properties:
  3148. remoteRefs:
  3149. items:
  3150. properties:
  3151. remoteKey:
  3152. type: string
  3153. required:
  3154. - remoteKey
  3155. type: object
  3156. type: array
  3157. secretKey:
  3158. type: string
  3159. required:
  3160. - remoteRefs
  3161. - secretKey
  3162. type: object
  3163. type: array
  3164. required:
  3165. - match
  3166. type: object
  3167. type: array
  3168. refreshInterval:
  3169. type: string
  3170. secretStoreRefs:
  3171. items:
  3172. properties:
  3173. kind:
  3174. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore) Defaults to `SecretStore`
  3175. type: string
  3176. name:
  3177. description: Name of the SecretStore resource
  3178. type: string
  3179. required:
  3180. - name
  3181. type: object
  3182. type: array
  3183. selector:
  3184. properties:
  3185. secret:
  3186. properties:
  3187. name:
  3188. type: string
  3189. required:
  3190. - name
  3191. type: object
  3192. required:
  3193. - secret
  3194. type: object
  3195. required:
  3196. - secretStoreRefs
  3197. - selector
  3198. type: object
  3199. status:
  3200. description: PushSecretStatus indicates the history of the status of PushSecret.
  3201. properties:
  3202. conditions:
  3203. items:
  3204. description: PushSecretStatusCondition indicates the status of the PushSecret.
  3205. properties:
  3206. lastTransitionTime:
  3207. format: date-time
  3208. type: string
  3209. message:
  3210. type: string
  3211. reason:
  3212. type: string
  3213. status:
  3214. type: string
  3215. type:
  3216. description: PushSecretConditionType indicates the condition of the PushSecret.
  3217. type: string
  3218. required:
  3219. - status
  3220. - type
  3221. type: object
  3222. type: array
  3223. refreshTime:
  3224. description: refreshTime is the time and date the external secret was fetched and the target secret updated
  3225. format: date-time
  3226. nullable: true
  3227. type: string
  3228. syncedResourceVersion:
  3229. description: SyncedResourceVersion keeps track of the last synced version.
  3230. type: string
  3231. type: object
  3232. type: object
  3233. served: true
  3234. storage: true
  3235. subresources:
  3236. status: {}
  3237. conversion:
  3238. strategy: Webhook
  3239. webhook:
  3240. conversionReviewVersions:
  3241. - v1
  3242. clientConfig:
  3243. service:
  3244. name: kubernetes
  3245. namespace: default
  3246. path: /convert
  3247. ---
  3248. apiVersion: apiextensions.k8s.io/v1
  3249. kind: CustomResourceDefinition
  3250. metadata:
  3251. annotations:
  3252. controller-gen.kubebuilder.io/version: v0.9.0
  3253. creationTimestamp: null
  3254. name: secretstores.external-secrets.io
  3255. spec:
  3256. group: external-secrets.io
  3257. names:
  3258. categories:
  3259. - externalsecrets
  3260. kind: SecretStore
  3261. listKind: SecretStoreList
  3262. plural: secretstores
  3263. shortNames:
  3264. - ss
  3265. singular: secretstore
  3266. scope: Namespaced
  3267. versions:
  3268. - additionalPrinterColumns:
  3269. - jsonPath: .metadata.creationTimestamp
  3270. name: AGE
  3271. type: date
  3272. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  3273. name: Status
  3274. type: string
  3275. deprecated: true
  3276. name: v1alpha1
  3277. schema:
  3278. openAPIV3Schema:
  3279. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  3280. properties:
  3281. apiVersion:
  3282. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  3283. type: string
  3284. kind:
  3285. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  3286. type: string
  3287. metadata:
  3288. type: object
  3289. spec:
  3290. description: SecretStoreSpec defines the desired state of SecretStore.
  3291. properties:
  3292. controller:
  3293. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  3294. type: string
  3295. provider:
  3296. description: Used to configure the provider. Only one provider may be set
  3297. maxProperties: 1
  3298. minProperties: 1
  3299. properties:
  3300. akeyless:
  3301. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  3302. properties:
  3303. akeylessGWApiURL:
  3304. description: Akeyless GW API Url from which the secrets to be fetched from.
  3305. type: string
  3306. authSecretRef:
  3307. description: Auth configures how the operator authenticates with Akeyless.
  3308. properties:
  3309. secretRef:
  3310. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  3311. properties:
  3312. accessID:
  3313. description: The SecretAccessID is used for authentication
  3314. properties:
  3315. key:
  3316. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3317. type: string
  3318. name:
  3319. description: The name of the Secret resource being referred to.
  3320. type: string
  3321. namespace:
  3322. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3323. type: string
  3324. type: object
  3325. accessType:
  3326. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3327. properties:
  3328. key:
  3329. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3330. type: string
  3331. name:
  3332. description: The name of the Secret resource being referred to.
  3333. type: string
  3334. namespace:
  3335. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3336. type: string
  3337. type: object
  3338. accessTypeParam:
  3339. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3340. properties:
  3341. key:
  3342. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3343. type: string
  3344. name:
  3345. description: The name of the Secret resource being referred to.
  3346. type: string
  3347. namespace:
  3348. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3349. type: string
  3350. type: object
  3351. type: object
  3352. required:
  3353. - secretRef
  3354. type: object
  3355. required:
  3356. - akeylessGWApiURL
  3357. - authSecretRef
  3358. type: object
  3359. alibaba:
  3360. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  3361. properties:
  3362. auth:
  3363. description: AlibabaAuth contains a secretRef for credentials.
  3364. properties:
  3365. secretRef:
  3366. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  3367. properties:
  3368. accessKeyIDSecretRef:
  3369. description: The AccessKeyID is used for authentication
  3370. properties:
  3371. key:
  3372. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3373. type: string
  3374. name:
  3375. description: The name of the Secret resource being referred to.
  3376. type: string
  3377. namespace:
  3378. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3379. type: string
  3380. type: object
  3381. accessKeySecretSecretRef:
  3382. description: The AccessKeySecret is used for authentication
  3383. properties:
  3384. key:
  3385. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3386. type: string
  3387. name:
  3388. description: The name of the Secret resource being referred to.
  3389. type: string
  3390. namespace:
  3391. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3392. type: string
  3393. type: object
  3394. required:
  3395. - accessKeyIDSecretRef
  3396. - accessKeySecretSecretRef
  3397. type: object
  3398. required:
  3399. - secretRef
  3400. type: object
  3401. endpoint:
  3402. type: string
  3403. regionID:
  3404. description: Alibaba Region to be used for the provider
  3405. type: string
  3406. required:
  3407. - auth
  3408. - regionID
  3409. type: object
  3410. aws:
  3411. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  3412. properties:
  3413. auth:
  3414. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  3415. properties:
  3416. jwt:
  3417. description: Authenticate against AWS using service account tokens.
  3418. properties:
  3419. serviceAccountRef:
  3420. description: A reference to a ServiceAccount resource.
  3421. properties:
  3422. name:
  3423. description: The name of the ServiceAccount resource being referred to.
  3424. type: string
  3425. namespace:
  3426. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3427. type: string
  3428. required:
  3429. - name
  3430. type: object
  3431. type: object
  3432. secretRef:
  3433. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  3434. properties:
  3435. accessKeyIDSecretRef:
  3436. description: The AccessKeyID is used for authentication
  3437. properties:
  3438. key:
  3439. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3440. type: string
  3441. name:
  3442. description: The name of the Secret resource being referred to.
  3443. type: string
  3444. namespace:
  3445. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3446. type: string
  3447. type: object
  3448. secretAccessKeySecretRef:
  3449. description: The SecretAccessKey is used for authentication
  3450. properties:
  3451. key:
  3452. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3453. type: string
  3454. name:
  3455. description: The name of the Secret resource being referred to.
  3456. type: string
  3457. namespace:
  3458. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3459. type: string
  3460. type: object
  3461. type: object
  3462. type: object
  3463. region:
  3464. description: AWS Region to be used for the provider
  3465. type: string
  3466. role:
  3467. description: Role is a Role ARN which the SecretManager provider will assume
  3468. type: string
  3469. service:
  3470. description: Service defines which service should be used to fetch the secrets
  3471. enum:
  3472. - SecretsManager
  3473. - ParameterStore
  3474. type: string
  3475. required:
  3476. - region
  3477. - service
  3478. type: object
  3479. azurekv:
  3480. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  3481. properties:
  3482. authSecretRef:
  3483. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  3484. properties:
  3485. clientId:
  3486. description: The Azure clientId of the service principle used for authentication.
  3487. properties:
  3488. key:
  3489. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3490. type: string
  3491. name:
  3492. description: The name of the Secret resource being referred to.
  3493. type: string
  3494. namespace:
  3495. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3496. type: string
  3497. type: object
  3498. clientSecret:
  3499. description: The Azure ClientSecret of the service principle used for authentication.
  3500. properties:
  3501. key:
  3502. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3503. type: string
  3504. name:
  3505. description: The name of the Secret resource being referred to.
  3506. type: string
  3507. namespace:
  3508. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3509. type: string
  3510. type: object
  3511. type: object
  3512. authType:
  3513. default: ServicePrincipal
  3514. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  3515. enum:
  3516. - ServicePrincipal
  3517. - ManagedIdentity
  3518. - WorkloadIdentity
  3519. type: string
  3520. identityId:
  3521. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3522. type: string
  3523. serviceAccountRef:
  3524. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  3525. properties:
  3526. name:
  3527. description: The name of the ServiceAccount resource being referred to.
  3528. type: string
  3529. namespace:
  3530. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3531. type: string
  3532. required:
  3533. - name
  3534. type: object
  3535. tenantId:
  3536. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  3537. type: string
  3538. vaultUrl:
  3539. description: Vault Url from which the secrets to be fetched from.
  3540. type: string
  3541. required:
  3542. - vaultUrl
  3543. type: object
  3544. fake:
  3545. description: Fake configures a store with static key/value pairs
  3546. properties:
  3547. data:
  3548. items:
  3549. properties:
  3550. key:
  3551. type: string
  3552. value:
  3553. type: string
  3554. valueMap:
  3555. additionalProperties:
  3556. type: string
  3557. type: object
  3558. version:
  3559. type: string
  3560. required:
  3561. - key
  3562. type: object
  3563. type: array
  3564. required:
  3565. - data
  3566. type: object
  3567. gcpsm:
  3568. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3569. properties:
  3570. auth:
  3571. description: Auth defines the information necessary to authenticate against GCP
  3572. properties:
  3573. secretRef:
  3574. properties:
  3575. secretAccessKeySecretRef:
  3576. description: The SecretAccessKey is used for authentication
  3577. properties:
  3578. key:
  3579. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3580. type: string
  3581. name:
  3582. description: The name of the Secret resource being referred to.
  3583. type: string
  3584. namespace:
  3585. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3586. type: string
  3587. type: object
  3588. type: object
  3589. workloadIdentity:
  3590. properties:
  3591. clusterLocation:
  3592. type: string
  3593. clusterName:
  3594. type: string
  3595. clusterProjectID:
  3596. type: string
  3597. serviceAccountRef:
  3598. description: A reference to a ServiceAccount resource.
  3599. properties:
  3600. name:
  3601. description: The name of the ServiceAccount resource being referred to.
  3602. type: string
  3603. namespace:
  3604. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3605. type: string
  3606. required:
  3607. - name
  3608. type: object
  3609. required:
  3610. - clusterLocation
  3611. - clusterName
  3612. - serviceAccountRef
  3613. type: object
  3614. type: object
  3615. projectID:
  3616. description: ProjectID project where secret is located
  3617. type: string
  3618. type: object
  3619. gitlab:
  3620. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  3621. properties:
  3622. auth:
  3623. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3624. properties:
  3625. SecretRef:
  3626. properties:
  3627. accessToken:
  3628. description: AccessToken is used for authentication.
  3629. properties:
  3630. key:
  3631. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3632. type: string
  3633. name:
  3634. description: The name of the Secret resource being referred to.
  3635. type: string
  3636. namespace:
  3637. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3638. type: string
  3639. type: object
  3640. type: object
  3641. required:
  3642. - SecretRef
  3643. type: object
  3644. projectID:
  3645. description: ProjectID specifies a project where secrets are located.
  3646. type: string
  3647. url:
  3648. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3649. type: string
  3650. required:
  3651. - auth
  3652. type: object
  3653. ibm:
  3654. description: IBM configures this store to sync secrets using IBM Cloud provider
  3655. properties:
  3656. auth:
  3657. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3658. properties:
  3659. secretRef:
  3660. properties:
  3661. secretApiKeySecretRef:
  3662. description: The SecretAccessKey is used for authentication
  3663. properties:
  3664. key:
  3665. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3666. type: string
  3667. name:
  3668. description: The name of the Secret resource being referred to.
  3669. type: string
  3670. namespace:
  3671. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3672. type: string
  3673. type: object
  3674. type: object
  3675. required:
  3676. - secretRef
  3677. type: object
  3678. serviceUrl:
  3679. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3680. type: string
  3681. required:
  3682. - auth
  3683. type: object
  3684. kubernetes:
  3685. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3686. properties:
  3687. auth:
  3688. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3689. maxProperties: 1
  3690. minProperties: 1
  3691. properties:
  3692. cert:
  3693. description: has both clientCert and clientKey as secretKeySelector
  3694. properties:
  3695. clientCert:
  3696. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3697. properties:
  3698. key:
  3699. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3700. type: string
  3701. name:
  3702. description: The name of the Secret resource being referred to.
  3703. type: string
  3704. namespace:
  3705. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3706. type: string
  3707. type: object
  3708. clientKey:
  3709. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3710. properties:
  3711. key:
  3712. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3713. type: string
  3714. name:
  3715. description: The name of the Secret resource being referred to.
  3716. type: string
  3717. namespace:
  3718. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3719. type: string
  3720. type: object
  3721. type: object
  3722. serviceAccount:
  3723. description: points to a service account that should be used for authentication
  3724. properties:
  3725. serviceAccount:
  3726. description: A reference to a ServiceAccount resource.
  3727. properties:
  3728. name:
  3729. description: The name of the ServiceAccount resource being referred to.
  3730. type: string
  3731. namespace:
  3732. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3733. type: string
  3734. required:
  3735. - name
  3736. type: object
  3737. type: object
  3738. token:
  3739. description: use static token to authenticate with
  3740. properties:
  3741. bearerToken:
  3742. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  3743. properties:
  3744. key:
  3745. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3746. type: string
  3747. name:
  3748. description: The name of the Secret resource being referred to.
  3749. type: string
  3750. namespace:
  3751. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3752. type: string
  3753. type: object
  3754. type: object
  3755. type: object
  3756. remoteNamespace:
  3757. default: default
  3758. description: Remote namespace to fetch the secrets from
  3759. type: string
  3760. server:
  3761. description: configures the Kubernetes server Address.
  3762. properties:
  3763. caBundle:
  3764. description: CABundle is a base64-encoded CA certificate
  3765. format: byte
  3766. type: string
  3767. caProvider:
  3768. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3769. properties:
  3770. key:
  3771. description: The key the value inside of the provider type to use, only used with "Secret" type
  3772. type: string
  3773. name:
  3774. description: The name of the object located at the provider type.
  3775. type: string
  3776. namespace:
  3777. description: The namespace the Provider type is in.
  3778. type: string
  3779. type:
  3780. description: The type of provider to use such as "Secret", or "ConfigMap".
  3781. enum:
  3782. - Secret
  3783. - ConfigMap
  3784. type: string
  3785. required:
  3786. - name
  3787. - type
  3788. type: object
  3789. url:
  3790. default: kubernetes.default
  3791. description: configures the Kubernetes server Address.
  3792. type: string
  3793. type: object
  3794. required:
  3795. - auth
  3796. type: object
  3797. oracle:
  3798. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3799. properties:
  3800. auth:
  3801. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3802. properties:
  3803. secretRef:
  3804. description: SecretRef to pass through sensitive information.
  3805. properties:
  3806. fingerprint:
  3807. description: Fingerprint is the fingerprint of the API private key.
  3808. properties:
  3809. key:
  3810. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3811. type: string
  3812. name:
  3813. description: The name of the Secret resource being referred to.
  3814. type: string
  3815. namespace:
  3816. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3817. type: string
  3818. type: object
  3819. privatekey:
  3820. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3821. properties:
  3822. key:
  3823. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3824. type: string
  3825. name:
  3826. description: The name of the Secret resource being referred to.
  3827. type: string
  3828. namespace:
  3829. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3830. type: string
  3831. type: object
  3832. required:
  3833. - fingerprint
  3834. - privatekey
  3835. type: object
  3836. tenancy:
  3837. description: Tenancy is the tenancy OCID where user is located.
  3838. type: string
  3839. user:
  3840. description: User is an access OCID specific to the account.
  3841. type: string
  3842. required:
  3843. - secretRef
  3844. - tenancy
  3845. - user
  3846. type: object
  3847. region:
  3848. description: Region is the region where vault is located.
  3849. type: string
  3850. vault:
  3851. description: Vault is the vault's OCID of the specific vault where secret is located.
  3852. type: string
  3853. required:
  3854. - region
  3855. - vault
  3856. type: object
  3857. vault:
  3858. description: Vault configures this store to sync secrets using Hashi provider
  3859. properties:
  3860. auth:
  3861. description: Auth configures how secret-manager authenticates with the Vault server.
  3862. properties:
  3863. appRole:
  3864. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  3865. properties:
  3866. path:
  3867. default: approle
  3868. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  3869. type: string
  3870. roleId:
  3871. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  3872. type: string
  3873. secretRef:
  3874. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  3875. properties:
  3876. key:
  3877. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3878. type: string
  3879. name:
  3880. description: The name of the Secret resource being referred to.
  3881. type: string
  3882. namespace:
  3883. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3884. type: string
  3885. type: object
  3886. required:
  3887. - path
  3888. - roleId
  3889. - secretRef
  3890. type: object
  3891. cert:
  3892. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  3893. properties:
  3894. clientCert:
  3895. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  3896. properties:
  3897. key:
  3898. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3899. type: string
  3900. name:
  3901. description: The name of the Secret resource being referred to.
  3902. type: string
  3903. namespace:
  3904. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3905. type: string
  3906. type: object
  3907. secretRef:
  3908. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  3909. properties:
  3910. key:
  3911. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3912. type: string
  3913. name:
  3914. description: The name of the Secret resource being referred to.
  3915. type: string
  3916. namespace:
  3917. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3918. type: string
  3919. type: object
  3920. type: object
  3921. jwt:
  3922. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  3923. properties:
  3924. kubernetesServiceAccountToken:
  3925. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  3926. properties:
  3927. audiences:
  3928. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  3929. items:
  3930. type: string
  3931. type: array
  3932. expirationSeconds:
  3933. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  3934. format: int64
  3935. type: integer
  3936. serviceAccountRef:
  3937. description: Service account field containing the name of a kubernetes ServiceAccount.
  3938. properties:
  3939. name:
  3940. description: The name of the ServiceAccount resource being referred to.
  3941. type: string
  3942. namespace:
  3943. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3944. type: string
  3945. required:
  3946. - name
  3947. type: object
  3948. required:
  3949. - serviceAccountRef
  3950. type: object
  3951. path:
  3952. default: jwt
  3953. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  3954. type: string
  3955. role:
  3956. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  3957. type: string
  3958. secretRef:
  3959. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  3960. properties:
  3961. key:
  3962. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3963. type: string
  3964. name:
  3965. description: The name of the Secret resource being referred to.
  3966. type: string
  3967. namespace:
  3968. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3969. type: string
  3970. type: object
  3971. required:
  3972. - path
  3973. type: object
  3974. kubernetes:
  3975. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  3976. properties:
  3977. mountPath:
  3978. default: kubernetes
  3979. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  3980. type: string
  3981. role:
  3982. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  3983. type: string
  3984. secretRef:
  3985. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  3986. properties:
  3987. key:
  3988. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  3989. type: string
  3990. name:
  3991. description: The name of the Secret resource being referred to.
  3992. type: string
  3993. namespace:
  3994. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  3995. type: string
  3996. type: object
  3997. serviceAccountRef:
  3998. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  3999. properties:
  4000. name:
  4001. description: The name of the ServiceAccount resource being referred to.
  4002. type: string
  4003. namespace:
  4004. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4005. type: string
  4006. required:
  4007. - name
  4008. type: object
  4009. required:
  4010. - mountPath
  4011. - role
  4012. type: object
  4013. ldap:
  4014. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  4015. properties:
  4016. path:
  4017. default: ldap
  4018. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  4019. type: string
  4020. secretRef:
  4021. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  4022. properties:
  4023. key:
  4024. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4025. type: string
  4026. name:
  4027. description: The name of the Secret resource being referred to.
  4028. type: string
  4029. namespace:
  4030. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4031. type: string
  4032. type: object
  4033. username:
  4034. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  4035. type: string
  4036. required:
  4037. - path
  4038. - username
  4039. type: object
  4040. tokenSecretRef:
  4041. description: TokenSecretRef authenticates with Vault by presenting a token.
  4042. properties:
  4043. key:
  4044. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4045. type: string
  4046. name:
  4047. description: The name of the Secret resource being referred to.
  4048. type: string
  4049. namespace:
  4050. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4051. type: string
  4052. type: object
  4053. type: object
  4054. caBundle:
  4055. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4056. format: byte
  4057. type: string
  4058. caProvider:
  4059. description: The provider for the CA bundle to use to validate Vault server certificate.
  4060. properties:
  4061. key:
  4062. description: The key the value inside of the provider type to use, only used with "Secret" type
  4063. type: string
  4064. name:
  4065. description: The name of the object located at the provider type.
  4066. type: string
  4067. namespace:
  4068. description: The namespace the Provider type is in.
  4069. type: string
  4070. type:
  4071. description: The type of provider to use such as "Secret", or "ConfigMap".
  4072. enum:
  4073. - Secret
  4074. - ConfigMap
  4075. type: string
  4076. required:
  4077. - name
  4078. - type
  4079. type: object
  4080. forwardInconsistent:
  4081. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4082. type: boolean
  4083. namespace:
  4084. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  4085. type: string
  4086. path:
  4087. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  4088. type: string
  4089. readYourWrites:
  4090. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  4091. type: boolean
  4092. server:
  4093. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4094. type: string
  4095. version:
  4096. default: v2
  4097. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  4098. enum:
  4099. - v1
  4100. - v2
  4101. type: string
  4102. required:
  4103. - auth
  4104. - server
  4105. type: object
  4106. webhook:
  4107. description: Webhook configures this store to sync secrets using a generic templated webhook
  4108. properties:
  4109. body:
  4110. description: Body
  4111. type: string
  4112. caBundle:
  4113. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  4114. format: byte
  4115. type: string
  4116. caProvider:
  4117. description: The provider for the CA bundle to use to validate webhook server certificate.
  4118. properties:
  4119. key:
  4120. description: The key the value inside of the provider type to use, only used with "Secret" type
  4121. type: string
  4122. name:
  4123. description: The name of the object located at the provider type.
  4124. type: string
  4125. namespace:
  4126. description: The namespace the Provider type is in.
  4127. type: string
  4128. type:
  4129. description: The type of provider to use such as "Secret", or "ConfigMap".
  4130. enum:
  4131. - Secret
  4132. - ConfigMap
  4133. type: string
  4134. required:
  4135. - name
  4136. - type
  4137. type: object
  4138. headers:
  4139. additionalProperties:
  4140. type: string
  4141. description: Headers
  4142. type: object
  4143. method:
  4144. description: Webhook Method
  4145. type: string
  4146. result:
  4147. description: Result formatting
  4148. properties:
  4149. jsonPath:
  4150. description: Json path of return value
  4151. type: string
  4152. type: object
  4153. secrets:
  4154. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  4155. items:
  4156. properties:
  4157. name:
  4158. description: Name of this secret in templates
  4159. type: string
  4160. secretRef:
  4161. description: Secret ref to fill in credentials
  4162. properties:
  4163. key:
  4164. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4165. type: string
  4166. name:
  4167. description: The name of the Secret resource being referred to.
  4168. type: string
  4169. namespace:
  4170. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4171. type: string
  4172. type: object
  4173. required:
  4174. - name
  4175. - secretRef
  4176. type: object
  4177. type: array
  4178. timeout:
  4179. description: Timeout
  4180. type: string
  4181. url:
  4182. description: Webhook url to call
  4183. type: string
  4184. required:
  4185. - result
  4186. - url
  4187. type: object
  4188. yandexlockbox:
  4189. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4190. properties:
  4191. apiEndpoint:
  4192. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4193. type: string
  4194. auth:
  4195. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4196. properties:
  4197. authorizedKeySecretRef:
  4198. description: The authorized key used for authentication
  4199. properties:
  4200. key:
  4201. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4202. type: string
  4203. name:
  4204. description: The name of the Secret resource being referred to.
  4205. type: string
  4206. namespace:
  4207. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4208. type: string
  4209. type: object
  4210. type: object
  4211. caProvider:
  4212. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4213. properties:
  4214. certSecretRef:
  4215. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4216. properties:
  4217. key:
  4218. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4219. type: string
  4220. name:
  4221. description: The name of the Secret resource being referred to.
  4222. type: string
  4223. namespace:
  4224. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4225. type: string
  4226. type: object
  4227. type: object
  4228. required:
  4229. - auth
  4230. type: object
  4231. type: object
  4232. retrySettings:
  4233. description: Used to configure http retries if failed
  4234. properties:
  4235. maxRetries:
  4236. format: int32
  4237. type: integer
  4238. retryInterval:
  4239. type: string
  4240. type: object
  4241. required:
  4242. - provider
  4243. type: object
  4244. status:
  4245. description: SecretStoreStatus defines the observed state of the SecretStore.
  4246. properties:
  4247. conditions:
  4248. items:
  4249. properties:
  4250. lastTransitionTime:
  4251. format: date-time
  4252. type: string
  4253. message:
  4254. type: string
  4255. reason:
  4256. type: string
  4257. status:
  4258. type: string
  4259. type:
  4260. type: string
  4261. required:
  4262. - status
  4263. - type
  4264. type: object
  4265. type: array
  4266. type: object
  4267. type: object
  4268. served: true
  4269. storage: false
  4270. subresources:
  4271. status: {}
  4272. - additionalPrinterColumns:
  4273. - jsonPath: .metadata.creationTimestamp
  4274. name: AGE
  4275. type: date
  4276. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  4277. name: Status
  4278. type: string
  4279. - jsonPath: .status.capabilities
  4280. name: Capabilities
  4281. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  4282. name: Ready
  4283. type: string
  4284. name: v1beta1
  4285. schema:
  4286. openAPIV3Schema:
  4287. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  4288. properties:
  4289. apiVersion:
  4290. description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
  4291. type: string
  4292. kind:
  4293. description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
  4294. type: string
  4295. metadata:
  4296. type: object
  4297. spec:
  4298. description: SecretStoreSpec defines the desired state of SecretStore.
  4299. properties:
  4300. controller:
  4301. description: 'Used to select the correct KES controller (think: ingress.ingressClassName) The KES controller is instantiated with a specific controller name and filters ES based on this property'
  4302. type: string
  4303. provider:
  4304. description: Used to configure the provider. Only one provider may be set
  4305. maxProperties: 1
  4306. minProperties: 1
  4307. properties:
  4308. akeyless:
  4309. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  4310. properties:
  4311. akeylessGWApiURL:
  4312. description: Akeyless GW API Url from which the secrets to be fetched from.
  4313. type: string
  4314. authSecretRef:
  4315. description: Auth configures how the operator authenticates with Akeyless.
  4316. properties:
  4317. secretRef:
  4318. description: 'AkeylessAuthSecretRef AKEYLESS_ACCESS_TYPE_PARAM: AZURE_OBJ_ID OR GCP_AUDIENCE OR ACCESS_KEY OR KUB_CONFIG_NAME.'
  4319. properties:
  4320. accessID:
  4321. description: The SecretAccessID is used for authentication
  4322. properties:
  4323. key:
  4324. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4325. type: string
  4326. name:
  4327. description: The name of the Secret resource being referred to.
  4328. type: string
  4329. namespace:
  4330. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4331. type: string
  4332. type: object
  4333. accessType:
  4334. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4335. properties:
  4336. key:
  4337. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4338. type: string
  4339. name:
  4340. description: The name of the Secret resource being referred to.
  4341. type: string
  4342. namespace:
  4343. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4344. type: string
  4345. type: object
  4346. accessTypeParam:
  4347. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4348. properties:
  4349. key:
  4350. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4351. type: string
  4352. name:
  4353. description: The name of the Secret resource being referred to.
  4354. type: string
  4355. namespace:
  4356. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4357. type: string
  4358. type: object
  4359. type: object
  4360. required:
  4361. - secretRef
  4362. type: object
  4363. required:
  4364. - akeylessGWApiURL
  4365. - authSecretRef
  4366. type: object
  4367. alibaba:
  4368. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  4369. properties:
  4370. auth:
  4371. description: AlibabaAuth contains a secretRef for credentials.
  4372. properties:
  4373. secretRef:
  4374. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  4375. properties:
  4376. accessKeyIDSecretRef:
  4377. description: The AccessKeyID is used for authentication
  4378. properties:
  4379. key:
  4380. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4381. type: string
  4382. name:
  4383. description: The name of the Secret resource being referred to.
  4384. type: string
  4385. namespace:
  4386. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4387. type: string
  4388. type: object
  4389. accessKeySecretSecretRef:
  4390. description: The AccessKeySecret is used for authentication
  4391. properties:
  4392. key:
  4393. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4394. type: string
  4395. name:
  4396. description: The name of the Secret resource being referred to.
  4397. type: string
  4398. namespace:
  4399. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4400. type: string
  4401. type: object
  4402. required:
  4403. - accessKeyIDSecretRef
  4404. - accessKeySecretSecretRef
  4405. type: object
  4406. required:
  4407. - secretRef
  4408. type: object
  4409. endpoint:
  4410. type: string
  4411. regionID:
  4412. description: Alibaba Region to be used for the provider
  4413. type: string
  4414. required:
  4415. - auth
  4416. - regionID
  4417. type: object
  4418. aws:
  4419. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  4420. properties:
  4421. auth:
  4422. description: 'Auth defines the information necessary to authenticate against AWS if not set aws sdk will infer credentials from your environment see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials'
  4423. properties:
  4424. jwt:
  4425. description: Authenticate against AWS using service account tokens.
  4426. properties:
  4427. serviceAccountRef:
  4428. description: A reference to a ServiceAccount resource.
  4429. properties:
  4430. name:
  4431. description: The name of the ServiceAccount resource being referred to.
  4432. type: string
  4433. namespace:
  4434. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4435. type: string
  4436. required:
  4437. - name
  4438. type: object
  4439. type: object
  4440. secretRef:
  4441. description: AWSAuthSecretRef holds secret references for AWS credentials both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  4442. properties:
  4443. accessKeyIDSecretRef:
  4444. description: The AccessKeyID is used for authentication
  4445. properties:
  4446. key:
  4447. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4448. type: string
  4449. name:
  4450. description: The name of the Secret resource being referred to.
  4451. type: string
  4452. namespace:
  4453. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4454. type: string
  4455. type: object
  4456. secretAccessKeySecretRef:
  4457. description: The SecretAccessKey is used for authentication
  4458. properties:
  4459. key:
  4460. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4461. type: string
  4462. name:
  4463. description: The name of the Secret resource being referred to.
  4464. type: string
  4465. namespace:
  4466. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4467. type: string
  4468. type: object
  4469. type: object
  4470. type: object
  4471. region:
  4472. description: AWS Region to be used for the provider
  4473. type: string
  4474. role:
  4475. description: Role is a Role ARN which the SecretManager provider will assume
  4476. type: string
  4477. service:
  4478. description: Service defines which service should be used to fetch the secrets
  4479. enum:
  4480. - SecretsManager
  4481. - ParameterStore
  4482. type: string
  4483. required:
  4484. - region
  4485. - service
  4486. type: object
  4487. azurekv:
  4488. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  4489. properties:
  4490. authSecretRef:
  4491. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  4492. properties:
  4493. clientId:
  4494. description: The Azure clientId of the service principle used for authentication.
  4495. properties:
  4496. key:
  4497. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4498. type: string
  4499. name:
  4500. description: The name of the Secret resource being referred to.
  4501. type: string
  4502. namespace:
  4503. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4504. type: string
  4505. type: object
  4506. clientSecret:
  4507. description: The Azure ClientSecret of the service principle used for authentication.
  4508. properties:
  4509. key:
  4510. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4511. type: string
  4512. name:
  4513. description: The name of the Secret resource being referred to.
  4514. type: string
  4515. namespace:
  4516. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4517. type: string
  4518. type: object
  4519. type: object
  4520. authType:
  4521. default: ServicePrincipal
  4522. description: 'Auth type defines how to authenticate to the keyvault service. Valid values are: - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret) - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)'
  4523. enum:
  4524. - ServicePrincipal
  4525. - ManagedIdentity
  4526. - WorkloadIdentity
  4527. type: string
  4528. identityId:
  4529. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  4530. type: string
  4531. serviceAccountRef:
  4532. description: ServiceAccountRef specified the service account that should be used when authenticating with WorkloadIdentity.
  4533. properties:
  4534. name:
  4535. description: The name of the ServiceAccount resource being referred to.
  4536. type: string
  4537. namespace:
  4538. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4539. type: string
  4540. required:
  4541. - name
  4542. type: object
  4543. tenantId:
  4544. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  4545. type: string
  4546. vaultUrl:
  4547. description: Vault Url from which the secrets to be fetched from.
  4548. type: string
  4549. required:
  4550. - vaultUrl
  4551. type: object
  4552. fake:
  4553. description: Fake configures a store with static key/value pairs
  4554. properties:
  4555. data:
  4556. items:
  4557. properties:
  4558. key:
  4559. type: string
  4560. value:
  4561. type: string
  4562. valueMap:
  4563. additionalProperties:
  4564. type: string
  4565. type: object
  4566. version:
  4567. type: string
  4568. required:
  4569. - key
  4570. type: object
  4571. type: array
  4572. required:
  4573. - data
  4574. type: object
  4575. gcpsm:
  4576. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4577. properties:
  4578. auth:
  4579. description: Auth defines the information necessary to authenticate against GCP
  4580. properties:
  4581. secretRef:
  4582. properties:
  4583. secretAccessKeySecretRef:
  4584. description: The SecretAccessKey is used for authentication
  4585. properties:
  4586. key:
  4587. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4588. type: string
  4589. name:
  4590. description: The name of the Secret resource being referred to.
  4591. type: string
  4592. namespace:
  4593. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4594. type: string
  4595. type: object
  4596. type: object
  4597. workloadIdentity:
  4598. properties:
  4599. clusterLocation:
  4600. type: string
  4601. clusterName:
  4602. type: string
  4603. clusterProjectID:
  4604. type: string
  4605. serviceAccountRef:
  4606. description: A reference to a ServiceAccount resource.
  4607. properties:
  4608. name:
  4609. description: The name of the ServiceAccount resource being referred to.
  4610. type: string
  4611. namespace:
  4612. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4613. type: string
  4614. required:
  4615. - name
  4616. type: object
  4617. required:
  4618. - clusterLocation
  4619. - clusterName
  4620. - serviceAccountRef
  4621. type: object
  4622. type: object
  4623. projectID:
  4624. description: ProjectID project where secret is located
  4625. type: string
  4626. type: object
  4627. gitlab:
  4628. description: Gitlab configures this store to sync secrets using Gitlab Variables provider
  4629. properties:
  4630. auth:
  4631. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4632. properties:
  4633. SecretRef:
  4634. properties:
  4635. accessToken:
  4636. description: AccessToken is used for authentication.
  4637. properties:
  4638. key:
  4639. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4640. type: string
  4641. name:
  4642. description: The name of the Secret resource being referred to.
  4643. type: string
  4644. namespace:
  4645. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4646. type: string
  4647. type: object
  4648. type: object
  4649. required:
  4650. - SecretRef
  4651. type: object
  4652. projectID:
  4653. description: ProjectID specifies a project where secrets are located.
  4654. type: string
  4655. url:
  4656. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4657. type: string
  4658. required:
  4659. - auth
  4660. type: object
  4661. ibm:
  4662. description: IBM configures this store to sync secrets using IBM Cloud provider
  4663. properties:
  4664. auth:
  4665. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4666. maxProperties: 1
  4667. minProperties: 1
  4668. properties:
  4669. containerAuth:
  4670. description: IBM Container-based auth with IAM Trusted Profile.
  4671. properties:
  4672. iamEndpoint:
  4673. type: string
  4674. profile:
  4675. description: the IBM Trusted Profile
  4676. type: string
  4677. tokenLocation:
  4678. description: Location the token is mounted on the pod
  4679. type: string
  4680. required:
  4681. - profile
  4682. type: object
  4683. secretRef:
  4684. properties:
  4685. secretApiKeySecretRef:
  4686. description: The SecretAccessKey is used for authentication
  4687. properties:
  4688. key:
  4689. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4690. type: string
  4691. name:
  4692. description: The name of the Secret resource being referred to.
  4693. type: string
  4694. namespace:
  4695. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4696. type: string
  4697. type: object
  4698. type: object
  4699. type: object
  4700. serviceUrl:
  4701. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4702. type: string
  4703. required:
  4704. - auth
  4705. type: object
  4706. kubernetes:
  4707. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  4708. properties:
  4709. auth:
  4710. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  4711. maxProperties: 1
  4712. minProperties: 1
  4713. properties:
  4714. cert:
  4715. description: has both clientCert and clientKey as secretKeySelector
  4716. properties:
  4717. clientCert:
  4718. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4719. properties:
  4720. key:
  4721. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4722. type: string
  4723. name:
  4724. description: The name of the Secret resource being referred to.
  4725. type: string
  4726. namespace:
  4727. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4728. type: string
  4729. type: object
  4730. clientKey:
  4731. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4732. properties:
  4733. key:
  4734. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4735. type: string
  4736. name:
  4737. description: The name of the Secret resource being referred to.
  4738. type: string
  4739. namespace:
  4740. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4741. type: string
  4742. type: object
  4743. type: object
  4744. serviceAccount:
  4745. description: points to a service account that should be used for authentication
  4746. properties:
  4747. name:
  4748. description: The name of the ServiceAccount resource being referred to.
  4749. type: string
  4750. namespace:
  4751. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4752. type: string
  4753. required:
  4754. - name
  4755. type: object
  4756. token:
  4757. description: use static token to authenticate with
  4758. properties:
  4759. bearerToken:
  4760. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4761. properties:
  4762. key:
  4763. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4764. type: string
  4765. name:
  4766. description: The name of the Secret resource being referred to.
  4767. type: string
  4768. namespace:
  4769. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4770. type: string
  4771. type: object
  4772. type: object
  4773. type: object
  4774. remoteNamespace:
  4775. default: default
  4776. description: Remote namespace to fetch the secrets from
  4777. type: string
  4778. server:
  4779. description: configures the Kubernetes server Address.
  4780. properties:
  4781. caBundle:
  4782. description: CABundle is a base64-encoded CA certificate
  4783. format: byte
  4784. type: string
  4785. caProvider:
  4786. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  4787. properties:
  4788. key:
  4789. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4790. type: string
  4791. name:
  4792. description: The name of the object located at the provider type.
  4793. type: string
  4794. namespace:
  4795. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  4796. type: string
  4797. type:
  4798. description: The type of provider to use such as "Secret", or "ConfigMap".
  4799. enum:
  4800. - Secret
  4801. - ConfigMap
  4802. type: string
  4803. required:
  4804. - name
  4805. - type
  4806. type: object
  4807. url:
  4808. default: kubernetes.default
  4809. description: configures the Kubernetes server Address.
  4810. type: string
  4811. type: object
  4812. required:
  4813. - auth
  4814. type: object
  4815. onepassword:
  4816. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  4817. properties:
  4818. auth:
  4819. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  4820. properties:
  4821. secretRef:
  4822. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  4823. properties:
  4824. connectTokenSecretRef:
  4825. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  4826. properties:
  4827. key:
  4828. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4829. type: string
  4830. name:
  4831. description: The name of the Secret resource being referred to.
  4832. type: string
  4833. namespace:
  4834. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4835. type: string
  4836. type: object
  4837. required:
  4838. - connectTokenSecretRef
  4839. type: object
  4840. required:
  4841. - secretRef
  4842. type: object
  4843. connectHost:
  4844. description: ConnectHost defines the OnePassword Connect Server to connect to
  4845. type: string
  4846. vaults:
  4847. additionalProperties:
  4848. type: integer
  4849. description: Vaults defines which OnePassword vaults to search in which order
  4850. type: object
  4851. required:
  4852. - auth
  4853. - connectHost
  4854. - vaults
  4855. type: object
  4856. oracle:
  4857. description: Oracle configures this store to sync secrets using Oracle Vault provider
  4858. properties:
  4859. auth:
  4860. description: Auth configures how secret-manager authenticates with the Oracle Vault. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  4861. properties:
  4862. secretRef:
  4863. description: SecretRef to pass through sensitive information.
  4864. properties:
  4865. fingerprint:
  4866. description: Fingerprint is the fingerprint of the API private key.
  4867. properties:
  4868. key:
  4869. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4870. type: string
  4871. name:
  4872. description: The name of the Secret resource being referred to.
  4873. type: string
  4874. namespace:
  4875. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4876. type: string
  4877. type: object
  4878. privatekey:
  4879. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  4880. properties:
  4881. key:
  4882. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4883. type: string
  4884. name:
  4885. description: The name of the Secret resource being referred to.
  4886. type: string
  4887. namespace:
  4888. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4889. type: string
  4890. type: object
  4891. required:
  4892. - fingerprint
  4893. - privatekey
  4894. type: object
  4895. tenancy:
  4896. description: Tenancy is the tenancy OCID where user is located.
  4897. type: string
  4898. user:
  4899. description: User is an access OCID specific to the account.
  4900. type: string
  4901. required:
  4902. - secretRef
  4903. - tenancy
  4904. - user
  4905. type: object
  4906. region:
  4907. description: Region is the region where vault is located.
  4908. type: string
  4909. vault:
  4910. description: Vault is the vault's OCID of the specific vault where secret is located.
  4911. type: string
  4912. required:
  4913. - region
  4914. - vault
  4915. type: object
  4916. senhasegura:
  4917. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4918. properties:
  4919. auth:
  4920. description: Auth defines parameters to authenticate in senhasegura
  4921. properties:
  4922. clientId:
  4923. type: string
  4924. clientSecretSecretRef:
  4925. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  4926. properties:
  4927. key:
  4928. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4929. type: string
  4930. name:
  4931. description: The name of the Secret resource being referred to.
  4932. type: string
  4933. namespace:
  4934. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4935. type: string
  4936. type: object
  4937. required:
  4938. - clientId
  4939. - clientSecretSecretRef
  4940. type: object
  4941. ignoreSslCertificate:
  4942. default: false
  4943. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  4944. type: boolean
  4945. module:
  4946. description: Module defines which senhasegura module should be used to get secrets
  4947. type: string
  4948. url:
  4949. description: URL of senhasegura
  4950. type: string
  4951. required:
  4952. - auth
  4953. - module
  4954. - url
  4955. type: object
  4956. vault:
  4957. description: Vault configures this store to sync secrets using Hashi provider
  4958. properties:
  4959. auth:
  4960. description: Auth configures how secret-manager authenticates with the Vault server.
  4961. properties:
  4962. appRole:
  4963. description: AppRole authenticates with Vault using the App Role auth mechanism, with the role and secret stored in a Kubernetes Secret resource.
  4964. properties:
  4965. path:
  4966. default: approle
  4967. description: 'Path where the App Role authentication backend is mounted in Vault, e.g: "approle"'
  4968. type: string
  4969. roleId:
  4970. description: RoleID configured in the App Role authentication backend when setting up the authentication backend in Vault.
  4971. type: string
  4972. secretRef:
  4973. description: Reference to a key in a Secret that contains the App Role secret used to authenticate with Vault. The `key` field must be specified and denotes which entry within the Secret resource is used as the app role secret.
  4974. properties:
  4975. key:
  4976. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4977. type: string
  4978. name:
  4979. description: The name of the Secret resource being referred to.
  4980. type: string
  4981. namespace:
  4982. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  4983. type: string
  4984. type: object
  4985. required:
  4986. - path
  4987. - roleId
  4988. - secretRef
  4989. type: object
  4990. cert:
  4991. description: Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate Cert authentication method
  4992. properties:
  4993. clientCert:
  4994. description: ClientCert is a certificate to authenticate using the Cert Vault authentication method
  4995. properties:
  4996. key:
  4997. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  4998. type: string
  4999. name:
  5000. description: The name of the Secret resource being referred to.
  5001. type: string
  5002. namespace:
  5003. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5004. type: string
  5005. type: object
  5006. secretRef:
  5007. description: SecretRef to a key in a Secret resource containing client private key to authenticate with Vault using the Cert authentication method
  5008. properties:
  5009. key:
  5010. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5011. type: string
  5012. name:
  5013. description: The name of the Secret resource being referred to.
  5014. type: string
  5015. namespace:
  5016. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5017. type: string
  5018. type: object
  5019. type: object
  5020. jwt:
  5021. description: Jwt authenticates with Vault by passing role and JWT token using the JWT/OIDC authentication method
  5022. properties:
  5023. kubernetesServiceAccountToken:
  5024. description: Optional ServiceAccountToken specifies the Kubernetes service account for which to request a token for with the `TokenRequest` API.
  5025. properties:
  5026. audiences:
  5027. description: Optional audiences field that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to a single audience `vault` it not specified.
  5028. items:
  5029. type: string
  5030. type: array
  5031. expirationSeconds:
  5032. description: Optional expiration time in seconds that will be used to request a temporary Kubernetes service account token for the service account referenced by `serviceAccountRef`. Defaults to 10 minutes.
  5033. format: int64
  5034. type: integer
  5035. serviceAccountRef:
  5036. description: Service account field containing the name of a kubernetes ServiceAccount.
  5037. properties:
  5038. name:
  5039. description: The name of the ServiceAccount resource being referred to.
  5040. type: string
  5041. namespace:
  5042. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5043. type: string
  5044. required:
  5045. - name
  5046. type: object
  5047. required:
  5048. - serviceAccountRef
  5049. type: object
  5050. path:
  5051. default: jwt
  5052. description: 'Path where the JWT authentication backend is mounted in Vault, e.g: "jwt"'
  5053. type: string
  5054. role:
  5055. description: Role is a JWT role to authenticate using the JWT/OIDC Vault authentication method
  5056. type: string
  5057. secretRef:
  5058. description: Optional SecretRef that refers to a key in a Secret resource containing JWT token to authenticate with Vault using the JWT/OIDC authentication method.
  5059. properties:
  5060. key:
  5061. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5062. type: string
  5063. name:
  5064. description: The name of the Secret resource being referred to.
  5065. type: string
  5066. namespace:
  5067. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5068. type: string
  5069. type: object
  5070. required:
  5071. - path
  5072. type: object
  5073. kubernetes:
  5074. description: Kubernetes authenticates with Vault by passing the ServiceAccount token stored in the named Secret resource to the Vault server.
  5075. properties:
  5076. mountPath:
  5077. default: kubernetes
  5078. description: 'Path where the Kubernetes authentication backend is mounted in Vault, e.g: "kubernetes"'
  5079. type: string
  5080. role:
  5081. description: A required field containing the Vault Role to assume. A Role binds a Kubernetes ServiceAccount with a set of Vault policies.
  5082. type: string
  5083. secretRef:
  5084. description: Optional secret field containing a Kubernetes ServiceAccount JWT used for authenticating with Vault. If a name is specified without a key, `token` is the default. If one is not specified, the one bound to the controller will be used.
  5085. properties:
  5086. key:
  5087. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5088. type: string
  5089. name:
  5090. description: The name of the Secret resource being referred to.
  5091. type: string
  5092. namespace:
  5093. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5094. type: string
  5095. type: object
  5096. serviceAccountRef:
  5097. description: Optional service account field containing the name of a kubernetes ServiceAccount. If the service account is specified, the service account secret token JWT will be used for authenticating with Vault. If the service account selector is not supplied, the secretRef will be used instead.
  5098. properties:
  5099. name:
  5100. description: The name of the ServiceAccount resource being referred to.
  5101. type: string
  5102. namespace:
  5103. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5104. type: string
  5105. required:
  5106. - name
  5107. type: object
  5108. required:
  5109. - mountPath
  5110. - role
  5111. type: object
  5112. ldap:
  5113. description: Ldap authenticates with Vault by passing username/password pair using the LDAP authentication method
  5114. properties:
  5115. path:
  5116. default: ldap
  5117. description: 'Path where the LDAP authentication backend is mounted in Vault, e.g: "ldap"'
  5118. type: string
  5119. secretRef:
  5120. description: SecretRef to a key in a Secret resource containing password for the LDAP user used to authenticate with Vault using the LDAP authentication method
  5121. properties:
  5122. key:
  5123. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5124. type: string
  5125. name:
  5126. description: The name of the Secret resource being referred to.
  5127. type: string
  5128. namespace:
  5129. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5130. type: string
  5131. type: object
  5132. username:
  5133. description: Username is a LDAP user name used to authenticate using the LDAP Vault authentication method
  5134. type: string
  5135. required:
  5136. - path
  5137. - username
  5138. type: object
  5139. tokenSecretRef:
  5140. description: TokenSecretRef authenticates with Vault by presenting a token.
  5141. properties:
  5142. key:
  5143. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5144. type: string
  5145. name:
  5146. description: The name of the Secret resource being referred to.
  5147. type: string
  5148. namespace:
  5149. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5150. type: string
  5151. type: object
  5152. type: object
  5153. caBundle:
  5154. description: PEM encoded CA bundle used to validate Vault server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5155. format: byte
  5156. type: string
  5157. caProvider:
  5158. description: The provider for the CA bundle to use to validate Vault server certificate.
  5159. properties:
  5160. key:
  5161. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5162. type: string
  5163. name:
  5164. description: The name of the object located at the provider type.
  5165. type: string
  5166. namespace:
  5167. description: The namespace the Provider type is in. Can only be defined when used in a ClusterSecretStore.
  5168. type: string
  5169. type:
  5170. description: The type of provider to use such as "Secret", or "ConfigMap".
  5171. enum:
  5172. - Secret
  5173. - ConfigMap
  5174. type: string
  5175. required:
  5176. - name
  5177. - type
  5178. type: object
  5179. forwardInconsistent:
  5180. description: ForwardInconsistent tells Vault to forward read-after-write requests to the Vault leader instead of simply retrying within a loop. This can increase performance if the option is enabled serverside. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  5181. type: boolean
  5182. namespace:
  5183. description: 'Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows Vault environments to support Secure Multi-tenancy. e.g: "ns1". More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces'
  5184. type: string
  5185. path:
  5186. description: 'Path is the mount path of the Vault KV backend endpoint, e.g: "secret". The v2 KV secret engine version specific "/data" path suffix for fetching secrets from Vault is optional and will be appended if not present in specified path.'
  5187. type: string
  5188. readYourWrites:
  5189. description: ReadYourWrites ensures isolated read-after-write semantics by providing discovered cluster replication states in each request. More information about eventual consistency in Vault can be found here https://www.vaultproject.io/docs/enterprise/consistency
  5190. type: boolean
  5191. server:
  5192. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  5193. type: string
  5194. version:
  5195. default: v2
  5196. description: Version is the Vault KV secret engine version. This can be either "v1" or "v2". Version defaults to "v2".
  5197. enum:
  5198. - v1
  5199. - v2
  5200. type: string
  5201. required:
  5202. - auth
  5203. - server
  5204. type: object
  5205. webhook:
  5206. description: Webhook configures this store to sync secrets using a generic templated webhook
  5207. properties:
  5208. body:
  5209. description: Body
  5210. type: string
  5211. caBundle:
  5212. description: PEM encoded CA bundle used to validate webhook server certificate. Only used if the Server URL is using HTTPS protocol. This parameter is ignored for plain HTTP protocol connection. If not set the system root certificates are used to validate the TLS connection.
  5213. format: byte
  5214. type: string
  5215. caProvider:
  5216. description: The provider for the CA bundle to use to validate webhook server certificate.
  5217. properties:
  5218. key:
  5219. description: The key the value inside of the provider type to use, only used with "Secret" type
  5220. type: string
  5221. name:
  5222. description: The name of the object located at the provider type.
  5223. type: string
  5224. namespace:
  5225. description: The namespace the Provider type is in.
  5226. type: string
  5227. type:
  5228. description: The type of provider to use such as "Secret", or "ConfigMap".
  5229. enum:
  5230. - Secret
  5231. - ConfigMap
  5232. type: string
  5233. required:
  5234. - name
  5235. - type
  5236. type: object
  5237. headers:
  5238. additionalProperties:
  5239. type: string
  5240. description: Headers
  5241. type: object
  5242. method:
  5243. description: Webhook Method
  5244. type: string
  5245. result:
  5246. description: Result formatting
  5247. properties:
  5248. jsonPath:
  5249. description: Json path of return value
  5250. type: string
  5251. type: object
  5252. secrets:
  5253. description: Secrets to fill in templates These secrets will be passed to the templating function as key value pairs under the given name
  5254. items:
  5255. properties:
  5256. name:
  5257. description: Name of this secret in templates
  5258. type: string
  5259. secretRef:
  5260. description: Secret ref to fill in credentials
  5261. properties:
  5262. key:
  5263. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5264. type: string
  5265. name:
  5266. description: The name of the Secret resource being referred to.
  5267. type: string
  5268. namespace:
  5269. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5270. type: string
  5271. type: object
  5272. required:
  5273. - name
  5274. - secretRef
  5275. type: object
  5276. type: array
  5277. timeout:
  5278. description: Timeout
  5279. type: string
  5280. url:
  5281. description: Webhook url to call
  5282. type: string
  5283. required:
  5284. - result
  5285. - url
  5286. type: object
  5287. yandexcertificatemanager:
  5288. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  5289. properties:
  5290. apiEndpoint:
  5291. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5292. type: string
  5293. auth:
  5294. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  5295. properties:
  5296. authorizedKeySecretRef:
  5297. description: The authorized key used for authentication
  5298. properties:
  5299. key:
  5300. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5301. type: string
  5302. name:
  5303. description: The name of the Secret resource being referred to.
  5304. type: string
  5305. namespace:
  5306. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5307. type: string
  5308. type: object
  5309. type: object
  5310. caProvider:
  5311. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5312. properties:
  5313. certSecretRef:
  5314. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5315. properties:
  5316. key:
  5317. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5318. type: string
  5319. name:
  5320. description: The name of the Secret resource being referred to.
  5321. type: string
  5322. namespace:
  5323. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5324. type: string
  5325. type: object
  5326. type: object
  5327. required:
  5328. - auth
  5329. type: object
  5330. yandexlockbox:
  5331. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  5332. properties:
  5333. apiEndpoint:
  5334. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  5335. type: string
  5336. auth:
  5337. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  5338. properties:
  5339. authorizedKeySecretRef:
  5340. description: The authorized key used for authentication
  5341. properties:
  5342. key:
  5343. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5344. type: string
  5345. name:
  5346. description: The name of the Secret resource being referred to.
  5347. type: string
  5348. namespace:
  5349. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5350. type: string
  5351. type: object
  5352. type: object
  5353. caProvider:
  5354. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  5355. properties:
  5356. certSecretRef:
  5357. description: A reference to a specific 'key' within a Secret resource, In some instances, `key` is a required field.
  5358. properties:
  5359. key:
  5360. description: The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be defaulted, in others it may be required.
  5361. type: string
  5362. name:
  5363. description: The name of the Secret resource being referred to.
  5364. type: string
  5365. namespace:
  5366. description: Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults to the namespace of the referent.
  5367. type: string
  5368. type: object
  5369. type: object
  5370. required:
  5371. - auth
  5372. type: object
  5373. type: object
  5374. refreshInterval:
  5375. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5376. type: integer
  5377. retrySettings:
  5378. description: Used to configure http retries if failed
  5379. properties:
  5380. maxRetries:
  5381. format: int32
  5382. type: integer
  5383. retryInterval:
  5384. type: string
  5385. type: object
  5386. required:
  5387. - provider
  5388. type: object
  5389. status:
  5390. description: SecretStoreStatus defines the observed state of the SecretStore.
  5391. properties:
  5392. capabilities:
  5393. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5394. type: string
  5395. conditions:
  5396. items:
  5397. properties:
  5398. lastTransitionTime:
  5399. format: date-time
  5400. type: string
  5401. message:
  5402. type: string
  5403. reason:
  5404. type: string
  5405. status:
  5406. type: string
  5407. type:
  5408. type: string
  5409. required:
  5410. - status
  5411. - type
  5412. type: object
  5413. type: array
  5414. type: object
  5415. type: object
  5416. served: true
  5417. storage: true
  5418. subresources:
  5419. status: {}
  5420. conversion:
  5421. strategy: Webhook
  5422. webhook:
  5423. conversionReviewVersions:
  5424. - v1
  5425. clientConfig:
  5426. service:
  5427. name: kubernetes
  5428. namespace: default
  5429. path: /convert