bundle.yaml 1.7 MB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
37047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127
71278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177
71778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227
72278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277
72778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327
73278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524352535263527352835293530353135323533353435353536353735383539354035413542354335443545354635473548354935503551355235533554355535563557355835593560356135623563356435653566356735683569357035713572357335743575357635773578357935803581358235833584358535863587358835893590359135923593359435953596359735983599360036013602360336043605360636073608360936103611361236133614361536163617361836193620362136223623362436253626362736283629363036313632363336343635363636373638363936403641364236433644364536463647364836493650365136523653365436553656365736583659366036613662366336643665366636673668366936703671367236733674367536763677367836793680368136823683368436853686368736883689369036913692369336943695369636973698369937003701370237033704370537063707370837093710371137123713371437153716371737183719372037213722372337243725372637273728372937303731373237333734373537363737373837393740374137423743374437453746374737483749375037513752375337543755375637573758375937603761376237633764376537663767376837693770377137723773377437753776377
73778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427
74278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477
74778477947804781478247834784478547864787478847894790479147924793479447954796479747984799480048014802480348044805480648074808480948104811481248134814481548164817481848194820482148224823482448254826482748284829483048314832483348344835483648374838483948404841484248434844484548464847484848494850485148524853485448554856485748584859486048614862486348644865486648674868486948704871487248734874487548764877487848794880488148824883488448854886488748884889489048914892489348944895489648974898489949004901490249034904490549064907490849094910491149124913491449154916491749184919492049214922492349244925492649274928492949304931493249334934493549364937493849394940494149424943494449454946494749484949495049514952495349544955495649574958495949604961496249634964496549664967496849694970497149724973497449754976497749784979498049814982498349844985498649874988498949904991499249934994499549964997499849995000500150025003500450055006500750085009501050115012501350145015501650175018501950205021502250235024502550265027502850295030503150325033503450355036503750385039504050415042504350445045504650475048504950505051505250535054505550565057505850595060506150625063506450655066506750685069507050715072507350745075507650775078507950805081508250835084508550865087508850895090509150925093509450955096509750985099510051015102510351045105510651075108510951105111511251135114511551165117511851195120512151225123512451255126512751285129513051315132513351345135513651375138513951405141514251435144514551465147514851495150515151525153515451555156515751585159516051615162516351645165516651675168516951705171517251735174517551765177517851795180518151825183518451855186518751885189519051915192519351945195519651975198519952005201520252035204520552065207520852095210521152125213521452155216521752185219522052215222522352245225522652275228522952305231523252335234523552365237523852395240524152425243524452455246524752485249525052515252525352545255525652575258525952605261526252635264526552665267526852695270527152725273527452755276527
75278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577
75778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627
76278627962806281628262836284628562866287628862896290629162926293629462956296629762986299630063016302630363046305630663076308630963106311631263136314631563166317631863196320632163226323632463256326632763286329633063316332633363346335633663376338633963406341634263436344634563466347634863496350635163526353635463556356635763586359636063616362636363646365636663676368636963706371637263736374637563766377637863796380638163826383638463856386638763886389639063916392639363946395639663976398639964006401640264036404640564066407640864096410641164126413641464156416641764186419642064216422642364246425642664276428642964306431643264336434643564366437643864396440644164426443644464456446644764486449645064516452645364546455645664576458645964606461646264636464646564666467646864696470647164726473647464756476647764786479648064816482648364846485648664876488648964906491649264936494649564966497649864996500650165026503650465056506650765086509651065116512651365146515651665176518651965206521652265236524652565266527652865296530653165326533653465356536653765386539654065416542654365446545654665476548654965506551655265536554655565566557655865596560656165626563656465656566656765686569657065716572657365746575657665776578657965806581658265836584658565866587658865896590659165926593659465956596659765986599660066016602660366046605660666076608660966106611661266136614661566166617661866196620662166226623662466256626662766286629663066316632663366346635663666376638663966406641664266436644664566466647664866496650665166526653665466556656665766586659666066616662666366646665666666676668666966706671667266736674667566766677667866796680668166826683668466856686668766886689669066916692669366946695669666976698669967006701670267036704670567066707670867096710671167126713671467156716671767186719672067216722672367246725672667276728672967306731673267336734673567366737673867396740674167426743674467456746674767486749675067516752675367546755675667576758675967606761676267636764676567666767676867696770677167726773677467756776677
76778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727
77278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777
54221542315424154251542615427154281542915430154311543215433154341543515436154371543815439154401544115442154431544415445154461544715448154491545015451154521545315454154551545615457154581545915460154611546215463154641546515466154671546815469154701547115472154731547415475154761547715478154791548015481154821548315484154851548615487154881548915490154911549215493154941549515496154971549815499155001550115502155031550415505155061550715508155091551015511155121551315514155151551615517155181551915520155211552215523155241552515526155271552815529155301553115532155331553415535155361553715538155391554015541155421554315544155451554615547155481554915550155511555215553155541555515556155571555815559155601556115562155631556415565155661556715568155691557015571155721557315574155751557615577155781557915580155811558215583155841558515586155871558815589155901559115592155931559415595155961559715598155991560015601156021560315604156051560615607156081560915610156111561215613156141561515616156171561815619156201562115622156231562415625156261562715628156291563015631156321563315634156351563615637156381563915640156411564215643156441564515646156471564815649156501565115652156531565415655156561565715658156591566015661156621566315664156651566615667156681566915670156711567215673156741567515676156771567815679156801568115682156831568415685156861568715688156891569015691156921569315694156951569615697156981569915700157011570215703157041570515706157071570815709157101571115712157131571415715157161571715718157191572015721157221572315724157251572615727157281572915730157311573215733157341573515736157371573815739157401574115742157431574415745157461574715748157491575015751157521575315754157551575615757157581575915760157611576215763157641576515766157671576815769157701577115772157731577415775157761577715778157791578015781157821578315784157851578615787157881578915790157911579215793157941579515796157971579815799158001580115802158031580415805158061580715808158091581015811158121581315814158151581615817158181581915820158211
58221582315824158251582615827158281582915830158311583215833158341583515836158371583815839158401584115842158431584415845158461584715848158491585015851158521585315854158551585615857158581585915860158611586215863158641586515866158671586815869158701587115872158731587415875158761587715878158791588015881158821588315884158851588615887158881588915890158911589215893158941589515896158971589815899159001590115902159031590415905159061590715908159091591015911159121591315914159151591615917159181591915920159211592215923159241592515926159271592815929159301593115932159331593415935159361593715938159391594015941159421594315944159451594615947159481594915950159511595215953159541595515956159571595815959159601596115962159631596415965159661596715968159691597015971159721597315974159751597615977159781597915980159811598215983159841598515986159871598815989159901599115992159931599415995159961599715998159991600016001160021600316004160051600616007160081600916010160111601216013160141601516016160171601816019160201602116022160231602416025160261602716028160291603016031160321603316034160351603616037160381603916040160411604216043160441604516046160471604816049160501605116052160531605416055160561605716058160591606016061160621606316064160651606616067160681606916070160711607216073160741607516076160771607816079160801608116082160831608416085160861608716088160891609016091160921609316094160951609616097160981609916100161011610216103161041610516106161071610816109161101611116112161131611416115161161611716118161191612016121161221612316124161251612616127161281612916130161311613216133161341613516136161371613816139161401614116142161431614416145161461614716148161491615016151161521615316154161551615616157161581615916160161611616216163161641616516166161671616816169161701617116172161731617416175161761617716178161791618016181161821618316184161851618616187161881618916190161911619216193161941619516196161971619816199162001620116202162031620416205162061620716208162091621016211162121621316214162151621616217162181621916220162211
62221622316224162251622616227162281622916230162311623216233162341623516236162371623816239162401624116242162431624416245162461624716248162491625016251162521625316254162551625616257162581625916260162611626216263162641626516266162671626816269162701627116272162731627416275162761627716278162791628016281162821628316284162851628616287162881628916290162911629216293162941629516296162971629816299163001630116302163031630416305163061630716308163091631016311163121631316314163151631616317163181631916320163211632216323163241632516326163271632816329163301633116332163331633416335163361633716338163391634016341163421634316344163451634616347163481634916350163511635216353163541635516356163571635816359163601636116362163631636416365163661636716368163691637016371163721637316374163751637616377163781637916380163811638216383163841638516386163871638816389163901639116392163931639416395163961639716398163991640016401164021640316404164051640616407164081640916410164111641216413164141641516416164171641816419164201642116422164231642416425164261642716428164291643016431164321643316434164351643616437164381643916440164411644216443164441644516446164471644816449164501645116452164531645416455164561645716458164591646016461164621646316464164651646616467164681646916470164711647216473164741647516476164771647816479164801648116482164831648416485164861648716488164891649016491164921649316494164951649616497164981649916500165011650216503165041650516506165071650816509165101651116512165131651416515165161651716518165191652016521165221652316524165251652616527165281652916530165311653216533165341653516536165371653816539165401654116542165431654416545165461654716548165491655016551165521655316554165551655616557165581655916560165611656216563165641656516566165671656816569165701657116572165731657416575165761657716578165791658016581165821658316584165851658616587165881658916590165911659216593165941659516596165971659816599166001660116602166031660416605166061660716608166091661016611166121661316614166151661616617166181661916620166211
66221662316624166251662616627166281662916630166311663216633166341663516636166371663816639166401664116642166431664416645166461664716648166491665016651166521665316654166551665616657166581665916660166611666216663166641666516666166671666816669166701667116672166731667416675166761667716678166791668016681166821668316684166851668616687166881668916690166911669216693166941669516696166971669816699167001670116702167031670416705167061670716708167091671016711167121671316714167151671616717167181671916720167211672216723167241672516726167271672816729167301673116732167331673416735167361673716738167391674016741167421674316744167451674616747167481674916750167511675216753167541675516756167571675816759167601676116762167631676416765167661676716768167691677016771167721677316774167751677616777167781677916780167811678216783167841678516786167871678816789167901679116792167931679416795167961679716798167991680016801168021680316804168051680616807168081680916810168111681216813168141681516816168171681816819168201682116822168231682416825168261682716828168291683016831168321683316834168351683616837168381683916840168411684216843168441684516846168471684816849168501685116852168531685416855168561685716858168591686016861168621686316864168651686616867168681686916870168711687216873168741687516876168771687816879168801688116882168831688416885168861688716888168891689016891168921689316894168951689616897168981689916900169011690216903169041690516906169071690816909169101691116912169131691416915169161691716918169191692016921169221692316924169251692616927169281692916930169311693216933169341693516936169371693816939169401694116942169431694416945169461694716948169491695016951169521695316954169551695616957169581695916960169611696216963169641696516966169671696816969169701697116972169731697416975169761697716978169791698016981169821698316984169851698616987169881698916990169911699216993169941699516996169971699816999170001700117002170031700417005170061700717008170091701017011170121701317014170151701617017170181701917020170211
70221702317024170251702617027170281702917030170311703217033170341703517036170371703817039170401704117042170431704417045170461704717048170491705017051170521705317054170551705617057170581705917060170611706217063170641706517066170671706817069170701707117072170731707417075170761707717078170791708017081170821708317084170851708617087170881708917090170911709217093170941709517096170971709817099171001710117102171031710417105171061710717108171091711017111171121711317114171151711617117171181711917120171211712217123171241712517126171271712817129171301713117132171331713417135171361713717138171391714017141171421714317144171451714617147171481714917150171511715217153171541715517156171571715817159171601716117162171631716417165171661716717168171691717017171171721717317174171751717617177171781717917180171811718217183171841718517186171871718817189171901719117192171931719417195171961719717198171991720017201172021720317204172051720617207172081720917210172111721217213172141721517216172171721817219172201722117222172231722417225172261722717228172291723017231172321723317234172351723617237172381723917240172411724217243172441724517246172471724817249172501725117252172531725417255172561725717258172591726017261172621726317264172651726617267172681726917270172711727217273172741727517276172771727817279172801728117282172831728417285172861728717288172891729017291172921729317294172951729617297172981729917300173011730217303173041730517306173071730817309173101731117312173131731417315173161731717318173191732017321173221732317324173251732617327173281732917330173311733217333173341733517336173371733817339173401734117342173431734417345173461734717348173491735017351173521735317354173551735617357173581735917360173611736217363173641736517366173671736817369173701737117372173731737417375173761737717378173791738017381173821738317384173851738617387173881738917390173911739217393173941739517396173971739817399174001740117402174031740417405174061740717408174091741017411174121741317414174151741617417174181741917420174211
74221742317424174251742617427174281742917430174311743217433174341743517436174371743817439174401744117442174431744417445174461744717448174491745017451174521745317454174551745617457174581745917460174611746217463174641746517466174671746817469174701747117472174731747417475174761747717478174791748017481174821748317484174851748617487174881748917490174911749217493174941749517496174971749817499175001750117502175031750417505175061750717508175091751017511175121751317514175151751617517175181751917520175211752217523175241752517526175271752817529175301753117532175331753417535175361753717538175391754017541175421754317544175451754617547175481754917550175511755217553175541755517556175571755817559175601756117562175631756417565175661756717568175691757017571175721757317574175751757617577175781757917580175811758217583175841758517586175871758817589175901759117592175931759417595175961759717598175991760017601176021760317604176051760617607176081760917610176111761217613176141761517616176171761817619176201762117622176231762417625176261762717628176291763017631176321763317634176351763617637176381763917640176411764217643176441764517646176471764817649176501765117652176531765417655176561765717658176591766017661176621766317664176651766617667176681766917670176711767217673176741767517676176771767817679176801768117682176831768417685176861768717688176891769017691176921769317694176951769617697176981769917700177011770217703177041770517706177071770817709177101771117712177131771417715177161771717718177191772017721177221772317724177251772617727177281772917730177311773217733177341773517736177371773817739177401774117742177431774417745177461774717748177491775017751177521775317754177551775617757177581775917760177611776217763177641776517766177671776817769177701777117772177731777417775177761777717778177791778017781177821778317784177851778617787177881778917790177911779217793177941779517796177971779817799178001780117802178031780417805178061780717808178091781017811178121781317814178151781617817178181781917820178211
78221782317824178251782617827178281782917830178311783217833178341783517836178371783817839178401784117842178431784417845178461784717848178491785017851178521785317854178551785617857178581785917860178611786217863178641786517866178671786817869178701787117872178731787417875178761787717878178791788017881178821788317884178851788617887178881788917890178911789217893178941789517896178971789817899179001790117902179031790417905179061790717908179091791017911179121791317914179151791617917179181791917920179211792217923179241792517926179271792817929179301793117932179331793417935179361793717938179391794017941179421794317944179451794617947179481794917950179511795217953179541795517956179571795817959179601796117962179631796417965179661796717968179691797017971179721797317974179751797617977179781797917980179811798217983179841798517986179871798817989179901799117992179931799417995179961799717998179991800018001180021800318004180051800618007180081800918010180111801218013180141801518016180171801818019180201802118022180231802418025180261802718028180291803018031180321803318034180351803618037180381803918040180411804218043180441804518046180471804818049180501805118052180531805418055180561805718058180591806018061180621806318064180651806618067180681806918070180711807218073180741807518076180771807818079180801808118082180831808418085180861808718088180891809018091180921809318094180951809618097180981809918100181011810218103181041810518106181071810818109181101811118112181131811418115181161811718118181191812018121181221812318124181251812618127181281812918130181311813218133181341813518136181371813818139181401814118142181431814418145181461814718148181491815018151181521815318154181551815618157181581815918160181611816218163181641816518166181671816818169181701817118172181731817418175181761817718178181791818018181181821818318184181851818618187181881818918190181911819218193181941819518196181971819818199182001820118202182031820418205182061820718208182091821018211182121821318214182151821618217182181821918220182211
82221822318224182251822618227182281822918230182311823218233182341823518236182371823818239182401824118242182431824418245182461824718248182491825018251182521825318254182551825618257182581825918260182611826218263182641826518266182671826818269182701827118272182731827418275182761827718278182791828018281182821828318284182851828618287182881828918290182911829218293182941829518296182971829818299183001830118302183031830418305183061830718308183091831018311183121831318314183151831618317183181831918320183211832218323183241832518326183271832818329183301833118332183331833418335183361833718338183391834018341183421834318344183451834618347183481834918350183511835218353183541835518356183571835818359183601836118362183631836418365183661836718368183691837018371183721837318374183751837618377183781837918380183811838218383183841838518386183871838818389183901839118392183931839418395183961839718398183991840018401184021840318404184051840618407184081840918410184111841218413184141841518416184171841818419184201842118422184231842418425184261842718428184291843018431184321843318434184351843618437184381843918440184411844218443184441844518446184471844818449184501845118452184531845418455184561845718458184591846018461184621846318464184651846618467184681846918470184711847218473184741847518476184771847818479184801848118482184831848418485184861848718488184891849018491184921849318494184951849618497184981849918500185011850218503185041850518506185071850818509185101851118512185131851418515185161851718518185191852018521185221852318524185251852618527185281852918530185311853218533185341853518536185371853818539185401854118542185431854418545185461854718548185491855018551185521855318554185551855618557185581855918560185611856218563185641856518566185671856818569185701857118572185731857418575185761857718578185791858018581185821858318584185851858618587185881858918590185911859218593185941859518596185971859818599186001860118602186031860418605186061860718608186091861018611186121861318614186151861618617186181861918620186211
86221862318624186251862618627186281862918630186311863218633186341863518636186371863818639186401864118642186431864418645186461864718648186491865018651186521865318654186551865618657186581865918660186611866218663186641866518666186671866818669186701867118672186731867418675186761867718678186791868018681186821868318684186851868618687186881868918690186911869218693186941869518696186971869818699187001870118702187031870418705187061870718708187091871018711187121871318714187151871618717187181871918720187211872218723187241872518726187271872818729187301873118732187331873418735187361873718738187391874018741187421874318744187451874618747187481874918750187511875218753187541875518756187571875818759187601876118762187631876418765187661876718768187691877018771187721877318774187751877618777187781877918780187811878218783187841878518786187871878818789187901879118792187931879418795187961879718798187991880018801188021880318804188051880618807188081880918810188111881218813188141881518816188171881818819188201882118822188231882418825188261882718828188291883018831188321883318834188351883618837188381883918840188411884218843188441884518846188471884818849188501885118852188531885418855188561885718858188591886018861188621886318864188651886618867188681886918870188711887218873188741887518876188771887818879188801888118882188831888418885188861888718888188891889018891188921889318894188951889618897188981889918900189011890218903189041890518906189071890818909189101891118912189131891418915189161891718918189191892018921189221892318924189251892618927189281892918930189311893218933189341893518936189371893818939189401894118942189431894418945189461894718948189491895018951189521895318954189551895618957189581895918960189611896218963189641896518966189671896818969189701897118972189731897418975189761897718978189791898018981189821898318984189851898618987189881898918990189911899218993189941899518996189971899818999190001900119002190031900419005190061900719008190091901019011190121901319014190151901619017190181901919020190211
90221902319024190251902619027190281902919030190311903219033190341903519036190371903819039190401904119042190431904419045190461904719048190491905019051190521905319054190551905619057190581905919060190611906219063190641906519066190671906819069190701907119072190731907419075190761907719078190791908019081190821908319084190851908619087190881908919090190911909219093190941909519096190971909819099191001910119102191031910419105191061910719108191091911019111191121911319114191151911619117191181911919120191211912219123191241912519126191271912819129191301913119132191331913419135191361913719138191391914019141191421914319144191451914619147191481914919150191511915219153191541915519156191571915819159191601916119162191631916419165191661916719168191691917019171191721917319174191751917619177191781917919180191811918219183191841918519186191871918819189191901919119192191931919419195191961919719198191991920019201192021920319204192051920619207192081920919210192111921219213192141921519216192171921819219192201922119222192231922419225192261922719228192291923019231192321923319234192351923619237192381923919240192411924219243192441924519246192471924819249192501925119252192531925419255192561925719258192591926019261192621926319264192651926619267192681926919270192711927219273192741927519276192771927819279192801928119282192831928419285192861928719288192891929019291192921929319294192951929619297192981929919300193011930219303193041930519306193071930819309193101931119312193131931419315193161931719318193191932019321193221932319324193251932619327193281932919330193311933219333193341933519336193371933819339193401934119342193431934419345193461934719348193491935019351193521935319354193551935619357193581935919360193611936219363193641936519366193671936819369193701937119372193731937419375193761937719378193791938019381193821938319384193851938619387193881938919390193911939219393193941939519396193971939819399194001940119402194031940419405194061940719408194091941019411194121941319414194151941619417194181941919420194211
94221942319424194251942619427194281942919430194311943219433194341943519436194371943819439194401944119442194431944419445194461944719448194491945019451194521945319454194551945619457194581945919460194611946219463194641946519466194671946819469194701947119472194731947419475194761947719478194791948019481194821948319484194851948619487194881948919490194911949219493194941949519496194971949819499195001950119502195031950419505195061950719508195091951019511195121951319514195151951619517195181951919520195211952219523195241952519526195271952819529195301953119532195331953419535195361953719538195391954019541195421954319544195451954619547195481954919550195511955219553195541955519556195571955819559195601956119562195631956419565195661956719568195691957019571195721957319574195751957619577195781957919580195811958219583195841958519586195871958819589195901959119592195931959419595195961959719598195991960019601196021960319604196051960619607196081960919610196111961219613196141961519616196171961819619196201962119622196231962419625196261962719628196291963019631196321963319634196351963619637196381963919640196411964219643196441964519646196471964819649196501965119652196531965419655196561965719658196591966019661196621966319664196651966619667196681966919670196711967219673196741967519676196771967819679196801968119682196831968419685196861968719688196891969019691196921969319694196951969619697196981969919700197011970219703197041970519706197071970819709197101971119712197131971419715197161971719718197191972019721197221972319724197251972619727197281972919730197311973219733197341973519736197371973819739197401974119742197431974419745197461974719748197491975019751197521975319754197551975619757197581975919760197611976219763197641976519766197671976819769197701977119772197731977419775197761977719778197791978019781197821978319784197851978619787197881978919790197911979219793197941979519796197971979819799198001980119802198031980419805198061980719808198091981019811198121981319814198151981619817198181981919820198211
98221982319824198251982619827198281982919830198311983219833198341983519836198371983819839198401984119842198431984419845198461984719848198491985019851198521985319854198551985619857198581985919860198611986219863198641986519866198671986819869198701987119872198731987419875198761987719878198791988019881198821988319884198851988619887198881988919890198911989219893198941989519896198971989819899199001990119902199031990419905199061990719908199091991019911199121991319914199151991619917199181991919920199211992219923199241992519926199271992819929199301993119932199331993419935199361993719938199391994019941199421994319944199451994619947199481994919950199511995219953199541995519956199571995819959199601996119962199631996419965199661996719968199691997019971199721997319974199751997619977199781997919980199811998219983199841998519986199871998819989199901999119992199931999419995199961999719998199992000020001200022000320004200052000620007200082000920010200112001220013200142001520016200172001820019200202002120022200232002420025200262002720028200292003020031200322003320034200352003620037200382003920040200412004220043200442004520046200472004820049200502005120052200532005420055200562005720058200592006020061200622006320064200652006620067200682006920070200712007220073200742007520076200772007820079200802008120082200832008420085200862008720088200892009020091200922009320094200952009620097200982009920100201012010220103201042010520106201072010820109201102011120112201132011420115201162011720118201192012020121201222012320124201252012620127201282012920130201312013220133201342013520136201372013820139201402014120142201432014420145201462014720148201492015020151201522015320154201552015620157201582015920160201612016220163201642016520166201672016820169201702017120172201732017420175201762017720178201792018020181201822018320184201852018620187201882018920190201912019220193201942019520196201972019820199202002020120202202032020420205202062020720208202092021020211202122021320214202152021620217202182021920220202212
02222022320224202252022620227202282022920230202312023220233202342023520236202372023820239202402024120242202432024420245202462024720248202492025020251202522025320254202552025620257202582025920260202612026220263202642026520266202672026820269202702027120272202732027420275202762027720278202792028020281202822028320284202852028620287202882028920290202912029220293202942029520296202972029820299203002030120302203032030420305203062030720308203092031020311203122031320314203152031620317203182031920320203212032220323203242032520326203272032820329203302033120332203332033420335203362033720338203392034020341203422034320344203452034620347203482034920350203512035220353203542035520356203572035820359203602036120362203632036420365203662036720368203692037020371203722037320374203752037620377203782037920380203812038220383203842038520386203872038820389203902039120392203932039420395203962039720398203992040020401204022040320404204052040620407204082040920410204112041220413204142041520416204172041820419204202042120422204232042420425204262042720428204292043020431204322043320434204352043620437204382043920440204412044220443204442044520446204472044820449204502045120452204532045420455204562045720458204592046020461204622046320464204652046620467204682046920470204712047220473204742047520476204772047820479204802048120482204832048420485204862048720488204892049020491204922049320494204952049620497204982049920500205012050220503205042050520506205072050820509205102051120512205132051420515205162051720518205192052020521205222052320524205252052620527205282052920530205312053220533205342053520536205372053820539205402054120542205432054420545205462054720548205492055020551205522055320554205552055620557205582055920560205612056220563205642056520566205672056820569205702057120572205732057420575205762057720578205792058020581205822058320584205852058620587205882058920590205912059220593205942059520596205972059820599206002060120602206032060420605206062060720608206092061020611206122061320614206152061620617206182061920620206212
06222062320624206252062620627206282062920630206312063220633206342063520636206372063820639206402064120642206432064420645206462064720648206492065020651206522065320654206552065620657206582065920660206612066220663206642066520666206672066820669206702067120672206732067420675206762067720678206792068020681206822068320684206852068620687206882068920690206912069220693206942069520696206972069820699207002070120702207032070420705207062070720708207092071020711207122071320714207152071620717207182071920720207212072220723207242072520726207272072820729207302073120732207332073420735207362073720738207392074020741207422074320744207452074620747207482074920750207512075220753207542075520756207572075820759207602076120762207632076420765207662076720768207692077020771207722077320774207752077620777207782077920780207812078220783207842078520786207872078820789207902079120792207932079420795207962079720798207992080020801208022080320804208052080620807208082080920810208112081220813208142081520816208172081820819208202082120822208232082420825208262082720828208292083020831208322083320834208352083620837208382083920840208412084220843208442084520846208472084820849208502085120852208532085420855208562085720858208592086020861208622086320864208652086620867208682086920870208712087220873208742087520876208772087820879208802088120882208832088420885208862088720888208892089020891208922089320894208952089620897208982089920900209012090220903209042090520906209072090820909209102091120912209132091420915209162091720918209192092020921209222092320924209252092620927209282092920930209312093220933209342093520936209372093820939209402094120942209432094420945209462094720948209492095020951209522095320954209552095620957209582095920960209612096220963209642096520966209672096820969209702097120972209732097420975209762097720978209792098020981209822098320984209852098620987209882098920990209912099220993209942099520996209972099820999210002100121002210032100421005210062100721008210092101021011210122101321014210152101621017210182101921020210212
10222102321024210252102621027210282102921030210312103221033210342103521036210372103821039210402104121042210432104421045210462104721048210492105021051210522105321054210552105621057210582105921060210612106221063210642106521066210672106821069210702107121072210732107421075210762107721078210792108021081210822108321084210852108621087210882108921090210912109221093210942109521096210972109821099211002110121102211032110421105211062110721108211092111021111211122111321114211152111621117211182111921120211212112221123211242112521126211272112821129211302113121132211332113421135211362113721138211392114021141211422114321144211452114621147211482114921150211512115221153211542115521156211572115821159211602116121162211632116421165211662116721168211692117021171211722117321174211752117621177211782117921180211812118221183211842118521186211872118821189211902119121192211932119421195211962119721198211992120021201212022120321204212052120621207212082120921210212112121221213212142121521216212172121821219212202122121222212232122421225212262122721228212292123021231212322123321234212352123621237212382123921240212412124221243212442124521246212472124821249212502125121252212532125421255212562125721258212592126021261212622126321264212652126621267212682126921270212712127221273212742127521276212772127821279212802128121282212832128421285212862128721288212892129021291212922129321294212952129621297212982129921300213012130221303213042130521306213072130821309213102131121312213132131421315213162131721318213192132021321213222132321324213252132621327213282132921330213312133221333213342133521336213372133821339213402134121342213432134421345213462134721348213492135021351213522135321354213552135621357213582135921360213612136221363213642136521366213672136821369213702137121372213732137421375213762137721378213792138021381213822138321384213852138621387213882138921390213912139221393213942139521396213972139821399214002140121402214032140421405214062140721408214092141021411214122141321414214152141621417214182141921420214212
14222142321424214252142621427214282142921430214312143221433214342143521436214372143821439214402144121442214432144421445214462144721448214492145021451214522145321454214552145621457214582145921460214612146221463214642146521466214672146821469214702147121472214732147421475214762147721478214792148021481214822148321484214852148621487214882148921490214912149221493214942149521496214972149821499215002150121502215032150421505215062150721508215092151021511215122151321514215152151621517215182151921520215212152221523215242152521526215272152821529215302153121532215332153421535215362153721538215392154021541215422154321544215452154621547215482154921550215512155221553215542155521556215572155821559215602156121562215632156421565215662156721568215692157021571215722157321574215752157621577215782157921580215812158221583215842158521586215872158821589215902159121592215932159421595215962159721598215992160021601216022160321604216052160621607216082160921610216112161221613216142161521616216172161821619216202162121622216232162421625216262162721628216292163021631216322163321634216352163621637216382163921640216412164221643216442164521646216472164821649216502165121652216532165421655216562165721658216592166021661216622166321664216652166621667216682166921670216712167221673216742167521676216772167821679216802168121682216832168421685216862168721688216892169021691216922169321694216952169621697216982169921700217012170221703217042170521706217072170821709217102171121712217132171421715217162171721718217192172021721217222172321724217252172621727217282172921730217312173221733217342173521736217372173821739217402174121742217432174421745217462174721748217492175021751217522175321754217552175621757217582175921760217612176221763217642176521766217672176821769217702177121772217732177421775217762177721778217792178021781217822178321784217852178621787217882178921790217912179221793217942179521796217972179821799218002180121802218032180421805218062180721808218092181021811218122181321814218152181621817218182181921820218212
18222182321824218252182621827218282182921830218312183221833218342183521836218372183821839218402184121842218432184421845218462184721848218492185021851218522185321854218552185621857218582185921860218612186221863218642186521866218672186821869218702187121872218732187421875218762187721878218792188021881218822188321884218852188621887218882188921890218912189221893218942189521896218972189821899219002190121902219032190421905219062190721908219092191021911219122191321914219152191621917219182191921920219212192221923219242192521926219272192821929219302193121932219332193421935219362193721938219392194021941219422194321944219452194621947219482194921950219512195221953219542195521956219572195821959219602196121962219632196421965219662196721968219692197021971219722197321974219752197621977219782197921980219812198221983219842198521986219872198821989219902199121992219932199421995219962199721998219992200022001220022200322004220052200622007220082200922010220112201222013220142201522016220172201822019220202202122022220232202422025220262202722028220292203022031220322203322034220352203622037220382203922040220412204222043220442204522046220472204822049220502205122052220532205422055220562205722058220592206022061220622206322064220652206622067220682206922070220712207222073220742207522076220772207822079220802208122082220832208422085220862208722088220892209022091220922209322094220952209622097220982209922100221012210222103221042210522106221072210822109221102211122112221132211422115221162211722118221192212022121221222212322124221252212622127221282212922130221312213222133221342213522136221372213822139221402214122142221432214422145221462214722148221492215022151221522215322154221552215622157221582215922160221612216222163221642216522166221672216822169221702217122172221732217422175221762217722178221792218022181221822218322184221852218622187221882218922190221912219222193221942219522196221972219822199222002220122202222032220422205222062220722208222092221022211222122221322214222152221622217222182221922220222212
22222222322224222252222622227222282222922230222312223222233222342223522236222372223822239222402224122242222432224422245222462224722248222492225022251222522225322254222552225622257222582225922260222612226222263222642226522266222672226822269222702227122272222732227422275222762227722278222792228022281222822228322284222852228622287222882228922290222912229222293222942229522296222972229822299223002230122302223032230422305223062230722308223092231022311223122231322314223152231622317223182231922320223212232222323223242232522326223272232822329223302233122332223332233422335223362233722338223392234022341223422234322344223452234622347223482234922350223512235222353223542235522356223572235822359223602236122362223632236422365223662236722368223692237022371223722237322374223752237622377223782237922380223812238222383223842238522386223872238822389223902239122392223932239422395223962239722398223992240022401224022240322404224052240622407224082240922410224112241222413224142241522416224172241822419224202242122422224232242422425224262242722428224292243022431224322243322434224352243622437224382243922440224412244222443224442244522446224472244822449224502245122452224532245422455224562245722458224592246022461224622246322464224652246622467224682246922470224712247222473224742247522476224772247822479224802248122482224832248422485224862248722488224892249022491224922249322494224952249622497224982249922500225012250222503225042250522506225072250822509225102251122512225132251422515225162251722518225192252022521225222252322524225252252622527225282252922530225312253222533225342253522536225372253822539225402254122542225432254422545225462254722548225492255022551225522255322554225552255622557225582255922560225612256222563225642256522566225672256822569225702257122572225732257422575225762257722578225792258022581225822258322584225852258622587225882258922590225912259222593225942259522596225972259822599226002260122602226032260422605226062260722608226092261022611226122261322614226152261622617226182261922620226212
26222262322624226252262622627226282262922630226312263222633226342263522636226372263822639226402264122642226432264422645226462264722648226492265022651226522265322654226552265622657226582265922660226612266222663226642266522666226672266822669226702267122672226732267422675226762267722678226792268022681226822268322684226852268622687226882268922690226912269222693226942269522696226972269822699227002270122702227032270422705227062270722708227092271022711227122271322714227152271622717227182271922720227212272222723227242272522726227272272822729227302273122732227332273422735227362273722738227392274022741227422274322744227452274622747227482274922750227512275222753227542275522756227572275822759227602276122762227632276422765227662276722768227692277022771227722277322774227752277622777227782277922780227812278222783227842278522786227872278822789227902279122792227932279422795227962279722798227992280022801228022280322804228052280622807228082280922810228112281222813228142281522816228172281822819228202282122822228232282422825228262282722828228292283022831228322283322834228352283622837228382283922840228412284222843228442284522846228472284822849228502285122852228532285422855228562285722858228592286022861228622286322864228652286622867228682286922870228712287222873228742287522876228772287822879228802288122882228832288422885228862288722888228892289022891228922289322894228952289622897228982289922900229012290222903229042290522906229072290822909229102291122912229132291422915229162291722918229192292022921229222292322924229252292622927229282292922930229312293222933229342293522936229372293822939229402294122942229432294422945229462294722948229492295022951229522295322954229552295622957229582295922960229612296222963229642296522966229672296822969229702297122972229732297422975229762297722978229792298022981229822298322984229852298622987229882298922990229912299222993229942299522996229972299822999230002300123002230032300423005230062300723008230092301023011230122301323014230152301623017230182301923020230212
30222302323024230252302623027230282302923030230312303223033230342303523036230372303823039230402304123042230432304423045230462304723048230492305023051230522305323054230552305623057230582305923060230612306223063230642306523066230672306823069230702307123072230732307423075230762307723078230792308023081230822308323084230852308623087230882308923090230912309223093230942309523096230972309823099231002310123102231032310423105231062310723108231092311023111231122311323114231152311623117231182311923120231212312223123231242312523126231272312823129231302313123132231332313423135231362313723138231392314023141231422314323144231452314623147231482314923150231512315223153231542315523156231572315823159231602316123162231632316423165231662316723168231692317023171231722317323174231752317623177231782317923180231812318223183231842318523186231872318823189231902319123192231932319423195231962319723198231992320023201232022320323204232052320623207232082320923210232112321223213232142321523216232172321823219232202322123222232232322423225232262322723228232292323023231232322323323234232352323623237232382323923240232412324223243232442324523246232472324823249232502325123252232532325423255232562325723258232592326023261232622326323264232652326623267232682326923270232712327223273232742327523276232772327823279232802328123282232832328423285232862328723288232892329023291232922329323294232952329623297232982329923300233012330223303233042330523306233072330823309233102331123312233132331423315233162331723318233192332023321233222332323324233252332623327233282332923330233312333223333233342333523336233372333823339233402334123342233432334423345233462334723348233492335023351233522335323354233552335623357233582335923360233612336223363233642336523366233672336823369233702337123372233732337423375233762337723378233792338023381233822338323384233852338623387233882338923390233912339223393233942339523396233972339823399234002340123402234032340423405234062340723408234092341023411234122341323414234152341623417234182341923420234212
34222342323424234252342623427234282342923430234312343223433234342343523436234372343823439234402344123442234432344423445234462344723448234492345023451234522345323454234552345623457234582345923460234612346223463234642346523466234672346823469234702347123472234732347423475234762347723478234792348023481234822348323484234852348623487234882348923490234912349223493234942349523496234972349823499235002350123502235032350423505235062350723508235092351023511235122351323514235152351623517235182351923520235212352223523235242352523526235272352823529235302353123532235332353423535235362353723538235392354023541235422354323544235452354623547235482354923550235512355223553235542355523556235572355823559235602356123562235632356423565235662356723568235692357023571235722357323574235752357623577235782357923580235812358223583235842358523586235872358823589235902359123592235932359423595235962359723598235992360023601236022360323604236052360623607236082360923610236112361223613236142361523616236172361823619236202362123622236232362423625236262362723628236292363023631236322363323634236352363623637236382363923640236412364223643236442364523646236472364823649236502365123652236532365423655236562365723658236592366023661236622366323664236652366623667236682366923670236712367223673236742367523676236772367823679236802368123682236832368423685236862368723688236892369023691236922369323694236952369623697236982369923700237012370223703237042370523706237072370823709237102371123712237132371423715237162371723718237192372023721237222372323724237252372623727237282372923730237312373223733237342373523736237372373823739237402374123742237432374423745237462374723748237492375023751237522375323754237552375623757237582375923760237612376223763237642376523766237672376823769237702377123772237732377423775237762377723778237792378023781237822378323784237852378623787237882378923790237912379223793237942379523796237972379823799238002380123802238032380423805238062380723808238092381023811238122381323814238152381623817238182381923820238212
38222382323824238252382623827238282382923830238312383223833238342383523836238372383823839238402384123842238432384423845238462384723848238492385023851238522385323854238552385623857238582385923860238612386223863238642386523866238672386823869238702387123872238732387423875238762387723878238792388023881238822388323884238852388623887238882388923890238912389223893238942389523896238972389823899239002390123902239032390423905239062390723908239092391023911239122391323914239152391623917239182391923920239212392223923239242392523926239272392823929239302393123932239332393423935239362393723938239392394023941239422394323944239452394623947239482394923950239512395223953239542395523956239572395823959239602396123962239632396423965239662396723968239692397023971239722397323974239752397623977239782397923980239812398223983239842398523986239872398823989239902399123992239932399423995239962399723998239992400024001240022400324004240052400624007240082400924010240112401224013240142401524016240172401824019240202402124022240232402424025240262402724028240292403024031240322403324034240352403624037240382403924040240412404224043240442404524046240472404824049240502405124052240532405424055240562405724058240592406024061240622406324064240652406624067240682406924070240712407224073240742407524076240772407824079240802408124082240832408424085240862408724088240892409024091240922409324094240952409624097240982409924100241012410224103241042410524106241072410824109241102411124112241132411424115241162411724118241192412024121241222412324124241252412624127241282412924130241312413224133241342413524136241372413824139241402414124142241432414424145241462414724148241492415024151241522415324154241552415624157241582415924160241612416224163241642416524166241672416824169241702417124172241732417424175241762417724178241792418024181241822418324184241852418624187241882418924190241912419224193241942419524196241972419824199242002420124202242032420424205242062420724208242092421024211242122421324214242152421624217242182421924220242212
42222422324224242252422624227242282422924230242312423224233242342423524236242372423824239242402424124242242432424424245242462424724248242492425024251242522425324254242552425624257242582425924260242612426224263242642426524266242672426824269242702427124272242732427424275242762427724278242792428024281242822428324284242852428624287242882428924290242912429224293242942429524296242972429824299243002430124302243032430424305243062430724308243092431024311243122431324314243152431624317243182431924320243212432224323243242432524326243272432824329243302433124332243332433424335243362433724338243392434024341243422434324344243452434624347243482434924350243512435224353243542435524356243572435824359243602436124362243632436424365243662436724368243692437024371243722437324374243752437624377243782437924380243812438224383243842438524386243872438824389243902439124392243932439424395243962439724398243992440024401244022440324404244052440624407244082440924410244112441224413244142441524416244172441824419244202442124422244232442424425244262442724428244292443024431244322443324434244352443624437244382443924440244412444224443244442444524446244472444824449244502445124452244532445424455244562445724458244592446024461244622446324464244652446624467244682446924470244712447224473244742447524476244772447824479244802448124482244832448424485244862448724488244892449024491244922449324494244952449624497244982449924500245012450224503245042450524506245072450824509245102451124512245132451424515245162451724518245192452024521245222452324524245252452624527245282452924530245312453224533245342453524536245372453824539245402454124542245432454424545245462454724548245492455024551245522455324554245552455624557245582455924560245612456224563245642456524566245672456824569245702457124572245732457424575245762457724578245792458024581245822458324584245852458624587245882458924590245912459224593245942459524596245972459824599246002460124602246032460424605246062460724608246092461024611246122461324614246152461624617246182461924620246212
46222462324624246252462624627246282462924630246312463224633246342463524636246372463824639246402464124642246432464424645246462464724648246492465024651246522465324654246552465624657246582465924660246612466224663246642466524666246672466824669246702467124672246732467424675246762467724678246792468024681246822468324684246852468624687246882468924690246912469224693246942469524696246972469824699247002470124702247032470424705247062470724708247092471024711247122471324714247152471624717247182471924720247212472224723247242472524726247272472824729247302473124732247332473424735247362473724738247392474024741247422474324744247452474624747247482474924750247512475224753247542475524756247572475824759247602476124762247632476424765247662476724768247692477024771247722477324774247752477624777247782477924780247812478224783247842478524786247872478824789247902479124792247932479424795247962479724798247992480024801248022480324804248052480624807248082480924810248112481224813248142481524816248172481824819248202482124822248232482424825248262482724828248292483024831248322483324834248352483624837248382483924840248412484224843248442484524846248472484824849248502485124852248532485424855248562485724858248592486024861248622486324864248652486624867248682486924870248712487224873248742487524876248772487824879248802488124882248832488424885248862488724888248892489024891248922489324894248952489624897248982489924900249012490224903249042490524906249072490824909249102491124912249132491424915249162491724918249192492024921249222492324924249252492624927249282492924930249312493224933249342493524936249372493824939249402494124942249432494424945249462494724948249492495024951249522495324954249552495624957249582495924960249612496224963249642496524966249672496824969249702497124972249732497424975249762497724978249792498024981249822498324984249852498624987249882498924990249912499224993249942499524996249972499824999250002500125002250032500425005250062500725008250092501025011250122501325014250152501625017250182501925020250212
50222502325024250252502625027250282502925030250312503225033250342503525036250372503825039250402504125042250432504425045250462504725048250492505025051250522505325054250552505625057250582505925060250612506225063250642506525066250672506825069250702507125072250732507425075250762507725078250792508025081250822508325084250852508625087250882508925090250912509225093250942509525096250972509825099251002510125102251032510425105251062510725108251092511025111251122511325114251152511625117251182511925120251212512225123251242512525126251272512825129251302513125132251332513425135251362513725138251392514025141251422514325144251452514625147251482514925150251512515225153251542515525156251572515825159251602516125162251632516425165251662516725168251692517025171251722517325174251752517625177251782517925180251812518225183251842518525186251872518825189251902519125192251932519425195251962519725198251992520025201252022520325204252052520625207252082520925210252112521225213252142521525216252172521825219252202522125222252232522425225252262522725228252292523025231252322523325234252352523625237252382523925240252412524225243252442524525246252472524825249252502525125252252532525425255252562525725258252592526025261252622526325264252652526625267252682526925270252712527225273252742527525276252772527825279252802528125282252832528425285252862528725288252892529025291252922529325294252952529625297252982529925300253012530225303253042530525306253072530825309253102531125312253132531425315253162531725318253192532025321253222532325324253252532625327253282532925330253312533225333253342533525336253372533825339253402534125342253432534425345253462534725348253492535025351253522535325354253552535625357253582535925360253612536225363253642536525366253672536825369253702537125372253732537425375253762537725378253792538025381253822538325384253852538625387253882538925390253912539225393253942539525396253972539825399254002540125402254032540425405254062540725408254092541025411254122541325414254152541625417254182541925420254212
54222542325424254252542625427254282542925430254312543225433254342543525436254372543825439254402544125442254432544425445254462544725448254492545025451254522545325454254552545625457254582545925460254612546225463254642546525466254672546825469254702547125472254732547425475254762547725478254792548025481254822548325484254852548625487254882548925490254912549225493254942549525496254972549825499255002550125502255032550425505255062550725508255092551025511255122551325514255152551625517255182551925520255212552225523255242552525526255272552825529255302553125532255332553425535255362553725538255392554025541255422554325544255452554625547255482554925550255512555225553255542555525556255572555825559255602556125562255632556425565255662556725568255692557025571255722557325574255752557625577255782557925580255812558225583255842558525586255872558825589255902559125592255932559425595255962559725598255992560025601256022560325604256052560625607256082560925610256112561225613256142561525616256172561825619256202562125622256232562425625256262562725628256292563025631256322563325634256352563625637256382563925640256412564225643256442564525646256472564825649256502565125652256532565425655256562565725658256592566025661256622566325664256652566625667256682566925670256712567225673256742567525676256772567825679256802568125682256832568425685256862568725688256892569025691256922569325694256952569625697256982569925700257012570225703257042570525706257072570825709257102571125712257132571425715257162571725718257192572025721257222572325724257252572625727257282572925730257312573225733257342573525736257372573825739257402574125742257432574425745257462574725748257492575025751257522575325754257552575625757257582575925760257612576225763257642576525766257672576825769257702577125772257732577425775257762577725778257792578025781257822578325784257852578625787257882578925790257912579225793257942579525796257972579825799258002580125802258032580425805258062580725808258092581025811258122581325814258152581625817258182581925820258212
58222582325824258252582625827258282582925830258312583225833258342583525836258372583825839258402584125842258432584425845258462584725848258492585025851258522585325854258552585625857258582585925860258612586225863258642586525866258672586825869258702587125872258732587425875258762587725878258792588025881258822588325884258852588625887258882588925890258912589225893258942589525896258972589825899259002590125902259032590425905259062590725908259092591025911259122591325914259152591625917259182591925920259212592225923259242592525926259272592825929259302593125932259332593425935259362593725938259392594025941259422594325944259452594625947259482594925950259512595225953259542595525956259572595825959259602596125962259632596425965259662596725968259692597025971259722597325974259752597625977259782597925980259812598225983259842598525986259872598825989259902599125992259932599425995259962599725998259992600026001260022600326004260052600626007260082600926010260112601226013260142601526016260172601826019260202602126022260232602426025260262602726028260292603026031260322603326034260352603626037260382603926040260412604226043260442604526046260472604826049260502605126052260532605426055260562605726058260592606026061260622606326064260652606626067260682606926070260712607226073260742607526076260772607826079260802608126082260832608426085260862608726088260892609026091260922609326094260952609626097260982609926100261012610226103261042610526106261072610826109261102611126112261132611426115261162611726118261192612026121261222612326124261252612626127261282612926130261312613226133261342613526136261372613826139261402614126142261432614426145261462614726148261492615026151261522615326154261552615626157261582615926160261612616226163261642616526166261672616826169261702617126172261732617426175261762617726178261792618026181261822618326184261852618626187261882618926190261912619226193261942619526196261972619826199262002620126202262032620426205262062620726208262092621026211262122621326214262152621626217262182621926220262212
62222622326224262252622626227262282622926230262312623226233262342623526236262372623826239262402624126242262432624426245262462624726248262492625026251262522625326254262552625626257262582625926260262612626226263262642626526266262672626826269262702627126272262732627426275262762627726278262792628026281262822628326284262852628626287262882628926290262912629226293262942629526296262972629826299263002630126302263032630426305263062630726308263092631026311263122631326314263152631626317263182631926320263212632226323263242632526326263272632826329263302633126332263332633426335263362633726338263392634026341263422634326344263452634626347263482634926350263512635226353263542635526356263572635826359263602636126362263632636426365263662636726368263692637026371263722637326374263752637626377263782637926380263812638226383263842638526386263872638826389263902639126392263932639426395263962639726398263992640026401264022640326404264052640626407264082640926410264112641226413264142641526416264172641826419264202642126422264232642426425264262642726428264292643026431264322643326434264352643626437264382643926440264412644226443264442644526446264472644826449264502645126452264532645426455264562645726458264592646026461264622646326464264652646626467264682646926470264712647226473264742647526476264772647826479264802648126482264832648426485264862648726488264892649026491264922649326494264952649626497264982649926500265012650226503265042650526506265072650826509265102651126512265132651426515265162651726518265192652026521265222652326524265252652626527265282652926530265312653226533265342653526536265372653826539265402654126542265432654426545265462654726548265492655026551265522655326554265552655626557265582655926560265612656226563265642656526566265672656826569265702657126572265732657426575265762657726578265792658026581265822658326584265852658626587265882658926590265912659226593265942659526596265972659826599266002660126602266032660426605266062660726608266092661026611266122661326614266152661626617266182661926620266212
66222662326624266252662626627266282662926630266312663226633266342663526636266372663826639266402664126642266432664426645266462664726648266492665026651266522665326654266552665626657266582665926660266612666226663266642666526666266672666826669266702667126672266732667426675266762667726678266792668026681266822668326684266852668626687266882668926690266912669226693266942669526696266972669826699267002670126702267032670426705267062670726708267092671026711267122671326714267152671626717267182671926720267212672226723267242672526726267272672826729267302673126732267332673426735267362673726738267392674026741267422674326744267452674626747267482674926750267512675226753267542675526756267572675826759267602676126762267632676426765267662676726768267692677026771267722677326774267752677626777267782677926780267812678226783267842678526786267872678826789267902679126792267932679426795267962679726798267992680026801268022680326804268052680626807268082680926810268112681226813268142681526816268172681826819268202682126822268232682426825268262682726828268292683026831268322683326834268352683626837268382683926840268412684226843268442684526846268472684826849268502685126852268532685426855268562685726858268592686026861268622686326864268652686626867268682686926870268712687226873268742687526876268772687826879268802688126882268832688426885268862688726888268892689026891268922689326894268952689626897268982689926900269012690226903269042690526906269072690826909269102691126912269132691426915269162691726918269192692026921269222692326924269252692626927269282692926930269312693226933269342693526936269372693826939269402694126942269432694426945269462694726948269492695026951269522695326954269552695626957269582695926960269612696226963269642696526966269672696826969269702697126972269732697426975269762697726978269792698026981269822698326984269852698626987269882698926990269912699226993269942699526996269972699826999270002700127002270032700427005270062700727008270092701027011270122701327014270152701627017270182701927020270212
70222702327024270252702627027270282702927030270312703227033270342703527036270372703827039270402704127042270432704427045270462704727048270492705027051270522705327054270552705627057270582705927060270612706227063270642706527066270672706827069270702707127072270732707427075270762707727078270792708027081270822708327084270852708627087270882708927090270912709227093270942709527096270972709827099271002710127102271032710427105271062710727108271092711027111271122711327114271152711627117271182711927120271212712227123271242712527126271272712827129271302713127132271332713427135271362713727138271392714027141271422714327144271452714627147271482714927150271512715227153271542715527156271572715827159271602716127162271632716427165271662716727168271692717027171271722717327174271752717627177271782717927180271812718227183271842718527186271872718827189271902719127192271932719427195271962719727198271992720027201272022720327204272052720627207272082720927210272112721227213272142721527216272172721827219272202722127222272232722427225272262722727228272292723027231272322723327234272352723627237272382723927240272412724227243272442724527246272472724827249272502725127252272532725427255272562725727258272592726027261272622726327264272652726627267272682726927270272712727227273272742727527276272772727827279272802728127282272832728427285272862728727288272892729027291272922729327294272952729627297272982729927300273012730227303273042730527306273072730827309273102731127312273132731427315273162731727318273192732027321273222732327324273252732627327273282732927330273312733227333273342733527336273372733827339273402734127342273432734427345273462734727348273492735027351273522735327354273552735627357273582735927360273612736227363273642736527366273672736827369273702737127372273732737427375273762737727378273792738027381273822738327384273852738627387273882738927390273912739227393273942739527396273972739827399274002740127402274032740427405274062740727408274092741027411274122741327414274152741627417274182741927420274212
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. default: Ignore
  118. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  119. enum:
  120. - Ignore
  121. - Fail
  122. type: string
  123. property:
  124. description: Used to select a specific property of the Provider value (if a map), if supported
  125. type: string
  126. version:
  127. description: Used to select a specific version of the Provider value, if supported
  128. type: string
  129. required:
  130. - key
  131. type: object
  132. secretKey:
  133. description: The key in the Kubernetes Secret to store the value.
  134. maxLength: 253
  135. minLength: 1
  136. pattern: ^[-._a-zA-Z0-9]+$
  137. type: string
  138. sourceRef:
  139. description: |-
  140. SourceRef allows you to override the source
  141. from which the value will be pulled.
  142. maxProperties: 1
  143. minProperties: 1
  144. properties:
  145. generatorRef:
  146. description: |-
  147. GeneratorRef points to a generator custom resource.
  148. Deprecated: The generatorRef is not implemented in .data[].
  149. This will be removed with v1.
  150. properties:
  151. apiVersion:
  152. default: generators.external-secrets.io/v1alpha1
  153. description: Specify the apiVersion of the generator resource
  154. type: string
  155. kind:
  156. description: Specify the Kind of the generator resource
  157. enum:
  158. - ACRAccessToken
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - QuayAccessToken
  166. - Password
  167. - SSHKey
  168. - STSSessionToken
  169. - UUID
  170. - VaultDynamicSecret
  171. - Webhook
  172. - Grafana
  173. - MFA
  174. type: string
  175. name:
  176. description: Specify the name of the generator resource
  177. maxLength: 253
  178. minLength: 1
  179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  180. type: string
  181. required:
  182. - kind
  183. - name
  184. type: object
  185. storeRef:
  186. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  187. properties:
  188. kind:
  189. description: |-
  190. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  191. Defaults to `SecretStore`
  192. enum:
  193. - SecretStore
  194. - ClusterSecretStore
  195. type: string
  196. name:
  197. description: Name of the SecretStore resource
  198. maxLength: 253
  199. minLength: 1
  200. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  201. type: string
  202. type: object
  203. type: object
  204. required:
  205. - remoteRef
  206. - secretKey
  207. type: object
  208. type: array
  209. dataFrom:
  210. description: |-
  211. DataFrom is used to fetch all properties from a specific Provider data
  212. If multiple entries are specified, the Secret keys are merged in the specified order
  213. items:
  214. description: |-
  215. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  216. when using DataFrom to fetch multiple values from a Provider.
  217. properties:
  218. extract:
  219. description: |-
  220. Used to extract multiple key/value pairs from one secret
  221. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  222. properties:
  223. conversionStrategy:
  224. default: Default
  225. description: Used to define a conversion Strategy
  226. enum:
  227. - Default
  228. - Unicode
  229. type: string
  230. decodingStrategy:
  231. default: None
  232. description: Used to define a decoding Strategy
  233. enum:
  234. - Auto
  235. - Base64
  236. - Base64URL
  237. - None
  238. type: string
  239. key:
  240. description: Key is the key used in the Provider, mandatory
  241. type: string
  242. metadataPolicy:
  243. default: None
  244. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  245. enum:
  246. - None
  247. - Fetch
  248. type: string
  249. nullBytePolicy:
  250. default: Ignore
  251. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  252. enum:
  253. - Ignore
  254. - Fail
  255. type: string
  256. property:
  257. description: Used to select a specific property of the Provider value (if a map), if supported
  258. type: string
  259. version:
  260. description: Used to select a specific version of the Provider value, if supported
  261. type: string
  262. required:
  263. - key
  264. type: object
  265. find:
  266. description: |-
  267. Used to find secrets based on tags or regular expressions
  268. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  269. properties:
  270. conversionStrategy:
  271. default: Default
  272. description: Used to define a conversion Strategy
  273. enum:
  274. - Default
  275. - Unicode
  276. type: string
  277. decodingStrategy:
  278. default: None
  279. description: Used to define a decoding Strategy
  280. enum:
  281. - Auto
  282. - Base64
  283. - Base64URL
  284. - None
  285. type: string
  286. name:
  287. description: Finds secrets based on the name.
  288. properties:
  289. regexp:
  290. description: Finds secrets based on a regular expression matched against the name.
  291. type: string
  292. type: object
  293. nullBytePolicy:
  294. default: Ignore
  295. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  296. enum:
  297. - Ignore
  298. - Fail
  299. type: string
  300. path:
  301. description: A root path to start the find operations.
  302. type: string
  303. tags:
  304. additionalProperties:
  305. type: string
  306. description: Find secrets based on tags.
  307. type: object
  308. type: object
  309. rewrite:
  310. description: |-
  311. Used to rewrite secret Keys after getting them from the secret Provider
  312. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  313. items:
  314. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  315. maxProperties: 1
  316. minProperties: 1
  317. properties:
  318. merge:
  319. description: |-
  320. Used to merge key/values in one single Secret
  321. The resulting key will contain all values from the specified secrets
  322. properties:
  323. conflictPolicy:
  324. default: Error
  325. description: Used to define the policy to use in conflict resolution.
  326. enum:
  327. - Ignore
  328. - Error
  329. type: string
  330. into:
  331. default: ""
  332. description: |-
  333. Used to define the target key of the merge operation.
  334. Required if strategy is JSON. Ignored otherwise.
  335. type: string
  336. priority:
  337. description: Used to define key priority in conflict resolution.
  338. items:
  339. type: string
  340. type: array
  341. priorityPolicy:
  342. default: Strict
  343. description: Used to define the policy when a key in the priority list does not exist in the input.
  344. enum:
  345. - IgnoreNotFound
  346. - Strict
  347. type: string
  348. strategy:
  349. default: Extract
  350. description: Used to define the strategy to use in the merge operation.
  351. enum:
  352. - Extract
  353. - JSON
  354. type: string
  355. type: object
  356. regexp:
  357. description: |-
  358. Used to rewrite with regular expressions.
  359. The resulting key will be the output of a regexp.ReplaceAll operation.
  360. properties:
  361. source:
  362. description: Used to define the regular expression of a re.Compiler.
  363. type: string
  364. target:
  365. description: Used to define the target pattern of a ReplaceAll operation.
  366. type: string
  367. required:
  368. - source
  369. - target
  370. type: object
  371. transform:
  372. description: |-
  373. Used to apply string transformation on the secrets.
  374. The resulting key will be the output of the template applied by the operation.
  375. properties:
  376. template:
  377. description: |-
  378. Used to define the template to apply on the secret name.
  379. `.value` will specify the secret name in the template.
  380. type: string
  381. required:
  382. - template
  383. type: object
  384. type: object
  385. type: array
  386. sourceRef:
  387. description: |-
  388. SourceRef points to a store or generator
  389. which contains secret values ready to use.
  390. Use this in combination with Extract or Find to pull values out of
  391. a specific SecretStore.
  392. When sourceRef points to a generator, Extract or Find is not supported.
  393. The generator returns a static map of values.
  394. maxProperties: 1
  395. minProperties: 1
  396. properties:
  397. generatorRef:
  398. description: GeneratorRef points to a generator custom resource.
  399. properties:
  400. apiVersion:
  401. default: generators.external-secrets.io/v1alpha1
  402. description: Specify the apiVersion of the generator resource
  403. type: string
  404. kind:
  405. description: Specify the Kind of the generator resource
  406. enum:
  407. - ACRAccessToken
  408. - ClusterGenerator
  409. - CloudsmithAccessToken
  410. - ECRAuthorizationToken
  411. - Fake
  412. - GCRAccessToken
  413. - GithubAccessToken
  414. - QuayAccessToken
  415. - Password
  416. - SSHKey
  417. - STSSessionToken
  418. - UUID
  419. - VaultDynamicSecret
  420. - Webhook
  421. - Grafana
  422. - MFA
  423. type: string
  424. name:
  425. description: Specify the name of the generator resource
  426. maxLength: 253
  427. minLength: 1
  428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  429. type: string
  430. required:
  431. - kind
  432. - name
  433. type: object
  434. storeRef:
  435. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  436. properties:
  437. kind:
  438. description: |-
  439. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  440. Defaults to `SecretStore`
  441. enum:
  442. - SecretStore
  443. - ClusterSecretStore
  444. type: string
  445. name:
  446. description: Name of the SecretStore resource
  447. maxLength: 253
  448. minLength: 1
  449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  450. type: string
  451. type: object
  452. type: object
  453. type: object
  454. type: array
  455. refreshInterval:
  456. default: 1h0m0s
  457. description: |-
  458. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  459. specified as Golang Duration strings.
  460. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  461. Example values: "1h0m0s", "2h30m0s", "10m0s"
  462. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  463. type: string
  464. refreshPolicy:
  465. description: |-
  466. RefreshPolicy determines how the ExternalSecret should be refreshed:
  467. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  468. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  469. No periodic updates occur if refreshInterval is 0.
  470. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  471. enum:
  472. - CreatedOnce
  473. - Periodic
  474. - OnChange
  475. type: string
  476. secretStoreRef:
  477. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  478. properties:
  479. kind:
  480. description: |-
  481. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  482. Defaults to `SecretStore`
  483. enum:
  484. - SecretStore
  485. - ClusterSecretStore
  486. type: string
  487. name:
  488. description: Name of the SecretStore resource
  489. maxLength: 253
  490. minLength: 1
  491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  492. type: string
  493. type: object
  494. target:
  495. default:
  496. creationPolicy: Owner
  497. deletionPolicy: Retain
  498. description: |-
  499. ExternalSecretTarget defines the Kubernetes Secret to be created,
  500. there can be only one target per ExternalSecret.
  501. properties:
  502. creationPolicy:
  503. default: Owner
  504. description: |-
  505. CreationPolicy defines rules on how to create the resulting Secret.
  506. Defaults to "Owner"
  507. enum:
  508. - Owner
  509. - Orphan
  510. - Merge
  511. - None
  512. type: string
  513. deletionPolicy:
  514. default: Retain
  515. description: |-
  516. DeletionPolicy defines rules on how to delete the resulting Secret.
  517. Defaults to "Retain"
  518. enum:
  519. - Delete
  520. - Merge
  521. - Retain
  522. type: string
  523. immutable:
  524. description: Immutable defines if the final secret will be immutable
  525. type: boolean
  526. manifest:
  527. description: |-
  528. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  529. When specified, ExternalSecret will create the resource type defined here
  530. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  531. Warning: a generic target writes the fetched secret data into a resource that is not a Kubernetes Secret. Make sure access policies and encryption for that resource type are properly configured.
  532. properties:
  533. apiVersion:
  534. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  535. minLength: 1
  536. type: string
  537. kind:
  538. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  539. minLength: 1
  540. type: string
  541. required:
  542. - apiVersion
  543. - kind
  544. type: object
  545. name:
  546. description: |-
  547. The name of the Secret resource to be managed.
  548. Defaults to the .metadata.name of the ExternalSecret resource
  549. maxLength: 253
  550. minLength: 1
  551. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  552. type: string
  553. template:
  554. description: Template defines a blueprint for the created Secret resource.
  555. properties:
  556. data:
  557. additionalProperties:
  558. type: string
  559. type: object
  560. engineVersion:
  561. default: v2
  562. description: |-
  563. EngineVersion specifies the template engine version
  564. that should be used to compile/execute the
  565. template specified in .data and .templateFrom[].
  566. enum:
  567. - v2
  568. type: string
  569. mergePolicy:
  570. default: Replace
  571. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  572. enum:
  573. - Replace
  574. - Merge
  575. type: string
  576. metadata:
  577. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  578. properties:
  579. annotations:
  580. additionalProperties:
  581. type: string
  582. type: object
  583. finalizers:
  584. items:
  585. type: string
  586. type: array
  587. labels:
  588. additionalProperties:
  589. type: string
  590. type: object
  591. type: object
  592. templateFrom:
  593. items:
  594. description: |-
  595. TemplateFrom specifies a source for templates.
  596. Each item in the list can either reference a ConfigMap or a Secret resource.
  597. properties:
  598. configMap:
  599. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  600. properties:
  601. items:
  602. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  603. items:
  604. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  605. properties:
  606. key:
  607. description: A key in the ConfigMap/Secret
  608. maxLength: 253
  609. minLength: 1
  610. pattern: ^[-._a-zA-Z0-9]+$
  611. type: string
  612. templateAs:
  613. default: Values
  614. description: TemplateScope specifies how the template keys should be interpreted.
  615. enum:
  616. - Values
  617. - KeysAndValues
  618. type: string
  619. required:
  620. - key
  621. type: object
  622. type: array
  623. name:
  624. description: The name of the ConfigMap/Secret resource
  625. maxLength: 253
  626. minLength: 1
  627. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  628. type: string
  629. required:
  630. - items
  631. - name
  632. type: object
  633. literal:
  634. type: string
  635. secret:
  636. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  637. properties:
  638. items:
  639. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  640. items:
  641. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  642. properties:
  643. key:
  644. description: A key in the ConfigMap/Secret
  645. maxLength: 253
  646. minLength: 1
  647. pattern: ^[-._a-zA-Z0-9]+$
  648. type: string
  649. templateAs:
  650. default: Values
  651. description: TemplateScope specifies how the template keys should be interpreted.
  652. enum:
  653. - Values
  654. - KeysAndValues
  655. type: string
  656. required:
  657. - key
  658. type: object
  659. type: array
  660. name:
  661. description: The name of the ConfigMap/Secret resource
  662. maxLength: 253
  663. minLength: 1
  664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  665. type: string
  666. required:
  667. - items
  668. - name
  669. type: object
  670. target:
  671. default: Data
  672. description: |-
  673. Target specifies where to place the template result.
  674. For Secret resources, common values are: "Data", "Annotations", "Labels".
  675. For custom resources (when spec.target.manifest is set), this supports
  676. nested paths like "spec.database.config" or "data".
  677. type: string
  678. type: object
  679. type: array
  680. type:
  681. type: string
  682. type: object
  683. type: object
  684. type: object
  685. namespaceSelector:
  686. description: |-
  687. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  688. Deprecated: Use NamespaceSelectors instead.
  689. properties:
  690. matchExpressions:
  691. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  692. items:
  693. description: |-
  694. A label selector requirement is a selector that contains values, a key, and an operator that
  695. relates the key and values.
  696. properties:
  697. key:
  698. description: key is the label key that the selector applies to.
  699. type: string
  700. operator:
  701. description: |-
  702. operator represents a key's relationship to a set of values.
  703. Valid operators are In, NotIn, Exists and DoesNotExist.
  704. type: string
  705. values:
  706. description: |-
  707. values is an array of string values. If the operator is In or NotIn,
  708. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  709. the values array must be empty. This array is replaced during a strategic
  710. merge patch.
  711. items:
  712. type: string
  713. type: array
  714. x-kubernetes-list-type: atomic
  715. required:
  716. - key
  717. - operator
  718. type: object
  719. type: array
  720. x-kubernetes-list-type: atomic
  721. matchLabels:
  722. additionalProperties:
  723. type: string
  724. description: |-
  725. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  726. map is equivalent to an element of matchExpressions, whose key field is "key", the
  727. operator is "In", and the values array contains only "value". The requirements are ANDed.
  728. type: object
  729. type: object
  730. x-kubernetes-map-type: atomic
  731. namespaceSelectors:
  732. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  733. items:
  734. description: |-
  735. A label selector is a label query over a set of resources. The result of matchLabels and
  736. matchExpressions are ANDed. An empty label selector matches all objects. A null
  737. label selector matches no objects.
  738. properties:
  739. matchExpressions:
  740. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  741. items:
  742. description: |-
  743. A label selector requirement is a selector that contains values, a key, and an operator that
  744. relates the key and values.
  745. properties:
  746. key:
  747. description: key is the label key that the selector applies to.
  748. type: string
  749. operator:
  750. description: |-
  751. operator represents a key's relationship to a set of values.
  752. Valid operators are In, NotIn, Exists and DoesNotExist.
  753. type: string
  754. values:
  755. description: |-
  756. values is an array of string values. If the operator is In or NotIn,
  757. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  758. the values array must be empty. This array is replaced during a strategic
  759. merge patch.
  760. items:
  761. type: string
  762. type: array
  763. x-kubernetes-list-type: atomic
  764. required:
  765. - key
  766. - operator
  767. type: object
  768. type: array
  769. x-kubernetes-list-type: atomic
  770. matchLabels:
  771. additionalProperties:
  772. type: string
  773. description: |-
  774. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  775. map is equivalent to an element of matchExpressions, whose key field is "key", the
  776. operator is "In", and the values array contains only "value". The requirements are ANDed.
  777. type: object
  778. type: object
  779. x-kubernetes-map-type: atomic
  780. type: array
  781. namespaces:
  782. description: |-
  783. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  784. Deprecated: Use NamespaceSelectors instead.
  785. items:
  786. maxLength: 63
  787. minLength: 1
  788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  789. type: string
  790. type: array
  791. refreshTime:
  792. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  793. type: string
  794. required:
  795. - externalSecretSpec
  796. type: object
  797. status:
  798. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  799. properties:
  800. conditions:
  801. items:
  802. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  803. properties:
  804. message:
  805. type: string
  806. status:
  807. type: string
  808. type:
  809. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  810. type: string
  811. required:
  812. - status
  813. - type
  814. type: object
  815. type: array
  816. externalSecretName:
  817. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  818. type: string
  819. failedNamespaces:
  820. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  821. items:
  822. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  823. properties:
  824. namespace:
  825. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  826. type: string
  827. reason:
  828. description: Reason is why the ExternalSecret failed to apply to the namespace
  829. type: string
  830. required:
  831. - namespace
  832. type: object
  833. type: array
  834. provisionedNamespaces:
  835. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  836. items:
  837. type: string
  838. type: array
  839. type: object
  840. type: object
  841. served: true
  842. storage: true
  843. subresources:
  844. status: {}
  845. - additionalPrinterColumns:
  846. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  847. name: Store
  848. type: string
  849. - jsonPath: .spec.refreshTime
  850. name: Refresh Interval
  851. type: string
  852. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  853. name: Ready
  854. type: string
  855. deprecated: true
  856. name: v1beta1
  857. schema:
  858. openAPIV3Schema:
  859. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  860. properties:
  861. apiVersion:
  862. description: |-
  863. APIVersion defines the versioned schema of this representation of an object.
  864. Servers should convert recognized schemas to the latest internal value, and
  865. may reject unrecognized values.
  866. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  867. type: string
  868. kind:
  869. description: |-
  870. Kind is a string value representing the REST resource this object represents.
  871. Servers may infer this from the endpoint the client submits requests to.
  872. Cannot be updated.
  873. In CamelCase.
  874. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  875. type: string
  876. metadata:
  877. type: object
  878. spec:
  879. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  880. properties:
  881. externalSecretMetadata:
  882. description: The metadata of the external secrets to be created
  883. properties:
  884. annotations:
  885. additionalProperties:
  886. type: string
  887. type: object
  888. labels:
  889. additionalProperties:
  890. type: string
  891. type: object
  892. type: object
  893. externalSecretName:
  894. description: |-
  895. The name of the external secrets to be created.
  896. Defaults to the name of the ClusterExternalSecret
  897. maxLength: 253
  898. minLength: 1
  899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  900. type: string
  901. externalSecretSpec:
  902. description: The spec for the ExternalSecrets to be created
  903. properties:
  904. data:
  905. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  906. items:
  907. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  908. properties:
  909. remoteRef:
  910. description: |-
  911. RemoteRef points to the remote secret and defines
  912. which secret (version/property/..) to fetch.
  913. properties:
  914. conversionStrategy:
  915. default: Default
  916. description: Used to define a conversion Strategy
  917. enum:
  918. - Default
  919. - Unicode
  920. type: string
  921. decodingStrategy:
  922. default: None
  923. description: Used to define a decoding Strategy
  924. enum:
  925. - Auto
  926. - Base64
  927. - Base64URL
  928. - None
  929. type: string
  930. key:
  931. description: Key is the key used in the Provider, mandatory
  932. type: string
  933. metadataPolicy:
  934. default: None
  935. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  936. enum:
  937. - None
  938. - Fetch
  939. type: string
  940. property:
  941. description: Used to select a specific property of the Provider value (if a map), if supported
  942. type: string
  943. version:
  944. description: Used to select a specific version of the Provider value, if supported
  945. type: string
  946. required:
  947. - key
  948. type: object
  949. secretKey:
  950. description: The key in the Kubernetes Secret to store the value.
  951. maxLength: 253
  952. minLength: 1
  953. pattern: ^[-._a-zA-Z0-9]+$
  954. type: string
  955. sourceRef:
  956. description: |-
  957. SourceRef allows you to override the source
  958. from which the value will be pulled.
  959. maxProperties: 1
  960. minProperties: 1
  961. properties:
  962. generatorRef:
  963. description: |-
  964. GeneratorRef points to a generator custom resource.
  965. Deprecated: The generatorRef is not implemented in .data[].
  966. This will be removed with v1.
  967. properties:
  968. apiVersion:
  969. default: generators.external-secrets.io/v1alpha1
  970. description: Specify the apiVersion of the generator resource
  971. type: string
  972. kind:
  973. description: Specify the Kind of the generator resource
  974. enum:
  975. - ACRAccessToken
  976. - ClusterGenerator
  977. - ECRAuthorizationToken
  978. - Fake
  979. - GCRAccessToken
  980. - GithubAccessToken
  981. - QuayAccessToken
  982. - Password
  983. - SSHKey
  984. - STSSessionToken
  985. - UUID
  986. - VaultDynamicSecret
  987. - Webhook
  988. - Grafana
  989. type: string
  990. name:
  991. description: Specify the name of the generator resource
  992. maxLength: 253
  993. minLength: 1
  994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  995. type: string
  996. required:
  997. - kind
  998. - name
  999. type: object
  1000. storeRef:
  1001. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1002. properties:
  1003. kind:
  1004. description: |-
  1005. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1006. Defaults to `SecretStore`
  1007. enum:
  1008. - SecretStore
  1009. - ClusterSecretStore
  1010. type: string
  1011. name:
  1012. description: Name of the SecretStore resource
  1013. maxLength: 253
  1014. minLength: 1
  1015. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1016. type: string
  1017. type: object
  1018. type: object
  1019. required:
  1020. - remoteRef
  1021. - secretKey
  1022. type: object
  1023. type: array
  1024. dataFrom:
  1025. description: |-
  1026. DataFrom is used to fetch all properties from a specific Provider data
  1027. If multiple entries are specified, the Secret keys are merged in the specified order
  1028. items:
  1029. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1030. properties:
  1031. extract:
  1032. description: |-
  1033. Used to extract multiple key/value pairs from one secret
  1034. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1035. properties:
  1036. conversionStrategy:
  1037. default: Default
  1038. description: Used to define a conversion Strategy
  1039. enum:
  1040. - Default
  1041. - Unicode
  1042. type: string
  1043. decodingStrategy:
  1044. default: None
  1045. description: Used to define a decoding Strategy
  1046. enum:
  1047. - Auto
  1048. - Base64
  1049. - Base64URL
  1050. - None
  1051. type: string
  1052. key:
  1053. description: Key is the key used in the Provider, mandatory
  1054. type: string
  1055. metadataPolicy:
  1056. default: None
  1057. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1058. enum:
  1059. - None
  1060. - Fetch
  1061. type: string
  1062. property:
  1063. description: Used to select a specific property of the Provider value (if a map), if supported
  1064. type: string
  1065. version:
  1066. description: Used to select a specific version of the Provider value, if supported
  1067. type: string
  1068. required:
  1069. - key
  1070. type: object
  1071. find:
  1072. description: |-
  1073. Used to find secrets based on tags or regular expressions
  1074. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1075. properties:
  1076. conversionStrategy:
  1077. default: Default
  1078. description: Used to define a conversion Strategy
  1079. enum:
  1080. - Default
  1081. - Unicode
  1082. type: string
  1083. decodingStrategy:
  1084. default: None
  1085. description: Used to define a decoding Strategy
  1086. enum:
  1087. - Auto
  1088. - Base64
  1089. - Base64URL
  1090. - None
  1091. type: string
  1092. name:
  1093. description: Finds secrets based on the name.
  1094. properties:
  1095. regexp:
  1096. description: Finds secrets whose name matches this regular expression.
  1097. type: string
  1098. type: object
  1099. path:
  1100. description: A root path to start the find operations.
  1101. type: string
  1102. tags:
  1103. additionalProperties:
  1104. type: string
  1105. description: Find secrets based on tags.
  1106. type: object
  1107. type: object
  1108. rewrite:
  1109. description: |-
  1110. Used to rewrite secret Keys after getting them from the secret Provider
  1111. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1112. items:
  1113. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1114. maxProperties: 1
  1115. minProperties: 1
  1116. properties:
  1117. regexp:
  1118. description: |-
  1119. Used to rewrite with regular expressions.
  1120. The resulting key will be the output of a regexp.ReplaceAll operation.
  1121. properties:
  1122. source:
  1123. description: Used to define the regular expression of a re.Compiler.
  1124. type: string
  1125. target:
  1126. description: Used to define the target pattern of a ReplaceAll operation.
  1127. type: string
  1128. required:
  1129. - source
  1130. - target
  1131. type: object
  1132. transform:
  1133. description: |-
  1134. Used to apply string transformation on the secrets.
  1135. The resulting key will be the output of the template applied by the operation.
  1136. properties:
  1137. template:
  1138. description: |-
  1139. Used to define the template to apply on the secret name.
  1140. `.value` will specify the secret name in the template.
  1141. type: string
  1142. required:
  1143. - template
  1144. type: object
  1145. type: object
  1146. type: array
  1147. sourceRef:
  1148. description: |-
  1149. SourceRef points to a store or generator
  1150. which contains secret values ready to use.
  1151. Use this in combination with Extract or Find to pull values out of
  1152. a specific SecretStore.
  1153. When sourceRef points to a generator Extract or Find is not supported.
  1154. The generator returns a static map of values.
  1155. maxProperties: 1
  1156. minProperties: 1
  1157. properties:
  1158. generatorRef:
  1159. description: GeneratorRef points to a generator custom resource.
  1160. properties:
  1161. apiVersion:
  1162. default: generators.external-secrets.io/v1alpha1
  1163. description: Specify the apiVersion of the generator resource
  1164. type: string
  1165. kind:
  1166. description: Specify the Kind of the generator resource
  1167. enum:
  1168. - ACRAccessToken
  1169. - ClusterGenerator
  1170. - ECRAuthorizationToken
  1171. - Fake
  1172. - GCRAccessToken
  1173. - GithubAccessToken
  1174. - QuayAccessToken
  1175. - Password
  1176. - SSHKey
  1177. - STSSessionToken
  1178. - UUID
  1179. - VaultDynamicSecret
  1180. - Webhook
  1181. - Grafana
  1182. type: string
  1183. name:
  1184. description: Specify the name of the generator resource
  1185. maxLength: 253
  1186. minLength: 1
  1187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1188. type: string
  1189. required:
  1190. - kind
  1191. - name
  1192. type: object
  1193. storeRef:
  1194. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1195. properties:
  1196. kind:
  1197. description: |-
  1198. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1199. Defaults to `SecretStore`
  1200. enum:
  1201. - SecretStore
  1202. - ClusterSecretStore
  1203. type: string
  1204. name:
  1205. description: Name of the SecretStore resource
  1206. maxLength: 253
  1207. minLength: 1
  1208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1209. type: string
  1210. type: object
  1211. type: object
  1212. type: object
  1213. type: array
  1214. refreshInterval:
  1215. default: 1h0m0s
  1216. description: |-
  1217. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1218. specified as Golang Duration strings.
  1219. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1220. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1221. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1222. type: string
  1223. refreshPolicy:
  1224. description: |-
  1225. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1226. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1227. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1228. No periodic updates occur if refreshInterval is 0.
  1229. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1230. enum:
  1231. - CreatedOnce
  1232. - Periodic
  1233. - OnChange
  1234. type: string
  1235. secretStoreRef:
  1236. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1237. properties:
  1238. kind:
  1239. description: |-
  1240. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1241. Defaults to `SecretStore`
  1242. enum:
  1243. - SecretStore
  1244. - ClusterSecretStore
  1245. type: string
  1246. name:
  1247. description: Name of the SecretStore resource
  1248. maxLength: 253
  1249. minLength: 1
  1250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1251. type: string
  1252. type: object
  1253. target:
  1254. default:
  1255. creationPolicy: Owner
  1256. deletionPolicy: Retain
  1257. description: |-
  1258. ExternalSecretTarget defines the Kubernetes Secret to be created
  1259. There can be only one target per ExternalSecret.
  1260. properties:
  1261. creationPolicy:
  1262. default: Owner
  1263. description: |-
  1264. CreationPolicy defines rules on how to create the resulting Secret.
  1265. Defaults to "Owner"
  1266. enum:
  1267. - Owner
  1268. - Orphan
  1269. - Merge
  1270. - None
  1271. type: string
  1272. deletionPolicy:
  1273. default: Retain
  1274. description: |-
  1275. DeletionPolicy defines rules on how to delete the resulting Secret.
  1276. Defaults to "Retain"
  1277. enum:
  1278. - Delete
  1279. - Merge
  1280. - Retain
  1281. type: string
  1282. immutable:
  1283. description: Immutable defines if the final secret will be immutable
  1284. type: boolean
  1285. name:
  1286. description: |-
  1287. The name of the Secret resource to be managed.
  1288. Defaults to the .metadata.name of the ExternalSecret resource
  1289. maxLength: 253
  1290. minLength: 1
  1291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1292. type: string
  1293. template:
  1294. description: Template defines a blueprint for the created Secret resource.
  1295. properties:
  1296. data:
  1297. additionalProperties:
  1298. type: string
  1299. type: object
  1300. engineVersion:
  1301. default: v2
  1302. description: |-
  1303. EngineVersion specifies the template engine version
  1304. that should be used to compile/execute the
  1305. template specified in .data and .templateFrom[].
  1306. enum:
  1307. - v2
  1308. type: string
  1309. mergePolicy:
  1310. default: Replace
  1311. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1312. enum:
  1313. - Replace
  1314. - Merge
  1315. type: string
  1316. metadata:
  1317. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1318. properties:
  1319. annotations:
  1320. additionalProperties:
  1321. type: string
  1322. type: object
  1323. labels:
  1324. additionalProperties:
  1325. type: string
  1326. type: object
  1327. type: object
  1328. templateFrom:
  1329. items:
  1330. description: TemplateFrom defines a source for template data.
  1331. properties:
  1332. configMap:
  1333. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1334. properties:
  1335. items:
  1336. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1337. items:
  1338. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1339. properties:
  1340. key:
  1341. description: A key in the ConfigMap/Secret
  1342. maxLength: 253
  1343. minLength: 1
  1344. pattern: ^[-._a-zA-Z0-9]+$
  1345. type: string
  1346. templateAs:
  1347. default: Values
  1348. description: TemplateScope defines the scope of the template when processing template data.
  1349. enum:
  1350. - Values
  1351. - KeysAndValues
  1352. type: string
  1353. required:
  1354. - key
  1355. type: object
  1356. type: array
  1357. name:
  1358. description: The name of the ConfigMap/Secret resource
  1359. maxLength: 253
  1360. minLength: 1
  1361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1362. type: string
  1363. required:
  1364. - items
  1365. - name
  1366. type: object
  1367. literal:
  1368. type: string
  1369. secret:
  1370. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1371. properties:
  1372. items:
  1373. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1374. items:
  1375. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1376. properties:
  1377. key:
  1378. description: A key in the ConfigMap/Secret
  1379. maxLength: 253
  1380. minLength: 1
  1381. pattern: ^[-._a-zA-Z0-9]+$
  1382. type: string
  1383. templateAs:
  1384. default: Values
  1385. description: TemplateScope defines the scope of the template when processing template data.
  1386. enum:
  1387. - Values
  1388. - KeysAndValues
  1389. type: string
  1390. required:
  1391. - key
  1392. type: object
  1393. type: array
  1394. name:
  1395. description: The name of the ConfigMap/Secret resource
  1396. maxLength: 253
  1397. minLength: 1
  1398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1399. type: string
  1400. required:
  1401. - items
  1402. - name
  1403. type: object
  1404. target:
  1405. default: Data
  1406. description: TemplateTarget defines the target field where the template result will be stored.
  1407. enum:
  1408. - Data
  1409. - Annotations
  1410. - Labels
  1411. type: string
  1412. type: object
  1413. type: array
  1414. type:
  1415. type: string
  1416. type: object
  1417. type: object
  1418. type: object
  1419. namespaceSelector:
  1420. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1421. properties:
  1422. matchExpressions:
  1423. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1424. items:
  1425. description: |-
  1426. A label selector requirement is a selector that contains values, a key, and an operator that
  1427. relates the key and values.
  1428. properties:
  1429. key:
  1430. description: key is the label key that the selector applies to.
  1431. type: string
  1432. operator:
  1433. description: |-
  1434. operator represents a key's relationship to a set of values.
  1435. Valid operators are In, NotIn, Exists and DoesNotExist.
  1436. type: string
  1437. values:
  1438. description: |-
  1439. values is an array of string values. If the operator is In or NotIn,
  1440. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1441. the values array must be empty. This array is replaced during a strategic
  1442. merge patch.
  1443. items:
  1444. type: string
  1445. type: array
  1446. x-kubernetes-list-type: atomic
  1447. required:
  1448. - key
  1449. - operator
  1450. type: object
  1451. type: array
  1452. x-kubernetes-list-type: atomic
  1453. matchLabels:
  1454. additionalProperties:
  1455. type: string
  1456. description: |-
  1457. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1458. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1459. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1460. type: object
  1461. type: object
  1462. x-kubernetes-map-type: atomic
  1463. namespaceSelectors:
  1464. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1465. items:
  1466. description: |-
  1467. A label selector is a label query over a set of resources. The result of matchLabels and
  1468. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1469. label selector matches no objects.
  1470. properties:
  1471. matchExpressions:
  1472. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1473. items:
  1474. description: |-
  1475. A label selector requirement is a selector that contains values, a key, and an operator that
  1476. relates the key and values.
  1477. properties:
  1478. key:
  1479. description: key is the label key that the selector applies to.
  1480. type: string
  1481. operator:
  1482. description: |-
  1483. operator represents a key's relationship to a set of values.
  1484. Valid operators are In, NotIn, Exists and DoesNotExist.
  1485. type: string
  1486. values:
  1487. description: |-
  1488. values is an array of string values. If the operator is In or NotIn,
  1489. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1490. the values array must be empty. This array is replaced during a strategic
  1491. merge patch.
  1492. items:
  1493. type: string
  1494. type: array
  1495. x-kubernetes-list-type: atomic
  1496. required:
  1497. - key
  1498. - operator
  1499. type: object
  1500. type: array
  1501. x-kubernetes-list-type: atomic
  1502. matchLabels:
  1503. additionalProperties:
  1504. type: string
  1505. description: |-
  1506. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1507. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1508. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1509. type: object
  1510. type: object
  1511. x-kubernetes-map-type: atomic
  1512. type: array
  1513. namespaces:
  1514. description: |-
  1515. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1516. Deprecated: Use NamespaceSelectors instead.
  1517. items:
  1518. maxLength: 63
  1519. minLength: 1
  1520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1521. type: string
  1522. type: array
  1523. refreshTime:
  1524. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1525. type: string
  1526. required:
  1527. - externalSecretSpec
  1528. type: object
  1529. status:
  1530. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1531. properties:
  1532. conditions:
  1533. items:
  1534. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1535. properties:
  1536. message:
  1537. type: string
  1538. status:
  1539. type: string
  1540. type:
  1541. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1542. type: string
  1543. required:
  1544. - status
  1545. - type
  1546. type: object
  1547. type: array
  1548. externalSecretName:
  1549. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1550. type: string
  1551. failedNamespaces:
  1552. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1553. items:
  1554. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  1555. properties:
  1556. namespace:
  1557. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1558. type: string
  1559. reason:
  1560. description: Reason is why the ExternalSecret failed to apply to the namespace
  1561. type: string
  1562. required:
  1563. - namespace
  1564. type: object
  1565. type: array
  1566. provisionedNamespaces:
  1567. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1568. items:
  1569. type: string
  1570. type: array
  1571. type: object
  1572. type: object
  1573. served: false
  1574. storage: false
  1575. subresources:
  1576. status: {}
  1577. ---
  1578. apiVersion: apiextensions.k8s.io/v1
  1579. kind: CustomResourceDefinition
  1580. metadata:
  1581. annotations:
  1582. controller-gen.kubebuilder.io/version: v0.19.0
  1583. labels:
  1584. external-secrets.io/component: controller
  1585. name: clusterpushsecrets.external-secrets.io
  1586. spec:
  1587. group: external-secrets.io
  1588. names:
  1589. categories:
  1590. - external-secrets
  1591. kind: ClusterPushSecret
  1592. listKind: ClusterPushSecretList
  1593. plural: clusterpushsecrets
  1594. singular: clusterpushsecret
  1595. scope: Cluster
  1596. versions:
  1597. - additionalPrinterColumns:
  1598. - jsonPath: .metadata.creationTimestamp
  1599. name: AGE
  1600. type: date
  1601. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1602. name: Status
  1603. type: string
  1604. name: v1alpha1
  1605. schema:
  1606. openAPIV3Schema:
  1607. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1608. properties:
  1609. apiVersion:
  1610. description: |-
  1611. APIVersion defines the versioned schema of this representation of an object.
  1612. Servers should convert recognized schemas to the latest internal value, and
  1613. may reject unrecognized values.
  1614. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1615. type: string
  1616. kind:
  1617. description: |-
  1618. Kind is a string value representing the REST resource this object represents.
  1619. Servers may infer this from the endpoint the client submits requests to.
  1620. Cannot be updated.
  1621. In CamelCase.
  1622. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1623. type: string
  1624. metadata:
  1625. type: object
  1626. spec:
  1627. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1628. properties:
  1629. namespaceSelectors:
  1630. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1631. items:
  1632. description: |-
  1633. A label selector is a label query over a set of resources. The result of matchLabels and
  1634. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1635. label selector matches no objects.
  1636. properties:
  1637. matchExpressions:
  1638. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1639. items:
  1640. description: |-
  1641. A label selector requirement is a selector that contains values, a key, and an operator that
  1642. relates the key and values.
  1643. properties:
  1644. key:
  1645. description: key is the label key that the selector applies to.
  1646. type: string
  1647. operator:
  1648. description: |-
  1649. operator represents a key's relationship to a set of values.
  1650. Valid operators are In, NotIn, Exists and DoesNotExist.
  1651. type: string
  1652. values:
  1653. description: |-
  1654. values is an array of string values. If the operator is In or NotIn,
  1655. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1656. the values array must be empty. This array is replaced during a strategic
  1657. merge patch.
  1658. items:
  1659. type: string
  1660. type: array
  1661. x-kubernetes-list-type: atomic
  1662. required:
  1663. - key
  1664. - operator
  1665. type: object
  1666. type: array
  1667. x-kubernetes-list-type: atomic
  1668. matchLabels:
  1669. additionalProperties:
  1670. type: string
  1671. description: |-
  1672. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1673. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1674. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1675. type: object
  1676. type: object
  1677. x-kubernetes-map-type: atomic
  1678. type: array
  1679. pushSecretMetadata:
  1680. description: The metadata of the external secrets to be created
  1681. properties:
  1682. annotations:
  1683. additionalProperties:
  1684. type: string
  1685. type: object
  1686. labels:
  1687. additionalProperties:
  1688. type: string
  1689. type: object
  1690. type: object
  1691. pushSecretName:
  1692. description: |-
  1693. The name of the push secrets to be created.
  1694. Defaults to the name of the ClusterPushSecret
  1695. maxLength: 253
  1696. minLength: 1
  1697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1698. type: string
  1699. pushSecretSpec:
  1700. description: PushSecretSpec defines what to do with the secrets.
  1701. properties:
  1702. data:
  1703. description: Secret Data that should be pushed to providers
  1704. items:
  1705. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1706. properties:
  1707. conversionStrategy:
  1708. default: None
  1709. description: Used to define a conversion Strategy for the secret keys
  1710. enum:
  1711. - None
  1712. - ReverseUnicode
  1713. type: string
  1714. match:
  1715. description: Match a given Secret Key to be pushed to the provider.
  1716. properties:
  1717. remoteRef:
  1718. description: Remote Refs to push to providers.
  1719. properties:
  1720. property:
  1721. description: Name of the property in the resulting secret
  1722. type: string
  1723. remoteKey:
  1724. description: Name of the resulting provider secret.
  1725. type: string
  1726. required:
  1727. - remoteKey
  1728. type: object
  1729. secretKey:
  1730. description: Secret Key to be pushed
  1731. type: string
  1732. required:
  1733. - remoteRef
  1734. type: object
  1735. metadata:
  1736. description: |-
  1737. Metadata is metadata attached to the secret.
  1738. The structure of metadata is provider specific, please look it up in the provider documentation.
  1739. x-kubernetes-preserve-unknown-fields: true
  1740. required:
  1741. - match
  1742. type: object
  1743. type: array
  1744. dataTo:
  1745. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1746. items:
  1747. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1748. properties:
  1749. conversionStrategy:
  1750. default: None
  1751. description: Used to define a conversion Strategy for the secret keys
  1752. enum:
  1753. - None
  1754. - ReverseUnicode
  1755. type: string
  1756. match:
  1757. description: |-
  1758. Match pattern for selecting keys from the source Secret.
  1759. If not specified, all keys are selected.
  1760. properties:
  1761. regexp:
  1762. description: |-
  1763. Regexp matches keys by regular expression.
  1764. If not specified, all keys are matched.
  1765. type: string
  1766. type: object
  1767. metadata:
  1768. description: |-
  1769. Metadata is metadata attached to the secret.
  1770. The structure of metadata is provider specific, please look it up in the provider documentation.
  1771. x-kubernetes-preserve-unknown-fields: true
  1772. remoteKey:
  1773. description: |-
  1774. RemoteKey is the name of the single provider secret that will receive ALL
  1775. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1776. When set, per-key expansion is skipped and a single push is performed.
  1777. The provider's store prefix (if any) is still prepended to this value.
  1778. When not set, each matched key is pushed as its own individual provider secret.
  1779. type: string
  1780. rewrite:
  1781. description: |-
  1782. Rewrite operations to transform keys before pushing to the provider.
  1783. Operations are applied sequentially.
  1784. items:
  1785. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1786. properties:
  1787. regexp:
  1788. description: Used to rewrite with regular expressions.
  1789. properties:
  1790. source:
  1791. description: Used to define the regular expression of a re.Compiler.
  1792. type: string
  1793. target:
  1794. description: Used to define the target pattern of a ReplaceAll operation.
  1795. type: string
  1796. required:
  1797. - source
  1798. - target
  1799. type: object
  1800. transform:
  1801. description: Used to apply string transformation on the secrets.
  1802. properties:
  1803. template:
  1804. description: |-
  1805. Used to define the template to apply on the secret name.
  1806. `.value` will specify the secret name in the template.
  1807. type: string
  1808. required:
  1809. - template
  1810. type: object
  1811. type: object
  1812. x-kubernetes-validations:
  1813. - message: exactly one of regexp or transform must be set
  1814. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1815. type: array
  1816. storeRef:
  1817. description: StoreRef specifies which SecretStore to push to. Required.
  1818. properties:
  1819. kind:
  1820. default: SecretStore
  1821. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1822. enum:
  1823. - SecretStore
  1824. - ClusterSecretStore
  1825. type: string
  1826. labelSelector:
  1827. description: Optionally, sync to secret stores with label selector
  1828. properties:
  1829. matchExpressions:
  1830. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1831. items:
  1832. description: |-
  1833. A label selector requirement is a selector that contains values, a key, and an operator that
  1834. relates the key and values.
  1835. properties:
  1836. key:
  1837. description: key is the label key that the selector applies to.
  1838. type: string
  1839. operator:
  1840. description: |-
  1841. operator represents a key's relationship to a set of values.
  1842. Valid operators are In, NotIn, Exists and DoesNotExist.
  1843. type: string
  1844. values:
  1845. description: |-
  1846. values is an array of string values. If the operator is In or NotIn,
  1847. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1848. the values array must be empty. This array is replaced during a strategic
  1849. merge patch.
  1850. items:
  1851. type: string
  1852. type: array
  1853. x-kubernetes-list-type: atomic
  1854. required:
  1855. - key
  1856. - operator
  1857. type: object
  1858. type: array
  1859. x-kubernetes-list-type: atomic
  1860. matchLabels:
  1861. additionalProperties:
  1862. type: string
  1863. description: |-
  1864. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1865. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1866. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1867. type: object
  1868. type: object
  1869. x-kubernetes-map-type: atomic
  1870. name:
  1871. description: Optionally, sync to the SecretStore of the given name
  1872. maxLength: 253
  1873. minLength: 1
  1874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1875. type: string
  1876. type: object
  1877. type: object
  1878. x-kubernetes-validations:
  1879. - message: storeRef must specify either name or labelSelector
  1880. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1881. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1882. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1883. type: array
  1884. deletionPolicy:
  1885. default: None
  1886. description: Deletion Policy to handle Secrets in the provider.
  1887. enum:
  1888. - Delete
  1889. - None
  1890. type: string
  1891. refreshInterval:
  1892. default: 1h0m0s
  1893. description: The interval at which External Secrets will try to push a secret definition
  1894. type: string
  1895. secretStoreRefs:
  1896. items:
  1897. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1898. properties:
  1899. kind:
  1900. default: SecretStore
  1901. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1902. enum:
  1903. - SecretStore
  1904. - ClusterSecretStore
  1905. type: string
  1906. labelSelector:
  1907. description: Optionally, sync to secret stores with label selector
  1908. properties:
  1909. matchExpressions:
  1910. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1911. items:
  1912. description: |-
  1913. A label selector requirement is a selector that contains values, a key, and an operator that
  1914. relates the key and values.
  1915. properties:
  1916. key:
  1917. description: key is the label key that the selector applies to.
  1918. type: string
  1919. operator:
  1920. description: |-
  1921. operator represents a key's relationship to a set of values.
  1922. Valid operators are In, NotIn, Exists and DoesNotExist.
  1923. type: string
  1924. values:
  1925. description: |-
  1926. values is an array of string values. If the operator is In or NotIn,
  1927. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1928. the values array must be empty. This array is replaced during a strategic
  1929. merge patch.
  1930. items:
  1931. type: string
  1932. type: array
  1933. x-kubernetes-list-type: atomic
  1934. required:
  1935. - key
  1936. - operator
  1937. type: object
  1938. type: array
  1939. x-kubernetes-list-type: atomic
  1940. matchLabels:
  1941. additionalProperties:
  1942. type: string
  1943. description: |-
  1944. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1945. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1946. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1947. type: object
  1948. type: object
  1949. x-kubernetes-map-type: atomic
  1950. name:
  1951. description: Optionally, sync to the SecretStore of the given name
  1952. maxLength: 253
  1953. minLength: 1
  1954. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1955. type: string
  1956. type: object
  1957. type: array
  1958. selector:
  1959. description: The Secret Selector (k8s source) for the Push Secret
  1960. maxProperties: 1
  1961. minProperties: 1
  1962. properties:
  1963. generatorRef:
  1964. description: Point to a generator to create a Secret.
  1965. properties:
  1966. apiVersion:
  1967. default: generators.external-secrets.io/v1alpha1
  1968. description: Specify the apiVersion of the generator resource
  1969. type: string
  1970. kind:
  1971. description: Specify the Kind of the generator resource
  1972. enum:
  1973. - ACRAccessToken
  1974. - ClusterGenerator
  1975. - CloudsmithAccessToken
  1976. - ECRAuthorizationToken
  1977. - Fake
  1978. - GCRAccessToken
  1979. - GithubAccessToken
  1980. - QuayAccessToken
  1981. - Password
  1982. - SSHKey
  1983. - STSSessionToken
  1984. - UUID
  1985. - VaultDynamicSecret
  1986. - Webhook
  1987. - Grafana
  1988. - MFA
  1989. type: string
  1990. name:
  1991. description: Specify the name of the generator resource
  1992. maxLength: 253
  1993. minLength: 1
  1994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1995. type: string
  1996. required:
  1997. - kind
  1998. - name
  1999. type: object
  2000. secret:
  2001. description: Select a Secret to Push.
  2002. properties:
  2003. name:
  2004. description: |-
  2005. Name of the Secret.
  2006. The Secret must exist in the same namespace as the PushSecret manifest.
  2007. maxLength: 253
  2008. minLength: 1
  2009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2010. type: string
  2011. selector:
  2012. description: Selector chooses secrets using a labelSelector.
  2013. properties:
  2014. matchExpressions:
  2015. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2016. items:
  2017. description: |-
  2018. A label selector requirement is a selector that contains values, a key, and an operator that
  2019. relates the key and values.
  2020. properties:
  2021. key:
  2022. description: key is the label key that the selector applies to.
  2023. type: string
  2024. operator:
  2025. description: |-
  2026. operator represents a key's relationship to a set of values.
  2027. Valid operators are In, NotIn, Exists and DoesNotExist.
  2028. type: string
  2029. values:
  2030. description: |-
  2031. values is an array of string values. If the operator is In or NotIn,
  2032. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2033. the values array must be empty. This array is replaced during a strategic
  2034. merge patch.
  2035. items:
  2036. type: string
  2037. type: array
  2038. x-kubernetes-list-type: atomic
  2039. required:
  2040. - key
  2041. - operator
  2042. type: object
  2043. type: array
  2044. x-kubernetes-list-type: atomic
  2045. matchLabels:
  2046. additionalProperties:
  2047. type: string
  2048. description: |-
  2049. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2050. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2051. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2052. type: object
  2053. type: object
  2054. x-kubernetes-map-type: atomic
  2055. type: object
  2056. type: object
  2057. template:
  2058. description: Template defines a blueprint for the created Secret resource.
  2059. properties:
  2060. data:
  2061. additionalProperties:
  2062. type: string
  2063. type: object
  2064. engineVersion:
  2065. default: v2
  2066. description: |-
  2067. EngineVersion specifies the template engine version
  2068. that should be used to compile/execute the
  2069. template specified in .data and .templateFrom[].
  2070. enum:
  2071. - v2
  2072. type: string
  2073. mergePolicy:
  2074. default: Replace
  2075. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2076. enum:
  2077. - Replace
  2078. - Merge
  2079. type: string
  2080. metadata:
  2081. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2082. properties:
  2083. annotations:
  2084. additionalProperties:
  2085. type: string
  2086. type: object
  2087. finalizers:
  2088. items:
  2089. type: string
  2090. type: array
  2091. labels:
  2092. additionalProperties:
  2093. type: string
  2094. type: object
  2095. type: object
  2096. templateFrom:
  2097. items:
  2098. description: |-
  2099. TemplateFrom specifies a source for templates.
  2100. Each item in the list can either reference a ConfigMap or a Secret resource.
  2101. properties:
  2102. configMap:
  2103. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2104. properties:
  2105. items:
  2106. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2107. items:
  2108. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2109. properties:
  2110. key:
  2111. description: A key in the ConfigMap/Secret
  2112. maxLength: 253
  2113. minLength: 1
  2114. pattern: ^[-._a-zA-Z0-9]+$
  2115. type: string
  2116. templateAs:
  2117. default: Values
  2118. description: TemplateScope specifies how the template keys should be interpreted.
  2119. enum:
  2120. - Values
  2121. - KeysAndValues
  2122. type: string
  2123. required:
  2124. - key
  2125. type: object
  2126. type: array
  2127. name:
  2128. description: The name of the ConfigMap/Secret resource
  2129. maxLength: 253
  2130. minLength: 1
  2131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2132. type: string
  2133. required:
  2134. - items
  2135. - name
  2136. type: object
  2137. literal:
  2138. type: string
  2139. secret:
  2140. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2141. properties:
  2142. items:
  2143. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2144. items:
  2145. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2146. properties:
  2147. key:
  2148. description: A key in the ConfigMap/Secret
  2149. maxLength: 253
  2150. minLength: 1
  2151. pattern: ^[-._a-zA-Z0-9]+$
  2152. type: string
  2153. templateAs:
  2154. default: Values
  2155. description: TemplateScope specifies how the template keys should be interpreted.
  2156. enum:
  2157. - Values
  2158. - KeysAndValues
  2159. type: string
  2160. required:
  2161. - key
  2162. type: object
  2163. type: array
  2164. name:
  2165. description: The name of the ConfigMap/Secret resource
  2166. maxLength: 253
  2167. minLength: 1
  2168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2169. type: string
  2170. required:
  2171. - items
  2172. - name
  2173. type: object
  2174. target:
  2175. default: Data
  2176. description: |-
  2177. Target specifies where to place the template result.
  2178. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2179. For custom resources (when spec.target.manifest is set), this supports
  2180. nested paths like "spec.database.config" or "data".
  2181. type: string
  2182. type: object
  2183. type: array
  2184. type:
  2185. type: string
  2186. type: object
  2187. updatePolicy:
  2188. default: Replace
  2189. description: UpdatePolicy to handle Secrets in the provider.
  2190. enum:
  2191. - Replace
  2192. - IfNotExists
  2193. type: string
  2194. required:
  2195. - secretStoreRefs
  2196. - selector
  2197. type: object
  2198. refreshTime:
  2199. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2200. type: string
  2201. required:
  2202. - pushSecretSpec
  2203. type: object
  2204. status:
  2205. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2206. properties:
  2207. conditions:
  2208. items:
  2209. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2210. properties:
  2211. lastTransitionTime:
  2212. format: date-time
  2213. type: string
  2214. message:
  2215. type: string
  2216. reason:
  2217. type: string
  2218. status:
  2219. type: string
  2220. type:
  2221. description: PushSecretConditionType indicates the condition of the PushSecret.
  2222. type: string
  2223. required:
  2224. - status
  2225. - type
  2226. type: object
  2227. type: array
  2228. failedNamespaces:
  2229. description: Failed namespaces are the namespaces that failed to apply a PushSecret
  2230. items:
  2231. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and its reason.
  2232. properties:
  2233. namespace:
  2234. description: Namespace is the namespace that failed when trying to apply a PushSecret
  2235. type: string
  2236. reason:
  2237. description: Reason is why the PushSecret failed to apply to the namespace
  2238. type: string
  2239. required:
  2240. - namespace
  2241. type: object
  2242. type: array
  2243. provisionedNamespaces:
  2244. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2245. items:
  2246. type: string
  2247. type: array
  2248. pushSecretName:
  2249. type: string
  2250. type: object
  2251. type: object
  2252. served: true
  2253. storage: true
  2254. subresources:
  2255. status: {}
  2256. ---
  2257. apiVersion: apiextensions.k8s.io/v1
  2258. kind: CustomResourceDefinition
  2259. metadata:
  2260. annotations:
  2261. controller-gen.kubebuilder.io/version: v0.19.0
  2262. labels:
  2263. external-secrets.io/component: controller
  2264. name: clustersecretstores.external-secrets.io
  2265. spec:
  2266. group: external-secrets.io
  2267. names:
  2268. categories:
  2269. - external-secrets
  2270. kind: ClusterSecretStore
  2271. listKind: ClusterSecretStoreList
  2272. plural: clustersecretstores
  2273. shortNames:
  2274. - css
  2275. singular: clustersecretstore
  2276. scope: Cluster
  2277. versions:
  2278. - additionalPrinterColumns:
  2279. - jsonPath: .metadata.creationTimestamp
  2280. name: AGE
  2281. type: date
  2282. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2283. name: Status
  2284. type: string
  2285. - jsonPath: .status.capabilities
  2286. name: Capabilities
  2287. type: string
  2288. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2289. name: Ready
  2290. type: string
  2291. name: v1
  2292. schema:
  2293. openAPIV3Schema:
  2294. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2295. properties:
  2296. apiVersion:
  2297. description: |-
  2298. APIVersion defines the versioned schema of this representation of an object.
  2299. Servers should convert recognized schemas to the latest internal value, and
  2300. may reject unrecognized values.
  2301. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2302. type: string
  2303. kind:
  2304. description: |-
  2305. Kind is a string value representing the REST resource this object represents.
  2306. Servers may infer this from the endpoint the client submits requests to.
  2307. Cannot be updated.
  2308. In CamelCase.
  2309. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2310. type: string
  2311. metadata:
  2312. type: object
  2313. spec:
  2314. description: SecretStoreSpec defines the desired state of SecretStore.
  2315. properties:
  2316. conditions:
  2317. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2318. items:
  2319. description: |-
  2320. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2321. for a ClusterSecretStore instance.
  2322. properties:
  2323. namespaceRegexes:
  2324. description: Choose namespaces by using regex matching
  2325. items:
  2326. type: string
  2327. type: array
  2328. namespaceSelector:
  2329. description: Choose namespace using a labelSelector
  2330. properties:
  2331. matchExpressions:
  2332. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2333. items:
  2334. description: |-
  2335. A label selector requirement is a selector that contains values, a key, and an operator that
  2336. relates the key and values.
  2337. properties:
  2338. key:
  2339. description: key is the label key that the selector applies to.
  2340. type: string
  2341. operator:
  2342. description: |-
  2343. operator represents a key's relationship to a set of values.
  2344. Valid operators are In, NotIn, Exists and DoesNotExist.
  2345. type: string
  2346. values:
  2347. description: |-
  2348. values is an array of string values. If the operator is In or NotIn,
  2349. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2350. the values array must be empty. This array is replaced during a strategic
  2351. merge patch.
  2352. items:
  2353. type: string
  2354. type: array
  2355. x-kubernetes-list-type: atomic
  2356. required:
  2357. - key
  2358. - operator
  2359. type: object
  2360. type: array
  2361. x-kubernetes-list-type: atomic
  2362. matchLabels:
  2363. additionalProperties:
  2364. type: string
  2365. description: |-
  2366. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2367. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2368. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2369. type: object
  2370. type: object
  2371. x-kubernetes-map-type: atomic
  2372. namespaces:
  2373. description: Choose namespaces by name
  2374. items:
  2375. maxLength: 63
  2376. minLength: 1
  2377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2378. type: string
  2379. type: array
  2380. type: object
  2381. type: array
  2382. controller:
  2383. description: |-
  2384. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2385. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2386. type: string
  2387. provider:
  2388. description: Used to configure the provider. Only one provider may be set
  2389. maxProperties: 1
  2390. minProperties: 1
  2391. properties:
  2392. akeyless:
  2393. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2394. properties:
  2395. akeylessGWApiURL:
  2396. description: Akeyless GW API URL from which the secrets are to be fetched.
  2397. type: string
  2398. authSecretRef:
  2399. description: Auth configures how the operator authenticates with Akeyless.
  2400. properties:
  2401. kubernetesAuth:
  2402. description: |-
  2403. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2404. token stored in the named Secret resource.
  2405. properties:
  2406. accessID:
  2407. description: the Akeyless Kubernetes auth-method access-id
  2408. type: string
  2409. k8sConfName:
  2410. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2411. type: string
  2412. secretRef:
  2413. description: |-
  2414. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2415. for authenticating with Akeyless. If a name is specified without a key,
  2416. `token` is the default. If one is not specified, the one bound to
  2417. the controller will be used.
  2418. properties:
  2419. key:
  2420. description: |-
  2421. A key in the referenced Secret.
  2422. Some instances of this field may be defaulted, in others it may be required.
  2423. maxLength: 253
  2424. minLength: 1
  2425. pattern: ^[-._a-zA-Z0-9]+$
  2426. type: string
  2427. name:
  2428. description: The name of the Secret resource being referred to.
  2429. maxLength: 253
  2430. minLength: 1
  2431. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2432. type: string
  2433. namespace:
  2434. description: |-
  2435. The namespace of the Secret resource being referred to.
  2436. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2437. maxLength: 63
  2438. minLength: 1
  2439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2440. type: string
  2441. type: object
  2442. serviceAccountRef:
  2443. description: |-
  2444. Optional service account field containing the name of a kubernetes ServiceAccount.
  2445. If the service account is specified, the service account secret token JWT will be used
  2446. for authenticating with Akeyless. If the service account selector is not supplied,
  2447. the secretRef will be used instead.
  2448. properties:
  2449. audiences:
  2450. description: |-
  2451. Audience specifies the `aud` claim for the service account token
  2452. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2453. then these audiences will be appended to the list
  2454. items:
  2455. type: string
  2456. type: array
  2457. name:
  2458. description: The name of the ServiceAccount resource being referred to.
  2459. maxLength: 253
  2460. minLength: 1
  2461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2462. type: string
  2463. namespace:
  2464. description: |-
  2465. Namespace of the resource being referred to.
  2466. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2467. maxLength: 63
  2468. minLength: 1
  2469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2470. type: string
  2471. required:
  2472. - name
  2473. type: object
  2474. required:
  2475. - accessID
  2476. - k8sConfName
  2477. type: object
  2478. secretRef:
  2479. description: |-
  2480. Reference to a Secret that contains the details
  2481. to authenticate with Akeyless.
  2482. properties:
  2483. accessID:
  2484. description: The SecretAccessID is used for authentication
  2485. properties:
  2486. key:
  2487. description: |-
  2488. A key in the referenced Secret.
  2489. Some instances of this field may be defaulted, in others it may be required.
  2490. maxLength: 253
  2491. minLength: 1
  2492. pattern: ^[-._a-zA-Z0-9]+$
  2493. type: string
  2494. name:
  2495. description: The name of the Secret resource being referred to.
  2496. maxLength: 253
  2497. minLength: 1
  2498. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2499. type: string
  2500. namespace:
  2501. description: |-
  2502. The namespace of the Secret resource being referred to.
  2503. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2504. maxLength: 63
  2505. minLength: 1
  2506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2507. type: string
  2508. type: object
  2509. accessType:
  2510. description: |-
  2511. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2512. In some instances, `key` is a required field.
  2513. properties:
  2514. key:
  2515. description: |-
  2516. A key in the referenced Secret.
  2517. Some instances of this field may be defaulted, in others it may be required.
  2518. maxLength: 253
  2519. minLength: 1
  2520. pattern: ^[-._a-zA-Z0-9]+$
  2521. type: string
  2522. name:
  2523. description: The name of the Secret resource being referred to.
  2524. maxLength: 253
  2525. minLength: 1
  2526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2527. type: string
  2528. namespace:
  2529. description: |-
  2530. The namespace of the Secret resource being referred to.
  2531. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2532. maxLength: 63
  2533. minLength: 1
  2534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2535. type: string
  2536. type: object
  2537. accessTypeParam:
  2538. description: |-
  2539. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2540. In some instances, `key` is a required field.
  2541. properties:
  2542. key:
  2543. description: |-
  2544. A key in the referenced Secret.
  2545. Some instances of this field may be defaulted, in others it may be required.
  2546. maxLength: 253
  2547. minLength: 1
  2548. pattern: ^[-._a-zA-Z0-9]+$
  2549. type: string
  2550. name:
  2551. description: The name of the Secret resource being referred to.
  2552. maxLength: 253
  2553. minLength: 1
  2554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2555. type: string
  2556. namespace:
  2557. description: |-
  2558. The namespace of the Secret resource being referred to.
  2559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2560. maxLength: 63
  2561. minLength: 1
  2562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2563. type: string
  2564. type: object
  2565. type: object
  2566. type: object
  2567. caBundle:
  2568. description: |-
  2569. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2570. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  2571. are used to validate the TLS connection.
  2572. format: byte
  2573. type: string
  2574. caProvider:
  2575. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2576. properties:
  2577. key:
  2578. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2579. maxLength: 253
  2580. minLength: 1
  2581. pattern: ^[-._a-zA-Z0-9]+$
  2582. type: string
  2583. name:
  2584. description: The name of the object located at the provider type.
  2585. maxLength: 253
  2586. minLength: 1
  2587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2588. type: string
  2589. namespace:
  2590. description: |-
  2591. The namespace the Provider type is in.
  2592. Can only be defined when used in a ClusterSecretStore.
  2593. maxLength: 63
  2594. minLength: 1
  2595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2596. type: string
  2597. type:
  2598. description: The type of provider to use such as "Secret", or "ConfigMap".
  2599. enum:
  2600. - Secret
  2601. - ConfigMap
  2602. type: string
  2603. required:
  2604. - name
  2605. - type
  2606. type: object
  2607. required:
  2608. - akeylessGWApiURL
  2609. - authSecretRef
  2610. type: object
  2611. aws:
  2612. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2613. properties:
  2614. additionalRoles:
  2615. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2616. items:
  2617. type: string
  2618. type: array
  2619. auth:
  2620. description: |-
  2621. Auth defines the information necessary to authenticate against AWS
  2622. if not set, the AWS SDK will infer credentials from your environment
  2623. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2624. properties:
  2625. jwt:
  2626. description: AWSJWTAuth stores a reference used to authenticate against AWS using service account tokens.
  2627. properties:
  2628. serviceAccountRef:
  2629. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2630. properties:
  2631. audiences:
  2632. description: |-
  2633. Audience specifies the `aud` claim for the service account token
  2634. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2635. then these audiences will be appended to the list
  2636. items:
  2637. type: string
  2638. type: array
  2639. name:
  2640. description: The name of the ServiceAccount resource being referred to.
  2641. maxLength: 253
  2642. minLength: 1
  2643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2644. type: string
  2645. namespace:
  2646. description: |-
  2647. Namespace of the resource being referred to.
  2648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2649. maxLength: 63
  2650. minLength: 1
  2651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2652. type: string
  2653. required:
  2654. - name
  2655. type: object
  2656. type: object
  2657. secretRef:
  2658. description: |-
  2659. AWSAuthSecretRef holds secret references for AWS credentials
  2660. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2661. properties:
  2662. accessKeyIDSecretRef:
  2663. description: The AccessKeyID is used for authentication
  2664. properties:
  2665. key:
  2666. description: |-
  2667. A key in the referenced Secret.
  2668. Some instances of this field may be defaulted, in others it may be required.
  2669. maxLength: 253
  2670. minLength: 1
  2671. pattern: ^[-._a-zA-Z0-9]+$
  2672. type: string
  2673. name:
  2674. description: The name of the Secret resource being referred to.
  2675. maxLength: 253
  2676. minLength: 1
  2677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2678. type: string
  2679. namespace:
  2680. description: |-
  2681. The namespace of the Secret resource being referred to.
  2682. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2683. maxLength: 63
  2684. minLength: 1
  2685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2686. type: string
  2687. type: object
  2688. secretAccessKeySecretRef:
  2689. description: The SecretAccessKey is used for authentication
  2690. properties:
  2691. key:
  2692. description: |-
  2693. A key in the referenced Secret.
  2694. Some instances of this field may be defaulted, in others it may be required.
  2695. maxLength: 253
  2696. minLength: 1
  2697. pattern: ^[-._a-zA-Z0-9]+$
  2698. type: string
  2699. name:
  2700. description: The name of the Secret resource being referred to.
  2701. maxLength: 253
  2702. minLength: 1
  2703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2704. type: string
  2705. namespace:
  2706. description: |-
  2707. The namespace of the Secret resource being referred to.
  2708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2709. maxLength: 63
  2710. minLength: 1
  2711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2712. type: string
  2713. type: object
  2714. sessionTokenSecretRef:
  2715. description: |-
  2716. The SessionToken used for authentication
  2717. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2718. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2719. properties:
  2720. key:
  2721. description: |-
  2722. A key in the referenced Secret.
  2723. Some instances of this field may be defaulted, in others it may be required.
  2724. maxLength: 253
  2725. minLength: 1
  2726. pattern: ^[-._a-zA-Z0-9]+$
  2727. type: string
  2728. name:
  2729. description: The name of the Secret resource being referred to.
  2730. maxLength: 253
  2731. minLength: 1
  2732. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2733. type: string
  2734. namespace:
  2735. description: |-
  2736. The namespace of the Secret resource being referred to.
  2737. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2738. maxLength: 63
  2739. minLength: 1
  2740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2741. type: string
  2742. type: object
  2743. type: object
  2744. type: object
  2745. customSessionTags:
  2746. additionalProperties:
  2747. type: string
  2748. description: |-
  2749. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2750. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2751. type: object
  2752. x-kubernetes-validations:
  2753. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2754. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2755. externalID:
  2756. description: AWS External ID set on assumed IAM roles
  2757. type: string
  2758. prefix:
  2759. description: Prefix adds a prefix to all retrieved values.
  2760. type: string
  2761. region:
  2762. description: AWS Region to be used for the provider
  2763. type: string
  2764. role:
  2765. description: Role is a Role ARN which the provider will assume
  2766. type: string
  2767. secretsManager:
  2768. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2769. properties:
  2770. forceDeleteWithoutRecovery:
  2771. description: |-
  2772. Specifies whether to delete the secret without any recovery window. You
  2773. can't use both this parameter and RecoveryWindowInDays in the same call.
  2774. If you don't use either, then by default Secrets Manager uses a 30 day
  2775. recovery window.
  2776. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2777. type: boolean
  2778. recoveryWindowInDays:
  2779. description: |-
  2780. The number of days from 7 to 30 that Secrets Manager waits before
  2781. permanently deleting the secret. You can't use both this parameter and
  2782. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2783. then by default Secrets Manager uses a 30-day recovery window.
  2784. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2785. format: int64
  2786. type: integer
  2787. type: object
  2788. service:
  2789. description: Service defines which service should be used to fetch the secrets
  2790. enum:
  2791. - SecretsManager
  2792. - ParameterStore
  2793. type: string
  2794. sessionTags:
  2795. description: AWS STS assume role session tags
  2796. items:
  2797. description: |-
  2798. Tag is a key-value pair that can be attached to an AWS resource.
  2799. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2800. properties:
  2801. key:
  2802. type: string
  2803. value:
  2804. type: string
  2805. required:
  2806. - key
  2807. - value
  2808. type: object
  2809. type: array
  2810. sessionTagsPolicy:
  2811. default: None
  2812. description: |-
  2813. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2814. None (default): no tags are added.
  2815. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2816. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2817. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2818. enum:
  2819. - None
  2820. - Simple
  2821. - Custom
  2822. type: string
  2823. transitiveTagKeys:
  2824. description: AWS STS assume role transitive session tags. Required when multiple roles are used with the provider
  2825. items:
  2826. type: string
  2827. type: array
  2828. required:
  2829. - region
  2830. - service
  2831. type: object
  2832. azurekv:
  2833. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2834. properties:
  2835. authSecretRef:
  2836. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2837. properties:
  2838. clientCertificate:
  2839. description: The Azure ClientCertificate of the service principal used for authentication.
  2840. properties:
  2841. key:
  2842. description: |-
  2843. A key in the referenced Secret.
  2844. Some instances of this field may be defaulted, in others it may be required.
  2845. maxLength: 253
  2846. minLength: 1
  2847. pattern: ^[-._a-zA-Z0-9]+$
  2848. type: string
  2849. name:
  2850. description: The name of the Secret resource being referred to.
  2851. maxLength: 253
  2852. minLength: 1
  2853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2854. type: string
  2855. namespace:
  2856. description: |-
  2857. The namespace of the Secret resource being referred to.
  2858. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2859. maxLength: 63
  2860. minLength: 1
  2861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2862. type: string
  2863. type: object
  2864. clientId:
  2865. description: The Azure clientId of the service principal or managed identity used for authentication.
  2866. properties:
  2867. key:
  2868. description: |-
  2869. A key in the referenced Secret.
  2870. Some instances of this field may be defaulted, in others it may be required.
  2871. maxLength: 253
  2872. minLength: 1
  2873. pattern: ^[-._a-zA-Z0-9]+$
  2874. type: string
  2875. name:
  2876. description: The name of the Secret resource being referred to.
  2877. maxLength: 253
  2878. minLength: 1
  2879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2880. type: string
  2881. namespace:
  2882. description: |-
  2883. The namespace of the Secret resource being referred to.
  2884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2885. maxLength: 63
  2886. minLength: 1
  2887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2888. type: string
  2889. type: object
  2890. clientSecret:
  2891. description: The Azure ClientSecret of the service principal used for authentication.
  2892. properties:
  2893. key:
  2894. description: |-
  2895. A key in the referenced Secret.
  2896. Some instances of this field may be defaulted, in others it may be required.
  2897. maxLength: 253
  2898. minLength: 1
  2899. pattern: ^[-._a-zA-Z0-9]+$
  2900. type: string
  2901. name:
  2902. description: The name of the Secret resource being referred to.
  2903. maxLength: 253
  2904. minLength: 1
  2905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2906. type: string
  2907. namespace:
  2908. description: |-
  2909. The namespace of the Secret resource being referred to.
  2910. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2911. maxLength: 63
  2912. minLength: 1
  2913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2914. type: string
  2915. type: object
  2916. tenantId:
  2917. description: The Azure tenantId of the managed identity used for authentication.
  2918. properties:
  2919. key:
  2920. description: |-
  2921. A key in the referenced Secret.
  2922. Some instances of this field may be defaulted, in others it may be required.
  2923. maxLength: 253
  2924. minLength: 1
  2925. pattern: ^[-._a-zA-Z0-9]+$
  2926. type: string
  2927. name:
  2928. description: The name of the Secret resource being referred to.
  2929. maxLength: 253
  2930. minLength: 1
  2931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2932. type: string
  2933. namespace:
  2934. description: |-
  2935. The namespace of the Secret resource being referred to.
  2936. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2937. maxLength: 63
  2938. minLength: 1
  2939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2940. type: string
  2941. type: object
  2942. type: object
  2943. authType:
  2944. default: ServicePrincipal
  2945. description: |-
  2946. Auth type defines how to authenticate to the keyvault service.
  2947. Valid values are:
  2948. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2949. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2950. enum:
  2951. - ServicePrincipal
  2952. - ManagedIdentity
  2953. - WorkloadIdentity
  2954. type: string
  2955. customCloudConfig:
  2956. description: |-
  2957. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  2958. Required when EnvironmentType is AzureStackCloud.
  2959. Optional for other environment types - useful for Azure China when using Workload Identity
  2960. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  2961. standard China Cloud endpoint (login.chinacloudapi.cn).
  2962. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  2963. configuration is not supported with the legacy go-autorest SDK.
  2964. properties:
  2965. activeDirectoryEndpoint:
  2966. description: |-
  2967. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  2968. Required when using custom cloud configuration
  2969. type: string
  2970. keyVaultDNSSuffix:
  2971. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  2972. type: string
  2973. keyVaultEndpoint:
  2974. description: KeyVaultEndpoint is the Key Vault service endpoint
  2975. type: string
  2976. resourceManagerEndpoint:
  2977. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  2978. type: string
  2979. required:
  2980. - activeDirectoryEndpoint
  2981. type: object
  2982. environmentType:
  2983. default: PublicCloud
  2984. description: |-
  2985. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2986. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2987. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2988. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  2989. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  2990. enum:
  2991. - PublicCloud
  2992. - USGovernmentCloud
  2993. - ChinaCloud
  2994. - GermanCloud
  2995. - AzureStackCloud
  2996. type: string
  2997. identityId:
  2998. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  2999. type: string
  3000. serviceAccountRef:
  3001. description: |-
  3002. ServiceAccountRef specifies the service account
  3003. that should be used when authenticating with WorkloadIdentity.
  3004. properties:
  3005. audiences:
  3006. description: |-
  3007. Audience specifies the `aud` claim for the service account token
  3008. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3009. then these audiences will be appended to the list
  3010. items:
  3011. type: string
  3012. type: array
  3013. name:
  3014. description: The name of the ServiceAccount resource being referred to.
  3015. maxLength: 253
  3016. minLength: 1
  3017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3018. type: string
  3019. namespace:
  3020. description: |-
  3021. Namespace of the resource being referred to.
  3022. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3023. maxLength: 63
  3024. minLength: 1
  3025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3026. type: string
  3027. required:
  3028. - name
  3029. type: object
  3030. tenantId:
  3031. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3032. type: string
  3033. useAzureSDK:
  3034. default: false
  3035. description: |-
  3036. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3037. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3038. type: boolean
  3039. vaultUrl:
  3040. description: Vault URL from which the secrets are fetched.
  3041. type: string
  3042. required:
  3043. - vaultUrl
  3044. type: object
  3045. barbican:
  3046. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3047. properties:
  3048. auth:
  3049. description: BarbicanAuth contains the authentication information for Barbican.
  3050. properties:
  3051. password:
  3052. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3053. properties:
  3054. secretRef:
  3055. description: |-
  3056. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3057. In some instances, `key` is a required field.
  3058. properties:
  3059. key:
  3060. description: |-
  3061. A key in the referenced Secret.
  3062. Some instances of this field may be defaulted, in others it may be required.
  3063. maxLength: 253
  3064. minLength: 1
  3065. pattern: ^[-._a-zA-Z0-9]+$
  3066. type: string
  3067. name:
  3068. description: The name of the Secret resource being referred to.
  3069. maxLength: 253
  3070. minLength: 1
  3071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3072. type: string
  3073. namespace:
  3074. description: |-
  3075. The namespace of the Secret resource being referred to.
  3076. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3077. maxLength: 63
  3078. minLength: 1
  3079. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3080. type: string
  3081. type: object
  3082. required:
  3083. - secretRef
  3084. type: object
  3085. username:
  3086. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3087. maxProperties: 1
  3088. minProperties: 1
  3089. properties:
  3090. secretRef:
  3091. description: |-
  3092. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3093. In some instances, `key` is a required field.
  3094. properties:
  3095. key:
  3096. description: |-
  3097. A key in the referenced Secret.
  3098. Some instances of this field may be defaulted, in others it may be required.
  3099. maxLength: 253
  3100. minLength: 1
  3101. pattern: ^[-._a-zA-Z0-9]+$
  3102. type: string
  3103. name:
  3104. description: The name of the Secret resource being referred to.
  3105. maxLength: 253
  3106. minLength: 1
  3107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3108. type: string
  3109. namespace:
  3110. description: |-
  3111. The namespace of the Secret resource being referred to.
  3112. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3113. maxLength: 63
  3114. minLength: 1
  3115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3116. type: string
  3117. type: object
  3118. value:
  3119. type: string
  3120. type: object
  3121. required:
  3122. - password
  3123. - username
  3124. type: object
  3125. authURL:
  3126. type: string
  3127. domainName:
  3128. type: string
  3129. region:
  3130. type: string
  3131. tenantName:
  3132. type: string
  3133. required:
  3134. - auth
  3135. type: object
  3136. beyondtrust:
  3137. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3138. properties:
  3139. auth:
  3140. description: Auth configures how the operator authenticates with Beyondtrust.
  3141. properties:
  3142. apiKey:
  3143. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  3144. properties:
  3145. secretRef:
  3146. description: SecretRef references a key in a secret that will be used as value.
  3147. properties:
  3148. key:
  3149. description: |-
  3150. A key in the referenced Secret.
  3151. Some instances of this field may be defaulted, in others it may be required.
  3152. maxLength: 253
  3153. minLength: 1
  3154. pattern: ^[-._a-zA-Z0-9]+$
  3155. type: string
  3156. name:
  3157. description: The name of the Secret resource being referred to.
  3158. maxLength: 253
  3159. minLength: 1
  3160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3161. type: string
  3162. namespace:
  3163. description: |-
  3164. The namespace of the Secret resource being referred to.
  3165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3166. maxLength: 63
  3167. minLength: 1
  3168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3169. type: string
  3170. type: object
  3171. value:
  3172. description: Value can be specified directly to set a value without using a secret.
  3173. type: string
  3174. type: object
  3175. certificate:
  3176. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3177. properties:
  3178. secretRef:
  3179. description: SecretRef references a key in a secret that will be used as value.
  3180. properties:
  3181. key:
  3182. description: |-
  3183. A key in the referenced Secret.
  3184. Some instances of this field may be defaulted, in others it may be required.
  3185. maxLength: 253
  3186. minLength: 1
  3187. pattern: ^[-._a-zA-Z0-9]+$
  3188. type: string
  3189. name:
  3190. description: The name of the Secret resource being referred to.
  3191. maxLength: 253
  3192. minLength: 1
  3193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3194. type: string
  3195. namespace:
  3196. description: |-
  3197. The namespace of the Secret resource being referred to.
  3198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3199. maxLength: 63
  3200. minLength: 1
  3201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3202. type: string
  3203. type: object
  3204. value:
  3205. description: Value can be specified directly to set a value without using a secret.
  3206. type: string
  3207. type: object
  3208. certificateKey:
  3209. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3210. properties:
  3211. secretRef:
  3212. description: SecretRef references a key in a secret that will be used as value.
  3213. properties:
  3214. key:
  3215. description: |-
  3216. A key in the referenced Secret.
  3217. Some instances of this field may be defaulted, in others it may be required.
  3218. maxLength: 253
  3219. minLength: 1
  3220. pattern: ^[-._a-zA-Z0-9]+$
  3221. type: string
  3222. name:
  3223. description: The name of the Secret resource being referred to.
  3224. maxLength: 253
  3225. minLength: 1
  3226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3227. type: string
  3228. namespace:
  3229. description: |-
  3230. The namespace of the Secret resource being referred to.
  3231. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3232. maxLength: 63
  3233. minLength: 1
  3234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3235. type: string
  3236. type: object
  3237. value:
  3238. description: Value can be specified directly to set a value without using a secret.
  3239. type: string
  3240. type: object
  3241. clientId:
  3242. description: ClientID is the API OAuth Client ID.
  3243. properties:
  3244. secretRef:
  3245. description: SecretRef references a key in a secret that will be used as value.
  3246. properties:
  3247. key:
  3248. description: |-
  3249. A key in the referenced Secret.
  3250. Some instances of this field may be defaulted, in others it may be required.
  3251. maxLength: 253
  3252. minLength: 1
  3253. pattern: ^[-._a-zA-Z0-9]+$
  3254. type: string
  3255. name:
  3256. description: The name of the Secret resource being referred to.
  3257. maxLength: 253
  3258. minLength: 1
  3259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3260. type: string
  3261. namespace:
  3262. description: |-
  3263. The namespace of the Secret resource being referred to.
  3264. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3265. maxLength: 63
  3266. minLength: 1
  3267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3268. type: string
  3269. type: object
  3270. value:
  3271. description: Value can be specified directly to set a value without using a secret.
  3272. type: string
  3273. type: object
  3274. clientSecret:
  3275. description: ClientSecret is the API OAuth Client Secret.
  3276. properties:
  3277. secretRef:
  3278. description: SecretRef references a key in a secret that will be used as value.
  3279. properties:
  3280. key:
  3281. description: |-
  3282. A key in the referenced Secret.
  3283. Some instances of this field may be defaulted, in others it may be required.
  3284. maxLength: 253
  3285. minLength: 1
  3286. pattern: ^[-._a-zA-Z0-9]+$
  3287. type: string
  3288. name:
  3289. description: The name of the Secret resource being referred to.
  3290. maxLength: 253
  3291. minLength: 1
  3292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3293. type: string
  3294. namespace:
  3295. description: |-
  3296. The namespace of the Secret resource being referred to.
  3297. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3298. maxLength: 63
  3299. minLength: 1
  3300. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3301. type: string
  3302. type: object
  3303. value:
3304. description: Value can be specified directly to set a value without using a secret. A client secret set here is stored in plaintext in the (Cluster)SecretStore resource rather than in a Secret; prefer secretRef for secret material.
  3305. type: string
  3306. type: object
  3307. type: object
  3308. server:
  3309. description: Auth configures how API server works.
  3310. properties:
  3311. apiUrl:
  3312. type: string
  3313. apiVersion:
  3314. type: string
  3315. clientTimeOutSeconds:
  3316. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3317. type: integer
  3318. decrypt:
  3319. default: true
  3320. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3321. type: boolean
  3322. retrievalType:
  3323. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3324. type: string
  3325. separator:
  3326. description: A character that separates the folder names.
  3327. type: string
  3328. verifyCA:
  3329. type: boolean
  3330. required:
  3331. - apiUrl
  3332. - verifyCA
  3333. type: object
  3334. required:
  3335. - auth
  3336. - server
  3337. type: object
  3338. bitwardensecretsmanager:
3339. description: BitwardenSecretsManager configures this store to sync secrets using the Bitwarden Secrets Manager provider
  3340. properties:
  3341. apiURL:
  3342. type: string
  3343. auth:
  3344. description: |-
  3345. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3346. Make sure that the token being used has permissions on the given secret.
  3347. properties:
  3348. secretRef:
  3349. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3350. properties:
  3351. credentials:
  3352. description: AccessToken used for the bitwarden instance.
  3353. properties:
  3354. key:
  3355. description: |-
  3356. A key in the referenced Secret.
  3357. Some instances of this field may be defaulted, in others it may be required.
  3358. maxLength: 253
  3359. minLength: 1
  3360. pattern: ^[-._a-zA-Z0-9]+$
  3361. type: string
  3362. name:
  3363. description: The name of the Secret resource being referred to.
  3364. maxLength: 253
  3365. minLength: 1
  3366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3367. type: string
  3368. namespace:
  3369. description: |-
  3370. The namespace of the Secret resource being referred to.
  3371. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3372. maxLength: 63
  3373. minLength: 1
  3374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3375. type: string
  3376. type: object
  3377. required:
  3378. - credentials
  3379. type: object
  3380. required:
  3381. - secretRef
  3382. type: object
  3383. bitwardenServerSDKURL:
  3384. type: string
  3385. caBundle:
  3386. description: |-
3387. Base64-encoded certificate for the Bitwarden server SDK. The SDK MUST be reached over HTTPS so that the
3388. connection cannot be intercepted (MITM).
  3389. type: string
  3390. caProvider:
  3391. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3392. properties:
  3393. key:
  3394. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3395. maxLength: 253
  3396. minLength: 1
  3397. pattern: ^[-._a-zA-Z0-9]+$
  3398. type: string
  3399. name:
  3400. description: The name of the object located at the provider type.
  3401. maxLength: 253
  3402. minLength: 1
  3403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3404. type: string
  3405. namespace:
  3406. description: |-
  3407. The namespace the Provider type is in.
  3408. Can only be defined when used in a ClusterSecretStore.
  3409. maxLength: 63
  3410. minLength: 1
  3411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3412. type: string
  3413. type:
  3414. description: The type of provider to use such as "Secret", or "ConfigMap".
  3415. enum:
  3416. - Secret
  3417. - ConfigMap
  3418. type: string
  3419. required:
  3420. - name
  3421. - type
  3422. type: object
  3423. identityURL:
  3424. type: string
  3425. organizationID:
  3426. description: OrganizationID determines which organization this secret store manages.
  3427. type: string
  3428. projectID:
  3429. description: ProjectID determines which project this secret store manages.
  3430. type: string
  3431. required:
  3432. - auth
  3433. - organizationID
  3434. - projectID
  3435. type: object
  3436. chef:
  3437. description: Chef configures this store to sync secrets with chef server
  3438. properties:
  3439. auth:
  3440. description: Auth defines the information necessary to authenticate against chef Server
  3441. properties:
  3442. secretRef:
  3443. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3444. properties:
  3445. privateKeySecretRef:
  3446. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3447. properties:
  3448. key:
  3449. description: |-
  3450. A key in the referenced Secret.
  3451. Some instances of this field may be defaulted, in others it may be required.
  3452. maxLength: 253
  3453. minLength: 1
  3454. pattern: ^[-._a-zA-Z0-9]+$
  3455. type: string
  3456. name:
  3457. description: The name of the Secret resource being referred to.
  3458. maxLength: 253
  3459. minLength: 1
  3460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3461. type: string
  3462. namespace:
  3463. description: |-
  3464. The namespace of the Secret resource being referred to.
  3465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3466. maxLength: 63
  3467. minLength: 1
  3468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3469. type: string
  3470. type: object
  3471. required:
  3472. - privateKeySecretRef
  3473. type: object
  3474. required:
  3475. - secretRef
  3476. type: object
  3477. serverUrl:
3478. description: ServerURL is the Chef server URL to connect to. If using organizations, include your organization in the URL and terminate the URL with a "/".
  3479. type: string
  3480. username:
  3481. description: UserName should be the user ID on the chef server
  3482. type: string
  3483. required:
  3484. - auth
  3485. - serverUrl
  3486. - username
  3487. type: object
  3488. cloudrusm:
  3489. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3490. properties:
  3491. auth:
  3492. description: CSMAuth contains a secretRef for credentials.
  3493. properties:
  3494. secretRef:
  3495. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3496. properties:
  3497. accessKeyIDSecretRef:
  3498. description: The AccessKeyID is used for authentication
  3499. properties:
  3500. key:
  3501. description: |-
  3502. A key in the referenced Secret.
  3503. Some instances of this field may be defaulted, in others it may be required.
  3504. maxLength: 253
  3505. minLength: 1
  3506. pattern: ^[-._a-zA-Z0-9]+$
  3507. type: string
  3508. name:
  3509. description: The name of the Secret resource being referred to.
  3510. maxLength: 253
  3511. minLength: 1
  3512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3513. type: string
  3514. namespace:
  3515. description: |-
  3516. The namespace of the Secret resource being referred to.
  3517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3518. maxLength: 63
  3519. minLength: 1
  3520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3521. type: string
  3522. type: object
  3523. accessKeySecretSecretRef:
  3524. description: The AccessKeySecret is used for authentication
  3525. properties:
  3526. key:
  3527. description: |-
  3528. A key in the referenced Secret.
  3529. Some instances of this field may be defaulted, in others it may be required.
  3530. maxLength: 253
  3531. minLength: 1
  3532. pattern: ^[-._a-zA-Z0-9]+$
  3533. type: string
  3534. name:
  3535. description: The name of the Secret resource being referred to.
  3536. maxLength: 253
  3537. minLength: 1
  3538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3539. type: string
  3540. namespace:
  3541. description: |-
  3542. The namespace of the Secret resource being referred to.
  3543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3544. maxLength: 63
  3545. minLength: 1
  3546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3547. type: string
  3548. type: object
  3549. required:
  3550. - accessKeyIDSecretRef
  3551. - accessKeySecretSecretRef
  3552. type: object
  3553. type: object
  3554. projectID:
3555. description: ProjectID is the project in which the secrets are stored.
  3556. type: string
  3557. required:
  3558. - auth
  3559. type: object
  3560. conjur:
3561. description: Conjur configures this store to sync secrets using the Conjur provider
  3562. properties:
  3563. auth:
  3564. description: Defines authentication settings for connecting to Conjur.
  3565. properties:
  3566. apikey:
  3567. description: Authenticates with Conjur using an API key.
  3568. properties:
  3569. account:
  3570. description: Account is the Conjur organization account name.
  3571. type: string
  3572. apiKeyRef:
  3573. description: |-
  3574. A reference to a specific 'key' containing the Conjur API key
  3575. within a Secret resource. In some instances, `key` is a required field.
  3576. properties:
  3577. key:
  3578. description: |-
  3579. A key in the referenced Secret.
  3580. Some instances of this field may be defaulted, in others it may be required.
  3581. maxLength: 253
  3582. minLength: 1
  3583. pattern: ^[-._a-zA-Z0-9]+$
  3584. type: string
  3585. name:
  3586. description: The name of the Secret resource being referred to.
  3587. maxLength: 253
  3588. minLength: 1
  3589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3590. type: string
  3591. namespace:
  3592. description: |-
  3593. The namespace of the Secret resource being referred to.
  3594. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3595. maxLength: 63
  3596. minLength: 1
  3597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3598. type: string
  3599. type: object
  3600. userRef:
  3601. description: |-
  3602. A reference to a specific 'key' containing the Conjur username
  3603. within a Secret resource. In some instances, `key` is a required field.
  3604. properties:
  3605. key:
  3606. description: |-
  3607. A key in the referenced Secret.
  3608. Some instances of this field may be defaulted, in others it may be required.
  3609. maxLength: 253
  3610. minLength: 1
  3611. pattern: ^[-._a-zA-Z0-9]+$
  3612. type: string
  3613. name:
  3614. description: The name of the Secret resource being referred to.
  3615. maxLength: 253
  3616. minLength: 1
  3617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3618. type: string
  3619. namespace:
  3620. description: |-
  3621. The namespace of the Secret resource being referred to.
  3622. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3623. maxLength: 63
  3624. minLength: 1
  3625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3626. type: string
  3627. type: object
  3628. required:
  3629. - account
  3630. - apiKeyRef
  3631. - userRef
  3632. type: object
  3633. jwt:
  3634. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3635. properties:
  3636. account:
  3637. description: Account is the Conjur organization account name.
  3638. type: string
  3639. hostId:
  3640. description: |-
  3641. Optional HostID for JWT authentication. This may be used depending
  3642. on how the Conjur JWT authenticator policy is configured.
  3643. type: string
  3644. secretRef:
  3645. description: |-
3646. Optional SecretRef that refers to a key in a Secret resource containing the JWT token used to
3647. authenticate with Conjur via the JWT authentication method.
  3648. properties:
  3649. key:
  3650. description: |-
  3651. A key in the referenced Secret.
  3652. Some instances of this field may be defaulted, in others it may be required.
  3653. maxLength: 253
  3654. minLength: 1
  3655. pattern: ^[-._a-zA-Z0-9]+$
  3656. type: string
  3657. name:
  3658. description: The name of the Secret resource being referred to.
  3659. maxLength: 253
  3660. minLength: 1
  3661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3662. type: string
  3663. namespace:
  3664. description: |-
  3665. The namespace of the Secret resource being referred to.
  3666. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3667. maxLength: 63
  3668. minLength: 1
  3669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3670. type: string
  3671. type: object
  3672. serviceAccountRef:
  3673. description: |-
  3674. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3675. a token for with the `TokenRequest` API.
  3676. properties:
  3677. audiences:
  3678. description: |-
  3679. Audience specifies the `aud` claim for the service account token
  3680. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3681. then these audiences will be appended to that list
  3682. items:
  3683. type: string
  3684. type: array
  3685. name:
  3686. description: The name of the ServiceAccount resource being referred to.
  3687. maxLength: 253
  3688. minLength: 1
  3689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3690. type: string
  3691. namespace:
  3692. description: |-
  3693. Namespace of the resource being referred to.
  3694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3695. maxLength: 63
  3696. minLength: 1
  3697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3698. type: string
  3699. required:
  3700. - name
  3701. type: object
  3702. serviceID:
3703. description: The Conjur authn-jwt web service ID.
  3704. type: string
  3705. required:
  3706. - account
  3707. - serviceID
  3708. type: object
  3709. type: object
  3710. caBundle:
  3711. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3712. type: string
  3713. caProvider:
  3714. description: |-
  3715. Used to provide custom certificate authority (CA) certificates
  3716. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3717. that contains a PEM-encoded certificate.
  3718. properties:
  3719. key:
  3720. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3721. maxLength: 253
  3722. minLength: 1
  3723. pattern: ^[-._a-zA-Z0-9]+$
  3724. type: string
  3725. name:
  3726. description: The name of the object located at the provider type.
  3727. maxLength: 253
  3728. minLength: 1
  3729. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3730. type: string
  3731. namespace:
  3732. description: |-
  3733. The namespace the Provider type is in.
  3734. Can only be defined when used in a ClusterSecretStore.
  3735. maxLength: 63
  3736. minLength: 1
  3737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3738. type: string
  3739. type:
  3740. description: The type of provider to use such as "Secret", or "ConfigMap".
  3741. enum:
  3742. - Secret
  3743. - ConfigMap
  3744. type: string
  3745. required:
  3746. - name
  3747. - type
  3748. type: object
  3749. url:
  3750. description: URL is the endpoint of the Conjur instance.
  3751. type: string
  3752. required:
  3753. - auth
  3754. - url
  3755. type: object
  3756. delinea:
  3757. description: |-
  3758. Delinea DevOps Secrets Vault
  3759. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3760. properties:
  3761. clientId:
  3762. description: ClientID is the non-secret part of the credential.
  3763. properties:
  3764. secretRef:
  3765. description: SecretRef references a key in a secret that will be used as value.
  3766. properties:
  3767. key:
  3768. description: |-
  3769. A key in the referenced Secret.
  3770. Some instances of this field may be defaulted, in others it may be required.
  3771. maxLength: 253
  3772. minLength: 1
  3773. pattern: ^[-._a-zA-Z0-9]+$
  3774. type: string
  3775. name:
  3776. description: The name of the Secret resource being referred to.
  3777. maxLength: 253
  3778. minLength: 1
  3779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3780. type: string
  3781. namespace:
  3782. description: |-
  3783. The namespace of the Secret resource being referred to.
  3784. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3785. maxLength: 63
  3786. minLength: 1
  3787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3788. type: string
  3789. type: object
  3790. value:
  3791. description: Value can be specified directly to set a value without using a secret.
  3792. type: string
  3793. type: object
  3794. clientSecret:
  3795. description: ClientSecret is the secret part of the credential.
  3796. properties:
  3797. secretRef:
  3798. description: SecretRef references a key in a secret that will be used as value.
  3799. properties:
  3800. key:
  3801. description: |-
  3802. A key in the referenced Secret.
  3803. Some instances of this field may be defaulted, in others it may be required.
  3804. maxLength: 253
  3805. minLength: 1
  3806. pattern: ^[-._a-zA-Z0-9]+$
  3807. type: string
  3808. name:
  3809. description: The name of the Secret resource being referred to.
  3810. maxLength: 253
  3811. minLength: 1
  3812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3813. type: string
  3814. namespace:
  3815. description: |-
  3816. The namespace of the Secret resource being referred to.
  3817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3818. maxLength: 63
  3819. minLength: 1
  3820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3821. type: string
  3822. type: object
  3823. value:
3824. description: Value can be specified directly to set a value without using a secret. A client secret set here is stored in plaintext in the (Cluster)SecretStore resource rather than in a Secret; prefer secretRef for secret material.
  3825. type: string
  3826. type: object
  3827. tenant:
  3828. description: Tenant is the chosen hostname / site name.
  3829. type: string
  3830. tld:
  3831. description: |-
  3832. TLD is based on the server location that was chosen during provisioning.
  3833. If unset, defaults to "com".
  3834. type: string
  3835. urlTemplate:
  3836. description: |-
  3837. URLTemplate
  3838. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3839. type: string
  3840. required:
  3841. - clientId
  3842. - clientSecret
  3843. - tenant
  3844. type: object
  3845. doppler:
  3846. description: Doppler configures this store to sync secrets using the Doppler provider
  3847. properties:
  3848. auth:
  3849. description: Auth configures how the Operator authenticates with the Doppler API
  3850. properties:
  3851. oidcConfig:
  3852. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  3853. properties:
  3854. expirationSeconds:
  3855. default: 600
  3856. description: |-
  3857. ExpirationSeconds sets the ServiceAccount token validity duration.
  3858. Defaults to 10 minutes.
  3859. format: int64
  3860. type: integer
  3861. identity:
  3862. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  3863. type: string
  3864. serviceAccountRef:
  3865. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  3866. properties:
  3867. audiences:
  3868. description: |-
  3869. Audience specifies the `aud` claim for the service account token
  3870. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
3871. then these audiences will be appended to that list
  3872. items:
  3873. type: string
  3874. type: array
  3875. name:
  3876. description: The name of the ServiceAccount resource being referred to.
  3877. maxLength: 253
  3878. minLength: 1
  3879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3880. type: string
  3881. namespace:
  3882. description: |-
  3883. Namespace of the resource being referred to.
  3884. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3885. maxLength: 63
  3886. minLength: 1
  3887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3888. type: string
  3889. required:
  3890. - name
  3891. type: object
  3892. required:
  3893. - identity
  3894. - serviceAccountRef
  3895. type: object
  3896. secretRef:
  3897. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  3898. properties:
  3899. dopplerToken:
  3900. description: |-
  3901. The DopplerToken is used for authentication.
  3902. See https://docs.doppler.com/reference/api#authentication for auth token types.
  3903. The Key attribute defaults to dopplerToken if not specified.
  3904. properties:
  3905. key:
  3906. description: |-
  3907. A key in the referenced Secret.
  3908. Some instances of this field may be defaulted, in others it may be required.
  3909. maxLength: 253
  3910. minLength: 1
  3911. pattern: ^[-._a-zA-Z0-9]+$
  3912. type: string
  3913. name:
  3914. description: The name of the Secret resource being referred to.
  3915. maxLength: 253
  3916. minLength: 1
  3917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3918. type: string
  3919. namespace:
  3920. description: |-
  3921. The namespace of the Secret resource being referred to.
  3922. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3923. maxLength: 63
  3924. minLength: 1
  3925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3926. type: string
  3927. type: object
  3928. required:
  3929. - dopplerToken
  3930. type: object
  3931. type: object
  3932. x-kubernetes-validations:
  3933. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  3934. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  3935. config:
  3936. description: Doppler config (required if not using a Service Token)
  3937. type: string
  3938. format:
  3939. description: Format enables the downloading of secrets as a file (string)
  3940. enum:
  3941. - json
  3942. - dotnet-json
  3943. - env
  3944. - yaml
  3945. - docker
  3946. type: string
  3947. nameTransformer:
  3948. description: Environment variable compatible name transforms that change secret names to a different format
  3949. enum:
  3950. - upper-camel
  3951. - camel
  3952. - lower-snake
  3953. - tf-var
  3954. - dotnet-env
  3955. - lower-kebab
  3956. type: string
  3957. project:
  3958. description: Doppler project (required if not using a Service Token)
  3959. type: string
  3960. required:
  3961. - auth
  3962. type: object
  3963. dvls:
  3964. description: DVLS configures this store to sync secrets using Devolutions Server provider
  3965. properties:
  3966. auth:
  3967. description: Auth defines the authentication method to use.
  3968. properties:
  3969. secretRef:
  3970. description: SecretRef contains the Application ID and Application Secret for authentication.
  3971. properties:
  3972. appId:
  3973. description: AppID is the reference to the secret containing the Application ID.
  3974. properties:
  3975. key:
  3976. description: |-
  3977. A key in the referenced Secret.
  3978. Some instances of this field may be defaulted, in others it may be required.
  3979. maxLength: 253
  3980. minLength: 1
  3981. pattern: ^[-._a-zA-Z0-9]+$
  3982. type: string
  3983. name:
  3984. description: The name of the Secret resource being referred to.
  3985. maxLength: 253
  3986. minLength: 1
  3987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3988. type: string
  3989. namespace:
  3990. description: |-
  3991. The namespace of the Secret resource being referred to.
  3992. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3993. maxLength: 63
  3994. minLength: 1
  3995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3996. type: string
  3997. type: object
  3998. appSecret:
  3999. description: AppSecret is the reference to the secret containing the Application Secret.
  4000. properties:
  4001. key:
  4002. description: |-
  4003. A key in the referenced Secret.
  4004. Some instances of this field may be defaulted, in others it may be required.
  4005. maxLength: 253
  4006. minLength: 1
  4007. pattern: ^[-._a-zA-Z0-9]+$
  4008. type: string
  4009. name:
  4010. description: The name of the Secret resource being referred to.
  4011. maxLength: 253
  4012. minLength: 1
  4013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4014. type: string
  4015. namespace:
  4016. description: |-
  4017. The namespace of the Secret resource being referred to.
  4018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4019. maxLength: 63
  4020. minLength: 1
  4021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4022. type: string
  4023. type: object
  4024. required:
  4025. - appId
  4026. - appSecret
  4027. type: object
  4028. required:
  4029. - secretRef
  4030. type: object
  4031. insecure:
  4032. description: |-
4033. Insecure allows connecting to DVLS over plain HTTP.
4034. This is NOT RECOMMENDED for production use. Over plain HTTP the Application Secret and every fetched secret
4035. cross the network in cleartext and the server cannot be authenticated. Set to true only if you accept this.
  4036. type: boolean
  4037. serverUrl:
  4038. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4039. type: string
  4040. vault:
  4041. description: |-
  4042. Vault is the name or UUID of the vault to fetch secrets from.
  4043. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4044. type: string
  4045. required:
  4046. - auth
  4047. - serverUrl
  4048. type: object
  4049. fake:
  4050. description: Fake configures a store with static key/value pairs
  4051. properties:
  4052. data:
  4053. items:
  4054. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4055. properties:
  4056. key:
  4057. type: string
  4058. value:
  4059. type: string
  4060. version:
  4061. type: string
  4062. required:
  4063. - key
  4064. - value
  4065. type: object
  4066. type: array
  4067. validationResult:
  4068. description: ValidationResult is defined type for the number of validation results.
  4069. type: integer
  4070. required:
  4071. - data
  4072. type: object
  4073. fortanix:
  4074. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4075. properties:
  4076. apiKey:
  4077. description: APIKey is the API token to access SDKMS Applications.
  4078. properties:
  4079. secretRef:
  4080. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4081. properties:
  4082. key:
  4083. description: |-
  4084. A key in the referenced Secret.
  4085. Some instances of this field may be defaulted, in others it may be required.
  4086. maxLength: 253
  4087. minLength: 1
  4088. pattern: ^[-._a-zA-Z0-9]+$
  4089. type: string
  4090. name:
  4091. description: The name of the Secret resource being referred to.
  4092. maxLength: 253
  4093. minLength: 1
  4094. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4095. type: string
  4096. namespace:
  4097. description: |-
  4098. The namespace of the Secret resource being referred to.
  4099. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4100. maxLength: 63
  4101. minLength: 1
  4102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4103. type: string
  4104. type: object
  4105. type: object
  4106. apiUrl:
4107. description: APIURL is the URL of the SDKMS API. Defaults to `sdkms.fortanix.com`.
  4108. type: string
  4109. type: object
  4110. gcpsm:
  4111. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4112. properties:
  4113. auth:
  4114. description: Auth defines the information necessary to authenticate against GCP
  4115. properties:
  4116. secretRef:
  4117. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4118. properties:
  4119. secretAccessKeySecretRef:
  4120. description: The SecretAccessKey is used for authentication
  4121. properties:
  4122. key:
  4123. description: |-
  4124. A key in the referenced Secret.
  4125. Some instances of this field may be defaulted, in others it may be required.
  4126. maxLength: 253
  4127. minLength: 1
  4128. pattern: ^[-._a-zA-Z0-9]+$
  4129. type: string
  4130. name:
  4131. description: The name of the Secret resource being referred to.
  4132. maxLength: 253
  4133. minLength: 1
  4134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4135. type: string
  4136. namespace:
  4137. description: |-
  4138. The namespace of the Secret resource being referred to.
  4139. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4140. maxLength: 63
  4141. minLength: 1
  4142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4143. type: string
  4144. type: object
  4145. type: object
  4146. workloadIdentity:
  4147. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4148. properties:
  4149. clusterLocation:
  4150. description: |-
  4151. ClusterLocation is the location of the cluster
  4152. If not specified, it fetches information from the metadata server
  4153. type: string
  4154. clusterName:
  4155. description: |-
  4156. ClusterName is the name of the cluster
  4157. If not specified, it fetches information from the metadata server
  4158. type: string
  4159. clusterProjectID:
  4160. description: |-
  4161. ClusterProjectID is the project ID of the cluster
  4162. If not specified, it fetches information from the metadata server
  4163. type: string
  4164. serviceAccountRef:
  4165. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4166. properties:
  4167. audiences:
  4168. description: |-
  4169. Audience specifies the `aud` claim for the service account token
  4170. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4171. then these audiences will be appended to the list
  4172. items:
  4173. type: string
  4174. type: array
  4175. name:
  4176. description: The name of the ServiceAccount resource being referred to.
  4177. maxLength: 253
  4178. minLength: 1
  4179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4180. type: string
  4181. namespace:
  4182. description: |-
  4183. Namespace of the resource being referred to.
  4184. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4185. maxLength: 63
  4186. minLength: 1
  4187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4188. type: string
  4189. required:
  4190. - name
  4191. type: object
  4192. required:
  4193. - serviceAccountRef
  4194. type: object
  4195. workloadIdentityFederation:
  4196. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4197. properties:
  4198. audience:
  4199. description: |-
  4200. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4201. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4202. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4203. type: string
  4204. awsSecurityCredentials:
  4205. description: |-
  4206. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4207. when using the AWS metadata server is not an option.
  4208. properties:
  4209. awsCredentialsSecretRef:
  4210. description: |-
  4211. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4212. Secret should be created with below names for keys
  4213. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4214. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4215. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4216. properties:
  4217. name:
  4218. description: name of the secret.
  4219. maxLength: 253
  4220. minLength: 1
  4221. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4222. type: string
  4223. namespace:
  4224. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  4225. maxLength: 63
  4226. minLength: 1
  4227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4228. type: string
  4229. required:
  4230. - name
  4231. type: object
  4232. region:
  4233. description: region is for configuring the AWS region to be used.
  4234. example: ap-south-1
  4235. maxLength: 50
  4236. minLength: 1
  4237. pattern: ^[a-z0-9-]+$
  4238. type: string
  4239. required:
  4240. - awsCredentialsSecretRef
  4241. - region
  4242. type: object
  4243. credConfig:
  4244. description: |-
  4245. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4246. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead
  4247. serviceAccountRef must be used by providing the operator's service account details.
  4248. properties:
  4249. key:
  4250. description: key name holding the external account credential config.
  4251. maxLength: 253
  4252. minLength: 1
  4253. pattern: ^[-._a-zA-Z0-9]+$
  4254. type: string
  4255. name:
  4256. description: name of the configmap.
  4257. maxLength: 253
  4258. minLength: 1
  4259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4260. type: string
  4261. namespace:
  4262. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  4263. maxLength: 63
  4264. minLength: 1
  4265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4266. type: string
  4267. required:
  4268. - key
  4269. - name
  4270. type: object
  4271. externalTokenEndpoint:
  4272. description: |-
  4273. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4274. credential_source.url in the provided credConfig. This field merely double-checks that the external token source
  4275. URL has the expected value.
  4276. type: string
  4277. gcpServiceAccountEmail:
  4278. description: |-
  4279. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4280. after Workload Identity Federation. Use this to grant access through the service account's
  4281. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4282. service_account_impersonation_url in the external account JSON from credConfig;
  4283. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4284. on that ServiceAccount.
  4285. example: my-gsa@my-project.iam.gserviceaccount.com
  4286. minLength: 1
  4287. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4288. type: string
  4289. serviceAccountRef:
  4290. description: |-
  4291. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4292. when Kubernetes is configured as provider in workload identity pool.
  4293. properties:
  4294. audiences:
  4295. description: |-
  4296. Audience specifies the `aud` claim for the service account token
  4297. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4298. then these audiences will be appended to the list
  4299. items:
  4300. type: string
  4301. type: array
  4302. name:
  4303. description: The name of the ServiceAccount resource being referred to.
  4304. maxLength: 253
  4305. minLength: 1
  4306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4307. type: string
  4308. namespace:
  4309. description: |-
  4310. Namespace of the resource being referred to.
  4311. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4312. maxLength: 63
  4313. minLength: 1
  4314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4315. type: string
  4316. required:
  4317. - name
  4318. type: object
  4319. type: object
  4320. type: object
  4321. location:
  4322. description: Location optionally defines a location for a secret
  4323. type: string
  4324. projectID:
  4325. description: ProjectID is the project where the secret is located
  4326. type: string
  4327. secretVersionSelectionPolicy:
  4328. default: LatestOrFail
  4329. description: |-
  4330. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4331. when "latest" is disabled or destroyed.
  4332. Possible values are:
  4333. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4334. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4335. type: string
  4336. type: object
  4337. github:
  4338. description: |-
  4339. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4340. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4341. properties:
  4342. appID:
  4343. description: appID specifies the Github APP that will be used to authenticate the client
  4344. format: int64
  4345. type: integer
  4346. auth:
  4347. description: auth configures how secret-manager authenticates with a Github instance.
  4348. properties:
  4349. privateKey:
  4350. description: |-
  4351. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4352. In some instances, `key` is a required field.
  4353. properties:
  4354. key:
  4355. description: |-
  4356. A key in the referenced Secret.
  4357. Some instances of this field may be defaulted, in others it may be required.
  4358. maxLength: 253
  4359. minLength: 1
  4360. pattern: ^[-._a-zA-Z0-9]+$
  4361. type: string
  4362. name:
  4363. description: The name of the Secret resource being referred to.
  4364. maxLength: 253
  4365. minLength: 1
  4366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4367. type: string
  4368. namespace:
  4369. description: |-
  4370. The namespace of the Secret resource being referred to.
  4371. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4372. maxLength: 63
  4373. minLength: 1
  4374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4375. type: string
  4376. type: object
  4377. required:
  4378. - privateKey
  4379. type: object
  4380. environment:
  4381. description: environment will be used to fetch secrets from a particular environment within a github repository
  4382. type: string
  4383. installationID:
  4384. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4385. format: int64
  4386. type: integer
  4387. orgSecretVisibility:
  4388. description: |-
  4389. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4390. Valid values are "all" or "private".
  4391. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4392. whatever visibility they already have in GitHub.
  4393. enum:
  4394. - all
  4395. - private
  4396. type: string
  4397. organization:
  4398. description: organization will be used to fetch secrets from the Github organization
  4399. type: string
  4400. repository:
  4401. description: repository will be used to fetch secrets from the Github repository within an organization
  4402. type: string
  4403. uploadURL:
  4404. description: Upload URL for enterprise instances. Default to URL.
  4405. type: string
  4406. url:
  4407. default: https://github.com/
  4408. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4409. type: string
  4410. required:
  4411. - appID
  4412. - auth
  4413. - installationID
  4414. - organization
  4415. type: object
  4416. gitlab:
  4417. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4418. properties:
  4419. auth:
  4420. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4421. properties:
  4422. SecretRef:
  4423. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4424. properties:
  4425. accessToken:
  4426. description: AccessToken is used for authentication.
  4427. properties:
  4428. key:
  4429. description: |-
  4430. A key in the referenced Secret.
  4431. Some instances of this field may be defaulted, in others it may be required.
  4432. maxLength: 253
  4433. minLength: 1
  4434. pattern: ^[-._a-zA-Z0-9]+$
  4435. type: string
  4436. name:
  4437. description: The name of the Secret resource being referred to.
  4438. maxLength: 253
  4439. minLength: 1
  4440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4441. type: string
  4442. namespace:
  4443. description: |-
  4444. The namespace of the Secret resource being referred to.
  4445. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4446. maxLength: 63
  4447. minLength: 1
  4448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4449. type: string
  4450. type: object
  4451. type: object
  4452. required:
  4453. - SecretRef
  4454. type: object
  4455. caBundle:
  4456. description: |-
  4457. Base64-encoded CA certificate used by the GitLab server SDK. The SDK MUST use HTTPS to make sure no MITM attack
  4458. can be performed.
  4459. format: byte
  4460. type: string
  4461. caProvider:
  4462. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4463. properties:
  4464. key:
  4465. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4466. maxLength: 253
  4467. minLength: 1
  4468. pattern: ^[-._a-zA-Z0-9]+$
  4469. type: string
  4470. name:
  4471. description: The name of the object located at the provider type.
  4472. maxLength: 253
  4473. minLength: 1
  4474. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4475. type: string
  4476. namespace:
  4477. description: |-
  4478. The namespace the Provider type is in.
  4479. Can only be defined when used in a ClusterSecretStore.
  4480. maxLength: 63
  4481. minLength: 1
  4482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4483. type: string
  4484. type:
  4485. description: The type of provider to use such as "Secret", or "ConfigMap".
  4486. enum:
  4487. - Secret
  4488. - ConfigMap
  4489. type: string
  4490. required:
  4491. - name
  4492. - type
  4493. type: object
  4494. environment:
  4495. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4496. type: string
  4497. groupIDs:
  4498. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  4499. items:
  4500. type: string
  4501. type: array
  4502. inheritFromGroups:
  4503. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4504. type: boolean
  4505. projectID:
  4506. description: ProjectID specifies a project where secrets are located.
  4507. type: string
  4508. url:
  4509. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4510. type: string
  4511. required:
  4512. - auth
  4513. type: object
  4514. ibm:
  4515. description: IBM configures this store to sync secrets using IBM Cloud provider
  4516. properties:
  4517. auth:
  4518. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4519. maxProperties: 1
  4520. minProperties: 1
  4521. properties:
  4522. containerAuth:
  4523. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4524. properties:
  4525. iamEndpoint:
  4526. type: string
  4527. profile:
  4528. description: the IBM Trusted Profile
  4529. type: string
  4530. tokenLocation:
  4531. description: Location the token is mounted on the pod
  4532. type: string
  4533. required:
  4534. - profile
  4535. type: object
  4536. secretRef:
  4537. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4538. properties:
  4539. iamEndpoint:
  4540. description: The IAM endpoint used to obtain a token
  4541. type: string
  4542. secretApiKeySecretRef:
  4543. description: The SecretAccessKey is used for authentication
  4544. properties:
  4545. key:
  4546. description: |-
  4547. A key in the referenced Secret.
  4548. Some instances of this field may be defaulted, in others it may be required.
  4549. maxLength: 253
  4550. minLength: 1
  4551. pattern: ^[-._a-zA-Z0-9]+$
  4552. type: string
  4553. name:
  4554. description: The name of the Secret resource being referred to.
  4555. maxLength: 253
  4556. minLength: 1
  4557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4558. type: string
  4559. namespace:
  4560. description: |-
  4561. The namespace of the Secret resource being referred to.
  4562. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4563. maxLength: 63
  4564. minLength: 1
  4565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4566. type: string
  4567. type: object
  4568. type: object
  4569. type: object
  4570. serviceUrl:
  4571. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4572. type: string
  4573. required:
  4574. - auth
  4575. type: object
  4576. infisical:
  4577. description: Infisical configures this store to sync secrets using the Infisical provider
  4578. properties:
  4579. auth:
  4580. description: Auth configures how the Operator authenticates with the Infisical API
  4581. properties:
  4582. awsAuthCredentials:
  4583. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4584. properties:
  4585. identityId:
  4586. description: |-
  4587. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4588. In some instances, `key` is a required field.
  4589. properties:
  4590. key:
  4591. description: |-
  4592. A key in the referenced Secret.
  4593. Some instances of this field may be defaulted, in others it may be required.
  4594. maxLength: 253
  4595. minLength: 1
  4596. pattern: ^[-._a-zA-Z0-9]+$
  4597. type: string
  4598. name:
  4599. description: The name of the Secret resource being referred to.
  4600. maxLength: 253
  4601. minLength: 1
  4602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4603. type: string
  4604. namespace:
  4605. description: |-
  4606. The namespace of the Secret resource being referred to.
  4607. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4608. maxLength: 63
  4609. minLength: 1
  4610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4611. type: string
  4612. type: object
  4613. required:
  4614. - identityId
  4615. type: object
  4616. azureAuthCredentials:
  4617. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4618. properties:
  4619. identityId:
  4620. description: |-
  4621. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4622. In some instances, `key` is a required field.
  4623. properties:
  4624. key:
  4625. description: |-
  4626. A key in the referenced Secret.
  4627. Some instances of this field may be defaulted, in others it may be required.
  4628. maxLength: 253
  4629. minLength: 1
  4630. pattern: ^[-._a-zA-Z0-9]+$
  4631. type: string
  4632. name:
  4633. description: The name of the Secret resource being referred to.
  4634. maxLength: 253
  4635. minLength: 1
  4636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4637. type: string
  4638. namespace:
  4639. description: |-
  4640. The namespace of the Secret resource being referred to.
  4641. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4642. maxLength: 63
  4643. minLength: 1
  4644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4645. type: string
  4646. type: object
  4647. resource:
  4648. description: |-
  4649. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4650. In some instances, `key` is a required field.
  4651. properties:
  4652. key:
  4653. description: |-
  4654. A key in the referenced Secret.
  4655. Some instances of this field may be defaulted, in others it may be required.
  4656. maxLength: 253
  4657. minLength: 1
  4658. pattern: ^[-._a-zA-Z0-9]+$
  4659. type: string
  4660. name:
  4661. description: The name of the Secret resource being referred to.
  4662. maxLength: 253
  4663. minLength: 1
  4664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4665. type: string
  4666. namespace:
  4667. description: |-
  4668. The namespace of the Secret resource being referred to.
  4669. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4670. maxLength: 63
  4671. minLength: 1
  4672. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4673. type: string
  4674. type: object
  4675. required:
  4676. - identityId
  4677. type: object
  4678. gcpIamAuthCredentials:
  4679. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4680. properties:
  4681. identityId:
  4682. description: |-
  4683. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4684. In some instances, `key` is a required field.
  4685. properties:
  4686. key:
  4687. description: |-
  4688. A key in the referenced Secret.
  4689. Some instances of this field may be defaulted, in others it may be required.
  4690. maxLength: 253
  4691. minLength: 1
  4692. pattern: ^[-._a-zA-Z0-9]+$
  4693. type: string
  4694. name:
  4695. description: The name of the Secret resource being referred to.
  4696. maxLength: 253
  4697. minLength: 1
  4698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4699. type: string
  4700. namespace:
  4701. description: |-
  4702. The namespace of the Secret resource being referred to.
  4703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4704. maxLength: 63
  4705. minLength: 1
  4706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4707. type: string
  4708. type: object
  4709. serviceAccountKeyFilePath:
  4710. description: |-
  4711. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4712. In some instances, `key` is a required field.
  4713. properties:
  4714. key:
  4715. description: |-
  4716. A key in the referenced Secret.
  4717. Some instances of this field may be defaulted, in others it may be required.
  4718. maxLength: 253
  4719. minLength: 1
  4720. pattern: ^[-._a-zA-Z0-9]+$
  4721. type: string
  4722. name:
  4723. description: The name of the Secret resource being referred to.
  4724. maxLength: 253
  4725. minLength: 1
  4726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4727. type: string
  4728. namespace:
  4729. description: |-
  4730. The namespace of the Secret resource being referred to.
  4731. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4732. maxLength: 63
  4733. minLength: 1
  4734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4735. type: string
  4736. type: object
  4737. required:
  4738. - identityId
  4739. - serviceAccountKeyFilePath
  4740. type: object
  4741. gcpIdTokenAuthCredentials:
  4742. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4743. properties:
  4744. identityId:
  4745. description: |-
  4746. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4747. In some instances, `key` is a required field.
  4748. properties:
  4749. key:
  4750. description: |-
  4751. A key in the referenced Secret.
  4752. Some instances of this field may be defaulted, in others it may be required.
  4753. maxLength: 253
  4754. minLength: 1
  4755. pattern: ^[-._a-zA-Z0-9]+$
  4756. type: string
  4757. name:
  4758. description: The name of the Secret resource being referred to.
  4759. maxLength: 253
  4760. minLength: 1
  4761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4762. type: string
  4763. namespace:
  4764. description: |-
  4765. The namespace of the Secret resource being referred to.
  4766. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4767. maxLength: 63
  4768. minLength: 1
  4769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4770. type: string
  4771. type: object
  4772. required:
  4773. - identityId
  4774. type: object
  4775. jwtAuthCredentials:
  4776. description: JwtAuthCredentials represents the credentials for JWT authentication.
  4777. properties:
  4778. identityId:
  4779. description: |-
  4780. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4781. In some instances, `key` is a required field.
  4782. properties:
  4783. key:
  4784. description: |-
  4785. A key in the referenced Secret.
  4786. Some instances of this field may be defaulted, in others it may be required.
  4787. maxLength: 253
  4788. minLength: 1
  4789. pattern: ^[-._a-zA-Z0-9]+$
  4790. type: string
  4791. name:
  4792. description: The name of the Secret resource being referred to.
  4793. maxLength: 253
  4794. minLength: 1
  4795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4796. type: string
  4797. namespace:
  4798. description: |-
  4799. The namespace of the Secret resource being referred to.
  4800. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4801. maxLength: 63
  4802. minLength: 1
  4803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4804. type: string
  4805. type: object
  4806. jwt:
  4807. description: |-
  4808. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4809. In some instances, `key` is a required field.
  4810. properties:
  4811. key:
  4812. description: |-
  4813. A key in the referenced Secret.
  4814. Some instances of this field may be defaulted, in others it may be required.
  4815. maxLength: 253
  4816. minLength: 1
  4817. pattern: ^[-._a-zA-Z0-9]+$
  4818. type: string
  4819. name:
  4820. description: The name of the Secret resource being referred to.
  4821. maxLength: 253
  4822. minLength: 1
  4823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4824. type: string
  4825. namespace:
  4826. description: |-
  4827. The namespace of the Secret resource being referred to.
  4828. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4829. maxLength: 63
  4830. minLength: 1
  4831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4832. type: string
  4833. type: object
  4834. required:
  4835. - identityId
  4836. - jwt
  4837. type: object
  4838. kubernetesAuthCredentials:
  4839. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  4840. properties:
  4841. identityId:
  4842. description: |-
  4843. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4844. In some instances, `key` is a required field.
  4845. properties:
  4846. key:
  4847. description: |-
  4848. A key in the referenced Secret.
  4849. Some instances of this field may be defaulted, in others it may be required.
  4850. maxLength: 253
  4851. minLength: 1
  4852. pattern: ^[-._a-zA-Z0-9]+$
  4853. type: string
  4854. name:
  4855. description: The name of the Secret resource being referred to.
  4856. maxLength: 253
  4857. minLength: 1
  4858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4859. type: string
  4860. namespace:
  4861. description: |-
  4862. The namespace of the Secret resource being referred to.
  4863. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4864. maxLength: 63
  4865. minLength: 1
  4866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4867. type: string
  4868. type: object
  4869. serviceAccountTokenPath:
  4870. description: |-
  4871. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4872. In some instances, `key` is a required field.
  4873. properties:
  4874. key:
  4875. description: |-
  4876. A key in the referenced Secret.
  4877. Some instances of this field may be defaulted, in others it may be required.
  4878. maxLength: 253
  4879. minLength: 1
  4880. pattern: ^[-._a-zA-Z0-9]+$
  4881. type: string
  4882. name:
  4883. description: The name of the Secret resource being referred to.
  4884. maxLength: 253
  4885. minLength: 1
  4886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4887. type: string
  4888. namespace:
  4889. description: |-
  4890. The namespace of the Secret resource being referred to.
  4891. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4892. maxLength: 63
  4893. minLength: 1
  4894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4895. type: string
  4896. type: object
  4897. required:
  4898. - identityId
  4899. type: object
  4900. ldapAuthCredentials:
  4901. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  4902. properties:
  4903. identityId:
  4904. description: |-
  4905. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4906. In some instances, `key` is a required field.
  4907. properties:
  4908. key:
  4909. description: |-
  4910. A key in the referenced Secret.
  4911. Some instances of this field may be defaulted, in others it may be required.
  4912. maxLength: 253
  4913. minLength: 1
  4914. pattern: ^[-._a-zA-Z0-9]+$
  4915. type: string
  4916. name:
  4917. description: The name of the Secret resource being referred to.
  4918. maxLength: 253
  4919. minLength: 1
  4920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4921. type: string
  4922. namespace:
  4923. description: |-
  4924. The namespace of the Secret resource being referred to.
  4925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4926. maxLength: 63
  4927. minLength: 1
  4928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4929. type: string
  4930. type: object
  4931. ldapPassword:
  4932. description: |-
  4933. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4934. In some instances, `key` is a required field.
  4935. properties:
  4936. key:
  4937. description: |-
  4938. A key in the referenced Secret.
  4939. Some instances of this field may be defaulted, in others it may be required.
  4940. maxLength: 253
  4941. minLength: 1
  4942. pattern: ^[-._a-zA-Z0-9]+$
  4943. type: string
  4944. name:
  4945. description: The name of the Secret resource being referred to.
  4946. maxLength: 253
  4947. minLength: 1
  4948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4949. type: string
  4950. namespace:
  4951. description: |-
  4952. The namespace of the Secret resource being referred to.
  4953. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4954. maxLength: 63
  4955. minLength: 1
  4956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4957. type: string
  4958. type: object
  4959. ldapUsername:
  4960. description: |-
  4961. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4962. In some instances, `key` is a required field.
  4963. properties:
  4964. key:
  4965. description: |-
  4966. A key in the referenced Secret.
  4967. Some instances of this field may be defaulted, in others it may be required.
  4968. maxLength: 253
  4969. minLength: 1
  4970. pattern: ^[-._a-zA-Z0-9]+$
  4971. type: string
  4972. name:
  4973. description: The name of the Secret resource being referred to.
  4974. maxLength: 253
  4975. minLength: 1
  4976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4977. type: string
  4978. namespace:
  4979. description: |-
  4980. The namespace of the Secret resource being referred to.
  4981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4982. maxLength: 63
  4983. minLength: 1
  4984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4985. type: string
  4986. type: object
  4987. required:
  4988. - identityId
  4989. - ldapPassword
  4990. - ldapUsername
  4991. type: object
  4992. ociAuthCredentials:
  4993. description: OciAuthCredentials represents the credentials for OCI authentication.
  4994. properties:
  4995. fingerprint:
  4996. description: |-
  4997. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4998. In some instances, `key` is a required field.
  4999. properties:
  5000. key:
  5001. description: |-
  5002. A key in the referenced Secret.
  5003. Some instances of this field may be defaulted, in others it may be required.
  5004. maxLength: 253
  5005. minLength: 1
  5006. pattern: ^[-._a-zA-Z0-9]+$
  5007. type: string
  5008. name:
  5009. description: The name of the Secret resource being referred to.
  5010. maxLength: 253
  5011. minLength: 1
  5012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5013. type: string
  5014. namespace:
  5015. description: |-
  5016. The namespace of the Secret resource being referred to.
  5017. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5018. maxLength: 63
  5019. minLength: 1
  5020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5021. type: string
  5022. type: object
  5023. identityId:
  5024. description: |-
  5025. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5026. In some instances, `key` is a required field.
  5027. properties:
  5028. key:
  5029. description: |-
  5030. A key in the referenced Secret.
  5031. Some instances of this field may be defaulted, in others it may be required.
  5032. maxLength: 253
  5033. minLength: 1
  5034. pattern: ^[-._a-zA-Z0-9]+$
  5035. type: string
  5036. name:
  5037. description: The name of the Secret resource being referred to.
  5038. maxLength: 253
  5039. minLength: 1
  5040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5041. type: string
  5042. namespace:
  5043. description: |-
  5044. The namespace of the Secret resource being referred to.
  5045. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5046. maxLength: 63
  5047. minLength: 1
  5048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5049. type: string
  5050. type: object
  5051. privateKey:
  5052. description: |-
  5053. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5054. In some instances, `key` is a required field.
  5055. properties:
  5056. key:
  5057. description: |-
  5058. A key in the referenced Secret.
  5059. Some instances of this field may be defaulted, in others it may be required.
  5060. maxLength: 253
  5061. minLength: 1
  5062. pattern: ^[-._a-zA-Z0-9]+$
  5063. type: string
  5064. name:
  5065. description: The name of the Secret resource being referred to.
  5066. maxLength: 253
  5067. minLength: 1
  5068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5069. type: string
  5070. namespace:
  5071. description: |-
  5072. The namespace of the Secret resource being referred to.
  5073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5074. maxLength: 63
  5075. minLength: 1
  5076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5077. type: string
  5078. type: object
  5079. privateKeyPassphrase:
  5080. description: |-
  5081. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5082. In some instances, `key` is a required field.
  5083. properties:
  5084. key:
  5085. description: |-
  5086. A key in the referenced Secret.
  5087. Some instances of this field may be defaulted, in others it may be required.
  5088. maxLength: 253
  5089. minLength: 1
  5090. pattern: ^[-._a-zA-Z0-9]+$
  5091. type: string
  5092. name:
  5093. description: The name of the Secret resource being referred to.
  5094. maxLength: 253
  5095. minLength: 1
  5096. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5097. type: string
  5098. namespace:
  5099. description: |-
  5100. The namespace of the Secret resource being referred to.
  5101. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5102. maxLength: 63
  5103. minLength: 1
  5104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5105. type: string
  5106. type: object
  5107. region:
  5108. description: |-
  5109. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5110. In some instances, `key` is a required field.
  5111. properties:
  5112. key:
  5113. description: |-
  5114. A key in the referenced Secret.
  5115. Some instances of this field may be defaulted, in others it may be required.
  5116. maxLength: 253
  5117. minLength: 1
  5118. pattern: ^[-._a-zA-Z0-9]+$
  5119. type: string
  5120. name:
  5121. description: The name of the Secret resource being referred to.
  5122. maxLength: 253
  5123. minLength: 1
  5124. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5125. type: string
  5126. namespace:
  5127. description: |-
  5128. The namespace of the Secret resource being referred to.
  5129. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5130. maxLength: 63
  5131. minLength: 1
  5132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5133. type: string
  5134. type: object
  5135. tenancyId:
  5136. description: |-
  5137. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5138. In some instances, `key` is a required field.
  5139. properties:
  5140. key:
  5141. description: |-
  5142. A key in the referenced Secret.
  5143. Some instances of this field may be defaulted, in others it may be required.
  5144. maxLength: 253
  5145. minLength: 1
  5146. pattern: ^[-._a-zA-Z0-9]+$
  5147. type: string
  5148. name:
  5149. description: The name of the Secret resource being referred to.
  5150. maxLength: 253
  5151. minLength: 1
  5152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5153. type: string
  5154. namespace:
  5155. description: |-
  5156. The namespace of the Secret resource being referred to.
  5157. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5158. maxLength: 63
  5159. minLength: 1
  5160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5161. type: string
  5162. type: object
  5163. userId:
  5164. description: |-
  5165. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5166. In some instances, `key` is a required field.
  5167. properties:
  5168. key:
  5169. description: |-
  5170. A key in the referenced Secret.
  5171. Some instances of this field may be defaulted, in others it may be required.
  5172. maxLength: 253
  5173. minLength: 1
  5174. pattern: ^[-._a-zA-Z0-9]+$
  5175. type: string
  5176. name:
  5177. description: The name of the Secret resource being referred to.
  5178. maxLength: 253
  5179. minLength: 1
  5180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5181. type: string
  5182. namespace:
  5183. description: |-
  5184. The namespace of the Secret resource being referred to.
  5185. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5186. maxLength: 63
  5187. minLength: 1
  5188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5189. type: string
  5190. type: object
  5191. required:
  5192. - fingerprint
  5193. - identityId
  5194. - privateKey
  5195. - region
  5196. - tenancyId
  5197. - userId
  5198. type: object
  5199. tokenAuthCredentials:
  5200. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5201. properties:
  5202. accessToken:
  5203. description: |-
  5204. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5205. In some instances, `key` is a required field.
  5206. properties:
  5207. key:
  5208. description: |-
  5209. A key in the referenced Secret.
  5210. Some instances of this field may be defaulted, in others it may be required.
  5211. maxLength: 253
  5212. minLength: 1
  5213. pattern: ^[-._a-zA-Z0-9]+$
  5214. type: string
  5215. name:
  5216. description: The name of the Secret resource being referred to.
  5217. maxLength: 253
  5218. minLength: 1
  5219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5220. type: string
  5221. namespace:
  5222. description: |-
  5223. The namespace of the Secret resource being referred to.
  5224. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5225. maxLength: 63
  5226. minLength: 1
  5227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5228. type: string
  5229. type: object
  5230. required:
  5231. - accessToken
  5232. type: object
  5233. universalAuthCredentials:
  5234. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5235. properties:
  5236. clientId:
  5237. description: |-
  5238. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5239. In some instances, `key` is a required field.
  5240. properties:
  5241. key:
  5242. description: |-
  5243. A key in the referenced Secret.
  5244. Some instances of this field may be defaulted, in others it may be required.
  5245. maxLength: 253
  5246. minLength: 1
  5247. pattern: ^[-._a-zA-Z0-9]+$
  5248. type: string
  5249. name:
  5250. description: The name of the Secret resource being referred to.
  5251. maxLength: 253
  5252. minLength: 1
  5253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5254. type: string
  5255. namespace:
  5256. description: |-
  5257. The namespace of the Secret resource being referred to.
  5258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5259. maxLength: 63
  5260. minLength: 1
  5261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5262. type: string
  5263. type: object
  5264. clientSecret:
  5265. description: |-
  5266. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5267. In some instances, `key` is a required field.
  5268. properties:
  5269. key:
  5270. description: |-
  5271. A key in the referenced Secret.
  5272. Some instances of this field may be defaulted, in others it may be required.
  5273. maxLength: 253
  5274. minLength: 1
  5275. pattern: ^[-._a-zA-Z0-9]+$
  5276. type: string
  5277. name:
  5278. description: The name of the Secret resource being referred to.
  5279. maxLength: 253
  5280. minLength: 1
  5281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5282. type: string
  5283. namespace:
  5284. description: |-
  5285. The namespace of the Secret resource being referred to.
  5286. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5287. maxLength: 63
  5288. minLength: 1
  5289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5290. type: string
  5291. type: object
  5292. required:
  5293. - clientId
  5294. - clientSecret
  5295. type: object
  5296. type: object
  5297. caBundle:
  5298. description: |-
  5299. CABundle is a PEM-encoded CA certificate bundle used to validate
  5300. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5301. format: byte
  5302. type: string
  5303. caProvider:
  5304. description: |-
  5305. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5306. The certificate is used to validate the Infisical server's TLS certificate.
  5307. Mutually exclusive with CABundle.
  5308. properties:
  5309. key:
  5310. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5311. maxLength: 253
  5312. minLength: 1
  5313. pattern: ^[-._a-zA-Z0-9]+$
  5314. type: string
  5315. name:
  5316. description: The name of the object located at the provider type.
  5317. maxLength: 253
  5318. minLength: 1
  5319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5320. type: string
  5321. namespace:
  5322. description: |-
  5323. The namespace the Provider type is in.
  5324. Can only be defined when used in a ClusterSecretStore.
  5325. maxLength: 63
  5326. minLength: 1
  5327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5328. type: string
  5329. type:
  5330. description: The type of provider to use such as "Secret", or "ConfigMap".
  5331. enum:
  5332. - Secret
  5333. - ConfigMap
  5334. type: string
  5335. required:
  5336. - name
  5337. - type
  5338. type: object
  5339. hostAPI:
  5340. default: https://app.infisical.com/api
  5341. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5342. type: string
  5343. secretsScope:
  5344. description: SecretsScope defines the scope of the secrets within the workspace
  5345. properties:
  5346. environmentSlug:
  5347. description: EnvironmentSlug is the required slug identifier for the environment.
  5348. type: string
  5349. expandSecretReferences:
  5350. default: true
  5351. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5352. type: boolean
  5353. projectSlug:
  5354. description: ProjectSlug is the required slug identifier for the project.
  5355. type: string
  5356. recursive:
  5357. default: false
  5358. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5359. type: boolean
  5360. secretsPath:
  5361. default: /
  5362. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5363. type: string
  5364. required:
  5365. - environmentSlug
  5366. - projectSlug
  5367. type: object
  5368. required:
  5369. - auth
  5370. - secretsScope
  5371. type: object
  5372. keepersecurity:
  5373. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5374. properties:
  5375. authRef:
  5376. description: |-
  5377. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5378. In some instances, `key` is a required field.
  5379. properties:
  5380. key:
  5381. description: |-
  5382. A key in the referenced Secret.
  5383. Some instances of this field may be defaulted, in others it may be required.
  5384. maxLength: 253
  5385. minLength: 1
  5386. pattern: ^[-._a-zA-Z0-9]+$
  5387. type: string
  5388. name:
  5389. description: The name of the Secret resource being referred to.
  5390. maxLength: 253
  5391. minLength: 1
  5392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5393. type: string
  5394. namespace:
  5395. description: |-
  5396. The namespace of the Secret resource being referred to.
  5397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5398. maxLength: 63
  5399. minLength: 1
  5400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5401. type: string
  5402. type: object
  5403. folderID:
  5404. type: string
  5405. getByTitleFallback:
  5406. type: boolean
  5407. required:
  5408. - authRef
  5409. - folderID
  5410. type: object
  5411. kubernetes:
  5412. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5413. properties:
  5414. auth:
  5415. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5416. maxProperties: 1
  5417. minProperties: 1
  5418. properties:
  5419. cert:
  5420. description: has both clientCert and clientKey as secretKeySelector
  5421. properties:
  5422. clientCert:
  5423. description: |-
  5424. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5425. In some instances, `key` is a required field.
  5426. properties:
  5427. key:
  5428. description: |-
  5429. A key in the referenced Secret.
  5430. Some instances of this field may be defaulted, in others it may be required.
  5431. maxLength: 253
  5432. minLength: 1
  5433. pattern: ^[-._a-zA-Z0-9]+$
  5434. type: string
  5435. name:
  5436. description: The name of the Secret resource being referred to.
  5437. maxLength: 253
  5438. minLength: 1
  5439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5440. type: string
  5441. namespace:
  5442. description: |-
  5443. The namespace of the Secret resource being referred to.
  5444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5445. maxLength: 63
  5446. minLength: 1
  5447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5448. type: string
  5449. type: object
  5450. clientKey:
  5451. description: |-
  5452. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5453. In some instances, `key` is a required field.
  5454. properties:
  5455. key:
  5456. description: |-
  5457. A key in the referenced Secret.
  5458. Some instances of this field may be defaulted, in others it may be required.
  5459. maxLength: 253
  5460. minLength: 1
  5461. pattern: ^[-._a-zA-Z0-9]+$
  5462. type: string
  5463. name:
  5464. description: The name of the Secret resource being referred to.
  5465. maxLength: 253
  5466. minLength: 1
  5467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5468. type: string
  5469. namespace:
  5470. description: |-
  5471. The namespace of the Secret resource being referred to.
  5472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5473. maxLength: 63
  5474. minLength: 1
  5475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5476. type: string
  5477. type: object
  5478. type: object
  5479. serviceAccount:
  5480. description: points to a service account that should be used for authentication
  5481. properties:
  5482. audiences:
  5483. description: |-
  5484. Audience specifies the `aud` claim for the service account token
  5485. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5486. then this audiences will be appended to the list
  5487. items:
  5488. type: string
  5489. type: array
  5490. name:
  5491. description: The name of the ServiceAccount resource being referred to.
  5492. maxLength: 253
  5493. minLength: 1
  5494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5495. type: string
  5496. namespace:
  5497. description: |-
  5498. Namespace of the resource being referred to.
  5499. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5500. maxLength: 63
  5501. minLength: 1
  5502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5503. type: string
  5504. required:
  5505. - name
  5506. type: object
  5507. token:
  5508. description: use static token to authenticate with
  5509. properties:
  5510. bearerToken:
  5511. description: |-
  5512. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5513. In some instances, `key` is a required field.
  5514. properties:
  5515. key:
  5516. description: |-
  5517. A key in the referenced Secret.
  5518. Some instances of this field may be defaulted, in others it may be required.
  5519. maxLength: 253
  5520. minLength: 1
  5521. pattern: ^[-._a-zA-Z0-9]+$
  5522. type: string
  5523. name:
  5524. description: The name of the Secret resource being referred to.
  5525. maxLength: 253
  5526. minLength: 1
  5527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5528. type: string
  5529. namespace:
  5530. description: |-
  5531. The namespace of the Secret resource being referred to.
  5532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5533. maxLength: 63
  5534. minLength: 1
  5535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5536. type: string
  5537. type: object
  5538. type: object
  5539. type: object
  5540. authRef:
  5541. description: A reference to a secret that contains the auth information.
  5542. properties:
  5543. key:
  5544. description: |-
  5545. A key in the referenced Secret.
  5546. Some instances of this field may be defaulted, in others it may be required.
  5547. maxLength: 253
  5548. minLength: 1
  5549. pattern: ^[-._a-zA-Z0-9]+$
  5550. type: string
  5551. name:
  5552. description: The name of the Secret resource being referred to.
  5553. maxLength: 253
  5554. minLength: 1
  5555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5556. type: string
  5557. namespace:
  5558. description: |-
  5559. The namespace of the Secret resource being referred to.
  5560. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5561. maxLength: 63
  5562. minLength: 1
  5563. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5564. type: string
  5565. type: object
  5566. remoteNamespace:
  5567. default: default
  5568. description: Remote namespace to fetch the secrets from
  5569. maxLength: 63
  5570. minLength: 1
  5571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5572. type: string
  5573. server:
  5574. description: configures the Kubernetes server Address.
  5575. properties:
  5576. caBundle:
  5577. description: CABundle is a base64-encoded CA certificate
  5578. format: byte
  5579. type: string
  5580. caProvider:
  5581. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5582. properties:
  5583. key:
  5584. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5585. maxLength: 253
  5586. minLength: 1
  5587. pattern: ^[-._a-zA-Z0-9]+$
  5588. type: string
  5589. name:
  5590. description: The name of the object located at the provider type.
  5591. maxLength: 253
  5592. minLength: 1
  5593. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5594. type: string
  5595. namespace:
  5596. description: |-
  5597. The namespace the Provider type is in.
  5598. Can only be defined when used in a ClusterSecretStore.
  5599. maxLength: 63
  5600. minLength: 1
  5601. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5602. type: string
  5603. type:
  5604. description: The type of provider to use such as "Secret", or "ConfigMap".
  5605. enum:
  5606. - Secret
  5607. - ConfigMap
  5608. type: string
  5609. required:
  5610. - name
  5611. - type
  5612. type: object
  5613. url:
  5614. default: kubernetes.default
  5615. description: configures the Kubernetes server Address.
  5616. type: string
  5617. type: object
  5618. type: object
  5619. nebiusmysterybox:
  5620. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5621. properties:
  5622. apiDomain:
  5623. description: NebiusMysterybox API endpoint
  5624. type: string
  5625. auth:
  5626. description: Auth defines parameters to authenticate in MysteryBox
  5627. properties:
  5628. serviceAccountCredsSecretRef:
  5629. description: |-
  5630. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5631. document with service account credentials used to get an IAM token.
  5632. Expected JSON structure:
  5633. {
  5634. "subject-credentials": {
  5635. "alg": "RS256",
  5636. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5637. "kid": "<public-key-id>",
  5638. "iss": "<issuer-service-account-id>",
  5639. "sub": "<subject-service-account-id>"
  5640. }
  5641. }
  5642. properties:
  5643. key:
  5644. description: |-
  5645. A key in the referenced Secret.
  5646. Some instances of this field may be defaulted, in others it may be required.
  5647. maxLength: 253
  5648. minLength: 1
  5649. pattern: ^[-._a-zA-Z0-9]+$
  5650. type: string
  5651. name:
  5652. description: The name of the Secret resource being referred to.
  5653. maxLength: 253
  5654. minLength: 1
  5655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5656. type: string
  5657. namespace:
  5658. description: |-
  5659. The namespace of the Secret resource being referred to.
  5660. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5661. maxLength: 63
  5662. minLength: 1
  5663. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5664. type: string
  5665. type: object
  5666. tokenSecretRef:
  5667. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5668. properties:
  5669. key:
  5670. description: |-
  5671. A key in the referenced Secret.
  5672. Some instances of this field may be defaulted, in others it may be required.
  5673. maxLength: 253
  5674. minLength: 1
  5675. pattern: ^[-._a-zA-Z0-9]+$
  5676. type: string
  5677. name:
  5678. description: The name of the Secret resource being referred to.
  5679. maxLength: 253
  5680. minLength: 1
  5681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5682. type: string
  5683. namespace:
  5684. description: |-
  5685. The namespace of the Secret resource being referred to.
  5686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5687. maxLength: 63
  5688. minLength: 1
  5689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5690. type: string
  5691. type: object
  5692. type: object
  5693. x-kubernetes-validations:
  5694. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5695. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5696. caProvider:
  5697. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5698. properties:
  5699. certSecretRef:
  5700. description: |-
  5701. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5702. In some instances, `key` is a required field.
  5703. properties:
  5704. key:
  5705. description: |-
  5706. A key in the referenced Secret.
  5707. Some instances of this field may be defaulted, in others it may be required.
  5708. maxLength: 253
  5709. minLength: 1
  5710. pattern: ^[-._a-zA-Z0-9]+$
  5711. type: string
  5712. name:
  5713. description: The name of the Secret resource being referred to.
  5714. maxLength: 253
  5715. minLength: 1
  5716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5717. type: string
  5718. namespace:
  5719. description: |-
  5720. The namespace of the Secret resource being referred to.
  5721. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5722. maxLength: 63
  5723. minLength: 1
  5724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5725. type: string
  5726. type: object
  5727. type: object
  5728. required:
  5729. - apiDomain
  5730. - auth
  5731. type: object
  5732. ngrok:
  5733. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5734. properties:
  5735. apiUrl:
  5736. default: https://api.ngrok.com
  5737. description: APIURL is the URL of the ngrok API.
  5738. type: string
  5739. auth:
  5740. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5741. maxProperties: 1
  5742. minProperties: 1
  5743. properties:
  5744. apiKey:
  5745. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5746. properties:
  5747. secretRef:
  5748. description: SecretRef is a reference to a secret containing the ngrok API key.
  5749. properties:
  5750. key:
  5751. description: |-
  5752. A key in the referenced Secret.
  5753. Some instances of this field may be defaulted, in others it may be required.
  5754. maxLength: 253
  5755. minLength: 1
  5756. pattern: ^[-._a-zA-Z0-9]+$
  5757. type: string
  5758. name:
  5759. description: The name of the Secret resource being referred to.
  5760. maxLength: 253
  5761. minLength: 1
  5762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5763. type: string
  5764. namespace:
  5765. description: |-
  5766. The namespace of the Secret resource being referred to.
  5767. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5768. maxLength: 63
  5769. minLength: 1
  5770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5771. type: string
  5772. type: object
  5773. type: object
  5774. type: object
  5775. vault:
  5776. description: Vault configures the ngrok vault to sync secrets with.
  5777. properties:
  5778. name:
  5779. description: Name is the name of the ngrok vault to sync secrets with.
  5780. type: string
  5781. required:
  5782. - name
  5783. type: object
  5784. required:
  5785. - auth
  5786. - vault
  5787. type: object
  5788. onboardbase:
  5789. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  5790. properties:
  5791. apiHost:
  5792. default: https://public.onboardbase.com/api/v1/
  5793. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  5794. type: string
  5795. auth:
  5796. description: Auth configures how the Operator authenticates with the Onboardbase API
  5797. properties:
  5798. apiKeyRef:
  5799. description: |-
  5800. OnboardbaseAPIKey is the APIKey generated by an admin account.
  5801. It is used to recognize and authorize access to a project and environment within onboardbase
  5802. properties:
  5803. key:
  5804. description: |-
  5805. A key in the referenced Secret.
  5806. Some instances of this field may be defaulted, in others it may be required.
  5807. maxLength: 253
  5808. minLength: 1
  5809. pattern: ^[-._a-zA-Z0-9]+$
  5810. type: string
  5811. name:
  5812. description: The name of the Secret resource being referred to.
  5813. maxLength: 253
  5814. minLength: 1
  5815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5816. type: string
  5817. namespace:
  5818. description: |-
  5819. The namespace of the Secret resource being referred to.
  5820. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5821. maxLength: 63
  5822. minLength: 1
  5823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5824. type: string
  5825. type: object
  5826. passcodeRef:
  5827. description: OnboardbasePasscode is the passcode attached to the API Key
  5828. properties:
  5829. key:
  5830. description: |-
  5831. A key in the referenced Secret.
  5832. Some instances of this field may be defaulted, in others it may be required.
  5833. maxLength: 253
  5834. minLength: 1
  5835. pattern: ^[-._a-zA-Z0-9]+$
  5836. type: string
  5837. name:
  5838. description: The name of the Secret resource being referred to.
  5839. maxLength: 253
  5840. minLength: 1
  5841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5842. type: string
  5843. namespace:
  5844. description: |-
  5845. The namespace of the Secret resource being referred to.
  5846. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5847. maxLength: 63
  5848. minLength: 1
  5849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5850. type: string
  5851. type: object
  5852. required:
  5853. - apiKeyRef
  5854. - passcodeRef
  5855. type: object
  5856. environment:
  5857. default: development
  5858. description: Environment is the name of an environment within the project to pull the secrets from.
  5859. type: string
  5860. project:
  5861. default: development
  5862. description: Project is the name of the Onboardbase project the secrets should be pulled from.
  5863. type: string
  5864. required:
  5865. - apiHost
  5866. - auth
  5867. - environment
  5868. - project
  5869. type: object
  5870. onepassword:
  5871. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  5872. properties:
  5873. auth:
  5874. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  5875. properties:
  5876. secretRef:
  5877. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  5878. properties:
  5879. connectTokenSecretRef:
  5880. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  5881. properties:
  5882. key:
  5883. description: |-
  5884. A key in the referenced Secret.
  5885. Some instances of this field may be defaulted, in others it may be required.
  5886. maxLength: 253
  5887. minLength: 1
  5888. pattern: ^[-._a-zA-Z0-9]+$
  5889. type: string
  5890. name:
  5891. description: The name of the Secret resource being referred to.
  5892. maxLength: 253
  5893. minLength: 1
  5894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5895. type: string
  5896. namespace:
  5897. description: |-
  5898. The namespace of the Secret resource being referred to.
  5899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5900. maxLength: 63
  5901. minLength: 1
  5902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5903. type: string
  5904. type: object
  5905. required:
  5906. - connectTokenSecretRef
  5907. type: object
  5908. required:
  5909. - secretRef
  5910. type: object
  5911. connectHost:
  5912. description: ConnectHost defines the URL of the 1Password Connect Server to connect to.
  5913. type: string
  5914. vaults:
  5915. additionalProperties:
  5916. type: integer
  5917. description: Vaults defines which OnePassword vaults to search in which order
  5918. type: object
  5919. required:
  5920. - auth
  5921. - connectHost
  5922. - vaults
  5923. type: object
  5924. onepasswordSDK:
  5925. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  5926. properties:
  5927. auth:
  5928. description: Auth defines the information necessary to authenticate against OnePassword API.
  5929. properties:
  5930. serviceAccountSecretRef:
  5931. description: ServiceAccountSecretRef points to the Secret containing the 1Password service account token used to access the vault.
  5932. properties:
  5933. key:
  5934. description: |-
  5935. A key in the referenced Secret.
  5936. Some instances of this field may be defaulted, in others it may be required.
  5937. maxLength: 253
  5938. minLength: 1
  5939. pattern: ^[-._a-zA-Z0-9]+$
  5940. type: string
  5941. name:
  5942. description: The name of the Secret resource being referred to.
  5943. maxLength: 253
  5944. minLength: 1
  5945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5946. type: string
  5947. namespace:
  5948. description: |-
  5949. The namespace of the Secret resource being referred to.
  5950. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5951. maxLength: 63
  5952. minLength: 1
  5953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5954. type: string
  5955. type: object
  5956. required:
  5957. - serviceAccountSecretRef
  5958. type: object
  5959. cache:
  5960. description: |-
  5961. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  5962. When enabled, secrets are cached with the specified TTL.
  5963. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  5964. If omitted, caching is disabled (default).
  5965. cache: {} is a valid option to set.
  5966. properties:
  5967. maxSize:
  5968. default: 100
  5969. description: |-
  5970. MaxSize is the maximum number of secrets to cache.
  5971. When the cache is full, least-recently-used entries are evicted.
  5972. minimum: 1
  5973. type: integer
  5974. ttl:
  5975. default: 5m
  5976. description: |-
  5977. TTL is the time-to-live for cached secrets.
  5978. Format: duration string (e.g., "5m", "1h", "30s")
  5979. type: string
  5980. type: object
  5981. integrationInfo:
  5982. description: |-
  5983. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  5984. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  5985. properties:
  5986. name:
  5987. default: 1Password SDK
  5988. description: Name defaults to "1Password SDK".
  5989. type: string
  5990. version:
  5991. default: v1.0.0
  5992. description: Version defaults to "v1.0.0".
  5993. type: string
  5994. type: object
  5995. vault:
  5996. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  5997. type: string
  5998. required:
  5999. - auth
  6000. - vault
  6001. type: object
  6002. openBao:
  6003. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6004. properties:
  6005. auth:
  6006. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6007. properties:
  6008. tokenSecretRef:
  6009. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6010. properties:
  6011. key:
  6012. description: |-
  6013. A key in the referenced Secret.
  6014. Some instances of this field may be defaulted, in others it may be required.
  6015. maxLength: 253
  6016. minLength: 1
  6017. pattern: ^[-._a-zA-Z0-9]+$
  6018. type: string
  6019. name:
  6020. description: The name of the Secret resource being referred to.
  6021. maxLength: 253
  6022. minLength: 1
  6023. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6024. type: string
  6025. namespace:
  6026. description: |-
  6027. The namespace of the Secret resource being referred to.
  6028. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6029. maxLength: 63
  6030. minLength: 1
  6031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6032. type: string
  6033. type: object
  6034. type: object
  6035. path:
  6036. description: |-
  6037. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6038. "secret". The v2 KV secret engine version specific "/data" path suffix
  6039. for fetching secrets from OpenBao is optional and will be appended
  6040. if not present in specified path.
  6041. type: string
  6042. server:
  6043. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6044. type: string
  6045. version:
  6046. default: v2
  6047. description: |-
  6048. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6049. "v2". Version defaults to "v2".
  6050. enum:
  6051. - v1
  6052. - v2
  6053. type: string
  6054. required:
  6055. - server
  6056. type: object
  6057. oracle:
  6058. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6059. properties:
  6060. auth:
  6061. description: |-
  6062. Auth configures how secret-manager authenticates with the Oracle Vault.
  6063. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
  6064. properties:
  6065. secretRef:
  6066. description: SecretRef to pass through sensitive information.
  6067. properties:
  6068. fingerprint:
  6069. description: Fingerprint is the fingerprint of the API private key.
  6070. properties:
  6071. key:
  6072. description: |-
  6073. A key in the referenced Secret.
  6074. Some instances of this field may be defaulted, in others it may be required.
  6075. maxLength: 253
  6076. minLength: 1
  6077. pattern: ^[-._a-zA-Z0-9]+$
  6078. type: string
  6079. name:
  6080. description: The name of the Secret resource being referred to.
  6081. maxLength: 253
  6082. minLength: 1
  6083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6084. type: string
  6085. namespace:
  6086. description: |-
  6087. The namespace of the Secret resource being referred to.
  6088. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6089. maxLength: 63
  6090. minLength: 1
  6091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6092. type: string
  6093. type: object
  6094. privatekey:
  6095. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6096. properties:
  6097. key:
  6098. description: |-
  6099. A key in the referenced Secret.
  6100. Some instances of this field may be defaulted, in others it may be required.
  6101. maxLength: 253
  6102. minLength: 1
  6103. pattern: ^[-._a-zA-Z0-9]+$
  6104. type: string
  6105. name:
  6106. description: The name of the Secret resource being referred to.
  6107. maxLength: 253
  6108. minLength: 1
  6109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6110. type: string
  6111. namespace:
  6112. description: |-
  6113. The namespace of the Secret resource being referred to.
  6114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6115. maxLength: 63
  6116. minLength: 1
  6117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6118. type: string
  6119. type: object
  6120. required:
  6121. - fingerprint
  6122. - privatekey
  6123. type: object
  6124. tenancy:
  6125. description: Tenancy is the OCID of the tenancy the user belongs to.
  6126. type: string
  6127. user:
  6128. description: User is the OCID of the user whose API signing key is used for authentication.
  6129. type: string
  6130. required:
  6131. - secretRef
  6132. - tenancy
  6133. - user
  6134. type: object
  6135. compartment:
  6136. description: |-
  6137. Compartment is the vault compartment OCID.
  6138. Required for PushSecret
  6139. type: string
  6140. encryptionKey:
  6141. description: |-
  6142. EncryptionKey is the OCID of the encryption key within the vault.
  6143. Required for PushSecret
  6144. type: string
  6145. principalType:
  6146. description: |-
  6147. The type of principal to use for authentication. If left blank, the Auth struct will
  6148. determine the principal type. This optional field must be specified if using
  6149. workload identity.
  6150. enum:
  6151. - ""
  6152. - UserPrincipal
  6153. - InstancePrincipal
  6154. - Workload
  6155. type: string
  6156. region:
  6157. description: Region is the region where vault is located.
  6158. type: string
  6159. serviceAccountRef:
  6160. description: |-
  6161. ServiceAccountRef specifies the service account
  6162. that should be used when authenticating with WorkloadIdentity.
  6163. properties:
  6164. audiences:
  6165. description: |-
  6166. Audiences specifies the `aud` claim for the service account token.
  6167. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  6168. these audiences are appended to that list.
  6169. items:
  6170. type: string
  6171. type: array
  6172. name:
  6173. description: The name of the ServiceAccount resource being referred to.
  6174. maxLength: 253
  6175. minLength: 1
  6176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6177. type: string
  6178. namespace:
  6179. description: |-
  6180. Namespace of the resource being referred to.
  6181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6182. maxLength: 63
  6183. minLength: 1
  6184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6185. type: string
  6186. required:
  6187. - name
  6188. type: object
  6189. vault:
  6190. description: Vault is the vault's OCID of the specific vault where secret is located.
  6191. type: string
  6192. required:
  6193. - region
  6194. - vault
  6195. type: object
  6196. ovh:
  6197. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6198. properties:
  6199. auth:
  6200. description: Authentication method (mtls or token).
  6201. properties:
  6202. mtls:
  6203. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6204. properties:
  6205. caBundle:
  6206. format: byte
  6207. type: string
  6208. caProvider:
  6209. description: |-
  6210. CAProvider provides a custom certificate authority for accessing the provider's store.
  6211. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6212. properties:
  6213. key:
  6214. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6215. maxLength: 253
  6216. minLength: 1
  6217. pattern: ^[-._a-zA-Z0-9]+$
  6218. type: string
  6219. name:
  6220. description: The name of the object located at the provider type.
  6221. maxLength: 253
  6222. minLength: 1
  6223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6224. type: string
  6225. namespace:
  6226. description: |-
  6227. The namespace the Provider type is in.
  6228. Can only be defined when used in a ClusterSecretStore.
  6229. maxLength: 63
  6230. minLength: 1
  6231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6232. type: string
  6233. type:
  6234. description: The type of provider to use such as "Secret", or "ConfigMap".
  6235. enum:
  6236. - Secret
  6237. - ConfigMap
  6238. type: string
  6239. required:
  6240. - name
  6241. - type
  6242. type: object
  6243. certSecretRef:
  6244. description: |-
  6245. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6246. In some instances, `key` is a required field.
  6247. properties:
  6248. key:
  6249. description: |-
  6250. A key in the referenced Secret.
  6251. Some instances of this field may be defaulted, in others it may be required.
  6252. maxLength: 253
  6253. minLength: 1
  6254. pattern: ^[-._a-zA-Z0-9]+$
  6255. type: string
  6256. name:
  6257. description: The name of the Secret resource being referred to.
  6258. maxLength: 253
  6259. minLength: 1
  6260. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6261. type: string
  6262. namespace:
  6263. description: |-
  6264. The namespace of the Secret resource being referred to.
  6265. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6266. maxLength: 63
  6267. minLength: 1
  6268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6269. type: string
  6270. type: object
  6271. keySecretRef:
  6272. description: |-
  6273. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6274. In some instances, `key` is a required field.
  6275. properties:
  6276. key:
  6277. description: |-
  6278. A key in the referenced Secret.
  6279. Some instances of this field may be defaulted, in others it may be required.
  6280. maxLength: 253
  6281. minLength: 1
  6282. pattern: ^[-._a-zA-Z0-9]+$
  6283. type: string
  6284. name:
  6285. description: The name of the Secret resource being referred to.
  6286. maxLength: 253
  6287. minLength: 1
  6288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6289. type: string
  6290. namespace:
  6291. description: |-
  6292. The namespace of the Secret resource being referred to.
  6293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6294. maxLength: 63
  6295. minLength: 1
  6296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6297. type: string
  6298. type: object
  6299. required:
  6300. - certSecretRef
  6301. - keySecretRef
  6302. type: object
  6303. token:
  6304. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6305. properties:
  6306. tokenSecretRef:
  6307. description: |-
  6308. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6309. In some instances, `key` is a required field.
  6310. properties:
  6311. key:
  6312. description: |-
  6313. A key in the referenced Secret.
  6314. Some instances of this field may be defaulted, in others it may be required.
  6315. maxLength: 253
  6316. minLength: 1
  6317. pattern: ^[-._a-zA-Z0-9]+$
  6318. type: string
  6319. name:
  6320. description: The name of the Secret resource being referred to.
  6321. maxLength: 253
  6322. minLength: 1
  6323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6324. type: string
  6325. namespace:
  6326. description: |-
  6327. The namespace of the Secret resource being referred to.
  6328. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6329. maxLength: 63
  6330. minLength: 1
  6331. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6332. type: string
  6333. type: object
  6334. required:
  6335. - tokenSecretRef
  6336. type: object
  6337. type: object
  6338. casRequired:
  6339. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6340. type: boolean
  6341. okmsTimeout:
  6342. default: 30
  6343. description: 'Sets the timeout in seconds for requests made to the KMS (default: 30).'
  6344. format: int32
  6345. minimum: 1
  6346. type: integer
  6347. okmsid:
  6348. description: specifies the OKMS ID.
  6349. type: string
  6350. server:
  6351. description: specifies the OKMS server endpoint.
  6352. type: string
  6353. required:
  6354. - auth
  6355. - okmsid
  6356. - server
  6357. type: object
  6358. passbolt:
  6359. description: |-
  6360. PassboltProvider provides access to Passbolt secrets manager.
  6361. See: https://www.passbolt.com.
  6362. properties:
  6363. auth:
  6364. description: Auth defines the information necessary to authenticate against Passbolt Server
  6365. properties:
  6366. passwordSecretRef:
  6367. description: |-
  6368. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6369. In some instances, `key` is a required field.
  6370. properties:
  6371. key:
  6372. description: |-
  6373. A key in the referenced Secret.
  6374. Some instances of this field may be defaulted, in others it may be required.
  6375. maxLength: 253
  6376. minLength: 1
  6377. pattern: ^[-._a-zA-Z0-9]+$
  6378. type: string
  6379. name:
  6380. description: The name of the Secret resource being referred to.
  6381. maxLength: 253
  6382. minLength: 1
  6383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6384. type: string
  6385. namespace:
  6386. description: |-
  6387. The namespace of the Secret resource being referred to.
  6388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6389. maxLength: 63
  6390. minLength: 1
  6391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6392. type: string
  6393. type: object
  6394. privateKeySecretRef:
  6395. description: |-
  6396. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6397. In some instances, `key` is a required field.
  6398. properties:
  6399. key:
  6400. description: |-
  6401. A key in the referenced Secret.
  6402. Some instances of this field may be defaulted, in others it may be required.
  6403. maxLength: 253
  6404. minLength: 1
  6405. pattern: ^[-._a-zA-Z0-9]+$
  6406. type: string
  6407. name:
  6408. description: The name of the Secret resource being referred to.
  6409. maxLength: 253
  6410. minLength: 1
  6411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6412. type: string
  6413. namespace:
  6414. description: |-
  6415. The namespace of the Secret resource being referred to.
  6416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6417. maxLength: 63
  6418. minLength: 1
  6419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6420. type: string
  6421. type: object
  6422. required:
  6423. - passwordSecretRef
  6424. - privateKeySecretRef
  6425. type: object
  6426. caBundle:
  6427. description: |-
  6428. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6429. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6430. are used to validate the TLS connection.
  6431. format: byte
  6432. type: string
  6433. caProvider:
  6434. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6435. properties:
  6436. key:
  6437. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6438. maxLength: 253
  6439. minLength: 1
  6440. pattern: ^[-._a-zA-Z0-9]+$
  6441. type: string
  6442. name:
  6443. description: The name of the object located at the provider type.
  6444. maxLength: 253
  6445. minLength: 1
  6446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6447. type: string
  6448. namespace:
  6449. description: |-
  6450. The namespace the Provider type is in.
  6451. Can only be defined when used in a ClusterSecretStore.
  6452. maxLength: 63
  6453. minLength: 1
  6454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6455. type: string
  6456. type:
  6457. description: The type of provider to use such as "Secret", or "ConfigMap".
  6458. enum:
  6459. - Secret
  6460. - ConfigMap
  6461. type: string
  6462. required:
  6463. - name
  6464. - type
  6465. type: object
  6466. host:
  6467. description: Host defines the URL of the Passbolt Server to connect to. Use an https:// URL so that the server certificate is validated (against caBundle/caProvider if set, otherwise the system root certificates).
  6468. type: string
  6469. required:
  6470. - auth
  6471. - host
  6472. type: object
  6473. passworddepot:
  6474. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6475. properties:
  6476. auth:
  6477. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6478. properties:
  6479. secretRef:
  6480. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6481. properties:
  6482. credentials:
  6483. description: Credentials references the Secret key holding the username / password used for authentication.
  6484. properties:
  6485. key:
  6486. description: |-
  6487. A key in the referenced Secret.
  6488. Some instances of this field may be defaulted, in others it may be required.
  6489. maxLength: 253
  6490. minLength: 1
  6491. pattern: ^[-._a-zA-Z0-9]+$
  6492. type: string
  6493. name:
  6494. description: The name of the Secret resource being referred to.
  6495. maxLength: 253
  6496. minLength: 1
  6497. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6498. type: string
  6499. namespace:
  6500. description: |-
  6501. The namespace of the Secret resource being referred to.
  6502. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6503. maxLength: 63
  6504. minLength: 1
  6505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6506. type: string
  6507. type: object
  6508. type: object
  6509. required:
  6510. - secretRef
  6511. type: object
  6512. database:
  6513. description: Database to use as source
  6514. type: string
  6515. host:
  6516. description: Host configures the URL of the Password Depot instance.
  6517. type: string
  6518. required:
  6519. - auth
  6520. - database
  6521. - host
  6522. type: object
  6523. previder:
  6524. description: Previder configures this store to sync secrets using the Previder provider
  6525. properties:
  6526. auth:
  6527. description: PreviderAuth contains a secretRef for credentials.
  6528. properties:
  6529. secretRef:
  6530. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6531. properties:
  6532. accessToken:
  6533. description: The AccessToken is used for authentication
  6534. properties:
  6535. key:
  6536. description: |-
  6537. A key in the referenced Secret.
  6538. Some instances of this field may be defaulted, in others it may be required.
  6539. maxLength: 253
  6540. minLength: 1
  6541. pattern: ^[-._a-zA-Z0-9]+$
  6542. type: string
  6543. name:
  6544. description: The name of the Secret resource being referred to.
  6545. maxLength: 253
  6546. minLength: 1
  6547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6548. type: string
  6549. namespace:
  6550. description: |-
  6551. The namespace of the Secret resource being referred to.
  6552. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6553. maxLength: 63
  6554. minLength: 1
  6555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6556. type: string
  6557. type: object
  6558. required:
  6559. - accessToken
  6560. type: object
  6561. type: object
  6562. baseUri:
  6563. type: string
  6564. required:
  6565. - auth
  6566. type: object
  6567. pulumi:
  6568. description: Pulumi configures this store to sync secrets using the Pulumi provider
  6569. properties:
  6570. accessToken:
  6571. description: |-
  6572. AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  6573. Deprecated: Use auth.accessToken instead.
  6574. properties:
  6575. secretRef:
  6576. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6577. properties:
  6578. key:
  6579. description: |-
  6580. A key in the referenced Secret.
  6581. Some instances of this field may be defaulted, in others it may be required.
  6582. maxLength: 253
  6583. minLength: 1
  6584. pattern: ^[-._a-zA-Z0-9]+$
  6585. type: string
  6586. name:
  6587. description: The name of the Secret resource being referred to.
  6588. maxLength: 253
  6589. minLength: 1
  6590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6591. type: string
  6592. namespace:
  6593. description: |-
  6594. The namespace of the Secret resource being referred to.
  6595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6596. maxLength: 63
  6597. minLength: 1
  6598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6599. type: string
  6600. type: object
  6601. type: object
  6602. apiUrl:
  6603. default: https://api.pulumi.com/api/esc
  6604. description: APIURL is the URL of the Pulumi API.
  6605. type: string
  6606. auth:
  6607. description: |-
  6608. Auth configures how the Operator authenticates with the Pulumi API.
  6609. Either auth or the deprecated accessToken field must be specified.
  6610. properties:
  6611. accessToken:
  6612. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  6613. properties:
  6614. secretRef:
  6615. description: SecretRef is a reference to a secret containing the Pulumi API token.
  6616. properties:
  6617. key:
  6618. description: |-
  6619. A key in the referenced Secret.
  6620. Some instances of this field may be defaulted, in others it may be required.
  6621. maxLength: 253
  6622. minLength: 1
  6623. pattern: ^[-._a-zA-Z0-9]+$
  6624. type: string
  6625. name:
  6626. description: The name of the Secret resource being referred to.
  6627. maxLength: 253
  6628. minLength: 1
  6629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6630. type: string
  6631. namespace:
  6632. description: |-
  6633. The namespace of the Secret resource being referred to.
  6634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6635. maxLength: 63
  6636. minLength: 1
  6637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6638. type: string
  6639. type: object
  6640. type: object
  6641. oidcConfig:
  6642. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  6643. properties:
  6644. expirationSeconds:
  6645. default: 600
  6646. description: |-
  6647. ExpirationSeconds sets the validity duration of the service account and OIDC tokens.
  6648. Defaults to 600 seconds (10 minutes); values below 600 are rejected by the schema.
  6649. format: int64
  6650. minimum: 600
  6651. type: integer
  6652. organization:
  6653. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  6654. type: string
  6655. serviceAccountRef:
  6656. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  6657. properties:
  6658. audiences:
  6659. description: |-
  6660. Audiences specifies the `aud` claim for the service account token.
  6661. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  6662. these audiences are appended to that list.
  6663. items:
  6664. type: string
  6665. type: array
  6666. name:
  6667. description: The name of the ServiceAccount resource being referred to.
  6668. maxLength: 253
  6669. minLength: 1
  6670. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6671. type: string
  6672. namespace:
  6673. description: |-
  6674. Namespace of the resource being referred to.
  6675. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6676. maxLength: 63
  6677. minLength: 1
  6678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6679. type: string
  6680. required:
  6681. - name
  6682. type: object
  6683. required:
  6684. - organization
  6685. - serviceAccountRef
  6686. type: object
  6687. type: object
  6688. x-kubernetes-validations:
  6689. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  6690. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  6691. environment:
  6692. description: |-
  6693. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  6694. dynamically retrieved values from supported providers including all major clouds,
  6695. and other Pulumi ESC environments.
  6696. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  6697. type: string
  6698. organization:
  6699. description: |-
  6700. Organization is the Pulumi organization, a space to collaborate on shared projects and stacks.
  6701. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  6702. type: string
  6703. project:
  6704. description: Project is the name of the Pulumi ESC project the environment belongs to.
  6705. type: string
  6706. required:
  6707. - environment
  6708. - organization
  6709. - project
  6710. type: object
  6711. x-kubernetes-validations:
  6712. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  6713. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  6714. scaleway:
  6715. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  6716. properties:
  6717. accessKey:
  6718. description: AccessKey is the non-secret part of the api key.
  6719. properties:
  6720. secretRef:
  6721. description: SecretRef references a key in a secret that will be used as value.
  6722. properties:
  6723. key:
  6724. description: |-
  6725. A key in the referenced Secret.
  6726. Some instances of this field may be defaulted, in others it may be required.
  6727. maxLength: 253
  6728. minLength: 1
  6729. pattern: ^[-._a-zA-Z0-9]+$
  6730. type: string
  6731. name:
  6732. description: The name of the Secret resource being referred to.
  6733. maxLength: 253
  6734. minLength: 1
  6735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6736. type: string
  6737. namespace:
  6738. description: |-
  6739. The namespace of the Secret resource being referred to.
  6740. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6741. maxLength: 63
  6742. minLength: 1
  6743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6744. type: string
  6745. type: object
  6746. value:
  6747. description: Value can be specified directly to set a value without using a secret.
  6748. type: string
  6749. type: object
  6750. apiUrl:
  6751. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  6752. type: string
  6753. projectId:
  6754. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  6755. type: string
  6756. region:
  6757. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  6758. type: string
  6759. secretKey:
  6760. description: SecretKey is the secret part of the api key.
  6761. properties:
  6762. secretRef:
  6763. description: SecretRef references a key in a secret that will be used as value.
  6764. properties:
  6765. key:
  6766. description: |-
  6767. A key in the referenced Secret.
  6768. Some instances of this field may be defaulted, in others it may be required.
  6769. maxLength: 253
  6770. minLength: 1
  6771. pattern: ^[-._a-zA-Z0-9]+$
  6772. type: string
  6773. name:
  6774. description: The name of the Secret resource being referred to.
  6775. maxLength: 253
  6776. minLength: 1
  6777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6778. type: string
  6779. namespace:
  6780. description: |-
  6781. The namespace of the Secret resource being referred to.
  6782. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6783. maxLength: 63
  6784. minLength: 1
  6785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6786. type: string
  6787. type: object
  6788. value:
  6789. description: Value can be specified directly to set a value without using a secret; a value given here is stored in plain text in the store manifest.
  6790. type: string
  6791. type: object
  6792. required:
  6793. - accessKey
  6794. - projectId
  6795. - region
  6796. - secretKey
  6797. type: object
  6798. secretserver:
  6799. description: |-
  6800. SecretServer configures this store to sync secrets using the SecretServer provider
  6801. https://docs.delinea.com/online-help/secret-server/start.htm
  6802. properties:
  6803. caBundle:
  6804. description: |-
  6805. PEM/base64 encoded CA bundle used to validate the Secret Server ServerURL. Only used
  6806. if ServerURL uses the HTTPS protocol. If not set, the system root certificates
  6807. are used to validate the TLS connection.
  6808. format: byte
  6809. type: string
  6810. caProvider:
  6811. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  6812. properties:
  6813. key:
  6814. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6815. maxLength: 253
  6816. minLength: 1
  6817. pattern: ^[-._a-zA-Z0-9]+$
  6818. type: string
  6819. name:
  6820. description: The name of the object located at the provider type.
  6821. maxLength: 253
  6822. minLength: 1
  6823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6824. type: string
  6825. namespace:
  6826. description: |-
  6827. The namespace the Provider type is in.
  6828. Can only be defined when used in a ClusterSecretStore.
  6829. maxLength: 63
  6830. minLength: 1
  6831. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6832. type: string
  6833. type:
  6834. description: The type of provider to use such as "Secret", or "ConfigMap".
  6835. enum:
  6836. - Secret
  6837. - ConfigMap
  6838. type: string
  6839. required:
  6840. - name
  6841. - type
  6842. type: object
  6843. domain:
  6844. description: Domain is the secret server domain.
  6845. type: string
  6846. password:
  6847. description: Password is the secret server account password.
  6848. properties:
  6849. secretRef:
  6850. description: SecretRef references a key in a secret that will be used as value.
  6851. properties:
  6852. key:
  6853. description: |-
  6854. A key in the referenced Secret.
  6855. Some instances of this field may be defaulted, in others it may be required.
  6856. maxLength: 253
  6857. minLength: 1
  6858. pattern: ^[-._a-zA-Z0-9]+$
  6859. type: string
  6860. name:
  6861. description: The name of the Secret resource being referred to.
  6862. maxLength: 253
  6863. minLength: 1
  6864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6865. type: string
  6866. namespace:
  6867. description: |-
  6868. The namespace of the Secret resource being referred to.
  6869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6870. maxLength: 63
  6871. minLength: 1
  6872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6873. type: string
  6874. type: object
  6875. value:
  6876. description: Value can be specified directly to set a value without using a secret; a value given here is stored in plain text in the store manifest.
  6877. type: string
  6878. type: object
  6879. serverURL:
  6880. description: |-
  6881. ServerURL
  6882. URL to your secret server installation
  6883. type: string
  6884. username:
  6885. description: Username is the secret server account username.
  6886. properties:
  6887. secretRef:
  6888. description: SecretRef references a key in a secret that will be used as value.
  6889. properties:
  6890. key:
  6891. description: |-
  6892. A key in the referenced Secret.
  6893. Some instances of this field may be defaulted, in others it may be required.
  6894. maxLength: 253
  6895. minLength: 1
  6896. pattern: ^[-._a-zA-Z0-9]+$
  6897. type: string
  6898. name:
  6899. description: The name of the Secret resource being referred to.
  6900. maxLength: 253
  6901. minLength: 1
  6902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6903. type: string
  6904. namespace:
  6905. description: |-
  6906. The namespace of the Secret resource being referred to.
  6907. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6908. maxLength: 63
  6909. minLength: 1
  6910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6911. type: string
  6912. type: object
  6913. value:
  6914. description: Value can be specified directly to set a value without using a secret.
  6915. type: string
  6916. type: object
  6917. required:
  6918. - password
  6919. - serverURL
  6920. - username
  6921. type: object
  6922. senhasegura:
  6923. description: Senhasegura configures this store to sync secrets using the senhasegura provider
  6924. properties:
  6925. auth:
  6926. description: Auth defines parameters to authenticate with senhasegura
  6927. properties:
  6928. clientId:
  6929. type: string
  6930. clientSecretSecretRef:
  6931. description: |-
  6932. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6933. In some instances, `key` is a required field.
  6934. properties:
  6935. key:
  6936. description: |-
  6937. A key in the referenced Secret.
  6938. Some instances of this field may be defaulted, in others it may be required.
  6939. maxLength: 253
  6940. minLength: 1
  6941. pattern: ^[-._a-zA-Z0-9]+$
  6942. type: string
  6943. name:
  6944. description: The name of the Secret resource being referred to.
  6945. maxLength: 253
  6946. minLength: 1
  6947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6948. type: string
  6949. namespace:
  6950. description: |-
  6951. The namespace of the Secret resource being referred to.
  6952. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6953. maxLength: 63
  6954. minLength: 1
  6955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6956. type: string
  6957. type: object
  6958. required:
  6959. - clientId
  6960. - clientSecretSecretRef
  6961. type: object
  6962. ignoreSslCertificate:
  6963. default: false
  6964. description: IgnoreSslCertificate defines whether verification of the senhasegura server's TLS certificate is skipped
  6965. type: boolean
  6966. module:
  6967. description: Module defines which senhasegura module should be used to get secrets
  6968. type: string
  6969. url:
  6970. description: URL of senhasegura
  6971. type: string
  6972. required:
  6973. - auth
  6974. - module
  6975. - url
  6976. type: object
  6977. vault:
  6978. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  6979. properties:
  6980. auth:
  6981. description: Auth configures how secret-manager authenticates with the Vault server.
  6982. properties:
  6983. appRole:
  6984. description: |-
  6985. AppRole authenticates with Vault using the App Role auth mechanism,
  6986. with the role and secret stored in a Kubernetes Secret resource.
  6987. properties:
  6988. path:
  6989. default: approle
  6990. description: |-
  6991. Path where the App Role authentication backend is mounted
  6992. in Vault, e.g: "approle"
  6993. type: string
  6994. roleId:
  6995. description: |-
  6996. RoleID configured in the App Role authentication backend when setting
  6997. up the authentication backend in Vault.
  6998. type: string
  6999. roleRef:
  7000. description: |-
  7001. Reference to a key in a Secret that contains the App Role ID used
  7002. to authenticate with Vault.
  7003. The `key` field must be specified and denotes which entry within the Secret
  7004. resource is used as the app role id.
  7005. properties:
  7006. key:
  7007. description: |-
  7008. A key in the referenced Secret.
  7009. Some instances of this field may be defaulted, in others it may be required.
  7010. maxLength: 253
  7011. minLength: 1
  7012. pattern: ^[-._a-zA-Z0-9]+$
  7013. type: string
  7014. name:
  7015. description: The name of the Secret resource being referred to.
  7016. maxLength: 253
  7017. minLength: 1
  7018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7019. type: string
  7020. namespace:
  7021. description: |-
  7022. The namespace of the Secret resource being referred to.
  7023. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7024. maxLength: 63
  7025. minLength: 1
  7026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7027. type: string
  7028. type: object
  7029. secretRef:
  7030. description: |-
  7031. Reference to a key in a Secret that contains the App Role secret used
  7032. to authenticate with Vault.
  7033. The `key` field must be specified and denotes which entry within the Secret
  7034. resource is used as the app role secret.
  7035. properties:
  7036. key:
  7037. description: |-
  7038. A key in the referenced Secret.
  7039. Some instances of this field may be defaulted, in others it may be required.
  7040. maxLength: 253
  7041. minLength: 1
  7042. pattern: ^[-._a-zA-Z0-9]+$
  7043. type: string
  7044. name:
  7045. description: The name of the Secret resource being referred to.
  7046. maxLength: 253
  7047. minLength: 1
  7048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7049. type: string
  7050. namespace:
  7051. description: |-
  7052. The namespace of the Secret resource being referred to.
  7053. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7054. maxLength: 63
  7055. minLength: 1
  7056. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7057. type: string
  7058. type: object
  7059. required:
  7060. - path
  7061. - secretRef
  7062. type: object
  7063. cert:
  7064. description: |-
  7065. Cert authenticates with Vault by passing a client certificate, private key and CA certificate
  7066. using the Cert authentication method
  7067. properties:
  7068. clientCert:
  7069. description: |-
  7070. ClientCert is a certificate to authenticate using the Cert Vault
  7071. authentication method
  7072. properties:
  7073. key:
  7074. description: |-
  7075. A key in the referenced Secret.
  7076. Some instances of this field may be defaulted, in others it may be required.
  7077. maxLength: 253
  7078. minLength: 1
  7079. pattern: ^[-._a-zA-Z0-9]+$
  7080. type: string
  7081. name:
  7082. description: The name of the Secret resource being referred to.
  7083. maxLength: 253
  7084. minLength: 1
  7085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7086. type: string
  7087. namespace:
  7088. description: |-
  7089. The namespace of the Secret resource being referred to.
  7090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7091. maxLength: 63
  7092. minLength: 1
  7093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7094. type: string
  7095. type: object
  7096. path:
  7097. default: cert
  7098. description: |-
  7099. Path where the Certificate authentication backend is mounted
  7100. in Vault, e.g: "cert"
  7101. type: string
  7102. secretRef:
  7103. description: |-
  7104. SecretRef to a key in a Secret resource containing client private key to
  7105. authenticate with Vault using the Cert authentication method
  7106. properties:
  7107. key:
  7108. description: |-
  7109. A key in the referenced Secret.
  7110. Some instances of this field may be defaulted, in others it may be required.
  7111. maxLength: 253
  7112. minLength: 1
  7113. pattern: ^[-._a-zA-Z0-9]+$
  7114. type: string
  7115. name:
  7116. description: The name of the Secret resource being referred to.
  7117. maxLength: 253
  7118. minLength: 1
  7119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7120. type: string
  7121. namespace:
  7122. description: |-
  7123. The namespace of the Secret resource being referred to.
  7124. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7125. maxLength: 63
  7126. minLength: 1
  7127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7128. type: string
  7129. type: object
  7130. vaultRole:
  7131. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7132. type: string
  7133. type: object
  7134. gcp:
  7135. description: |-
  7136. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  7137. authentication method
  7138. properties:
  7139. location:
  7140. description: Location optionally defines a location/region for the secret
  7141. type: string
  7142. path:
  7143. default: gcp
  7144. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7145. type: string
  7146. projectID:
  7147. description: Project ID of the Google Cloud Platform project
  7148. type: string
  7149. role:
  7150. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7151. type: string
  7152. secretRef:
  7153. description: Specify credentials in a Secret object
  7154. properties:
  7155. secretAccessKeySecretRef:
  7156. description: The SecretAccessKey is used for authentication
  7157. properties:
  7158. key:
  7159. description: |-
  7160. A key in the referenced Secret.
  7161. Some instances of this field may be defaulted, in others it may be required.
  7162. maxLength: 253
  7163. minLength: 1
  7164. pattern: ^[-._a-zA-Z0-9]+$
  7165. type: string
  7166. name:
  7167. description: The name of the Secret resource being referred to.
  7168. maxLength: 253
  7169. minLength: 1
  7170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7171. type: string
  7172. namespace:
  7173. description: |-
  7174. The namespace of the Secret resource being referred to.
  7175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7176. maxLength: 63
  7177. minLength: 1
  7178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7179. type: string
  7180. type: object
  7181. type: object
  7182. serviceAccountRef:
  7183. description: ServiceAccountRef to a service account for impersonation
  7184. properties:
  7185. audiences:
  7186. description: |-
  7187. Audience specifies the `aud` claim for the service account token
  7188. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7189. then these audiences will be appended to the list
  7190. items:
  7191. type: string
  7192. type: array
  7193. name:
  7194. description: The name of the ServiceAccount resource being referred to.
  7195. maxLength: 253
  7196. minLength: 1
  7197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7198. type: string
  7199. namespace:
  7200. description: |-
  7201. Namespace of the resource being referred to.
  7202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7203. maxLength: 63
  7204. minLength: 1
  7205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7206. type: string
  7207. required:
  7208. - name
  7209. type: object
  7210. workloadIdentity:
  7211. description: Specify a service account with Workload Identity
  7212. properties:
  7213. clusterLocation:
  7214. description: |-
  7215. ClusterLocation is the location of the cluster
  7216. If not specified, it fetches information from the metadata server
  7217. type: string
  7218. clusterName:
  7219. description: |-
  7220. ClusterName is the name of the cluster
  7221. If not specified, it fetches information from the metadata server
  7222. type: string
  7223. clusterProjectID:
  7224. description: |-
  7225. ClusterProjectID is the project ID of the cluster
  7226. If not specified, it fetches information from the metadata server
  7227. type: string
  7228. serviceAccountRef:
  7229. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7230. properties:
  7231. audiences:
  7232. description: |-
  7233. Audience specifies the `aud` claim for the service account token
  7234. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7235. then these audiences will be appended to the list
  7236. items:
  7237. type: string
  7238. type: array
  7239. name:
  7240. description: The name of the ServiceAccount resource being referred to.
  7241. maxLength: 253
  7242. minLength: 1
  7243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7244. type: string
  7245. namespace:
  7246. description: |-
  7247. Namespace of the resource being referred to.
  7248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7249. maxLength: 63
  7250. minLength: 1
  7251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7252. type: string
  7253. required:
  7254. - name
  7255. type: object
  7256. required:
  7257. - serviceAccountRef
  7258. type: object
  7259. required:
  7260. - role
  7261. type: object
  7262. iam:
  7263. description: |-
  7264. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  7265. using the AWS IAM authentication method
  7266. properties:
  7267. externalID:
  7268. description: AWS External ID set on assumed IAM roles
  7269. type: string
  7270. jwt:
  7271. description: Specify a service account with IRSA enabled
  7272. properties:
  7273. serviceAccountRef:
  7274. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7275. properties:
  7276. audiences:
  7277. description: |-
  7278. Audience specifies the `aud` claim for the service account token
  7279. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7280. then these audiences will be appended to the list
  7281. items:
  7282. type: string
  7283. type: array
  7284. name:
  7285. description: The name of the ServiceAccount resource being referred to.
  7286. maxLength: 253
  7287. minLength: 1
  7288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7289. type: string
  7290. namespace:
  7291. description: |-
  7292. Namespace of the resource being referred to.
  7293. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7294. maxLength: 63
  7295. minLength: 1
  7296. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7297. type: string
  7298. required:
  7299. - name
  7300. type: object
  7301. type: object
  7302. path:
  7303. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7304. type: string
  7305. region:
  7306. description: AWS region
  7307. type: string
  7308. role:
  7309. description: This is the AWS role to be assumed before talking to vault
  7310. type: string
  7311. secretRef:
  7312. description: Specify credentials in a Secret object
  7313. properties:
  7314. accessKeyIDSecretRef:
  7315. description: The AccessKeyID is used for authentication
  7316. properties:
  7317. key:
  7318. description: |-
  7319. A key in the referenced Secret.
  7320. Some instances of this field may be defaulted, in others it may be required.
  7321. maxLength: 253
  7322. minLength: 1
  7323. pattern: ^[-._a-zA-Z0-9]+$
  7324. type: string
  7325. name:
  7326. description: The name of the Secret resource being referred to.
  7327. maxLength: 253
  7328. minLength: 1
  7329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7330. type: string
  7331. namespace:
  7332. description: |-
  7333. The namespace of the Secret resource being referred to.
  7334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7335. maxLength: 63
  7336. minLength: 1
  7337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7338. type: string
  7339. type: object
  7340. secretAccessKeySecretRef:
  7341. description: The SecretAccessKey is used for authentication
  7342. properties:
  7343. key:
  7344. description: |-
  7345. A key in the referenced Secret.
  7346. Some instances of this field may be defaulted, in others it may be required.
  7347. maxLength: 253
  7348. minLength: 1
  7349. pattern: ^[-._a-zA-Z0-9]+$
  7350. type: string
  7351. name:
  7352. description: The name of the Secret resource being referred to.
  7353. maxLength: 253
  7354. minLength: 1
  7355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7356. type: string
  7357. namespace:
  7358. description: |-
  7359. The namespace of the Secret resource being referred to.
  7360. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7361. maxLength: 63
  7362. minLength: 1
  7363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7364. type: string
  7365. type: object
  7366. sessionTokenSecretRef:
  7367. description: |-
  7368. The SessionToken used for authentication
  7369. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7370. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7371. properties:
  7372. key:
  7373. description: |-
  7374. A key in the referenced Secret.
  7375. Some instances of this field may be defaulted, in others it may be required.
  7376. maxLength: 253
  7377. minLength: 1
  7378. pattern: ^[-._a-zA-Z0-9]+$
  7379. type: string
  7380. name:
  7381. description: The name of the Secret resource being referred to.
  7382. maxLength: 253
  7383. minLength: 1
  7384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7385. type: string
  7386. namespace:
  7387. description: |-
  7388. The namespace of the Secret resource being referred to.
  7389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7390. maxLength: 63
  7391. minLength: 1
  7392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7393. type: string
  7394. type: object
  7395. type: object
  7396. vaultAwsIamServerID:
  7397. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7398. type: string
  7399. vaultRole:
  7400. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7401. type: string
  7402. required:
  7403. - vaultRole
  7404. type: object
  7405. jwt:
  7406. description: |-
  7407. Jwt authenticates with Vault by passing role and JWT token using the
  7408. JWT/OIDC authentication method
  7409. properties:
  7410. kubernetesServiceAccountToken:
  7411. description: |-
  7412. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7413. a token with the `TokenRequest` API.
  7414. properties:
  7415. audiences:
  7416. description: |-
  7417. Optional audiences field that will be used to request a temporary Kubernetes service
  7418. account token for the service account referenced by `serviceAccountRef`.
  7419. Defaults to a single audience `vault` if not specified.
  7420. Deprecated: use serviceAccountRef.Audiences instead
  7421. items:
  7422. type: string
  7423. type: array
  7424. expirationSeconds:
  7425. description: |-
  7426. Optional expiration time in seconds that will be used to request a temporary
  7427. Kubernetes service account token for the service account referenced by
  7428. `serviceAccountRef`.
  7429. Deprecated: this will be removed in the future.
  7430. Defaults to 10 minutes.
  7431. format: int64
  7432. type: integer
  7433. serviceAccountRef:
  7434. description: Service account field containing the name of a kubernetes ServiceAccount.
  7435. properties:
  7436. audiences:
  7437. description: |-
  7438. Audience specifies the `aud` claim for the service account token
  7439. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7440. then these audiences will be appended to the list
  7441. items:
  7442. type: string
  7443. type: array
  7444. name:
  7445. description: The name of the ServiceAccount resource being referred to.
  7446. maxLength: 253
  7447. minLength: 1
  7448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7449. type: string
  7450. namespace:
  7451. description: |-
  7452. Namespace of the resource being referred to.
  7453. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7454. maxLength: 63
  7455. minLength: 1
  7456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7457. type: string
  7458. required:
  7459. - name
  7460. type: object
  7461. required:
  7462. - serviceAccountRef
  7463. type: object
  7464. path:
  7465. default: jwt
  7466. description: |-
  7467. Path where the JWT authentication backend is mounted
  7468. in Vault, e.g: "jwt"
  7469. type: string
  7470. role:
  7471. description: |-
  7472. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7473. authentication method
  7474. type: string
  7475. secretRef:
  7476. description: |-
  7477. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7478. authenticate with Vault using the JWT/OIDC authentication method.
  7479. properties:
  7480. key:
  7481. description: |-
  7482. A key in the referenced Secret.
  7483. Some instances of this field may be defaulted, in others it may be required.
  7484. maxLength: 253
  7485. minLength: 1
  7486. pattern: ^[-._a-zA-Z0-9]+$
  7487. type: string
  7488. name:
  7489. description: The name of the Secret resource being referred to.
  7490. maxLength: 253
  7491. minLength: 1
  7492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7493. type: string
  7494. namespace:
  7495. description: |-
  7496. The namespace of the Secret resource being referred to.
  7497. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7498. maxLength: 63
  7499. minLength: 1
  7500. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7501. type: string
  7502. type: object
  7503. required:
  7504. - path
  7505. type: object
  7506. kubernetes:
  7507. description: |-
  7508. Kubernetes authenticates with Vault by passing the ServiceAccount
  7509. token stored in the named Secret resource to the Vault server.
  7510. properties:
  7511. mountPath:
  7512. default: kubernetes
  7513. description: |-
  7514. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7515. "kubernetes"
  7516. type: string
  7517. role:
  7518. description: |-
  7519. A required field containing the Vault Role to assume. A Role binds a
  7520. Kubernetes ServiceAccount with a set of Vault policies.
  7521. type: string
  7522. secretRef:
  7523. description: |-
  7524. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7525. for authenticating with Vault. If a name is specified without a key,
  7526. `token` is the default. If one is not specified, the one bound to
  7527. the controller will be used.
  7528. properties:
  7529. key:
  7530. description: |-
  7531. A key in the referenced Secret.
  7532. Some instances of this field may be defaulted, in others it may be required.
  7533. maxLength: 253
  7534. minLength: 1
  7535. pattern: ^[-._a-zA-Z0-9]+$
  7536. type: string
  7537. name:
  7538. description: The name of the Secret resource being referred to.
  7539. maxLength: 253
  7540. minLength: 1
  7541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7542. type: string
  7543. namespace:
  7544. description: |-
  7545. The namespace of the Secret resource being referred to.
  7546. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7547. maxLength: 63
  7548. minLength: 1
  7549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7550. type: string
  7551. type: object
  7552. serviceAccountRef:
  7553. description: |-
  7554. Optional service account field containing the name of a kubernetes ServiceAccount.
  7555. If the service account is specified, the service account secret token JWT will be used
  7556. for authenticating with Vault. If the service account selector is not supplied,
  7557. the secretRef will be used instead.
  7558. properties:
  7559. audiences:
  7560. description: |-
  7561. Audience specifies the `aud` claim for the service account token
  7562. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7563. then these audiences will be appended to the list
  7564. items:
  7565. type: string
  7566. type: array
  7567. name:
  7568. description: The name of the ServiceAccount resource being referred to.
  7569. maxLength: 253
  7570. minLength: 1
  7571. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7572. type: string
  7573. namespace:
  7574. description: |-
  7575. Namespace of the resource being referred to.
  7576. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7577. maxLength: 63
  7578. minLength: 1
  7579. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7580. type: string
  7581. required:
  7582. - name
  7583. type: object
  7584. required:
  7585. - mountPath
  7586. - role
  7587. type: object
  7588. ldap:
  7589. description: |-
  7590. Ldap authenticates with Vault by passing a username/password pair using
  7591. the LDAP authentication method
  7592. properties:
  7593. path:
  7594. default: ldap
  7595. description: |-
  7596. Path where the LDAP authentication backend is mounted
  7597. in Vault, e.g: "ldap"
  7598. type: string
  7599. secretRef:
  7600. description: |-
  7601. SecretRef to a key in a Secret resource containing password for the LDAP
  7602. user used to authenticate with Vault using the LDAP authentication
  7603. method
  7604. properties:
  7605. key:
  7606. description: |-
  7607. A key in the referenced Secret.
  7608. Some instances of this field may be defaulted, in others it may be required.
  7609. maxLength: 253
  7610. minLength: 1
  7611. pattern: ^[-._a-zA-Z0-9]+$
  7612. type: string
  7613. name:
  7614. description: The name of the Secret resource being referred to.
  7615. maxLength: 253
  7616. minLength: 1
  7617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7618. type: string
  7619. namespace:
  7620. description: |-
  7621. The namespace of the Secret resource being referred to.
  7622. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7623. maxLength: 63
  7624. minLength: 1
  7625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7626. type: string
  7627. type: object
  7628. username:
  7629. description: |-
  7630. Username is an LDAP username used to authenticate using the LDAP Vault
  7631. authentication method
  7632. type: string
  7633. required:
  7634. - path
  7635. - username
  7636. type: object
  7637. namespace:
  7638. description: |-
  7639. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  7640. Namespaces are a set of features within Vault Enterprise that allow
  7641. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7642. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7643. This defaults to the Vault.Namespace field if set, or is empty otherwise
  7644. type: string
  7645. tokenSecretRef:
  7646. description: TokenSecretRef authenticates with Vault by presenting a token.
  7647. properties:
  7648. key:
  7649. description: |-
  7650. A key in the referenced Secret.
  7651. Some instances of this field may be defaulted, in others it may be required.
  7652. maxLength: 253
  7653. minLength: 1
  7654. pattern: ^[-._a-zA-Z0-9]+$
  7655. type: string
  7656. name:
  7657. description: The name of the Secret resource being referred to.
  7658. maxLength: 253
  7659. minLength: 1
  7660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7661. type: string
  7662. namespace:
  7663. description: |-
  7664. The namespace of the Secret resource being referred to.
  7665. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7666. maxLength: 63
  7667. minLength: 1
  7668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7669. type: string
  7670. type: object
  7671. userPass:
  7672. description: UserPass authenticates with Vault by passing a username/password pair
  7673. properties:
  7674. path:
  7675. default: userpass
  7676. description: |-
  7677. Path where the UserPassword authentication backend is mounted
  7678. in Vault, e.g: "userpass"
  7679. type: string
  7680. secretRef:
  7681. description: |-
  7682. SecretRef to a key in a Secret resource containing password for the
  7683. user used to authenticate with Vault using the UserPass authentication
  7684. method
  7685. properties:
  7686. key:
  7687. description: |-
  7688. A key in the referenced Secret.
  7689. Some instances of this field may be defaulted, in others it may be required.
  7690. maxLength: 253
  7691. minLength: 1
  7692. pattern: ^[-._a-zA-Z0-9]+$
  7693. type: string
  7694. name:
  7695. description: The name of the Secret resource being referred to.
  7696. maxLength: 253
  7697. minLength: 1
  7698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7699. type: string
  7700. namespace:
  7701. description: |-
  7702. The namespace of the Secret resource being referred to.
  7703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7704. maxLength: 63
  7705. minLength: 1
  7706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7707. type: string
  7708. type: object
  7709. username:
  7710. description: |-
  7711. Username is a username used to authenticate using the UserPass Vault
  7712. authentication method
  7713. type: string
  7714. required:
  7715. - path
  7716. - username
  7717. type: object
  7718. type: object
  7719. caBundle:
  7720. description: |-
  7721. PEM encoded CA bundle used to validate Vault server certificate. Only used
  7722. if the Server URL is using HTTPS protocol. This parameter is ignored for
  7723. plain HTTP protocol connection. If not set the system root certificates
  7724. are used to validate the TLS connection.
  7725. format: byte
  7726. type: string
  7727. caProvider:
  7728. description: The provider for the CA bundle to use to validate Vault server certificate.
  7729. properties:
  7730. key:
  7731. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7732. maxLength: 253
  7733. minLength: 1
  7734. pattern: ^[-._a-zA-Z0-9]+$
  7735. type: string
  7736. name:
  7737. description: The name of the object located at the provider type.
  7738. maxLength: 253
  7739. minLength: 1
  7740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7741. type: string
  7742. namespace:
  7743. description: |-
  7744. The namespace the Provider type is in.
  7745. Can only be defined when used in a ClusterSecretStore.
  7746. maxLength: 63
  7747. minLength: 1
  7748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7749. type: string
  7750. type:
  7751. description: The type of provider to use such as "Secret", or "ConfigMap".
  7752. enum:
  7753. - Secret
  7754. - ConfigMap
  7755. type: string
  7756. required:
  7757. - name
  7758. - type
  7759. type: object
  7760. checkAndSet:
  7761. description: |-
  7762. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  7763. Only applies to Vault KV v2 stores. When enabled, write operations must include
  7764. the current version of the secret to prevent unintentional overwrites.
  7765. properties:
  7766. required:
  7767. description: |-
  7768. When Required is true, all write operations must include a check-and-set parameter.
  7769. This helps prevent unintentional overwrites of secrets.
  7770. type: boolean
  7771. type: object
  7772. forwardInconsistent:
  7773. description: |-
  7774. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7775. leader instead of simply retrying within a loop. This can increase performance if
  7776. the option is enabled server-side.
  7777. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7778. type: boolean
  7779. headers:
  7780. additionalProperties:
  7781. type: string
  7782. description: Headers to be added in Vault request
  7783. type: object
  7784. namespace:
  7785. description: |-
  7786. Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  7787. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7788. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7789. type: string
  7790. path:
  7791. description: |-
  7792. Path is the mount path of the Vault KV backend endpoint, e.g:
  7793. "secret". The v2 KV secret engine version specific "/data" path suffix
  7794. for fetching secrets from Vault is optional and will be appended
  7795. if not present in specified path.
  7796. type: string
  7797. readYourWrites:
  7798. description: |-
  7799. ReadYourWrites ensures isolated read-after-write semantics by
  7800. providing discovered cluster replication states in each request.
  7801. More information about eventual consistency in Vault can be found here
  7802. https://www.vaultproject.io/docs/enterprise/consistency
  7803. type: boolean
  7804. server:
  7805. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  7806. type: string
  7807. tls:
  7808. description: |-
  7809. The configuration used for client side related TLS communication, when the Vault server
  7810. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  7811. This parameter is ignored for plain HTTP protocol connection.
  7812. It's worth noting this configuration is different from the "TLS certificates auth method",
  7813. which is available under the `auth.cert` section.
  7814. properties:
  7815. certSecretRef:
  7816. description: |-
  7817. CertSecretRef is a certificate added to the transport layer
  7818. when communicating with the Vault server.
  7819. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  7820. properties:
  7821. key:
  7822. description: |-
  7823. A key in the referenced Secret.
  7824. Some instances of this field may be defaulted, in others it may be required.
  7825. maxLength: 253
  7826. minLength: 1
  7827. pattern: ^[-._a-zA-Z0-9]+$
  7828. type: string
  7829. name:
  7830. description: The name of the Secret resource being referred to.
  7831. maxLength: 253
  7832. minLength: 1
  7833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7834. type: string
  7835. namespace:
  7836. description: |-
  7837. The namespace of the Secret resource being referred to.
  7838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7839. maxLength: 63
  7840. minLength: 1
  7841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7842. type: string
  7843. type: object
  7844. keySecretRef:
  7845. description: |-
  7846. KeySecretRef to a key in a Secret resource containing client private key
  7847. added to the transport layer when communicating with the Vault server.
  7848. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  7849. properties:
  7850. key:
  7851. description: |-
  7852. A key in the referenced Secret.
  7853. Some instances of this field may be defaulted, in others it may be required.
  7854. maxLength: 253
  7855. minLength: 1
  7856. pattern: ^[-._a-zA-Z0-9]+$
  7857. type: string
  7858. name:
  7859. description: The name of the Secret resource being referred to.
  7860. maxLength: 253
  7861. minLength: 1
  7862. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7863. type: string
  7864. namespace:
  7865. description: |-
  7866. The namespace of the Secret resource being referred to.
  7867. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7868. maxLength: 63
  7869. minLength: 1
  7870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7871. type: string
  7872. type: object
  7873. type: object
  7874. version:
  7875. default: v2
  7876. description: |-
  7877. Version is the Vault KV secret engine version. This can be either "v1" or
  7878. "v2". Version defaults to "v2".
  7879. enum:
  7880. - v1
  7881. - v2
  7882. type: string
  7883. required:
  7884. - server
  7885. type: object
  7886. volcengine:
  7887. description: Volcengine configures this store to sync secrets using the Volcengine provider
  7888. properties:
  7889. auth:
  7890. description: |-
  7891. Auth defines the authentication method to use.
  7892. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  7893. properties:
  7894. secretRef:
  7895. description: |-
  7896. SecretRef defines the static credentials to use for authentication.
  7897. If not set, IRSA is used.
  7898. properties:
  7899. accessKeyID:
  7900. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  7901. properties:
  7902. key:
  7903. description: |-
  7904. A key in the referenced Secret.
  7905. Some instances of this field may be defaulted, in others it may be required.
  7906. maxLength: 253
  7907. minLength: 1
  7908. pattern: ^[-._a-zA-Z0-9]+$
  7909. type: string
  7910. name:
  7911. description: The name of the Secret resource being referred to.
  7912. maxLength: 253
  7913. minLength: 1
  7914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7915. type: string
  7916. namespace:
  7917. description: |-
  7918. The namespace of the Secret resource being referred to.
  7919. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7920. maxLength: 63
  7921. minLength: 1
  7922. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7923. type: string
  7924. type: object
  7925. secretAccessKey:
  7926. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  7927. properties:
  7928. key:
  7929. description: |-
  7930. A key in the referenced Secret.
  7931. Some instances of this field may be defaulted, in others it may be required.
  7932. maxLength: 253
  7933. minLength: 1
  7934. pattern: ^[-._a-zA-Z0-9]+$
  7935. type: string
  7936. name:
  7937. description: The name of the Secret resource being referred to.
  7938. maxLength: 253
  7939. minLength: 1
  7940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7941. type: string
  7942. namespace:
  7943. description: |-
  7944. The namespace of the Secret resource being referred to.
  7945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7946. maxLength: 63
  7947. minLength: 1
  7948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7949. type: string
  7950. type: object
  7951. token:
  7952. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  7953. properties:
  7954. key:
  7955. description: |-
  7956. A key in the referenced Secret.
  7957. Some instances of this field may be defaulted, in others it may be required.
  7958. maxLength: 253
  7959. minLength: 1
  7960. pattern: ^[-._a-zA-Z0-9]+$
  7961. type: string
  7962. name:
  7963. description: The name of the Secret resource being referred to.
  7964. maxLength: 253
  7965. minLength: 1
  7966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7967. type: string
  7968. namespace:
  7969. description: |-
  7970. The namespace of the Secret resource being referred to.
  7971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7972. maxLength: 63
  7973. minLength: 1
  7974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7975. type: string
  7976. type: object
  7977. required:
  7978. - accessKeyID
  7979. - secretAccessKey
  7980. type: object
  7981. type: object
  7982. region:
  7983. description: Region specifies the Volcengine region to connect to.
  7984. type: string
  7985. required:
  7986. - region
  7987. type: object
  7988. webhook:
  7989. description: Webhook configures this store to sync secrets using a generic templated webhook
  7990. properties:
  7991. auth:
  7992. description: Auth specifies an authorization protocol. Only one protocol may be set.
  7993. maxProperties: 1
  7994. minProperties: 1
  7995. properties:
  7996. ntlm:
  7997. description: NTLMProtocol configures the store to use NTLM for auth
  7998. properties:
  7999. passwordSecret:
  8000. description: |-
  8001. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8002. In some instances, `key` is a required field.
  8003. properties:
  8004. key:
  8005. description: |-
  8006. A key in the referenced Secret.
  8007. Some instances of this field may be defaulted, in others it may be required.
  8008. maxLength: 253
  8009. minLength: 1
  8010. pattern: ^[-._a-zA-Z0-9]+$
  8011. type: string
  8012. name:
  8013. description: The name of the Secret resource being referred to.
  8014. maxLength: 253
  8015. minLength: 1
  8016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8017. type: string
  8018. namespace:
  8019. description: |-
  8020. The namespace of the Secret resource being referred to.
  8021. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8022. maxLength: 63
  8023. minLength: 1
  8024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8025. type: string
  8026. type: object
  8027. usernameSecret:
  8028. description: |-
  8029. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8030. In some instances, `key` is a required field.
  8031. properties:
  8032. key:
  8033. description: |-
  8034. A key in the referenced Secret.
  8035. Some instances of this field may be defaulted, in others it may be required.
  8036. maxLength: 253
  8037. minLength: 1
  8038. pattern: ^[-._a-zA-Z0-9]+$
  8039. type: string
  8040. name:
  8041. description: The name of the Secret resource being referred to.
  8042. maxLength: 253
  8043. minLength: 1
  8044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8045. type: string
  8046. namespace:
  8047. description: |-
  8048. The namespace of the Secret resource being referred to.
  8049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8050. maxLength: 63
  8051. minLength: 1
  8052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8053. type: string
  8054. type: object
  8055. required:
  8056. - passwordSecret
  8057. - usernameSecret
  8058. type: object
  8059. type: object
  8060. body:
  8061. description: Body
  8062. type: string
  8063. caBundle:
  8064. description: |-
  8065. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8066. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8067. plain HTTP protocol connection. If not set the system root certificates
  8068. are used to validate the TLS connection.
  8069. format: byte
  8070. type: string
  8071. caProvider:
  8072. description: The provider for the CA bundle to use to validate webhook server certificate.
  8073. properties:
  8074. key:
  8075. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8076. maxLength: 253
  8077. minLength: 1
  8078. pattern: ^[-._a-zA-Z0-9]+$
  8079. type: string
  8080. name:
  8081. description: The name of the object located at the provider type.
  8082. maxLength: 253
  8083. minLength: 1
  8084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8085. type: string
  8086. namespace:
  8087. description: The namespace the Provider type is in.
  8088. maxLength: 63
  8089. minLength: 1
  8090. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8091. type: string
  8092. type:
  8093. description: The type of provider to use such as "Secret", or "ConfigMap".
  8094. enum:
  8095. - Secret
  8096. - ConfigMap
  8097. type: string
  8098. required:
  8099. - name
  8100. - type
  8101. type: object
  8102. headers:
  8103. additionalProperties:
  8104. type: string
  8105. description: Headers
  8106. type: object
  8107. method:
  8108. description: Webhook Method
  8109. type: string
  8110. result:
  8111. description: Result formatting
  8112. properties:
  8113. jsonPath:
  8114. description: JSON path of the return value
  8115. type: string
  8116. type: object
  8117. secrets:
  8118. description: |-
  8119. Secrets to fill in templates
  8120. These secrets will be passed to the templating function as key-value pairs under the given name
  8121. items:
  8122. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8123. properties:
  8124. name:
  8125. description: Name of this secret in templates
  8126. type: string
  8127. secretRef:
  8128. description: Secret ref to fill in credentials
  8129. properties:
  8130. key:
  8131. description: |-
  8132. A key in the referenced Secret.
  8133. Some instances of this field may be defaulted, in others it may be required.
  8134. maxLength: 253
  8135. minLength: 1
  8136. pattern: ^[-._a-zA-Z0-9]+$
  8137. type: string
  8138. name:
  8139. description: The name of the Secret resource being referred to.
  8140. maxLength: 253
  8141. minLength: 1
  8142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8143. type: string
  8144. namespace:
  8145. description: |-
  8146. The namespace of the Secret resource being referred to.
  8147. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8148. maxLength: 63
  8149. minLength: 1
  8150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8151. type: string
  8152. type: object
  8153. required:
  8154. - name
  8155. - secretRef
  8156. type: object
  8157. type: array
  8158. timeout:
  8159. description: Timeout
  8160. type: string
  8161. url:
  8162. description: Webhook url to call
  8163. type: string
  8164. required:
  8165. - url
  8166. type: object
  8167. yandexcertificatemanager:
  8168. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8169. properties:
  8170. apiEndpoint:
  8171. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8172. type: string
  8173. auth:
  8174. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8175. properties:
  8176. authorizedKeySecretRef:
  8177. description: The authorized key used for authentication
  8178. properties:
  8179. key:
  8180. description: |-
  8181. A key in the referenced Secret.
  8182. Some instances of this field may be defaulted, in others it may be required.
  8183. maxLength: 253
  8184. minLength: 1
  8185. pattern: ^[-._a-zA-Z0-9]+$
  8186. type: string
  8187. name:
  8188. description: The name of the Secret resource being referred to.
  8189. maxLength: 253
  8190. minLength: 1
  8191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8192. type: string
  8193. namespace:
  8194. description: |-
  8195. The namespace of the Secret resource being referred to.
  8196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8197. maxLength: 63
  8198. minLength: 1
  8199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8200. type: string
  8201. type: object
  8202. type: object
  8203. caProvider:
  8204. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8205. properties:
  8206. certSecretRef:
  8207. description: |-
  8208. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8209. In some instances, `key` is a required field.
  8210. properties:
  8211. key:
  8212. description: |-
  8213. A key in the referenced Secret.
  8214. Some instances of this field may be defaulted, in others it may be required.
  8215. maxLength: 253
  8216. minLength: 1
  8217. pattern: ^[-._a-zA-Z0-9]+$
  8218. type: string
  8219. name:
  8220. description: The name of the Secret resource being referred to.
  8221. maxLength: 253
  8222. minLength: 1
  8223. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8224. type: string
  8225. namespace:
  8226. description: |-
  8227. The namespace of the Secret resource being referred to.
  8228. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8229. maxLength: 63
  8230. minLength: 1
  8231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8232. type: string
  8233. type: object
  8234. type: object
  8235. fetching:
  8236. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8237. maxProperties: 1
  8238. minProperties: 1
  8239. properties:
  8240. byID:
  8241. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8242. type: object
  8243. byName:
  8244. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8245. properties:
  8246. folderID:
  8247. description: The folder to fetch secrets from
  8248. type: string
  8249. required:
  8250. - folderID
  8251. type: object
  8252. type: object
  8253. required:
  8254. - auth
  8255. type: object
  8256. yandexlockbox:
  8257. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8258. properties:
  8259. apiEndpoint:
  8260. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8261. type: string
  8262. auth:
  8263. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8264. properties:
  8265. authorizedKeySecretRef:
  8266. description: The authorized key used for authentication
  8267. properties:
  8268. key:
  8269. description: |-
  8270. A key in the referenced Secret.
  8271. Some instances of this field may be defaulted, in others it may be required.
  8272. maxLength: 253
  8273. minLength: 1
  8274. pattern: ^[-._a-zA-Z0-9]+$
  8275. type: string
  8276. name:
  8277. description: The name of the Secret resource being referred to.
  8278. maxLength: 253
  8279. minLength: 1
  8280. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8281. type: string
  8282. namespace:
  8283. description: |-
  8284. The namespace of the Secret resource being referred to.
  8285. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8286. maxLength: 63
  8287. minLength: 1
  8288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8289. type: string
  8290. type: object
  8291. type: object
  8292. caProvider:
  8293. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8294. properties:
  8295. certSecretRef:
  8296. description: |-
  8297. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8298. In some instances, `key` is a required field.
  8299. properties:
  8300. key:
  8301. description: |-
  8302. A key in the referenced Secret.
  8303. Some instances of this field may be defaulted, in others it may be required.
  8304. maxLength: 253
  8305. minLength: 1
  8306. pattern: ^[-._a-zA-Z0-9]+$
  8307. type: string
  8308. name:
  8309. description: The name of the Secret resource being referred to.
  8310. maxLength: 253
  8311. minLength: 1
  8312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8313. type: string
  8314. namespace:
  8315. description: |-
  8316. The namespace of the Secret resource being referred to.
  8317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8318. maxLength: 63
  8319. minLength: 1
  8320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8321. type: string
  8322. type: object
  8323. type: object
  8324. fetching:
  8325. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8326. maxProperties: 1
  8327. minProperties: 1
  8328. properties:
  8329. byID:
  8330. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8331. type: object
  8332. byName:
  8333. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8334. properties:
  8335. folderID:
  8336. description: The folder to fetch secrets from
  8337. type: string
  8338. required:
  8339. - folderID
  8340. type: object
  8341. type: object
  8342. required:
  8343. - auth
  8344. type: object
  8345. type: object
  8346. refreshInterval:
  8347. description: Used to configure the store refresh interval in seconds. Empty or 0 defaults to the controller config.
  8348. type: integer
  8349. retrySettings:
  8350. description: Used to configure HTTP retries on failures.
  8351. properties:
  8352. maxRetries:
  8353. format: int32
  8354. type: integer
  8355. retryInterval:
  8356. type: string
  8357. type: object
  8358. required:
  8359. - provider
  8360. type: object
  8361. status:
  8362. description: SecretStoreStatus defines the observed state of the SecretStore.
  8363. properties:
  8364. capabilities:
  8365. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8366. type: string
  8367. conditions:
  8368. items:
  8369. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8370. properties:
  8371. lastTransitionTime:
  8372. format: date-time
  8373. type: string
  8374. message:
  8375. type: string
  8376. reason:
  8377. type: string
  8378. status:
  8379. type: string
  8380. type:
  8381. description: SecretStoreConditionType represents the condition of the SecretStore.
  8382. type: string
  8383. required:
  8384. - status
  8385. - type
  8386. type: object
  8387. type: array
  8388. type: object
  8389. type: object
  8390. served: true
  8391. storage: true
  8392. subresources:
  8393. status: {}
  8394. - additionalPrinterColumns:
  8395. - jsonPath: .metadata.creationTimestamp
  8396. name: AGE
  8397. type: date
  8398. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8399. name: Status
  8400. type: string
  8401. - jsonPath: .status.capabilities
  8402. name: Capabilities
  8403. type: string
  8404. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8405. name: Ready
  8406. type: string
  8407. deprecated: true
  8408. name: v1beta1
  8409. schema:
  8410. openAPIV3Schema:
  8411. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8412. properties:
  8413. apiVersion:
  8414. description: |-
  8415. APIVersion defines the versioned schema of this representation of an object.
  8416. Servers should convert recognized schemas to the latest internal value, and
  8417. may reject unrecognized values.
  8418. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8419. type: string
  8420. kind:
  8421. description: |-
  8422. Kind is a string value representing the REST resource this object represents.
  8423. Servers may infer this from the endpoint the client submits requests to.
  8424. Cannot be updated.
  8425. In CamelCase.
  8426. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8427. type: string
  8428. metadata:
  8429. type: object
  8430. spec:
  8431. description: SecretStoreSpec defines the desired state of SecretStore.
  8432. properties:
  8433. conditions:
  8434. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8435. items:
  8436. description: |-
  8437. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8438. for a ClusterSecretStore instance.
  8439. properties:
  8440. namespaceRegexes:
  8441. description: Choose namespaces by using regex matching
  8442. items:
  8443. type: string
  8444. type: array
  8445. namespaceSelector:
  8446. description: Choose namespace using a labelSelector
  8447. properties:
  8448. matchExpressions:
  8449. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8450. items:
  8451. description: |-
  8452. A label selector requirement is a selector that contains values, a key, and an operator that
  8453. relates the key and values.
  8454. properties:
  8455. key:
  8456. description: key is the label key that the selector applies to.
  8457. type: string
  8458. operator:
  8459. description: |-
  8460. operator represents a key's relationship to a set of values.
  8461. Valid operators are In, NotIn, Exists and DoesNotExist.
  8462. type: string
  8463. values:
  8464. description: |-
  8465. values is an array of string values. If the operator is In or NotIn,
  8466. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8467. the values array must be empty. This array is replaced during a strategic
  8468. merge patch.
  8469. items:
  8470. type: string
  8471. type: array
  8472. x-kubernetes-list-type: atomic
  8473. required:
  8474. - key
  8475. - operator
  8476. type: object
  8477. type: array
  8478. x-kubernetes-list-type: atomic
  8479. matchLabels:
  8480. additionalProperties:
  8481. type: string
  8482. description: |-
  8483. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8484. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8485. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8486. type: object
  8487. type: object
  8488. x-kubernetes-map-type: atomic
  8489. namespaces:
  8490. description: Choose namespaces by name
  8491. items:
  8492. maxLength: 63
  8493. minLength: 1
  8494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8495. type: string
  8496. type: array
  8497. type: object
  8498. type: array
  8499. controller:
  8500. description: |-
  8501. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8502. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8503. type: string
  8504. provider:
  8505. description: Used to configure the provider. Only one provider may be set
  8506. maxProperties: 1
  8507. minProperties: 1
  8508. properties:
  8509. akeyless:
  8510. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8511. properties:
  8512. akeylessGWApiURL:
  8513. description: Akeyless GW API URL from which the secrets are fetched.
  8514. type: string
  8515. authSecretRef:
  8516. description: Auth configures how the operator authenticates with Akeyless.
  8517. properties:
  8518. kubernetesAuth:
  8519. description: |-
  8520. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8521. token stored in the named Secret resource.
  8522. properties:
  8523. accessID:
  8524. description: the Akeyless Kubernetes auth-method access-id
  8525. type: string
  8526. k8sConfName:
  8527. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8528. type: string
  8529. secretRef:
  8530. description: |-
  8531. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8532. for authenticating with Akeyless. If a name is specified without a key,
  8533. `token` is the default. If one is not specified, the one bound to
  8534. the controller will be used.
  8535. properties:
  8536. key:
  8537. description: |-
  8538. A key in the referenced Secret.
  8539. Some instances of this field may be defaulted, in others it may be required.
  8540. maxLength: 253
  8541. minLength: 1
  8542. pattern: ^[-._a-zA-Z0-9]+$
  8543. type: string
  8544. name:
  8545. description: The name of the Secret resource being referred to.
  8546. maxLength: 253
  8547. minLength: 1
  8548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8549. type: string
  8550. namespace:
  8551. description: |-
  8552. The namespace of the Secret resource being referred to.
  8553. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8554. maxLength: 63
  8555. minLength: 1
  8556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8557. type: string
  8558. type: object
  8559. serviceAccountRef:
  8560. description: |-
  8561. Optional service account field containing the name of a kubernetes ServiceAccount.
  8562. If the service account is specified, the service account secret token JWT will be used
  8563. for authenticating with Akeyless. If the service account selector is not supplied,
  8564. the secretRef will be used instead.
  8565. properties:
  8566. audiences:
  8567. description: |-
  8568. Audience specifies the `aud` claim for the service account token
  8569. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8570. then these audiences will be appended to the list
  8571. items:
  8572. type: string
  8573. type: array
  8574. name:
  8575. description: The name of the ServiceAccount resource being referred to.
  8576. maxLength: 253
  8577. minLength: 1
  8578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8579. type: string
  8580. namespace:
  8581. description: |-
  8582. Namespace of the resource being referred to.
  8583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8584. maxLength: 63
  8585. minLength: 1
  8586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8587. type: string
  8588. required:
  8589. - name
  8590. type: object
  8591. required:
  8592. - accessID
  8593. - k8sConfName
  8594. type: object
  8595. secretRef:
  8596. description: |-
  8597. Reference to a Secret that contains the details
  8598. to authenticate with Akeyless.
  8599. properties:
  8600. accessID:
  8601. description: The SecretAccessID is used for authentication
  8602. properties:
  8603. key:
  8604. description: |-
  8605. A key in the referenced Secret.
  8606. Some instances of this field may be defaulted, in others it may be required.
  8607. maxLength: 253
  8608. minLength: 1
  8609. pattern: ^[-._a-zA-Z0-9]+$
  8610. type: string
  8611. name:
  8612. description: The name of the Secret resource being referred to.
  8613. maxLength: 253
  8614. minLength: 1
  8615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8616. type: string
  8617. namespace:
  8618. description: |-
  8619. The namespace of the Secret resource being referred to.
  8620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8621. maxLength: 63
  8622. minLength: 1
  8623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8624. type: string
  8625. type: object
  8626. accessType:
  8627. description: |-
  8628. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8629. In some instances, `key` is a required field.
  8630. properties:
  8631. key:
  8632. description: |-
  8633. A key in the referenced Secret.
  8634. Some instances of this field may be defaulted, in others it may be required.
  8635. maxLength: 253
  8636. minLength: 1
  8637. pattern: ^[-._a-zA-Z0-9]+$
  8638. type: string
  8639. name:
  8640. description: The name of the Secret resource being referred to.
  8641. maxLength: 253
  8642. minLength: 1
  8643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8644. type: string
  8645. namespace:
  8646. description: |-
  8647. The namespace of the Secret resource being referred to.
  8648. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8649. maxLength: 63
  8650. minLength: 1
  8651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8652. type: string
  8653. type: object
  8654. accessTypeParam:
  8655. description: |-
  8656. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8657. In some instances, `key` is a required field.
  8658. properties:
  8659. key:
  8660. description: |-
  8661. A key in the referenced Secret.
  8662. Some instances of this field may be defaulted, in others it may be required.
  8663. maxLength: 253
  8664. minLength: 1
  8665. pattern: ^[-._a-zA-Z0-9]+$
  8666. type: string
  8667. name:
  8668. description: The name of the Secret resource being referred to.
  8669. maxLength: 253
  8670. minLength: 1
  8671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8672. type: string
  8673. namespace:
  8674. description: |-
  8675. The namespace of the Secret resource being referred to.
  8676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8677. maxLength: 63
  8678. minLength: 1
  8679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8680. type: string
  8681. type: object
  8682. type: object
  8683. type: object
  8684. caBundle:
  8685. description: |-
  8686. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  8687. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  8688. are used to validate the TLS connection.
  8689. format: byte
  8690. type: string
  8691. caProvider:
  8692. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  8693. properties:
  8694. key:
  8695. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8696. maxLength: 253
  8697. minLength: 1
  8698. pattern: ^[-._a-zA-Z0-9]+$
  8699. type: string
  8700. name:
  8701. description: The name of the object located at the provider type.
  8702. maxLength: 253
  8703. minLength: 1
  8704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8705. type: string
  8706. namespace:
  8707. description: |-
  8708. The namespace the Provider type is in.
  8709. Can only be defined when used in a ClusterSecretStore.
  8710. maxLength: 63
  8711. minLength: 1
  8712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8713. type: string
  8714. type:
  8715. description: The type of provider to use such as "Secret", or "ConfigMap".
  8716. enum:
  8717. - Secret
  8718. - ConfigMap
  8719. type: string
  8720. required:
  8721. - name
  8722. - type
  8723. type: object
  8724. required:
  8725. - akeylessGWApiURL
  8726. - authSecretRef
  8727. type: object
  8728. alibaba:
  8729. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  8730. properties:
  8731. auth:
  8732. description: AlibabaAuth contains a secretRef for credentials.
  8733. properties:
  8734. rrsa:
  8735. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  8736. properties:
  8737. oidcProviderArn:
  8738. type: string
  8739. oidcTokenFilePath:
  8740. type: string
  8741. roleArn:
  8742. type: string
  8743. sessionName:
  8744. type: string
  8745. required:
  8746. - oidcProviderArn
  8747. - oidcTokenFilePath
  8748. - roleArn
  8749. - sessionName
  8750. type: object
  8751. secretRef:
  8752. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  8753. properties:
  8754. accessKeyIDSecretRef:
  8755. description: The AccessKeyID is used for authentication
  8756. properties:
  8757. key:
  8758. description: |-
  8759. A key in the referenced Secret.
  8760. Some instances of this field may be defaulted, in others it may be required.
  8761. maxLength: 253
  8762. minLength: 1
  8763. pattern: ^[-._a-zA-Z0-9]+$
  8764. type: string
  8765. name:
  8766. description: The name of the Secret resource being referred to.
  8767. maxLength: 253
  8768. minLength: 1
  8769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8770. type: string
  8771. namespace:
  8772. description: |-
  8773. The namespace of the Secret resource being referred to.
  8774. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8775. maxLength: 63
  8776. minLength: 1
  8777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8778. type: string
  8779. type: object
  8780. accessKeySecretSecretRef:
  8781. description: The AccessKeySecret is used for authentication
  8782. properties:
  8783. key:
  8784. description: |-
  8785. A key in the referenced Secret.
  8786. Some instances of this field may be defaulted, in others it may be required.
  8787. maxLength: 253
  8788. minLength: 1
  8789. pattern: ^[-._a-zA-Z0-9]+$
  8790. type: string
  8791. name:
  8792. description: The name of the Secret resource being referred to.
  8793. maxLength: 253
  8794. minLength: 1
  8795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8796. type: string
  8797. namespace:
  8798. description: |-
  8799. The namespace of the Secret resource being referred to.
  8800. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8801. maxLength: 63
  8802. minLength: 1
  8803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8804. type: string
  8805. type: object
  8806. required:
  8807. - accessKeyIDSecretRef
  8808. - accessKeySecretSecretRef
  8809. type: object
  8810. type: object
  8811. regionID:
  8812. description: Alibaba Region to be used for the provider
  8813. type: string
  8814. required:
  8815. - auth
  8816. - regionID
  8817. type: object
  8818. aws:
  8819. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  8820. properties:
  8821. additionalRoles:
  8822. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  8823. items:
  8824. type: string
  8825. type: array
  8826. auth:
  8827. description: |-
  8828. Auth defines the information necessary to authenticate against AWS
  8829. if not set, the AWS SDK will infer credentials from your environment
  8830. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  8831. properties:
  8832. jwt:
  8833. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  8834. properties:
  8835. serviceAccountRef:
  8836. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  8837. properties:
  8838. audiences:
  8839. description: |-
  8840. Audience specifies the `aud` claim for the service account token
  8841. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8842. then these audiences will be appended to the list
  8843. items:
  8844. type: string
  8845. type: array
  8846. name:
  8847. description: The name of the ServiceAccount resource being referred to.
  8848. maxLength: 253
  8849. minLength: 1
  8850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8851. type: string
  8852. namespace:
  8853. description: |-
  8854. Namespace of the resource being referred to.
  8855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8856. maxLength: 63
  8857. minLength: 1
  8858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8859. type: string
  8860. required:
  8861. - name
  8862. type: object
  8863. type: object
  8864. secretRef:
  8865. description: |-
  8866. AWSAuthSecretRef holds secret references for AWS credentials
  8867. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  8868. properties:
  8869. accessKeyIDSecretRef:
  8870. description: The AccessKeyID is used for authentication
  8871. properties:
  8872. key:
  8873. description: |-
  8874. A key in the referenced Secret.
  8875. Some instances of this field may be defaulted, in others it may be required.
  8876. maxLength: 253
  8877. minLength: 1
  8878. pattern: ^[-._a-zA-Z0-9]+$
  8879. type: string
  8880. name:
  8881. description: The name of the Secret resource being referred to.
  8882. maxLength: 253
  8883. minLength: 1
  8884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8885. type: string
  8886. namespace:
  8887. description: |-
  8888. The namespace of the Secret resource being referred to.
  8889. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8890. maxLength: 63
  8891. minLength: 1
  8892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8893. type: string
  8894. type: object
  8895. secretAccessKeySecretRef:
  8896. description: The SecretAccessKey is used for authentication
  8897. properties:
  8898. key:
  8899. description: |-
  8900. A key in the referenced Secret.
  8901. Some instances of this field may be defaulted, in others it may be required.
  8902. maxLength: 253
  8903. minLength: 1
  8904. pattern: ^[-._a-zA-Z0-9]+$
  8905. type: string
  8906. name:
  8907. description: The name of the Secret resource being referred to.
  8908. maxLength: 253
  8909. minLength: 1
  8910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8911. type: string
  8912. namespace:
  8913. description: |-
  8914. The namespace of the Secret resource being referred to.
  8915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8916. maxLength: 63
  8917. minLength: 1
  8918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8919. type: string
  8920. type: object
  8921. sessionTokenSecretRef:
  8922. description: |-
  8923. The SessionToken used for authentication
  8924. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  8925. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  8926. properties:
  8927. key:
  8928. description: |-
  8929. A key in the referenced Secret.
  8930. Some instances of this field may be defaulted, in others it may be required.
  8931. maxLength: 253
  8932. minLength: 1
  8933. pattern: ^[-._a-zA-Z0-9]+$
  8934. type: string
  8935. name:
  8936. description: The name of the Secret resource being referred to.
  8937. maxLength: 253
  8938. minLength: 1
  8939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8940. type: string
  8941. namespace:
  8942. description: |-
  8943. The namespace of the Secret resource being referred to.
  8944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8945. maxLength: 63
  8946. minLength: 1
  8947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8948. type: string
  8949. type: object
  8950. type: object
  8951. type: object
  8952. externalID:
  8953. description: AWS External ID set on assumed IAM roles
  8954. type: string
  8955. prefix:
  8956. description: Prefix adds a prefix to all retrieved values.
  8957. type: string
  8958. region:
  8959. description: AWS Region to be used for the provider
  8960. type: string
  8961. role:
  8962. description: Role is a Role ARN which the provider will assume
  8963. type: string
  8964. secretsManager:
  8965. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  8966. properties:
  8967. forceDeleteWithoutRecovery:
  8968. description: |-
  8969. Specifies whether to delete the secret without any recovery window. You
  8970. can't use both this parameter and RecoveryWindowInDays in the same call.
  8971. If you don't use either, then by default Secrets Manager uses a 30 day
  8972. recovery window.
  8973. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  8974. type: boolean
  8975. recoveryWindowInDays:
  8976. description: |-
  8977. The number of days from 7 to 30 that Secrets Manager waits before
  8978. permanently deleting the secret. You can't use both this parameter and
  8979. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  8980. then by default Secrets Manager uses a 30 day recovery window.
  8981. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  8982. format: int64
  8983. type: integer
  8984. type: object
  8985. service:
  8986. description: Service defines which service should be used to fetch the secrets
  8987. enum:
  8988. - SecretsManager
  8989. - ParameterStore
  8990. type: string
  8991. sessionTags:
  8992. description: AWS STS assume role session tags
  8993. items:
  8994. description: Tag defines a tag key and value for AWS resources.
  8995. properties:
  8996. key:
  8997. type: string
  8998. value:
  8999. type: string
  9000. required:
  9001. - key
  9002. - value
  9003. type: object
  9004. type: array
  9005. transitiveTagKeys:
  9006. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9007. items:
  9008. type: string
  9009. type: array
  9010. required:
  9011. - region
  9012. - service
  9013. type: object
  9014. azurekv:
  9015. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9016. properties:
  9017. authSecretRef:
  9018. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9019. properties:
  9020. clientCertificate:
  9021. description: The Azure ClientCertificate of the service principal used for authentication.
  9022. properties:
  9023. key:
  9024. description: |-
  9025. A key in the referenced Secret.
  9026. Some instances of this field may be defaulted, in others it may be required.
  9027. maxLength: 253
  9028. minLength: 1
  9029. pattern: ^[-._a-zA-Z0-9]+$
  9030. type: string
  9031. name:
  9032. description: The name of the Secret resource being referred to.
  9033. maxLength: 253
  9034. minLength: 1
  9035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9036. type: string
  9037. namespace:
  9038. description: |-
  9039. The namespace of the Secret resource being referred to.
  9040. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9041. maxLength: 63
  9042. minLength: 1
  9043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9044. type: string
  9045. type: object
  9046. clientId:
  9047. description: The Azure clientId of the service principal or managed identity used for authentication.
  9048. properties:
  9049. key:
  9050. description: |-
  9051. A key in the referenced Secret.
  9052. Some instances of this field may be defaulted, in others it may be required.
  9053. maxLength: 253
  9054. minLength: 1
  9055. pattern: ^[-._a-zA-Z0-9]+$
  9056. type: string
  9057. name:
  9058. description: The name of the Secret resource being referred to.
  9059. maxLength: 253
  9060. minLength: 1
  9061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9062. type: string
  9063. namespace:
  9064. description: |-
  9065. The namespace of the Secret resource being referred to.
  9066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9067. maxLength: 63
  9068. minLength: 1
  9069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9070. type: string
  9071. type: object
  9072. clientSecret:
  9073. description: The Azure ClientSecret of the service principal used for authentication.
  9074. properties:
  9075. key:
  9076. description: |-
  9077. A key in the referenced Secret.
  9078. Some instances of this field may be defaulted, in others it may be required.
  9079. maxLength: 253
  9080. minLength: 1
  9081. pattern: ^[-._a-zA-Z0-9]+$
  9082. type: string
  9083. name:
  9084. description: The name of the Secret resource being referred to.
  9085. maxLength: 253
  9086. minLength: 1
  9087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9088. type: string
  9089. namespace:
  9090. description: |-
  9091. The namespace of the Secret resource being referred to.
  9092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9093. maxLength: 63
  9094. minLength: 1
  9095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9096. type: string
  9097. type: object
  9098. tenantId:
  9099. description: The Azure tenantId of the managed identity used for authentication.
  9100. properties:
  9101. key:
  9102. description: |-
  9103. A key in the referenced Secret.
  9104. Some instances of this field may be defaulted, in others it may be required.
  9105. maxLength: 253
  9106. minLength: 1
  9107. pattern: ^[-._a-zA-Z0-9]+$
  9108. type: string
  9109. name:
  9110. description: The name of the Secret resource being referred to.
  9111. maxLength: 253
  9112. minLength: 1
  9113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9114. type: string
  9115. namespace:
  9116. description: |-
  9117. The namespace of the Secret resource being referred to.
  9118. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9119. maxLength: 63
  9120. minLength: 1
  9121. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9122. type: string
  9123. type: object
  9124. type: object
  9125. authType:
  9126. default: ServicePrincipal
  9127. description: |-
  9128. Auth type defines how to authenticate to the keyvault service.
  9129. Valid values are:
  9130. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9131. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9132. enum:
  9133. - ServicePrincipal
  9134. - ManagedIdentity
  9135. - WorkloadIdentity
  9136. type: string
  9137. environmentType:
  9138. default: PublicCloud
  9139. description: |-
  9140. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9141. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9142. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9143. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9144. enum:
  9145. - PublicCloud
  9146. - USGovernmentCloud
  9147. - ChinaCloud
  9148. - GermanCloud
  9149. type: string
  9150. identityId:
  9151. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  9152. type: string
  9153. serviceAccountRef:
  9154. description: |-
  9155. ServiceAccountRef specifies the service account
  9156. that should be used when authenticating with WorkloadIdentity.
  9157. properties:
  9158. audiences:
  9159. description: |-
  9160. Audience specifies the `aud` claim for the service account token
  9161. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9162. then these audiences will be appended to the list
  9163. items:
  9164. type: string
  9165. type: array
  9166. name:
  9167. description: The name of the ServiceAccount resource being referred to.
  9168. maxLength: 253
  9169. minLength: 1
  9170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9171. type: string
  9172. namespace:
  9173. description: |-
  9174. Namespace of the resource being referred to.
  9175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9176. maxLength: 63
  9177. minLength: 1
  9178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9179. type: string
  9180. required:
  9181. - name
  9182. type: object
  9183. tenantId:
  9184. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9185. type: string
  9186. vaultUrl:
  9187. description: Vault URL from which the secrets are fetched.
  9188. type: string
  9189. required:
  9190. - vaultUrl
  9191. type: object
  9192. beyondtrust:
  9193. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9194. properties:
  9195. auth:
  9196. description: Auth configures how the operator authenticates with Beyondtrust.
  9197. properties:
  9198. apiKey:
  9199. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  9200. properties:
  9201. secretRef:
  9202. description: SecretRef references a key in a secret that will be used as value.
  9203. properties:
  9204. key:
  9205. description: |-
  9206. A key in the referenced Secret.
  9207. Some instances of this field may be defaulted, in others it may be required.
  9208. maxLength: 253
  9209. minLength: 1
  9210. pattern: ^[-._a-zA-Z0-9]+$
  9211. type: string
  9212. name:
  9213. description: The name of the Secret resource being referred to.
  9214. maxLength: 253
  9215. minLength: 1
  9216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9217. type: string
  9218. namespace:
  9219. description: |-
  9220. The namespace of the Secret resource being referred to.
  9221. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9222. maxLength: 63
  9223. minLength: 1
  9224. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9225. type: string
  9226. type: object
  9227. value:
  9228. description: Value can be specified directly to set a value without using a secret; the value is then stored in plaintext in this resource rather than in a Secret.
  9229. type: string
  9230. type: object
  9231. certificate:
  9232. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9233. properties:
  9234. secretRef:
  9235. description: SecretRef references a key in a secret that will be used as value.
  9236. properties:
  9237. key:
  9238. description: |-
  9239. A key in the referenced Secret.
  9240. Some instances of this field may be defaulted, in others it may be required.
  9241. maxLength: 253
  9242. minLength: 1
  9243. pattern: ^[-._a-zA-Z0-9]+$
  9244. type: string
  9245. name:
  9246. description: The name of the Secret resource being referred to.
  9247. maxLength: 253
  9248. minLength: 1
  9249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9250. type: string
  9251. namespace:
  9252. description: |-
  9253. The namespace of the Secret resource being referred to.
  9254. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9255. maxLength: 63
  9256. minLength: 1
  9257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9258. type: string
  9259. type: object
  9260. value:
  9261. description: Value can be specified directly to set a value without using a secret.
  9262. type: string
  9263. type: object
  9264. certificateKey:
  9265. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  9266. properties:
  9267. secretRef:
  9268. description: SecretRef references a key in a secret that will be used as value.
  9269. properties:
  9270. key:
  9271. description: |-
  9272. A key in the referenced Secret.
  9273. Some instances of this field may be defaulted, in others it may be required.
  9274. maxLength: 253
  9275. minLength: 1
  9276. pattern: ^[-._a-zA-Z0-9]+$
  9277. type: string
  9278. name:
  9279. description: The name of the Secret resource being referred to.
  9280. maxLength: 253
  9281. minLength: 1
  9282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9283. type: string
  9284. namespace:
  9285. description: |-
  9286. The namespace of the Secret resource being referred to.
  9287. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9288. maxLength: 63
  9289. minLength: 1
  9290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9291. type: string
  9292. type: object
  9293. value:
9294. description: Value can be specified directly to set a value without using a secret. An inline value becomes part of this resource's spec and is readable by anyone who can read the resource; for private key material prefer secretRef.
  9295. type: string
  9296. type: object
  9297. clientId:
  9298. description: ClientID is the API OAuth Client ID.
  9299. properties:
  9300. secretRef:
  9301. description: SecretRef references a key in a secret that will be used as value.
  9302. properties:
  9303. key:
  9304. description: |-
  9305. A key in the referenced Secret.
  9306. Some instances of this field may be defaulted, in others it may be required.
  9307. maxLength: 253
  9308. minLength: 1
  9309. pattern: ^[-._a-zA-Z0-9]+$
  9310. type: string
  9311. name:
  9312. description: The name of the Secret resource being referred to.
  9313. maxLength: 253
  9314. minLength: 1
  9315. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9316. type: string
  9317. namespace:
  9318. description: |-
  9319. The namespace of the Secret resource being referred to.
  9320. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9321. maxLength: 63
  9322. minLength: 1
  9323. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9324. type: string
  9325. type: object
  9326. value:
  9327. description: Value can be specified directly to set a value without using a secret.
  9328. type: string
  9329. type: object
  9330. clientSecret:
  9331. description: ClientSecret is the API OAuth Client Secret.
  9332. properties:
  9333. secretRef:
  9334. description: SecretRef references a key in a secret that will be used as value.
  9335. properties:
  9336. key:
  9337. description: |-
  9338. A key in the referenced Secret.
  9339. Some instances of this field may be defaulted, in others it may be required.
  9340. maxLength: 253
  9341. minLength: 1
  9342. pattern: ^[-._a-zA-Z0-9]+$
  9343. type: string
  9344. name:
  9345. description: The name of the Secret resource being referred to.
  9346. maxLength: 253
  9347. minLength: 1
  9348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9349. type: string
  9350. namespace:
  9351. description: |-
  9352. The namespace of the Secret resource being referred to.
  9353. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9354. maxLength: 63
  9355. minLength: 1
  9356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9357. type: string
  9358. type: object
  9359. value:
9360. description: Value can be specified directly to set a value without using a secret. An inline value becomes part of this resource's spec and is readable by anyone who can read the resource; for a client secret prefer secretRef.
  9361. type: string
  9362. type: object
  9363. type: object
  9364. server:
  9365. description: Auth configures how API server works.
  9366. properties:
  9367. apiUrl:
  9368. type: string
  9369. apiVersion:
  9370. type: string
  9371. clientTimeOutSeconds:
  9372. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9373. type: integer
  9374. decrypt:
  9375. default: true
  9376. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9377. type: boolean
  9378. retrievalType:
  9379. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9380. type: string
  9381. separator:
  9382. description: A character that separates the folder names.
  9383. type: string
  9384. verifyCA:
  9385. type: boolean
  9386. required:
  9387. - apiUrl
  9388. - verifyCA
  9389. type: object
  9390. required:
  9391. - auth
  9392. - server
  9393. type: object
  9394. bitwardensecretsmanager:
  9395. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9396. properties:
  9397. apiURL:
  9398. type: string
  9399. auth:
  9400. description: |-
  9401. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
9402. Make sure that the access token being used has permissions on the referenced secrets.
  9403. properties:
  9404. secretRef:
  9405. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9406. properties:
  9407. credentials:
  9408. description: AccessToken used for the bitwarden instance.
  9409. properties:
  9410. key:
  9411. description: |-
  9412. A key in the referenced Secret.
  9413. Some instances of this field may be defaulted, in others it may be required.
  9414. maxLength: 253
  9415. minLength: 1
  9416. pattern: ^[-._a-zA-Z0-9]+$
  9417. type: string
  9418. name:
  9419. description: The name of the Secret resource being referred to.
  9420. maxLength: 253
  9421. minLength: 1
  9422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9423. type: string
  9424. namespace:
  9425. description: |-
  9426. The namespace of the Secret resource being referred to.
  9427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9428. maxLength: 63
  9429. minLength: 1
  9430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9431. type: string
  9432. type: object
  9433. required:
  9434. - credentials
  9435. type: object
  9436. required:
  9437. - secretRef
  9438. type: object
  9439. bitwardenServerSDKURL:
  9440. type: string
  9441. caBundle:
  9442. description: |-
9443. Base64 encoded CA certificate used to verify the TLS certificate of the bitwarden server sdk. The sdk MUST be reached over HTTPS so that
9444. the connection cannot be intercepted (man-in-the-middle).
  9445. type: string
  9446. caProvider:
  9447. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9448. properties:
  9449. key:
  9450. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9451. maxLength: 253
  9452. minLength: 1
  9453. pattern: ^[-._a-zA-Z0-9]+$
  9454. type: string
  9455. name:
  9456. description: The name of the object located at the provider type.
  9457. maxLength: 253
  9458. minLength: 1
  9459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9460. type: string
  9461. namespace:
  9462. description: |-
  9463. The namespace the Provider type is in.
  9464. Can only be defined when used in a ClusterSecretStore.
  9465. maxLength: 63
  9466. minLength: 1
  9467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9468. type: string
  9469. type:
  9470. description: The type of provider to use such as "Secret", or "ConfigMap".
  9471. enum:
  9472. - Secret
  9473. - ConfigMap
  9474. type: string
  9475. required:
  9476. - name
  9477. - type
  9478. type: object
  9479. identityURL:
  9480. type: string
  9481. organizationID:
  9482. description: OrganizationID determines which organization this secret store manages.
  9483. type: string
  9484. projectID:
  9485. description: ProjectID determines which project this secret store manages.
  9486. type: string
  9487. required:
  9488. - auth
  9489. - organizationID
  9490. - projectID
  9491. type: object
  9492. chef:
  9493. description: Chef configures this store to sync secrets with chef server
  9494. properties:
  9495. auth:
  9496. description: Auth defines the information necessary to authenticate against chef Server
  9497. properties:
  9498. secretRef:
  9499. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9500. properties:
  9501. privateKeySecretRef:
  9502. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9503. properties:
  9504. key:
  9505. description: |-
  9506. A key in the referenced Secret.
  9507. Some instances of this field may be defaulted, in others it may be required.
  9508. maxLength: 253
  9509. minLength: 1
  9510. pattern: ^[-._a-zA-Z0-9]+$
  9511. type: string
  9512. name:
  9513. description: The name of the Secret resource being referred to.
  9514. maxLength: 253
  9515. minLength: 1
  9516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9517. type: string
  9518. namespace:
  9519. description: |-
  9520. The namespace of the Secret resource being referred to.
  9521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9522. maxLength: 63
  9523. minLength: 1
  9524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9525. type: string
  9526. type: object
  9527. required:
  9528. - privateKeySecretRef
  9529. type: object
  9530. required:
  9531. - secretRef
  9532. type: object
  9533. serverUrl:
9534. description: ServerURL is the chef server URL to connect to. If using organizations, include the organization in the URL and terminate the URL with a "/".
  9535. type: string
  9536. username:
  9537. description: UserName should be the user ID on the chef server
  9538. type: string
  9539. required:
  9540. - auth
  9541. - serverUrl
  9542. - username
  9543. type: object
  9544. cloudrusm:
  9545. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9546. properties:
  9547. auth:
  9548. description: CSMAuth contains a secretRef for credentials.
  9549. properties:
  9550. secretRef:
  9551. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9552. properties:
  9553. accessKeyIDSecretRef:
  9554. description: The AccessKeyID is used for authentication
  9555. properties:
  9556. key:
  9557. description: |-
  9558. A key in the referenced Secret.
  9559. Some instances of this field may be defaulted, in others it may be required.
  9560. maxLength: 253
  9561. minLength: 1
  9562. pattern: ^[-._a-zA-Z0-9]+$
  9563. type: string
  9564. name:
  9565. description: The name of the Secret resource being referred to.
  9566. maxLength: 253
  9567. minLength: 1
  9568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9569. type: string
  9570. namespace:
  9571. description: |-
  9572. The namespace of the Secret resource being referred to.
  9573. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9574. maxLength: 63
  9575. minLength: 1
  9576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9577. type: string
  9578. type: object
  9579. accessKeySecretSecretRef:
  9580. description: The AccessKeySecret is used for authentication
  9581. properties:
  9582. key:
  9583. description: |-
  9584. A key in the referenced Secret.
  9585. Some instances of this field may be defaulted, in others it may be required.
  9586. maxLength: 253
  9587. minLength: 1
  9588. pattern: ^[-._a-zA-Z0-9]+$
  9589. type: string
  9590. name:
  9591. description: The name of the Secret resource being referred to.
  9592. maxLength: 253
  9593. minLength: 1
  9594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9595. type: string
  9596. namespace:
  9597. description: |-
  9598. The namespace of the Secret resource being referred to.
  9599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9600. maxLength: 63
  9601. minLength: 1
  9602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9603. type: string
  9604. type: object
  9605. required:
  9606. - accessKeyIDSecretRef
  9607. - accessKeySecretSecretRef
  9608. type: object
  9609. type: object
  9610. projectID:
9611. description: ProjectID is the project in which the secrets are stored.
  9612. type: string
  9613. required:
  9614. - auth
  9615. type: object
  9616. conjur:
  9617. description: Conjur configures this store to sync secrets using conjur provider
  9618. properties:
  9619. auth:
  9620. description: Defines authentication settings for connecting to Conjur.
  9621. properties:
  9622. apikey:
  9623. description: Authenticates with Conjur using an API key.
  9624. properties:
  9625. account:
  9626. description: Account is the Conjur organization account name.
  9627. type: string
  9628. apiKeyRef:
  9629. description: |-
  9630. A reference to a specific 'key' containing the Conjur API key
  9631. within a Secret resource. In some instances, `key` is a required field.
  9632. properties:
  9633. key:
  9634. description: |-
  9635. A key in the referenced Secret.
  9636. Some instances of this field may be defaulted, in others it may be required.
  9637. maxLength: 253
  9638. minLength: 1
  9639. pattern: ^[-._a-zA-Z0-9]+$
  9640. type: string
  9641. name:
  9642. description: The name of the Secret resource being referred to.
  9643. maxLength: 253
  9644. minLength: 1
  9645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9646. type: string
  9647. namespace:
  9648. description: |-
  9649. The namespace of the Secret resource being referred to.
  9650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9651. maxLength: 63
  9652. minLength: 1
  9653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9654. type: string
  9655. type: object
  9656. userRef:
  9657. description: |-
  9658. A reference to a specific 'key' containing the Conjur username
  9659. within a Secret resource. In some instances, `key` is a required field.
  9660. properties:
  9661. key:
  9662. description: |-
  9663. A key in the referenced Secret.
  9664. Some instances of this field may be defaulted, in others it may be required.
  9665. maxLength: 253
  9666. minLength: 1
  9667. pattern: ^[-._a-zA-Z0-9]+$
  9668. type: string
  9669. name:
  9670. description: The name of the Secret resource being referred to.
  9671. maxLength: 253
  9672. minLength: 1
  9673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9674. type: string
  9675. namespace:
  9676. description: |-
  9677. The namespace of the Secret resource being referred to.
  9678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9679. maxLength: 63
  9680. minLength: 1
  9681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9682. type: string
  9683. type: object
  9684. required:
  9685. - account
  9686. - apiKeyRef
  9687. - userRef
  9688. type: object
  9689. jwt:
  9690. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  9691. properties:
  9692. account:
  9693. description: Account is the Conjur organization account name.
  9694. type: string
  9695. hostId:
  9696. description: |-
  9697. Optional HostID for JWT authentication. This may be used depending
  9698. on how the Conjur JWT authenticator policy is configured.
  9699. type: string
  9700. secretRef:
  9701. description: |-
9702. Optional SecretRef that refers to a key in a Secret resource containing a JWT token used to
9703. authenticate with Conjur via the JWT authentication method.
  9704. properties:
  9705. key:
  9706. description: |-
  9707. A key in the referenced Secret.
  9708. Some instances of this field may be defaulted, in others it may be required.
  9709. maxLength: 253
  9710. minLength: 1
  9711. pattern: ^[-._a-zA-Z0-9]+$
  9712. type: string
  9713. name:
  9714. description: The name of the Secret resource being referred to.
  9715. maxLength: 253
  9716. minLength: 1
  9717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9718. type: string
  9719. namespace:
  9720. description: |-
  9721. The namespace of the Secret resource being referred to.
  9722. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9723. maxLength: 63
  9724. minLength: 1
  9725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9726. type: string
  9727. type: object
  9728. serviceAccountRef:
  9729. description: |-
9730. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
9731. a token with the `TokenRequest` API.
  9732. properties:
  9733. audiences:
  9734. description: |-
  9735. Audience specifies the `aud` claim for the service account token
9736. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
9737. then these audiences will be appended to the list
  9738. items:
  9739. type: string
  9740. type: array
  9741. name:
  9742. description: The name of the ServiceAccount resource being referred to.
  9743. maxLength: 253
  9744. minLength: 1
  9745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9746. type: string
  9747. namespace:
  9748. description: |-
  9749. Namespace of the resource being referred to.
  9750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9751. maxLength: 63
  9752. minLength: 1
  9753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9754. type: string
  9755. required:
  9756. - name
  9757. type: object
  9758. serviceID:
9759. description: The Conjur authn-jwt web service ID.
  9760. type: string
  9761. required:
  9762. - account
  9763. - serviceID
  9764. type: object
  9765. type: object
  9766. caBundle:
  9767. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  9768. type: string
  9769. caProvider:
  9770. description: |-
  9771. Used to provide custom certificate authority (CA) certificates
  9772. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  9773. that contains a PEM-encoded certificate.
  9774. properties:
  9775. key:
  9776. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9777. maxLength: 253
  9778. minLength: 1
  9779. pattern: ^[-._a-zA-Z0-9]+$
  9780. type: string
  9781. name:
  9782. description: The name of the object located at the provider type.
  9783. maxLength: 253
  9784. minLength: 1
  9785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9786. type: string
  9787. namespace:
  9788. description: |-
  9789. The namespace the Provider type is in.
  9790. Can only be defined when used in a ClusterSecretStore.
  9791. maxLength: 63
  9792. minLength: 1
  9793. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9794. type: string
  9795. type:
  9796. description: The type of provider to use such as "Secret", or "ConfigMap".
  9797. enum:
  9798. - Secret
  9799. - ConfigMap
  9800. type: string
  9801. required:
  9802. - name
  9803. - type
  9804. type: object
  9805. url:
  9806. description: URL is the endpoint of the Conjur instance.
  9807. type: string
  9808. required:
  9809. - auth
  9810. - url
  9811. type: object
  9812. delinea:
  9813. description: |-
  9814. Delinea DevOps Secrets Vault
  9815. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  9816. properties:
  9817. clientId:
  9818. description: ClientID is the non-secret part of the credential.
  9819. properties:
  9820. secretRef:
  9821. description: SecretRef references a key in a secret that will be used as value.
  9822. properties:
  9823. key:
  9824. description: |-
  9825. A key in the referenced Secret.
  9826. Some instances of this field may be defaulted, in others it may be required.
  9827. maxLength: 253
  9828. minLength: 1
  9829. pattern: ^[-._a-zA-Z0-9]+$
  9830. type: string
  9831. name:
  9832. description: The name of the Secret resource being referred to.
  9833. maxLength: 253
  9834. minLength: 1
  9835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9836. type: string
  9837. namespace:
  9838. description: |-
  9839. The namespace of the Secret resource being referred to.
  9840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9841. maxLength: 63
  9842. minLength: 1
  9843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9844. type: string
  9845. type: object
  9846. value:
  9847. description: Value can be specified directly to set a value without using a secret.
  9848. type: string
  9849. type: object
  9850. clientSecret:
  9851. description: ClientSecret is the secret part of the credential.
  9852. properties:
  9853. secretRef:
  9854. description: SecretRef references a key in a secret that will be used as value.
  9855. properties:
  9856. key:
  9857. description: |-
  9858. A key in the referenced Secret.
  9859. Some instances of this field may be defaulted, in others it may be required.
  9860. maxLength: 253
  9861. minLength: 1
  9862. pattern: ^[-._a-zA-Z0-9]+$
  9863. type: string
  9864. name:
  9865. description: The name of the Secret resource being referred to.
  9866. maxLength: 253
  9867. minLength: 1
  9868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9869. type: string
  9870. namespace:
  9871. description: |-
  9872. The namespace of the Secret resource being referred to.
  9873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9874. maxLength: 63
  9875. minLength: 1
  9876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9877. type: string
  9878. type: object
  9879. value:
9880. description: Value can be specified directly to set a value without using a secret. An inline value becomes part of this resource's spec and is readable by anyone who can read the resource; for a client secret prefer secretRef.
  9881. type: string
  9882. type: object
  9883. tenant:
  9884. description: Tenant is the chosen hostname / site name.
  9885. type: string
  9886. tld:
  9887. description: |-
  9888. TLD is based on the server location that was chosen during provisioning.
  9889. If unset, defaults to "com".
  9890. type: string
  9891. urlTemplate:
  9892. description: |-
  9893. URLTemplate
  9894. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  9895. type: string
  9896. required:
  9897. - clientId
  9898. - clientSecret
  9899. - tenant
  9900. type: object
  9901. device42:
  9902. description: Device42 configures this store to sync secrets using the Device42 provider
  9903. properties:
  9904. auth:
  9905. description: Auth configures how secret-manager authenticates with a Device42 instance.
  9906. properties:
  9907. secretRef:
  9908. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  9909. properties:
  9910. credentials:
  9911. description: Username / Password is used for authentication.
  9912. properties:
  9913. key:
  9914. description: |-
  9915. A key in the referenced Secret.
  9916. Some instances of this field may be defaulted, in others it may be required.
  9917. maxLength: 253
  9918. minLength: 1
  9919. pattern: ^[-._a-zA-Z0-9]+$
  9920. type: string
  9921. name:
  9922. description: The name of the Secret resource being referred to.
  9923. maxLength: 253
  9924. minLength: 1
  9925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9926. type: string
  9927. namespace:
  9928. description: |-
  9929. The namespace of the Secret resource being referred to.
  9930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9931. maxLength: 63
  9932. minLength: 1
  9933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9934. type: string
  9935. type: object
  9936. type: object
  9937. required:
  9938. - secretRef
  9939. type: object
  9940. host:
9941. description: Host is the URL of the Device42 instance to connect to.
  9942. type: string
  9943. required:
  9944. - auth
  9945. - host
  9946. type: object
  9947. doppler:
  9948. description: Doppler configures this store to sync secrets using the Doppler provider
  9949. properties:
  9950. auth:
  9951. description: Auth configures how the Operator authenticates with the Doppler API
  9952. properties:
  9953. secretRef:
  9954. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  9955. properties:
  9956. dopplerToken:
  9957. description: |-
  9958. The DopplerToken is used for authentication.
  9959. See https://docs.doppler.com/reference/api#authentication for auth token types.
  9960. The Key attribute defaults to dopplerToken if not specified.
  9961. properties:
  9962. key:
  9963. description: |-
  9964. A key in the referenced Secret.
  9965. Some instances of this field may be defaulted, in others it may be required.
  9966. maxLength: 253
  9967. minLength: 1
  9968. pattern: ^[-._a-zA-Z0-9]+$
  9969. type: string
  9970. name:
  9971. description: The name of the Secret resource being referred to.
  9972. maxLength: 253
  9973. minLength: 1
  9974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9975. type: string
  9976. namespace:
  9977. description: |-
  9978. The namespace of the Secret resource being referred to.
  9979. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9980. maxLength: 63
  9981. minLength: 1
  9982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9983. type: string
  9984. type: object
  9985. required:
  9986. - dopplerToken
  9987. type: object
  9988. required:
  9989. - secretRef
  9990. type: object
  9991. config:
  9992. description: Doppler config (required if not using a Service Token)
  9993. type: string
  9994. format:
  9995. description: Format enables the downloading of secrets as a file (string)
  9996. enum:
  9997. - json
  9998. - dotnet-json
  9999. - env
  10000. - yaml
  10001. - docker
  10002. type: string
  10003. nameTransformer:
  10004. description: Environment variable compatible name transforms that change secret names to a different format
  10005. enum:
  10006. - upper-camel
  10007. - camel
  10008. - lower-snake
  10009. - tf-var
  10010. - dotnet-env
  10011. - lower-kebab
  10012. type: string
  10013. project:
  10014. description: Doppler project (required if not using a Service Token)
  10015. type: string
  10016. required:
  10017. - auth
  10018. type: object
  10019. fake:
  10020. description: Fake configures a store with static key/value pairs
  10021. properties:
  10022. data:
  10023. items:
  10024. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10025. properties:
  10026. key:
  10027. type: string
  10028. value:
  10029. type: string
  10030. version:
  10031. type: string
  10032. required:
  10033. - key
  10034. - value
  10035. type: object
  10036. type: array
  10037. required:
  10038. - data
  10039. type: object
  10040. fortanix:
  10041. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10042. properties:
  10043. apiKey:
  10044. description: APIKey is the API token to access SDKMS Applications.
  10045. properties:
  10046. secretRef:
  10047. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10048. properties:
  10049. key:
  10050. description: |-
  10051. A key in the referenced Secret.
  10052. Some instances of this field may be defaulted, in others it may be required.
  10053. maxLength: 253
  10054. minLength: 1
  10055. pattern: ^[-._a-zA-Z0-9]+$
  10056. type: string
  10057. name:
  10058. description: The name of the Secret resource being referred to.
  10059. maxLength: 253
  10060. minLength: 1
  10061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10062. type: string
  10063. namespace:
  10064. description: |-
  10065. The namespace of the Secret resource being referred to.
  10066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10067. maxLength: 63
  10068. minLength: 1
  10069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10070. type: string
  10071. type: object
  10072. type: object
  10073. apiUrl:
  10074. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10075. type: string
  10076. type: object
  10077. gcpsm:
  10078. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10079. properties:
  10080. auth:
  10081. description: Auth defines the information necessary to authenticate against GCP
  10082. properties:
  10083. secretRef:
  10084. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10085. properties:
  10086. secretAccessKeySecretRef:
  10087. description: The SecretAccessKey is used for authentication
  10088. properties:
  10089. key:
  10090. description: |-
  10091. A key in the referenced Secret.
  10092. Some instances of this field may be defaulted, in others it may be required.
  10093. maxLength: 253
  10094. minLength: 1
  10095. pattern: ^[-._a-zA-Z0-9]+$
  10096. type: string
  10097. name:
  10098. description: The name of the Secret resource being referred to.
  10099. maxLength: 253
  10100. minLength: 1
  10101. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10102. type: string
  10103. namespace:
  10104. description: |-
  10105. The namespace of the Secret resource being referred to.
  10106. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10107. maxLength: 63
  10108. minLength: 1
  10109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10110. type: string
  10111. type: object
  10112. type: object
  10113. workloadIdentity:
  10114. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10115. properties:
  10116. clusterLocation:
  10117. description: |-
  10118. ClusterLocation is the location of the cluster
  10119. If not specified, it fetches information from the metadata server
  10120. type: string
  10121. clusterName:
  10122. description: |-
  10123. ClusterName is the name of the cluster
  10124. If not specified, it fetches information from the metadata server
  10125. type: string
  10126. clusterProjectID:
  10127. description: |-
  10128. ClusterProjectID is the project ID of the cluster
  10129. If not specified, it fetches information from the metadata server
  10130. type: string
  10131. serviceAccountRef:
  10132. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10133. properties:
  10134. audiences:
  10135. description: |-
  10136. Audience specifies the `aud` claim for the service account token
10137. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
10138. then these audiences will be appended to the list
  10139. items:
  10140. type: string
  10141. type: array
  10142. name:
  10143. description: The name of the ServiceAccount resource being referred to.
  10144. maxLength: 253
  10145. minLength: 1
  10146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10147. type: string
  10148. namespace:
  10149. description: |-
  10150. Namespace of the resource being referred to.
  10151. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10152. maxLength: 63
  10153. minLength: 1
  10154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10155. type: string
  10156. required:
  10157. - name
  10158. type: object
  10159. required:
  10160. - serviceAccountRef
  10161. type: object
  10162. type: object
  10163. location:
  10164. description: Location optionally defines a location for a secret
  10165. type: string
  10166. projectID:
  10167. description: ProjectID is the GCP project where the secret is located
  10168. type: string
  10169. type: object
  10170. github:
  10171. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10172. properties:
  10173. appID:
  10174. description: appID specifies the GitHub App that will be used to authenticate the client
  10175. format: int64
  10176. type: integer
  10177. auth:
  10178. description: auth configures how secret-manager authenticates with a Github instance.
  10179. properties:
  10180. privateKey:
  10181. description: |-
  10182. SecretKeySelector referencing the Secret key that holds the GitHub App private key used to authenticate the client.
  10183. In some instances, `key` is a required field.
  10184. properties:
  10185. key:
  10186. description: |-
  10187. A key in the referenced Secret.
  10188. Some instances of this field may be defaulted, in others it may be required.
  10189. maxLength: 253
  10190. minLength: 1
  10191. pattern: ^[-._a-zA-Z0-9]+$
  10192. type: string
  10193. name:
  10194. description: The name of the Secret resource being referred to.
  10195. maxLength: 253
  10196. minLength: 1
  10197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10198. type: string
  10199. namespace:
  10200. description: |-
  10201. The namespace of the Secret resource being referred to.
  10202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10203. maxLength: 63
  10204. minLength: 1
  10205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10206. type: string
  10207. type: object
  10208. required:
  10209. - privateKey
  10210. type: object
  10211. environment:
  10212. description: environment will be used to fetch secrets from a particular environment within a github repository
  10213. type: string
  10214. installationID:
  10215. description: installationID specifies the GitHub App installation that will be used to authenticate the client
  10216. format: int64
  10217. type: integer
  10218. organization:
  10219. description: organization will be used to fetch secrets from the Github organization
  10220. type: string
  10221. repository:
  10222. description: repository will be used to fetch secrets from the Github repository within an organization
  10223. type: string
  10224. uploadURL:
  10225. description: Upload URL for enterprise instances. Defaults to the value of `url`.
  10226. type: string
  10227. url:
  10228. default: https://github.com/
  10229. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10230. type: string
  10231. required:
  10232. - appID
  10233. - auth
  10234. - installationID
  10235. - organization
  10236. type: object
  10237. gitlab:
  10238. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10239. properties:
  10240. auth:
  10241. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10242. properties:
  10243. SecretRef:
  10244. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10245. properties:
  10246. accessToken:
  10247. description: AccessToken is used for authentication.
  10248. properties:
  10249. key:
  10250. description: |-
  10251. A key in the referenced Secret.
  10252. Some instances of this field may be defaulted, in others it may be required.
  10253. maxLength: 253
  10254. minLength: 1
  10255. pattern: ^[-._a-zA-Z0-9]+$
  10256. type: string
  10257. name:
  10258. description: The name of the Secret resource being referred to.
  10259. maxLength: 253
  10260. minLength: 1
  10261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10262. type: string
  10263. namespace:
  10264. description: |-
  10265. The namespace of the Secret resource being referred to.
  10266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10267. maxLength: 63
  10268. minLength: 1
  10269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10270. type: string
  10271. type: object
  10272. type: object
  10273. required:
  10274. - SecretRef
  10275. type: object
  10276. caBundle:
  10277. description: |-
  10278. Base64-encoded CA certificate used by the GitLab client SDK to verify the GitLab server's TLS certificate. The SDK MUST connect over HTTPS so that a MITM attack
  10279. cannot be performed.
  10280. format: byte
  10281. type: string
  10282. caProvider:
  10283. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10284. properties:
  10285. key:
  10286. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10287. maxLength: 253
  10288. minLength: 1
  10289. pattern: ^[-._a-zA-Z0-9]+$
  10290. type: string
  10291. name:
  10292. description: The name of the object located at the provider type.
  10293. maxLength: 253
  10294. minLength: 1
  10295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10296. type: string
  10297. namespace:
  10298. description: |-
  10299. The namespace the Provider type is in.
  10300. Can only be defined when used in a ClusterSecretStore.
  10301. maxLength: 63
  10302. minLength: 1
  10303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10304. type: string
  10305. type:
  10306. description: The type of provider to use such as "Secret", or "ConfigMap".
  10307. enum:
  10308. - Secret
  10309. - ConfigMap
  10310. type: string
  10311. required:
  10312. - name
  10313. - type
  10314. type: object
  10315. environment:
  10316. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10317. type: string
  10318. groupIDs:
  10319. description: GroupIDs specifies which GitLab groups to pull secrets from. Group variables are read from left to right, followed by the project variables.
  10320. items:
  10321. type: string
  10322. type: array
  10323. inheritFromGroups:
  10324. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10325. type: boolean
  10326. projectID:
  10327. description: ProjectID specifies a project where secrets are located.
  10328. type: string
  10329. url:
  10330. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/. Use an https:// URL so the server certificate can be verified (see caBundle/caProvider).
  10331. type: string
  10332. required:
  10333. - auth
  10334. type: object
  10335. ibm:
  10336. description: IBM configures this store to sync secrets using IBM Cloud provider
  10337. properties:
  10338. auth:
  10339. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10340. maxProperties: 1
  10341. minProperties: 1
  10342. properties:
  10343. containerAuth:
  10344. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10345. properties:
  10346. iamEndpoint:
  10347. type: string
  10348. profile:
  10349. description: the IBM Trusted Profile
  10350. type: string
  10351. tokenLocation:
  10352. description: Filesystem path on the pod where the token is mounted
  10353. type: string
  10354. required:
  10355. - profile
  10356. type: object
  10357. secretRef:
  10358. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10359. properties:
  10360. secretApiKeySecretRef:
  10361. description: SecretApiKeySecretRef references the Secret key holding the IBM Cloud API key used for authentication
  10362. properties:
  10363. key:
  10364. description: |-
  10365. A key in the referenced Secret.
  10366. Some instances of this field may be defaulted, in others it may be required.
  10367. maxLength: 253
  10368. minLength: 1
  10369. pattern: ^[-._a-zA-Z0-9]+$
  10370. type: string
  10371. name:
  10372. description: The name of the Secret resource being referred to.
  10373. maxLength: 253
  10374. minLength: 1
  10375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10376. type: string
  10377. namespace:
  10378. description: |-
  10379. The namespace of the Secret resource being referred to.
  10380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10381. maxLength: 63
  10382. minLength: 1
  10383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10384. type: string
  10385. type: object
  10386. type: object
  10387. type: object
  10388. serviceUrl:
  10389. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10390. type: string
  10391. required:
  10392. - auth
  10393. type: object
  10394. infisical:
  10395. description: Infisical configures this store to sync secrets using the Infisical provider
  10396. properties:
  10397. auth:
  10398. description: Auth configures how the Operator authenticates with the Infisical API
  10399. properties:
  10400. universalAuthCredentials:
  10401. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10402. properties:
  10403. clientId:
  10404. description: |-
  10405. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10406. In some instances, `key` is a required field.
  10407. properties:
  10408. key:
  10409. description: |-
  10410. A key in the referenced Secret.
  10411. Some instances of this field may be defaulted, in others it may be required.
  10412. maxLength: 253
  10413. minLength: 1
  10414. pattern: ^[-._a-zA-Z0-9]+$
  10415. type: string
  10416. name:
  10417. description: The name of the Secret resource being referred to.
  10418. maxLength: 253
  10419. minLength: 1
  10420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10421. type: string
  10422. namespace:
  10423. description: |-
  10424. The namespace of the Secret resource being referred to.
  10425. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10426. maxLength: 63
  10427. minLength: 1
  10428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10429. type: string
  10430. type: object
  10431. clientSecret:
  10432. description: |-
  10433. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10434. In some instances, `key` is a required field.
  10435. properties:
  10436. key:
  10437. description: |-
  10438. A key in the referenced Secret.
  10439. Some instances of this field may be defaulted, in others it may be required.
  10440. maxLength: 253
  10441. minLength: 1
  10442. pattern: ^[-._a-zA-Z0-9]+$
  10443. type: string
  10444. name:
  10445. description: The name of the Secret resource being referred to.
  10446. maxLength: 253
  10447. minLength: 1
  10448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10449. type: string
  10450. namespace:
  10451. description: |-
  10452. The namespace of the Secret resource being referred to.
  10453. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10454. maxLength: 63
  10455. minLength: 1
  10456. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10457. type: string
  10458. type: object
  10459. required:
  10460. - clientId
  10461. - clientSecret
  10462. type: object
  10463. type: object
  10464. hostAPI:
  10465. default: https://app.infisical.com/api
  10466. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10467. type: string
  10468. secretsScope:
  10469. description: SecretsScope defines the scope of the secrets within the workspace
  10470. properties:
  10471. environmentSlug:
  10472. description: EnvironmentSlug is the required slug identifier for the environment.
  10473. type: string
  10474. expandSecretReferences:
  10475. default: true
  10476. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10477. type: boolean
  10478. projectSlug:
  10479. description: ProjectSlug is the required slug identifier for the project.
  10480. type: string
  10481. recursive:
  10482. default: false
  10483. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10484. type: boolean
  10485. secretsPath:
  10486. default: /
  10487. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10488. type: string
  10489. required:
  10490. - environmentSlug
  10491. - projectSlug
  10492. type: object
  10493. required:
  10494. - auth
  10495. - secretsScope
  10496. type: object
  10497. keepersecurity:
  10498. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10499. properties:
  10500. authRef:
  10501. description: |-
  10502. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10503. In some instances, `key` is a required field.
  10504. properties:
  10505. key:
  10506. description: |-
  10507. A key in the referenced Secret.
  10508. Some instances of this field may be defaulted, in others it may be required.
  10509. maxLength: 253
  10510. minLength: 1
  10511. pattern: ^[-._a-zA-Z0-9]+$
  10512. type: string
  10513. name:
  10514. description: The name of the Secret resource being referred to.
  10515. maxLength: 253
  10516. minLength: 1
  10517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10518. type: string
  10519. namespace:
  10520. description: |-
  10521. The namespace of the Secret resource being referred to.
  10522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10523. maxLength: 63
  10524. minLength: 1
  10525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10526. type: string
  10527. type: object
  10528. folderID:
  10529. type: string
  10530. required:
  10531. - authRef
  10532. - folderID
  10533. type: object
  10534. kubernetes:
  10535. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10536. properties:
  10537. auth:
  10538. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10539. maxProperties: 1
  10540. minProperties: 1
  10541. properties:
  10542. cert:
  10543. description: Client certificate authentication; both clientCert and clientKey are SecretKeySelectors referencing the certificate and its private key
  10544. properties:
  10545. clientCert:
  10546. description: |-
  10547. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10548. In some instances, `key` is a required field.
  10549. properties:
  10550. key:
  10551. description: |-
  10552. A key in the referenced Secret.
  10553. Some instances of this field may be defaulted, in others it may be required.
  10554. maxLength: 253
  10555. minLength: 1
  10556. pattern: ^[-._a-zA-Z0-9]+$
  10557. type: string
  10558. name:
  10559. description: The name of the Secret resource being referred to.
  10560. maxLength: 253
  10561. minLength: 1
  10562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10563. type: string
  10564. namespace:
  10565. description: |-
  10566. The namespace of the Secret resource being referred to.
  10567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10568. maxLength: 63
  10569. minLength: 1
  10570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10571. type: string
  10572. type: object
  10573. clientKey:
  10574. description: |-
  10575. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10576. In some instances, `key` is a required field.
  10577. properties:
  10578. key:
  10579. description: |-
  10580. A key in the referenced Secret.
  10581. Some instances of this field may be defaulted, in others it may be required.
  10582. maxLength: 253
  10583. minLength: 1
  10584. pattern: ^[-._a-zA-Z0-9]+$
  10585. type: string
  10586. name:
  10587. description: The name of the Secret resource being referred to.
  10588. maxLength: 253
  10589. minLength: 1
  10590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10591. type: string
  10592. namespace:
  10593. description: |-
  10594. The namespace of the Secret resource being referred to.
  10595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10596. maxLength: 63
  10597. minLength: 1
  10598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10599. type: string
  10600. type: object
  10601. type: object
  10602. serviceAccount:
  10603. description: points to a service account that should be used for authentication
  10604. properties:
  10605. audiences:
  10606. description: |-
  10607. Audience specifies the `aud` claim for the service account token.
  10608. If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  10609. these audiences are appended to the list derived from that annotation
  10610. items:
  10611. type: string
  10612. type: array
  10613. name:
  10614. description: The name of the ServiceAccount resource being referred to.
  10615. maxLength: 253
  10616. minLength: 1
  10617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10618. type: string
  10619. namespace:
  10620. description: |-
  10621. Namespace of the resource being referred to.
  10622. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10623. maxLength: 63
  10624. minLength: 1
  10625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10626. type: string
  10627. required:
  10628. - name
  10629. type: object
  10630. token:
  10631. description: Use a static bearer token, read from the referenced Secret key, to authenticate with
  10632. properties:
  10633. bearerToken:
  10634. description: |-
  10635. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10636. In some instances, `key` is a required field.
  10637. properties:
  10638. key:
  10639. description: |-
  10640. A key in the referenced Secret.
  10641. Some instances of this field may be defaulted, in others it may be required.
  10642. maxLength: 253
  10643. minLength: 1
  10644. pattern: ^[-._a-zA-Z0-9]+$
  10645. type: string
  10646. name:
  10647. description: The name of the Secret resource being referred to.
  10648. maxLength: 253
  10649. minLength: 1
  10650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10651. type: string
  10652. namespace:
  10653. description: |-
  10654. The namespace of the Secret resource being referred to.
  10655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10656. maxLength: 63
  10657. minLength: 1
  10658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10659. type: string
  10660. type: object
  10661. type: object
  10662. type: object
  10663. authRef:
  10664. description: A reference to a secret that contains the auth information.
  10665. properties:
  10666. key:
  10667. description: |-
  10668. A key in the referenced Secret.
  10669. Some instances of this field may be defaulted, in others it may be required.
  10670. maxLength: 253
  10671. minLength: 1
  10672. pattern: ^[-._a-zA-Z0-9]+$
  10673. type: string
  10674. name:
  10675. description: The name of the Secret resource being referred to.
  10676. maxLength: 253
  10677. minLength: 1
  10678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10679. type: string
  10680. namespace:
  10681. description: |-
  10682. The namespace of the Secret resource being referred to.
  10683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10684. maxLength: 63
  10685. minLength: 1
  10686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10687. type: string
  10688. type: object
  10689. remoteNamespace:
  10690. default: default
  10691. description: Remote namespace to fetch the secrets from
  10692. maxLength: 63
  10693. minLength: 1
  10694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10695. type: string
  10696. server:
  10697. description: Configures the Kubernetes API server address and the CA used to verify its TLS certificate.
  10698. properties:
  10699. caBundle:
  10700. description: CABundle is a base64-encoded CA certificate used to verify the Kubernetes API server's TLS certificate
  10701. format: byte
  10702. type: string
  10703. caProvider:
  10704. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  10705. properties:
  10706. key:
  10707. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10708. maxLength: 253
  10709. minLength: 1
  10710. pattern: ^[-._a-zA-Z0-9]+$
  10711. type: string
  10712. name:
  10713. description: The name of the object located at the provider type.
  10714. maxLength: 253
  10715. minLength: 1
  10716. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10717. type: string
  10718. namespace:
  10719. description: |-
  10720. The namespace the Provider type is in.
  10721. Can only be defined when used in a ClusterSecretStore.
  10722. maxLength: 63
  10723. minLength: 1
  10724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10725. type: string
  10726. type:
  10727. description: The type of provider to use such as "Secret", or "ConfigMap".
  10728. enum:
  10729. - Secret
  10730. - ConfigMap
  10731. type: string
  10732. required:
  10733. - name
  10734. - type
  10735. type: object
  10736. url:
  10737. default: kubernetes.default
  10738. description: configures the Kubernetes server Address.
  10739. type: string
  10740. type: object
  10741. type: object
  10742. onboardbase:
  10743. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  10744. properties:
  10745. apiHost:
  10746. default: https://public.onboardbase.com/api/v1/
  10747. description: APIHost configures the host URL of the API for self-hosted installations; defaults to https://public.onboardbase.com/api/v1/
  10748. type: string
  10749. auth:
  10750. description: Auth configures how the Operator authenticates with the Onboardbase API
  10751. properties:
  10752. apiKeyRef:
  10753. description: |-
  10754. OnboardbaseAPIKey is the APIKey generated by an admin account.
  10755. It is used to recognize and authorize access to a project and environment within onboardbase
  10756. properties:
  10757. key:
  10758. description: |-
  10759. A key in the referenced Secret.
  10760. Some instances of this field may be defaulted, in others it may be required.
  10761. maxLength: 253
  10762. minLength: 1
  10763. pattern: ^[-._a-zA-Z0-9]+$
  10764. type: string
  10765. name:
  10766. description: The name of the Secret resource being referred to.
  10767. maxLength: 253
  10768. minLength: 1
  10769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10770. type: string
  10771. namespace:
  10772. description: |-
  10773. The namespace of the Secret resource being referred to.
  10774. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10775. maxLength: 63
  10776. minLength: 1
  10777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10778. type: string
  10779. type: object
  10780. passcodeRef:
  10781. description: OnboardbasePasscode is the passcode attached to the API Key
  10782. properties:
  10783. key:
  10784. description: |-
  10785. A key in the referenced Secret.
  10786. Some instances of this field may be defaulted, in others it may be required.
  10787. maxLength: 253
  10788. minLength: 1
  10789. pattern: ^[-._a-zA-Z0-9]+$
  10790. type: string
  10791. name:
  10792. description: The name of the Secret resource being referred to.
  10793. maxLength: 253
  10794. minLength: 1
  10795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10796. type: string
  10797. namespace:
  10798. description: |-
  10799. The namespace of the Secret resource being referred to.
  10800. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10801. maxLength: 63
  10802. minLength: 1
  10803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10804. type: string
  10805. type: object
  10806. required:
  10807. - apiKeyRef
  10808. - passcodeRef
  10809. type: object
  10810. environment:
  10811. default: development
  10812. description: Environment is the name of an environment within a project to pull the secrets from
  10813. type: string
  10814. project:
  10815. default: development
  10816. description: Project is an onboardbase project that the secrets should be pulled from
  10817. type: string
  10818. required:
  10819. - apiHost
  10820. - auth
  10821. - environment
  10822. - project
  10823. type: object
  10824. onepassword:
  10825. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  10826. properties:
  10827. auth:
  10828. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  10829. properties:
  10830. secretRef:
  10831. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  10832. properties:
  10833. connectTokenSecretRef:
  10834. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  10835. properties:
  10836. key:
  10837. description: |-
  10838. A key in the referenced Secret.
  10839. Some instances of this field may be defaulted, in others it may be required.
  10840. maxLength: 253
  10841. minLength: 1
  10842. pattern: ^[-._a-zA-Z0-9]+$
  10843. type: string
  10844. name:
  10845. description: The name of the Secret resource being referred to.
  10846. maxLength: 253
  10847. minLength: 1
  10848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10849. type: string
  10850. namespace:
  10851. description: |-
  10852. The namespace of the Secret resource being referred to.
  10853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10854. maxLength: 63
  10855. minLength: 1
  10856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10857. type: string
  10858. type: object
  10859. required:
  10860. - connectTokenSecretRef
  10861. type: object
  10862. required:
  10863. - secretRef
  10864. type: object
  10865. connectHost:
  10866. description: ConnectHost defines the OnePassword Connect Server to connect to
  10867. type: string
  10868. vaults:
  10869. additionalProperties:
  10870. type: integer
  10871. description: Vaults maps each 1Password vault name to an integer that determines the order in which vaults are searched
  10872. type: object
  10873. required:
  10874. - auth
  10875. - connectHost
  10876. - vaults
  10877. type: object
  10878. oracle:
  10879. description: Oracle configures this store to sync secrets using Oracle Vault provider
  10880. properties:
  10881. auth:
  10882. description: |-
  10883. Auth configures how secret-manager authenticates with the Oracle Vault.
  10884. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  10885. properties:
  10886. secretRef:
  10887. description: SecretRef to pass through sensitive information.
  10888. properties:
  10889. fingerprint:
  10890. description: Fingerprint is the fingerprint of the API private key.
  10891. properties:
  10892. key:
  10893. description: |-
  10894. A key in the referenced Secret.
  10895. Some instances of this field may be defaulted, in others it may be required.
  10896. maxLength: 253
  10897. minLength: 1
  10898. pattern: ^[-._a-zA-Z0-9]+$
  10899. type: string
  10900. name:
  10901. description: The name of the Secret resource being referred to.
  10902. maxLength: 253
  10903. minLength: 1
  10904. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10905. type: string
  10906. namespace:
  10907. description: |-
  10908. The namespace of the Secret resource being referred to.
  10909. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10910. maxLength: 63
  10911. minLength: 1
  10912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10913. type: string
  10914. type: object
  10915. privatekey:
  10916. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  10917. properties:
  10918. key:
  10919. description: |-
  10920. A key in the referenced Secret.
  10921. Some instances of this field may be defaulted, in others it may be required.
  10922. maxLength: 253
  10923. minLength: 1
  10924. pattern: ^[-._a-zA-Z0-9]+$
  10925. type: string
  10926. name:
  10927. description: The name of the Secret resource being referred to.
  10928. maxLength: 253
  10929. minLength: 1
  10930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10931. type: string
  10932. namespace:
  10933. description: |-
  10934. The namespace of the Secret resource being referred to.
  10935. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10936. maxLength: 63
  10937. minLength: 1
  10938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10939. type: string
  10940. type: object
  10941. required:
  10942. - fingerprint
  10943. - privatekey
  10944. type: object
  10945. tenancy:
  10946. description: Tenancy is the tenancy OCID where user is located.
  10947. type: string
  10948. user:
  10949. description: User is the OCID of the user whose API signing key is used for authentication.
  10950. type: string
  10951. required:
  10952. - secretRef
  10953. - tenancy
  10954. - user
  10955. type: object
  10956. compartment:
  10957. description: |-
  10958. Compartment is the vault compartment OCID.
  10959. Required for PushSecret
  10960. type: string
  10961. encryptionKey:
  10962. description: |-
  10963. EncryptionKey is the OCID of the encryption key within the vault.
  10964. Required for PushSecret
  10965. type: string
  10966. principalType:
  10967. description: |-
  10968. The type of principal to use for authentication. If left blank, the Auth struct will
  10969. determine the principal type. This optional field must be specified if using
  10970. workload identity.
  10971. enum:
  10972. - ""
  10973. - UserPrincipal
  10974. - InstancePrincipal
  10975. - Workload
  10976. type: string
  10977. region:
  10978. description: Region is the region where vault is located.
  10979. type: string
  10980. serviceAccountRef:
  10981. description: |-
  10982. ServiceAccountRef specified the service account
  10983. that should be used when authenticating with WorkloadIdentity.
  10984. properties:
  10985. audiences:
  10986. description: |-
  10987. Audience specifies the `aud` claim for the service account token.
  10988. If the service account carries a well-known annotation (e.g. for IRSA or GCP Workload Identity),
  10989. these audiences are appended to the list derived from that annotation
  10990. items:
  10991. type: string
  10992. type: array
  10993. name:
  10994. description: The name of the ServiceAccount resource being referred to.
  10995. maxLength: 253
  10996. minLength: 1
  10997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10998. type: string
  10999. namespace:
  11000. description: |-
  11001. Namespace of the resource being referred to.
  11002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11003. maxLength: 63
  11004. minLength: 1
  11005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11006. type: string
  11007. required:
  11008. - name
  11009. type: object
  11010. vault:
  11011. description: Vault is the vault's OCID of the specific vault where secret is located.
  11012. type: string
  11013. required:
  11014. - region
  11015. - vault
  11016. type: object
  11017. passbolt:
  11018. description: PassboltProvider defines configuration for the Passbolt provider.
  11019. properties:
  11020. auth:
  11021. description: Auth defines the information necessary to authenticate against Passbolt Server
  11022. properties:
  11023. passwordSecretRef:
  11024. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11025. properties:
  11026. key:
  11027. description: |-
  11028. A key in the referenced Secret.
  11029. Some instances of this field may be defaulted, in others it may be required.
  11030. maxLength: 253
  11031. minLength: 1
  11032. pattern: ^[-._a-zA-Z0-9]+$
  11033. type: string
  11034. name:
  11035. description: The name of the Secret resource being referred to.
  11036. maxLength: 253
  11037. minLength: 1
  11038. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11039. type: string
  11040. namespace:
  11041. description: |-
  11042. The namespace of the Secret resource being referred to.
  11043. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11044. maxLength: 63
  11045. minLength: 1
  11046. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11047. type: string
  11048. type: object
  11049. privateKeySecretRef:
  11050. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11051. properties:
  11052. key:
  11053. description: |-
  11054. A key in the referenced Secret.
  11055. Some instances of this field may be defaulted, in others it may be required.
  11056. maxLength: 253
  11057. minLength: 1
  11058. pattern: ^[-._a-zA-Z0-9]+$
  11059. type: string
  11060. name:
  11061. description: The name of the Secret resource being referred to.
  11062. maxLength: 253
  11063. minLength: 1
  11064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11065. type: string
  11066. namespace:
  11067. description: |-
  11068. The namespace of the Secret resource being referred to.
  11069. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11070. maxLength: 63
  11071. minLength: 1
  11072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11073. type: string
  11074. type: object
  11075. required:
  11076. - passwordSecretRef
  11077. - privateKeySecretRef
  11078. type: object
  11079. host:
  11080. description: Host defines the Passbolt Server to connect to
  11081. type: string
  11082. required:
  11083. - auth
  11084. - host
  11085. type: object
  11086. passworddepot:
  11087. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11088. properties:
  11089. auth:
  11090. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11091. properties:
  11092. secretRef:
  11093. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11094. properties:
  11095. credentials:
  11096. description: Username / Password is used for authentication.
  11097. properties:
  11098. key:
  11099. description: |-
  11100. A key in the referenced Secret.
  11101. Some instances of this field may be defaulted, in others it may be required.
  11102. maxLength: 253
  11103. minLength: 1
  11104. pattern: ^[-._a-zA-Z0-9]+$
  11105. type: string
  11106. name:
  11107. description: The name of the Secret resource being referred to.
  11108. maxLength: 253
  11109. minLength: 1
  11110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11111. type: string
  11112. namespace:
  11113. description: |-
  11114. The namespace of the Secret resource being referred to.
  11115. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11116. maxLength: 63
  11117. minLength: 1
  11118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11119. type: string
  11120. type: object
  11121. type: object
  11122. required:
  11123. - secretRef
  11124. type: object
  11125. database:
  11126. description: Database to use as source
  11127. type: string
  11128. host:
  11129. description: URL configures the Password Depot instance URL.
  11130. type: string
  11131. required:
  11132. - auth
  11133. - database
  11134. - host
  11135. type: object
  11136. previder:
  11137. description: Previder configures this store to sync secrets using the Previder provider
  11138. properties:
  11139. auth:
  11140. description: PreviderAuth contains a secretRef for credentials.
  11141. properties:
  11142. secretRef:
  11143. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11144. properties:
  11145. accessToken:
  11146. description: The AccessToken is used for authentication
  11147. properties:
  11148. key:
  11149. description: |-
  11150. A key in the referenced Secret.
  11151. Some instances of this field may be defaulted, in others it may be required.
  11152. maxLength: 253
  11153. minLength: 1
  11154. pattern: ^[-._a-zA-Z0-9]+$
  11155. type: string
  11156. name:
  11157. description: The name of the Secret resource being referred to.
  11158. maxLength: 253
  11159. minLength: 1
  11160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11161. type: string
  11162. namespace:
  11163. description: |-
  11164. The namespace of the Secret resource being referred to.
  11165. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11166. maxLength: 63
  11167. minLength: 1
  11168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11169. type: string
  11170. type: object
  11171. required:
  11172. - accessToken
  11173. type: object
  11174. type: object
  11175. baseUri:
  11176. type: string
  11177. required:
  11178. - auth
  11179. type: object
  11180. pulumi:
  11181. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11182. properties:
  11183. accessToken:
  11184. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11185. properties:
  11186. secretRef:
  11187. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11188. properties:
  11189. key:
  11190. description: |-
  11191. A key in the referenced Secret.
  11192. Some instances of this field may be defaulted, in others it may be required.
  11193. maxLength: 253
  11194. minLength: 1
  11195. pattern: ^[-._a-zA-Z0-9]+$
  11196. type: string
  11197. name:
  11198. description: The name of the Secret resource being referred to.
  11199. maxLength: 253
  11200. minLength: 1
  11201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11202. type: string
  11203. namespace:
  11204. description: |-
  11205. The namespace of the Secret resource being referred to.
  11206. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11207. maxLength: 63
  11208. minLength: 1
  11209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11210. type: string
  11211. type: object
  11212. type: object
  11213. apiUrl:
  11214. default: https://api.pulumi.com/api/esc
  11215. description: APIURL is the URL of the Pulumi API.
  11216. type: string
  11217. environment:
  11218. description: |-
11219. Environment is the Pulumi ESC environment to read secrets from. Environments are YAML
11220. documents composed of static key-value pairs, programmatic expressions, dynamically retrieved
11221. values from supported providers including all major clouds, and other Pulumi ESC environments.
11222. To create a new environment, see https://www.pulumi.com/docs/esc/environments/ for more information.
  11223. type: string
  11224. organization:
  11225. description: |-
11226. Organization is the Pulumi organization the project and environment belong to; an organization is a space to collaborate on shared projects and stacks.
11227. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11228. type: string
  11229. project:
  11230. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11231. type: string
  11232. required:
  11233. - accessToken
  11234. - environment
  11235. - organization
  11236. - project
  11237. type: object
  11238. scaleway:
  11239. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11240. properties:
  11241. accessKey:
  11242. description: AccessKey is the non-secret part of the api key.
  11243. properties:
  11244. secretRef:
  11245. description: SecretRef references a key in a secret that will be used as value.
  11246. properties:
  11247. key:
  11248. description: |-
  11249. A key in the referenced Secret.
  11250. Some instances of this field may be defaulted, in others it may be required.
  11251. maxLength: 253
  11252. minLength: 1
  11253. pattern: ^[-._a-zA-Z0-9]+$
  11254. type: string
  11255. name:
  11256. description: The name of the Secret resource being referred to.
  11257. maxLength: 253
  11258. minLength: 1
  11259. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11260. type: string
  11261. namespace:
  11262. description: |-
  11263. The namespace of the Secret resource being referred to.
  11264. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11265. maxLength: 63
  11266. minLength: 1
  11267. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11268. type: string
  11269. type: object
  11270. value:
  11271. description: Value can be specified directly to set a value without using a secret.
  11272. type: string
  11273. type: object
  11274. apiUrl:
  11275. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11276. type: string
  11277. projectId:
  11278. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11279. type: string
  11280. region:
  11281. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11282. type: string
  11283. secretKey:
  11284. description: SecretKey is the non-secret part of the api key.
  11285. properties:
  11286. secretRef:
  11287. description: SecretRef references a key in a secret that will be used as value.
  11288. properties:
  11289. key:
  11290. description: |-
  11291. A key in the referenced Secret.
  11292. Some instances of this field may be defaulted, in others it may be required.
  11293. maxLength: 253
  11294. minLength: 1
  11295. pattern: ^[-._a-zA-Z0-9]+$
  11296. type: string
  11297. name:
  11298. description: The name of the Secret resource being referred to.
  11299. maxLength: 253
  11300. minLength: 1
  11301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11302. type: string
  11303. namespace:
  11304. description: |-
  11305. The namespace of the Secret resource being referred to.
  11306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11307. maxLength: 63
  11308. minLength: 1
  11309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11310. type: string
  11311. type: object
  11312. value:
  11313. description: Value can be specified directly to set a value without using a secret.
  11314. type: string
  11315. type: object
  11316. required:
  11317. - accessKey
  11318. - projectId
  11319. - region
  11320. - secretKey
  11321. type: object
  11322. secretserver:
  11323. description: |-
  11324. SecretServer configures this store to sync secrets using SecretServer provider
  11325. https://docs.delinea.com/online-help/secret-server/start.htm
  11326. properties:
  11327. password:
  11328. description: Password is the secret server account password.
  11329. properties:
  11330. secretRef:
  11331. description: SecretRef references a key in a secret that will be used as value.
  11332. properties:
  11333. key:
  11334. description: |-
  11335. A key in the referenced Secret.
  11336. Some instances of this field may be defaulted, in others it may be required.
  11337. maxLength: 253
  11338. minLength: 1
  11339. pattern: ^[-._a-zA-Z0-9]+$
  11340. type: string
  11341. name:
  11342. description: The name of the Secret resource being referred to.
  11343. maxLength: 253
  11344. minLength: 1
  11345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11346. type: string
  11347. namespace:
  11348. description: |-
  11349. The namespace of the Secret resource being referred to.
  11350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11351. maxLength: 63
  11352. minLength: 1
  11353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11354. type: string
  11355. type: object
  11356. value:
  11357. description: Value can be specified directly to set a value without using a secret.
  11358. type: string
  11359. type: object
  11360. serverURL:
  11361. description: |-
11362. ServerURL is the URL of your Secret Server installation.
  11364. type: string
  11365. username:
  11366. description: Username is the secret server account username.
  11367. properties:
  11368. secretRef:
  11369. description: SecretRef references a key in a secret that will be used as value.
  11370. properties:
  11371. key:
  11372. description: |-
  11373. A key in the referenced Secret.
  11374. Some instances of this field may be defaulted, in others it may be required.
  11375. maxLength: 253
  11376. minLength: 1
  11377. pattern: ^[-._a-zA-Z0-9]+$
  11378. type: string
  11379. name:
  11380. description: The name of the Secret resource being referred to.
  11381. maxLength: 253
  11382. minLength: 1
  11383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11384. type: string
  11385. namespace:
  11386. description: |-
  11387. The namespace of the Secret resource being referred to.
  11388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11389. maxLength: 63
  11390. minLength: 1
  11391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11392. type: string
  11393. type: object
  11394. value:
  11395. description: Value can be specified directly to set a value without using a secret.
  11396. type: string
  11397. type: object
  11398. required:
  11399. - password
  11400. - serverURL
  11401. - username
  11402. type: object
  11403. senhasegura:
  11404. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11405. properties:
  11406. auth:
  11407. description: Auth defines parameters to authenticate in senhasegura
  11408. properties:
  11409. clientId:
  11410. type: string
  11411. clientSecretSecretRef:
  11412. description: |-
  11413. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11414. In some instances, `key` is a required field.
  11415. properties:
  11416. key:
  11417. description: |-
  11418. A key in the referenced Secret.
  11419. Some instances of this field may be defaulted, in others it may be required.
  11420. maxLength: 253
  11421. minLength: 1
  11422. pattern: ^[-._a-zA-Z0-9]+$
  11423. type: string
  11424. name:
  11425. description: The name of the Secret resource being referred to.
  11426. maxLength: 253
  11427. minLength: 1
  11428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11429. type: string
  11430. namespace:
  11431. description: |-
  11432. The namespace of the Secret resource being referred to.
  11433. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11434. maxLength: 63
  11435. minLength: 1
  11436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11437. type: string
  11438. type: object
  11439. required:
  11440. - clientId
  11441. - clientSecretSecretRef
  11442. type: object
  11443. ignoreSslCertificate:
  11444. default: false
  11445. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11446. type: boolean
  11447. module:
  11448. description: Module defines which senhasegura module should be used to get secrets
  11449. type: string
  11450. url:
  11451. description: URL of senhasegura
  11452. type: string
  11453. required:
  11454. - auth
  11455. - module
  11456. - url
  11457. type: object
  11458. vault:
  11459. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11460. properties:
  11461. auth:
  11462. description: Auth configures how secret-manager authenticates with the Vault server.
  11463. properties:
  11464. appRole:
  11465. description: |-
  11466. AppRole authenticates with Vault using the App Role auth mechanism,
  11467. with the role and secret stored in a Kubernetes Secret resource.
  11468. properties:
  11469. path:
  11470. default: approle
  11471. description: |-
  11472. Path where the App Role authentication backend is mounted
  11473. in Vault, e.g: "approle"
  11474. type: string
  11475. roleId:
  11476. description: |-
  11477. RoleID configured in the App Role authentication backend when setting
  11478. up the authentication backend in Vault.
  11479. type: string
  11480. roleRef:
  11481. description: |-
  11482. Reference to a key in a Secret that contains the App Role ID used
  11483. to authenticate with Vault.
  11484. The `key` field must be specified and denotes which entry within the Secret
  11485. resource is used as the app role id.
  11486. properties:
  11487. key:
  11488. description: |-
  11489. A key in the referenced Secret.
  11490. Some instances of this field may be defaulted, in others it may be required.
  11491. maxLength: 253
  11492. minLength: 1
  11493. pattern: ^[-._a-zA-Z0-9]+$
  11494. type: string
  11495. name:
  11496. description: The name of the Secret resource being referred to.
  11497. maxLength: 253
  11498. minLength: 1
  11499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11500. type: string
  11501. namespace:
  11502. description: |-
  11503. The namespace of the Secret resource being referred to.
  11504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11505. maxLength: 63
  11506. minLength: 1
  11507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11508. type: string
  11509. type: object
  11510. secretRef:
  11511. description: |-
  11512. Reference to a key in a Secret that contains the App Role secret used
  11513. to authenticate with Vault.
  11514. The `key` field must be specified and denotes which entry within the Secret
  11515. resource is used as the app role secret.
  11516. properties:
  11517. key:
  11518. description: |-
  11519. A key in the referenced Secret.
  11520. Some instances of this field may be defaulted, in others it may be required.
  11521. maxLength: 253
  11522. minLength: 1
  11523. pattern: ^[-._a-zA-Z0-9]+$
  11524. type: string
  11525. name:
  11526. description: The name of the Secret resource being referred to.
  11527. maxLength: 253
  11528. minLength: 1
  11529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11530. type: string
  11531. namespace:
  11532. description: |-
  11533. The namespace of the Secret resource being referred to.
  11534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11535. maxLength: 63
  11536. minLength: 1
  11537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11538. type: string
  11539. type: object
  11540. required:
  11541. - path
  11542. - secretRef
  11543. type: object
  11544. cert:
  11545. description: |-
11546. Cert authenticates with Vault using the TLS certificate (Cert) auth method,
11547. passing a client certificate, private key and CA certificate.
  11548. properties:
  11549. clientCert:
  11550. description: |-
  11551. ClientCert is a certificate to authenticate using the Cert Vault
  11552. authentication method
  11553. properties:
  11554. key:
  11555. description: |-
  11556. A key in the referenced Secret.
  11557. Some instances of this field may be defaulted, in others it may be required.
  11558. maxLength: 253
  11559. minLength: 1
  11560. pattern: ^[-._a-zA-Z0-9]+$
  11561. type: string
  11562. name:
  11563. description: The name of the Secret resource being referred to.
  11564. maxLength: 253
  11565. minLength: 1
  11566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11567. type: string
  11568. namespace:
  11569. description: |-
  11570. The namespace of the Secret resource being referred to.
  11571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11572. maxLength: 63
  11573. minLength: 1
  11574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11575. type: string
  11576. type: object
  11577. secretRef:
  11578. description: |-
  11579. SecretRef to a key in a Secret resource containing client private key to
  11580. authenticate with Vault using the Cert authentication method
  11581. properties:
  11582. key:
  11583. description: |-
  11584. A key in the referenced Secret.
  11585. Some instances of this field may be defaulted, in others it may be required.
  11586. maxLength: 253
  11587. minLength: 1
  11588. pattern: ^[-._a-zA-Z0-9]+$
  11589. type: string
  11590. name:
  11591. description: The name of the Secret resource being referred to.
  11592. maxLength: 253
  11593. minLength: 1
  11594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11595. type: string
  11596. namespace:
  11597. description: |-
  11598. The namespace of the Secret resource being referred to.
  11599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11600. maxLength: 63
  11601. minLength: 1
  11602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11603. type: string
  11604. type: object
  11605. type: object
  11606. iam:
  11607. description: |-
11608. Iam authenticates with Vault using the AWS IAM auth method, by presenting a
11609. specially crafted AWS request signed with AWS IAM credentials.
  11610. properties:
  11611. externalID:
  11612. description: AWS External ID set on assumed IAM roles
  11613. type: string
  11614. jwt:
  11615. description: Specify a service account with IRSA enabled
  11616. properties:
  11617. serviceAccountRef:
  11618. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  11619. properties:
  11620. audiences:
  11621. description: |-
11622. Audiences specifies the `aud` claim for the service account token.
11623. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
11624. these audiences are appended to that list.
  11625. items:
  11626. type: string
  11627. type: array
  11628. name:
  11629. description: The name of the ServiceAccount resource being referred to.
  11630. maxLength: 253
  11631. minLength: 1
  11632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11633. type: string
  11634. namespace:
  11635. description: |-
  11636. Namespace of the resource being referred to.
  11637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11638. maxLength: 63
  11639. minLength: 1
  11640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11641. type: string
  11642. required:
  11643. - name
  11644. type: object
  11645. type: object
  11646. path:
  11647. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11648. type: string
  11649. region:
  11650. description: AWS region
  11651. type: string
  11652. role:
  11653. description: This is the AWS role to be assumed before talking to vault
  11654. type: string
  11655. secretRef:
  11656. description: Specify credentials in a Secret object
  11657. properties:
  11658. accessKeyIDSecretRef:
  11659. description: The AccessKeyID is used for authentication
  11660. properties:
  11661. key:
  11662. description: |-
  11663. A key in the referenced Secret.
  11664. Some instances of this field may be defaulted, in others it may be required.
  11665. maxLength: 253
  11666. minLength: 1
  11667. pattern: ^[-._a-zA-Z0-9]+$
  11668. type: string
  11669. name:
  11670. description: The name of the Secret resource being referred to.
  11671. maxLength: 253
  11672. minLength: 1
  11673. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11674. type: string
  11675. namespace:
  11676. description: |-
  11677. The namespace of the Secret resource being referred to.
  11678. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11679. maxLength: 63
  11680. minLength: 1
  11681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11682. type: string
  11683. type: object
  11684. secretAccessKeySecretRef:
  11685. description: The SecretAccessKey is used for authentication
  11686. properties:
  11687. key:
  11688. description: |-
  11689. A key in the referenced Secret.
  11690. Some instances of this field may be defaulted, in others it may be required.
  11691. maxLength: 253
  11692. minLength: 1
  11693. pattern: ^[-._a-zA-Z0-9]+$
  11694. type: string
  11695. name:
  11696. description: The name of the Secret resource being referred to.
  11697. maxLength: 253
  11698. minLength: 1
  11699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11700. type: string
  11701. namespace:
  11702. description: |-
  11703. The namespace of the Secret resource being referred to.
  11704. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11705. maxLength: 63
  11706. minLength: 1
  11707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11708. type: string
  11709. type: object
  11710. sessionTokenSecretRef:
  11711. description: |-
  11712. The SessionToken used for authentication
  11713. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11714. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11715. properties:
  11716. key:
  11717. description: |-
  11718. A key in the referenced Secret.
  11719. Some instances of this field may be defaulted, in others it may be required.
  11720. maxLength: 253
  11721. minLength: 1
  11722. pattern: ^[-._a-zA-Z0-9]+$
  11723. type: string
  11724. name:
  11725. description: The name of the Secret resource being referred to.
  11726. maxLength: 253
  11727. minLength: 1
  11728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11729. type: string
  11730. namespace:
  11731. description: |-
  11732. The namespace of the Secret resource being referred to.
  11733. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11734. maxLength: 63
  11735. minLength: 1
  11736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11737. type: string
  11738. type: object
  11739. type: object
  11740. vaultAwsIamServerID:
  11741. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11742. type: string
  11743. vaultRole:
  11744. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  11745. type: string
  11746. required:
  11747. - vaultRole
  11748. type: object
  11749. jwt:
  11750. description: |-
  11751. Jwt authenticates with Vault by passing role and JWT token using the
  11752. JWT/OIDC authentication method
  11753. properties:
  11754. kubernetesServiceAccountToken:
  11755. description: |-
11756. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
11757. a token with the `TokenRequest` API.
  11758. properties:
  11759. audiences:
  11760. description: |-
  11761. Optional audiences field that will be used to request a temporary Kubernetes service
  11762. account token for the service account referenced by `serviceAccountRef`.
11763. Defaults to a single audience `vault` if not specified.
  11764. Deprecated: use serviceAccountRef.Audiences instead
  11765. items:
  11766. type: string
  11767. type: array
  11768. expirationSeconds:
  11769. description: |-
  11770. Optional expiration time in seconds that will be used to request a temporary
  11771. Kubernetes service account token for the service account referenced by
  11772. `serviceAccountRef`.
  11773. Deprecated: this will be removed in the future.
  11774. Defaults to 10 minutes.
  11775. format: int64
  11776. type: integer
  11777. serviceAccountRef:
  11778. description: Service account field containing the name of a kubernetes ServiceAccount.
  11779. properties:
  11780. audiences:
  11781. description: |-
11782. Audiences specifies the `aud` claim for the service account token.
11783. If the service account uses a well-known annotation (e.g. for IRSA or GCP Workload Identity),
11784. these audiences are appended to that list.
  11785. items:
  11786. type: string
  11787. type: array
  11788. name:
  11789. description: The name of the ServiceAccount resource being referred to.
  11790. maxLength: 253
  11791. minLength: 1
  11792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11793. type: string
  11794. namespace:
  11795. description: |-
  11796. Namespace of the resource being referred to.
  11797. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11798. maxLength: 63
  11799. minLength: 1
  11800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11801. type: string
  11802. required:
  11803. - name
  11804. type: object
  11805. required:
  11806. - serviceAccountRef
  11807. type: object
  11808. path:
  11809. default: jwt
  11810. description: |-
  11811. Path where the JWT authentication backend is mounted
  11812. in Vault, e.g: "jwt"
  11813. type: string
  11814. role:
  11815. description: |-
  11816. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11817. authentication method
  11818. type: string
  11819. secretRef:
  11820. description: |-
  11821. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11822. authenticate with Vault using the JWT/OIDC authentication method.
  11823. properties:
  11824. key:
  11825. description: |-
  11826. A key in the referenced Secret.
  11827. Some instances of this field may be defaulted, in others it may be required.
  11828. maxLength: 253
  11829. minLength: 1
  11830. pattern: ^[-._a-zA-Z0-9]+$
  11831. type: string
  11832. name:
  11833. description: The name of the Secret resource being referred to.
  11834. maxLength: 253
  11835. minLength: 1
  11836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11837. type: string
  11838. namespace:
  11839. description: |-
  11840. The namespace of the Secret resource being referred to.
  11841. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11842. maxLength: 63
  11843. minLength: 1
  11844. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11845. type: string
  11846. type: object
  11847. required:
  11848. - path
  11849. type: object
  11850. kubernetes:
  11851. description: |-
  11852. Kubernetes authenticates with Vault by passing the ServiceAccount
  11853. token stored in the named Secret resource to the Vault server.
  11854. properties:
  11855. mountPath:
  11856. default: kubernetes
  11857. description: |-
  11858. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11859. "kubernetes"
  11860. type: string
  11861. role:
  11862. description: |-
  11863. A required field containing the Vault Role to assume. A Role binds a
  11864. Kubernetes ServiceAccount with a set of Vault policies.
  11865. type: string
  11866. secretRef:
  11867. description: |-
  11868. Optional secret field containing a Kubernetes ServiceAccount JWT used
  11869. for authenticating with Vault. If a name is specified without a key,
  11870. `token` is the default. If one is not specified, the one bound to
  11871. the controller will be used.
  11872. properties:
  11873. key:
  11874. description: |-
  11875. A key in the referenced Secret.
  11876. Some instances of this field may be defaulted, in others it may be required.
  11877. maxLength: 253
  11878. minLength: 1
  11879. pattern: ^[-._a-zA-Z0-9]+$
  11880. type: string
  11881. name:
  11882. description: The name of the Secret resource being referred to.
  11883. maxLength: 253
  11884. minLength: 1
  11885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11886. type: string
  11887. namespace:
  11888. description: |-
  11889. The namespace of the Secret resource being referred to.
  11890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11891. maxLength: 63
  11892. minLength: 1
  11893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11894. type: string
  11895. type: object
  11896. serviceAccountRef:
  11897. description: |-
  11898. Optional service account field containing the name of a kubernetes ServiceAccount.
  11899. If the service account is specified, the service account secret token JWT will be used
  11900. for authenticating with Vault. If the service account selector is not supplied,
  11901. the secretRef will be used instead.
  11902. properties:
  11903. audiences:
  11904. description: |-
  11905. Audience specifies the `aud` claim for the service account token.
  11906. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  11907. then these audiences will be appended to the list.
  11908. items:
  11909. type: string
  11910. type: array
  11911. name:
  11912. description: The name of the ServiceAccount resource being referred to.
  11913. maxLength: 253
  11914. minLength: 1
  11915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11916. type: string
  11917. namespace:
  11918. description: |-
  11919. Namespace of the resource being referred to.
  11920. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11921. maxLength: 63
  11922. minLength: 1
  11923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11924. type: string
  11925. required:
  11926. - name
  11927. type: object
  11928. required:
  11929. - mountPath
  11930. - role
  11931. type: object
  11932. ldap:
  11933. description: |-
  11934. Ldap authenticates with Vault by passing username/password pair using
  11935. the LDAP authentication method
  11936. properties:
  11937. path:
  11938. default: ldap
  11939. description: |-
  11940. Path where the LDAP authentication backend is mounted
  11941. in Vault, e.g: "ldap"
  11942. type: string
  11943. secretRef:
  11944. description: |-
  11945. SecretRef to a key in a Secret resource containing password for the LDAP
  11946. user used to authenticate with Vault using the LDAP authentication
  11947. method
  11948. properties:
  11949. key:
  11950. description: |-
  11951. A key in the referenced Secret.
  11952. Some instances of this field may be defaulted, in others it may be required.
  11953. maxLength: 253
  11954. minLength: 1
  11955. pattern: ^[-._a-zA-Z0-9]+$
  11956. type: string
  11957. name:
  11958. description: The name of the Secret resource being referred to.
  11959. maxLength: 253
  11960. minLength: 1
  11961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11962. type: string
  11963. namespace:
  11964. description: |-
  11965. The namespace of the Secret resource being referred to.
  11966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11967. maxLength: 63
  11968. minLength: 1
  11969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11970. type: string
  11971. type: object
  11972. username:
  11973. description: |-
  11974. Username is an LDAP username used to authenticate using the LDAP Vault
  11975. authentication method
  11976. type: string
  11977. required:
  11978. - path
  11979. - username
  11980. type: object
  11981. namespace:
  11982. description: |-
  11983. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  11984. Namespaces are a set of features within Vault Enterprise that allow
  11985. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  11986. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  11987. This defaults to the Vault.Namespace field if set, or to empty otherwise.
  11988. type: string
  11989. tokenSecretRef:
  11990. description: TokenSecretRef authenticates with Vault by presenting a token.
  11991. properties:
  11992. key:
  11993. description: |-
  11994. A key in the referenced Secret.
  11995. Some instances of this field may be defaulted, in others it may be required.
  11996. maxLength: 253
  11997. minLength: 1
  11998. pattern: ^[-._a-zA-Z0-9]+$
  11999. type: string
  12000. name:
  12001. description: The name of the Secret resource being referred to.
  12002. maxLength: 253
  12003. minLength: 1
  12004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12005. type: string
  12006. namespace:
  12007. description: |-
  12008. The namespace of the Secret resource being referred to.
  12009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12010. maxLength: 63
  12011. minLength: 1
  12012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12013. type: string
  12014. type: object
  12015. userPass:
  12016. description: UserPass authenticates with Vault by passing username/password pair
  12017. properties:
  12018. path:
  12019. default: userpass
  12020. description: |-
  12021. Path where the UserPassword authentication backend is mounted
  12022. in Vault, e.g: "userpass"
  12023. type: string
  12024. secretRef:
  12025. description: |-
  12026. SecretRef to a key in a Secret resource containing password for the
  12027. user used to authenticate with Vault using the UserPass authentication
  12028. method
  12029. properties:
  12030. key:
  12031. description: |-
  12032. A key in the referenced Secret.
  12033. Some instances of this field may be defaulted, in others it may be required.
  12034. maxLength: 253
  12035. minLength: 1
  12036. pattern: ^[-._a-zA-Z0-9]+$
  12037. type: string
  12038. name:
  12039. description: The name of the Secret resource being referred to.
  12040. maxLength: 253
  12041. minLength: 1
  12042. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12043. type: string
  12044. namespace:
  12045. description: |-
  12046. The namespace of the Secret resource being referred to.
  12047. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12048. maxLength: 63
  12049. minLength: 1
  12050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12051. type: string
  12052. type: object
  12053. username:
  12054. description: |-
  12055. Username is a username used to authenticate using the UserPass Vault
  12056. authentication method
  12057. type: string
  12058. required:
  12059. - path
  12060. - username
  12061. type: object
  12062. type: object
  12063. caBundle:
  12064. description: |-
  12065. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12066. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12067. plain HTTP protocol connection. If not set the system root certificates
  12068. are used to validate the TLS connection.
  12069. format: byte
  12070. type: string
  12071. caProvider:
  12072. description: The provider for the CA bundle to use to validate Vault server certificate.
  12073. properties:
  12074. key:
  12075. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12076. maxLength: 253
  12077. minLength: 1
  12078. pattern: ^[-._a-zA-Z0-9]+$
  12079. type: string
  12080. name:
  12081. description: The name of the object located at the provider type.
  12082. maxLength: 253
  12083. minLength: 1
  12084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12085. type: string
  12086. namespace:
  12087. description: |-
  12088. The namespace the Provider type is in.
  12089. Can only be defined when used in a ClusterSecretStore.
  12090. maxLength: 63
  12091. minLength: 1
  12092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12093. type: string
  12094. type:
  12095. description: The type of provider to use such as "Secret", or "ConfigMap".
  12096. enum:
  12097. - Secret
  12098. - ConfigMap
  12099. type: string
  12100. required:
  12101. - name
  12102. - type
  12103. type: object
  12104. forwardInconsistent:
  12105. description: |-
  12106. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12107. leader instead of simply retrying within a loop. This can increase performance if
  12108. the option is enabled server-side.
  12109. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12110. type: boolean
  12111. headers:
  12112. additionalProperties:
  12113. type: string
  12114. description: Headers to be added in Vault request
  12115. type: object
  12116. namespace:
  12117. description: |-
  12118. Name of the vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  12119. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12120. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12121. type: string
  12122. path:
  12123. description: |-
  12124. Path is the mount path of the Vault KV backend endpoint, e.g:
  12125. "secret". The v2 KV secret engine version specific "/data" path suffix
  12126. for fetching secrets from Vault is optional and will be appended
  12127. if not present in specified path.
  12128. type: string
  12129. readYourWrites:
  12130. description: |-
  12131. ReadYourWrites ensures isolated read-after-write semantics by
  12132. providing discovered cluster replication states in each request.
  12133. More information about eventual consistency in Vault can be found here
  12134. https://www.vaultproject.io/docs/enterprise/consistency
  12135. type: boolean
  12136. server:
  12137. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12138. type: string
  12139. tls:
  12140. description: |-
  12141. The configuration used for client side related TLS communication, when the Vault server
  12142. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12143. This parameter is ignored for plain HTTP protocol connection.
  12144. It's worth noting this configuration is different from the "TLS certificates auth method",
  12145. which is available under the `auth.cert` section.
  12146. properties:
  12147. certSecretRef:
  12148. description: |-
  12149. CertSecretRef is a certificate added to the transport layer
  12150. when communicating with the Vault server.
  12151. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12152. properties:
  12153. key:
  12154. description: |-
  12155. A key in the referenced Secret.
  12156. Some instances of this field may be defaulted, in others it may be required.
  12157. maxLength: 253
  12158. minLength: 1
  12159. pattern: ^[-._a-zA-Z0-9]+$
  12160. type: string
  12161. name:
  12162. description: The name of the Secret resource being referred to.
  12163. maxLength: 253
  12164. minLength: 1
  12165. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12166. type: string
  12167. namespace:
  12168. description: |-
  12169. The namespace of the Secret resource being referred to.
  12170. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12171. maxLength: 63
  12172. minLength: 1
  12173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12174. type: string
  12175. type: object
  12176. keySecretRef:
  12177. description: |-
  12178. KeySecretRef to a key in a Secret resource containing client private key
  12179. added to the transport layer when communicating with the Vault server.
  12180. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12181. properties:
  12182. key:
  12183. description: |-
  12184. A key in the referenced Secret.
  12185. Some instances of this field may be defaulted, in others it may be required.
  12186. maxLength: 253
  12187. minLength: 1
  12188. pattern: ^[-._a-zA-Z0-9]+$
  12189. type: string
  12190. name:
  12191. description: The name of the Secret resource being referred to.
  12192. maxLength: 253
  12193. minLength: 1
  12194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12195. type: string
  12196. namespace:
  12197. description: |-
  12198. The namespace of the Secret resource being referred to.
  12199. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12200. maxLength: 63
  12201. minLength: 1
  12202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12203. type: string
  12204. type: object
  12205. type: object
  12206. version:
  12207. default: v2
  12208. description: |-
  12209. Version is the Vault KV secret engine version. This can be either "v1" or
  12210. "v2". Version defaults to "v2".
  12211. enum:
  12212. - v1
  12213. - v2
  12214. type: string
  12215. required:
  12216. - server
  12217. type: object
  12218. webhook:
  12219. description: Webhook configures this store to sync secrets using a generic templated webhook
  12220. properties:
  12221. auth:
  12222. description: Auth specifies an authorization protocol. Only one protocol may be set.
  12223. maxProperties: 1
  12224. minProperties: 1
  12225. properties:
  12226. ntlm:
  12227. description: NTLMProtocol configures the store to use NTLM for auth
  12228. properties:
  12229. passwordSecret:
  12230. description: |-
  12231. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12232. In some instances, `key` is a required field.
  12233. properties:
  12234. key:
  12235. description: |-
  12236. A key in the referenced Secret.
  12237. Some instances of this field may be defaulted, in others it may be required.
  12238. maxLength: 253
  12239. minLength: 1
  12240. pattern: ^[-._a-zA-Z0-9]+$
  12241. type: string
  12242. name:
  12243. description: The name of the Secret resource being referred to.
  12244. maxLength: 253
  12245. minLength: 1
  12246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12247. type: string
  12248. namespace:
  12249. description: |-
  12250. The namespace of the Secret resource being referred to.
  12251. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12252. maxLength: 63
  12253. minLength: 1
  12254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12255. type: string
  12256. type: object
  12257. usernameSecret:
  12258. description: |-
  12259. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12260. In some instances, `key` is a required field.
  12261. properties:
  12262. key:
  12263. description: |-
  12264. A key in the referenced Secret.
  12265. Some instances of this field may be defaulted, in others it may be required.
  12266. maxLength: 253
  12267. minLength: 1
  12268. pattern: ^[-._a-zA-Z0-9]+$
  12269. type: string
  12270. name:
  12271. description: The name of the Secret resource being referred to.
  12272. maxLength: 253
  12273. minLength: 1
  12274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12275. type: string
  12276. namespace:
  12277. description: |-
  12278. The namespace of the Secret resource being referred to.
  12279. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12280. maxLength: 63
  12281. minLength: 1
  12282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12283. type: string
  12284. type: object
  12285. required:
  12286. - passwordSecret
  12287. - usernameSecret
  12288. type: object
  12289. type: object
  12290. body:
  12291. description: Body
  12292. type: string
  12293. caBundle:
  12294. description: |-
  12295. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12296. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12297. plain HTTP protocol connection. If not set the system root certificates
  12298. are used to validate the TLS connection.
  12299. format: byte
  12300. type: string
  12301. caProvider:
  12302. description: The provider for the CA bundle to use to validate webhook server certificate.
  12303. properties:
  12304. key:
  12305. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12306. maxLength: 253
  12307. minLength: 1
  12308. pattern: ^[-._a-zA-Z0-9]+$
  12309. type: string
  12310. name:
  12311. description: The name of the object located at the provider type.
  12312. maxLength: 253
  12313. minLength: 1
  12314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12315. type: string
  12316. namespace:
  12317. description: The namespace the Provider type is in.
  12318. maxLength: 63
  12319. minLength: 1
  12320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12321. type: string
  12322. type:
  12323. description: The type of provider to use such as "Secret", or "ConfigMap".
  12324. enum:
  12325. - Secret
  12326. - ConfigMap
  12327. type: string
  12328. required:
  12329. - name
  12330. - type
  12331. type: object
  12332. headers:
  12333. additionalProperties:
  12334. type: string
  12335. description: Headers
  12336. type: object
  12337. method:
  12338. description: Webhook Method
  12339. type: string
  12340. result:
  12341. description: Result formatting
  12342. properties:
  12343. jsonPath:
  12344. description: Json path of return value
  12345. type: string
  12346. type: object
  12347. secrets:
  12348. description: |-
  12349. Secrets to fill in templates
  12350. These secrets will be passed to the templating function as key value pairs under the given name
  12351. items:
  12352. description: WebhookSecret defines a secret to be used in webhook templates.
  12353. properties:
  12354. name:
  12355. description: Name of this secret in templates
  12356. type: string
  12357. secretRef:
  12358. description: Secret ref to fill in credentials
  12359. properties:
  12360. key:
  12361. description: |-
  12362. A key in the referenced Secret.
  12363. Some instances of this field may be defaulted, in others it may be required.
  12364. maxLength: 253
  12365. minLength: 1
  12366. pattern: ^[-._a-zA-Z0-9]+$
  12367. type: string
  12368. name:
  12369. description: The name of the Secret resource being referred to.
  12370. maxLength: 253
  12371. minLength: 1
  12372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12373. type: string
  12374. namespace:
  12375. description: |-
  12376. The namespace of the Secret resource being referred to.
  12377. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12378. maxLength: 63
  12379. minLength: 1
  12380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12381. type: string
  12382. type: object
  12383. required:
  12384. - name
  12385. - secretRef
  12386. type: object
  12387. type: array
  12388. timeout:
  12389. description: Timeout
  12390. type: string
  12391. url:
  12392. description: Webhook url to call
  12393. type: string
  12394. required:
  12395. - result
  12396. - url
  12397. type: object
  12398. yandexcertificatemanager:
  12399. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12400. properties:
  12401. apiEndpoint:
  12402. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12403. type: string
  12404. auth:
  12405. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12406. properties:
  12407. authorizedKeySecretRef:
  12408. description: The authorized key used for authentication
  12409. properties:
  12410. key:
  12411. description: |-
  12412. A key in the referenced Secret.
  12413. Some instances of this field may be defaulted, in others it may be required.
  12414. maxLength: 253
  12415. minLength: 1
  12416. pattern: ^[-._a-zA-Z0-9]+$
  12417. type: string
  12418. name:
  12419. description: The name of the Secret resource being referred to.
  12420. maxLength: 253
  12421. minLength: 1
  12422. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12423. type: string
  12424. namespace:
  12425. description: |-
  12426. The namespace of the Secret resource being referred to.
  12427. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12428. maxLength: 63
  12429. minLength: 1
  12430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12431. type: string
  12432. type: object
  12433. type: object
  12434. caProvider:
  12435. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12436. properties:
  12437. certSecretRef:
  12438. description: |-
  12439. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12440. In some instances, `key` is a required field.
  12441. properties:
  12442. key:
  12443. description: |-
  12444. A key in the referenced Secret.
  12445. Some instances of this field may be defaulted, in others it may be required.
  12446. maxLength: 253
  12447. minLength: 1
  12448. pattern: ^[-._a-zA-Z0-9]+$
  12449. type: string
  12450. name:
  12451. description: The name of the Secret resource being referred to.
  12452. maxLength: 253
  12453. minLength: 1
  12454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12455. type: string
  12456. namespace:
  12457. description: |-
  12458. The namespace of the Secret resource being referred to.
  12459. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12460. maxLength: 63
  12461. minLength: 1
  12462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12463. type: string
  12464. type: object
  12465. type: object
  12466. required:
  12467. - auth
  12468. type: object
  12469. yandexlockbox:
  12470. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12471. properties:
  12472. apiEndpoint:
  12473. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12474. type: string
  12475. auth:
  12476. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12477. properties:
  12478. authorizedKeySecretRef:
  12479. description: The authorized key used for authentication
  12480. properties:
  12481. key:
  12482. description: |-
  12483. A key in the referenced Secret.
  12484. Some instances of this field may be defaulted, in others it may be required.
  12485. maxLength: 253
  12486. minLength: 1
  12487. pattern: ^[-._a-zA-Z0-9]+$
  12488. type: string
  12489. name:
  12490. description: The name of the Secret resource being referred to.
  12491. maxLength: 253
  12492. minLength: 1
  12493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12494. type: string
  12495. namespace:
  12496. description: |-
  12497. The namespace of the Secret resource being referred to.
  12498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12499. maxLength: 63
  12500. minLength: 1
  12501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12502. type: string
  12503. type: object
  12504. type: object
  12505. caProvider:
  12506. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12507. properties:
  12508. certSecretRef:
  12509. description: |-
  12510. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12511. In some instances, `key` is a required field.
  12512. properties:
  12513. key:
  12514. description: |-
  12515. A key in the referenced Secret.
  12516. Some instances of this field may be defaulted, in others it may be required.
  12517. maxLength: 253
  12518. minLength: 1
  12519. pattern: ^[-._a-zA-Z0-9]+$
  12520. type: string
  12521. name:
  12522. description: The name of the Secret resource being referred to.
  12523. maxLength: 253
  12524. minLength: 1
  12525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12526. type: string
  12527. namespace:
  12528. description: |-
  12529. The namespace of the Secret resource being referred to.
  12530. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12531. maxLength: 63
  12532. minLength: 1
  12533. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12534. type: string
  12535. type: object
  12536. type: object
  12537. required:
  12538. - auth
  12539. type: object
  12540. type: object
  12541. refreshInterval:
  12542. description: Used to configure the store refresh interval in seconds. Empty or 0 defaults to the controller config.
  12543. type: integer
  12544. retrySettings:
  12545. description: Used to configure HTTP retries on failures.
  12546. properties:
  12547. maxRetries:
  12548. description: MaxRetries is the maximum number of retry attempts.
  12549. format: int32
  12550. type: integer
  12551. retryInterval:
  12552. description: RetryInterval is the interval between retry attempts.
  12553. type: string
  12554. type: object
  12555. required:
  12556. - provider
  12557. type: object
  12558. status:
  12559. description: SecretStoreStatus defines the observed state of the SecretStore.
  12560. properties:
  12561. capabilities:
  12562. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12563. type: string
  12564. conditions:
  12565. items:
  12566. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  12567. properties:
  12568. lastTransitionTime:
  12569. format: date-time
  12570. type: string
  12571. message:
  12572. type: string
  12573. reason:
  12574. type: string
  12575. status:
  12576. type: string
  12577. type:
  12578. description: SecretStoreConditionType represents the condition type of the SecretStore.
  12579. type: string
  12580. required:
  12581. - status
  12582. - type
  12583. type: object
  12584. type: array
  12585. type: object
  12586. type: object
  12587. served: false
  12588. storage: false
  12589. subresources:
  12590. status: {}
  12591. ---
  12592. apiVersion: apiextensions.k8s.io/v1
  12593. kind: CustomResourceDefinition
  12594. metadata:
  12595. annotations:
  12596. controller-gen.kubebuilder.io/version: v0.19.0
  12597. labels:
  12598. external-secrets.io/component: controller
  12599. name: externalsecrets.external-secrets.io
  12600. spec:
  12601. group: external-secrets.io
  12602. names:
  12603. categories:
  12604. - external-secrets
  12605. kind: ExternalSecret
  12606. listKind: ExternalSecretList
  12607. plural: externalsecrets
  12608. shortNames:
  12609. - es
  12610. singular: externalsecret
  12611. scope: Namespaced
  12612. versions:
  12613. - additionalPrinterColumns:
  12614. - jsonPath: .spec.secretStoreRef.kind
  12615. name: StoreType
  12616. type: string
  12617. - jsonPath: .spec.secretStoreRef.name
  12618. name: Store
  12619. type: string
  12620. - jsonPath: .spec.refreshInterval
  12621. name: Refresh Interval
  12622. type: string
  12623. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  12624. name: Status
  12625. type: string
  12626. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  12627. name: Ready
  12628. type: string
  12629. - jsonPath: .status.refreshTime
  12630. name: Last Sync
  12631. type: date
  12632. name: v1
  12633. schema:
  12634. openAPIV3Schema:
  12635. description: |-
  12636. ExternalSecret is the Schema for the external-secrets API.
  12637. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  12638. properties:
  12639. apiVersion:
  12640. description: |-
  12641. APIVersion defines the versioned schema of this representation of an object.
  12642. Servers should convert recognized schemas to the latest internal value, and
  12643. may reject unrecognized values.
  12644. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12645. type: string
  12646. kind:
  12647. description: |-
  12648. Kind is a string value representing the REST resource this object represents.
  12649. Servers may infer this from the endpoint the client submits requests to.
  12650. Cannot be updated.
  12651. In CamelCase.
  12652. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12653. type: string
  12654. metadata:
  12655. type: object
  12656. spec:
  12657. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  12658. properties:
  12659. data:
  12660. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  12661. items:
  12662. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  12663. properties:
  12664. remoteRef:
  12665. description: |-
  12666. RemoteRef points to the remote secret and defines
  12667. which secret (version/property/..) to fetch.
  12668. properties:
  12669. conversionStrategy:
  12670. default: Default
  12671. description: Used to define a conversion Strategy
  12672. enum:
  12673. - Default
  12674. - Unicode
  12675. type: string
  12676. decodingStrategy:
  12677. default: None
  12678. description: Used to define a decoding Strategy
  12679. enum:
  12680. - Auto
  12681. - Base64
  12682. - Base64URL
  12683. - None
  12684. type: string
  12685. key:
  12686. description: Key is the key used in the Provider, mandatory
  12687. type: string
  12688. metadataPolicy:
  12689. default: None
  12690. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12691. enum:
  12692. - None
  12693. - Fetch
  12694. type: string
  12695. nullBytePolicy:
  12696. default: Ignore
  12697. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12698. enum:
  12699. - Ignore
  12700. - Fail
  12701. type: string
  12702. property:
  12703. description: Used to select a specific property of the Provider value (if a map), if supported
  12704. type: string
  12705. version:
  12706. description: Used to select a specific version of the Provider value, if supported
  12707. type: string
  12708. required:
  12709. - key
  12710. type: object
  12711. secretKey:
  12712. description: The key in the Kubernetes Secret to store the value.
  12713. maxLength: 253
  12714. minLength: 1
  12715. pattern: ^[-._a-zA-Z0-9]+$
  12716. type: string
  12717. sourceRef:
  12718. description: |-
  12719. SourceRef allows you to override the source
  12720. from which the value will be pulled.
  12721. maxProperties: 1
  12722. minProperties: 1
  12723. properties:
  12724. generatorRef:
  12725. description: |-
  12726. GeneratorRef points to a generator custom resource.
12727. Deprecated: generatorRef is not implemented in .data[];
12728. it will be removed with v1.
  12729. properties:
  12730. apiVersion:
  12731. default: generators.external-secrets.io/v1alpha1
  12732. description: Specify the apiVersion of the generator resource
  12733. type: string
  12734. kind:
  12735. description: Specify the Kind of the generator resource
  12736. enum:
  12737. - ACRAccessToken
  12738. - ClusterGenerator
  12739. - CloudsmithAccessToken
  12740. - ECRAuthorizationToken
  12741. - Fake
  12742. - GCRAccessToken
  12743. - GithubAccessToken
  12744. - QuayAccessToken
  12745. - Password
  12746. - SSHKey
  12747. - STSSessionToken
  12748. - UUID
  12749. - VaultDynamicSecret
  12750. - Webhook
  12751. - Grafana
  12752. - MFA
  12753. type: string
  12754. name:
  12755. description: Specify the name of the generator resource
  12756. maxLength: 253
  12757. minLength: 1
  12758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12759. type: string
  12760. required:
  12761. - kind
  12762. - name
  12763. type: object
  12764. storeRef:
  12765. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  12766. properties:
  12767. kind:
  12768. description: |-
  12769. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  12770. Defaults to `SecretStore`
  12771. enum:
  12772. - SecretStore
  12773. - ClusterSecretStore
  12774. type: string
  12775. name:
  12776. description: Name of the SecretStore resource
  12777. maxLength: 253
  12778. minLength: 1
  12779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12780. type: string
  12781. type: object
  12782. type: object
  12783. required:
  12784. - remoteRef
  12785. - secretKey
  12786. type: object
  12787. type: array
  12788. dataFrom:
  12789. description: |-
  12790. DataFrom is used to fetch all properties from a specific Provider data
  12791. If multiple entries are specified, the Secret keys are merged in the specified order
  12792. items:
  12793. description: |-
  12794. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  12795. when using DataFrom to fetch multiple values from a Provider.
  12796. properties:
  12797. extract:
  12798. description: |-
  12799. Used to extract multiple key/value pairs from one secret
  12800. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12801. properties:
  12802. conversionStrategy:
  12803. default: Default
  12804. description: Used to define a conversion Strategy
  12805. enum:
  12806. - Default
  12807. - Unicode
  12808. type: string
  12809. decodingStrategy:
  12810. default: None
  12811. description: Used to define a decoding Strategy
  12812. enum:
  12813. - Auto
  12814. - Base64
  12815. - Base64URL
  12816. - None
  12817. type: string
  12818. key:
  12819. description: Key is the key used in the Provider, mandatory
  12820. type: string
  12821. metadataPolicy:
  12822. default: None
  12823. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  12824. enum:
  12825. - None
  12826. - Fetch
  12827. type: string
  12828. nullBytePolicy:
  12829. default: Ignore
  12830. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  12831. enum:
  12832. - Ignore
  12833. - Fail
  12834. type: string
  12835. property:
  12836. description: Used to select a specific property of the Provider value (if a map), if supported
  12837. type: string
  12838. version:
  12839. description: Used to select a specific version of the Provider value, if supported
  12840. type: string
  12841. required:
  12842. - key
  12843. type: object
  12844. find:
  12845. description: |-
  12846. Used to find secrets based on tags or regular expressions
  12847. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  12848. properties:
  12849. conversionStrategy:
  12850. default: Default
  12851. description: Used to define a conversion Strategy
  12852. enum:
  12853. - Default
  12854. - Unicode
  12855. type: string
  12856. decodingStrategy:
  12857. default: None
  12858. description: Used to define a decoding Strategy
  12859. enum:
  12860. - Auto
  12861. - Base64
  12862. - Base64URL
  12863. - None
  12864. type: string
  12865. name:
  12866. description: Finds secrets based on the name.
  12867. properties:
  12868. regexp:
12869. description: Finds secrets whose name matches this regular expression.
  12870. type: string
  12871. type: object
  12872. nullBytePolicy:
  12873. default: Ignore
  12874. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  12875. enum:
  12876. - Ignore
  12877. - Fail
  12878. type: string
  12879. path:
  12880. description: A root path to start the find operations.
  12881. type: string
  12882. tags:
  12883. additionalProperties:
  12884. type: string
  12885. description: Find secrets based on tags.
  12886. type: object
  12887. type: object
  12888. rewrite:
  12889. description: |-
  12890. Used to rewrite secret Keys after getting them from the secret Provider
  12891. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  12892. items:
12893. description: ExternalSecretRewrite defines one rewrite operation (regexp, transform or merge) applied to the fetched keys and values before they are written to the Secret.
  12894. maxProperties: 1
  12895. minProperties: 1
  12896. properties:
  12897. merge:
  12898. description: |-
  12899. Used to merge key/values in one single Secret
  12900. The resulting key will contain all values from the specified secrets
  12901. properties:
  12902. conflictPolicy:
  12903. default: Error
  12904. description: Used to define the policy to use in conflict resolution.
  12905. enum:
  12906. - Ignore
  12907. - Error
  12908. type: string
  12909. into:
  12910. default: ""
  12911. description: |-
  12912. Used to define the target key of the merge operation.
  12913. Required if strategy is JSON. Ignored otherwise.
  12914. type: string
  12915. priority:
  12916. description: Used to define key priority in conflict resolution.
  12917. items:
  12918. type: string
  12919. type: array
  12920. priorityPolicy:
  12921. default: Strict
  12922. description: Used to define the policy when a key in the priority list does not exist in the input.
  12923. enum:
  12924. - IgnoreNotFound
  12925. - Strict
  12926. type: string
  12927. strategy:
  12928. default: Extract
  12929. description: Used to define the strategy to use in the merge operation.
  12930. enum:
  12931. - Extract
  12932. - JSON
  12933. type: string
  12934. type: object
  12935. regexp:
  12936. description: |-
  12937. Used to rewrite with regular expressions.
  12938. The resulting key will be the output of a regexp.ReplaceAll operation.
  12939. properties:
  12940. source:
12941. description: The regular expression that is compiled and matched against each secret key.
  12942. type: string
  12943. target:
  12944. description: Used to define the target pattern of a ReplaceAll operation.
  12945. type: string
  12946. required:
  12947. - source
  12948. - target
  12949. type: object
  12950. transform:
  12951. description: |-
  12952. Used to apply string transformation on the secrets.
  12953. The resulting key will be the output of the template applied by the operation.
  12954. properties:
  12955. template:
  12956. description: |-
  12957. Used to define the template to apply on the secret name.
12958. `.value` refers to the secret name in the template.
  12959. type: string
  12960. required:
  12961. - template
  12962. type: object
  12963. type: object
  12964. type: array
  12965. sourceRef:
  12966. description: |-
  12967. SourceRef points to a store or generator
  12968. which contains secret values ready to use.
12969. Use this in combination with Extract or Find to pull values out of
12970. a specific SecretStore.
  12971. When sourceRef points to a generator Extract or Find is not supported.
  12972. The generator returns a static map of values
  12973. maxProperties: 1
  12974. minProperties: 1
  12975. properties:
  12976. generatorRef:
  12977. description: GeneratorRef points to a generator custom resource.
  12978. properties:
  12979. apiVersion:
  12980. default: generators.external-secrets.io/v1alpha1
  12981. description: Specify the apiVersion of the generator resource
  12982. type: string
  12983. kind:
  12984. description: Specify the Kind of the generator resource
  12985. enum:
  12986. - ACRAccessToken
  12987. - ClusterGenerator
  12988. - CloudsmithAccessToken
  12989. - ECRAuthorizationToken
  12990. - Fake
  12991. - GCRAccessToken
  12992. - GithubAccessToken
  12993. - QuayAccessToken
  12994. - Password
  12995. - SSHKey
  12996. - STSSessionToken
  12997. - UUID
  12998. - VaultDynamicSecret
  12999. - Webhook
  13000. - Grafana
  13001. - MFA
  13002. type: string
  13003. name:
  13004. description: Specify the name of the generator resource
  13005. maxLength: 253
  13006. minLength: 1
  13007. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13008. type: string
  13009. required:
  13010. - kind
  13011. - name
  13012. type: object
  13013. storeRef:
  13014. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13015. properties:
  13016. kind:
  13017. description: |-
  13018. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13019. Defaults to `SecretStore`
  13020. enum:
  13021. - SecretStore
  13022. - ClusterSecretStore
  13023. type: string
  13024. name:
  13025. description: Name of the SecretStore resource
  13026. maxLength: 253
  13027. minLength: 1
  13028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13029. type: string
  13030. type: object
  13031. type: object
  13032. type: object
  13033. type: array
  13034. refreshInterval:
  13035. default: 1h0m0s
  13036. description: |-
  13037. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13038. specified as Golang Duration strings.
  13039. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13040. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13041. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13042. type: string
  13043. refreshPolicy:
  13044. description: |-
  13045. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13046. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13047. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13048. No periodic updates occur if refreshInterval is 0.
  13049. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13050. enum:
  13051. - CreatedOnce
  13052. - Periodic
  13053. - OnChange
  13054. type: string
  13055. secretStoreRef:
  13056. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13057. properties:
  13058. kind:
  13059. description: |-
  13060. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13061. Defaults to `SecretStore`
  13062. enum:
  13063. - SecretStore
  13064. - ClusterSecretStore
  13065. type: string
  13066. name:
  13067. description: Name of the SecretStore resource
  13068. maxLength: 253
  13069. minLength: 1
  13070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13071. type: string
  13072. type: object
  13073. target:
  13074. default:
  13075. creationPolicy: Owner
  13076. deletionPolicy: Retain
  13077. description: |-
  13078. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13079. there can be only one target per ExternalSecret.
  13080. properties:
  13081. creationPolicy:
  13082. default: Owner
  13083. description: |-
  13084. CreationPolicy defines rules on how to create the resulting Secret.
  13085. Defaults to "Owner"
  13086. enum:
  13087. - Owner
  13088. - Orphan
  13089. - Merge
  13090. - None
  13091. type: string
  13092. deletionPolicy:
  13093. default: Retain
  13094. description: |-
  13095. DeletionPolicy defines rules on how to delete the resulting Secret.
  13096. Defaults to "Retain"
  13097. enum:
  13098. - Delete
  13099. - Merge
  13100. - Retain
  13101. type: string
  13102. immutable:
13103. description: Immutable defines whether the resulting Secret is marked immutable.
  13104. type: boolean
  13105. manifest:
  13106. description: |-
  13107. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13108. When specified, ExternalSecret will create the resource type defined here
  13109. (e.g., ConfigMap, Custom Resource) instead of a Secret.
13110. Warning: with a generic target the fetched secret material is written into a non-Secret resource, so protections specific to Kubernetes Secrets (Secret-scoped RBAC, encryption at rest configured for Secrets) do not apply to it. Make sure RBAC on the target resource type and encryption at rest are configured accordingly.
  13111. properties:
  13112. apiVersion:
  13113. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13114. minLength: 1
  13115. type: string
  13116. kind:
  13117. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13118. minLength: 1
  13119. type: string
  13120. required:
  13121. - apiVersion
  13122. - kind
  13123. type: object
  13124. name:
  13125. description: |-
  13126. The name of the Secret resource to be managed.
  13127. Defaults to the .metadata.name of the ExternalSecret resource
  13128. maxLength: 253
  13129. minLength: 1
  13130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13131. type: string
  13132. template:
  13133. description: Template defines a blueprint for the created Secret resource.
  13134. properties:
  13135. data:
  13136. additionalProperties:
  13137. type: string
  13138. type: object
  13139. engineVersion:
  13140. default: v2
  13141. description: |-
  13142. EngineVersion specifies the template engine version
  13143. that should be used to compile/execute the
  13144. template specified in .data and .templateFrom[].
  13145. enum:
  13146. - v2
  13147. type: string
  13148. mergePolicy:
  13149. default: Replace
  13150. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13151. enum:
  13152. - Replace
  13153. - Merge
  13154. type: string
  13155. metadata:
  13156. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13157. properties:
  13158. annotations:
  13159. additionalProperties:
  13160. type: string
  13161. type: object
  13162. finalizers:
  13163. items:
  13164. type: string
  13165. type: array
  13166. labels:
  13167. additionalProperties:
  13168. type: string
  13169. type: object
  13170. type: object
  13171. templateFrom:
  13172. items:
  13173. description: |-
  13174. TemplateFrom specifies a source for templates.
  13175. Each item in the list can either reference a ConfigMap or a Secret resource.
  13176. properties:
  13177. configMap:
  13178. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13179. properties:
  13180. items:
  13181. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13182. items:
  13183. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13184. properties:
  13185. key:
  13186. description: A key in the ConfigMap/Secret
  13187. maxLength: 253
  13188. minLength: 1
  13189. pattern: ^[-._a-zA-Z0-9]+$
  13190. type: string
  13191. templateAs:
  13192. default: Values
  13193. description: TemplateScope specifies how the template keys should be interpreted.
  13194. enum:
  13195. - Values
  13196. - KeysAndValues
  13197. type: string
  13198. required:
  13199. - key
  13200. type: object
  13201. type: array
  13202. name:
  13203. description: The name of the ConfigMap/Secret resource
  13204. maxLength: 253
  13205. minLength: 1
  13206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13207. type: string
  13208. required:
  13209. - items
  13210. - name
  13211. type: object
  13212. literal:
  13213. type: string
  13214. secret:
  13215. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13216. properties:
  13217. items:
  13218. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13219. items:
  13220. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13221. properties:
  13222. key:
  13223. description: A key in the ConfigMap/Secret
  13224. maxLength: 253
  13225. minLength: 1
  13226. pattern: ^[-._a-zA-Z0-9]+$
  13227. type: string
  13228. templateAs:
  13229. default: Values
  13230. description: TemplateScope specifies how the template keys should be interpreted.
  13231. enum:
  13232. - Values
  13233. - KeysAndValues
  13234. type: string
  13235. required:
  13236. - key
  13237. type: object
  13238. type: array
  13239. name:
  13240. description: The name of the ConfigMap/Secret resource
  13241. maxLength: 253
  13242. minLength: 1
  13243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13244. type: string
  13245. required:
  13246. - items
  13247. - name
  13248. type: object
  13249. target:
  13250. default: Data
  13251. description: |-
  13252. Target specifies where to place the template result.
  13253. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13254. For custom resources (when spec.target.manifest is set), this supports
  13255. nested paths like "spec.database.config" or "data".
  13256. type: string
  13257. type: object
  13258. type: array
  13259. type:
  13260. type: string
  13261. type: object
  13262. type: object
  13263. type: object
  13264. status:
  13265. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13266. properties:
  13267. binding:
  13268. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13269. properties:
  13270. name:
  13271. default: ""
  13272. description: |-
  13273. Name of the referent.
  13274. This field is effectively required, but due to backwards compatibility is
  13275. allowed to be empty. Instances of this type with an empty value here are
  13276. almost certainly wrong.
  13277. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13278. type: string
  13279. type: object
  13280. x-kubernetes-map-type: atomic
  13281. conditions:
  13282. items:
  13283. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13284. properties:
  13285. lastTransitionTime:
  13286. format: date-time
  13287. type: string
  13288. message:
  13289. type: string
  13290. reason:
  13291. type: string
  13292. status:
  13293. type: string
  13294. type:
  13295. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13296. enum:
  13297. - Ready
  13298. - Deleted
  13299. type: string
  13300. required:
  13301. - status
  13302. - type
  13303. type: object
  13304. type: array
  13305. refreshTime:
  13306. description: |-
  13307. refreshTime is the time and date the external secret was fetched and
  13308. the target secret updated
  13309. format: date-time
  13310. nullable: true
  13311. type: string
  13312. syncedResourceVersion:
  13313. description: SyncedResourceVersion keeps track of the last synced version
  13314. type: string
  13315. type: object
  13316. type: object
  13317. selectableFields:
  13318. - jsonPath: .spec.secretStoreRef.name
  13319. - jsonPath: .spec.secretStoreRef.kind
  13320. - jsonPath: .spec.target.name
  13321. - jsonPath: .spec.refreshInterval
  13322. served: true
  13323. storage: true
  13324. subresources:
  13325. status: {}
  13326. - additionalPrinterColumns:
  13327. - jsonPath: .spec.secretStoreRef.kind
  13328. name: StoreType
  13329. type: string
  13330. - jsonPath: .spec.secretStoreRef.name
  13331. name: Store
  13332. type: string
  13333. - jsonPath: .spec.refreshInterval
  13334. name: Refresh Interval
  13335. type: string
  13336. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13337. name: Status
  13338. type: string
  13339. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13340. name: Ready
  13341. type: string
  13342. - jsonPath: .status.refreshTime
  13343. name: Last Sync
  13344. type: date
  13345. deprecated: true
  13346. name: v1beta1
  13347. schema:
  13348. openAPIV3Schema:
  13349. description: ExternalSecret is the schema for the external-secrets API.
  13350. properties:
  13351. apiVersion:
  13352. description: |-
  13353. APIVersion defines the versioned schema of this representation of an object.
  13354. Servers should convert recognized schemas to the latest internal value, and
  13355. may reject unrecognized values.
  13356. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13357. type: string
  13358. kind:
  13359. description: |-
  13360. Kind is a string value representing the REST resource this object represents.
  13361. Servers may infer this from the endpoint the client submits requests to.
  13362. Cannot be updated.
  13363. In CamelCase.
  13364. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13365. type: string
  13366. metadata:
  13367. type: object
  13368. spec:
  13369. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13370. properties:
  13371. data:
  13372. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13373. items:
  13374. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13375. properties:
  13376. remoteRef:
  13377. description: |-
  13378. RemoteRef points to the remote secret and defines
  13379. which secret (version/property/..) to fetch.
  13380. properties:
  13381. conversionStrategy:
  13382. default: Default
  13383. description: Used to define a conversion Strategy
  13384. enum:
  13385. - Default
  13386. - Unicode
  13387. type: string
  13388. decodingStrategy:
  13389. default: None
  13390. description: Used to define a decoding Strategy
  13391. enum:
  13392. - Auto
  13393. - Base64
  13394. - Base64URL
  13395. - None
  13396. type: string
  13397. key:
  13398. description: Key is the key used in the Provider, mandatory
  13399. type: string
  13400. metadataPolicy:
  13401. default: None
  13402. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13403. enum:
  13404. - None
  13405. - Fetch
  13406. type: string
  13407. property:
  13408. description: Used to select a specific property of the Provider value (if a map), if supported
  13409. type: string
  13410. version:
  13411. description: Used to select a specific version of the Provider value, if supported
  13412. type: string
  13413. required:
  13414. - key
  13415. type: object
  13416. secretKey:
  13417. description: The key in the Kubernetes Secret to store the value.
  13418. maxLength: 253
  13419. minLength: 1
  13420. pattern: ^[-._a-zA-Z0-9]+$
  13421. type: string
  13422. sourceRef:
  13423. description: |-
  13424. SourceRef allows you to override the source
  13425. from which the value will be pulled.
  13426. maxProperties: 1
  13427. minProperties: 1
  13428. properties:
  13429. generatorRef:
  13430. description: |-
  13431. GeneratorRef points to a generator custom resource.
13432. Deprecated: generatorRef is not implemented in .data[];
13433. it will be removed with v1.
  13434. properties:
  13435. apiVersion:
  13436. default: generators.external-secrets.io/v1alpha1
  13437. description: Specify the apiVersion of the generator resource
  13438. type: string
  13439. kind:
  13440. description: Specify the Kind of the generator resource
  13441. enum:
  13442. - ACRAccessToken
  13443. - ClusterGenerator
  13444. - ECRAuthorizationToken
  13445. - Fake
  13446. - GCRAccessToken
  13447. - GithubAccessToken
  13448. - QuayAccessToken
  13449. - Password
  13450. - SSHKey
  13451. - STSSessionToken
  13452. - UUID
  13453. - VaultDynamicSecret
  13454. - Webhook
  13455. - Grafana
  13456. type: string
  13457. name:
  13458. description: Specify the name of the generator resource
  13459. maxLength: 253
  13460. minLength: 1
  13461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13462. type: string
  13463. required:
  13464. - kind
  13465. - name
  13466. type: object
  13467. storeRef:
  13468. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13469. properties:
  13470. kind:
  13471. description: |-
  13472. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13473. Defaults to `SecretStore`
  13474. enum:
  13475. - SecretStore
  13476. - ClusterSecretStore
  13477. type: string
  13478. name:
  13479. description: Name of the SecretStore resource
  13480. maxLength: 253
  13481. minLength: 1
  13482. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13483. type: string
  13484. type: object
  13485. type: object
  13486. required:
  13487. - remoteRef
  13488. - secretKey
  13489. type: object
  13490. type: array
  13491. dataFrom:
  13492. description: |-
  13493. DataFrom is used to fetch all properties from a specific Provider data
  13494. If multiple entries are specified, the Secret keys are merged in the specified order
  13495. items:
  13496. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13497. properties:
  13498. extract:
  13499. description: |-
  13500. Used to extract multiple key/value pairs from one secret
  13501. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13502. properties:
  13503. conversionStrategy:
  13504. default: Default
  13505. description: Used to define a conversion Strategy
  13506. enum:
  13507. - Default
  13508. - Unicode
  13509. type: string
  13510. decodingStrategy:
  13511. default: None
  13512. description: Used to define a decoding Strategy
  13513. enum:
  13514. - Auto
  13515. - Base64
  13516. - Base64URL
  13517. - None
  13518. type: string
  13519. key:
  13520. description: Key is the key used in the Provider, mandatory
  13521. type: string
  13522. metadataPolicy:
  13523. default: None
  13524. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13525. enum:
  13526. - None
  13527. - Fetch
  13528. type: string
  13529. property:
  13530. description: Used to select a specific property of the Provider value (if a map), if supported
  13531. type: string
  13532. version:
  13533. description: Used to select a specific version of the Provider value, if supported
  13534. type: string
  13535. required:
  13536. - key
  13537. type: object
  13538. find:
  13539. description: |-
  13540. Used to find secrets based on tags or regular expressions
  13541. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13542. properties:
  13543. conversionStrategy:
  13544. default: Default
  13545. description: Used to define a conversion Strategy
  13546. enum:
  13547. - Default
  13548. - Unicode
  13549. type: string
  13550. decodingStrategy:
  13551. default: None
  13552. description: Used to define a decoding Strategy
  13553. enum:
  13554. - Auto
  13555. - Base64
  13556. - Base64URL
  13557. - None
  13558. type: string
  13559. name:
  13560. description: Finds secrets based on the name.
  13561. properties:
  13562. regexp:
13563. description: Finds secrets whose name matches this regular expression.
  13564. type: string
  13565. type: object
  13566. path:
  13567. description: A root path to start the find operations.
  13568. type: string
  13569. tags:
  13570. additionalProperties:
  13571. type: string
  13572. description: Find secrets based on tags.
  13573. type: object
  13574. type: object
  13575. rewrite:
  13576. description: |-
  13577. Used to rewrite secret Keys after getting them from the secret Provider
  13578. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13579. items:
  13580. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  13581. maxProperties: 1
  13582. minProperties: 1
  13583. properties:
  13584. regexp:
  13585. description: |-
  13586. Used to rewrite with regular expressions.
  13587. The resulting key will be the output of a regexp.ReplaceAll operation.
  13588. properties:
  13589. source:
13590. description: The regular expression that is compiled and matched against each secret key.
  13591. type: string
  13592. target:
  13593. description: Used to define the target pattern of a ReplaceAll operation.
  13594. type: string
  13595. required:
  13596. - source
  13597. - target
  13598. type: object
  13599. transform:
  13600. description: |-
  13601. Used to apply string transformation on the secrets.
  13602. The resulting key will be the output of the template applied by the operation.
  13603. properties:
  13604. template:
  13605. description: |-
  13606. Used to define the template to apply on the secret name.
13607. `.value` refers to the secret name in the template.
  13608. type: string
  13609. required:
  13610. - template
  13611. type: object
  13612. type: object
  13613. type: array
  13614. sourceRef:
  13615. description: |-
  13616. SourceRef points to a store or generator
  13617. which contains secret values ready to use.
13618. Use this in combination with Extract or Find to pull values out of
13619. a specific SecretStore.
  13620. When sourceRef points to a generator Extract or Find is not supported.
  13621. The generator returns a static map of values
  13622. maxProperties: 1
  13623. minProperties: 1
  13624. properties:
  13625. generatorRef:
  13626. description: GeneratorRef points to a generator custom resource.
  13627. properties:
  13628. apiVersion:
  13629. default: generators.external-secrets.io/v1alpha1
  13630. description: Specify the apiVersion of the generator resource
  13631. type: string
  13632. kind:
  13633. description: Specify the Kind of the generator resource
  13634. enum:
  13635. - ACRAccessToken
  13636. - ClusterGenerator
  13637. - ECRAuthorizationToken
  13638. - Fake
  13639. - GCRAccessToken
  13640. - GithubAccessToken
  13641. - QuayAccessToken
  13642. - Password
  13643. - SSHKey
  13644. - STSSessionToken
  13645. - UUID
  13646. - VaultDynamicSecret
  13647. - Webhook
  13648. - Grafana
  13649. type: string
  13650. name:
  13651. description: Specify the name of the generator resource
  13652. maxLength: 253
  13653. minLength: 1
  13654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13655. type: string
  13656. required:
  13657. - kind
  13658. - name
  13659. type: object
  13660. storeRef:
  13661. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13662. properties:
  13663. kind:
  13664. description: |-
  13665. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13666. Defaults to `SecretStore`
  13667. enum:
  13668. - SecretStore
  13669. - ClusterSecretStore
  13670. type: string
  13671. name:
  13672. description: Name of the SecretStore resource
  13673. maxLength: 253
  13674. minLength: 1
  13675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13676. type: string
  13677. type: object
  13678. type: object
  13679. type: object
  13680. type: array
  13681. refreshInterval:
  13682. default: 1h0m0s
  13683. description: |-
  13684. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13685. specified as Golang Duration strings.
  13686. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13687. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13688. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13689. type: string
  13690. refreshPolicy:
  13691. description: |-
  13692. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13693. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13694. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13695. No periodic updates occur if refreshInterval is 0.
  13696. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13697. enum:
  13698. - CreatedOnce
  13699. - Periodic
  13700. - OnChange
  13701. type: string
  13702. secretStoreRef:
  13703. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13704. properties:
  13705. kind:
  13706. description: |-
  13707. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13708. Defaults to `SecretStore`
  13709. enum:
  13710. - SecretStore
  13711. - ClusterSecretStore
  13712. type: string
  13713. name:
  13714. description: Name of the SecretStore resource
  13715. maxLength: 253
  13716. minLength: 1
  13717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13718. type: string
  13719. type: object
  13720. target:
  13721. default:
  13722. creationPolicy: Owner
  13723. deletionPolicy: Retain
  13724. description: |-
  13725. ExternalSecretTarget defines the Kubernetes Secret to be created
  13726. There can be only one target per ExternalSecret.
  13727. properties:
  13728. creationPolicy:
  13729. default: Owner
  13730. description: |-
  13731. CreationPolicy defines rules on how to create the resulting Secret.
  13732. Defaults to "Owner"
  13733. enum:
  13734. - Owner
  13735. - Orphan
  13736. - Merge
  13737. - None
  13738. type: string
  13739. deletionPolicy:
  13740. default: Retain
  13741. description: |-
  13742. DeletionPolicy defines rules on how to delete the resulting Secret.
  13743. Defaults to "Retain"
  13744. enum:
  13745. - Delete
  13746. - Merge
  13747. - Retain
  13748. type: string
  13749. immutable:
  13750. description: Immutable defines whether the final secret will be immutable
  13751. type: boolean
  13752. name:
  13753. description: |-
  13754. The name of the Secret resource to be managed.
  13755. Defaults to the .metadata.name of the ExternalSecret resource
  13756. maxLength: 253
  13757. minLength: 1
  13758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13759. type: string
  13760. template:
  13761. description: Template defines a blueprint for the created Secret resource.
  13762. properties:
  13763. data:
  13764. additionalProperties:
  13765. type: string
  13766. type: object
  13767. engineVersion:
  13768. default: v2
  13769. description: |-
  13770. EngineVersion specifies the template engine version
  13771. that should be used to compile/execute the
  13772. template specified in .data and .templateFrom[].
  13773. enum:
  13774. - v2
  13775. type: string
  13776. mergePolicy:
  13777. default: Replace
  13778. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  13779. enum:
  13780. - Replace
  13781. - Merge
  13782. type: string
  13783. metadata:
  13784. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13785. properties:
  13786. annotations:
  13787. additionalProperties:
  13788. type: string
  13789. type: object
  13790. labels:
  13791. additionalProperties:
  13792. type: string
  13793. type: object
  13794. type: object
  13795. templateFrom:
  13796. items:
  13797. description: TemplateFrom defines a source for template data.
  13798. properties:
  13799. configMap:
  13800. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13801. properties:
  13802. items:
  13803. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13804. items:
  13805. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13806. properties:
  13807. key:
  13808. description: A key in the ConfigMap/Secret
  13809. maxLength: 253
  13810. minLength: 1
  13811. pattern: ^[-._a-zA-Z0-9]+$
  13812. type: string
  13813. templateAs:
  13814. default: Values
  13815. description: TemplateScope defines the scope of the template when processing template data.
  13816. enum:
  13817. - Values
  13818. - KeysAndValues
  13819. type: string
  13820. required:
  13821. - key
  13822. type: object
  13823. type: array
  13824. name:
  13825. description: The name of the ConfigMap/Secret resource
  13826. maxLength: 253
  13827. minLength: 1
  13828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13829. type: string
  13830. required:
  13831. - items
  13832. - name
  13833. type: object
  13834. literal:
  13835. type: string
  13836. secret:
  13837. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  13838. properties:
  13839. items:
  13840. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13841. items:
  13842. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  13843. properties:
  13844. key:
  13845. description: A key in the ConfigMap/Secret
  13846. maxLength: 253
  13847. minLength: 1
  13848. pattern: ^[-._a-zA-Z0-9]+$
  13849. type: string
  13850. templateAs:
  13851. default: Values
  13852. description: TemplateScope defines the scope of the template when processing template data.
  13853. enum:
  13854. - Values
  13855. - KeysAndValues
  13856. type: string
  13857. required:
  13858. - key
  13859. type: object
  13860. type: array
  13861. name:
  13862. description: The name of the ConfigMap/Secret resource
  13863. maxLength: 253
  13864. minLength: 1
  13865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13866. type: string
  13867. required:
  13868. - items
  13869. - name
  13870. type: object
  13871. target:
  13872. default: Data
  13873. description: TemplateTarget defines the target field where the template result will be stored.
  13874. enum:
  13875. - Data
  13876. - Annotations
  13877. - Labels
  13878. type: string
  13879. type: object
  13880. type: array
  13881. type:
  13882. type: string
  13883. type: object
  13884. type: object
  13885. type: object
  13886. status:
  13887. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13888. properties:
  13889. binding:
  13890. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13891. properties:
  13892. name:
  13893. default: ""
  13894. description: |-
  13895. Name of the referent.
  13896. This field is effectively required, but due to backwards compatibility is
  13897. allowed to be empty. Instances of this type with an empty value here are
  13898. almost certainly wrong.
  13899. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13900. type: string
  13901. type: object
  13902. x-kubernetes-map-type: atomic
  13903. conditions:
  13904. items:
  13905. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  13906. properties:
  13907. lastTransitionTime:
  13908. format: date-time
  13909. type: string
  13910. message:
  13911. type: string
  13912. reason:
  13913. type: string
  13914. status:
  13915. type: string
  13916. type:
  13917. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  13918. type: string
  13919. required:
  13920. - status
  13921. - type
  13922. type: object
  13923. type: array
  13924. refreshTime:
  13925. description: |-
  13926. refreshTime is the time and date the external secret was fetched and
  13927. the target secret updated
  13928. format: date-time
  13929. nullable: true
  13930. type: string
  13931. syncedResourceVersion:
  13932. description: SyncedResourceVersion keeps track of the last synced version
  13933. type: string
  13934. type: object
  13935. type: object
  13936. served: false
  13937. storage: false
  13938. subresources:
  13939. status: {}
  13940. ---
  13941. apiVersion: apiextensions.k8s.io/v1
  13942. kind: CustomResourceDefinition
  13943. metadata:
  13944. annotations:
  13945. controller-gen.kubebuilder.io/version: v0.19.0
  13946. labels:
  13947. external-secrets.io/component: controller
  13948. name: pushsecrets.external-secrets.io
  13949. spec:
  13950. group: external-secrets.io
  13951. names:
  13952. categories:
  13953. - external-secrets
  13954. kind: PushSecret
  13955. listKind: PushSecretList
  13956. plural: pushsecrets
  13957. shortNames:
  13958. - ps
  13959. singular: pushsecret
  13960. scope: Namespaced
  13961. versions:
  13962. - additionalPrinterColumns:
  13963. - jsonPath: .metadata.creationTimestamp
  13964. name: AGE
  13965. type: date
  13966. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13967. name: Status
  13968. type: string
  13969. - jsonPath: .status.refreshTime
  13970. name: Last Sync
  13971. type: date
  13972. name: v1alpha1
  13973. schema:
  13974. openAPIV3Schema:
  13975. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  13976. properties:
  13977. apiVersion:
  13978. description: |-
  13979. APIVersion defines the versioned schema of this representation of an object.
  13980. Servers should convert recognized schemas to the latest internal value, and
  13981. may reject unrecognized values.
  13982. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13983. type: string
  13984. kind:
  13985. description: |-
  13986. Kind is a string value representing the REST resource this object represents.
  13987. Servers may infer this from the endpoint the client submits requests to.
  13988. Cannot be updated.
  13989. In CamelCase.
  13990. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13991. type: string
  13992. metadata:
  13993. type: object
  13994. spec:
  13995. description: PushSecretSpec configures the behavior of the PushSecret.
  13996. properties:
  13997. data:
  13998. description: Secret Data that should be pushed to providers
  13999. items:
  14000. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14001. properties:
  14002. conversionStrategy:
  14003. default: None
  14004. description: Used to define a conversion Strategy for the secret keys
  14005. enum:
  14006. - None
  14007. - ReverseUnicode
  14008. type: string
  14009. match:
  14010. description: Match a given Secret Key to be pushed to the provider.
  14011. properties:
  14012. remoteRef:
  14013. description: Remote Refs to push to providers.
  14014. properties:
  14015. property:
  14016. description: Name of the property in the resulting secret
  14017. type: string
  14018. remoteKey:
  14019. description: Name of the resulting provider secret.
  14020. type: string
  14021. required:
  14022. - remoteKey
  14023. type: object
  14024. secretKey:
  14025. description: Secret Key to be pushed
  14026. type: string
  14027. required:
  14028. - remoteRef
  14029. type: object
  14030. metadata:
  14031. description: |-
  14032. Metadata is metadata attached to the secret.
  14033. The structure of metadata is provider-specific; look it up in the provider documentation.
  14034. x-kubernetes-preserve-unknown-fields: true
  14035. required:
  14036. - match
  14037. type: object
  14038. type: array
  14039. dataTo:
  14040. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14041. items:
  14042. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14043. properties:
  14044. conversionStrategy:
  14045. default: None
  14046. description: Used to define a conversion Strategy for the secret keys
  14047. enum:
  14048. - None
  14049. - ReverseUnicode
  14050. type: string
  14051. match:
  14052. description: |-
  14053. Match pattern for selecting keys from the source Secret.
  14054. If not specified, all keys are selected.
  14055. properties:
  14056. regexp:
  14057. description: |-
  14058. Regexp matches keys by regular expression.
  14059. If not specified, all keys are matched.
  14060. type: string
  14061. type: object
  14062. metadata:
  14063. description: |-
  14064. Metadata is metadata attached to the secret.
  14065. The structure of metadata is provider-specific; look it up in the provider documentation.
  14066. x-kubernetes-preserve-unknown-fields: true
  14067. remoteKey:
  14068. description: |-
  14069. RemoteKey is the name of the single provider secret that will receive ALL
  14070. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14071. When set, per-key expansion is skipped and a single push is performed.
  14072. The provider's store prefix (if any) is still prepended to this value.
  14073. When not set, each matched key is pushed as its own individual provider secret.
  14074. type: string
  14075. rewrite:
  14076. description: |-
  14077. Rewrite operations to transform keys before pushing to the provider.
  14078. Operations are applied sequentially.
  14079. items:
  14080. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14081. properties:
  14082. regexp:
  14083. description: Used to rewrite with regular expressions.
  14084. properties:
  14085. source:
  14086. description: Used to define the regular expression of a re.Compiler.
  14087. type: string
  14088. target:
  14089. description: Used to define the target pattern of a ReplaceAll operation.
  14090. type: string
  14091. required:
  14092. - source
  14093. - target
  14094. type: object
  14095. transform:
  14096. description: Used to apply string transformation on the secrets.
  14097. properties:
  14098. template:
  14099. description: |-
  14100. Used to define the template to apply on the secret name.
  14101. `.value` will specify the secret name in the template.
  14102. type: string
  14103. required:
  14104. - template
  14105. type: object
  14106. type: object
  14107. x-kubernetes-validations:
  14108. - message: exactly one of regexp or transform must be set
  14109. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14110. type: array
  14111. storeRef:
  14112. description: StoreRef specifies which SecretStore to push to. Required.
  14113. properties:
  14114. kind:
  14115. default: SecretStore
  14116. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14117. enum:
  14118. - SecretStore
  14119. - ClusterSecretStore
  14120. type: string
  14121. labelSelector:
  14122. description: Optionally, sync to secret stores with label selector
  14123. properties:
  14124. matchExpressions:
  14125. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14126. items:
  14127. description: |-
  14128. A label selector requirement is a selector that contains values, a key, and an operator that
  14129. relates the key and values.
  14130. properties:
  14131. key:
  14132. description: key is the label key that the selector applies to.
  14133. type: string
  14134. operator:
  14135. description: |-
  14136. operator represents a key's relationship to a set of values.
  14137. Valid operators are In, NotIn, Exists and DoesNotExist.
  14138. type: string
  14139. values:
  14140. description: |-
  14141. values is an array of string values. If the operator is In or NotIn,
  14142. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14143. the values array must be empty. This array is replaced during a strategic
  14144. merge patch.
  14145. items:
  14146. type: string
  14147. type: array
  14148. x-kubernetes-list-type: atomic
  14149. required:
  14150. - key
  14151. - operator
  14152. type: object
  14153. type: array
  14154. x-kubernetes-list-type: atomic
  14155. matchLabels:
  14156. additionalProperties:
  14157. type: string
  14158. description: |-
  14159. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14160. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14161. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14162. type: object
  14163. type: object
  14164. x-kubernetes-map-type: atomic
  14165. name:
  14166. description: Optionally, sync to the SecretStore of the given name
  14167. maxLength: 253
  14168. minLength: 1
  14169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14170. type: string
  14171. type: object
  14172. type: object
  14173. x-kubernetes-validations:
  14174. - message: storeRef must specify either name or labelSelector
  14175. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14176. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14177. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14178. type: array
  14179. deletionPolicy:
  14180. default: None
  14181. description: Deletion Policy to handle Secrets in the provider.
  14182. enum:
  14183. - Delete
  14184. - None
  14185. type: string
  14186. refreshInterval:
  14187. default: 1h0m0s
  14188. description: The interval at which External Secrets will try to push a secret definition
  14189. type: string
  14190. secretStoreRefs:
  14191. items:
  14192. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14193. properties:
  14194. kind:
  14195. default: SecretStore
  14196. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14197. enum:
  14198. - SecretStore
  14199. - ClusterSecretStore
  14200. type: string
  14201. labelSelector:
  14202. description: Optionally, sync to secret stores with label selector
  14203. properties:
  14204. matchExpressions:
  14205. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14206. items:
  14207. description: |-
  14208. A label selector requirement is a selector that contains values, a key, and an operator that
  14209. relates the key and values.
  14210. properties:
  14211. key:
  14212. description: key is the label key that the selector applies to.
  14213. type: string
  14214. operator:
  14215. description: |-
  14216. operator represents a key's relationship to a set of values.
  14217. Valid operators are In, NotIn, Exists and DoesNotExist.
  14218. type: string
  14219. values:
  14220. description: |-
  14221. values is an array of string values. If the operator is In or NotIn,
  14222. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14223. the values array must be empty. This array is replaced during a strategic
  14224. merge patch.
  14225. items:
  14226. type: string
  14227. type: array
  14228. x-kubernetes-list-type: atomic
  14229. required:
  14230. - key
  14231. - operator
  14232. type: object
  14233. type: array
  14234. x-kubernetes-list-type: atomic
  14235. matchLabels:
  14236. additionalProperties:
  14237. type: string
  14238. description: |-
  14239. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14240. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14241. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14242. type: object
  14243. type: object
  14244. x-kubernetes-map-type: atomic
  14245. name:
  14246. description: Optionally, sync to the SecretStore of the given name
  14247. maxLength: 253
  14248. minLength: 1
  14249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14250. type: string
  14251. type: object
  14252. type: array
  14253. selector:
  14254. description: The Secret Selector (k8s source) for the Push Secret
  14255. maxProperties: 1
  14256. minProperties: 1
  14257. properties:
  14258. generatorRef:
  14259. description: Point to a generator to create a Secret.
  14260. properties:
  14261. apiVersion:
  14262. default: generators.external-secrets.io/v1alpha1
  14263. description: Specify the apiVersion of the generator resource
  14264. type: string
  14265. kind:
  14266. description: Specify the Kind of the generator resource
  14267. enum:
  14268. - ACRAccessToken
  14269. - ClusterGenerator
  14270. - CloudsmithAccessToken
  14271. - ECRAuthorizationToken
  14272. - Fake
  14273. - GCRAccessToken
  14274. - GithubAccessToken
  14275. - QuayAccessToken
  14276. - Password
  14277. - SSHKey
  14278. - STSSessionToken
  14279. - UUID
  14280. - VaultDynamicSecret
  14281. - Webhook
  14282. - Grafana
  14283. - MFA
  14284. type: string
  14285. name:
  14286. description: Specify the name of the generator resource
  14287. maxLength: 253
  14288. minLength: 1
  14289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14290. type: string
  14291. required:
  14292. - kind
  14293. - name
  14294. type: object
  14295. secret:
  14296. description: Select a Secret to Push.
  14297. properties:
  14298. name:
  14299. description: |-
  14300. Name of the Secret.
  14301. The Secret must exist in the same namespace as the PushSecret manifest.
  14302. maxLength: 253
  14303. minLength: 1
  14304. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14305. type: string
  14306. selector:
  14307. description: Selector chooses secrets using a labelSelector.
  14308. properties:
  14309. matchExpressions:
  14310. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14311. items:
  14312. description: |-
  14313. A label selector requirement is a selector that contains values, a key, and an operator that
  14314. relates the key and values.
  14315. properties:
  14316. key:
  14317. description: key is the label key that the selector applies to.
  14318. type: string
  14319. operator:
  14320. description: |-
  14321. operator represents a key's relationship to a set of values.
  14322. Valid operators are In, NotIn, Exists and DoesNotExist.
  14323. type: string
  14324. values:
  14325. description: |-
  14326. values is an array of string values. If the operator is In or NotIn,
  14327. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14328. the values array must be empty. This array is replaced during a strategic
  14329. merge patch.
  14330. items:
  14331. type: string
  14332. type: array
  14333. x-kubernetes-list-type: atomic
  14334. required:
  14335. - key
  14336. - operator
  14337. type: object
  14338. type: array
  14339. x-kubernetes-list-type: atomic
  14340. matchLabels:
  14341. additionalProperties:
  14342. type: string
  14343. description: |-
  14344. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14345. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14346. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14347. type: object
  14348. type: object
  14349. x-kubernetes-map-type: atomic
  14350. type: object
  14351. type: object
  14352. template:
  14353. description: Template defines a blueprint for the created Secret resource.
  14354. properties:
  14355. data:
  14356. additionalProperties:
  14357. type: string
  14358. type: object
  14359. engineVersion:
  14360. default: v2
  14361. description: |-
  14362. EngineVersion specifies the template engine version
  14363. that should be used to compile/execute the
  14364. template specified in .data and .templateFrom[].
  14365. enum:
  14366. - v2
  14367. type: string
  14368. mergePolicy:
  14369. default: Replace
  14370. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14371. enum:
  14372. - Replace
  14373. - Merge
  14374. type: string
  14375. metadata:
  14376. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14377. properties:
  14378. annotations:
  14379. additionalProperties:
  14380. type: string
  14381. type: object
  14382. finalizers:
  14383. items:
  14384. type: string
  14385. type: array
  14386. labels:
  14387. additionalProperties:
  14388. type: string
  14389. type: object
  14390. type: object
  14391. templateFrom:
  14392. items:
  14393. description: |-
  14394. TemplateFrom specifies a source for templates.
  14395. Each item in the list can either reference a ConfigMap or a Secret resource.
  14396. properties:
  14397. configMap:
  14398. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14399. properties:
  14400. items:
  14401. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14402. items:
  14403. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14404. properties:
  14405. key:
  14406. description: A key in the ConfigMap/Secret
  14407. maxLength: 253
  14408. minLength: 1
  14409. pattern: ^[-._a-zA-Z0-9]+$
  14410. type: string
  14411. templateAs:
  14412. default: Values
  14413. description: TemplateScope specifies how the template keys should be interpreted.
  14414. enum:
  14415. - Values
  14416. - KeysAndValues
  14417. type: string
  14418. required:
  14419. - key
  14420. type: object
  14421. type: array
  14422. name:
  14423. description: The name of the ConfigMap/Secret resource
  14424. maxLength: 253
  14425. minLength: 1
  14426. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14427. type: string
  14428. required:
  14429. - items
  14430. - name
  14431. type: object
  14432. literal:
  14433. type: string
  14434. secret:
  14435. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14436. properties:
  14437. items:
  14438. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14439. items:
  14440. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14441. properties:
  14442. key:
  14443. description: A key in the ConfigMap/Secret
  14444. maxLength: 253
  14445. minLength: 1
  14446. pattern: ^[-._a-zA-Z0-9]+$
  14447. type: string
  14448. templateAs:
  14449. default: Values
  14450. description: TemplateScope specifies how the template keys should be interpreted.
  14451. enum:
  14452. - Values
  14453. - KeysAndValues
  14454. type: string
  14455. required:
  14456. - key
  14457. type: object
  14458. type: array
  14459. name:
  14460. description: The name of the ConfigMap/Secret resource
  14461. maxLength: 253
  14462. minLength: 1
  14463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14464. type: string
  14465. required:
  14466. - items
  14467. - name
  14468. type: object
  14469. target:
  14470. default: Data
  14471. description: |-
  14472. Target specifies where to place the template result.
  14473. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14474. For custom resources (when spec.target.manifest is set), this supports
  14475. nested paths like "spec.database.config" or "data".
  14476. type: string
  14477. type: object
  14478. type: array
  14479. type:
  14480. type: string
  14481. type: object
  14482. updatePolicy:
  14483. default: Replace
  14484. description: UpdatePolicy to handle Secrets in the provider.
  14485. enum:
  14486. - Replace
  14487. - IfNotExists
  14488. type: string
  14489. required:
  14490. - secretStoreRefs
  14491. - selector
  14492. type: object
  14493. status:
  14494. description: PushSecretStatus indicates the history of the status of PushSecret.
  14495. properties:
  14496. conditions:
  14497. items:
  14498. description: PushSecretStatusCondition indicates the status of the PushSecret.
  14499. properties:
  14500. lastTransitionTime:
  14501. format: date-time
  14502. type: string
  14503. message:
  14504. type: string
  14505. reason:
  14506. type: string
  14507. status:
  14508. type: string
  14509. type:
  14510. description: PushSecretConditionType indicates the condition of the PushSecret.
  14511. type: string
  14512. required:
  14513. - status
  14514. - type
  14515. type: object
  14516. type: array
  14517. refreshTime:
  14518. description: |-
  14519. refreshTime is the time and date the external secret was fetched and
  14520. the target secret updated
  14521. format: date-time
  14522. nullable: true
  14523. type: string
  14524. syncedPushSecrets:
  14525. additionalProperties:
  14526. additionalProperties:
  14527. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14528. properties:
  14529. conversionStrategy:
  14530. default: None
  14531. description: Used to define a conversion Strategy for the secret keys
  14532. enum:
  14533. - None
  14534. - ReverseUnicode
  14535. type: string
  14536. match:
  14537. description: Match a given Secret Key to be pushed to the provider.
  14538. properties:
  14539. remoteRef:
  14540. description: Remote Refs to push to providers.
  14541. properties:
  14542. property:
  14543. description: Name of the property in the resulting secret
  14544. type: string
  14545. remoteKey:
  14546. description: Name of the resulting provider secret.
  14547. type: string
  14548. required:
  14549. - remoteKey
  14550. type: object
  14551. secretKey:
  14552. description: Secret Key to be pushed
  14553. type: string
  14554. required:
  14555. - remoteRef
  14556. type: object
  14557. metadata:
  14558. description: |-
  14559. Metadata is metadata attached to the secret.
  14560. The structure of metadata is provider-specific; look it up in the provider documentation.
  14561. x-kubernetes-preserve-unknown-fields: true
  14562. required:
  14563. - match
  14564. type: object
  14565. type: object
  14566. description: |-
  14567. Synced PushSecrets, including secrets that already exist in the provider.
  14568. Matches secret stores to PushSecretData that was stored to that secret store.
  14569. type: object
  14570. syncedResourceVersion:
  14571. description: SyncedResourceVersion keeps track of the last synced version.
  14572. type: string
  14573. type: object
  14574. type: object
  14575. served: true
  14576. storage: true
  14577. subresources:
  14578. status: {}
  14579. ---
  14580. apiVersion: apiextensions.k8s.io/v1
  14581. kind: CustomResourceDefinition
  14582. metadata:
  14583. annotations:
  14584. controller-gen.kubebuilder.io/version: v0.19.0
  14585. labels:
  14586. external-secrets.io/component: controller
  14587. name: secretstores.external-secrets.io
  14588. spec:
  14589. group: external-secrets.io
  14590. names:
  14591. categories:
  14592. - external-secrets
  14593. kind: SecretStore
  14594. listKind: SecretStoreList
  14595. plural: secretstores
  14596. shortNames:
  14597. - ss
  14598. singular: secretstore
  14599. scope: Namespaced
  14600. versions:
  14601. - additionalPrinterColumns:
  14602. - jsonPath: .metadata.creationTimestamp
  14603. name: AGE
  14604. type: date
  14605. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14606. name: Status
  14607. type: string
  14608. - jsonPath: .status.capabilities
  14609. name: Capabilities
  14610. type: string
  14611. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  14612. name: Ready
  14613. type: string
  14614. name: v1
  14615. schema:
  14616. openAPIV3Schema:
  14617. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  14618. properties:
  14619. apiVersion:
  14620. description: |-
  14621. APIVersion defines the versioned schema of this representation of an object.
  14622. Servers should convert recognized schemas to the latest internal value, and
  14623. may reject unrecognized values.
  14624. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14625. type: string
  14626. kind:
  14627. description: |-
  14628. Kind is a string value representing the REST resource this object represents.
  14629. Servers may infer this from the endpoint the client submits requests to.
  14630. Cannot be updated.
  14631. In CamelCase.
  14632. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14633. type: string
  14634. metadata:
  14635. type: object
  14636. spec:
  14637. description: SecretStoreSpec defines the desired state of SecretStore.
  14638. properties:
  14639. conditions:
  14640. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  14641. items:
  14642. description: |-
  14643. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  14644. for a ClusterSecretStore instance.
  14645. properties:
  14646. namespaceRegexes:
  14647. description: Choose namespaces by using regex matching
  14648. items:
  14649. type: string
  14650. type: array
  14651. namespaceSelector:
  14652. description: Choose namespace using a labelSelector
  14653. properties:
  14654. matchExpressions:
  14655. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14656. items:
  14657. description: |-
  14658. A label selector requirement is a selector that contains values, a key, and an operator that
  14659. relates the key and values.
  14660. properties:
  14661. key:
  14662. description: key is the label key that the selector applies to.
  14663. type: string
  14664. operator:
  14665. description: |-
  14666. operator represents a key's relationship to a set of values.
  14667. Valid operators are In, NotIn, Exists and DoesNotExist.
  14668. type: string
  14669. values:
  14670. description: |-
  14671. values is an array of string values. If the operator is In or NotIn,
  14672. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14673. the values array must be empty. This array is replaced during a strategic
  14674. merge patch.
  14675. items:
  14676. type: string
  14677. type: array
  14678. x-kubernetes-list-type: atomic
  14679. required:
  14680. - key
  14681. - operator
  14682. type: object
  14683. type: array
  14684. x-kubernetes-list-type: atomic
  14685. matchLabels:
  14686. additionalProperties:
  14687. type: string
  14688. description: |-
  14689. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14690. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14691. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14692. type: object
  14693. type: object
  14694. x-kubernetes-map-type: atomic
  14695. namespaces:
  14696. description: Choose namespaces by name
  14697. items:
  14698. maxLength: 63
  14699. minLength: 1
  14700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14701. type: string
  14702. type: array
  14703. type: object
  14704. type: array
  14705. controller:
  14706. description: |-
  14707. Used to select the correct ESO controller (think: ingress.ingressClassName)
  14708. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  14709. type: string
  14710. provider:
  14711. description: Used to configure the provider. Only one provider may be set
  14712. maxProperties: 1
  14713. minProperties: 1
  14714. properties:
  14715. akeyless:
  14716. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  14717. properties:
  14718. akeylessGWApiURL:
  14719. description: Akeyless GW API URL from which the secrets are to be fetched.
  14720. type: string
  14721. authSecretRef:
  14722. description: Auth configures how the operator authenticates with Akeyless.
  14723. properties:
  14724. kubernetesAuth:
  14725. description: |-
  14726. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  14727. token stored in the named Secret resource.
  14728. properties:
  14729. accessID:
  14730. description: the Akeyless Kubernetes auth-method access-id
  14731. type: string
  14732. k8sConfName:
  14733. description: Kubernetes-auth configuration name in Akeyless-Gateway
  14734. type: string
  14735. secretRef:
  14736. description: |-
  14737. Optional secret field containing a Kubernetes ServiceAccount JWT used
  14738. for authenticating with Akeyless. If a name is specified without a key,
  14739. `token` is the default. If one is not specified, the one bound to
  14740. the controller will be used.
  14741. properties:
  14742. key:
  14743. description: |-
  14744. A key in the referenced Secret.
  14745. Some instances of this field may be defaulted, in others it may be required.
  14746. maxLength: 253
  14747. minLength: 1
  14748. pattern: ^[-._a-zA-Z0-9]+$
  14749. type: string
  14750. name:
  14751. description: The name of the Secret resource being referred to.
  14752. maxLength: 253
  14753. minLength: 1
  14754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14755. type: string
  14756. namespace:
  14757. description: |-
  14758. The namespace of the Secret resource being referred to.
  14759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14760. maxLength: 63
  14761. minLength: 1
  14762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14763. type: string
  14764. type: object
  14765. serviceAccountRef:
  14766. description: |-
  14767. Optional service account field containing the name of a kubernetes ServiceAccount.
  14768. If the service account is specified, the service account secret token JWT will be used
  14769. for authenticating with Akeyless. If the service account selector is not supplied,
  14770. the secretRef will be used instead.
  14771. properties:
  14772. audiences:
  14773. description: |-
  14774. Audience specifies the `aud` claim for the service account token
  14775. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14776. then these audiences will be appended to the list
  14777. items:
  14778. type: string
  14779. type: array
  14780. name:
  14781. description: The name of the ServiceAccount resource being referred to.
  14782. maxLength: 253
  14783. minLength: 1
  14784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14785. type: string
  14786. namespace:
  14787. description: |-
  14788. Namespace of the resource being referred to.
  14789. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14790. maxLength: 63
  14791. minLength: 1
  14792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14793. type: string
  14794. required:
  14795. - name
  14796. type: object
  14797. required:
  14798. - accessID
  14799. - k8sConfName
  14800. type: object
  14801. secretRef:
  14802. description: |-
  14803. Reference to a Secret that contains the details
  14804. to authenticate with Akeyless.
  14805. properties:
  14806. accessID:
  14807. description: The SecretAccessID is used for authentication
  14808. properties:
  14809. key:
  14810. description: |-
  14811. A key in the referenced Secret.
  14812. Some instances of this field may be defaulted, in others it may be required.
  14813. maxLength: 253
  14814. minLength: 1
  14815. pattern: ^[-._a-zA-Z0-9]+$
  14816. type: string
  14817. name:
  14818. description: The name of the Secret resource being referred to.
  14819. maxLength: 253
  14820. minLength: 1
  14821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14822. type: string
  14823. namespace:
  14824. description: |-
  14825. The namespace of the Secret resource being referred to.
  14826. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14827. maxLength: 63
  14828. minLength: 1
  14829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14830. type: string
  14831. type: object
  14832. accessType:
  14833. description: |-
  14834. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14835. In some instances, `key` is a required field.
  14836. properties:
  14837. key:
  14838. description: |-
  14839. A key in the referenced Secret.
  14840. Some instances of this field may be defaulted, in others it may be required.
  14841. maxLength: 253
  14842. minLength: 1
  14843. pattern: ^[-._a-zA-Z0-9]+$
  14844. type: string
  14845. name:
  14846. description: The name of the Secret resource being referred to.
  14847. maxLength: 253
  14848. minLength: 1
  14849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14850. type: string
  14851. namespace:
  14852. description: |-
  14853. The namespace of the Secret resource being referred to.
  14854. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14855. maxLength: 63
  14856. minLength: 1
  14857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14858. type: string
  14859. type: object
  14860. accessTypeParam:
  14861. description: |-
  14862. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  14863. In some instances, `key` is a required field.
  14864. properties:
  14865. key:
  14866. description: |-
  14867. A key in the referenced Secret.
  14868. Some instances of this field may be defaulted, in others it may be required.
  14869. maxLength: 253
  14870. minLength: 1
  14871. pattern: ^[-._a-zA-Z0-9]+$
  14872. type: string
  14873. name:
  14874. description: The name of the Secret resource being referred to.
  14875. maxLength: 253
  14876. minLength: 1
  14877. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14878. type: string
  14879. namespace:
  14880. description: |-
  14881. The namespace of the Secret resource being referred to.
  14882. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14883. maxLength: 63
  14884. minLength: 1
  14885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14886. type: string
  14887. type: object
  14888. type: object
  14889. type: object
  14890. caBundle:
  14891. description: |-
  14892. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  14893. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  14894. are used to validate the TLS connection.
  14895. format: byte
  14896. type: string
  14897. caProvider:
  14898. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  14899. properties:
  14900. key:
  14901. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  14902. maxLength: 253
  14903. minLength: 1
  14904. pattern: ^[-._a-zA-Z0-9]+$
  14905. type: string
  14906. name:
  14907. description: The name of the object located at the provider type.
  14908. maxLength: 253
  14909. minLength: 1
  14910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14911. type: string
  14912. namespace:
  14913. description: |-
  14914. The namespace the Provider type is in.
  14915. Can only be defined when used in a ClusterSecretStore.
  14916. maxLength: 63
  14917. minLength: 1
  14918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14919. type: string
  14920. type:
  14921. description: The type of provider to use such as "Secret", or "ConfigMap".
  14922. enum:
  14923. - Secret
  14924. - ConfigMap
  14925. type: string
  14926. required:
  14927. - name
  14928. - type
  14929. type: object
  14930. required:
  14931. - akeylessGWApiURL
  14932. - authSecretRef
  14933. type: object
  14934. aws:
  14935. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  14936. properties:
  14937. additionalRoles:
  14938. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  14939. items:
  14940. type: string
  14941. type: array
  14942. auth:
  14943. description: |-
  14944. Auth defines the information necessary to authenticate against AWS
  14945. If not set, the AWS SDK will infer credentials from your environment;
  14946. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  14947. properties:
  14948. jwt:
  14949. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  14950. properties:
  14951. serviceAccountRef:
  14952. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  14953. properties:
  14954. audiences:
  14955. description: |-
  14956. Audience specifies the `aud` claim for the service account token
  14957. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  14958. then these audiences will be appended to the list
  14959. items:
  14960. type: string
  14961. type: array
  14962. name:
  14963. description: The name of the ServiceAccount resource being referred to.
  14964. maxLength: 253
  14965. minLength: 1
  14966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14967. type: string
  14968. namespace:
  14969. description: |-
  14970. Namespace of the resource being referred to.
  14971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  14972. maxLength: 63
  14973. minLength: 1
  14974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  14975. type: string
  14976. required:
  14977. - name
  14978. type: object
  14979. type: object
  14980. secretRef:
  14981. description: |-
  14982. AWSAuthSecretRef holds secret references for AWS credentials
  14983. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  14984. properties:
  14985. accessKeyIDSecretRef:
  14986. description: The AccessKeyID is used for authentication
  14987. properties:
  14988. key:
  14989. description: |-
  14990. A key in the referenced Secret.
  14991. Some instances of this field may be defaulted, in others it may be required.
  14992. maxLength: 253
  14993. minLength: 1
  14994. pattern: ^[-._a-zA-Z0-9]+$
  14995. type: string
  14996. name:
  14997. description: The name of the Secret resource being referred to.
  14998. maxLength: 253
  14999. minLength: 1
  15000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15001. type: string
  15002. namespace:
  15003. description: |-
  15004. The namespace of the Secret resource being referred to.
  15005. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15006. maxLength: 63
  15007. minLength: 1
  15008. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15009. type: string
  15010. type: object
  15011. secretAccessKeySecretRef:
  15012. description: The SecretAccessKey is used for authentication
  15013. properties:
  15014. key:
  15015. description: |-
  15016. A key in the referenced Secret.
  15017. Some instances of this field may be defaulted, in others it may be required.
  15018. maxLength: 253
  15019. minLength: 1
  15020. pattern: ^[-._a-zA-Z0-9]+$
  15021. type: string
  15022. name:
  15023. description: The name of the Secret resource being referred to.
  15024. maxLength: 253
  15025. minLength: 1
  15026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15027. type: string
  15028. namespace:
  15029. description: |-
  15030. The namespace of the Secret resource being referred to.
  15031. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15032. maxLength: 63
  15033. minLength: 1
  15034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15035. type: string
  15036. type: object
  15037. sessionTokenSecretRef:
  15038. description: |-
  15039. The SessionToken used for authentication
  15040. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15041. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15042. properties:
  15043. key:
  15044. description: |-
  15045. A key in the referenced Secret.
  15046. Some instances of this field may be defaulted, in others it may be required.
  15047. maxLength: 253
  15048. minLength: 1
  15049. pattern: ^[-._a-zA-Z0-9]+$
  15050. type: string
  15051. name:
  15052. description: The name of the Secret resource being referred to.
  15053. maxLength: 253
  15054. minLength: 1
  15055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15056. type: string
  15057. namespace:
  15058. description: |-
  15059. The namespace of the Secret resource being referred to.
  15060. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15061. maxLength: 63
  15062. minLength: 1
  15063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15064. type: string
  15065. type: object
  15066. type: object
  15067. type: object
  15068. customSessionTags:
  15069. additionalProperties:
  15070. type: string
  15071. description: |-
  15072. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15073. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15074. type: object
  15075. x-kubernetes-validations:
  15076. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15077. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15078. externalID:
  15079. description: AWS External ID set on assumed IAM roles
  15080. type: string
  15081. prefix:
  15082. description: Prefix adds a prefix to all retrieved values.
  15083. type: string
  15084. region:
  15085. description: AWS Region to be used for the provider
  15086. type: string
  15087. role:
  15088. description: Role is a Role ARN which the provider will assume
  15089. type: string
  15090. secretsManager:
  15091. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15092. properties:
  15093. forceDeleteWithoutRecovery:
  15094. description: |-
  15095. Specifies whether to delete the secret without any recovery window. You
  15096. can't use both this parameter and RecoveryWindowInDays in the same call.
  15097. If you don't use either, then by default Secrets Manager uses a 30 day
  15098. recovery window.
  15099. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15100. type: boolean
  15101. recoveryWindowInDays:
  15102. description: |-
  15103. The number of days from 7 to 30 that Secrets Manager waits before
  15104. permanently deleting the secret. You can't use both this parameter and
  15105. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15106. then by default Secrets Manager uses a 30-day recovery window.
  15107. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15108. format: int64
  15109. type: integer
  15110. type: object
  15111. service:
  15112. description: Service defines which service should be used to fetch the secrets
  15113. enum:
  15114. - SecretsManager
  15115. - ParameterStore
  15116. type: string
  15117. sessionTags:
  15118. description: AWS STS assume role session tags
  15119. items:
  15120. description: |-
  15121. Tag is a key-value pair that can be attached to an AWS resource.
  15122. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15123. properties:
  15124. key:
  15125. type: string
  15126. value:
  15127. type: string
  15128. required:
  15129. - key
  15130. - value
  15131. type: object
  15132. type: array
  15133. sessionTagsPolicy:
  15134. default: None
  15135. description: |-
  15136. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15137. None (default): no tags are added.
  15138. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15139. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15140. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15141. enum:
  15142. - None
  15143. - Simple
  15144. - Custom
  15145. type: string
  15146. transitiveTagKeys:
  15147. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15148. items:
  15149. type: string
  15150. type: array
  15151. required:
  15152. - region
  15153. - service
  15154. type: object
  15155. azurekv:
  15156. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15157. properties:
  15158. authSecretRef:
  15159. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15160. properties:
  15161. clientCertificate:
  15162. description: The Azure ClientCertificate of the service principal used for authentication.
  15163. properties:
  15164. key:
  15165. description: |-
  15166. A key in the referenced Secret.
  15167. Some instances of this field may be defaulted, in others it may be required.
  15168. maxLength: 253
  15169. minLength: 1
  15170. pattern: ^[-._a-zA-Z0-9]+$
  15171. type: string
  15172. name:
  15173. description: The name of the Secret resource being referred to.
  15174. maxLength: 253
  15175. minLength: 1
  15176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15177. type: string
  15178. namespace:
  15179. description: |-
  15180. The namespace of the Secret resource being referred to.
  15181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15182. maxLength: 63
  15183. minLength: 1
  15184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15185. type: string
  15186. type: object
  15187. clientId:
  15188. description: The Azure clientId of the service principal or managed identity used for authentication.
  15189. properties:
  15190. key:
  15191. description: |-
  15192. A key in the referenced Secret.
  15193. Some instances of this field may be defaulted, in others it may be required.
  15194. maxLength: 253
  15195. minLength: 1
  15196. pattern: ^[-._a-zA-Z0-9]+$
  15197. type: string
  15198. name:
  15199. description: The name of the Secret resource being referred to.
  15200. maxLength: 253
  15201. minLength: 1
  15202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15203. type: string
  15204. namespace:
  15205. description: |-
  15206. The namespace of the Secret resource being referred to.
  15207. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15208. maxLength: 63
  15209. minLength: 1
  15210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15211. type: string
  15212. type: object
  15213. clientSecret:
  15214. description: The Azure ClientSecret of the service principal used for authentication.
  15215. properties:
  15216. key:
  15217. description: |-
  15218. A key in the referenced Secret.
  15219. Some instances of this field may be defaulted, in others it may be required.
  15220. maxLength: 253
  15221. minLength: 1
  15222. pattern: ^[-._a-zA-Z0-9]+$
  15223. type: string
  15224. name:
  15225. description: The name of the Secret resource being referred to.
  15226. maxLength: 253
  15227. minLength: 1
  15228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15229. type: string
  15230. namespace:
  15231. description: |-
  15232. The namespace of the Secret resource being referred to.
  15233. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15234. maxLength: 63
  15235. minLength: 1
  15236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15237. type: string
  15238. type: object
  15239. tenantId:
  15240. description: The Azure tenantId of the managed identity used for authentication.
  15241. properties:
  15242. key:
  15243. description: |-
  15244. A key in the referenced Secret.
  15245. Some instances of this field may be defaulted, in others it may be required.
  15246. maxLength: 253
  15247. minLength: 1
  15248. pattern: ^[-._a-zA-Z0-9]+$
  15249. type: string
  15250. name:
  15251. description: The name of the Secret resource being referred to.
  15252. maxLength: 253
  15253. minLength: 1
  15254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15255. type: string
  15256. namespace:
  15257. description: |-
  15258. The namespace of the Secret resource being referred to.
  15259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15260. maxLength: 63
  15261. minLength: 1
  15262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15263. type: string
  15264. type: object
  15265. type: object
  15266. authType:
  15267. default: ServicePrincipal
  15268. description: |-
  15269. Auth type defines how to authenticate to the keyvault service.
  15270. Valid values are:
  15271. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15272. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15273. enum:
  15274. - ServicePrincipal
  15275. - ManagedIdentity
  15276. - WorkloadIdentity
  15277. type: string
  15278. customCloudConfig:
  15279. description: |-
  15280. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15281. Required when EnvironmentType is AzureStackCloud.
  15282. Optional for other environment types - useful for Azure China when using Workload Identity
  15283. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15284. standard China Cloud endpoint (login.chinacloudapi.cn).
  15285. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15286. configuration is not supported with the legacy go-autorest SDK.
  15287. properties:
  15288. activeDirectoryEndpoint:
  15289. description: |-
  15290. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15291. Required when using custom cloud configuration
  15292. type: string
  15293. keyVaultDNSSuffix:
  15294. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15295. type: string
  15296. keyVaultEndpoint:
  15297. description: KeyVaultEndpoint is the Key Vault service endpoint
  15298. type: string
  15299. resourceManagerEndpoint:
  15300. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15301. type: string
  15302. required:
  15303. - activeDirectoryEndpoint
  15304. type: object
  15305. environmentType:
  15306. default: PublicCloud
  15307. description: |-
  15308. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15309. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15310. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15311. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15312. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15313. enum:
  15314. - PublicCloud
  15315. - USGovernmentCloud
  15316. - ChinaCloud
  15317. - GermanCloud
  15318. - AzureStackCloud
  15319. type: string
  15320. identityId:
  15321. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  15322. type: string
  15323. serviceAccountRef:
  15324. description: |-
  15325. ServiceAccountRef specifies the service account
  15326. that should be used when authenticating with WorkloadIdentity.
  15327. properties:
  15328. audiences:
  15329. description: |-
  15330. Audience specifies the `aud` claim for the service account token
  15331. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15332. then these audiences will be appended to the list
  15333. items:
  15334. type: string
  15335. type: array
  15336. name:
  15337. description: The name of the ServiceAccount resource being referred to.
  15338. maxLength: 253
  15339. minLength: 1
  15340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15341. type: string
  15342. namespace:
  15343. description: |-
  15344. Namespace of the resource being referred to.
  15345. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15346. maxLength: 63
  15347. minLength: 1
  15348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15349. type: string
  15350. required:
  15351. - name
  15352. type: object
  15353. tenantId:
  15354. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15355. type: string
  15356. useAzureSDK:
  15357. default: false
  15358. description: |-
  15359. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15360. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15361. type: boolean
  15362. vaultUrl:
  15363. description: VaultURL is the URL of the vault from which secrets are fetched.
  15364. type: string
  15365. required:
  15366. - vaultUrl
  15367. type: object
  15368. barbican:
  15369. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15370. properties:
  15371. auth:
  15372. description: BarbicanAuth contains the authentication information for Barbican.
  15373. properties:
  15374. password:
  15375. description: BarbicanProviderPasswordRef defines a reference to a Secret containing the password for the Barbican provider.
  15376. properties:
  15377. secretRef:
  15378. description: |-
  15379. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15380. In some instances, `key` is a required field.
  15381. properties:
  15382. key:
  15383. description: |-
  15384. A key in the referenced Secret.
  15385. Some instances of this field may be defaulted, in others it may be required.
  15386. maxLength: 253
  15387. minLength: 1
  15388. pattern: ^[-._a-zA-Z0-9]+$
  15389. type: string
  15390. name:
  15391. description: The name of the Secret resource being referred to.
  15392. maxLength: 253
  15393. minLength: 1
  15394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15395. type: string
  15396. namespace:
  15397. description: |-
  15398. The namespace of the Secret resource being referred to.
  15399. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15400. maxLength: 63
  15401. minLength: 1
  15402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15403. type: string
  15404. type: object
  15405. required:
  15406. - secretRef
  15407. type: object
  15408. username:
  15409. description: BarbicanProviderUsernameRef defines a reference to a Secret containing the username for the Barbican provider (exactly one of secretRef or value must be set).
  15410. maxProperties: 1
  15411. minProperties: 1
  15412. properties:
  15413. secretRef:
  15414. description: |-
  15415. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15416. In some instances, `key` is a required field.
  15417. properties:
  15418. key:
  15419. description: |-
  15420. A key in the referenced Secret.
  15421. Some instances of this field may be defaulted, in others it may be required.
  15422. maxLength: 253
  15423. minLength: 1
  15424. pattern: ^[-._a-zA-Z0-9]+$
  15425. type: string
  15426. name:
  15427. description: The name of the Secret resource being referred to.
  15428. maxLength: 253
  15429. minLength: 1
  15430. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15431. type: string
  15432. namespace:
  15433. description: |-
  15434. The namespace of the Secret resource being referred to.
  15435. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15436. maxLength: 63
  15437. minLength: 1
  15438. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15439. type: string
  15440. type: object
  15441. value:
  15442. type: string
  15443. type: object
  15444. required:
  15445. - password
  15446. - username
  15447. type: object
  15448. authURL:
  15449. type: string
  15450. domainName:
  15451. type: string
  15452. region:
  15453. type: string
  15454. tenantName:
  15455. type: string
  15456. required:
  15457. - auth
  15458. type: object
  15459. beyondtrust:
  15460. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15461. properties:
  15462. auth:
  15463. description: Auth configures how the operator authenticates with Beyondtrust.
  15464. properties:
  15465. apiKey:
  15466. description: APIKey authenticates the operator with Password Safe. If not provided, then ClientID/ClientSecret become required.
  15467. properties:
  15468. secretRef:
  15469. description: SecretRef references a key in a secret that will be used as value.
  15470. properties:
  15471. key:
  15472. description: |-
  15473. A key in the referenced Secret.
  15474. Some instances of this field may be defaulted, in others it may be required.
  15475. maxLength: 253
  15476. minLength: 1
  15477. pattern: ^[-._a-zA-Z0-9]+$
  15478. type: string
  15479. name:
  15480. description: The name of the Secret resource being referred to.
  15481. maxLength: 253
  15482. minLength: 1
  15483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15484. type: string
  15485. namespace:
  15486. description: |-
  15487. The namespace of the Secret resource being referred to.
  15488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15489. maxLength: 63
  15490. minLength: 1
  15491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15492. type: string
  15493. type: object
  15494. value:
  15495. description: Value can be specified directly to set a value without using a secret. Avoid this for the API key; the value is then stored in clear text in this resource and anyone able to read it obtains the credential. Prefer secretRef.
  15496. type: string
  15497. type: object
  15498. certificate:
  15499. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  15500. properties:
  15501. secretRef:
  15502. description: SecretRef references a key in a secret that will be used as value.
  15503. properties:
  15504. key:
  15505. description: |-
  15506. A key in the referenced Secret.
  15507. Some instances of this field may be defaulted, in others it may be required.
  15508. maxLength: 253
  15509. minLength: 1
  15510. pattern: ^[-._a-zA-Z0-9]+$
  15511. type: string
  15512. name:
  15513. description: The name of the Secret resource being referred to.
  15514. maxLength: 253
  15515. minLength: 1
  15516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15517. type: string
  15518. namespace:
  15519. description: |-
  15520. The namespace of the Secret resource being referred to.
  15521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15522. maxLength: 63
  15523. minLength: 1
  15524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15525. type: string
  15526. type: object
  15527. value:
  15528. description: Value can be specified directly to set a value without using a secret.
  15529. type: string
  15530. type: object
  15531. certificateKey:
  15532. description: Certificate private key (key.pem), for use when authenticating with an OAuth client ID using a client certificate.
  15533. properties:
  15534. secretRef:
  15535. description: SecretRef references a key in a secret that will be used as value.
  15536. properties:
  15537. key:
  15538. description: |-
  15539. A key in the referenced Secret.
  15540. Some instances of this field may be defaulted, in others it may be required.
  15541. maxLength: 253
  15542. minLength: 1
  15543. pattern: ^[-._a-zA-Z0-9]+$
  15544. type: string
  15545. name:
  15546. description: The name of the Secret resource being referred to.
  15547. maxLength: 253
  15548. minLength: 1
  15549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15550. type: string
  15551. namespace:
  15552. description: |-
  15553. The namespace of the Secret resource being referred to.
  15554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15555. maxLength: 63
  15556. minLength: 1
  15557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15558. type: string
  15559. type: object
  15560. value:
  15561. description: Value can be specified directly to set a value without using a secret. Avoid this for the private key; the value is then stored in clear text in this resource and anyone able to read it obtains the key. Prefer secretRef.
  15562. type: string
  15563. type: object
  15564. clientId:
  15565. description: ClientID is the API OAuth Client ID.
  15566. properties:
  15567. secretRef:
  15568. description: SecretRef references a key in a secret that will be used as value.
  15569. properties:
  15570. key:
  15571. description: |-
  15572. A key in the referenced Secret.
  15573. Some instances of this field may be defaulted, in others it may be required.
  15574. maxLength: 253
  15575. minLength: 1
  15576. pattern: ^[-._a-zA-Z0-9]+$
  15577. type: string
  15578. name:
  15579. description: The name of the Secret resource being referred to.
  15580. maxLength: 253
  15581. minLength: 1
  15582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15583. type: string
  15584. namespace:
  15585. description: |-
  15586. The namespace of the Secret resource being referred to.
  15587. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15588. maxLength: 63
  15589. minLength: 1
  15590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15591. type: string
  15592. type: object
  15593. value:
  15594. description: Value can be specified directly to set a value without using a secret.
  15595. type: string
  15596. type: object
  15597. clientSecret:
  15598. description: ClientSecret is the API OAuth Client Secret.
  15599. properties:
  15600. secretRef:
  15601. description: SecretRef references a key in a secret that will be used as value.
  15602. properties:
  15603. key:
  15604. description: |-
  15605. A key in the referenced Secret.
  15606. Some instances of this field may be defaulted, in others it may be required.
  15607. maxLength: 253
  15608. minLength: 1
  15609. pattern: ^[-._a-zA-Z0-9]+$
  15610. type: string
  15611. name:
  15612. description: The name of the Secret resource being referred to.
  15613. maxLength: 253
  15614. minLength: 1
  15615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15616. type: string
  15617. namespace:
  15618. description: |-
  15619. The namespace of the Secret resource being referred to.
  15620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15621. maxLength: 63
  15622. minLength: 1
  15623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15624. type: string
  15625. type: object
  15626. value:
  15627. description: Value can be specified directly to set a value without using a secret. Avoid this for the client secret; the value is then stored in clear text in this resource and anyone able to read it obtains the credential. Prefer secretRef.
  15628. type: string
  15629. type: object
  15630. type: object
  15631. server:
  15632. description: Server configures how the operator reaches the Password Safe API (URL, API version, client timeout, retrieval type, folder separator, and verifyCA, which by its name toggles verification of the API server's TLS certificate and should remain true outside of isolated testing).
  15633. properties:
  15634. apiUrl:
  15635. type: string
  15636. apiVersion:
  15637. type: string
  15638. clientTimeOutSeconds:
  15639. description: ClientTimeOutSeconds specifies a time limit, in seconds, for requests made by this client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  15640. type: integer
  15641. decrypt:
  15642. default: true
  15643. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  15644. type: boolean
  15645. retrievalType:
  15646. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  15647. type: string
  15648. separator:
  15649. description: A character that separates the folder names.
  15650. type: string
  15651. verifyCA:
  15652. type: boolean
  15653. required:
  15654. - apiUrl
  15655. - verifyCA
  15656. type: object
  15657. required:
  15658. - auth
  15659. - server
  15660. type: object
  15661. bitwardensecretsmanager:
  15662. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  15663. properties:
  15664. apiURL:
  15665. type: string
  15666. auth:
  15667. description: |-
  15668. Auth configures how secret-manager authenticates with a Bitwarden machine account instance.
  15669. Make sure that the access token being used has permissions on the given secrets, and ideally no more than those.
  15670. properties:
  15671. secretRef:
  15672. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  15673. properties:
  15674. credentials:
  15675. description: AccessToken used for the bitwarden instance.
  15676. properties:
  15677. key:
  15678. description: |-
  15679. A key in the referenced Secret.
  15680. Some instances of this field may be defaulted, in others it may be required.
  15681. maxLength: 253
  15682. minLength: 1
  15683. pattern: ^[-._a-zA-Z0-9]+$
  15684. type: string
  15685. name:
  15686. description: The name of the Secret resource being referred to.
  15687. maxLength: 253
  15688. minLength: 1
  15689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15690. type: string
  15691. namespace:
  15692. description: |-
  15693. The namespace of the Secret resource being referred to.
  15694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15695. maxLength: 63
  15696. minLength: 1
  15697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15698. type: string
  15699. type: object
  15700. required:
  15701. - credentials
  15702. type: object
  15703. required:
  15704. - secretRef
  15705. type: object
  15706. bitwardenServerSDKURL:
  15707. type: string
  15708. caBundle:
  15709. description: |-
  15710. Base64-encoded CA certificate used to verify the TLS certificate of the Bitwarden server SDK. The SDK MUST be reached over HTTPS
  15711. so that a MITM attack cannot be performed.
  15712. type: string
  15713. caProvider:
  15714. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  15715. properties:
  15716. key:
  15717. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15718. maxLength: 253
  15719. minLength: 1
  15720. pattern: ^[-._a-zA-Z0-9]+$
  15721. type: string
  15722. name:
  15723. description: The name of the object located at the provider type.
  15724. maxLength: 253
  15725. minLength: 1
  15726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15727. type: string
  15728. namespace:
  15729. description: |-
  15730. The namespace the Provider type is in.
  15731. Can only be defined when used in a ClusterSecretStore.
  15732. maxLength: 63
  15733. minLength: 1
  15734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15735. type: string
  15736. type:
  15737. description: The type of provider to use such as "Secret", or "ConfigMap".
  15738. enum:
  15739. - Secret
  15740. - ConfigMap
  15741. type: string
  15742. required:
  15743. - name
  15744. - type
  15745. type: object
  15746. identityURL:
  15747. type: string
  15748. organizationID:
  15749. description: OrganizationID determines which organization this secret store manages.
  15750. type: string
  15751. projectID:
  15752. description: ProjectID determines which project this secret store manages.
  15753. type: string
  15754. required:
  15755. - auth
  15756. - organizationID
  15757. - projectID
  15758. type: object
  15759. chef:
  15760. description: Chef configures this store to sync secrets with chef server
  15761. properties:
  15762. auth:
  15763. description: Auth defines the information necessary to authenticate against chef Server
  15764. properties:
  15765. secretRef:
  15766. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  15767. properties:
  15768. privateKeySecretRef:
  15769. description: PrivateKeySecretRef references the Secret holding the signing key in PEM format, used to authenticate against the Chef server.
  15770. properties:
  15771. key:
  15772. description: |-
  15773. A key in the referenced Secret.
  15774. Some instances of this field may be defaulted, in others it may be required.
  15775. maxLength: 253
  15776. minLength: 1
  15777. pattern: ^[-._a-zA-Z0-9]+$
  15778. type: string
  15779. name:
  15780. description: The name of the Secret resource being referred to.
  15781. maxLength: 253
  15782. minLength: 1
  15783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15784. type: string
  15785. namespace:
  15786. description: |-
  15787. The namespace of the Secret resource being referred to.
  15788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15789. maxLength: 63
  15790. minLength: 1
  15791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15792. type: string
  15793. type: object
  15794. required:
  15795. - privateKeySecretRef
  15796. type: object
  15797. required:
  15798. - secretRef
  15799. type: object
  15800. serverUrl:
  15801. description: ServerURL is the Chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  15802. type: string
  15803. username:
  15804. description: UserName should be the user ID on the chef server
  15805. type: string
  15806. required:
  15807. - auth
  15808. - serverUrl
  15809. - username
  15810. type: object
  15811. cloudrusm:
  15812. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  15813. properties:
  15814. auth:
  15815. description: CSMAuth contains a secretRef for credentials.
  15816. properties:
  15817. secretRef:
  15818. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  15819. properties:
  15820. accessKeyIDSecretRef:
  15821. description: The AccessKeyID is used for authentication
  15822. properties:
  15823. key:
  15824. description: |-
  15825. A key in the referenced Secret.
  15826. Some instances of this field may be defaulted, in others it may be required.
  15827. maxLength: 253
  15828. minLength: 1
  15829. pattern: ^[-._a-zA-Z0-9]+$
  15830. type: string
  15831. name:
  15832. description: The name of the Secret resource being referred to.
  15833. maxLength: 253
  15834. minLength: 1
  15835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15836. type: string
  15837. namespace:
  15838. description: |-
  15839. The namespace of the Secret resource being referred to.
  15840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15841. maxLength: 63
  15842. minLength: 1
  15843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15844. type: string
  15845. type: object
  15846. accessKeySecretSecretRef:
  15847. description: The AccessKeySecret is used for authentication
  15848. properties:
  15849. key:
  15850. description: |-
  15851. A key in the referenced Secret.
  15852. Some instances of this field may be defaulted, in others it may be required.
  15853. maxLength: 253
  15854. minLength: 1
  15855. pattern: ^[-._a-zA-Z0-9]+$
  15856. type: string
  15857. name:
  15858. description: The name of the Secret resource being referred to.
  15859. maxLength: 253
  15860. minLength: 1
  15861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15862. type: string
  15863. namespace:
  15864. description: |-
  15865. The namespace of the Secret resource being referred to.
  15866. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15867. maxLength: 63
  15868. minLength: 1
  15869. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15870. type: string
  15871. type: object
  15872. required:
  15873. - accessKeyIDSecretRef
  15874. - accessKeySecretSecretRef
  15875. type: object
  15876. type: object
  15877. projectID:
  15878. description: ProjectID is the project, which the secrets are stored in.
  15879. type: string
  15880. required:
  15881. - auth
  15882. type: object
  15883. conjur:
  15884. description: Conjur configures this store to sync secrets using conjur provider
  15885. properties:
  15886. auth:
  15887. description: Defines authentication settings for connecting to Conjur.
  15888. properties:
  15889. apikey:
  15890. description: Authenticates with Conjur using an API key.
  15891. properties:
  15892. account:
  15893. description: Account is the Conjur organization account name.
  15894. type: string
  15895. apiKeyRef:
  15896. description: |-
  15897. A reference to a specific 'key' containing the Conjur API key
  15898. within a Secret resource. In some instances, `key` is a required field.
  15899. properties:
  15900. key:
  15901. description: |-
  15902. A key in the referenced Secret.
  15903. Some instances of this field may be defaulted, in others it may be required.
  15904. maxLength: 253
  15905. minLength: 1
  15906. pattern: ^[-._a-zA-Z0-9]+$
  15907. type: string
  15908. name:
  15909. description: The name of the Secret resource being referred to.
  15910. maxLength: 253
  15911. minLength: 1
  15912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15913. type: string
  15914. namespace:
  15915. description: |-
  15916. The namespace of the Secret resource being referred to.
  15917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15918. maxLength: 63
  15919. minLength: 1
  15920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15921. type: string
  15922. type: object
  15923. userRef:
  15924. description: |-
  15925. A reference to a specific 'key' containing the Conjur username
  15926. within a Secret resource. In some instances, `key` is a required field.
  15927. properties:
  15928. key:
  15929. description: |-
  15930. A key in the referenced Secret.
  15931. Some instances of this field may be defaulted, in others it may be required.
  15932. maxLength: 253
  15933. minLength: 1
  15934. pattern: ^[-._a-zA-Z0-9]+$
  15935. type: string
  15936. name:
  15937. description: The name of the Secret resource being referred to.
  15938. maxLength: 253
  15939. minLength: 1
  15940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15941. type: string
  15942. namespace:
  15943. description: |-
  15944. The namespace of the Secret resource being referred to.
  15945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15946. maxLength: 63
  15947. minLength: 1
  15948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15949. type: string
  15950. type: object
  15951. required:
  15952. - account
  15953. - apiKeyRef
  15954. - userRef
  15955. type: object
  15956. jwt:
  15957. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  15958. properties:
  15959. account:
  15960. description: Account is the Conjur organization account name.
  15961. type: string
  15962. hostId:
  15963. description: |-
  15964. Optional HostID for JWT authentication. This may be used depending
  15965. on how the Conjur JWT authenticator policy is configured.
  15966. type: string
  15967. secretRef:
  15968. description: |-
  15969. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  15970. authenticate with Conjur using the JWT authentication method.
  15971. properties:
  15972. key:
  15973. description: |-
  15974. A key in the referenced Secret.
  15975. Some instances of this field may be defaulted, in others it may be required.
  15976. maxLength: 253
  15977. minLength: 1
  15978. pattern: ^[-._a-zA-Z0-9]+$
  15979. type: string
  15980. name:
  15981. description: The name of the Secret resource being referred to.
  15982. maxLength: 253
  15983. minLength: 1
  15984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15985. type: string
  15986. namespace:
  15987. description: |-
  15988. The namespace of the Secret resource being referred to.
  15989. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15990. maxLength: 63
  15991. minLength: 1
  15992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15993. type: string
  15994. type: object
  15995. serviceAccountRef:
  15996. description: |-
  15997. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  15998. a token with the `TokenRequest` API.
  15999. properties:
  16000. audiences:
  16001. description: |-
  16002. Audience specifies the `aud` claim for the service account token.
  16003. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16004. then these audiences will be appended to the list.
  16005. items:
  16006. type: string
  16007. type: array
  16008. name:
  16009. description: The name of the ServiceAccount resource being referred to.
  16010. maxLength: 253
  16011. minLength: 1
  16012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16013. type: string
  16014. namespace:
  16015. description: |-
  16016. Namespace of the resource being referred to.
  16017. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16018. maxLength: 63
  16019. minLength: 1
  16020. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16021. type: string
  16022. required:
  16023. - name
  16024. type: object
  16025. serviceID:
  16026. description: ServiceID is the ID of the Conjur authn-jwt web service to authenticate against.
  16027. type: string
  16028. required:
  16029. - account
  16030. - serviceID
  16031. type: object
  16032. type: object
  16033. caBundle:
  16034. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16035. type: string
  16036. caProvider:
  16037. description: |-
  16038. Used to provide custom certificate authority (CA) certificates
  16039. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16040. that contains a PEM-encoded certificate.
  16041. properties:
  16042. key:
  16043. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16044. maxLength: 253
  16045. minLength: 1
  16046. pattern: ^[-._a-zA-Z0-9]+$
  16047. type: string
  16048. name:
  16049. description: The name of the object located at the provider type.
  16050. maxLength: 253
  16051. minLength: 1
  16052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16053. type: string
  16054. namespace:
  16055. description: |-
  16056. The namespace the Provider type is in.
  16057. Can only be defined when used in a ClusterSecretStore.
  16058. maxLength: 63
  16059. minLength: 1
  16060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16061. type: string
  16062. type:
  16063. description: The type of provider to use such as "Secret", or "ConfigMap".
  16064. enum:
  16065. - Secret
  16066. - ConfigMap
  16067. type: string
  16068. required:
  16069. - name
  16070. - type
  16071. type: object
  16072. url:
  16073. description: URL is the endpoint of the Conjur instance.
  16074. type: string
  16075. required:
  16076. - auth
  16077. - url
  16078. type: object
  16079. delinea:
  16080. description: |-
  16081. Delinea DevOps Secrets Vault
  16082. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16083. properties:
  16084. clientId:
  16085. description: ClientID is the non-secret part of the credential.
  16086. properties:
  16087. secretRef:
  16088. description: SecretRef references a key in a secret that will be used as value.
  16089. properties:
  16090. key:
  16091. description: |-
  16092. A key in the referenced Secret.
  16093. Some instances of this field may be defaulted, in others it may be required.
  16094. maxLength: 253
  16095. minLength: 1
  16096. pattern: ^[-._a-zA-Z0-9]+$
  16097. type: string
  16098. name:
  16099. description: The name of the Secret resource being referred to.
  16100. maxLength: 253
  16101. minLength: 1
  16102. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16103. type: string
  16104. namespace:
  16105. description: |-
  16106. The namespace of the Secret resource being referred to.
  16107. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16108. maxLength: 63
  16109. minLength: 1
  16110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16111. type: string
  16112. type: object
  16113. value:
  16114. description: Value can be specified directly to set a value without using a secret.
  16115. type: string
  16116. type: object
  16117. clientSecret:
  16118. description: ClientSecret is the secret part of the credential.
  16119. properties:
  16120. secretRef:
  16121. description: SecretRef references a key in a secret that will be used as value.
  16122. properties:
  16123. key:
  16124. description: |-
  16125. A key in the referenced Secret.
  16126. Some instances of this field may be defaulted, in others it may be required.
  16127. maxLength: 253
  16128. minLength: 1
  16129. pattern: ^[-._a-zA-Z0-9]+$
  16130. type: string
  16131. name:
  16132. description: The name of the Secret resource being referred to.
  16133. maxLength: 253
  16134. minLength: 1
  16135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16136. type: string
  16137. namespace:
  16138. description: |-
  16139. The namespace of the Secret resource being referred to.
  16140. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16141. maxLength: 63
  16142. minLength: 1
  16143. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16144. type: string
  16145. type: object
  16146. value:
  16147. description: Value can be specified directly to set a value without using a secret. Avoid this for the client secret; the value is then stored in clear text in this resource and anyone able to read it obtains the credential. Prefer secretRef.
  16148. type: string
  16149. type: object
  16150. tenant:
  16151. description: Tenant is the chosen hostname / site name.
  16152. type: string
  16153. tld:
  16154. description: |-
  16155. TLD is based on the server location that was chosen during provisioning.
  16156. If unset, defaults to "com".
  16157. type: string
  16158. urlTemplate:
  16159. description: |-
  16160. URLTemplate is the format string used to build the DevOps Secrets Vault API URL from the tenant and TLD fields.
  16161. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s". Overriding it changes where the client credentials are sent, so keep the https scheme.
  16162. type: string
  16163. required:
  16164. - clientId
  16165. - clientSecret
  16166. - tenant
  16167. type: object
  16168. doppler:
  16169. description: Doppler configures this store to sync secrets using the Doppler provider
  16170. properties:
  16171. auth:
  16172. description: Auth configures how the Operator authenticates with the Doppler API
  16173. properties:
  16174. oidcConfig:
  16175. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16176. properties:
  16177. expirationSeconds:
  16178. default: 600
  16179. description: |-
  16180. ExpirationSeconds sets the validity duration, in seconds, of the ServiceAccount token requested for OIDC authentication.
  16181. Defaults to 600 (10 minutes); keep it short, since the token is a bearer credential.
  16182. format: int64
  16183. type: integer
  16184. identity:
  16185. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16186. type: string
  16187. serviceAccountRef:
  16188. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16189. properties:
  16190. audiences:
  16191. description: |-
  16192. Audience specifies the `aud` claim for the service account token.
  16193. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  16194. then these audiences will be appended to the list.
  16195. items:
  16196. type: string
  16197. type: array
  16198. name:
  16199. description: The name of the ServiceAccount resource being referred to.
  16200. maxLength: 253
  16201. minLength: 1
  16202. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16203. type: string
  16204. namespace:
  16205. description: |-
  16206. Namespace of the resource being referred to.
  16207. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16208. maxLength: 63
  16209. minLength: 1
  16210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16211. type: string
  16212. required:
  16213. - name
  16214. type: object
  16215. required:
  16216. - identity
  16217. - serviceAccountRef
  16218. type: object
  16219. secretRef:
  16220. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16221. properties:
  16222. dopplerToken:
  16223. description: |-
  16224. The DopplerToken is used for authentication.
  16225. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16226. The Key attribute defaults to dopplerToken if not specified.
  16227. properties:
  16228. key:
  16229. description: |-
  16230. A key in the referenced Secret.
  16231. Some instances of this field may be defaulted, in others it may be required.
  16232. maxLength: 253
  16233. minLength: 1
  16234. pattern: ^[-._a-zA-Z0-9]+$
  16235. type: string
  16236. name:
  16237. description: The name of the Secret resource being referred to.
  16238. maxLength: 253
  16239. minLength: 1
  16240. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16241. type: string
  16242. namespace:
  16243. description: |-
  16244. The namespace of the Secret resource being referred to.
  16245. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16246. maxLength: 63
  16247. minLength: 1
  16248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16249. type: string
  16250. type: object
  16251. required:
  16252. - dopplerToken
  16253. type: object
  16254. type: object
  16255. x-kubernetes-validations:
  16256. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16257. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16258. config:
  16259. description: Doppler config (required if not using a Service Token)
  16260. type: string
  16261. format:
  16262. description: Format enables the downloading of secrets as a file (string)
  16263. enum:
  16264. - json
  16265. - dotnet-json
  16266. - env
  16267. - yaml
  16268. - docker
  16269. type: string
  16270. nameTransformer:
  16271. description: Environment variable compatible name transforms that change secret names to a different format
  16272. enum:
  16273. - upper-camel
  16274. - camel
  16275. - lower-snake
  16276. - tf-var
  16277. - dotnet-env
  16278. - lower-kebab
  16279. type: string
  16280. project:
  16281. description: Doppler project (required if not using a Service Token)
  16282. type: string
  16283. required:
  16284. - auth
  16285. type: object
  16286. dvls:
  16287. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16288. properties:
  16289. auth:
  16290. description: Auth defines the authentication method to use.
  16291. properties:
  16292. secretRef:
  16293. description: SecretRef contains the Application ID and Application Secret for authentication.
  16294. properties:
  16295. appId:
  16296. description: AppID is the reference to the secret containing the Application ID.
  16297. properties:
  16298. key:
  16299. description: |-
  16300. A key in the referenced Secret.
  16301. Some instances of this field may be defaulted, in others it may be required.
  16302. maxLength: 253
  16303. minLength: 1
  16304. pattern: ^[-._a-zA-Z0-9]+$
  16305. type: string
  16306. name:
  16307. description: The name of the Secret resource being referred to.
  16308. maxLength: 253
  16309. minLength: 1
  16310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16311. type: string
  16312. namespace:
  16313. description: |-
  16314. The namespace of the Secret resource being referred to.
  16315. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16316. maxLength: 63
  16317. minLength: 1
  16318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16319. type: string
  16320. type: object
  16321. appSecret:
  16322. description: AppSecret is the reference to the secret containing the Application Secret.
  16323. properties:
  16324. key:
  16325. description: |-
  16326. A key in the referenced Secret.
  16327. Some instances of this field may be defaulted, in others it may be required.
  16328. maxLength: 253
  16329. minLength: 1
  16330. pattern: ^[-._a-zA-Z0-9]+$
  16331. type: string
  16332. name:
  16333. description: The name of the Secret resource being referred to.
  16334. maxLength: 253
  16335. minLength: 1
  16336. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16337. type: string
  16338. namespace:
  16339. description: |-
  16340. The namespace of the Secret resource being referred to.
  16341. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16342. maxLength: 63
  16343. minLength: 1
  16344. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16345. type: string
  16346. type: object
  16347. required:
  16348. - appId
  16349. - appSecret
  16350. type: object
  16351. required:
  16352. - secretRef
  16353. type: object
  16354. insecure:
  16355. description: |-
  16356. Insecure allows connecting to DVLS over plain HTTP.
  16357. This is NOT RECOMMENDED for production use.
  16358. Set to true only if you understand the security implications.
  16359. type: boolean
  16360. serverUrl:
  16361. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  16362. type: string
  16363. vault:
  16364. description: |-
  16365. Vault is the name or UUID of the vault to fetch secrets from.
  16366. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  16367. type: string
  16368. required:
  16369. - auth
  16370. - serverUrl
  16371. type: object
  16372. fake:
  16373. description: Fake configures a store with static key/value pairs
  16374. properties:
  16375. data:
  16376. items:
  16377. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  16378. properties:
  16379. key:
  16380. type: string
  16381. value:
  16382. type: string
  16383. version:
  16384. type: string
  16385. required:
  16386. - key
  16387. - value
  16388. type: object
  16389. type: array
  16390. validationResult:
  16391. description: ValidationResult is defined type for the number of validation results.
  16392. type: integer
  16393. required:
  16394. - data
  16395. type: object
  16396. fortanix:
  16397. description: Fortanix configures this store to sync secrets using the Fortanix provider
  16398. properties:
  16399. apiKey:
  16400. description: APIKey is the API token to access SDKMS Applications.
  16401. properties:
  16402. secretRef:
  16403. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  16404. properties:
  16405. key:
  16406. description: |-
  16407. A key in the referenced Secret.
  16408. Some instances of this field may be defaulted, in others it may be required.
  16409. maxLength: 253
  16410. minLength: 1
  16411. pattern: ^[-._a-zA-Z0-9]+$
  16412. type: string
  16413. name:
  16414. description: The name of the Secret resource being referred to.
  16415. maxLength: 253
  16416. minLength: 1
  16417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16418. type: string
  16419. namespace:
  16420. description: |-
  16421. The namespace of the Secret resource being referred to.
  16422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16423. maxLength: 63
  16424. minLength: 1
  16425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16426. type: string
  16427. type: object
  16428. type: object
  16429. apiUrl:
  16430. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  16431. type: string
  16432. type: object
  16433. gcpsm:
  16434. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  16435. properties:
  16436. auth:
  16437. description: Auth defines the information necessary to authenticate against GCP
  16438. properties:
  16439. secretRef:
  16440. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  16441. properties:
  16442. secretAccessKeySecretRef:
  16443. description: The SecretAccessKey is used for authentication
  16444. properties:
  16445. key:
  16446. description: |-
  16447. A key in the referenced Secret.
  16448. Some instances of this field may be defaulted, in others it may be required.
  16449. maxLength: 253
  16450. minLength: 1
  16451. pattern: ^[-._a-zA-Z0-9]+$
  16452. type: string
  16453. name:
  16454. description: The name of the Secret resource being referred to.
  16455. maxLength: 253
  16456. minLength: 1
  16457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16458. type: string
  16459. namespace:
  16460. description: |-
  16461. The namespace of the Secret resource being referred to.
  16462. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16463. maxLength: 63
  16464. minLength: 1
  16465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16466. type: string
  16467. type: object
  16468. type: object
  16469. workloadIdentity:
  16470. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  16471. properties:
  16472. clusterLocation:
  16473. description: |-
  16474. ClusterLocation is the location of the cluster
  16475. If not specified, it fetches information from the metadata server
  16476. type: string
  16477. clusterName:
  16478. description: |-
  16479. ClusterName is the name of the cluster
  16480. If not specified, it fetches information from the metadata server
  16481. type: string
  16482. clusterProjectID:
  16483. description: |-
  16484. ClusterProjectID is the project ID of the cluster
  16485. If not specified, it fetches information from the metadata server
  16486. type: string
  16487. serviceAccountRef:
  16488. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  16489. properties:
  16490. audiences:
  16491. description: |-
  16492. Audience specifies the `aud` claim for the service account token
  16493. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16494. then these audiences will be appended to the list
  16495. items:
  16496. type: string
  16497. type: array
  16498. name:
  16499. description: The name of the ServiceAccount resource being referred to.
  16500. maxLength: 253
  16501. minLength: 1
  16502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16503. type: string
  16504. namespace:
  16505. description: |-
  16506. Namespace of the resource being referred to.
  16507. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16508. maxLength: 63
  16509. minLength: 1
  16510. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16511. type: string
  16512. required:
  16513. - name
  16514. type: object
  16515. required:
  16516. - serviceAccountRef
  16517. type: object
  16518. workloadIdentityFederation:
  16519. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  16520. properties:
  16521. audience:
  16522. description: |-
  16523. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  16524. If specified, Audience found in the external account credential config will be overridden with the configured value.
  16525. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  16526. type: string
  16527. awsSecurityCredentials:
  16528. description: |-
  16529. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  16530. when using the AWS metadata server is not an option.
  16531. properties:
  16532. awsCredentialsSecretRef:
  16533. description: |-
  16534. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  16535. Secret should be created with below names for keys
  16536. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  16537. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  16538. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  16539. properties:
  16540. name:
  16541. description: name of the secret.
  16542. maxLength: 253
  16543. minLength: 1
  16544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16545. type: string
  16546. namespace:
  16547. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  16548. maxLength: 63
  16549. minLength: 1
  16550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16551. type: string
  16552. required:
  16553. - name
  16554. type: object
  16555. region:
  16556. description: region is for configuring the AWS region to be used.
  16557. example: ap-south-1
  16558. maxLength: 50
  16559. minLength: 1
  16560. pattern: ^[a-z0-9-]+$
  16561. type: string
  16562. required:
  16563. - awsCredentialsSecretRef
  16564. - region
  16565. type: object
  16566. credConfig:
  16567. description: |-
  16568. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  16569. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted serviceaccount token cannot be used as the token source; instead
  16570. serviceAccountRef must be used by providing the operator's service account details.
  16571. properties:
  16572. key:
  16573. description: key name holding the external account credential config.
  16574. maxLength: 253
  16575. minLength: 1
  16576. pattern: ^[-._a-zA-Z0-9]+$
  16577. type: string
  16578. name:
  16579. description: name of the configmap.
  16580. maxLength: 253
  16581. minLength: 1
  16582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16583. type: string
  16584. namespace:
  16585. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  16586. maxLength: 63
  16587. minLength: 1
  16588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16589. type: string
  16590. required:
  16591. - key
  16592. - name
  16593. type: object
  16594. externalTokenEndpoint:
  16595. description: |-
  16596. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  16597. credential_source.url in the provided credConfig. This field is merely to double-check that the external token source
  16598. URL has the expected value.
  16599. type: string
  16600. gcpServiceAccountEmail:
  16601. description: |-
  16602. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  16603. after Workload Identity Federation. Use this to grant access through the service account's
  16604. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  16605. service_account_impersonation_url in the external account JSON from credConfig;
  16606. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  16607. on that ServiceAccount.
  16608. example: my-gsa@my-project.iam.gserviceaccount.com
  16609. minLength: 1
  16610. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  16611. type: string
  16612. serviceAccountRef:
  16613. description: |-
  16614. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  16615. when Kubernetes is configured as provider in workload identity pool.
  16616. properties:
  16617. audiences:
  16618. description: |-
  16619. Audience specifies the `aud` claim for the service account token
  16620. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16621. then these audiences will be appended to the list
  16622. items:
  16623. type: string
  16624. type: array
  16625. name:
  16626. description: The name of the ServiceAccount resource being referred to.
  16627. maxLength: 253
  16628. minLength: 1
  16629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16630. type: string
  16631. namespace:
  16632. description: |-
  16633. Namespace of the resource being referred to.
  16634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16635. maxLength: 63
  16636. minLength: 1
  16637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16638. type: string
  16639. required:
  16640. - name
  16641. type: object
  16642. type: object
  16643. type: object
  16644. location:
  16645. description: Location optionally defines a location for a secret
  16646. type: string
  16647. projectID:
  16648. description: ProjectID is the project where the secret is located
  16649. type: string
  16650. secretVersionSelectionPolicy:
  16651. default: LatestOrFail
  16652. description: |-
  16653. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  16654. when "latest" is disabled or destroyed.
  16655. Possible values are:
  16656. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  16657. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  16658. type: string
  16659. type: object
  16660. github:
  16661. description: |-
  16662. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  16663. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  16664. properties:
  16665. appID:
  16666. description: appID specifies the Github APP that will be used to authenticate the client
  16667. format: int64
  16668. type: integer
  16669. auth:
  16670. description: auth configures how secret-manager authenticates with a Github instance.
  16671. properties:
  16672. privateKey:
  16673. description: |-
  16674. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16675. In some instances, `key` is a required field.
  16676. properties:
  16677. key:
  16678. description: |-
  16679. A key in the referenced Secret.
  16680. Some instances of this field may be defaulted, in others it may be required.
  16681. maxLength: 253
  16682. minLength: 1
  16683. pattern: ^[-._a-zA-Z0-9]+$
  16684. type: string
  16685. name:
  16686. description: The name of the Secret resource being referred to.
  16687. maxLength: 253
  16688. minLength: 1
  16689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16690. type: string
  16691. namespace:
  16692. description: |-
  16693. The namespace of the Secret resource being referred to.
  16694. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16695. maxLength: 63
  16696. minLength: 1
  16697. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16698. type: string
  16699. type: object
  16700. required:
  16701. - privateKey
  16702. type: object
  16703. environment:
  16704. description: environment will be used to fetch secrets from a particular environment within a github repository
  16705. type: string
  16706. installationID:
  16707. description: installationID specifies the Github APP installation that will be used to authenticate the client
  16708. format: int64
  16709. type: integer
  16710. orgSecretVisibility:
  16711. description: |-
  16712. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  16713. Valid values are "all" or "private".
  16714. When unset, new secrets are created with visibility "all" and existing secrets preserve
  16715. whatever visibility they already have in GitHub.
  16716. enum:
  16717. - all
  16718. - private
  16719. type: string
  16720. organization:
  16721. description: organization will be used to fetch secrets from the Github organization
  16722. type: string
  16723. repository:
  16724. description: repository will be used to fetch secrets from the Github repository within an organization
  16725. type: string
  16726. uploadURL:
  16727. description: Upload URL for enterprise instances. Defaults to URL.
  16728. type: string
  16729. url:
  16730. default: https://github.com/
  16731. description: URL configures the Github instance URL. Defaults to https://github.com/.
  16732. type: string
  16733. required:
  16734. - appID
  16735. - auth
  16736. - installationID
  16737. - organization
  16738. type: object
  16739. gitlab:
  16740. description: GitLab configures this store to sync secrets using GitLab Variables provider
  16741. properties:
  16742. auth:
  16743. description: Auth configures how secret-manager authenticates with a GitLab instance.
  16744. properties:
  16745. SecretRef:
  16746. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  16747. properties:
  16748. accessToken:
  16749. description: AccessToken is used for authentication.
  16750. properties:
  16751. key:
  16752. description: |-
  16753. A key in the referenced Secret.
  16754. Some instances of this field may be defaulted, in others it may be required.
  16755. maxLength: 253
  16756. minLength: 1
  16757. pattern: ^[-._a-zA-Z0-9]+$
  16758. type: string
  16759. name:
  16760. description: The name of the Secret resource being referred to.
  16761. maxLength: 253
  16762. minLength: 1
  16763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16764. type: string
  16765. namespace:
  16766. description: |-
  16767. The namespace of the Secret resource being referred to.
  16768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16769. maxLength: 63
  16770. minLength: 1
  16771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16772. type: string
  16773. type: object
  16774. type: object
  16775. required:
  16776. - SecretRef
  16777. type: object
  16778. caBundle:
  16779. description: |-
  16780. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  16781. can be performed.
  16782. format: byte
  16783. type: string
  16784. caProvider:
  16785. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16786. properties:
  16787. key:
  16788. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16789. maxLength: 253
  16790. minLength: 1
  16791. pattern: ^[-._a-zA-Z0-9]+$
  16792. type: string
  16793. name:
  16794. description: The name of the object located at the provider type.
  16795. maxLength: 253
  16796. minLength: 1
  16797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16798. type: string
  16799. namespace:
  16800. description: |-
  16801. The namespace the Provider type is in.
  16802. Can only be defined when used in a ClusterSecretStore.
  16803. maxLength: 63
  16804. minLength: 1
  16805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16806. type: string
  16807. type:
  16808. description: The type of provider to use such as "Secret", or "ConfigMap".
  16809. enum:
  16810. - Secret
  16811. - ConfigMap
  16812. type: string
  16813. required:
  16814. - name
  16815. - type
  16816. type: object
  16817. environment:
  16818. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  16819. type: string
  16820. groupIDs:
  16821. description: GroupIDs specify which gitlab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  16822. items:
  16823. type: string
  16824. type: array
  16825. inheritFromGroups:
  16826. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  16827. type: boolean
  16828. projectID:
  16829. description: ProjectID specifies a project where secrets are located.
  16830. type: string
  16831. url:
  16832. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  16833. type: string
  16834. required:
  16835. - auth
  16836. type: object
  16837. ibm:
  16838. description: IBM configures this store to sync secrets using IBM Cloud provider
  16839. properties:
  16840. auth:
  16841. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  16842. maxProperties: 1
  16843. minProperties: 1
  16844. properties:
  16845. containerAuth:
  16846. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  16847. properties:
  16848. iamEndpoint:
  16849. type: string
  16850. profile:
  16851. description: the IBM Trusted Profile
  16852. type: string
  16853. tokenLocation:
  16854. description: Location where the token is mounted on the pod
  16855. type: string
  16856. required:
  16857. - profile
  16858. type: object
  16859. secretRef:
  16860. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  16861. properties:
  16862. iamEndpoint:
  16863. description: The IAM endpoint used to obtain a token
  16864. type: string
  16865. secretApiKeySecretRef:
  16866. description: The SecretAccessKey is used for authentication
  16867. properties:
  16868. key:
  16869. description: |-
  16870. A key in the referenced Secret.
  16871. Some instances of this field may be defaulted, in others it may be required.
  16872. maxLength: 253
  16873. minLength: 1
  16874. pattern: ^[-._a-zA-Z0-9]+$
  16875. type: string
  16876. name:
  16877. description: The name of the Secret resource being referred to.
  16878. maxLength: 253
  16879. minLength: 1
  16880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16881. type: string
  16882. namespace:
  16883. description: |-
  16884. The namespace of the Secret resource being referred to.
  16885. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16886. maxLength: 63
  16887. minLength: 1
  16888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16889. type: string
  16890. type: object
  16891. type: object
  16892. type: object
  16893. serviceUrl:
  16894. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  16895. type: string
  16896. required:
  16897. - auth
  16898. type: object
  16899. infisical:
  16900. description: Infisical configures this store to sync secrets using the Infisical provider
  16901. properties:
  16902. auth:
  16903. description: Auth configures how the Operator authenticates with the Infisical API
  16904. properties:
  16905. awsAuthCredentials:
  16906. description: AwsAuthCredentials represents the credentials for AWS authentication.
  16907. properties:
  16908. identityId:
  16909. description: |-
  16910. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16911. In some instances, `key` is a required field.
  16912. properties:
  16913. key:
  16914. description: |-
  16915. A key in the referenced Secret.
  16916. Some instances of this field may be defaulted, in others it may be required.
  16917. maxLength: 253
  16918. minLength: 1
  16919. pattern: ^[-._a-zA-Z0-9]+$
  16920. type: string
  16921. name:
  16922. description: The name of the Secret resource being referred to.
  16923. maxLength: 253
  16924. minLength: 1
  16925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16926. type: string
  16927. namespace:
  16928. description: |-
  16929. The namespace of the Secret resource being referred to.
  16930. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16931. maxLength: 63
  16932. minLength: 1
  16933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16934. type: string
  16935. type: object
  16936. required:
  16937. - identityId
  16938. type: object
  16939. azureAuthCredentials:
  16940. description: AzureAuthCredentials represents the credentials for Azure authentication.
  16941. properties:
  16942. identityId:
  16943. description: |-
  16944. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16945. In some instances, `key` is a required field.
  16946. properties:
  16947. key:
  16948. description: |-
  16949. A key in the referenced Secret.
  16950. Some instances of this field may be defaulted, in others it may be required.
  16951. maxLength: 253
  16952. minLength: 1
  16953. pattern: ^[-._a-zA-Z0-9]+$
  16954. type: string
  16955. name:
  16956. description: The name of the Secret resource being referred to.
  16957. maxLength: 253
  16958. minLength: 1
  16959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16960. type: string
  16961. namespace:
  16962. description: |-
  16963. The namespace of the Secret resource being referred to.
  16964. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16965. maxLength: 63
  16966. minLength: 1
  16967. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16968. type: string
  16969. type: object
  16970. resource:
  16971. description: |-
  16972. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  16973. In some instances, `key` is a required field.
  16974. properties:
  16975. key:
  16976. description: |-
  16977. A key in the referenced Secret.
  16978. Some instances of this field may be defaulted, in others it may be required.
  16979. maxLength: 253
  16980. minLength: 1
  16981. pattern: ^[-._a-zA-Z0-9]+$
  16982. type: string
  16983. name:
  16984. description: The name of the Secret resource being referred to.
  16985. maxLength: 253
  16986. minLength: 1
  16987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16988. type: string
  16989. namespace:
  16990. description: |-
  16991. The namespace of the Secret resource being referred to.
  16992. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16993. maxLength: 63
  16994. minLength: 1
  16995. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16996. type: string
  16997. type: object
  16998. required:
  16999. - identityId
  17000. type: object
  17001. gcpIamAuthCredentials:
  17002. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17003. properties:
  17004. identityId:
  17005. description: |-
  17006. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17007. In some instances, `key` is a required field.
  17008. properties:
  17009. key:
  17010. description: |-
  17011. A key in the referenced Secret.
  17012. Some instances of this field may be defaulted, in others it may be required.
  17013. maxLength: 253
  17014. minLength: 1
  17015. pattern: ^[-._a-zA-Z0-9]+$
  17016. type: string
  17017. name:
  17018. description: The name of the Secret resource being referred to.
  17019. maxLength: 253
  17020. minLength: 1
  17021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17022. type: string
  17023. namespace:
  17024. description: |-
  17025. The namespace of the Secret resource being referred to.
  17026. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17027. maxLength: 63
  17028. minLength: 1
  17029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17030. type: string
  17031. type: object
  17032. serviceAccountKeyFilePath:
  17033. description: |-
  17034. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17035. In some instances, `key` is a required field.
  17036. properties:
  17037. key:
  17038. description: |-
  17039. A key in the referenced Secret.
  17040. Some instances of this field may be defaulted, in others it may be required.
  17041. maxLength: 253
  17042. minLength: 1
  17043. pattern: ^[-._a-zA-Z0-9]+$
  17044. type: string
  17045. name:
  17046. description: The name of the Secret resource being referred to.
  17047. maxLength: 253
  17048. minLength: 1
  17049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17050. type: string
  17051. namespace:
  17052. description: |-
  17053. The namespace of the Secret resource being referred to.
  17054. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17055. maxLength: 63
  17056. minLength: 1
  17057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17058. type: string
  17059. type: object
  17060. required:
  17061. - identityId
  17062. - serviceAccountKeyFilePath
  17063. type: object
  17064. gcpIdTokenAuthCredentials:
  17065. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17066. properties:
  17067. identityId:
  17068. description: |-
  17069. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17070. In some instances, `key` is a required field.
  17071. properties:
  17072. key:
  17073. description: |-
  17074. A key in the referenced Secret.
  17075. Some instances of this field may be defaulted, in others it may be required.
  17076. maxLength: 253
  17077. minLength: 1
  17078. pattern: ^[-._a-zA-Z0-9]+$
  17079. type: string
  17080. name:
  17081. description: The name of the Secret resource being referred to.
  17082. maxLength: 253
  17083. minLength: 1
  17084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17085. type: string
  17086. namespace:
  17087. description: |-
  17088. The namespace of the Secret resource being referred to.
  17089. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17090. maxLength: 63
  17091. minLength: 1
  17092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17093. type: string
  17094. type: object
  17095. required:
  17096. - identityId
  17097. type: object
  17098. jwtAuthCredentials:
  17099. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17100. properties:
  17101. identityId:
  17102. description: |-
  17103. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17104. In some instances, `key` is a required field.
  17105. properties:
  17106. key:
  17107. description: |-
  17108. A key in the referenced Secret.
  17109. Some instances of this field may be defaulted, in others it may be required.
  17110. maxLength: 253
  17111. minLength: 1
  17112. pattern: ^[-._a-zA-Z0-9]+$
  17113. type: string
  17114. name:
  17115. description: The name of the Secret resource being referred to.
  17116. maxLength: 253
  17117. minLength: 1
  17118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17119. type: string
  17120. namespace:
  17121. description: |-
  17122. The namespace of the Secret resource being referred to.
  17123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17124. maxLength: 63
  17125. minLength: 1
  17126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17127. type: string
  17128. type: object
  17129. jwt:
  17130. description: |-
  17131. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17132. In some instances, `key` is a required field.
  17133. properties:
  17134. key:
  17135. description: |-
  17136. A key in the referenced Secret.
  17137. Some instances of this field may be defaulted, in others it may be required.
  17138. maxLength: 253
  17139. minLength: 1
  17140. pattern: ^[-._a-zA-Z0-9]+$
  17141. type: string
  17142. name:
  17143. description: The name of the Secret resource being referred to.
  17144. maxLength: 253
  17145. minLength: 1
  17146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17147. type: string
  17148. namespace:
  17149. description: |-
  17150. The namespace of the Secret resource being referred to.
  17151. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17152. maxLength: 63
  17153. minLength: 1
  17154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17155. type: string
  17156. type: object
  17157. required:
  17158. - identityId
  17159. - jwt
  17160. type: object
  17161. kubernetesAuthCredentials:
  17162. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17163. properties:
  17164. identityId:
  17165. description: |-
  17166. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17167. In some instances, `key` is a required field.
  17168. properties:
  17169. key:
  17170. description: |-
  17171. A key in the referenced Secret.
  17172. Some instances of this field may be defaulted, in others it may be required.
  17173. maxLength: 253
  17174. minLength: 1
  17175. pattern: ^[-._a-zA-Z0-9]+$
  17176. type: string
  17177. name:
  17178. description: The name of the Secret resource being referred to.
  17179. maxLength: 253
  17180. minLength: 1
  17181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17182. type: string
  17183. namespace:
  17184. description: |-
  17185. The namespace of the Secret resource being referred to.
  17186. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17187. maxLength: 63
  17188. minLength: 1
  17189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17190. type: string
  17191. type: object
  17192. serviceAccountTokenPath:
  17193. description: |-
  17194. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17195. In some instances, `key` is a required field.
  17196. properties:
  17197. key:
  17198. description: |-
  17199. A key in the referenced Secret.
  17200. Some instances of this field may be defaulted, in others it may be required.
  17201. maxLength: 253
  17202. minLength: 1
  17203. pattern: ^[-._a-zA-Z0-9]+$
  17204. type: string
  17205. name:
  17206. description: The name of the Secret resource being referred to.
  17207. maxLength: 253
  17208. minLength: 1
  17209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17210. type: string
  17211. namespace:
  17212. description: |-
  17213. The namespace of the Secret resource being referred to.
  17214. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17215. maxLength: 63
  17216. minLength: 1
  17217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17218. type: string
  17219. type: object
  17220. required:
  17221. - identityId
  17222. type: object
  17223. ldapAuthCredentials:
  17224. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17225. properties:
  17226. identityId:
  17227. description: |-
  17228. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17229. In some instances, `key` is a required field.
  17230. properties:
  17231. key:
  17232. description: |-
  17233. A key in the referenced Secret.
  17234. Some instances of this field may be defaulted, in others it may be required.
  17235. maxLength: 253
  17236. minLength: 1
  17237. pattern: ^[-._a-zA-Z0-9]+$
  17238. type: string
  17239. name:
  17240. description: The name of the Secret resource being referred to.
  17241. maxLength: 253
  17242. minLength: 1
  17243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17244. type: string
  17245. namespace:
  17246. description: |-
  17247. The namespace of the Secret resource being referred to.
  17248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17249. maxLength: 63
  17250. minLength: 1
  17251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17252. type: string
  17253. type: object
  17254. ldapPassword:
  17255. description: |-
  17256. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17257. In some instances, `key` is a required field.
  17258. properties:
  17259. key:
  17260. description: |-
  17261. A key in the referenced Secret.
  17262. Some instances of this field may be defaulted, in others it may be required.
  17263. maxLength: 253
  17264. minLength: 1
  17265. pattern: ^[-._a-zA-Z0-9]+$
  17266. type: string
  17267. name:
  17268. description: The name of the Secret resource being referred to.
  17269. maxLength: 253
  17270. minLength: 1
  17271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17272. type: string
  17273. namespace:
  17274. description: |-
  17275. The namespace of the Secret resource being referred to.
  17276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17277. maxLength: 63
  17278. minLength: 1
  17279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17280. type: string
  17281. type: object
  17282. ldapUsername:
  17283. description: |-
  17284. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17285. In some instances, `key` is a required field.
  17286. properties:
  17287. key:
  17288. description: |-
  17289. A key in the referenced Secret.
  17290. Some instances of this field may be defaulted, in others it may be required.
  17291. maxLength: 253
  17292. minLength: 1
  17293. pattern: ^[-._a-zA-Z0-9]+$
  17294. type: string
  17295. name:
  17296. description: The name of the Secret resource being referred to.
  17297. maxLength: 253
  17298. minLength: 1
  17299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17300. type: string
  17301. namespace:
  17302. description: |-
  17303. The namespace of the Secret resource being referred to.
  17304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17305. maxLength: 63
  17306. minLength: 1
  17307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17308. type: string
  17309. type: object
  17310. required:
  17311. - identityId
  17312. - ldapPassword
  17313. - ldapUsername
  17314. type: object
  17315. ociAuthCredentials:
  17316. description: OciAuthCredentials represents the credentials for OCI authentication.
  17317. properties:
  17318. fingerprint:
  17319. description: |-
  17320. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17321. In some instances, `key` is a required field.
  17322. properties:
  17323. key:
  17324. description: |-
  17325. A key in the referenced Secret.
  17326. Some instances of this field may be defaulted, in others it may be required.
  17327. maxLength: 253
  17328. minLength: 1
  17329. pattern: ^[-._a-zA-Z0-9]+$
  17330. type: string
  17331. name:
  17332. description: The name of the Secret resource being referred to.
  17333. maxLength: 253
  17334. minLength: 1
  17335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17336. type: string
  17337. namespace:
  17338. description: |-
  17339. The namespace of the Secret resource being referred to.
  17340. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17341. maxLength: 63
  17342. minLength: 1
  17343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17344. type: string
  17345. type: object
  17346. identityId:
  17347. description: |-
  17348. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17349. In some instances, `key` is a required field.
  17350. properties:
  17351. key:
  17352. description: |-
  17353. A key in the referenced Secret.
  17354. Some instances of this field may be defaulted, in others it may be required.
  17355. maxLength: 253
  17356. minLength: 1
  17357. pattern: ^[-._a-zA-Z0-9]+$
  17358. type: string
  17359. name:
  17360. description: The name of the Secret resource being referred to.
  17361. maxLength: 253
  17362. minLength: 1
  17363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17364. type: string
  17365. namespace:
  17366. description: |-
  17367. The namespace of the Secret resource being referred to.
  17368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17369. maxLength: 63
  17370. minLength: 1
  17371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17372. type: string
  17373. type: object
  17374. privateKey:
  17375. description: |-
  17376. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17377. In some instances, `key` is a required field.
  17378. properties:
  17379. key:
  17380. description: |-
  17381. A key in the referenced Secret.
  17382. Some instances of this field may be defaulted, in others it may be required.
  17383. maxLength: 253
  17384. minLength: 1
  17385. pattern: ^[-._a-zA-Z0-9]+$
  17386. type: string
  17387. name:
  17388. description: The name of the Secret resource being referred to.
  17389. maxLength: 253
  17390. minLength: 1
  17391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17392. type: string
  17393. namespace:
  17394. description: |-
  17395. The namespace of the Secret resource being referred to.
  17396. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17397. maxLength: 63
  17398. minLength: 1
  17399. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17400. type: string
  17401. type: object
  17402. privateKeyPassphrase:
  17403. description: |-
  17404. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17405. In some instances, `key` is a required field.
  17406. properties:
  17407. key:
  17408. description: |-
  17409. A key in the referenced Secret.
  17410. Some instances of this field may be defaulted, in others it may be required.
  17411. maxLength: 253
  17412. minLength: 1
  17413. pattern: ^[-._a-zA-Z0-9]+$
  17414. type: string
  17415. name:
  17416. description: The name of the Secret resource being referred to.
  17417. maxLength: 253
  17418. minLength: 1
  17419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17420. type: string
  17421. namespace:
  17422. description: |-
  17423. The namespace of the Secret resource being referred to.
  17424. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17425. maxLength: 63
  17426. minLength: 1
  17427. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17428. type: string
  17429. type: object
  17430. region:
  17431. description: |-
  17432. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17433. In some instances, `key` is a required field.
  17434. properties:
  17435. key:
  17436. description: |-
  17437. A key in the referenced Secret.
  17438. Some instances of this field may be defaulted, in others it may be required.
  17439. maxLength: 253
  17440. minLength: 1
  17441. pattern: ^[-._a-zA-Z0-9]+$
  17442. type: string
  17443. name:
  17444. description: The name of the Secret resource being referred to.
  17445. maxLength: 253
  17446. minLength: 1
  17447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17448. type: string
  17449. namespace:
  17450. description: |-
  17451. The namespace of the Secret resource being referred to.
  17452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17453. maxLength: 63
  17454. minLength: 1
  17455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17456. type: string
  17457. type: object
  17458. tenancyId:
  17459. description: |-
  17460. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17461. In some instances, `key` is a required field.
  17462. properties:
  17463. key:
  17464. description: |-
  17465. A key in the referenced Secret.
  17466. Some instances of this field may be defaulted, in others it may be required.
  17467. maxLength: 253
  17468. minLength: 1
  17469. pattern: ^[-._a-zA-Z0-9]+$
  17470. type: string
  17471. name:
  17472. description: The name of the Secret resource being referred to.
  17473. maxLength: 253
  17474. minLength: 1
  17475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17476. type: string
  17477. namespace:
  17478. description: |-
  17479. The namespace of the Secret resource being referred to.
  17480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17481. maxLength: 63
  17482. minLength: 1
  17483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17484. type: string
  17485. type: object
  17486. userId:
  17487. description: |-
  17488. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17489. In some instances, `key` is a required field.
  17490. properties:
  17491. key:
  17492. description: |-
  17493. A key in the referenced Secret.
  17494. Some instances of this field may be defaulted, in others it may be required.
  17495. maxLength: 253
  17496. minLength: 1
  17497. pattern: ^[-._a-zA-Z0-9]+$
  17498. type: string
  17499. name:
  17500. description: The name of the Secret resource being referred to.
  17501. maxLength: 253
  17502. minLength: 1
  17503. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17504. type: string
  17505. namespace:
  17506. description: |-
  17507. The namespace of the Secret resource being referred to.
  17508. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17509. maxLength: 63
  17510. minLength: 1
  17511. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17512. type: string
  17513. type: object
  17514. required:
  17515. - fingerprint
  17516. - identityId
  17517. - privateKey
  17518. - region
  17519. - tenancyId
  17520. - userId
  17521. type: object
  17522. tokenAuthCredentials:
  17523. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  17524. properties:
  17525. accessToken:
  17526. description: |-
  17527. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17528. In some instances, `key` is a required field.
  17529. properties:
  17530. key:
  17531. description: |-
  17532. A key in the referenced Secret.
  17533. Some instances of this field may be defaulted, in others it may be required.
  17534. maxLength: 253
  17535. minLength: 1
  17536. pattern: ^[-._a-zA-Z0-9]+$
  17537. type: string
  17538. name:
  17539. description: The name of the Secret resource being referred to.
  17540. maxLength: 253
  17541. minLength: 1
  17542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17543. type: string
  17544. namespace:
  17545. description: |-
  17546. The namespace of the Secret resource being referred to.
  17547. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17548. maxLength: 63
  17549. minLength: 1
  17550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17551. type: string
  17552. type: object
  17553. required:
  17554. - accessToken
  17555. type: object
  17556. universalAuthCredentials:
  17557. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  17558. properties:
  17559. clientId:
  17560. description: |-
  17561. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17562. In some instances, `key` is a required field.
  17563. properties:
  17564. key:
  17565. description: |-
  17566. A key in the referenced Secret.
  17567. Some instances of this field may be defaulted, in others it may be required.
  17568. maxLength: 253
  17569. minLength: 1
  17570. pattern: ^[-._a-zA-Z0-9]+$
  17571. type: string
  17572. name:
  17573. description: The name of the Secret resource being referred to.
  17574. maxLength: 253
  17575. minLength: 1
  17576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17577. type: string
  17578. namespace:
  17579. description: |-
  17580. The namespace of the Secret resource being referred to.
  17581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17582. maxLength: 63
  17583. minLength: 1
  17584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17585. type: string
  17586. type: object
  17587. clientSecret:
  17588. description: |-
  17589. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17590. In some instances, `key` is a required field.
  17591. properties:
  17592. key:
  17593. description: |-
  17594. A key in the referenced Secret.
  17595. Some instances of this field may be defaulted, in others it may be required.
  17596. maxLength: 253
  17597. minLength: 1
  17598. pattern: ^[-._a-zA-Z0-9]+$
  17599. type: string
  17600. name:
  17601. description: The name of the Secret resource being referred to.
  17602. maxLength: 253
  17603. minLength: 1
  17604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17605. type: string
  17606. namespace:
  17607. description: |-
  17608. The namespace of the Secret resource being referred to.
  17609. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17610. maxLength: 63
  17611. minLength: 1
  17612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17613. type: string
  17614. type: object
  17615. required:
  17616. - clientId
  17617. - clientSecret
  17618. type: object
  17619. type: object
  17620. caBundle:
  17621. description: |-
  17622. CABundle is a PEM-encoded CA certificate bundle used to validate
  17623. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  17624. format: byte
  17625. type: string
  17626. caProvider:
  17627. description: |-
  17628. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  17629. The certificate is used to validate the Infisical server's TLS certificate.
  17630. Mutually exclusive with CABundle.
  17631. properties:
  17632. key:
  17633. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17634. maxLength: 253
  17635. minLength: 1
  17636. pattern: ^[-._a-zA-Z0-9]+$
  17637. type: string
  17638. name:
  17639. description: The name of the object located at the provider type.
  17640. maxLength: 253
  17641. minLength: 1
  17642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17643. type: string
  17644. namespace:
  17645. description: |-
  17646. The namespace the Provider type is in.
  17647. Can only be defined when used in a ClusterSecretStore.
  17648. maxLength: 63
  17649. minLength: 1
  17650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17651. type: string
  17652. type:
  17653. description: The type of provider to use such as "Secret", or "ConfigMap".
  17654. enum:
  17655. - Secret
  17656. - ConfigMap
  17657. type: string
  17658. required:
  17659. - name
  17660. - type
  17661. type: object
  17662. hostAPI:
  17663. default: https://app.infisical.com/api
  17664. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  17665. type: string
  17666. secretsScope:
  17667. description: SecretsScope defines the scope of the secrets within the workspace
  17668. properties:
  17669. environmentSlug:
  17670. description: EnvironmentSlug is the required slug identifier for the environment.
  17671. type: string
  17672. expandSecretReferences:
  17673. default: true
  17674. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  17675. type: boolean
  17676. projectSlug:
  17677. description: ProjectSlug is the required slug identifier for the project.
  17678. type: string
  17679. recursive:
  17680. default: false
  17681. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  17682. type: boolean
  17683. secretsPath:
  17684. default: /
  17685. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  17686. type: string
  17687. required:
  17688. - environmentSlug
  17689. - projectSlug
  17690. type: object
  17691. required:
  17692. - auth
  17693. - secretsScope
  17694. type: object
  17695. keepersecurity:
  17696. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  17697. properties:
  17698. authRef:
  17699. description: |-
  17700. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17701. In some instances, `key` is a required field.
  17702. properties:
  17703. key:
  17704. description: |-
  17705. A key in the referenced Secret.
  17706. Some instances of this field may be defaulted, in others it may be required.
  17707. maxLength: 253
  17708. minLength: 1
  17709. pattern: ^[-._a-zA-Z0-9]+$
  17710. type: string
  17711. name:
  17712. description: The name of the Secret resource being referred to.
  17713. maxLength: 253
  17714. minLength: 1
  17715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17716. type: string
  17717. namespace:
  17718. description: |-
  17719. The namespace of the Secret resource being referred to.
  17720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17721. maxLength: 63
  17722. minLength: 1
  17723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17724. type: string
  17725. type: object
  17726. folderID:
  17727. type: string
  17728. getByTitleFallback:
  17729. type: boolean
  17730. required:
  17731. - authRef
  17732. - folderID
  17733. type: object
  17734. kubernetes:
  17735. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  17736. properties:
  17737. auth:
  17738. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  17739. maxProperties: 1
  17740. minProperties: 1
  17741. properties:
  17742. cert:
  17743. description: has both clientCert and clientKey as SecretKeySelectors
  17744. properties:
  17745. clientCert:
  17746. description: |-
  17747. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17748. In some instances, `key` is a required field.
  17749. properties:
  17750. key:
  17751. description: |-
  17752. A key in the referenced Secret.
  17753. Some instances of this field may be defaulted, in others it may be required.
  17754. maxLength: 253
  17755. minLength: 1
  17756. pattern: ^[-._a-zA-Z0-9]+$
  17757. type: string
  17758. name:
  17759. description: The name of the Secret resource being referred to.
  17760. maxLength: 253
  17761. minLength: 1
  17762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17763. type: string
  17764. namespace:
  17765. description: |-
  17766. The namespace of the Secret resource being referred to.
  17767. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17768. maxLength: 63
  17769. minLength: 1
  17770. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17771. type: string
  17772. type: object
  17773. clientKey:
  17774. description: |-
  17775. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17776. In some instances, `key` is a required field.
  17777. properties:
  17778. key:
  17779. description: |-
  17780. A key in the referenced Secret.
  17781. Some instances of this field may be defaulted, in others it may be required.
  17782. maxLength: 253
  17783. minLength: 1
  17784. pattern: ^[-._a-zA-Z0-9]+$
  17785. type: string
  17786. name:
  17787. description: The name of the Secret resource being referred to.
  17788. maxLength: 253
  17789. minLength: 1
  17790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17791. type: string
  17792. namespace:
  17793. description: |-
  17794. The namespace of the Secret resource being referred to.
  17795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17796. maxLength: 63
  17797. minLength: 1
  17798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17799. type: string
  17800. type: object
  17801. type: object
  17802. serviceAccount:
  17803. description: points to a service account that should be used for authentication
  17804. properties:
  17805. audiences:
  17806. description: |-
  17807. Audience specifies the `aud` claim for the service account token
  17808. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17809. then these audiences will be appended to the list
  17810. items:
  17811. type: string
  17812. type: array
  17813. name:
  17814. description: The name of the ServiceAccount resource being referred to.
  17815. maxLength: 253
  17816. minLength: 1
  17817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17818. type: string
  17819. namespace:
  17820. description: |-
  17821. Namespace of the resource being referred to.
  17822. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17823. maxLength: 63
  17824. minLength: 1
  17825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17826. type: string
  17827. required:
  17828. - name
  17829. type: object
  17830. token:
  17831. description: use a static bearer token to authenticate with
  17832. properties:
  17833. bearerToken:
  17834. description: |-
  17835. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17836. In some instances, `key` is a required field.
  17837. properties:
  17838. key:
  17839. description: |-
  17840. A key in the referenced Secret.
  17841. Some instances of this field may be defaulted, in others it may be required.
  17842. maxLength: 253
  17843. minLength: 1
  17844. pattern: ^[-._a-zA-Z0-9]+$
  17845. type: string
  17846. name:
  17847. description: The name of the Secret resource being referred to.
  17848. maxLength: 253
  17849. minLength: 1
  17850. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17851. type: string
  17852. namespace:
  17853. description: |-
  17854. The namespace of the Secret resource being referred to.
  17855. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17856. maxLength: 63
  17857. minLength: 1
  17858. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17859. type: string
  17860. type: object
  17861. type: object
  17862. type: object
  17863. authRef:
  17864. description: A reference to a secret that contains the auth information.
  17865. properties:
  17866. key:
  17867. description: |-
  17868. A key in the referenced Secret.
  17869. Some instances of this field may be defaulted, in others it may be required.
  17870. maxLength: 253
  17871. minLength: 1
  17872. pattern: ^[-._a-zA-Z0-9]+$
  17873. type: string
  17874. name:
  17875. description: The name of the Secret resource being referred to.
  17876. maxLength: 253
  17877. minLength: 1
  17878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17879. type: string
  17880. namespace:
  17881. description: |-
  17882. The namespace of the Secret resource being referred to.
  17883. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17884. maxLength: 63
  17885. minLength: 1
  17886. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17887. type: string
  17888. type: object
  17889. remoteNamespace:
  17890. default: default
  17891. description: Remote namespace to fetch the secrets from
  17892. maxLength: 63
  17893. minLength: 1
  17894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17895. type: string
  17896. server:
  17897. description: configures the Kubernetes server Address.
  17898. properties:
  17899. caBundle:
  17900. description: CABundle is a base64-encoded CA certificate
  17901. format: byte
  17902. type: string
  17903. caProvider:
  17904. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  17905. properties:
  17906. key:
  17907. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17908. maxLength: 253
  17909. minLength: 1
  17910. pattern: ^[-._a-zA-Z0-9]+$
  17911. type: string
  17912. name:
  17913. description: The name of the object located at the provider type.
  17914. maxLength: 253
  17915. minLength: 1
  17916. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17917. type: string
  17918. namespace:
  17919. description: |-
  17920. The namespace the Provider type is in.
  17921. Can only be defined when used in a ClusterSecretStore.
  17922. maxLength: 63
  17923. minLength: 1
  17924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17925. type: string
  17926. type:
  17927. description: The type of provider to use such as "Secret", or "ConfigMap".
  17928. enum:
  17929. - Secret
  17930. - ConfigMap
  17931. type: string
  17932. required:
  17933. - name
  17934. - type
  17935. type: object
  17936. url:
  17937. default: kubernetes.default
  17938. description: configures the Kubernetes server Address.
  17939. type: string
  17940. type: object
  17941. type: object
  17942. nebiusmysterybox:
  17943. description: NebiusMysterybox configures this store to sync secrets using the NebiusMysterybox provider
  17944. properties:
  17945. apiDomain:
  17946. description: NebiusMysterybox API endpoint
  17947. type: string
  17948. auth:
  17949. description: Auth defines the parameters used to authenticate with MysteryBox
  17950. properties:
  17951. serviceAccountCredsSecretRef:
  17952. description: |-
  17953. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  17954. document with service account credentials used to get an IAM token.
  17955. Expected JSON structure:
  17956. {
  17957. "subject-credentials": {
  17958. "alg": "RS256",
  17959. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  17960. "kid": "<public-key-id>",
  17961. "iss": "<issuer-service-account-id>",
  17962. "sub": "<subject-service-account-id>"
  17963. }
  17964. }
  17965. properties:
  17966. key:
  17967. description: |-
  17968. A key in the referenced Secret.
  17969. Some instances of this field may be defaulted, in others it may be required.
  17970. maxLength: 253
  17971. minLength: 1
  17972. pattern: ^[-._a-zA-Z0-9]+$
  17973. type: string
  17974. name:
  17975. description: The name of the Secret resource being referred to.
  17976. maxLength: 253
  17977. minLength: 1
  17978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17979. type: string
  17980. namespace:
  17981. description: |-
  17982. The namespace of the Secret resource being referred to.
  17983. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17984. maxLength: 63
  17985. minLength: 1
  17986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17987. type: string
  17988. type: object
  17989. tokenSecretRef:
  17990. description: Token authenticates with Nebius Mysterybox by presenting a token.
  17991. properties:
  17992. key:
  17993. description: |-
  17994. A key in the referenced Secret.
  17995. Some instances of this field may be defaulted, in others it may be required.
  17996. maxLength: 253
  17997. minLength: 1
  17998. pattern: ^[-._a-zA-Z0-9]+$
  17999. type: string
  18000. name:
  18001. description: The name of the Secret resource being referred to.
  18002. maxLength: 253
  18003. minLength: 1
  18004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18005. type: string
  18006. namespace:
  18007. description: |-
  18008. The namespace of the Secret resource being referred to.
  18009. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18010. maxLength: 63
  18011. minLength: 1
  18012. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18013. type: string
  18014. type: object
  18015. type: object
  18016. x-kubernetes-validations:
  18017. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18018. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18019. caProvider:
  18020. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18021. properties:
  18022. certSecretRef:
  18023. description: |-
  18024. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18025. In some instances, `key` is a required field.
  18026. properties:
  18027. key:
  18028. description: |-
  18029. A key in the referenced Secret.
  18030. Some instances of this field may be defaulted, in others it may be required.
  18031. maxLength: 253
  18032. minLength: 1
  18033. pattern: ^[-._a-zA-Z0-9]+$
  18034. type: string
  18035. name:
  18036. description: The name of the Secret resource being referred to.
  18037. maxLength: 253
  18038. minLength: 1
  18039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18040. type: string
  18041. namespace:
  18042. description: |-
  18043. The namespace of the Secret resource being referred to.
  18044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18045. maxLength: 63
  18046. minLength: 1
  18047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18048. type: string
  18049. type: object
  18050. type: object
  18051. required:
  18052. - apiDomain
  18053. - auth
  18054. type: object
  18055. ngrok:
  18056. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18057. properties:
  18058. apiUrl:
  18059. default: https://api.ngrok.com
  18060. description: APIURL is the URL of the ngrok API.
  18061. type: string
  18062. auth:
  18063. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18064. maxProperties: 1
  18065. minProperties: 1
  18066. properties:
  18067. apiKey:
  18068. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18069. properties:
  18070. secretRef:
  18071. description: SecretRef is a reference to a secret containing the ngrok API key.
  18072. properties:
  18073. key:
  18074. description: |-
  18075. A key in the referenced Secret.
  18076. Some instances of this field may be defaulted, in others it may be required.
  18077. maxLength: 253
  18078. minLength: 1
  18079. pattern: ^[-._a-zA-Z0-9]+$
  18080. type: string
  18081. name:
  18082. description: The name of the Secret resource being referred to.
  18083. maxLength: 253
  18084. minLength: 1
  18085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18086. type: string
  18087. namespace:
  18088. description: |-
  18089. The namespace of the Secret resource being referred to.
  18090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18091. maxLength: 63
  18092. minLength: 1
  18093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18094. type: string
  18095. type: object
  18096. type: object
  18097. type: object
  18098. vault:
  18099. description: Vault configures the ngrok vault to sync secrets with.
  18100. properties:
  18101. name:
  18102. description: Name is the name of the ngrok vault to sync secrets with.
  18103. type: string
  18104. required:
  18105. - name
  18106. type: object
  18107. required:
  18108. - auth
  18109. - vault
  18110. type: object
  18111. onboardbase:
  18112. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18113. properties:
  18114. apiHost:
  18115. default: https://public.onboardbase.com/api/v1/
  18116. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  18117. type: string
  18118. auth:
  18119. description: Auth configures how the Operator authenticates with the Onboardbase API
  18120. properties:
  18121. apiKeyRef:
  18122. description: |-
  18123. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18124. It is used to recognize and authorize access to a project and environment within onboardbase
  18125. properties:
  18126. key:
  18127. description: |-
  18128. A key in the referenced Secret.
  18129. Some instances of this field may be defaulted, in others it may be required.
  18130. maxLength: 253
  18131. minLength: 1
  18132. pattern: ^[-._a-zA-Z0-9]+$
  18133. type: string
  18134. name:
  18135. description: The name of the Secret resource being referred to.
  18136. maxLength: 253
  18137. minLength: 1
  18138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18139. type: string
  18140. namespace:
  18141. description: |-
  18142. The namespace of the Secret resource being referred to.
  18143. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18144. maxLength: 63
  18145. minLength: 1
  18146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18147. type: string
  18148. type: object
  18149. passcodeRef:
  18150. description: OnboardbasePasscode is the passcode attached to the API Key
  18151. properties:
  18152. key:
  18153. description: |-
  18154. A key in the referenced Secret.
  18155. Some instances of this field may be defaulted, in others it may be required.
  18156. maxLength: 253
  18157. minLength: 1
  18158. pattern: ^[-._a-zA-Z0-9]+$
  18159. type: string
  18160. name:
  18161. description: The name of the Secret resource being referred to.
  18162. maxLength: 253
  18163. minLength: 1
  18164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18165. type: string
  18166. namespace:
  18167. description: |-
  18168. The namespace of the Secret resource being referred to.
  18169. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18170. maxLength: 63
  18171. minLength: 1
  18172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18173. type: string
  18174. type: object
  18175. required:
  18176. - apiKeyRef
  18177. - passcodeRef
  18178. type: object
  18179. environment:
  18180. default: development
  18181. description: Environment is the name of an environment within a project to pull the secrets from
  18182. type: string
  18183. project:
  18184. default: development
  18185. description: Project is an onboardbase project that the secrets should be pulled from
  18186. type: string
  18187. required:
  18188. - apiHost
  18189. - auth
  18190. - environment
  18191. - project
  18192. type: object
  18193. onepassword:
  18194. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18195. properties:
  18196. auth:
  18197. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18198. properties:
  18199. secretRef:
  18200. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18201. properties:
  18202. connectTokenSecretRef:
  18203. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18204. properties:
  18205. key:
  18206. description: |-
  18207. A key in the referenced Secret.
  18208. Some instances of this field may be defaulted, in others it may be required.
  18209. maxLength: 253
  18210. minLength: 1
  18211. pattern: ^[-._a-zA-Z0-9]+$
  18212. type: string
  18213. name:
  18214. description: The name of the Secret resource being referred to.
  18215. maxLength: 253
  18216. minLength: 1
  18217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18218. type: string
  18219. namespace:
  18220. description: |-
  18221. The namespace of the Secret resource being referred to.
  18222. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18223. maxLength: 63
  18224. minLength: 1
  18225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18226. type: string
  18227. type: object
  18228. required:
  18229. - connectTokenSecretRef
  18230. type: object
  18231. required:
  18232. - secretRef
  18233. type: object
  18234. connectHost:
  18235. description: ConnectHost defines the OnePassword Connect Server to connect to
  18236. type: string
  18237. vaults:
  18238. additionalProperties:
  18239. type: integer
  18240. description: Vaults defines which OnePassword vaults to search in which order
  18241. type: object
  18242. required:
  18243. - auth
  18244. - connectHost
  18245. - vaults
  18246. type: object
  18247. onepasswordSDK:
  18248. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18249. properties:
  18250. auth:
  18251. description: Auth defines the information necessary to authenticate against OnePassword API.
  18252. properties:
  18253. serviceAccountSecretRef:
  18254. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18255. properties:
  18256. key:
  18257. description: |-
  18258. A key in the referenced Secret.
  18259. Some instances of this field may be defaulted, in others it may be required.
  18260. maxLength: 253
  18261. minLength: 1
  18262. pattern: ^[-._a-zA-Z0-9]+$
  18263. type: string
  18264. name:
  18265. description: The name of the Secret resource being referred to.
  18266. maxLength: 253
  18267. minLength: 1
  18268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18269. type: string
  18270. namespace:
  18271. description: |-
  18272. The namespace of the Secret resource being referred to.
  18273. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18274. maxLength: 63
  18275. minLength: 1
  18276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18277. type: string
  18278. type: object
  18279. required:
  18280. - serviceAccountSecretRef
  18281. type: object
  18282. cache:
  18283. description: |-
  18284. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18285. When enabled, secrets are cached with the specified TTL.
  18286. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18287. If omitted, caching is disabled (default).
  18288. cache: {} is a valid option to set.
  18289. properties:
  18290. maxSize:
  18291. default: 100
  18292. description: |-
  18293. MaxSize is the maximum number of secrets to cache.
  18294. When the cache is full, least-recently-used entries are evicted.
  18295. minimum: 1
  18296. type: integer
  18297. ttl:
  18298. default: 5m
  18299. description: |-
  18300. TTL is the time-to-live for cached secrets.
  18301. Format: duration string (e.g., "5m", "1h", "30s")
  18302. type: string
  18303. type: object
  18304. integrationInfo:
  18305. description: |-
  18306. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18307. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18308. properties:
  18309. name:
  18310. default: 1Password SDK
  18311. description: Name defaults to "1Password SDK".
  18312. type: string
  18313. version:
  18314. default: v1.0.0
  18315. description: Version defaults to "v1.0.0".
  18316. type: string
  18317. type: object
  18318. vault:
  18319. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18320. type: string
  18321. required:
  18322. - auth
  18323. - vault
  18324. type: object
  18325. openBao:
  18326. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18327. properties:
  18328. auth:
  18329. description: Auth configures how secret-manager authenticates with the OpenBao server.
  18330. properties:
  18331. tokenSecretRef:
  18332. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  18333. properties:
  18334. key:
  18335. description: |-
  18336. A key in the referenced Secret.
  18337. Some instances of this field may be defaulted, in others it may be required.
  18338. maxLength: 253
  18339. minLength: 1
  18340. pattern: ^[-._a-zA-Z0-9]+$
  18341. type: string
  18342. name:
  18343. description: The name of the Secret resource being referred to.
  18344. maxLength: 253
  18345. minLength: 1
  18346. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18347. type: string
  18348. namespace:
  18349. description: |-
  18350. The namespace of the Secret resource being referred to.
  18351. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18352. maxLength: 63
  18353. minLength: 1
  18354. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18355. type: string
  18356. type: object
  18357. type: object
  18358. path:
  18359. description: |-
  18360. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  18361. "secret". The v2 KV secret engine version specific "/data" path suffix
  18362. for fetching secrets from OpenBao is optional and will be appended
  18363. if not present in specified path.
  18364. type: string
  18365. server:
  18366. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  18367. type: string
  18368. version:
  18369. default: v2
  18370. description: |-
  18371. Version is the OpenBao KV secret engine version. This can be either "v1" or
  18372. "v2". Version defaults to "v2".
  18373. enum:
  18374. - v1
  18375. - v2
  18376. type: string
  18377. required:
  18378. - server
  18379. type: object
  18380. oracle:
  18381. description: Oracle configures this store to sync secrets using Oracle Vault provider
  18382. properties:
  18383. auth:
  18384. description: |-
  18385. Auth configures how secret-manager authenticates with the Oracle Vault.
  18386. If empty, the instance principal is used; otherwise the user credentials specified in Auth are used.
  18387. properties:
  18388. secretRef:
  18389. description: SecretRef to pass through sensitive information.
  18390. properties:
  18391. fingerprint:
  18392. description: Fingerprint is the fingerprint of the API private key.
  18393. properties:
  18394. key:
  18395. description: |-
  18396. A key in the referenced Secret.
  18397. Some instances of this field may be defaulted, in others it may be required.
  18398. maxLength: 253
  18399. minLength: 1
  18400. pattern: ^[-._a-zA-Z0-9]+$
  18401. type: string
  18402. name:
  18403. description: The name of the Secret resource being referred to.
  18404. maxLength: 253
  18405. minLength: 1
  18406. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18407. type: string
  18408. namespace:
  18409. description: |-
  18410. The namespace of the Secret resource being referred to.
  18411. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18412. maxLength: 63
  18413. minLength: 1
  18414. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18415. type: string
  18416. type: object
  18417. privatekey:
  18418. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  18419. properties:
  18420. key:
  18421. description: |-
  18422. A key in the referenced Secret.
  18423. Some instances of this field may be defaulted, in others it may be required.
  18424. maxLength: 253
  18425. minLength: 1
  18426. pattern: ^[-._a-zA-Z0-9]+$
  18427. type: string
  18428. name:
  18429. description: The name of the Secret resource being referred to.
  18430. maxLength: 253
  18431. minLength: 1
  18432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18433. type: string
  18434. namespace:
  18435. description: |-
  18436. The namespace of the Secret resource being referred to.
  18437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18438. maxLength: 63
  18439. minLength: 1
  18440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18441. type: string
  18442. type: object
  18443. required:
  18444. - fingerprint
  18445. - privatekey
  18446. type: object
  18447. tenancy:
  18448. description: Tenancy is the tenancy OCID where user is located.
  18449. type: string
  18450. user:
  18451. description: User is an access OCID specific to the account.
  18452. type: string
  18453. required:
  18454. - secretRef
  18455. - tenancy
  18456. - user
  18457. type: object
  18458. compartment:
  18459. description: |-
  18460. Compartment is the vault compartment OCID.
  18461. Required for PushSecret
  18462. type: string
  18463. encryptionKey:
  18464. description: |-
  18465. EncryptionKey is the OCID of the encryption key within the vault.
  18466. Required for PushSecret
  18467. type: string
  18468. principalType:
  18469. description: |-
  18470. The type of principal to use for authentication. If left blank, the Auth struct will
  18471. determine the principal type. This optional field must be specified if using
  18472. workload identity.
  18473. enum:
  18474. - ""
  18475. - UserPrincipal
  18476. - InstancePrincipal
  18477. - Workload
  18478. type: string
  18479. region:
  18480. description: Region is the region where vault is located.
  18481. type: string
  18482. serviceAccountRef:
  18483. description: |-
  18484. ServiceAccountRef specifies the service account
  18485. that should be used when authenticating with WorkloadIdentity.
  18486. properties:
  18487. audiences:
  18488. description: |-
  18489. Audience specifies the `aud` claim for the service account token.
  18490. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  18491. then these audiences will be appended to the list.
  18492. items:
  18493. type: string
  18494. type: array
  18495. name:
  18496. description: The name of the ServiceAccount resource being referred to.
  18497. maxLength: 253
  18498. minLength: 1
  18499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18500. type: string
  18501. namespace:
  18502. description: |-
  18503. Namespace of the resource being referred to.
  18504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18505. maxLength: 63
  18506. minLength: 1
  18507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18508. type: string
  18509. required:
  18510. - name
  18511. type: object
  18512. vault:
  18513. description: Vault is the vault's OCID of the specific vault where secret is located.
  18514. type: string
  18515. required:
  18516. - region
  18517. - vault
  18518. type: object
  18519. ovh:
  18520. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  18521. properties:
  18522. auth:
  18523. description: Authentication method (mtls or token).
  18524. properties:
  18525. mtls:
  18526. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  18527. properties:
  18528. caBundle:
  18529. format: byte
  18530. type: string
  18531. caProvider:
  18532. description: |-
  18533. CAProvider provides a custom certificate authority for accessing the provider's store.
  18534. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  18535. properties:
  18536. key:
  18537. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18538. maxLength: 253
  18539. minLength: 1
  18540. pattern: ^[-._a-zA-Z0-9]+$
  18541. type: string
  18542. name:
  18543. description: The name of the object located at the provider type.
  18544. maxLength: 253
  18545. minLength: 1
  18546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18547. type: string
  18548. namespace:
  18549. description: |-
  18550. The namespace the Provider type is in.
  18551. Can only be defined when used in a ClusterSecretStore.
  18552. maxLength: 63
  18553. minLength: 1
  18554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18555. type: string
  18556. type:
  18557. description: The type of provider to use such as "Secret", or "ConfigMap".
  18558. enum:
  18559. - Secret
  18560. - ConfigMap
  18561. type: string
  18562. required:
  18563. - name
  18564. - type
  18565. type: object
  18566. certSecretRef:
  18567. description: |-
  18568. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18569. In some instances, `key` is a required field.
  18570. properties:
  18571. key:
  18572. description: |-
  18573. A key in the referenced Secret.
  18574. Some instances of this field may be defaulted, in others it may be required.
  18575. maxLength: 253
  18576. minLength: 1
  18577. pattern: ^[-._a-zA-Z0-9]+$
  18578. type: string
  18579. name:
  18580. description: The name of the Secret resource being referred to.
  18581. maxLength: 253
  18582. minLength: 1
  18583. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18584. type: string
  18585. namespace:
  18586. description: |-
  18587. The namespace of the Secret resource being referred to.
  18588. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18589. maxLength: 63
  18590. minLength: 1
  18591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18592. type: string
  18593. type: object
  18594. keySecretRef:
  18595. description: |-
  18596. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18597. In some instances, `key` is a required field.
  18598. properties:
  18599. key:
  18600. description: |-
  18601. A key in the referenced Secret.
  18602. Some instances of this field may be defaulted, in others it may be required.
  18603. maxLength: 253
  18604. minLength: 1
  18605. pattern: ^[-._a-zA-Z0-9]+$
  18606. type: string
  18607. name:
  18608. description: The name of the Secret resource being referred to.
  18609. maxLength: 253
  18610. minLength: 1
  18611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18612. type: string
  18613. namespace:
  18614. description: |-
  18615. The namespace of the Secret resource being referred to.
  18616. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18617. maxLength: 63
  18618. minLength: 1
  18619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18620. type: string
  18621. type: object
  18622. required:
  18623. - certSecretRef
  18624. - keySecretRef
  18625. type: object
  18626. token:
  18627. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  18628. properties:
  18629. tokenSecretRef:
  18630. description: |-
  18631. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18632. In some instances, `key` is a required field.
  18633. properties:
  18634. key:
  18635. description: |-
  18636. A key in the referenced Secret.
  18637. Some instances of this field may be defaulted, in others it may be required.
  18638. maxLength: 253
  18639. minLength: 1
  18640. pattern: ^[-._a-zA-Z0-9]+$
  18641. type: string
  18642. name:
  18643. description: The name of the Secret resource being referred to.
  18644. maxLength: 253
  18645. minLength: 1
  18646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18647. type: string
  18648. namespace:
  18649. description: |-
  18650. The namespace of the Secret resource being referred to.
  18651. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18652. maxLength: 63
  18653. minLength: 1
  18654. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18655. type: string
  18656. type: object
  18657. required:
  18658. - tokenSecretRef
  18659. type: object
  18660. type: object
  18661. casRequired:
  18662. description: 'Enables or disables check-and-set (CAS) (default: false).'
  18663. type: boolean
  18664. okmsTimeout:
  18665. default: 30
  18666. description: 'Sets a timeout in seconds for requests made to the KMS (default: 30).'
  18667. format: int32
  18668. minimum: 1
  18669. type: integer
  18670. okmsid:
  18671. description: specifies the OKMS ID.
  18672. type: string
  18673. server:
  18674. description: specifies the OKMS server endpoint.
  18675. type: string
  18676. required:
  18677. - auth
  18678. - okmsid
  18679. - server
  18680. type: object
  18681. passbolt:
  18682. description: |-
  18683. PassboltProvider provides access to Passbolt secrets manager.
  18684. See: https://www.passbolt.com.
  18685. properties:
  18686. auth:
  18687. description: Auth defines the information necessary to authenticate against Passbolt Server
  18688. properties:
  18689. passwordSecretRef:
  18690. description: |-
  18691. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18692. In some instances, `key` is a required field.
  18693. properties:
  18694. key:
  18695. description: |-
  18696. A key in the referenced Secret.
  18697. Some instances of this field may be defaulted, in others it may be required.
  18698. maxLength: 253
  18699. minLength: 1
  18700. pattern: ^[-._a-zA-Z0-9]+$
  18701. type: string
  18702. name:
  18703. description: The name of the Secret resource being referred to.
  18704. maxLength: 253
  18705. minLength: 1
  18706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18707. type: string
  18708. namespace:
  18709. description: |-
  18710. The namespace of the Secret resource being referred to.
  18711. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18712. maxLength: 63
  18713. minLength: 1
  18714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18715. type: string
  18716. type: object
  18717. privateKeySecretRef:
  18718. description: |-
  18719. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18720. In some instances, `key` is a required field.
  18721. properties:
  18722. key:
  18723. description: |-
  18724. A key in the referenced Secret.
  18725. Some instances of this field may be defaulted, in others it may be required.
  18726. maxLength: 253
  18727. minLength: 1
  18728. pattern: ^[-._a-zA-Z0-9]+$
  18729. type: string
  18730. name:
  18731. description: The name of the Secret resource being referred to.
  18732. maxLength: 253
  18733. minLength: 1
  18734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18735. type: string
  18736. namespace:
  18737. description: |-
  18738. The namespace of the Secret resource being referred to.
  18739. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18740. maxLength: 63
  18741. minLength: 1
  18742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18743. type: string
  18744. type: object
  18745. required:
  18746. - passwordSecretRef
  18747. - privateKeySecretRef
  18748. type: object
  18749. caBundle:
  18750. description: |-
  18751. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  18752. if the Host URL is using HTTPS protocol. If not set the system root certificates
  18753. are used to validate the TLS connection.
  18754. format: byte
  18755. type: string
  18756. caProvider:
  18757. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  18758. properties:
  18759. key:
  18760. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18761. maxLength: 253
  18762. minLength: 1
  18763. pattern: ^[-._a-zA-Z0-9]+$
  18764. type: string
  18765. name:
  18766. description: The name of the object located at the provider type.
  18767. maxLength: 253
  18768. minLength: 1
  18769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18770. type: string
  18771. namespace:
  18772. description: |-
  18773. The namespace the Provider type is in.
  18774. Can only be defined when used in a ClusterSecretStore.
  18775. maxLength: 63
  18776. minLength: 1
  18777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18778. type: string
  18779. type:
  18780. description: The type of provider to use such as "Secret", or "ConfigMap".
  18781. enum:
  18782. - Secret
  18783. - ConfigMap
  18784. type: string
  18785. required:
  18786. - name
  18787. - type
  18788. type: object
  18789. host:
  18790. description: Host defines the Passbolt Server to connect to. Use an https URL so the connection is protected by TLS; caBundle and caProvider only take effect for HTTPS hosts.
  18791. type: string
  18792. required:
  18793. - auth
  18794. - host
  18795. type: object
  18796. passworddepot:
  18797. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  18798. properties:
  18799. auth:
  18800. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  18801. properties:
  18802. secretRef:
  18803. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  18804. properties:
  18805. credentials:
  18806. description: Username / Password is used for authentication.
  18807. properties:
  18808. key:
  18809. description: |-
  18810. A key in the referenced Secret.
  18811. Some instances of this field may be defaulted, in others it may be required.
  18812. maxLength: 253
  18813. minLength: 1
  18814. pattern: ^[-._a-zA-Z0-9]+$
  18815. type: string
  18816. name:
  18817. description: The name of the Secret resource being referred to.
  18818. maxLength: 253
  18819. minLength: 1
  18820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18821. type: string
  18822. namespace:
  18823. description: |-
  18824. The namespace of the Secret resource being referred to.
  18825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18826. maxLength: 63
  18827. minLength: 1
  18828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18829. type: string
  18830. type: object
  18831. type: object
  18832. required:
  18833. - secretRef
  18834. type: object
  18835. database:
  18836. description: Database to use as source
  18837. type: string
  18838. host:
  18839. description: Host is the URL of the Password Depot instance to connect to.
  18840. type: string
  18841. required:
  18842. - auth
  18843. - database
  18844. - host
  18845. type: object
  18846. previder:
  18847. description: Previder configures this store to sync secrets using the Previder provider
  18848. properties:
  18849. auth:
  18850. description: PreviderAuth contains a secretRef for credentials.
  18851. properties:
  18852. secretRef:
  18853. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  18854. properties:
  18855. accessToken:
  18856. description: The AccessToken is used for authentication
  18857. properties:
  18858. key:
  18859. description: |-
  18860. A key in the referenced Secret.
  18861. Some instances of this field may be defaulted, in others it may be required.
  18862. maxLength: 253
  18863. minLength: 1
  18864. pattern: ^[-._a-zA-Z0-9]+$
  18865. type: string
  18866. name:
  18867. description: The name of the Secret resource being referred to.
  18868. maxLength: 253
  18869. minLength: 1
  18870. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18871. type: string
  18872. namespace:
  18873. description: |-
  18874. The namespace of the Secret resource being referred to.
  18875. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18876. maxLength: 63
  18877. minLength: 1
  18878. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18879. type: string
  18880. type: object
  18881. required:
  18882. - accessToken
  18883. type: object
  18884. type: object
  18885. baseUri:
  18886. type: string
  18887. required:
  18888. - auth
  18889. type: object
  18890. pulumi:
  18891. description: Pulumi configures this store to sync secrets using the Pulumi provider
  18892. properties:
  18893. accessToken:
  18894. description: |-
  18895. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  18896. Deprecated: Use auth.accessToken instead.
  18897. properties:
  18898. secretRef:
  18899. description: SecretRef is a reference to a secret containing the Pulumi API token.
  18900. properties:
  18901. key:
  18902. description: |-
  18903. A key in the referenced Secret.
  18904. Some instances of this field may be defaulted, in others it may be required.
  18905. maxLength: 253
  18906. minLength: 1
  18907. pattern: ^[-._a-zA-Z0-9]+$
  18908. type: string
  18909. name:
  18910. description: The name of the Secret resource being referred to.
  18911. maxLength: 253
  18912. minLength: 1
  18913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18914. type: string
  18915. namespace:
  18916. description: |-
  18917. The namespace of the Secret resource being referred to.
  18918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18919. maxLength: 63
  18920. minLength: 1
  18921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18922. type: string
  18923. type: object
  18924. type: object
  18925. apiUrl:
  18926. default: https://api.pulumi.com/api/esc
  18927. description: APIURL is the URL of the Pulumi API.
  18928. type: string
  18929. auth:
  18930. description: |-
  18931. Auth configures how the Operator authenticates with the Pulumi API.
  18932. Either auth or the deprecated accessToken field must be specified.
  18933. properties:
  18934. accessToken:
  18935. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  18936. properties:
  18937. secretRef:
  18938. description: SecretRef is a reference to a secret containing the Pulumi API token.
  18939. properties:
  18940. key:
  18941. description: |-
  18942. A key in the referenced Secret.
  18943. Some instances of this field may be defaulted, in others it may be required.
  18944. maxLength: 253
  18945. minLength: 1
  18946. pattern: ^[-._a-zA-Z0-9]+$
  18947. type: string
  18948. name:
  18949. description: The name of the Secret resource being referred to.
  18950. maxLength: 253
  18951. minLength: 1
  18952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18953. type: string
  18954. namespace:
  18955. description: |-
  18956. The namespace of the Secret resource being referred to.
  18957. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18958. maxLength: 63
  18959. minLength: 1
  18960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18961. type: string
  18962. type: object
  18963. type: object
  18964. oidcConfig:
  18965. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  18966. properties:
  18967. expirationSeconds:
  18968. default: 600
  18969. description: |-
  18970. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  18971. Defaults to 10 minutes.
  18972. format: int64
  18973. minimum: 600
  18974. type: integer
  18975. organization:
  18976. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  18977. type: string
  18978. serviceAccountRef:
  18979. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  18980. properties:
  18981. audiences:
  18982. description: |-
  18983. Audience specifies the `aud` claim for the service account token
  18984. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18985. then these audiences will be appended to the list
  18986. items:
  18987. type: string
  18988. type: array
  18989. name:
  18990. description: The name of the ServiceAccount resource being referred to.
  18991. maxLength: 253
  18992. minLength: 1
  18993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18994. type: string
  18995. namespace:
  18996. description: |-
  18997. Namespace of the resource being referred to.
  18998. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18999. maxLength: 63
  19000. minLength: 1
  19001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19002. type: string
  19003. required:
  19004. - name
  19005. type: object
  19006. required:
  19007. - organization
  19008. - serviceAccountRef
  19009. type: object
  19010. type: object
  19011. x-kubernetes-validations:
  19012. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19013. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19014. environment:
  19015. description: |-
  19016. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  19017. dynamically retrieved values from supported providers including all major clouds,
  19018. and other Pulumi ESC environments.
  19019. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19020. type: string
  19021. organization:
  19022. description: |-
  19023. Organization are a space to collaborate on shared projects and stacks.
  19024. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19025. type: string
  19026. project:
  19027. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19028. type: string
  19029. required:
  19030. - environment
  19031. - organization
  19032. - project
  19033. type: object
  19034. x-kubernetes-validations:
  19035. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19036. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19037. scaleway:
  19038. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19039. properties:
  19040. accessKey:
  19041. description: AccessKey is the non-secret part of the api key.
  19042. properties:
  19043. secretRef:
  19044. description: SecretRef references a key in a secret that will be used as value.
  19045. properties:
  19046. key:
  19047. description: |-
  19048. A key in the referenced Secret.
  19049. Some instances of this field may be defaulted, in others it may be required.
  19050. maxLength: 253
  19051. minLength: 1
  19052. pattern: ^[-._a-zA-Z0-9]+$
  19053. type: string
  19054. name:
  19055. description: The name of the Secret resource being referred to.
  19056. maxLength: 253
  19057. minLength: 1
  19058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19059. type: string
  19060. namespace:
  19061. description: |-
  19062. The namespace of the Secret resource being referred to.
  19063. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19064. maxLength: 63
  19065. minLength: 1
  19066. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19067. type: string
  19068. type: object
  19069. value:
  19070. description: Value can be specified directly to set a value without using a secret.
  19071. type: string
  19072. type: object
  19073. apiUrl:
  19074. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19075. type: string
  19076. projectId:
  19077. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19078. type: string
  19079. region:
  19080. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19081. type: string
  19082. secretKey:
  19083. description: SecretKey is the secret part of the api key. Supply it through secretRef rather than value so the key is not stored in plaintext in the store manifest.
  19084. properties:
  19085. secretRef:
  19086. description: SecretRef references a key in a secret that will be used as value.
  19087. properties:
  19088. key:
  19089. description: |-
  19090. A key in the referenced Secret.
  19091. Some instances of this field may be defaulted, in others it may be required.
  19092. maxLength: 253
  19093. minLength: 1
  19094. pattern: ^[-._a-zA-Z0-9]+$
  19095. type: string
  19096. name:
  19097. description: The name of the Secret resource being referred to.
  19098. maxLength: 253
  19099. minLength: 1
  19100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19101. type: string
  19102. namespace:
  19103. description: |-
  19104. The namespace of the Secret resource being referred to.
  19105. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19106. maxLength: 63
  19107. minLength: 1
  19108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19109. type: string
  19110. type: object
  19111. value:
  19112. description: Value can be specified directly to set a value without using a secret. Not recommended for the secret key, since the value is then stored in plaintext in the store resource.
  19113. type: string
  19114. type: object
  19115. required:
  19116. - accessKey
  19117. - projectId
  19118. - region
  19119. - secretKey
  19120. type: object
  19121. secretserver:
  19122. description: |-
  19123. SecretServer configures this store to sync secrets using SecretServer provider
  19124. https://docs.delinea.com/online-help/secret-server/start.htm
  19125. properties:
  19126. caBundle:
  19127. description: |-
  19128. PEM encoded CA bundle (base64 in the manifest, as format byte) used to validate the Secret Server TLS certificate. Only used
  19129. if ServerURL uses the HTTPS protocol. If not set the system root certificates
  19130. are used to validate the TLS connection.
  19131. format: byte
  19132. type: string
  19133. caProvider:
  19134. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  19135. properties:
  19136. key:
  19137. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19138. maxLength: 253
  19139. minLength: 1
  19140. pattern: ^[-._a-zA-Z0-9]+$
  19141. type: string
  19142. name:
  19143. description: The name of the object located at the provider type.
  19144. maxLength: 253
  19145. minLength: 1
  19146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19147. type: string
  19148. namespace:
  19149. description: |-
  19150. The namespace the Provider type is in.
  19151. Can only be defined when used in a ClusterSecretStore.
  19152. maxLength: 63
  19153. minLength: 1
  19154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19155. type: string
  19156. type:
  19157. description: The type of provider to use such as "Secret", or "ConfigMap".
  19158. enum:
  19159. - Secret
  19160. - ConfigMap
  19161. type: string
  19162. required:
  19163. - name
  19164. - type
  19165. type: object
  19166. domain:
  19167. description: Domain is the secret server domain.
  19168. type: string
  19169. password:
  19170. description: Password is the secret server account password.
  19171. properties:
  19172. secretRef:
  19173. description: SecretRef references a key in a secret that will be used as value.
  19174. properties:
  19175. key:
  19176. description: |-
  19177. A key in the referenced Secret.
  19178. Some instances of this field may be defaulted, in others it may be required.
  19179. maxLength: 253
  19180. minLength: 1
  19181. pattern: ^[-._a-zA-Z0-9]+$
  19182. type: string
  19183. name:
  19184. description: The name of the Secret resource being referred to.
  19185. maxLength: 253
  19186. minLength: 1
  19187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19188. type: string
  19189. namespace:
  19190. description: |-
  19191. The namespace of the Secret resource being referred to.
  19192. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19193. maxLength: 63
  19194. minLength: 1
  19195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19196. type: string
  19197. type: object
  19198. value:
  19199. description: Value can be specified directly to set a value without using a secret. For a password this stores the credential in plaintext in the store resource; prefer secretRef.
  19200. type: string
  19201. type: object
  19202. serverURL:
  19203. description: |-
  19204. ServerURL is the URL of your Secret Server installation.
  19205. Use an https URL so the username and password are sent over TLS; caBundle or caProvider can supply the CA used to validate it.
  19206. type: string
  19207. username:
  19208. description: Username is the secret server account username.
  19209. properties:
  19210. secretRef:
  19211. description: SecretRef references a key in a secret that will be used as value.
  19212. properties:
  19213. key:
  19214. description: |-
  19215. A key in the referenced Secret.
  19216. Some instances of this field may be defaulted, in others it may be required.
  19217. maxLength: 253
  19218. minLength: 1
  19219. pattern: ^[-._a-zA-Z0-9]+$
  19220. type: string
  19221. name:
  19222. description: The name of the Secret resource being referred to.
  19223. maxLength: 253
  19224. minLength: 1
  19225. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19226. type: string
  19227. namespace:
  19228. description: |-
  19229. The namespace of the Secret resource being referred to.
  19230. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19231. maxLength: 63
  19232. minLength: 1
  19233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19234. type: string
  19235. type: object
  19236. value:
  19237. description: Value can be specified directly to set a value without using a secret.
  19238. type: string
  19239. type: object
  19240. required:
  19241. - password
  19242. - serverURL
  19243. - username
  19244. type: object
  19245. senhasegura:
  19246. description: Senhasegura configures this store to sync secrets using senhasegura provider
  19247. properties:
  19248. auth:
  19249. description: Auth defines parameters to authenticate in senhasegura
  19250. properties:
  19251. clientId:
  19252. type: string
  19253. clientSecretSecretRef:
  19254. description: |-
  19255. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19256. In some instances, `key` is a required field.
  19257. properties:
  19258. key:
  19259. description: |-
  19260. A key in the referenced Secret.
  19261. Some instances of this field may be defaulted, in others it may be required.
  19262. maxLength: 253
  19263. minLength: 1
  19264. pattern: ^[-._a-zA-Z0-9]+$
  19265. type: string
  19266. name:
  19267. description: The name of the Secret resource being referred to.
  19268. maxLength: 253
  19269. minLength: 1
  19270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19271. type: string
  19272. namespace:
  19273. description: |-
  19274. The namespace of the Secret resource being referred to.
  19275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19276. maxLength: 63
  19277. minLength: 1
  19278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19279. type: string
  19280. type: object
  19281. required:
  19282. - clientId
  19283. - clientSecretSecretRef
  19284. type: object
  19285. ignoreSslCertificate:
  19286. default: false
  19287. description: IgnoreSslCertificate, when true, disables TLS server certificate verification for the senhasegura URL. An on-path attacker could then impersonate the server and capture the client credentials and the returned secrets, so leave it false outside of testing.
  19288. type: boolean
  19289. module:
  19290. description: Module defines which senhasegura module should be used to get secrets
  19291. type: string
  19292. url:
  19293. description: URL of senhasegura
  19294. type: string
  19295. required:
  19296. - auth
  19297. - module
  19298. - url
  19299. type: object
  19300. vault:
  19301. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  19302. properties:
  19303. auth:
  19304. description: Auth configures how secret-manager authenticates with the Vault server.
  19305. properties:
  19306. appRole:
  19307. description: |-
  19308. AppRole authenticates with Vault using the App Role auth mechanism,
  19309. with the role and secret stored in a Kubernetes Secret resource.
  19310. properties:
  19311. path:
  19312. default: approle
  19313. description: |-
  19314. Path where the App Role authentication backend is mounted
  19315. in Vault, e.g: "approle"
  19316. type: string
  19317. roleId:
  19318. description: |-
  19319. RoleID configured in the App Role authentication backend when setting
  19320. up the authentication backend in Vault. It is stored in plaintext in the store resource; use roleRef to source it from a Secret instead. Note that this schema only requires secretRef, so the presence of either roleId or roleRef is not enforced here.
  19321. type: string
  19322. roleRef:
  19323. description: |-
  19324. Reference to a key in a Secret that contains the App Role ID used
  19325. to authenticate with Vault.
  19326. The `key` field must be specified and denotes which entry within the Secret
  19327. resource is used as the app role id.
  19328. properties:
  19329. key:
  19330. description: |-
  19331. A key in the referenced Secret.
  19332. Some instances of this field may be defaulted, in others it may be required.
  19333. maxLength: 253
  19334. minLength: 1
  19335. pattern: ^[-._a-zA-Z0-9]+$
  19336. type: string
  19337. name:
  19338. description: The name of the Secret resource being referred to.
  19339. maxLength: 253
  19340. minLength: 1
  19341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19342. type: string
  19343. namespace:
  19344. description: |-
  19345. The namespace of the Secret resource being referred to.
  19346. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19347. maxLength: 63
  19348. minLength: 1
  19349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19350. type: string
  19351. type: object
  19352. secretRef:
  19353. description: |-
  19354. Reference to a key in a Secret that contains the App Role secret used
  19355. to authenticate with Vault.
  19356. The `key` field must be specified and denotes which entry within the Secret
  19357. resource is used as the app role secret.
  19358. properties:
  19359. key:
  19360. description: |-
  19361. A key in the referenced Secret.
  19362. Some instances of this field may be defaulted, in others it may be required.
  19363. maxLength: 253
  19364. minLength: 1
  19365. pattern: ^[-._a-zA-Z0-9]+$
  19366. type: string
  19367. name:
  19368. description: The name of the Secret resource being referred to.
  19369. maxLength: 253
  19370. minLength: 1
  19371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19372. type: string
  19373. namespace:
  19374. description: |-
  19375. The namespace of the Secret resource being referred to.
  19376. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19377. maxLength: 63
  19378. minLength: 1
  19379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19380. type: string
  19381. type: object
  19382. required:
  19383. - path
  19384. - secretRef
  19385. type: object
  19386. cert:
  19387. description: |-
  19388. Cert authenticates with Vault using the TLS certificate auth method, presenting the client certificate (clientCert),
  19389. its private key (secretRef) and, where configured, a CA certificate, against the backend mounted at path.
  19390. properties:
  19391. clientCert:
  19392. description: |-
  19393. ClientCert is a certificate to authenticate using the Cert Vault
  19394. authentication method
  19395. properties:
  19396. key:
  19397. description: |-
  19398. A key in the referenced Secret.
  19399. Some instances of this field may be defaulted, in others it may be required.
  19400. maxLength: 253
  19401. minLength: 1
  19402. pattern: ^[-._a-zA-Z0-9]+$
  19403. type: string
  19404. name:
  19405. description: The name of the Secret resource being referred to.
  19406. maxLength: 253
  19407. minLength: 1
  19408. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19409. type: string
  19410. namespace:
  19411. description: |-
  19412. The namespace of the Secret resource being referred to.
  19413. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19414. maxLength: 63
  19415. minLength: 1
  19416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19417. type: string
  19418. type: object
  19419. path:
  19420. default: cert
  19421. description: |-
  19422. Path where the Certificate authentication backend is mounted
  19423. in Vault, e.g: "cert"
  19424. type: string
  19425. secretRef:
  19426. description: |-
  19427. SecretRef to a key in a Secret resource containing client private key to
  19428. authenticate with Vault using the Cert authentication method
  19429. properties:
  19430. key:
  19431. description: |-
  19432. A key in the referenced Secret.
  19433. Some instances of this field may be defaulted, in others it may be required.
  19434. maxLength: 253
  19435. minLength: 1
  19436. pattern: ^[-._a-zA-Z0-9]+$
  19437. type: string
  19438. name:
  19439. description: The name of the Secret resource being referred to.
  19440. maxLength: 253
  19441. minLength: 1
  19442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19443. type: string
  19444. namespace:
  19445. description: |-
  19446. The namespace of the Secret resource being referred to.
  19447. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19448. maxLength: 63
  19449. minLength: 1
  19450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19451. type: string
  19452. type: object
  19453. vaultRole:
  19454. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  19455. type: string
  19456. type: object
  19457. gcp:
  19458. description: |-
  19459. Gcp authenticates with Vault using the Google Cloud Platform (GCP) authentication method,
  19460. with credentials taken from secretRef, a Kubernetes ServiceAccount (serviceAccountRef) or Workload Identity.
  19461. properties:
  19462. location:
  19463. description: Location optionally defines a location/region for the secret
  19464. type: string
  19465. path:
  19466. default: gcp
  19467. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  19468. type: string
  19469. projectID:
  19470. description: Project ID of the Google Cloud Platform project
  19471. type: string
  19472. role:
  19473. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  19474. type: string
  19475. secretRef:
  19476. description: Specify credentials in a Secret object
  19477. properties:
  19478. secretAccessKeySecretRef:
  19479. description: The SecretAccessKey is used for authentication
  19480. properties:
  19481. key:
  19482. description: |-
  19483. A key in the referenced Secret.
  19484. Some instances of this field may be defaulted, in others it may be required.
  19485. maxLength: 253
  19486. minLength: 1
  19487. pattern: ^[-._a-zA-Z0-9]+$
  19488. type: string
  19489. name:
  19490. description: The name of the Secret resource being referred to.
  19491. maxLength: 253
  19492. minLength: 1
  19493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19494. type: string
  19495. namespace:
  19496. description: |-
  19497. The namespace of the Secret resource being referred to.
  19498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19499. maxLength: 63
  19500. minLength: 1
  19501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19502. type: string
  19503. type: object
  19504. type: object
  19505. serviceAccountRef:
  19506. description: ServiceAccountRef to a service account for impersonation
  19507. properties:
  19508. audiences:
  19509. description: |-
  19510. Audience specifies the `aud` claim for the service account token
  19511. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19512. then these audiences will be appended to the list
  19513. items:
  19514. type: string
  19515. type: array
  19516. name:
  19517. description: The name of the ServiceAccount resource being referred to.
  19518. maxLength: 253
  19519. minLength: 1
  19520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19521. type: string
  19522. namespace:
  19523. description: |-
  19524. Namespace of the resource being referred to.
  19525. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19526. maxLength: 63
  19527. minLength: 1
  19528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19529. type: string
  19530. required:
  19531. - name
  19532. type: object
  19533. workloadIdentity:
  19534. description: Specify a service account with Workload Identity
  19535. properties:
  19536. clusterLocation:
  19537. description: |-
  19538. ClusterLocation is the location of the cluster
  19539. If not specified, it fetches information from the metadata server
  19540. type: string
  19541. clusterName:
  19542. description: |-
  19543. ClusterName is the name of the cluster
  19544. If not specified, it fetches information from the metadata server
  19545. type: string
  19546. clusterProjectID:
  19547. description: |-
  19548. ClusterProjectID is the project ID of the cluster
  19549. If not specified, it fetches information from the metadata server
  19550. type: string
  19551. serviceAccountRef:
  19552. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19553. properties:
  19554. audiences:
  19555. description: |-
  19556. Audience specifies the `aud` claim for the service account token
  19557. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19558. then these audiences will be appended to the list
  19559. items:
  19560. type: string
  19561. type: array
  19562. name:
  19563. description: The name of the ServiceAccount resource being referred to.
  19564. maxLength: 253
  19565. minLength: 1
  19566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19567. type: string
  19568. namespace:
  19569. description: |-
  19570. Namespace of the resource being referred to.
  19571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19572. maxLength: 63
  19573. minLength: 1
  19574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19575. type: string
  19576. required:
  19577. - name
  19578. type: object
  19579. required:
  19580. - serviceAccountRef
  19581. type: object
  19582. required:
  19583. - role
  19584. type: object
  19585. iam:
  19586. description: |-
19587. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials,
19588. using the AWS IAM authentication method
  19589. properties:
  19590. externalID:
  19591. description: AWS External ID set on assumed IAM roles
  19592. type: string
  19593. jwt:
  19594. description: Specify a service account with IRSA enabled
  19595. properties:
  19596. serviceAccountRef:
  19597. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  19598. properties:
  19599. audiences:
  19600. description: |-
  19601. Audience specifies the `aud` claim for the service account token
  19602. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
19603. then these audiences will be appended to the list
  19604. items:
  19605. type: string
  19606. type: array
  19607. name:
  19608. description: The name of the ServiceAccount resource being referred to.
  19609. maxLength: 253
  19610. minLength: 1
  19611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19612. type: string
  19613. namespace:
  19614. description: |-
  19615. Namespace of the resource being referred to.
  19616. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19617. maxLength: 63
  19618. minLength: 1
  19619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19620. type: string
  19621. required:
  19622. - name
  19623. type: object
  19624. type: object
  19625. path:
  19626. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  19627. type: string
  19628. region:
  19629. description: AWS region
  19630. type: string
  19631. role:
  19632. description: This is the AWS role to be assumed before talking to vault
  19633. type: string
  19634. secretRef:
  19635. description: Specify credentials in a Secret object
  19636. properties:
  19637. accessKeyIDSecretRef:
  19638. description: The AccessKeyID is used for authentication
  19639. properties:
  19640. key:
  19641. description: |-
  19642. A key in the referenced Secret.
  19643. Some instances of this field may be defaulted, in others it may be required.
  19644. maxLength: 253
  19645. minLength: 1
  19646. pattern: ^[-._a-zA-Z0-9]+$
  19647. type: string
  19648. name:
  19649. description: The name of the Secret resource being referred to.
  19650. maxLength: 253
  19651. minLength: 1
  19652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19653. type: string
  19654. namespace:
  19655. description: |-
  19656. The namespace of the Secret resource being referred to.
  19657. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19658. maxLength: 63
  19659. minLength: 1
  19660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19661. type: string
  19662. type: object
  19663. secretAccessKeySecretRef:
  19664. description: The SecretAccessKey is used for authentication
  19665. properties:
  19666. key:
  19667. description: |-
  19668. A key in the referenced Secret.
  19669. Some instances of this field may be defaulted, in others it may be required.
  19670. maxLength: 253
  19671. minLength: 1
  19672. pattern: ^[-._a-zA-Z0-9]+$
  19673. type: string
  19674. name:
  19675. description: The name of the Secret resource being referred to.
  19676. maxLength: 253
  19677. minLength: 1
  19678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19679. type: string
  19680. namespace:
  19681. description: |-
  19682. The namespace of the Secret resource being referred to.
  19683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19684. maxLength: 63
  19685. minLength: 1
  19686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19687. type: string
  19688. type: object
  19689. sessionTokenSecretRef:
  19690. description: |-
  19691. The SessionToken used for authentication
  19692. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  19693. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  19694. properties:
  19695. key:
  19696. description: |-
  19697. A key in the referenced Secret.
  19698. Some instances of this field may be defaulted, in others it may be required.
  19699. maxLength: 253
  19700. minLength: 1
  19701. pattern: ^[-._a-zA-Z0-9]+$
  19702. type: string
  19703. name:
  19704. description: The name of the Secret resource being referred to.
  19705. maxLength: 253
  19706. minLength: 1
  19707. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19708. type: string
  19709. namespace:
  19710. description: |-
  19711. The namespace of the Secret resource being referred to.
  19712. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19713. maxLength: 63
  19714. minLength: 1
  19715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19716. type: string
  19717. type: object
  19718. type: object
  19719. vaultAwsIamServerID:
  19720. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  19721. type: string
  19722. vaultRole:
19723. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  19724. type: string
  19725. required:
  19726. - vaultRole
  19727. type: object
  19728. jwt:
  19729. description: |-
  19730. Jwt authenticates with Vault by passing role and JWT token using the
  19731. JWT/OIDC authentication method
  19732. properties:
  19733. kubernetesServiceAccountToken:
  19734. description: |-
19735. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
19736. a token with the `TokenRequest` API.
  19737. properties:
  19738. audiences:
  19739. description: |-
  19740. Optional audiences field that will be used to request a temporary Kubernetes service
  19741. account token for the service account referenced by `serviceAccountRef`.
19742. Defaults to a single audience `vault` if not specified.
  19743. Deprecated: use serviceAccountRef.Audiences instead
  19744. items:
  19745. type: string
  19746. type: array
  19747. expirationSeconds:
  19748. description: |-
  19749. Optional expiration time in seconds that will be used to request a temporary
  19750. Kubernetes service account token for the service account referenced by
  19751. `serviceAccountRef`.
  19752. Deprecated: this will be removed in the future.
  19753. Defaults to 10 minutes.
  19754. format: int64
  19755. type: integer
  19756. serviceAccountRef:
  19757. description: Service account field containing the name of a kubernetes ServiceAccount.
  19758. properties:
  19759. audiences:
  19760. description: |-
  19761. Audience specifies the `aud` claim for the service account token
  19762. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
19763. then these audiences will be appended to the list
  19764. items:
  19765. type: string
  19766. type: array
  19767. name:
  19768. description: The name of the ServiceAccount resource being referred to.
  19769. maxLength: 253
  19770. minLength: 1
  19771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19772. type: string
  19773. namespace:
  19774. description: |-
  19775. Namespace of the resource being referred to.
  19776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19777. maxLength: 63
  19778. minLength: 1
  19779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19780. type: string
  19781. required:
  19782. - name
  19783. type: object
  19784. required:
  19785. - serviceAccountRef
  19786. type: object
  19787. path:
  19788. default: jwt
  19789. description: |-
  19790. Path where the JWT authentication backend is mounted
  19791. in Vault, e.g: "jwt"
  19792. type: string
  19793. role:
  19794. description: |-
  19795. Role is a JWT role to authenticate using the JWT/OIDC Vault
  19796. authentication method
  19797. type: string
  19798. secretRef:
  19799. description: |-
  19800. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  19801. authenticate with Vault using the JWT/OIDC authentication method.
  19802. properties:
  19803. key:
  19804. description: |-
  19805. A key in the referenced Secret.
  19806. Some instances of this field may be defaulted, in others it may be required.
  19807. maxLength: 253
  19808. minLength: 1
  19809. pattern: ^[-._a-zA-Z0-9]+$
  19810. type: string
  19811. name:
  19812. description: The name of the Secret resource being referred to.
  19813. maxLength: 253
  19814. minLength: 1
  19815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19816. type: string
  19817. namespace:
  19818. description: |-
  19819. The namespace of the Secret resource being referred to.
  19820. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19821. maxLength: 63
  19822. minLength: 1
  19823. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19824. type: string
  19825. type: object
  19826. required:
  19827. - path
  19828. type: object
  19829. kubernetes:
  19830. description: |-
  19831. Kubernetes authenticates with Vault by passing the ServiceAccount
  19832. token stored in the named Secret resource to the Vault server.
  19833. properties:
  19834. mountPath:
  19835. default: kubernetes
  19836. description: |-
  19837. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  19838. "kubernetes"
  19839. type: string
  19840. role:
  19841. description: |-
  19842. A required field containing the Vault Role to assume. A Role binds a
  19843. Kubernetes ServiceAccount with a set of Vault policies.
  19844. type: string
  19845. secretRef:
  19846. description: |-
  19847. Optional secret field containing a Kubernetes ServiceAccount JWT used
  19848. for authenticating with Vault. If a name is specified without a key,
  19849. `token` is the default. If one is not specified, the one bound to
  19850. the controller will be used.
  19851. properties:
  19852. key:
  19853. description: |-
  19854. A key in the referenced Secret.
  19855. Some instances of this field may be defaulted, in others it may be required.
  19856. maxLength: 253
  19857. minLength: 1
  19858. pattern: ^[-._a-zA-Z0-9]+$
  19859. type: string
  19860. name:
  19861. description: The name of the Secret resource being referred to.
  19862. maxLength: 253
  19863. minLength: 1
  19864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19865. type: string
  19866. namespace:
  19867. description: |-
  19868. The namespace of the Secret resource being referred to.
  19869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19870. maxLength: 63
  19871. minLength: 1
  19872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19873. type: string
  19874. type: object
  19875. serviceAccountRef:
  19876. description: |-
  19877. Optional service account field containing the name of a kubernetes ServiceAccount.
  19878. If the service account is specified, the service account secret token JWT will be used
  19879. for authenticating with Vault. If the service account selector is not supplied,
  19880. the secretRef will be used instead.
  19881. properties:
  19882. audiences:
  19883. description: |-
  19884. Audience specifies the `aud` claim for the service account token
  19885. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
19886. then these audiences will be appended to the list
  19887. items:
  19888. type: string
  19889. type: array
  19890. name:
  19891. description: The name of the ServiceAccount resource being referred to.
  19892. maxLength: 253
  19893. minLength: 1
  19894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19895. type: string
  19896. namespace:
  19897. description: |-
  19898. Namespace of the resource being referred to.
  19899. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19900. maxLength: 63
  19901. minLength: 1
  19902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19903. type: string
  19904. required:
  19905. - name
  19906. type: object
  19907. required:
  19908. - mountPath
  19909. - role
  19910. type: object
  19911. ldap:
  19912. description: |-
  19913. Ldap authenticates with Vault by passing username/password pair using
  19914. the LDAP authentication method
  19915. properties:
  19916. path:
  19917. default: ldap
  19918. description: |-
  19919. Path where the LDAP authentication backend is mounted
  19920. in Vault, e.g: "ldap"
  19921. type: string
  19922. secretRef:
  19923. description: |-
  19924. SecretRef to a key in a Secret resource containing password for the LDAP
  19925. user used to authenticate with Vault using the LDAP authentication
  19926. method
  19927. properties:
  19928. key:
  19929. description: |-
  19930. A key in the referenced Secret.
  19931. Some instances of this field may be defaulted, in others it may be required.
  19932. maxLength: 253
  19933. minLength: 1
  19934. pattern: ^[-._a-zA-Z0-9]+$
  19935. type: string
  19936. name:
  19937. description: The name of the Secret resource being referred to.
  19938. maxLength: 253
  19939. minLength: 1
  19940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19941. type: string
  19942. namespace:
  19943. description: |-
  19944. The namespace of the Secret resource being referred to.
  19945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19946. maxLength: 63
  19947. minLength: 1
  19948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19949. type: string
  19950. type: object
  19951. username:
  19952. description: |-
  19953. Username is an LDAP username used to authenticate using the LDAP Vault
  19954. authentication method
  19955. type: string
  19956. required:
  19957. - path
  19958. - username
  19959. type: object
  19960. namespace:
  19961. description: |-
19962. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  19963. Namespaces is a set of features within Vault Enterprise that allows
  19964. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  19965. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  19966. This will default to Vault.Namespace field if set, or empty otherwise
  19967. type: string
  19968. tokenSecretRef:
  19969. description: TokenSecretRef authenticates with Vault by presenting a token.
  19970. properties:
  19971. key:
  19972. description: |-
  19973. A key in the referenced Secret.
  19974. Some instances of this field may be defaulted, in others it may be required.
  19975. maxLength: 253
  19976. minLength: 1
  19977. pattern: ^[-._a-zA-Z0-9]+$
  19978. type: string
  19979. name:
  19980. description: The name of the Secret resource being referred to.
  19981. maxLength: 253
  19982. minLength: 1
  19983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19984. type: string
  19985. namespace:
  19986. description: |-
  19987. The namespace of the Secret resource being referred to.
  19988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19989. maxLength: 63
  19990. minLength: 1
  19991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19992. type: string
  19993. type: object
  19994. userPass:
19995. description: UserPass authenticates with Vault by passing a username/password pair
  19996. properties:
  19997. path:
  19998. default: userpass
  19999. description: |-
  20000. Path where the UserPassword authentication backend is mounted
  20001. in Vault, e.g: "userpass"
  20002. type: string
  20003. secretRef:
  20004. description: |-
  20005. SecretRef to a key in a Secret resource containing password for the
  20006. user used to authenticate with Vault using the UserPass authentication
  20007. method
  20008. properties:
  20009. key:
  20010. description: |-
  20011. A key in the referenced Secret.
  20012. Some instances of this field may be defaulted, in others it may be required.
  20013. maxLength: 253
  20014. minLength: 1
  20015. pattern: ^[-._a-zA-Z0-9]+$
  20016. type: string
  20017. name:
  20018. description: The name of the Secret resource being referred to.
  20019. maxLength: 253
  20020. minLength: 1
  20021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20022. type: string
  20023. namespace:
  20024. description: |-
  20025. The namespace of the Secret resource being referred to.
  20026. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20027. maxLength: 63
  20028. minLength: 1
  20029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20030. type: string
  20031. type: object
  20032. username:
  20033. description: |-
  20034. Username is a username used to authenticate using the UserPass Vault
  20035. authentication method
  20036. type: string
  20037. required:
  20038. - path
  20039. - username
  20040. type: object
  20041. type: object
  20042. caBundle:
  20043. description: |-
  20044. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20045. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20046. plain HTTP protocol connection. If not set the system root certificates
  20047. are used to validate the TLS connection.
  20048. format: byte
  20049. type: string
  20050. caProvider:
  20051. description: The provider for the CA bundle to use to validate Vault server certificate.
  20052. properties:
  20053. key:
  20054. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20055. maxLength: 253
  20056. minLength: 1
  20057. pattern: ^[-._a-zA-Z0-9]+$
  20058. type: string
  20059. name:
  20060. description: The name of the object located at the provider type.
  20061. maxLength: 253
  20062. minLength: 1
  20063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20064. type: string
  20065. namespace:
  20066. description: |-
  20067. The namespace the Provider type is in.
  20068. Can only be defined when used in a ClusterSecretStore.
  20069. maxLength: 63
  20070. minLength: 1
  20071. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20072. type: string
  20073. type:
  20074. description: The type of provider to use such as "Secret", or "ConfigMap".
  20075. enum:
  20076. - Secret
  20077. - ConfigMap
  20078. type: string
  20079. required:
  20080. - name
  20081. - type
  20082. type: object
  20083. checkAndSet:
  20084. description: |-
  20085. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20086. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20087. the current version of the secret to prevent unintentional overwrites.
  20088. properties:
  20089. required:
  20090. description: |-
  20091. Required when true, all write operations must include a check-and-set parameter.
  20092. This helps prevent unintentional overwrites of secrets.
  20093. type: boolean
  20094. type: object
  20095. forwardInconsistent:
  20096. description: |-
  20097. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20098. leader instead of simply retrying within a loop. This can increase performance if
  20099. the option is enabled serverside.
  20100. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20101. type: boolean
  20102. headers:
  20103. additionalProperties:
  20104. type: string
  20105. description: Headers to be added in Vault request
  20106. type: object
  20107. namespace:
  20108. description: |-
  20109. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20110. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20111. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20112. type: string
  20113. path:
  20114. description: |-
  20115. Path is the mount path of the Vault KV backend endpoint, e.g:
  20116. "secret". The v2 KV secret engine version specific "/data" path suffix
  20117. for fetching secrets from Vault is optional and will be appended
  20118. if not present in specified path.
  20119. type: string
  20120. readYourWrites:
  20121. description: |-
  20122. ReadYourWrites ensures isolated read-after-write semantics by
  20123. providing discovered cluster replication states in each request.
  20124. More information about eventual consistency in Vault can be found here
  20125. https://www.vaultproject.io/docs/enterprise/consistency
  20126. type: boolean
  20127. server:
  20128. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20129. type: string
  20130. tls:
  20131. description: |-
  20132. The configuration used for client side related TLS communication, when the Vault server
  20133. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  20134. This parameter is ignored for plain HTTP protocol connection.
  20135. It's worth noting this configuration is different from the "TLS certificates auth method",
  20136. which is available under the `auth.cert` section.
  20137. properties:
  20138. certSecretRef:
  20139. description: |-
  20140. CertSecretRef is a certificate added to the transport layer
  20141. when communicating with the Vault server.
  20142. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  20143. properties:
  20144. key:
  20145. description: |-
  20146. A key in the referenced Secret.
  20147. Some instances of this field may be defaulted, in others it may be required.
  20148. maxLength: 253
  20149. minLength: 1
  20150. pattern: ^[-._a-zA-Z0-9]+$
  20151. type: string
  20152. name:
  20153. description: The name of the Secret resource being referred to.
  20154. maxLength: 253
  20155. minLength: 1
  20156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20157. type: string
  20158. namespace:
  20159. description: |-
  20160. The namespace of the Secret resource being referred to.
  20161. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20162. maxLength: 63
  20163. minLength: 1
  20164. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20165. type: string
  20166. type: object
  20167. keySecretRef:
  20168. description: |-
  20169. KeySecretRef to a key in a Secret resource containing client private key
  20170. added to the transport layer when communicating with the Vault server.
  20171. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  20172. properties:
  20173. key:
  20174. description: |-
  20175. A key in the referenced Secret.
  20176. Some instances of this field may be defaulted, in others it may be required.
  20177. maxLength: 253
  20178. minLength: 1
  20179. pattern: ^[-._a-zA-Z0-9]+$
  20180. type: string
  20181. name:
  20182. description: The name of the Secret resource being referred to.
  20183. maxLength: 253
  20184. minLength: 1
  20185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20186. type: string
  20187. namespace:
  20188. description: |-
  20189. The namespace of the Secret resource being referred to.
  20190. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20191. maxLength: 63
  20192. minLength: 1
  20193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20194. type: string
  20195. type: object
  20196. type: object
  20197. version:
  20198. default: v2
  20199. description: |-
  20200. Version is the Vault KV secret engine version. This can be either "v1" or
  20201. "v2". Version defaults to "v2".
  20202. enum:
  20203. - v1
  20204. - v2
  20205. type: string
  20206. required:
  20207. - server
  20208. type: object
  20209. volcengine:
  20210. description: Volcengine configures this store to sync secrets using the Volcengine provider
  20211. properties:
  20212. auth:
  20213. description: |-
  20214. Auth defines the authentication method to use.
  20215. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  20216. properties:
  20217. secretRef:
  20218. description: |-
  20219. SecretRef defines the static credentials to use for authentication.
  20220. If not set, IRSA is used.
  20221. properties:
  20222. accessKeyID:
  20223. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  20224. properties:
  20225. key:
  20226. description: |-
  20227. A key in the referenced Secret.
  20228. Some instances of this field may be defaulted, in others it may be required.
  20229. maxLength: 253
  20230. minLength: 1
  20231. pattern: ^[-._a-zA-Z0-9]+$
  20232. type: string
  20233. name:
  20234. description: The name of the Secret resource being referred to.
  20235. maxLength: 253
  20236. minLength: 1
  20237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20238. type: string
  20239. namespace:
  20240. description: |-
  20241. The namespace of the Secret resource being referred to.
  20242. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20243. maxLength: 63
  20244. minLength: 1
  20245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20246. type: string
  20247. type: object
  20248. secretAccessKey:
  20249. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  20250. properties:
  20251. key:
  20252. description: |-
  20253. A key in the referenced Secret.
  20254. Some instances of this field may be defaulted, in others it may be required.
  20255. maxLength: 253
  20256. minLength: 1
  20257. pattern: ^[-._a-zA-Z0-9]+$
  20258. type: string
  20259. name:
  20260. description: The name of the Secret resource being referred to.
  20261. maxLength: 253
  20262. minLength: 1
  20263. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20264. type: string
  20265. namespace:
  20266. description: |-
  20267. The namespace of the Secret resource being referred to.
  20268. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20269. maxLength: 63
  20270. minLength: 1
  20271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20272. type: string
  20273. type: object
  20274. token:
  20275. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  20276. properties:
  20277. key:
  20278. description: |-
  20279. A key in the referenced Secret.
  20280. Some instances of this field may be defaulted, in others it may be required.
  20281. maxLength: 253
  20282. minLength: 1
  20283. pattern: ^[-._a-zA-Z0-9]+$
  20284. type: string
  20285. name:
  20286. description: The name of the Secret resource being referred to.
  20287. maxLength: 253
  20288. minLength: 1
  20289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20290. type: string
  20291. namespace:
  20292. description: |-
  20293. The namespace of the Secret resource being referred to.
  20294. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20295. maxLength: 63
  20296. minLength: 1
  20297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20298. type: string
  20299. type: object
  20300. required:
  20301. - accessKeyID
  20302. - secretAccessKey
  20303. type: object
  20304. type: object
  20305. region:
  20306. description: Region specifies the Volcengine region to connect to.
  20307. type: string
  20308. required:
  20309. - region
  20310. type: object
  20311. webhook:
  20312. description: Webhook configures this store to sync secrets using a generic templated webhook
  20313. properties:
  20314. auth:
20315. description: Auth specifies an authorization protocol. Only one protocol may be set.
  20316. maxProperties: 1
  20317. minProperties: 1
  20318. properties:
  20319. ntlm:
  20320. description: NTLMProtocol configures the store to use NTLM for auth
  20321. properties:
  20322. passwordSecret:
  20323. description: |-
  20324. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20325. In some instances, `key` is a required field.
  20326. properties:
  20327. key:
  20328. description: |-
  20329. A key in the referenced Secret.
  20330. Some instances of this field may be defaulted, in others it may be required.
  20331. maxLength: 253
  20332. minLength: 1
  20333. pattern: ^[-._a-zA-Z0-9]+$
  20334. type: string
  20335. name:
  20336. description: The name of the Secret resource being referred to.
  20337. maxLength: 253
  20338. minLength: 1
  20339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20340. type: string
  20341. namespace:
  20342. description: |-
  20343. The namespace of the Secret resource being referred to.
  20344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20345. maxLength: 63
  20346. minLength: 1
  20347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20348. type: string
  20349. type: object
  20350. usernameSecret:
  20351. description: |-
  20352. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20353. In some instances, `key` is a required field.
  20354. properties:
  20355. key:
  20356. description: |-
  20357. A key in the referenced Secret.
  20358. Some instances of this field may be defaulted, in others it may be required.
  20359. maxLength: 253
  20360. minLength: 1
  20361. pattern: ^[-._a-zA-Z0-9]+$
  20362. type: string
  20363. name:
  20364. description: The name of the Secret resource being referred to.
  20365. maxLength: 253
  20366. minLength: 1
  20367. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20368. type: string
  20369. namespace:
  20370. description: |-
  20371. The namespace of the Secret resource being referred to.
  20372. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20373. maxLength: 63
  20374. minLength: 1
  20375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20376. type: string
  20377. type: object
  20378. required:
  20379. - passwordSecret
  20380. - usernameSecret
  20381. type: object
  20382. type: object
  20383. body:
  20384. description: Body
  20385. type: string
  20386. caBundle:
  20387. description: |-
  20388. PEM encoded CA bundle used to validate webhook server certificate. Only used
  20389. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20390. plain HTTP protocol connection. If not set the system root certificates
  20391. are used to validate the TLS connection.
  20392. format: byte
  20393. type: string
  20394. caProvider:
  20395. description: The provider for the CA bundle to use to validate webhook server certificate.
  20396. properties:
  20397. key:
  20398. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20399. maxLength: 253
  20400. minLength: 1
  20401. pattern: ^[-._a-zA-Z0-9]+$
  20402. type: string
  20403. name:
  20404. description: The name of the object located at the provider type.
  20405. maxLength: 253
  20406. minLength: 1
  20407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20408. type: string
  20409. namespace:
  20410. description: The namespace the Provider type is in.
  20411. maxLength: 63
  20412. minLength: 1
  20413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20414. type: string
  20415. type:
  20416. description: The type of provider to use such as "Secret", or "ConfigMap".
  20417. enum:
  20418. - Secret
  20419. - ConfigMap
  20420. type: string
  20421. required:
  20422. - name
  20423. - type
  20424. type: object
  20425. headers:
  20426. additionalProperties:
  20427. type: string
  20428. description: Headers
  20429. type: object
  20430. method:
  20431. description: Webhook Method
  20432. type: string
  20433. result:
  20434. description: Result formatting
  20435. properties:
  20436. jsonPath:
  20437. description: Json path of return value
  20438. type: string
  20439. type: object
  20440. secrets:
  20441. description: |-
  20442. Secrets to fill in templates
  20443. These secrets will be passed to the templating function as key value pairs under the given name
  20444. items:
  20445. description: WebhookSecret defines a secret that will be passed to the webhook request.
  20446. properties:
  20447. name:
  20448. description: Name of this secret in templates
  20449. type: string
  20450. secretRef:
  20451. description: Secret ref to fill in credentials
  20452. properties:
  20453. key:
  20454. description: |-
  20455. A key in the referenced Secret.
  20456. Some instances of this field may be defaulted, in others it may be required.
  20457. maxLength: 253
  20458. minLength: 1
  20459. pattern: ^[-._a-zA-Z0-9]+$
  20460. type: string
  20461. name:
  20462. description: The name of the Secret resource being referred to.
  20463. maxLength: 253
  20464. minLength: 1
  20465. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20466. type: string
  20467. namespace:
  20468. description: |-
  20469. The namespace of the Secret resource being referred to.
  20470. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20471. maxLength: 63
  20472. minLength: 1
  20473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20474. type: string
  20475. type: object
  20476. required:
  20477. - name
  20478. - secretRef
  20479. type: object
  20480. type: array
  20481. timeout:
  20482. description: Timeout
  20483. type: string
  20484. url:
  20485. description: Webhook url to call
  20486. type: string
  20487. required:
  20488. - url
  20489. type: object
  20490. yandexcertificatemanager:
  20491. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  20492. properties:
  20493. apiEndpoint:
  20494. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20495. type: string
  20496. auth:
  20497. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20498. properties:
  20499. authorizedKeySecretRef:
  20500. description: The authorized key used for authentication
  20501. properties:
  20502. key:
  20503. description: |-
  20504. A key in the referenced Secret.
  20505. Some instances of this field may be defaulted, in others it may be required.
  20506. maxLength: 253
  20507. minLength: 1
  20508. pattern: ^[-._a-zA-Z0-9]+$
  20509. type: string
  20510. name:
  20511. description: The name of the Secret resource being referred to.
  20512. maxLength: 253
  20513. minLength: 1
  20514. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20515. type: string
  20516. namespace:
  20517. description: |-
  20518. The namespace of the Secret resource being referred to.
  20519. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20520. maxLength: 63
  20521. minLength: 1
  20522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20523. type: string
  20524. type: object
  20525. type: object
  20526. caProvider:
  20527. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20528. properties:
  20529. certSecretRef:
  20530. description: |-
  20531. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20532. In some instances, `key` is a required field.
  20533. properties:
  20534. key:
  20535. description: |-
  20536. A key in the referenced Secret.
  20537. Some instances of this field may be defaulted, in others it may be required.
  20538. maxLength: 253
  20539. minLength: 1
  20540. pattern: ^[-._a-zA-Z0-9]+$
  20541. type: string
  20542. name:
  20543. description: The name of the Secret resource being referred to.
  20544. maxLength: 253
  20545. minLength: 1
  20546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20547. type: string
  20548. namespace:
  20549. description: |-
  20550. The namespace of the Secret resource being referred to.
  20551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20552. maxLength: 63
  20553. minLength: 1
  20554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20555. type: string
  20556. type: object
  20557. type: object
  20558. fetching:
  20559. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  20560. maxProperties: 1
  20561. minProperties: 1
  20562. properties:
  20563. byID:
  20564. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID.
  20565. type: object
  20566. byName:
  20567. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate name.
  20568. properties:
  20569. folderID:
  20570. description: The folder to fetch secrets from
  20571. type: string
  20572. required:
  20573. - folderID
  20574. type: object
  20575. type: object
  20576. required:
  20577. - auth
  20578. type: object
  20579. yandexlockbox:
  20580. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  20581. properties:
  20582. apiEndpoint:
  20583. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  20584. type: string
  20585. auth:
  20586. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  20587. properties:
  20588. authorizedKeySecretRef:
  20589. description: The authorized key used for authentication
  20590. properties:
  20591. key:
  20592. description: |-
  20593. A key in the referenced Secret.
  20594. Some instances of this field may be defaulted, in others it may be required.
  20595. maxLength: 253
  20596. minLength: 1
  20597. pattern: ^[-._a-zA-Z0-9]+$
  20598. type: string
  20599. name:
  20600. description: The name of the Secret resource being referred to.
  20601. maxLength: 253
  20602. minLength: 1
  20603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20604. type: string
  20605. namespace:
  20606. description: |-
  20607. The namespace of the Secret resource being referred to.
  20608. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20609. maxLength: 63
  20610. minLength: 1
  20611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20612. type: string
  20613. type: object
  20614. type: object
  20615. caProvider:
  20616. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  20617. properties:
  20618. certSecretRef:
  20619. description: |-
  20620. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20621. In some instances, `key` is a required field.
  20622. properties:
  20623. key:
  20624. description: |-
  20625. A key in the referenced Secret.
  20626. Some instances of this field may be defaulted, in others it may be required.
  20627. maxLength: 253
  20628. minLength: 1
  20629. pattern: ^[-._a-zA-Z0-9]+$
  20630. type: string
  20631. name:
  20632. description: The name of the Secret resource being referred to.
  20633. maxLength: 253
  20634. minLength: 1
  20635. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20636. type: string
  20637. namespace:
  20638. description: |-
  20639. The namespace of the Secret resource being referred to.
  20640. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20641. maxLength: 63
  20642. minLength: 1
  20643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20644. type: string
  20645. type: object
  20646. type: object
  20647. fetching:
  20648. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  20649. maxProperties: 1
  20650. minProperties: 1
  20651. properties:
  20652. byID:
  20653. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  20654. type: object
  20655. byName:
  20656. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  20657. properties:
  20658. folderID:
  20659. description: The folder to fetch secrets from
  20660. type: string
  20661. required:
  20662. - folderID
  20663. type: object
  20664. type: object
  20665. required:
  20666. - auth
  20667. type: object
  20668. type: object
  20669. refreshInterval:
  20670. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  20671. type: integer
  20672. retrySettings:
  20673. description: Used to configure HTTP retries on failures.
  20674. properties:
  20675. maxRetries:
  20676. format: int32
  20677. type: integer
  20678. retryInterval:
  20679. type: string
  20680. type: object
  20681. required:
  20682. - provider
  20683. type: object
  20684. status:
  20685. description: SecretStoreStatus defines the observed state of the SecretStore.
  20686. properties:
  20687. capabilities:
  20688. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  20689. type: string
  20690. conditions:
  20691. items:
  20692. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  20693. properties:
  20694. lastTransitionTime:
  20695. format: date-time
  20696. type: string
  20697. message:
  20698. type: string
  20699. reason:
  20700. type: string
  20701. status:
  20702. type: string
  20703. type:
  20704. description: SecretStoreConditionType represents the condition of the SecretStore.
  20705. type: string
  20706. required:
  20707. - status
  20708. - type
  20709. type: object
  20710. type: array
  20711. type: object
  20712. type: object
  20713. served: true
  20714. storage: true
  20715. subresources:
  20716. status: {}
  20717. - additionalPrinterColumns:
  20718. - jsonPath: .metadata.creationTimestamp
  20719. name: AGE
  20720. type: date
  20721. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  20722. name: Status
  20723. type: string
  20724. - jsonPath: .status.capabilities
  20725. name: Capabilities
  20726. type: string
  20727. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  20728. name: Ready
  20729. type: string
  20730. deprecated: true
  20731. name: v1beta1
  20732. schema:
  20733. openAPIV3Schema:
  20734. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  20735. properties:
  20736. apiVersion:
  20737. description: |-
  20738. APIVersion defines the versioned schema of this representation of an object.
  20739. Servers should convert recognized schemas to the latest internal value, and
  20740. may reject unrecognized values.
  20741. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  20742. type: string
  20743. kind:
  20744. description: |-
  20745. Kind is a string value representing the REST resource this object represents.
  20746. Servers may infer this from the endpoint the client submits requests to.
  20747. Cannot be updated.
  20748. In CamelCase.
  20749. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  20750. type: string
  20751. metadata:
  20752. type: object
  20753. spec:
  20754. description: SecretStoreSpec defines the desired state of SecretStore.
  20755. properties:
  20756. conditions:
  20757. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  20758. items:
  20759. description: |-
  20760. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  20761. for a ClusterSecretStore instance.
  20762. properties:
  20763. namespaceRegexes:
  20764. description: Choose namespaces by using regex matching
  20765. items:
  20766. type: string
  20767. type: array
  20768. namespaceSelector:
  20769. description: Choose namespace using a labelSelector
  20770. properties:
  20771. matchExpressions:
  20772. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  20773. items:
  20774. description: |-
  20775. A label selector requirement is a selector that contains values, a key, and an operator that
  20776. relates the key and values.
  20777. properties:
  20778. key:
  20779. description: key is the label key that the selector applies to.
  20780. type: string
  20781. operator:
  20782. description: |-
  20783. operator represents a key's relationship to a set of values.
  20784. Valid operators are In, NotIn, Exists and DoesNotExist.
  20785. type: string
  20786. values:
  20787. description: |-
  20788. values is an array of string values. If the operator is In or NotIn,
  20789. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  20790. the values array must be empty. This array is replaced during a strategic
  20791. merge patch.
  20792. items:
  20793. type: string
  20794. type: array
  20795. x-kubernetes-list-type: atomic
  20796. required:
  20797. - key
  20798. - operator
  20799. type: object
  20800. type: array
  20801. x-kubernetes-list-type: atomic
  20802. matchLabels:
  20803. additionalProperties:
  20804. type: string
  20805. description: |-
  20806. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  20807. map is equivalent to an element of matchExpressions, whose key field is "key", the
  20808. operator is "In", and the values array contains only "value". The requirements are ANDed.
  20809. type: object
  20810. type: object
  20811. x-kubernetes-map-type: atomic
  20812. namespaces:
  20813. description: Choose namespaces by name
  20814. items:
  20815. maxLength: 63
  20816. minLength: 1
  20817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20818. type: string
  20819. type: array
  20820. type: object
  20821. type: array
  20822. controller:
  20823. description: |-
  20824. Used to select the correct ESO controller (think: ingress.ingressClassName)
  20825. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  20826. type: string
  20827. provider:
  20828. description: Used to configure the provider. Only one provider may be set
  20829. maxProperties: 1
  20830. minProperties: 1
  20831. properties:
  20832. akeyless:
  20833. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  20834. properties:
  20835. akeylessGWApiURL:
  20836. description: Akeyless GW API URL from which the secrets are to be fetched.
  20837. type: string
  20838. authSecretRef:
  20839. description: Auth configures how the operator authenticates with Akeyless.
  20840. properties:
  20841. kubernetesAuth:
  20842. description: |-
  20843. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  20844. token stored in the named Secret resource.
  20845. properties:
  20846. accessID:
  20847. description: the Akeyless Kubernetes auth-method access-id
  20848. type: string
  20849. k8sConfName:
  20850. description: Kubernetes-auth configuration name in Akeyless-Gateway
  20851. type: string
  20852. secretRef:
  20853. description: |-
  20854. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20855. for authenticating with Akeyless. If a name is specified without a key,
  20856. `token` is the default. If one is not specified, the one bound to
  20857. the controller will be used.
  20858. properties:
  20859. key:
  20860. description: |-
  20861. A key in the referenced Secret.
  20862. Some instances of this field may be defaulted, in others it may be required.
  20863. maxLength: 253
  20864. minLength: 1
  20865. pattern: ^[-._a-zA-Z0-9]+$
  20866. type: string
  20867. name:
  20868. description: The name of the Secret resource being referred to.
  20869. maxLength: 253
  20870. minLength: 1
  20871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20872. type: string
  20873. namespace:
  20874. description: |-
  20875. The namespace of the Secret resource being referred to.
  20876. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20877. maxLength: 63
  20878. minLength: 1
  20879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20880. type: string
  20881. type: object
  20882. serviceAccountRef:
  20883. description: |-
  20884. Optional service account field containing the name of a kubernetes ServiceAccount.
  20885. If the service account is specified, the service account secret token JWT will be used
  20886. for authenticating with Akeyless. If the service account selector is not supplied,
  20887. the secretRef will be used instead.
  20888. properties:
  20889. audiences:
  20890. description: |-
  20891. Audience specifies the `aud` claim for the service account token
  20892. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20893. then these audiences will be appended to the list
  20894. items:
  20895. type: string
  20896. type: array
  20897. name:
  20898. description: The name of the ServiceAccount resource being referred to.
  20899. maxLength: 253
  20900. minLength: 1
  20901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20902. type: string
  20903. namespace:
  20904. description: |-
  20905. Namespace of the resource being referred to.
  20906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20907. maxLength: 63
  20908. minLength: 1
  20909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20910. type: string
  20911. required:
  20912. - name
  20913. type: object
  20914. required:
  20915. - accessID
  20916. - k8sConfName
  20917. type: object
  20918. secretRef:
  20919. description: |-
  20920. Reference to a Secret that contains the details
  20921. to authenticate with Akeyless.
  20922. properties:
  20923. accessID:
  20924. description: The SecretAccessID is used for authentication
  20925. properties:
  20926. key:
  20927. description: |-
  20928. A key in the referenced Secret.
  20929. Some instances of this field may be defaulted, in others it may be required.
  20930. maxLength: 253
  20931. minLength: 1
  20932. pattern: ^[-._a-zA-Z0-9]+$
  20933. type: string
  20934. name:
  20935. description: The name of the Secret resource being referred to.
  20936. maxLength: 253
  20937. minLength: 1
  20938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20939. type: string
  20940. namespace:
  20941. description: |-
  20942. The namespace of the Secret resource being referred to.
  20943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20944. maxLength: 63
  20945. minLength: 1
  20946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20947. type: string
  20948. type: object
  20949. accessType:
  20950. description: |-
  20951. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20952. In some instances, `key` is a required field.
  20953. properties:
  20954. key:
  20955. description: |-
  20956. A key in the referenced Secret.
  20957. Some instances of this field may be defaulted, in others it may be required.
  20958. maxLength: 253
  20959. minLength: 1
  20960. pattern: ^[-._a-zA-Z0-9]+$
  20961. type: string
  20962. name:
  20963. description: The name of the Secret resource being referred to.
  20964. maxLength: 253
  20965. minLength: 1
  20966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20967. type: string
  20968. namespace:
  20969. description: |-
  20970. The namespace of the Secret resource being referred to.
  20971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20972. maxLength: 63
  20973. minLength: 1
  20974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20975. type: string
  20976. type: object
  20977. accessTypeParam:
  20978. description: |-
  20979. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20980. In some instances, `key` is a required field.
  20981. properties:
  20982. key:
  20983. description: |-
  20984. A key in the referenced Secret.
  20985. Some instances of this field may be defaulted, in others it may be required.
  20986. maxLength: 253
  20987. minLength: 1
  20988. pattern: ^[-._a-zA-Z0-9]+$
  20989. type: string
  20990. name:
  20991. description: The name of the Secret resource being referred to.
  20992. maxLength: 253
  20993. minLength: 1
  20994. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20995. type: string
  20996. namespace:
  20997. description: |-
  20998. The namespace of the Secret resource being referred to.
  20999. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21000. maxLength: 63
  21001. minLength: 1
  21002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21003. type: string
  21004. type: object
  21005. type: object
  21006. type: object
  21007. caBundle:
  21008. description: |-
  21009. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21010. if the AkeylessGWApiURL is using HTTPS protocol. If not set, the system root certificates
  21011. are used to validate the TLS connection.
  21012. format: byte
  21013. type: string
  21014. caProvider:
  21015. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21016. properties:
  21017. key:
  21018. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21019. maxLength: 253
  21020. minLength: 1
  21021. pattern: ^[-._a-zA-Z0-9]+$
  21022. type: string
  21023. name:
  21024. description: The name of the object located at the provider type.
  21025. maxLength: 253
  21026. minLength: 1
  21027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21028. type: string
  21029. namespace:
  21030. description: |-
  21031. The namespace the Provider type is in.
  21032. Can only be defined when used in a ClusterSecretStore.
  21033. maxLength: 63
  21034. minLength: 1
  21035. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21036. type: string
  21037. type:
  21038. description: The type of provider to use such as "Secret", or "ConfigMap".
  21039. enum:
  21040. - Secret
  21041. - ConfigMap
  21042. type: string
  21043. required:
  21044. - name
  21045. - type
  21046. type: object
  21047. required:
  21048. - akeylessGWApiURL
  21049. - authSecretRef
  21050. type: object
  21051. alibaba:
  21052. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21053. properties:
  21054. auth:
  21055. description: AlibabaAuth contains a secretRef for credentials.
  21056. properties:
  21057. rrsa:
  21058. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21059. properties:
  21060. oidcProviderArn:
  21061. type: string
  21062. oidcTokenFilePath:
  21063. type: string
  21064. roleArn:
  21065. type: string
  21066. sessionName:
  21067. type: string
  21068. required:
  21069. - oidcProviderArn
  21070. - oidcTokenFilePath
  21071. - roleArn
  21072. - sessionName
  21073. type: object
  21074. secretRef:
  21075. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21076. properties:
  21077. accessKeyIDSecretRef:
  21078. description: The AccessKeyID is used for authentication
  21079. properties:
  21080. key:
  21081. description: |-
  21082. A key in the referenced Secret.
  21083. Some instances of this field may be defaulted, in others it may be required.
  21084. maxLength: 253
  21085. minLength: 1
  21086. pattern: ^[-._a-zA-Z0-9]+$
  21087. type: string
  21088. name:
  21089. description: The name of the Secret resource being referred to.
  21090. maxLength: 253
  21091. minLength: 1
  21092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21093. type: string
  21094. namespace:
  21095. description: |-
  21096. The namespace of the Secret resource being referred to.
  21097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21098. maxLength: 63
  21099. minLength: 1
  21100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21101. type: string
  21102. type: object
  21103. accessKeySecretSecretRef:
  21104. description: The AccessKeySecret is used for authentication
  21105. properties:
  21106. key:
  21107. description: |-
  21108. A key in the referenced Secret.
  21109. Some instances of this field may be defaulted, in others it may be required.
  21110. maxLength: 253
  21111. minLength: 1
  21112. pattern: ^[-._a-zA-Z0-9]+$
  21113. type: string
  21114. name:
  21115. description: The name of the Secret resource being referred to.
  21116. maxLength: 253
  21117. minLength: 1
  21118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21119. type: string
  21120. namespace:
  21121. description: |-
  21122. The namespace of the Secret resource being referred to.
  21123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21124. maxLength: 63
  21125. minLength: 1
  21126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21127. type: string
  21128. type: object
  21129. required:
  21130. - accessKeyIDSecretRef
  21131. - accessKeySecretSecretRef
  21132. type: object
  21133. type: object
  21134. regionID:
  21135. description: Alibaba Region to be used for the provider
  21136. type: string
  21137. required:
  21138. - auth
  21139. - regionID
  21140. type: object
  21141. aws:
  21142. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  21143. properties:
  21144. additionalRoles:
  21145. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  21146. items:
  21147. type: string
  21148. type: array
  21149. auth:
  21150. description: |-
  21151. Auth defines the information necessary to authenticate against AWS
  21152. If not set, the AWS SDK will infer credentials from your environment;
  21153. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  21154. properties:
  21155. jwt:
  21156. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  21157. properties:
  21158. serviceAccountRef:
  21159. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  21160. properties:
  21161. audiences:
  21162. description: |-
  21163. Audience specifies the `aud` claim for the service account token
  21164. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21165. then these audiences will be appended to the list
  21166. items:
  21167. type: string
  21168. type: array
  21169. name:
  21170. description: The name of the ServiceAccount resource being referred to.
  21171. maxLength: 253
  21172. minLength: 1
  21173. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21174. type: string
  21175. namespace:
  21176. description: |-
  21177. Namespace of the resource being referred to.
  21178. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21179. maxLength: 63
  21180. minLength: 1
  21181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21182. type: string
  21183. required:
  21184. - name
  21185. type: object
  21186. type: object
  21187. secretRef:
  21188. description: |-
  21189. AWSAuthSecretRef holds secret references for AWS credentials
  21190. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  21191. properties:
  21192. accessKeyIDSecretRef:
  21193. description: The AccessKeyID is used for authentication
  21194. properties:
  21195. key:
  21196. description: |-
  21197. A key in the referenced Secret.
  21198. Some instances of this field may be defaulted, in others it may be required.
  21199. maxLength: 253
  21200. minLength: 1
  21201. pattern: ^[-._a-zA-Z0-9]+$
  21202. type: string
  21203. name:
  21204. description: The name of the Secret resource being referred to.
  21205. maxLength: 253
  21206. minLength: 1
  21207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21208. type: string
  21209. namespace:
  21210. description: |-
  21211. The namespace of the Secret resource being referred to.
  21212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21213. maxLength: 63
  21214. minLength: 1
  21215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21216. type: string
  21217. type: object
  21218. secretAccessKeySecretRef:
  21219. description: The SecretAccessKey is used for authentication
  21220. properties:
  21221. key:
  21222. description: |-
  21223. A key in the referenced Secret.
  21224. Some instances of this field may be defaulted, in others it may be required.
  21225. maxLength: 253
  21226. minLength: 1
  21227. pattern: ^[-._a-zA-Z0-9]+$
  21228. type: string
  21229. name:
  21230. description: The name of the Secret resource being referred to.
  21231. maxLength: 253
  21232. minLength: 1
  21233. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21234. type: string
  21235. namespace:
  21236. description: |-
  21237. The namespace of the Secret resource being referred to.
  21238. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21239. maxLength: 63
  21240. minLength: 1
  21241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21242. type: string
  21243. type: object
  21244. sessionTokenSecretRef:
  21245. description: |-
  21246. The SessionToken used for authentication.
  21247. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials;
  21248. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  21249. properties:
  21250. key:
  21251. description: |-
  21252. A key in the referenced Secret.
  21253. Some instances of this field may be defaulted, in others it may be required.
  21254. maxLength: 253
  21255. minLength: 1
  21256. pattern: ^[-._a-zA-Z0-9]+$
  21257. type: string
  21258. name:
  21259. description: The name of the Secret resource being referred to.
  21260. maxLength: 253
  21261. minLength: 1
  21262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21263. type: string
  21264. namespace:
  21265. description: |-
  21266. The namespace of the Secret resource being referred to.
  21267. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21268. maxLength: 63
  21269. minLength: 1
  21270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21271. type: string
  21272. type: object
  21273. type: object
  21274. type: object
  21275. externalID:
  21276. description: AWS External ID set on assumed IAM roles
  21277. type: string
  21278. prefix:
  21279. description: Prefix adds a prefix to all retrieved values.
  21280. type: string
  21281. region:
  21282. description: AWS Region to be used for the provider
  21283. type: string
  21284. role:
  21285. description: Role is a Role ARN which the provider will assume
  21286. type: string
  21287. secretsManager:
  21288. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  21289. properties:
  21290. forceDeleteWithoutRecovery:
  21291. description: |-
  21292. Specifies whether to delete the secret without any recovery window. You
  21293. can't use both this parameter and RecoveryWindowInDays in the same call.
  21294. If you don't use either, then by default Secrets Manager uses a 30 day
  21295. recovery window.
  21296. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  21297. type: boolean
  21298. recoveryWindowInDays:
  21299. description: |-
  21300. The number of days from 7 to 30 that Secrets Manager waits before
  21301. permanently deleting the secret. You can't use both this parameter and
  21302. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  21303. then by default Secrets Manager uses a 30 day recovery window.
  21304. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  21305. format: int64
  21306. type: integer
  21307. type: object
  21308. service:
  21309. description: Service defines which service should be used to fetch the secrets
  21310. enum:
  21311. - SecretsManager
  21312. - ParameterStore
  21313. type: string
  21314. sessionTags:
  21315. description: AWS STS assume role session tags
  21316. items:
  21317. description: Tag defines a tag key and value for AWS resources.
  21318. properties:
  21319. key:
  21320. type: string
  21321. value:
  21322. type: string
  21323. required:
  21324. - key
  21325. - value
  21326. type: object
  21327. type: array
  21328. transitiveTagKeys:
  21329. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  21330. items:
  21331. type: string
  21332. type: array
  21333. required:
  21334. - region
  21335. - service
  21336. type: object
  21337. azurekv:
  21338. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  21339. properties:
  21340. authSecretRef:
  21341. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21342. properties:
  21343. clientCertificate:
  21344. description: The Azure ClientCertificate of the service principal used for authentication.
  21345. properties:
  21346. key:
  21347. description: |-
  21348. A key in the referenced Secret.
  21349. Some instances of this field may be defaulted, in others it may be required.
  21350. maxLength: 253
  21351. minLength: 1
  21352. pattern: ^[-._a-zA-Z0-9]+$
  21353. type: string
  21354. name:
  21355. description: The name of the Secret resource being referred to.
  21356. maxLength: 253
  21357. minLength: 1
  21358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21359. type: string
  21360. namespace:
  21361. description: |-
  21362. The namespace of the Secret resource being referred to.
  21363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21364. maxLength: 63
  21365. minLength: 1
  21366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21367. type: string
  21368. type: object
  21369. clientId:
  21370. description: The Azure clientId of the service principal or managed identity used for authentication.
  21371. properties:
  21372. key:
  21373. description: |-
  21374. A key in the referenced Secret.
  21375. Some instances of this field may be defaulted, in others it may be required.
  21376. maxLength: 253
  21377. minLength: 1
  21378. pattern: ^[-._a-zA-Z0-9]+$
  21379. type: string
  21380. name:
  21381. description: The name of the Secret resource being referred to.
  21382. maxLength: 253
  21383. minLength: 1
  21384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21385. type: string
  21386. namespace:
  21387. description: |-
  21388. The namespace of the Secret resource being referred to.
  21389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21390. maxLength: 63
  21391. minLength: 1
  21392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21393. type: string
  21394. type: object
  21395. clientSecret:
  21396. description: The Azure ClientSecret of the service principal used for authentication.
  21397. properties:
  21398. key:
  21399. description: |-
  21400. A key in the referenced Secret.
  21401. Some instances of this field may be defaulted, in others it may be required.
  21402. maxLength: 253
  21403. minLength: 1
  21404. pattern: ^[-._a-zA-Z0-9]+$
  21405. type: string
  21406. name:
  21407. description: The name of the Secret resource being referred to.
  21408. maxLength: 253
  21409. minLength: 1
  21410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21411. type: string
  21412. namespace:
  21413. description: |-
  21414. The namespace of the Secret resource being referred to.
  21415. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21416. maxLength: 63
  21417. minLength: 1
  21418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21419. type: string
  21420. type: object
  21421. tenantId:
  21422. description: The Azure tenantId of the managed identity used for authentication.
  21423. properties:
  21424. key:
  21425. description: |-
  21426. A key in the referenced Secret.
  21427. Some instances of this field may be defaulted, in others it may be required.
  21428. maxLength: 253
  21429. minLength: 1
  21430. pattern: ^[-._a-zA-Z0-9]+$
  21431. type: string
  21432. name:
  21433. description: The name of the Secret resource being referred to.
  21434. maxLength: 253
  21435. minLength: 1
  21436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21437. type: string
  21438. namespace:
  21439. description: |-
  21440. The namespace of the Secret resource being referred to.
  21441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21442. maxLength: 63
  21443. minLength: 1
  21444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21445. type: string
  21446. type: object
  21447. type: object
  21448. authType:
  21449. default: ServicePrincipal
  21450. description: |-
  21451. Auth type defines how to authenticate to the keyvault service.
  21452. Valid values are:
  21453. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  21454. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  21455. enum:
  21456. - ServicePrincipal
  21457. - ManagedIdentity
  21458. - WorkloadIdentity
  21459. type: string
  21460. environmentType:
  21461. default: PublicCloud
  21462. description: |-
  21463. EnvironmentType specifies the Azure cloud environment endpoints to use for
  21464. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  21465. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  21466. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  21467. enum:
  21468. - PublicCloud
  21469. - USGovernmentCloud
  21470. - ChinaCloud
  21471. - GermanCloud
  21472. type: string
  21473. identityId:
  21474. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  21475. type: string
  21476. serviceAccountRef:
  21477. description: |-
  21478. ServiceAccountRef specifies the service account
  21479. that should be used when authenticating with WorkloadIdentity.
  21480. properties:
  21481. audiences:
  21482. description: |-
  21483. Audience specifies the `aud` claim for the service account token.
  21484. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21485. then these audiences will be appended to the list
  21486. items:
  21487. type: string
  21488. type: array
  21489. name:
  21490. description: The name of the ServiceAccount resource being referred to.
  21491. maxLength: 253
  21492. minLength: 1
  21493. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21494. type: string
  21495. namespace:
  21496. description: |-
  21497. Namespace of the resource being referred to.
  21498. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21499. maxLength: 63
  21500. minLength: 1
  21501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21502. type: string
  21503. required:
  21504. - name
  21505. type: object
  21506. tenantId:
  21507. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  21508. type: string
  21509. vaultUrl:
  21510. description: Vault URL from which the secrets are to be fetched.
  21511. type: string
  21512. required:
  21513. - vaultUrl
  21514. type: object
  21515. beyondtrust:
  21516. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  21517. properties:
  21518. auth:
  21519. description: Auth configures how the operator authenticates with Beyondtrust.
  21520. properties:
  21521. apiKey:
  21522. description: APIKey. If not provided, then ClientID/ClientSecret become required.
  21523. properties:
  21524. secretRef:
  21525. description: SecretRef references a key in a secret that will be used as value.
  21526. properties:
  21527. key:
  21528. description: |-
  21529. A key in the referenced Secret.
  21530. Some instances of this field may be defaulted, in others it may be required.
  21531. maxLength: 253
  21532. minLength: 1
  21533. pattern: ^[-._a-zA-Z0-9]+$
  21534. type: string
  21535. name:
  21536. description: The name of the Secret resource being referred to.
  21537. maxLength: 253
  21538. minLength: 1
  21539. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21540. type: string
  21541. namespace:
  21542. description: |-
  21543. The namespace of the Secret resource being referred to.
  21544. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21545. maxLength: 63
  21546. minLength: 1
  21547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21548. type: string
  21549. type: object
  21550. value:
  21551. description: Value can be specified directly to set a value without using a secret.
  21552. type: string
  21553. type: object
  21554. certificate:
  21555. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  21556. properties:
  21557. secretRef:
  21558. description: SecretRef references a key in a secret that will be used as value.
  21559. properties:
  21560. key:
  21561. description: |-
  21562. A key in the referenced Secret.
  21563. Some instances of this field may be defaulted, in others it may be required.
  21564. maxLength: 253
  21565. minLength: 1
  21566. pattern: ^[-._a-zA-Z0-9]+$
  21567. type: string
  21568. name:
  21569. description: The name of the Secret resource being referred to.
  21570. maxLength: 253
  21571. minLength: 1
  21572. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21573. type: string
  21574. namespace:
  21575. description: |-
  21576. The namespace of the Secret resource being referred to.
  21577. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21578. maxLength: 63
  21579. minLength: 1
  21580. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21581. type: string
  21582. type: object
  21583. value:
  21584. description: Value can be specified directly to set a value without using a secret.
  21585. type: string
  21586. type: object
  21587. certificateKey:
  21588. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id.
  21589. properties:
  21590. secretRef:
  21591. description: SecretRef references a key in a secret that will be used as value.
  21592. properties:
  21593. key:
  21594. description: |-
  21595. A key in the referenced Secret.
  21596. Some instances of this field may be defaulted, in others it may be required.
  21597. maxLength: 253
  21598. minLength: 1
  21599. pattern: ^[-._a-zA-Z0-9]+$
  21600. type: string
  21601. name:
  21602. description: The name of the Secret resource being referred to.
  21603. maxLength: 253
  21604. minLength: 1
  21605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21606. type: string
  21607. namespace:
  21608. description: |-
  21609. The namespace of the Secret resource being referred to.
  21610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21611. maxLength: 63
  21612. minLength: 1
  21613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21614. type: string
  21615. type: object
  21616. value:
  21617. description: Value can be specified directly to set a value without using a secret.
  21618. type: string
  21619. type: object
  21620. clientId:
  21621. description: ClientID is the API OAuth Client ID.
  21622. properties:
  21623. secretRef:
  21624. description: SecretRef references a key in a secret that will be used as value.
  21625. properties:
  21626. key:
  21627. description: |-
  21628. A key in the referenced Secret.
  21629. Some instances of this field may be defaulted, in others it may be required.
  21630. maxLength: 253
  21631. minLength: 1
  21632. pattern: ^[-._a-zA-Z0-9]+$
  21633. type: string
  21634. name:
  21635. description: The name of the Secret resource being referred to.
  21636. maxLength: 253
  21637. minLength: 1
  21638. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21639. type: string
  21640. namespace:
  21641. description: |-
  21642. The namespace of the Secret resource being referred to.
  21643. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21644. maxLength: 63
  21645. minLength: 1
  21646. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21647. type: string
  21648. type: object
  21649. value:
  21650. description: Value can be specified directly to set a value without using a secret.
  21651. type: string
  21652. type: object
  21653. clientSecret:
  21654. description: ClientSecret is the API OAuth Client Secret.
  21655. properties:
  21656. secretRef:
  21657. description: SecretRef references a key in a secret that will be used as value.
  21658. properties:
  21659. key:
  21660. description: |-
  21661. A key in the referenced Secret.
  21662. Some instances of this field may be defaulted, in others it may be required.
  21663. maxLength: 253
  21664. minLength: 1
  21665. pattern: ^[-._a-zA-Z0-9]+$
  21666. type: string
  21667. name:
  21668. description: The name of the Secret resource being referred to.
  21669. maxLength: 253
  21670. minLength: 1
  21671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21672. type: string
  21673. namespace:
  21674. description: |-
  21675. The namespace of the Secret resource being referred to.
  21676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21677. maxLength: 63
  21678. minLength: 1
  21679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21680. type: string
  21681. type: object
  21682. value:
  21683. description: Value can be specified directly to set a value without using a secret.
  21684. type: string
  21685. type: object
  21686. type: object
  21687. server:
  21688. description: Server configures how the API server works.
  21689. properties:
  21690. apiUrl:
  21691. type: string
  21692. apiVersion:
  21693. type: string
  21694. clientTimeOutSeconds:
  21695. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  21696. type: integer
  21697. decrypt:
  21698. default: true
  21699. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  21700. type: boolean
  21701. retrievalType:
  21702. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  21703. type: string
  21704. separator:
  21705. description: A character that separates the folder names.
  21706. type: string
  21707. verifyCA:
  21708. type: boolean
  21709. required:
  21710. - apiUrl
  21711. - verifyCA
  21712. type: object
  21713. required:
  21714. - auth
  21715. - server
  21716. type: object
  21717. bitwardensecretsmanager:
  21718. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  21719. properties:
  21720. apiURL:
  21721. type: string
  21722. auth:
  21723. description: |-
  21724. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  21725. Make sure that the token being used has permissions on the given secret.
  21726. properties:
  21727. secretRef:
  21728. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  21729. properties:
  21730. credentials:
  21731. description: AccessToken used for the bitwarden instance.
  21732. properties:
  21733. key:
  21734. description: |-
  21735. A key in the referenced Secret.
  21736. Some instances of this field may be defaulted, in others it may be required.
  21737. maxLength: 253
  21738. minLength: 1
  21739. pattern: ^[-._a-zA-Z0-9]+$
  21740. type: string
  21741. name:
  21742. description: The name of the Secret resource being referred to.
  21743. maxLength: 253
  21744. minLength: 1
  21745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21746. type: string
  21747. namespace:
  21748. description: |-
  21749. The namespace of the Secret resource being referred to.
  21750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21751. maxLength: 63
  21752. minLength: 1
  21753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21754. type: string
  21755. type: object
  21756. required:
  21757. - credentials
  21758. type: object
  21759. required:
  21760. - secretRef
  21761. type: object
  21762. bitwardenServerSDKURL:
  21763. type: string
  21764. caBundle:
  21765. description: |-
  21766. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  21767. can be performed.
  21768. type: string
  21769. caProvider:
  21770. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  21771. properties:
  21772. key:
  21773. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21774. maxLength: 253
  21775. minLength: 1
  21776. pattern: ^[-._a-zA-Z0-9]+$
  21777. type: string
  21778. name:
  21779. description: The name of the object located at the provider type.
  21780. maxLength: 253
  21781. minLength: 1
  21782. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21783. type: string
  21784. namespace:
  21785. description: |-
  21786. The namespace the Provider type is in.
  21787. Can only be defined when used in a ClusterSecretStore.
  21788. maxLength: 63
  21789. minLength: 1
  21790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21791. type: string
  21792. type:
  21793. description: The type of provider to use such as "Secret", or "ConfigMap".
  21794. enum:
  21795. - Secret
  21796. - ConfigMap
  21797. type: string
  21798. required:
  21799. - name
  21800. - type
  21801. type: object
  21802. identityURL:
  21803. type: string
  21804. organizationID:
  21805. description: OrganizationID determines which organization this secret store manages.
  21806. type: string
  21807. projectID:
  21808. description: ProjectID determines which project this secret store manages.
  21809. type: string
  21810. required:
  21811. - auth
  21812. - organizationID
  21813. - projectID
  21814. type: object
  21815. chef:
  21816. description: Chef configures this store to sync secrets with chef server
  21817. properties:
  21818. auth:
  21819. description: Auth defines the information necessary to authenticate against chef Server
  21820. properties:
  21821. secretRef:
  21822. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  21823. properties:
  21824. privateKeySecretRef:
  21825. description: SecretKey is the Signing Key in PEM format, used for authentication.
  21826. properties:
  21827. key:
  21828. description: |-
  21829. A key in the referenced Secret.
  21830. Some instances of this field may be defaulted, in others it may be required.
  21831. maxLength: 253
  21832. minLength: 1
  21833. pattern: ^[-._a-zA-Z0-9]+$
  21834. type: string
  21835. name:
  21836. description: The name of the Secret resource being referred to.
  21837. maxLength: 253
  21838. minLength: 1
  21839. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21840. type: string
  21841. namespace:
  21842. description: |-
  21843. The namespace of the Secret resource being referred to.
  21844. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21845. maxLength: 63
  21846. minLength: 1
  21847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21848. type: string
  21849. type: object
  21850. required:
  21851. - privateKeySecretRef
  21852. type: object
  21853. required:
  21854. - secretRef
  21855. type: object
  21856. serverUrl:
  21857. description: ServerURL is the chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/".
  21858. type: string
  21859. username:
  21860. description: UserName should be the user ID on the chef server
  21861. type: string
  21862. required:
  21863. - auth
  21864. - serverUrl
  21865. - username
  21866. type: object
  21867. cloudrusm:
  21868. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  21869. properties:
  21870. auth:
  21871. description: CSMAuth contains a secretRef for credentials.
  21872. properties:
  21873. secretRef:
  21874. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  21875. properties:
  21876. accessKeyIDSecretRef:
  21877. description: The AccessKeyID is used for authentication
  21878. properties:
  21879. key:
  21880. description: |-
  21881. A key in the referenced Secret.
  21882. Some instances of this field may be defaulted, in others it may be required.
  21883. maxLength: 253
  21884. minLength: 1
  21885. pattern: ^[-._a-zA-Z0-9]+$
  21886. type: string
  21887. name:
  21888. description: The name of the Secret resource being referred to.
  21889. maxLength: 253
  21890. minLength: 1
  21891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21892. type: string
  21893. namespace:
  21894. description: |-
  21895. The namespace of the Secret resource being referred to.
  21896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21897. maxLength: 63
  21898. minLength: 1
  21899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21900. type: string
  21901. type: object
  21902. accessKeySecretSecretRef:
  21903. description: The AccessKeySecret is used for authentication
  21904. properties:
  21905. key:
  21906. description: |-
  21907. A key in the referenced Secret.
  21908. Some instances of this field may be defaulted, in others it may be required.
  21909. maxLength: 253
  21910. minLength: 1
  21911. pattern: ^[-._a-zA-Z0-9]+$
  21912. type: string
  21913. name:
  21914. description: The name of the Secret resource being referred to.
  21915. maxLength: 253
  21916. minLength: 1
  21917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21918. type: string
  21919. namespace:
  21920. description: |-
  21921. The namespace of the Secret resource being referred to.
  21922. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21923. maxLength: 63
  21924. minLength: 1
  21925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21926. type: string
  21927. type: object
  21928. required:
  21929. - accessKeyIDSecretRef
  21930. - accessKeySecretSecretRef
  21931. type: object
  21932. type: object
  21933. projectID:
  21934. description: ProjectID is the project in which the secrets are stored.
  21935. type: string
  21936. required:
  21937. - auth
  21938. type: object
  21939. conjur:
  21940. description: Conjur configures this store to sync secrets using conjur provider
  21941. properties:
  21942. auth:
  21943. description: Defines authentication settings for connecting to Conjur.
  21944. properties:
  21945. apikey:
  21946. description: Authenticates with Conjur using an API key.
  21947. properties:
  21948. account:
  21949. description: Account is the Conjur organization account name.
  21950. type: string
  21951. apiKeyRef:
  21952. description: |-
  21953. A reference to a specific 'key' containing the Conjur API key
  21954. within a Secret resource. In some instances, `key` is a required field.
  21955. properties:
  21956. key:
  21957. description: |-
  21958. A key in the referenced Secret.
  21959. Some instances of this field may be defaulted, in others it may be required.
  21960. maxLength: 253
  21961. minLength: 1
  21962. pattern: ^[-._a-zA-Z0-9]+$
  21963. type: string
  21964. name:
  21965. description: The name of the Secret resource being referred to.
  21966. maxLength: 253
  21967. minLength: 1
  21968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21969. type: string
  21970. namespace:
  21971. description: |-
  21972. The namespace of the Secret resource being referred to.
  21973. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21974. maxLength: 63
  21975. minLength: 1
  21976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21977. type: string
  21978. type: object
  21979. userRef:
  21980. description: |-
  21981. A reference to a specific 'key' containing the Conjur username
  21982. within a Secret resource. In some instances, `key` is a required field.
  21983. properties:
  21984. key:
  21985. description: |-
  21986. A key in the referenced Secret.
  21987. Some instances of this field may be defaulted, in others it may be required.
  21988. maxLength: 253
  21989. minLength: 1
  21990. pattern: ^[-._a-zA-Z0-9]+$
  21991. type: string
  21992. name:
  21993. description: The name of the Secret resource being referred to.
  21994. maxLength: 253
  21995. minLength: 1
  21996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21997. type: string
  21998. namespace:
  21999. description: |-
  22000. The namespace of the Secret resource being referred to.
  22001. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22002. maxLength: 63
  22003. minLength: 1
  22004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22005. type: string
  22006. type: object
  22007. required:
  22008. - account
  22009. - apiKeyRef
  22010. - userRef
  22011. type: object
  22012. jwt:
  22013. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22014. properties:
  22015. account:
  22016. description: Account is the Conjur organization account name.
  22017. type: string
  22018. hostId:
  22019. description: |-
  22020. Optional HostID for JWT authentication. This may be used depending
  22021. on how the Conjur JWT authenticator policy is configured.
  22022. type: string
  22023. secretRef:
  22024. description: |-
  22025. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22026. authenticate with Conjur using the JWT authentication method.
  22027. properties:
  22028. key:
  22029. description: |-
  22030. A key in the referenced Secret.
  22031. Some instances of this field may be defaulted, in others it may be required.
  22032. maxLength: 253
  22033. minLength: 1
  22034. pattern: ^[-._a-zA-Z0-9]+$
  22035. type: string
  22036. name:
  22037. description: The name of the Secret resource being referred to.
  22038. maxLength: 253
  22039. minLength: 1
  22040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22041. type: string
  22042. namespace:
  22043. description: |-
  22044. The namespace of the Secret resource being referred to.
  22045. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22046. maxLength: 63
  22047. minLength: 1
  22048. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22049. type: string
  22050. type: object
  22051. serviceAccountRef:
  22052. description: |-
  22053. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22054. a token with the `TokenRequest` API.
  22055. properties:
  22056. audiences:
  22057. description: |-
  22058. Audience specifies the `aud` claim for the service account token.
  22059. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22060. then these audiences will be appended to the list
  22061. items:
  22062. type: string
  22063. type: array
  22064. name:
  22065. description: The name of the ServiceAccount resource being referred to.
  22066. maxLength: 253
  22067. minLength: 1
  22068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22069. type: string
  22070. namespace:
  22071. description: |-
  22072. Namespace of the resource being referred to.
  22073. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22074. maxLength: 63
  22075. minLength: 1
  22076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22077. type: string
  22078. required:
  22079. - name
  22080. type: object
  22081. serviceID:
  22082. description: The Conjur authn-jwt webservice ID.
  22083. type: string
  22084. required:
  22085. - account
  22086. - serviceID
  22087. type: object
  22088. type: object
  22089. caBundle:
  22090. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22091. type: string
  22092. caProvider:
  22093. description: |-
  22094. Used to provide custom certificate authority (CA) certificates
  22095. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22096. that contains a PEM-encoded certificate.
  22097. properties:
  22098. key:
  22099. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22100. maxLength: 253
  22101. minLength: 1
  22102. pattern: ^[-._a-zA-Z0-9]+$
  22103. type: string
  22104. name:
  22105. description: The name of the object located at the provider type.
  22106. maxLength: 253
  22107. minLength: 1
  22108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22109. type: string
  22110. namespace:
  22111. description: |-
  22112. The namespace the Provider type is in.
  22113. Can only be defined when used in a ClusterSecretStore.
  22114. maxLength: 63
  22115. minLength: 1
  22116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22117. type: string
  22118. type:
  22119. description: The type of provider to use such as "Secret", or "ConfigMap".
  22120. enum:
  22121. - Secret
  22122. - ConfigMap
  22123. type: string
  22124. required:
  22125. - name
  22126. - type
  22127. type: object
  22128. url:
  22129. description: URL is the endpoint of the Conjur instance.
  22130. type: string
  22131. required:
  22132. - auth
  22133. - url
  22134. type: object
  22135. delinea:
  22136. description: |-
  22137. Delinea DevOps Secrets Vault
  22138. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  22139. properties:
  22140. clientId:
  22141. description: ClientID is the non-secret part of the credential.
  22142. properties:
  22143. secretRef:
  22144. description: SecretRef references a key in a secret that will be used as value.
  22145. properties:
  22146. key:
  22147. description: |-
  22148. A key in the referenced Secret.
  22149. Some instances of this field may be defaulted, in others it may be required.
  22150. maxLength: 253
  22151. minLength: 1
  22152. pattern: ^[-._a-zA-Z0-9]+$
  22153. type: string
  22154. name:
  22155. description: The name of the Secret resource being referred to.
  22156. maxLength: 253
  22157. minLength: 1
  22158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22159. type: string
  22160. namespace:
  22161. description: |-
  22162. The namespace of the Secret resource being referred to.
  22163. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22164. maxLength: 63
  22165. minLength: 1
  22166. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22167. type: string
  22168. type: object
  22169. value:
  22170. description: Value can be specified directly to set a value without using a secret.
  22171. type: string
  22172. type: object
  22173. clientSecret:
  22174. description: ClientSecret is the secret part of the credential.
  22175. properties:
  22176. secretRef:
  22177. description: SecretRef references a key in a secret that will be used as value.
  22178. properties:
  22179. key:
  22180. description: |-
  22181. A key in the referenced Secret.
  22182. Some instances of this field may be defaulted, in others it may be required.
  22183. maxLength: 253
  22184. minLength: 1
  22185. pattern: ^[-._a-zA-Z0-9]+$
  22186. type: string
  22187. name:
  22188. description: The name of the Secret resource being referred to.
  22189. maxLength: 253
  22190. minLength: 1
  22191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22192. type: string
  22193. namespace:
  22194. description: |-
  22195. The namespace of the Secret resource being referred to.
  22196. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22197. maxLength: 63
  22198. minLength: 1
  22199. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22200. type: string
  22201. type: object
  22202. value:
  22203. description: Value can be specified directly to set a value without using a secret.
  22204. type: string
  22205. type: object
  22206. tenant:
  22207. description: Tenant is the chosen hostname / site name.
  22208. type: string
  22209. tld:
  22210. description: |-
  22211. TLD is based on the server location that was chosen during provisioning.
  22212. If unset, defaults to "com".
  22213. type: string
  22214. urlTemplate:
  22215. description: |-
  22216. URLTemplate is the template used to build the API URL.
  22217. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  22218. type: string
  22219. required:
  22220. - clientId
  22221. - clientSecret
  22222. - tenant
  22223. type: object
  22224. device42:
  22225. description: Device42 configures this store to sync secrets using the Device42 provider
  22226. properties:
  22227. auth:
  22228. description: Auth configures how secret-manager authenticates with a Device42 instance.
  22229. properties:
  22230. secretRef:
  22231. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  22232. properties:
  22233. credentials:
  22234. description: Username / Password is used for authentication.
  22235. properties:
  22236. key:
  22237. description: |-
  22238. A key in the referenced Secret.
  22239. Some instances of this field may be defaulted, in others it may be required.
  22240. maxLength: 253
  22241. minLength: 1
  22242. pattern: ^[-._a-zA-Z0-9]+$
  22243. type: string
  22244. name:
  22245. description: The name of the Secret resource being referred to.
  22246. maxLength: 253
  22247. minLength: 1
  22248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22249. type: string
  22250. namespace:
  22251. description: |-
  22252. The namespace of the Secret resource being referred to.
  22253. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22254. maxLength: 63
  22255. minLength: 1
  22256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22257. type: string
  22258. type: object
  22259. type: object
  22260. required:
  22261. - secretRef
  22262. type: object
  22263. host:
  22264. description: Host configures the Device42 instance URL.
  22265. type: string
  22266. required:
  22267. - auth
  22268. - host
  22269. type: object
  22270. doppler:
  22271. description: Doppler configures this store to sync secrets using the Doppler provider
  22272. properties:
  22273. auth:
  22274. description: Auth configures how the Operator authenticates with the Doppler API
  22275. properties:
  22276. secretRef:
  22277. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  22278. properties:
  22279. dopplerToken:
  22280. description: |-
  22281. The DopplerToken is used for authentication.
  22282. See https://docs.doppler.com/reference/api#authentication for auth token types.
  22283. The Key attribute defaults to dopplerToken if not specified.
  22284. properties:
  22285. key:
  22286. description: |-
  22287. A key in the referenced Secret.
  22288. Some instances of this field may be defaulted, in others it may be required.
  22289. maxLength: 253
  22290. minLength: 1
  22291. pattern: ^[-._a-zA-Z0-9]+$
  22292. type: string
  22293. name:
  22294. description: The name of the Secret resource being referred to.
  22295. maxLength: 253
  22296. minLength: 1
  22297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22298. type: string
  22299. namespace:
  22300. description: |-
  22301. The namespace of the Secret resource being referred to.
  22302. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22303. maxLength: 63
  22304. minLength: 1
  22305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22306. type: string
  22307. type: object
  22308. required:
  22309. - dopplerToken
  22310. type: object
  22311. required:
  22312. - secretRef
  22313. type: object
  22314. config:
  22315. description: Doppler config (required if not using a Service Token)
  22316. type: string
  22317. format:
  22318. description: Format enables the downloading of secrets as a file (string)
  22319. enum:
  22320. - json
  22321. - dotnet-json
  22322. - env
  22323. - yaml
  22324. - docker
  22325. type: string
  22326. nameTransformer:
  22327. description: Environment-variable-compatible name transforms that change secret names to a different format
  22328. enum:
  22329. - upper-camel
  22330. - camel
  22331. - lower-snake
  22332. - tf-var
  22333. - dotnet-env
  22334. - lower-kebab
  22335. type: string
  22336. project:
  22337. description: Doppler project (required if not using a Service Token)
  22338. type: string
  22339. required:
  22340. - auth
  22341. type: object
  22342. fake:
  22343. description: Fake configures a store with static key/value pairs
  22344. properties:
  22345. data:
  22346. items:
  22347. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  22348. properties:
  22349. key:
  22350. type: string
  22351. value:
  22352. type: string
  22353. version:
  22354. type: string
  22355. required:
  22356. - key
  22357. - value
  22358. type: object
  22359. type: array
  22360. required:
  22361. - data
  22362. type: object
  22363. fortanix:
  22364. description: Fortanix configures this store to sync secrets using the Fortanix provider
  22365. properties:
  22366. apiKey:
  22367. description: APIKey is the API token to access SDKMS Applications.
  22368. properties:
  22369. secretRef:
  22370. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  22371. properties:
  22372. key:
  22373. description: |-
  22374. A key in the referenced Secret.
  22375. Some instances of this field may be defaulted, in others it may be required.
  22376. maxLength: 253
  22377. minLength: 1
  22378. pattern: ^[-._a-zA-Z0-9]+$
  22379. type: string
  22380. name:
  22381. description: The name of the Secret resource being referred to.
  22382. maxLength: 253
  22383. minLength: 1
  22384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22385. type: string
  22386. namespace:
  22387. description: |-
  22388. The namespace of the Secret resource being referred to.
  22389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22390. maxLength: 63
  22391. minLength: 1
  22392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22393. type: string
  22394. type: object
  22395. type: object
  22396. apiUrl:
  22397. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  22398. type: string
  22399. type: object
  22400. gcpsm:
  22401. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  22402. properties:
  22403. auth:
  22404. description: Auth defines the information necessary to authenticate against GCP
  22405. properties:
  22406. secretRef:
  22407. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  22408. properties:
  22409. secretAccessKeySecretRef:
  22410. description: The SecretAccessKey is used for authentication
  22411. properties:
  22412. key:
  22413. description: |-
  22414. A key in the referenced Secret.
  22415. Some instances of this field may be defaulted, in others it may be required.
  22416. maxLength: 253
  22417. minLength: 1
  22418. pattern: ^[-._a-zA-Z0-9]+$
  22419. type: string
  22420. name:
  22421. description: The name of the Secret resource being referred to.
  22422. maxLength: 253
  22423. minLength: 1
  22424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22425. type: string
  22426. namespace:
  22427. description: |-
  22428. The namespace of the Secret resource being referred to.
  22429. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22430. maxLength: 63
  22431. minLength: 1
  22432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22433. type: string
  22434. type: object
  22435. type: object
  22436. workloadIdentity:
  22437. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  22438. properties:
  22439. clusterLocation:
  22440. description: |-
  22441. ClusterLocation is the location of the cluster
  22442. If not specified, it fetches information from the metadata server
  22443. type: string
  22444. clusterName:
  22445. description: |-
  22446. ClusterName is the name of the cluster
  22447. If not specified, it fetches information from the metadata server
  22448. type: string
  22449. clusterProjectID:
  22450. description: |-
  22451. ClusterProjectID is the project ID of the cluster
  22452. If not specified, it fetches information from the metadata server
  22453. type: string
  22454. serviceAccountRef:
  22455. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22456. properties:
  22457. audiences:
  22458. description: |-
  22459. Audience specifies the `aud` claim for the service account token
  22460. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22461. then these audiences will be appended to the list
  22462. items:
  22463. type: string
  22464. type: array
  22465. name:
  22466. description: The name of the ServiceAccount resource being referred to.
  22467. maxLength: 253
  22468. minLength: 1
  22469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22470. type: string
  22471. namespace:
  22472. description: |-
  22473. Namespace of the resource being referred to.
  22474. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22475. maxLength: 63
  22476. minLength: 1
  22477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22478. type: string
  22479. required:
  22480. - name
  22481. type: object
  22482. required:
  22483. - serviceAccountRef
  22484. type: object
  22485. type: object
  22486. location:
  22487. description: Location optionally defines a location for a secret
  22488. type: string
  22489. projectID:
  22490. description: ProjectID is the project where the secret is located.
  22491. type: string
  22492. type: object
  22493. github:
  22494. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  22495. properties:
  22496. appID:
  22497. description: appID specifies the GitHub App that will be used to authenticate the client
  22498. format: int64
  22499. type: integer
  22500. auth:
  22501. description: auth configures how secret-manager authenticates with a Github instance.
  22502. properties:
  22503. privateKey:
  22504. description: |-
  22505. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22506. In some instances, `key` is a required field.
  22507. properties:
  22508. key:
  22509. description: |-
  22510. A key in the referenced Secret.
  22511. Some instances of this field may be defaulted, in others it may be required.
  22512. maxLength: 253
  22513. minLength: 1
  22514. pattern: ^[-._a-zA-Z0-9]+$
  22515. type: string
  22516. name:
  22517. description: The name of the Secret resource being referred to.
  22518. maxLength: 253
  22519. minLength: 1
  22520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22521. type: string
  22522. namespace:
  22523. description: |-
  22524. The namespace of the Secret resource being referred to.
  22525. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22526. maxLength: 63
  22527. minLength: 1
  22528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22529. type: string
  22530. type: object
  22531. required:
  22532. - privateKey
  22533. type: object
  22534. environment:
  22535. description: environment will be used to fetch secrets from a particular environment within a github repository
  22536. type: string
  22537. installationID:
  22538. description: installationID specifies the GitHub App installation that will be used to authenticate the client
  22539. format: int64
  22540. type: integer
  22541. organization:
  22542. description: organization will be used to fetch secrets from the Github organization
  22543. type: string
  22544. repository:
  22545. description: repository will be used to fetch secrets from the Github repository within an organization
  22546. type: string
  22547. uploadURL:
  22548. description: Upload URL for enterprise instances. Defaults to URL.
  22549. type: string
  22550. url:
  22551. default: https://github.com/
  22552. description: URL configures the Github instance URL. Defaults to https://github.com/.
  22553. type: string
  22554. required:
  22555. - appID
  22556. - auth
  22557. - installationID
  22558. - organization
  22559. type: object
  22560. gitlab:
  22561. description: GitLab configures this store to sync secrets using GitLab Variables provider
  22562. properties:
  22563. auth:
  22564. description: Auth configures how secret-manager authenticates with a GitLab instance.
  22565. properties:
  22566. SecretRef:
  22567. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  22568. properties:
  22569. accessToken:
  22570. description: AccessToken is used for authentication.
  22571. properties:
  22572. key:
  22573. description: |-
  22574. A key in the referenced Secret.
  22575. Some instances of this field may be defaulted, in others it may be required.
  22576. maxLength: 253
  22577. minLength: 1
  22578. pattern: ^[-._a-zA-Z0-9]+$
  22579. type: string
  22580. name:
  22581. description: The name of the Secret resource being referred to.
  22582. maxLength: 253
  22583. minLength: 1
  22584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22585. type: string
  22586. namespace:
  22587. description: |-
  22588. The namespace of the Secret resource being referred to.
  22589. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22590. maxLength: 63
  22591. minLength: 1
  22592. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22593. type: string
  22594. type: object
  22595. type: object
  22596. required:
  22597. - SecretRef
  22598. type: object
  22599. caBundle:
  22600. description: |-
  22601. Base64-encoded CA certificate for the GitLab server SDK. The SDK MUST run with HTTPS to make sure no MITM attack
  22602. can be performed.
  22603. format: byte
  22604. type: string
  22605. caProvider:
  22606. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22607. properties:
  22608. key:
  22609. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22610. maxLength: 253
  22611. minLength: 1
  22612. pattern: ^[-._a-zA-Z0-9]+$
  22613. type: string
  22614. name:
  22615. description: The name of the object located at the provider type.
  22616. maxLength: 253
  22617. minLength: 1
  22618. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22619. type: string
  22620. namespace:
  22621. description: |-
  22622. The namespace the Provider type is in.
  22623. Can only be defined when used in a ClusterSecretStore.
  22624. maxLength: 63
  22625. minLength: 1
  22626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22627. type: string
  22628. type:
  22629. description: The type of provider to use such as "Secret", or "ConfigMap".
  22630. enum:
  22631. - Secret
  22632. - ConfigMap
  22633. type: string
  22634. required:
  22635. - name
  22636. - type
  22637. type: object
  22638. environment:
  22639. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment for how to create environments)
  22640. type: string
  22641. groupIDs:
  22642. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  22643. items:
  22644. type: string
  22645. type: array
  22646. inheritFromGroups:
  22647. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  22648. type: boolean
  22649. projectID:
  22650. description: ProjectID specifies a project where secrets are located.
  22651. type: string
  22652. url:
  22653. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  22654. type: string
  22655. required:
  22656. - auth
  22657. type: object
  22658. ibm:
  22659. description: IBM configures this store to sync secrets using IBM Cloud provider
  22660. properties:
  22661. auth:
  22662. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  22663. maxProperties: 1
  22664. minProperties: 1
  22665. properties:
  22666. containerAuth:
  22667. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  22668. properties:
  22669. iamEndpoint:
  22670. type: string
  22671. profile:
  22672. description: the IBM Trusted Profile
  22673. type: string
  22674. tokenLocation:
  22675. description: Location where the token is mounted on the pod
  22676. type: string
  22677. required:
  22678. - profile
  22679. type: object
  22680. secretRef:
  22681. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  22682. properties:
  22683. secretApiKeySecretRef:
  22684. description: The SecretAccessKey is used for authentication
  22685. properties:
  22686. key:
  22687. description: |-
  22688. A key in the referenced Secret.
  22689. Some instances of this field may be defaulted, in others it may be required.
  22690. maxLength: 253
  22691. minLength: 1
  22692. pattern: ^[-._a-zA-Z0-9]+$
  22693. type: string
  22694. name:
  22695. description: The name of the Secret resource being referred to.
  22696. maxLength: 253
  22697. minLength: 1
  22698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22699. type: string
  22700. namespace:
  22701. description: |-
  22702. The namespace of the Secret resource being referred to.
  22703. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22704. maxLength: 63
  22705. minLength: 1
  22706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22707. type: string
  22708. type: object
  22709. type: object
  22710. type: object
  22711. serviceUrl:
  22712. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  22713. type: string
  22714. required:
  22715. - auth
  22716. type: object
  22717. infisical:
  22718. description: Infisical configures this store to sync secrets using the Infisical provider
  22719. properties:
  22720. auth:
  22721. description: Auth configures how the Operator authenticates with the Infisical API
  22722. properties:
  22723. universalAuthCredentials:
  22724. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  22725. properties:
  22726. clientId:
  22727. description: |-
  22728. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22729. In some instances, `key` is a required field.
  22730. properties:
  22731. key:
  22732. description: |-
  22733. A key in the referenced Secret.
  22734. Some instances of this field may be defaulted, in others it may be required.
  22735. maxLength: 253
  22736. minLength: 1
  22737. pattern: ^[-._a-zA-Z0-9]+$
  22738. type: string
  22739. name:
  22740. description: The name of the Secret resource being referred to.
  22741. maxLength: 253
  22742. minLength: 1
  22743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22744. type: string
  22745. namespace:
  22746. description: |-
  22747. The namespace of the Secret resource being referred to.
  22748. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22749. maxLength: 63
  22750. minLength: 1
  22751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22752. type: string
  22753. type: object
  22754. clientSecret:
  22755. description: |-
  22756. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22757. In some instances, `key` is a required field.
  22758. properties:
  22759. key:
  22760. description: |-
  22761. A key in the referenced Secret.
  22762. Some instances of this field may be defaulted, in others it may be required.
  22763. maxLength: 253
  22764. minLength: 1
  22765. pattern: ^[-._a-zA-Z0-9]+$
  22766. type: string
  22767. name:
  22768. description: The name of the Secret resource being referred to.
  22769. maxLength: 253
  22770. minLength: 1
  22771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22772. type: string
  22773. namespace:
  22774. description: |-
  22775. The namespace of the Secret resource being referred to.
  22776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22777. maxLength: 63
  22778. minLength: 1
  22779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22780. type: string
  22781. type: object
  22782. required:
  22783. - clientId
  22784. - clientSecret
  22785. type: object
  22786. type: object
  22787. hostAPI:
  22788. default: https://app.infisical.com/api
  22789. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  22790. type: string
  22791. secretsScope:
  22792. description: SecretsScope defines the scope of the secrets within the workspace
  22793. properties:
  22794. environmentSlug:
  22795. description: EnvironmentSlug is the required slug identifier for the environment.
  22796. type: string
  22797. expandSecretReferences:
  22798. default: true
  22799. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  22800. type: boolean
  22801. projectSlug:
  22802. description: ProjectSlug is the required slug identifier for the project.
  22803. type: string
  22804. recursive:
  22805. default: false
  22806. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  22807. type: boolean
  22808. secretsPath:
  22809. default: /
  22810. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  22811. type: string
  22812. required:
  22813. - environmentSlug
  22814. - projectSlug
  22815. type: object
  22816. required:
  22817. - auth
  22818. - secretsScope
  22819. type: object
  22820. keepersecurity:
  22821. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  22822. properties:
  22823. authRef:
  22824. description: |-
  22825. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22826. In some instances, `key` is a required field.
  22827. properties:
  22828. key:
  22829. description: |-
  22830. A key in the referenced Secret.
  22831. Some instances of this field may be defaulted, in others it may be required.
  22832. maxLength: 253
  22833. minLength: 1
  22834. pattern: ^[-._a-zA-Z0-9]+$
  22835. type: string
  22836. name:
  22837. description: The name of the Secret resource being referred to.
  22838. maxLength: 253
  22839. minLength: 1
  22840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22841. type: string
  22842. namespace:
  22843. description: |-
  22844. The namespace of the Secret resource being referred to.
  22845. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22846. maxLength: 63
  22847. minLength: 1
  22848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22849. type: string
  22850. type: object
  22851. folderID:
  22852. type: string
  22853. required:
  22854. - authRef
  22855. - folderID
  22856. type: object
  22857. kubernetes:
  22858. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  22859. properties:
  22860. auth:
  22861. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  22862. maxProperties: 1
  22863. minProperties: 1
  22864. properties:
  22865. cert:
  22866. description: Has both clientCert and clientKey as SecretKeySelector references
  22867. properties:
  22868. clientCert:
  22869. description: |-
  22870. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22871. In some instances, `key` is a required field.
  22872. properties:
  22873. key:
  22874. description: |-
  22875. A key in the referenced Secret.
  22876. Some instances of this field may be defaulted, in others it may be required.
  22877. maxLength: 253
  22878. minLength: 1
  22879. pattern: ^[-._a-zA-Z0-9]+$
  22880. type: string
  22881. name:
  22882. description: The name of the Secret resource being referred to.
  22883. maxLength: 253
  22884. minLength: 1
  22885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22886. type: string
  22887. namespace:
  22888. description: |-
  22889. The namespace of the Secret resource being referred to.
  22890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22891. maxLength: 63
  22892. minLength: 1
  22893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22894. type: string
  22895. type: object
  22896. clientKey:
  22897. description: |-
  22898. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22899. In some instances, `key` is a required field.
  22900. properties:
  22901. key:
  22902. description: |-
  22903. A key in the referenced Secret.
  22904. Some instances of this field may be defaulted, in others it may be required.
  22905. maxLength: 253
  22906. minLength: 1
  22907. pattern: ^[-._a-zA-Z0-9]+$
  22908. type: string
  22909. name:
  22910. description: The name of the Secret resource being referred to.
  22911. maxLength: 253
  22912. minLength: 1
  22913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22914. type: string
  22915. namespace:
  22916. description: |-
  22917. The namespace of the Secret resource being referred to.
  22918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22919. maxLength: 63
  22920. minLength: 1
  22921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22922. type: string
  22923. type: object
  22924. type: object
  22925. serviceAccount:
  22926. description: Points to a ServiceAccount that should be used for authentication
  22927. properties:
  22928. audiences:
  22929. description: |-
  22930. Audience specifies the `aud` claim for the service account token.
  22931. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  22932. then these audiences will be appended to the list.
  22933. items:
  22934. type: string
  22935. type: array
  22936. name:
  22937. description: The name of the ServiceAccount resource being referred to.
  22938. maxLength: 253
  22939. minLength: 1
  22940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22941. type: string
  22942. namespace:
  22943. description: |-
  22944. Namespace of the resource being referred to.
  22945. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22946. maxLength: 63
  22947. minLength: 1
  22948. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22949. type: string
  22950. required:
  22951. - name
  22952. type: object
  22953. token:
  22954. description: use static token to authenticate with
  22955. properties:
  22956. bearerToken:
  22957. description: |-
  22958. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  22959. In some instances, `key` is a required field.
  22960. properties:
  22961. key:
  22962. description: |-
  22963. A key in the referenced Secret.
  22964. Some instances of this field may be defaulted, in others it may be required.
  22965. maxLength: 253
  22966. minLength: 1
  22967. pattern: ^[-._a-zA-Z0-9]+$
  22968. type: string
  22969. name:
  22970. description: The name of the Secret resource being referred to.
  22971. maxLength: 253
  22972. minLength: 1
  22973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22974. type: string
  22975. namespace:
  22976. description: |-
  22977. The namespace of the Secret resource being referred to.
  22978. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22979. maxLength: 63
  22980. minLength: 1
  22981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22982. type: string
  22983. type: object
  22984. type: object
  22985. type: object
  22986. authRef:
  22987. description: A reference to a secret that contains the auth information.
  22988. properties:
  22989. key:
  22990. description: |-
  22991. A key in the referenced Secret.
  22992. Some instances of this field may be defaulted, in others it may be required.
  22993. maxLength: 253
  22994. minLength: 1
  22995. pattern: ^[-._a-zA-Z0-9]+$
  22996. type: string
  22997. name:
  22998. description: The name of the Secret resource being referred to.
  22999. maxLength: 253
  23000. minLength: 1
  23001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23002. type: string
  23003. namespace:
  23004. description: |-
  23005. The namespace of the Secret resource being referred to.
  23006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23007. maxLength: 63
  23008. minLength: 1
  23009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23010. type: string
  23011. type: object
  23012. remoteNamespace:
  23013. default: default
  23014. description: Remote namespace to fetch the secrets from
  23015. maxLength: 63
  23016. minLength: 1
  23017. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23018. type: string
  23019. server:
  23020. description: configures the Kubernetes server Address.
  23021. properties:
  23022. caBundle:
  23023. description: CABundle is a base64-encoded CA certificate
  23024. format: byte
  23025. type: string
  23026. caProvider:
  23027. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23028. properties:
  23029. key:
  23030. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23031. maxLength: 253
  23032. minLength: 1
  23033. pattern: ^[-._a-zA-Z0-9]+$
  23034. type: string
  23035. name:
  23036. description: The name of the object located at the provider type.
  23037. maxLength: 253
  23038. minLength: 1
  23039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23040. type: string
  23041. namespace:
  23042. description: |-
  23043. The namespace the Provider type is in.
  23044. Can only be defined when used in a ClusterSecretStore.
  23045. maxLength: 63
  23046. minLength: 1
  23047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23048. type: string
  23049. type:
  23050. description: The type of provider to use such as "Secret", or "ConfigMap".
  23051. enum:
  23052. - Secret
  23053. - ConfigMap
  23054. type: string
  23055. required:
  23056. - name
  23057. - type
  23058. type: object
  23059. url:
  23060. default: kubernetes.default
  23061. description: configures the Kubernetes server Address.
  23062. type: string
  23063. type: object
  23064. type: object
  23065. onboardbase:
  23066. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23067. properties:
  23068. apiHost:
  23069. default: https://public.onboardbase.com/api/v1/
  23070. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  23071. type: string
  23072. auth:
  23073. description: Auth configures how the Operator authenticates with the Onboardbase API
  23074. properties:
  23075. apiKeyRef:
  23076. description: |-
  23077. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23078. It is used to recognize and authorize access to a project and environment within onboardbase
  23079. properties:
  23080. key:
  23081. description: |-
  23082. A key in the referenced Secret.
  23083. Some instances of this field may be defaulted, in others it may be required.
  23084. maxLength: 253
  23085. minLength: 1
  23086. pattern: ^[-._a-zA-Z0-9]+$
  23087. type: string
  23088. name:
  23089. description: The name of the Secret resource being referred to.
  23090. maxLength: 253
  23091. minLength: 1
  23092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23093. type: string
  23094. namespace:
  23095. description: |-
  23096. The namespace of the Secret resource being referred to.
  23097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23098. maxLength: 63
  23099. minLength: 1
  23100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23101. type: string
  23102. type: object
  23103. passcodeRef:
  23104. description: OnboardbasePasscode is the passcode attached to the API Key
  23105. properties:
  23106. key:
  23107. description: |-
  23108. A key in the referenced Secret.
  23109. Some instances of this field may be defaulted, in others it may be required.
  23110. maxLength: 253
  23111. minLength: 1
  23112. pattern: ^[-._a-zA-Z0-9]+$
  23113. type: string
  23114. name:
  23115. description: The name of the Secret resource being referred to.
  23116. maxLength: 253
  23117. minLength: 1
  23118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23119. type: string
  23120. namespace:
  23121. description: |-
  23122. The namespace of the Secret resource being referred to.
  23123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23124. maxLength: 63
  23125. minLength: 1
  23126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23127. type: string
  23128. type: object
  23129. required:
  23130. - apiKeyRef
  23131. - passcodeRef
  23132. type: object
  23133. environment:
  23134. default: development
  23135. description: Environment is the name of an environment within a project to pull the secrets from
  23136. type: string
  23137. project:
  23138. default: development
  23139. description: Project is an onboardbase project that the secrets should be pulled from
  23140. type: string
  23141. required:
  23142. - apiHost
  23143. - auth
  23144. - environment
  23145. - project
  23146. type: object
  23147. onepassword:
  23148. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  23149. properties:
  23150. auth:
  23151. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  23152. properties:
  23153. secretRef:
  23154. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  23155. properties:
  23156. connectTokenSecretRef:
  23157. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  23158. properties:
  23159. key:
  23160. description: |-
  23161. A key in the referenced Secret.
  23162. Some instances of this field may be defaulted, in others it may be required.
  23163. maxLength: 253
  23164. minLength: 1
  23165. pattern: ^[-._a-zA-Z0-9]+$
  23166. type: string
  23167. name:
  23168. description: The name of the Secret resource being referred to.
  23169. maxLength: 253
  23170. minLength: 1
  23171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23172. type: string
  23173. namespace:
  23174. description: |-
  23175. The namespace of the Secret resource being referred to.
  23176. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23177. maxLength: 63
  23178. minLength: 1
  23179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23180. type: string
  23181. type: object
  23182. required:
  23183. - connectTokenSecretRef
  23184. type: object
  23185. required:
  23186. - secretRef
  23187. type: object
  23188. connectHost:
  23189. description: ConnectHost defines the OnePassword Connect Server to connect to
  23190. type: string
  23191. vaults:
  23192. additionalProperties:
  23193. type: integer
  23194. description: Vaults defines which OnePassword vaults to search in which order
  23195. type: object
  23196. required:
  23197. - auth
  23198. - connectHost
  23199. - vaults
  23200. type: object
  23201. oracle:
  23202. description: Oracle configures this store to sync secrets using Oracle Vault provider
  23203. properties:
  23204. auth:
  23205. description: |-
  23206. Auth configures how secret-manager authenticates with the Oracle Vault.
  23207. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  23208. properties:
  23209. secretRef:
  23210. description: SecretRef to pass through sensitive information.
  23211. properties:
  23212. fingerprint:
  23213. description: Fingerprint is the fingerprint of the API private key.
  23214. properties:
  23215. key:
  23216. description: |-
  23217. A key in the referenced Secret.
  23218. Some instances of this field may be defaulted, in others it may be required.
  23219. maxLength: 253
  23220. minLength: 1
  23221. pattern: ^[-._a-zA-Z0-9]+$
  23222. type: string
  23223. name:
  23224. description: The name of the Secret resource being referred to.
  23225. maxLength: 253
  23226. minLength: 1
  23227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23228. type: string
  23229. namespace:
  23230. description: |-
  23231. The namespace of the Secret resource being referred to.
  23232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23233. maxLength: 63
  23234. minLength: 1
  23235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23236. type: string
  23237. type: object
  23238. privatekey:
  23239. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  23240. properties:
  23241. key:
  23242. description: |-
  23243. A key in the referenced Secret.
  23244. Some instances of this field may be defaulted, in others it may be required.
  23245. maxLength: 253
  23246. minLength: 1
  23247. pattern: ^[-._a-zA-Z0-9]+$
  23248. type: string
  23249. name:
  23250. description: The name of the Secret resource being referred to.
  23251. maxLength: 253
  23252. minLength: 1
  23253. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23254. type: string
  23255. namespace:
  23256. description: |-
  23257. The namespace of the Secret resource being referred to.
  23258. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23259. maxLength: 63
  23260. minLength: 1
  23261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23262. type: string
  23263. type: object
  23264. required:
  23265. - fingerprint
  23266. - privatekey
  23267. type: object
  23268. tenancy:
  23269. description: Tenancy is the tenancy OCID where user is located.
  23270. type: string
  23271. user:
  23272. description: User is an access OCID specific to the account.
  23273. type: string
  23274. required:
  23275. - secretRef
  23276. - tenancy
  23277. - user
  23278. type: object
  23279. compartment:
  23280. description: |-
  23281. Compartment is the vault compartment OCID.
  23282. Required for PushSecret
  23283. type: string
  23284. encryptionKey:
  23285. description: |-
  23286. EncryptionKey is the OCID of the encryption key within the vault.
  23287. Required for PushSecret
  23288. type: string
  23289. principalType:
  23290. description: |-
  23291. The type of principal to use for authentication. If left blank, the Auth struct will
  23292. determine the principal type. This optional field must be specified if using
  23293. workload identity.
  23294. enum:
  23295. - ""
  23296. - UserPrincipal
  23297. - InstancePrincipal
  23298. - Workload
  23299. type: string
  23300. region:
  23301. description: Region is the region where vault is located.
  23302. type: string
  23303. serviceAccountRef:
  23304. description: |-
  23305. ServiceAccountRef specifies the service account
  23306. that should be used when authenticating with WorkloadIdentity.
  23307. properties:
  23308. audiences:
  23309. description: |-
  23310. Audience specifies the `aud` claim for the service account token.
  23311. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  23312. then these audiences will be appended to the list.
  23313. items:
  23314. type: string
  23315. type: array
  23316. name:
  23317. description: The name of the ServiceAccount resource being referred to.
  23318. maxLength: 253
  23319. minLength: 1
  23320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23321. type: string
  23322. namespace:
  23323. description: |-
  23324. Namespace of the resource being referred to.
  23325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23326. maxLength: 63
  23327. minLength: 1
  23328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23329. type: string
  23330. required:
  23331. - name
  23332. type: object
  23333. vault:
  23334. description: Vault is the OCID of the specific vault where the secret is located.
  23335. type: string
  23336. required:
  23337. - region
  23338. - vault
  23339. type: object
  23340. passbolt:
  23341. description: PassboltProvider defines configuration for the Passbolt provider.
  23342. properties:
  23343. auth:
  23344. description: Auth defines the information necessary to authenticate against Passbolt Server
  23345. properties:
  23346. passwordSecretRef:
  23347. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  23348. properties:
  23349. key:
  23350. description: |-
  23351. A key in the referenced Secret.
  23352. Some instances of this field may be defaulted, in others it may be required.
  23353. maxLength: 253
  23354. minLength: 1
  23355. pattern: ^[-._a-zA-Z0-9]+$
  23356. type: string
  23357. name:
  23358. description: The name of the Secret resource being referred to.
  23359. maxLength: 253
  23360. minLength: 1
  23361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23362. type: string
  23363. namespace:
  23364. description: |-
  23365. The namespace of the Secret resource being referred to.
  23366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23367. maxLength: 63
  23368. minLength: 1
  23369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23370. type: string
  23371. type: object
  23372. privateKeySecretRef:
  23373. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  23374. properties:
  23375. key:
  23376. description: |-
  23377. A key in the referenced Secret.
  23378. Some instances of this field may be defaulted, in others it may be required.
  23379. maxLength: 253
  23380. minLength: 1
  23381. pattern: ^[-._a-zA-Z0-9]+$
  23382. type: string
  23383. name:
  23384. description: The name of the Secret resource being referred to.
  23385. maxLength: 253
  23386. minLength: 1
  23387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23388. type: string
  23389. namespace:
  23390. description: |-
  23391. The namespace of the Secret resource being referred to.
  23392. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23393. maxLength: 63
  23394. minLength: 1
  23395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23396. type: string
  23397. type: object
  23398. required:
  23399. - passwordSecretRef
  23400. - privateKeySecretRef
  23401. type: object
  23402. host:
  23403. description: Host defines the Passbolt Server to connect to
  23404. type: string
  23405. required:
  23406. - auth
  23407. - host
  23408. type: object
  23409. passworddepot:
  23410. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  23411. properties:
  23412. auth:
  23413. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  23414. properties:
  23415. secretRef:
  23416. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  23417. properties:
  23418. credentials:
  23419. description: Username / Password is used for authentication.
  23420. properties:
  23421. key:
  23422. description: |-
  23423. A key in the referenced Secret.
  23424. Some instances of this field may be defaulted, in others it may be required.
  23425. maxLength: 253
  23426. minLength: 1
  23427. pattern: ^[-._a-zA-Z0-9]+$
  23428. type: string
  23429. name:
  23430. description: The name of the Secret resource being referred to.
  23431. maxLength: 253
  23432. minLength: 1
  23433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23434. type: string
  23435. namespace:
  23436. description: |-
  23437. The namespace of the Secret resource being referred to.
  23438. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23439. maxLength: 63
  23440. minLength: 1
  23441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23442. type: string
  23443. type: object
  23444. type: object
  23445. required:
  23446. - secretRef
  23447. type: object
  23448. database:
  23449. description: Database to use as source
  23450. type: string
  23451. host:
  23452. description: Host configures the Password Depot instance URL.
  23453. type: string
  23454. required:
  23455. - auth
  23456. - database
  23457. - host
  23458. type: object
  23459. previder:
  23460. description: Previder configures this store to sync secrets using the Previder provider
  23461. properties:
  23462. auth:
  23463. description: PreviderAuth contains a secretRef for credentials.
  23464. properties:
  23465. secretRef:
  23466. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  23467. properties:
  23468. accessToken:
  23469. description: The AccessToken is used for authentication
  23470. properties:
  23471. key:
  23472. description: |-
  23473. A key in the referenced Secret.
  23474. Some instances of this field may be defaulted, in others it may be required.
  23475. maxLength: 253
  23476. minLength: 1
  23477. pattern: ^[-._a-zA-Z0-9]+$
  23478. type: string
  23479. name:
  23480. description: The name of the Secret resource being referred to.
  23481. maxLength: 253
  23482. minLength: 1
  23483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23484. type: string
  23485. namespace:
  23486. description: |-
  23487. The namespace of the Secret resource being referred to.
  23488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23489. maxLength: 63
  23490. minLength: 1
  23491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23492. type: string
  23493. type: object
  23494. required:
  23495. - accessToken
  23496. type: object
  23497. type: object
  23498. baseUri:
  23499. type: string
  23500. required:
  23501. - auth
  23502. type: object
  23503. pulumi:
  23504. description: Pulumi configures this store to sync secrets using the Pulumi provider
  23505. properties:
  23506. accessToken:
  23507. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  23508. properties:
  23509. secretRef:
  23510. description: SecretRef is a reference to a secret containing the Pulumi API token.
  23511. properties:
  23512. key:
  23513. description: |-
  23514. A key in the referenced Secret.
  23515. Some instances of this field may be defaulted, in others it may be required.
  23516. maxLength: 253
  23517. minLength: 1
  23518. pattern: ^[-._a-zA-Z0-9]+$
  23519. type: string
  23520. name:
  23521. description: The name of the Secret resource being referred to.
  23522. maxLength: 253
  23523. minLength: 1
  23524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23525. type: string
  23526. namespace:
  23527. description: |-
  23528. The namespace of the Secret resource being referred to.
  23529. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23530. maxLength: 63
  23531. minLength: 1
  23532. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23533. type: string
  23534. type: object
  23535. type: object
  23536. apiUrl:
  23537. default: https://api.pulumi.com/api/esc
  23538. description: APIURL is the URL of the Pulumi API.
  23539. type: string
  23540. environment:
  23541. description: |-
  23542. Environments are YAML documents composed of static key-value pairs, programmatic expressions,
  23543. dynamically retrieved values from supported providers including all major clouds,
  23544. and other Pulumi ESC environments.
  23545. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  23546. type: string
  23547. organization:
  23548. description: |-
  23549. Organization is a space to collaborate on shared projects and stacks.
  23550. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  23551. type: string
  23552. project:
  23553. description: Project is the name of the Pulumi ESC project the environment belongs to.
  23554. type: string
  23555. required:
  23556. - accessToken
  23557. - environment
  23558. - organization
  23559. - project
  23560. type: object
  23561. scaleway:
  23562. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  23563. properties:
  23564. accessKey:
  23565. description: AccessKey is the non-secret part of the api key.
  23566. properties:
  23567. secretRef:
  23568. description: SecretRef references a key in a secret that will be used as value.
  23569. properties:
  23570. key:
  23571. description: |-
  23572. A key in the referenced Secret.
  23573. Some instances of this field may be defaulted, in others it may be required.
  23574. maxLength: 253
  23575. minLength: 1
  23576. pattern: ^[-._a-zA-Z0-9]+$
  23577. type: string
  23578. name:
  23579. description: The name of the Secret resource being referred to.
  23580. maxLength: 253
  23581. minLength: 1
  23582. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23583. type: string
  23584. namespace:
  23585. description: |-
  23586. The namespace of the Secret resource being referred to.
  23587. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23588. maxLength: 63
  23589. minLength: 1
  23590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23591. type: string
  23592. type: object
  23593. value:
  23594. description: Value can be specified directly to set a value without using a secret.
  23595. type: string
  23596. type: object
  23597. apiUrl:
  23598. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  23599. type: string
  23600. projectId:
  23601. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  23602. type: string
  23603. region:
  23604. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  23605. type: string
  23606. secretKey:
  23607. description: SecretKey is the secret part of the api key.
  23608. properties:
  23609. secretRef:
  23610. description: SecretRef references a key in a secret that will be used as value.
  23611. properties:
  23612. key:
  23613. description: |-
  23614. A key in the referenced Secret.
  23615. Some instances of this field may be defaulted, in others it may be required.
  23616. maxLength: 253
  23617. minLength: 1
  23618. pattern: ^[-._a-zA-Z0-9]+$
  23619. type: string
  23620. name:
  23621. description: The name of the Secret resource being referred to.
  23622. maxLength: 253
  23623. minLength: 1
  23624. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23625. type: string
  23626. namespace:
  23627. description: |-
  23628. The namespace of the Secret resource being referred to.
  23629. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23630. maxLength: 63
  23631. minLength: 1
  23632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23633. type: string
  23634. type: object
  23635. value:
  23636. description: Value can be specified directly to set a value without using a secret.
  23637. type: string
  23638. type: object
  23639. required:
  23640. - accessKey
  23641. - projectId
  23642. - region
  23643. - secretKey
  23644. type: object
  23645. secretserver:
  23646. description: |-
  23647. SecretServer configures this store to sync secrets using SecretServer provider
  23648. https://docs.delinea.com/online-help/secret-server/start.htm
  23649. properties:
  23650. password:
  23651. description: Password is the secret server account password.
  23652. properties:
  23653. secretRef:
  23654. description: SecretRef references a key in a secret that will be used as value.
  23655. properties:
  23656. key:
  23657. description: |-
  23658. A key in the referenced Secret.
  23659. Some instances of this field may be defaulted, in others it may be required.
  23660. maxLength: 253
  23661. minLength: 1
  23662. pattern: ^[-._a-zA-Z0-9]+$
  23663. type: string
  23664. name:
  23665. description: The name of the Secret resource being referred to.
  23666. maxLength: 253
  23667. minLength: 1
  23668. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23669. type: string
  23670. namespace:
  23671. description: |-
  23672. The namespace of the Secret resource being referred to.
  23673. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23674. maxLength: 63
  23675. minLength: 1
  23676. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23677. type: string
  23678. type: object
  23679. value:
  23680. description: Value can be specified directly to set a value without using a secret.
  23681. type: string
  23682. type: object
  23683. serverURL:
  23684. description: |-
  23685. ServerURL is the URL of your Secret Server installation.
  23687. type: string
  23688. username:
  23689. description: Username is the secret server account username.
  23690. properties:
  23691. secretRef:
  23692. description: SecretRef references a key in a secret that will be used as value.
  23693. properties:
  23694. key:
  23695. description: |-
  23696. A key in the referenced Secret.
  23697. Some instances of this field may be defaulted, in others it may be required.
  23698. maxLength: 253
  23699. minLength: 1
  23700. pattern: ^[-._a-zA-Z0-9]+$
  23701. type: string
  23702. name:
  23703. description: The name of the Secret resource being referred to.
  23704. maxLength: 253
  23705. minLength: 1
  23706. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23707. type: string
  23708. namespace:
  23709. description: |-
  23710. The namespace of the Secret resource being referred to.
  23711. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23712. maxLength: 63
  23713. minLength: 1
  23714. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23715. type: string
  23716. type: object
  23717. value:
  23718. description: Value can be specified directly to set a value without using a secret.
  23719. type: string
  23720. type: object
  23721. required:
  23722. - password
  23723. - serverURL
  23724. - username
  23725. type: object
  23726. senhasegura:
  23727. description: Senhasegura configures this store to sync secrets using senhasegura provider
  23728. properties:
  23729. auth:
  23730. description: Auth defines parameters to authenticate in senhasegura
  23731. properties:
  23732. clientId:
  23733. type: string
  23734. clientSecretSecretRef:
  23735. description: |-
  23736. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23737. In some instances, `key` is a required field.
  23738. properties:
  23739. key:
  23740. description: |-
  23741. A key in the referenced Secret.
  23742. Some instances of this field may be defaulted, in others it may be required.
  23743. maxLength: 253
  23744. minLength: 1
  23745. pattern: ^[-._a-zA-Z0-9]+$
  23746. type: string
  23747. name:
  23748. description: The name of the Secret resource being referred to.
  23749. maxLength: 253
  23750. minLength: 1
  23751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23752. type: string
  23753. namespace:
  23754. description: |-
  23755. The namespace of the Secret resource being referred to.
  23756. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23757. maxLength: 63
  23758. minLength: 1
  23759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23760. type: string
  23761. type: object
  23762. required:
  23763. - clientId
  23764. - clientSecretSecretRef
  23765. type: object
  23766. ignoreSslCertificate:
  23767. default: false
  23768. description: IgnoreSslCertificate defines whether the server's SSL/TLS certificate is ignored (certificate verification is skipped)
  23769. type: boolean
  23770. module:
  23771. description: Module defines which senhasegura module should be used to get secrets
  23772. type: string
  23773. url:
  23774. description: URL of senhasegura
  23775. type: string
  23776. required:
  23777. - auth
  23778. - module
  23779. - url
  23780. type: object
  23781. vault:
  23782. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  23783. properties:
  23784. auth:
  23785. description: Auth configures how secret-manager authenticates with the Vault server.
  23786. properties:
  23787. appRole:
  23788. description: |-
  23789. AppRole authenticates with Vault using the App Role auth mechanism,
  23790. with the role and secret stored in a Kubernetes Secret resource.
  23791. properties:
  23792. path:
  23793. default: approle
  23794. description: |-
  23795. Path where the App Role authentication backend is mounted
  23796. in Vault, e.g: "approle"
  23797. type: string
  23798. roleId:
  23799. description: |-
  23800. RoleID configured in the App Role authentication backend when setting
  23801. up the authentication backend in Vault.
  23802. type: string
  23803. roleRef:
  23804. description: |-
  23805. Reference to a key in a Secret that contains the App Role ID used
  23806. to authenticate with Vault.
  23807. The `key` field must be specified and denotes which entry within the Secret
  23808. resource is used as the app role id.
  23809. properties:
  23810. key:
  23811. description: |-
  23812. A key in the referenced Secret.
  23813. Some instances of this field may be defaulted, in others it may be required.
  23814. maxLength: 253
  23815. minLength: 1
  23816. pattern: ^[-._a-zA-Z0-9]+$
  23817. type: string
  23818. name:
  23819. description: The name of the Secret resource being referred to.
  23820. maxLength: 253
  23821. minLength: 1
  23822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23823. type: string
  23824. namespace:
  23825. description: |-
  23826. The namespace of the Secret resource being referred to.
  23827. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23828. maxLength: 63
  23829. minLength: 1
  23830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23831. type: string
  23832. type: object
  23833. secretRef:
  23834. description: |-
  23835. Reference to a key in a Secret that contains the App Role secret used
  23836. to authenticate with Vault.
  23837. The `key` field must be specified and denotes which entry within the Secret
  23838. resource is used as the app role secret.
  23839. properties:
  23840. key:
  23841. description: |-
  23842. A key in the referenced Secret.
  23843. Some instances of this field may be defaulted, in others it may be required.
  23844. maxLength: 253
  23845. minLength: 1
  23846. pattern: ^[-._a-zA-Z0-9]+$
  23847. type: string
  23848. name:
  23849. description: The name of the Secret resource being referred to.
  23850. maxLength: 253
  23851. minLength: 1
  23852. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23853. type: string
  23854. namespace:
  23855. description: |-
  23856. The namespace of the Secret resource being referred to.
  23857. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23858. maxLength: 63
  23859. minLength: 1
  23860. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23861. type: string
  23862. type: object
  23863. required:
  23864. - path
  23865. - secretRef
  23866. type: object
  23867. cert:
  23868. description: |-
  23869. Cert authenticates with TLS Certificates by passing a client certificate, private key and CA certificate
  23870. to the Cert authentication method
  23871. properties:
  23872. clientCert:
  23873. description: |-
  23874. ClientCert is a certificate to authenticate using the Cert Vault
  23875. authentication method
  23876. properties:
  23877. key:
  23878. description: |-
  23879. A key in the referenced Secret.
  23880. Some instances of this field may be defaulted, in others it may be required.
  23881. maxLength: 253
  23882. minLength: 1
  23883. pattern: ^[-._a-zA-Z0-9]+$
  23884. type: string
  23885. name:
  23886. description: The name of the Secret resource being referred to.
  23887. maxLength: 253
  23888. minLength: 1
  23889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23890. type: string
  23891. namespace:
  23892. description: |-
  23893. The namespace of the Secret resource being referred to.
  23894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23895. maxLength: 63
  23896. minLength: 1
  23897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23898. type: string
  23899. type: object
  23900. secretRef:
  23901. description: |-
  23902. SecretRef to a key in a Secret resource containing client private key to
  23903. authenticate with Vault using the Cert authentication method
  23904. properties:
  23905. key:
  23906. description: |-
  23907. A key in the referenced Secret.
  23908. Some instances of this field may be defaulted, in others it may be required.
  23909. maxLength: 253
  23910. minLength: 1
  23911. pattern: ^[-._a-zA-Z0-9]+$
  23912. type: string
  23913. name:
  23914. description: The name of the Secret resource being referred to.
  23915. maxLength: 253
  23916. minLength: 1
  23917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23918. type: string
  23919. namespace:
  23920. description: |-
  23921. The namespace of the Secret resource being referred to.
  23922. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23923. maxLength: 63
  23924. minLength: 1
  23925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23926. type: string
  23927. type: object
  23928. type: object
  23929. iam:
  23930. description: |-
  23931. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials
  23932. to the AWS IAM authentication method
  23933. properties:
  23934. externalID:
  23935. description: AWS External ID set on assumed IAM roles
  23936. type: string
  23937. jwt:
  23938. description: Specify a service account with IRSA enabled
  23939. properties:
  23940. serviceAccountRef:
  23941. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23942. properties:
  23943. audiences:
  23944. description: |-
  23945. Audience specifies the `aud` claim for the service account token
  23946. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23947. then these audiences will be appended to the list
  23948. items:
  23949. type: string
  23950. type: array
  23951. name:
  23952. description: The name of the ServiceAccount resource being referred to.
  23953. maxLength: 253
  23954. minLength: 1
  23955. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23956. type: string
  23957. namespace:
  23958. description: |-
  23959. Namespace of the resource being referred to.
  23960. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23961. maxLength: 63
  23962. minLength: 1
  23963. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23964. type: string
  23965. required:
  23966. - name
  23967. type: object
  23968. type: object
  23969. path:
  23970. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  23971. type: string
  23972. region:
  23973. description: AWS region
  23974. type: string
  23975. role:
  23976. description: This is the AWS role to be assumed before talking to vault
  23977. type: string
  23978. secretRef:
  23979. description: Specify credentials in a Secret object
  23980. properties:
  23981. accessKeyIDSecretRef:
  23982. description: The AccessKeyID is used for authentication
  23983. properties:
  23984. key:
  23985. description: |-
  23986. A key in the referenced Secret.
  23987. Some instances of this field may be defaulted, in others it may be required.
  23988. maxLength: 253
  23989. minLength: 1
  23990. pattern: ^[-._a-zA-Z0-9]+$
  23991. type: string
  23992. name:
  23993. description: The name of the Secret resource being referred to.
  23994. maxLength: 253
  23995. minLength: 1
  23996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23997. type: string
  23998. namespace:
  23999. description: |-
  24000. The namespace of the Secret resource being referred to.
  24001. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24002. maxLength: 63
  24003. minLength: 1
  24004. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24005. type: string
  24006. type: object
  24007. secretAccessKeySecretRef:
  24008. description: The SecretAccessKey is used for authentication
  24009. properties:
  24010. key:
  24011. description: |-
  24012. A key in the referenced Secret.
  24013. Some instances of this field may be defaulted, in others it may be required.
  24014. maxLength: 253
  24015. minLength: 1
  24016. pattern: ^[-._a-zA-Z0-9]+$
  24017. type: string
  24018. name:
  24019. description: The name of the Secret resource being referred to.
  24020. maxLength: 253
  24021. minLength: 1
  24022. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24023. type: string
  24024. namespace:
  24025. description: |-
  24026. The namespace of the Secret resource being referred to.
  24027. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24028. maxLength: 63
  24029. minLength: 1
  24030. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24031. type: string
  24032. type: object
  24033. sessionTokenSecretRef:
  24034. description: |-
  24035. The SessionToken used for authentication
  24036. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24037. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24038. properties:
  24039. key:
  24040. description: |-
  24041. A key in the referenced Secret.
  24042. Some instances of this field may be defaulted, in others it may be required.
  24043. maxLength: 253
  24044. minLength: 1
  24045. pattern: ^[-._a-zA-Z0-9]+$
  24046. type: string
  24047. name:
  24048. description: The name of the Secret resource being referred to.
  24049. maxLength: 253
  24050. minLength: 1
  24051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24052. type: string
  24053. namespace:
  24054. description: |-
  24055. The namespace of the Secret resource being referred to.
  24056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24057. maxLength: 63
  24058. minLength: 1
  24059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24060. type: string
  24061. type: object
  24062. type: object
  24063. vaultAwsIamServerID:
  24064. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24065. type: string
  24066. vaultRole:
  24067. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  24068. type: string
  24069. required:
  24070. - vaultRole
  24071. type: object
  24072. jwt:
  24073. description: |-
  24074. Jwt authenticates with Vault by passing role and JWT token using the
  24075. JWT/OIDC authentication method
  24076. properties:
  24077. kubernetesServiceAccountToken:
  24078. description: |-
  24079. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  24080. a token with the `TokenRequest` API.
  24081. properties:
  24082. audiences:
  24083. description: |-
  24084. Optional audiences field that will be used to request a temporary Kubernetes service
  24085. account token for the service account referenced by `serviceAccountRef`.
  24086. Defaults to a single audience `vault` if not specified.
  24087. Deprecated: use serviceAccountRef.Audiences instead
  24088. items:
  24089. type: string
  24090. type: array
  24091. expirationSeconds:
  24092. description: |-
  24093. Optional expiration time in seconds that will be used to request a temporary
  24094. Kubernetes service account token for the service account referenced by
  24095. `serviceAccountRef`.
  24096. Deprecated: this will be removed in the future.
  24097. Defaults to 10 minutes.
  24098. format: int64
  24099. type: integer
  24100. serviceAccountRef:
  24101. description: Service account field containing the name of a kubernetes ServiceAccount.
  24102. properties:
  24103. audiences:
  24104. description: |-
  24105. Audience specifies the `aud` claim for the service account token
  24106. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24107. then these audiences will be appended to the list
  24108. items:
  24109. type: string
  24110. type: array
  24111. name:
  24112. description: The name of the ServiceAccount resource being referred to.
  24113. maxLength: 253
  24114. minLength: 1
  24115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24116. type: string
  24117. namespace:
  24118. description: |-
  24119. Namespace of the resource being referred to.
  24120. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24121. maxLength: 63
  24122. minLength: 1
  24123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24124. type: string
  24125. required:
  24126. - name
  24127. type: object
  24128. required:
  24129. - serviceAccountRef
  24130. type: object
  24131. path:
  24132. default: jwt
  24133. description: |-
  24134. Path where the JWT authentication backend is mounted
  24135. in Vault, e.g: "jwt"
  24136. type: string
  24137. role:
  24138. description: |-
  24139. Role is a JWT role to authenticate using the JWT/OIDC Vault
  24140. authentication method
  24141. type: string
  24142. secretRef:
  24143. description: |-
  24144. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  24145. authenticate with Vault using the JWT/OIDC authentication method.
  24146. properties:
  24147. key:
  24148. description: |-
  24149. A key in the referenced Secret.
  24150. Some instances of this field may be defaulted, in others it may be required.
  24151. maxLength: 253
  24152. minLength: 1
  24153. pattern: ^[-._a-zA-Z0-9]+$
  24154. type: string
  24155. name:
  24156. description: The name of the Secret resource being referred to.
  24157. maxLength: 253
  24158. minLength: 1
  24159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24160. type: string
  24161. namespace:
  24162. description: |-
  24163. The namespace of the Secret resource being referred to.
  24164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24165. maxLength: 63
  24166. minLength: 1
  24167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24168. type: string
  24169. type: object
  24170. required:
  24171. - path
  24172. type: object
  24173. kubernetes:
  24174. description: |-
  24175. Kubernetes authenticates with Vault by passing the ServiceAccount
  24176. token stored in the named Secret resource to the Vault server.
  24177. properties:
  24178. mountPath:
  24179. default: kubernetes
  24180. description: |-
  24181. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  24182. "kubernetes"
  24183. type: string
  24184. role:
  24185. description: |-
  24186. A required field containing the Vault Role to assume. A Role binds a
  24187. Kubernetes ServiceAccount with a set of Vault policies.
  24188. type: string
  24189. secretRef:
  24190. description: |-
  24191. Optional secret field containing a Kubernetes ServiceAccount JWT used
  24192. for authenticating with Vault. If a name is specified without a key,
  24193. `token` is the default. If one is not specified, the one bound to
  24194. the controller will be used.
  24195. properties:
  24196. key:
  24197. description: |-
  24198. A key in the referenced Secret.
  24199. Some instances of this field may be defaulted, in others it may be required.
  24200. maxLength: 253
  24201. minLength: 1
  24202. pattern: ^[-._a-zA-Z0-9]+$
  24203. type: string
  24204. name:
  24205. description: The name of the Secret resource being referred to.
  24206. maxLength: 253
  24207. minLength: 1
  24208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24209. type: string
  24210. namespace:
  24211. description: |-
  24212. The namespace of the Secret resource being referred to.
  24213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24214. maxLength: 63
  24215. minLength: 1
  24216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24217. type: string
  24218. type: object
  24219. serviceAccountRef:
  24220. description: |-
  24221. Optional service account field containing the name of a kubernetes ServiceAccount.
  24222. If the service account is specified, the service account secret token JWT will be used
  24223. for authenticating with Vault. If the service account selector is not supplied,
  24224. the secretRef will be used instead.
  24225. properties:
  24226. audiences:
  24227. description: |-
  24228. Audience specifies the `aud` claim for the service account token
  24229. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24230. then these audiences will be appended to the list
  24231. items:
  24232. type: string
  24233. type: array
  24234. name:
  24235. description: The name of the ServiceAccount resource being referred to.
  24236. maxLength: 253
  24237. minLength: 1
  24238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24239. type: string
  24240. namespace:
  24241. description: |-
  24242. Namespace of the resource being referred to.
  24243. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24244. maxLength: 63
  24245. minLength: 1
  24246. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24247. type: string
  24248. required:
  24249. - name
  24250. type: object
  24251. required:
  24252. - mountPath
  24253. - role
  24254. type: object
  24255. ldap:
  24256. description: |-
  24257. Ldap authenticates with Vault by passing username/password pair using
  24258. the LDAP authentication method
  24259. properties:
  24260. path:
  24261. default: ldap
  24262. description: |-
  24263. Path where the LDAP authentication backend is mounted
  24264. in Vault, e.g: "ldap"
  24265. type: string
  24266. secretRef:
  24267. description: |-
  24268. SecretRef to a key in a Secret resource containing password for the LDAP
  24269. user used to authenticate with Vault using the LDAP authentication
  24270. method
  24271. properties:
  24272. key:
  24273. description: |-
  24274. A key in the referenced Secret.
  24275. Some instances of this field may be defaulted, in others it may be required.
  24276. maxLength: 253
  24277. minLength: 1
  24278. pattern: ^[-._a-zA-Z0-9]+$
  24279. type: string
  24280. name:
  24281. description: The name of the Secret resource being referred to.
  24282. maxLength: 253
  24283. minLength: 1
  24284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24285. type: string
  24286. namespace:
  24287. description: |-
  24288. The namespace of the Secret resource being referred to.
  24289. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24290. maxLength: 63
  24291. minLength: 1
  24292. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24293. type: string
  24294. type: object
  24295. username:
  24296. description: |-
  24297. Username is an LDAP username used to authenticate using the LDAP Vault
  24298. authentication method
  24299. type: string
  24300. required:
  24301. - path
  24302. - username
  24303. type: object
  24304. namespace:
  24305. description: |-
  24306. Name of the vault namespace to authenticate to. This can be different from the namespace your secret is in.
  24307. Namespaces is a set of features within Vault Enterprise that allows
  24308. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24309. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24310. This defaults to the Vault.Namespace field if set, or is empty otherwise
  24311. type: string
  24312. tokenSecretRef:
  24313. description: TokenSecretRef authenticates with Vault by presenting a token.
  24314. properties:
  24315. key:
  24316. description: |-
  24317. A key in the referenced Secret.
  24318. Some instances of this field may be defaulted, in others it may be required.
  24319. maxLength: 253
  24320. minLength: 1
  24321. pattern: ^[-._a-zA-Z0-9]+$
  24322. type: string
  24323. name:
  24324. description: The name of the Secret resource being referred to.
  24325. maxLength: 253
  24326. minLength: 1
  24327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24328. type: string
  24329. namespace:
  24330. description: |-
  24331. The namespace of the Secret resource being referred to.
  24332. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24333. maxLength: 63
  24334. minLength: 1
  24335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24336. type: string
  24337. type: object
  24338. userPass:
  24339. description: UserPass authenticates with Vault by passing username/password pair
  24340. properties:
  24341. path:
  24342. default: userpass
  24343. description: |-
  24344. Path where the UserPassword authentication backend is mounted
  24345. in Vault, e.g: "userpass"
  24346. type: string
  24347. secretRef:
  24348. description: |-
  24349. SecretRef to a key in a Secret resource containing password for the
  24350. user used to authenticate with Vault using the UserPass authentication
  24351. method
  24352. properties:
  24353. key:
  24354. description: |-
  24355. A key in the referenced Secret.
  24356. Some instances of this field may be defaulted, in others it may be required.
  24357. maxLength: 253
  24358. minLength: 1
  24359. pattern: ^[-._a-zA-Z0-9]+$
  24360. type: string
  24361. name:
  24362. description: The name of the Secret resource being referred to.
  24363. maxLength: 253
  24364. minLength: 1
  24365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24366. type: string
  24367. namespace:
  24368. description: |-
  24369. The namespace of the Secret resource being referred to.
  24370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24371. maxLength: 63
  24372. minLength: 1
  24373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24374. type: string
  24375. type: object
  24376. username:
  24377. description: |-
  24378. Username is a username used to authenticate using the UserPass Vault
  24379. authentication method
  24380. type: string
  24381. required:
  24382. - path
  24383. - username
  24384. type: object
  24385. type: object
  24386. caBundle:
  24387. description: |-
  24388. PEM encoded CA bundle used to validate Vault server certificate. Only used
  24389. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24390. plain HTTP protocol connection. If not set the system root certificates
  24391. are used to validate the TLS connection.
  24392. format: byte
  24393. type: string
  24394. caProvider:
  24395. description: The provider for the CA bundle to use to validate Vault server certificate.
  24396. properties:
  24397. key:
  24398. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24399. maxLength: 253
  24400. minLength: 1
  24401. pattern: ^[-._a-zA-Z0-9]+$
  24402. type: string
  24403. name:
  24404. description: The name of the object located at the provider type.
  24405. maxLength: 253
  24406. minLength: 1
  24407. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24408. type: string
  24409. namespace:
  24410. description: |-
  24411. The namespace the Provider type is in.
  24412. Can only be defined when used in a ClusterSecretStore.
  24413. maxLength: 63
  24414. minLength: 1
  24415. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24416. type: string
  24417. type:
  24418. description: The type of provider to use such as "Secret", or "ConfigMap".
  24419. enum:
  24420. - Secret
  24421. - ConfigMap
  24422. type: string
  24423. required:
  24424. - name
  24425. - type
  24426. type: object
  24427. forwardInconsistent:
  24428. description: |-
  24429. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  24430. leader instead of simply retrying within a loop. This can increase performance if
  24431. the option is enabled serverside.
  24432. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  24433. type: boolean
  24434. headers:
  24435. additionalProperties:
  24436. type: string
  24437. description: Headers to be added to the Vault request
  24438. type: object
  24439. namespace:
  24440. description: |-
  24441. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  24442. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  24443. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  24444. type: string
  24445. path:
  24446. description: |-
  24447. Path is the mount path of the Vault KV backend endpoint, e.g:
  24448. "secret". The v2 KV secret engine version specific "/data" path suffix
  24449. for fetching secrets from Vault is optional and will be appended
  24450. if not present in specified path.
  24451. type: string
  24452. readYourWrites:
  24453. description: |-
  24454. ReadYourWrites ensures isolated read-after-write semantics by
  24455. providing discovered cluster replication states in each request.
  24456. More information about eventual consistency in Vault can be found here
  24457. https://www.vaultproject.io/docs/enterprise/consistency
  24458. type: boolean
  24459. server:
  24460. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  24461. type: string
  24462. tls:
  24463. description: |-
  24464. The configuration used for client side related TLS communication, when the Vault server
  24465. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  24466. This parameter is ignored for plain HTTP protocol connection.
  24467. It's worth noting this configuration is different from the "TLS certificates auth method",
  24468. which is available under the `auth.cert` section.
  24469. properties:
  24470. certSecretRef:
  24471. description: |-
  24472. CertSecretRef is a certificate added to the transport layer
  24473. when communicating with the Vault server.
  24474. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  24475. properties:
  24476. key:
  24477. description: |-
  24478. A key in the referenced Secret.
  24479. Some instances of this field may be defaulted, in others it may be required.
  24480. maxLength: 253
  24481. minLength: 1
  24482. pattern: ^[-._a-zA-Z0-9]+$
  24483. type: string
  24484. name:
  24485. description: The name of the Secret resource being referred to.
  24486. maxLength: 253
  24487. minLength: 1
  24488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24489. type: string
  24490. namespace:
  24491. description: |-
  24492. The namespace of the Secret resource being referred to.
  24493. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24494. maxLength: 63
  24495. minLength: 1
  24496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24497. type: string
  24498. type: object
  24499. keySecretRef:
  24500. description: |-
  24501. KeySecretRef to a key in a Secret resource containing client private key
  24502. added to the transport layer when communicating with the Vault server.
  24503. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  24504. properties:
  24505. key:
  24506. description: |-
  24507. A key in the referenced Secret.
  24508. Some instances of this field may be defaulted, in others it may be required.
  24509. maxLength: 253
  24510. minLength: 1
  24511. pattern: ^[-._a-zA-Z0-9]+$
  24512. type: string
  24513. name:
  24514. description: The name of the Secret resource being referred to.
  24515. maxLength: 253
  24516. minLength: 1
  24517. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24518. type: string
  24519. namespace:
  24520. description: |-
  24521. The namespace of the Secret resource being referred to.
  24522. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24523. maxLength: 63
  24524. minLength: 1
  24525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24526. type: string
  24527. type: object
  24528. type: object
  24529. version:
  24530. default: v2
  24531. description: |-
  24532. Version is the Vault KV secret engine version. This can be either "v1" or
  24533. "v2". Version defaults to "v2".
  24534. enum:
  24535. - v1
  24536. - v2
  24537. type: string
  24538. required:
  24539. - server
  24540. type: object
  24541. webhook:
  24542. description: Webhook configures this store to sync secrets using a generic templated webhook
  24543. properties:
  24544. auth:
  24545. description: Auth specifies an authorization protocol. Only one protocol may be set.
  24546. maxProperties: 1
  24547. minProperties: 1
  24548. properties:
  24549. ntlm:
  24550. description: NTLMProtocol configures the store to use NTLM for auth
  24551. properties:
  24552. passwordSecret:
  24553. description: |-
  24554. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24555. In some instances, `key` is a required field.
  24556. properties:
  24557. key:
  24558. description: |-
  24559. A key in the referenced Secret.
  24560. Some instances of this field may be defaulted, in others it may be required.
  24561. maxLength: 253
  24562. minLength: 1
  24563. pattern: ^[-._a-zA-Z0-9]+$
  24564. type: string
  24565. name:
  24566. description: The name of the Secret resource being referred to.
  24567. maxLength: 253
  24568. minLength: 1
  24569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24570. type: string
  24571. namespace:
  24572. description: |-
  24573. The namespace of the Secret resource being referred to.
  24574. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24575. maxLength: 63
  24576. minLength: 1
  24577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24578. type: string
  24579. type: object
  24580. usernameSecret:
  24581. description: |-
  24582. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24583. In some instances, `key` is a required field.
  24584. properties:
  24585. key:
  24586. description: |-
  24587. A key in the referenced Secret.
  24588. Some instances of this field may be defaulted, in others it may be required.
  24589. maxLength: 253
  24590. minLength: 1
  24591. pattern: ^[-._a-zA-Z0-9]+$
  24592. type: string
  24593. name:
  24594. description: The name of the Secret resource being referred to.
  24595. maxLength: 253
  24596. minLength: 1
  24597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24598. type: string
  24599. namespace:
  24600. description: |-
  24601. The namespace of the Secret resource being referred to.
  24602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24603. maxLength: 63
  24604. minLength: 1
  24605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24606. type: string
  24607. type: object
  24608. required:
  24609. - passwordSecret
  24610. - usernameSecret
  24611. type: object
  24612. type: object
  24613. body:
  24614. description: Body
  24615. type: string
  24616. caBundle:
  24617. description: |-
  24618. PEM encoded CA bundle used to validate webhook server certificate. Only used
  24619. if the Server URL is using HTTPS protocol. This parameter is ignored for
  24620. plain HTTP protocol connection. If not set the system root certificates
  24621. are used to validate the TLS connection.
  24622. format: byte
  24623. type: string
  24624. caProvider:
  24625. description: The provider for the CA bundle to use to validate webhook server certificate.
  24626. properties:
  24627. key:
  24628. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  24629. maxLength: 253
  24630. minLength: 1
  24631. pattern: ^[-._a-zA-Z0-9]+$
  24632. type: string
  24633. name:
  24634. description: The name of the object located at the provider type.
  24635. maxLength: 253
  24636. minLength: 1
  24637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24638. type: string
  24639. namespace:
  24640. description: The namespace the Provider type is in.
  24641. maxLength: 63
  24642. minLength: 1
  24643. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24644. type: string
  24645. type:
  24646. description: The type of provider to use such as "Secret", or "ConfigMap".
  24647. enum:
  24648. - Secret
  24649. - ConfigMap
  24650. type: string
  24651. required:
  24652. - name
  24653. - type
  24654. type: object
  24655. headers:
  24656. additionalProperties:
  24657. type: string
  24658. description: Headers
  24659. type: object
  24660. method:
  24661. description: Webhook Method
  24662. type: string
  24663. result:
  24664. description: Result formatting
  24665. properties:
  24666. jsonPath:
  24667. description: Json path of return value
  24668. type: string
  24669. type: object
  24670. secrets:
  24671. description: |-
  24672. Secrets to fill in templates
  24673. These secrets will be passed to the templating function as key value pairs under the given name
  24674. items:
  24675. description: WebhookSecret defines a secret to be used in webhook templates.
  24676. properties:
  24677. name:
  24678. description: Name of this secret in templates
  24679. type: string
  24680. secretRef:
  24681. description: Secret ref to fill in credentials
  24682. properties:
  24683. key:
  24684. description: |-
  24685. A key in the referenced Secret.
  24686. Some instances of this field may be defaulted, in others it may be required.
  24687. maxLength: 253
  24688. minLength: 1
  24689. pattern: ^[-._a-zA-Z0-9]+$
  24690. type: string
  24691. name:
  24692. description: The name of the Secret resource being referred to.
  24693. maxLength: 253
  24694. minLength: 1
  24695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24696. type: string
  24697. namespace:
  24698. description: |-
  24699. The namespace of the Secret resource being referred to.
  24700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24701. maxLength: 63
  24702. minLength: 1
  24703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24704. type: string
  24705. type: object
  24706. required:
  24707. - name
  24708. - secretRef
  24709. type: object
  24710. type: array
  24711. timeout:
  24712. description: Timeout
  24713. type: string
  24714. url:
  24715. description: Webhook url to call
  24716. type: string
  24717. required:
  24718. - result
  24719. - url
  24720. type: object
  24721. yandexcertificatemanager:
  24722. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  24723. properties:
  24724. apiEndpoint:
  24725. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  24726. type: string
  24727. auth:
  24728. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  24729. properties:
  24730. authorizedKeySecretRef:
  24731. description: The authorized key used for authentication
  24732. properties:
  24733. key:
  24734. description: |-
  24735. A key in the referenced Secret.
  24736. Some instances of this field may be defaulted, in others it may be required.
  24737. maxLength: 253
  24738. minLength: 1
  24739. pattern: ^[-._a-zA-Z0-9]+$
  24740. type: string
  24741. name:
  24742. description: The name of the Secret resource being referred to.
  24743. maxLength: 253
  24744. minLength: 1
  24745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24746. type: string
  24747. namespace:
  24748. description: |-
  24749. The namespace of the Secret resource being referred to.
  24750. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24751. maxLength: 63
  24752. minLength: 1
  24753. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24754. type: string
  24755. type: object
  24756. type: object
  24757. caProvider:
  24758. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  24759. properties:
  24760. certSecretRef:
  24761. description: |-
  24762. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24763. In some instances, `key` is a required field.
  24764. properties:
  24765. key:
  24766. description: |-
  24767. A key in the referenced Secret.
  24768. Some instances of this field may be defaulted, in others it may be required.
  24769. maxLength: 253
  24770. minLength: 1
  24771. pattern: ^[-._a-zA-Z0-9]+$
  24772. type: string
  24773. name:
  24774. description: The name of the Secret resource being referred to.
  24775. maxLength: 253
  24776. minLength: 1
  24777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24778. type: string
  24779. namespace:
  24780. description: |-
  24781. The namespace of the Secret resource being referred to.
  24782. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24783. maxLength: 63
  24784. minLength: 1
  24785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24786. type: string
  24787. type: object
  24788. type: object
  24789. required:
  24790. - auth
  24791. type: object
  24792. yandexlockbox:
  24793. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  24794. properties:
  24795. apiEndpoint:
  24796. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  24797. type: string
  24798. auth:
  24799. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  24800. properties:
  24801. authorizedKeySecretRef:
  24802. description: The authorized key used for authentication
  24803. properties:
  24804. key:
  24805. description: |-
  24806. A key in the referenced Secret.
  24807. Some instances of this field may be defaulted, in others it may be required.
  24808. maxLength: 253
  24809. minLength: 1
  24810. pattern: ^[-._a-zA-Z0-9]+$
  24811. type: string
  24812. name:
  24813. description: The name of the Secret resource being referred to.
  24814. maxLength: 253
  24815. minLength: 1
  24816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24817. type: string
  24818. namespace:
  24819. description: |-
  24820. The namespace of the Secret resource being referred to.
  24821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24822. maxLength: 63
  24823. minLength: 1
  24824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24825. type: string
  24826. type: object
  24827. type: object
  24828. caProvider:
  24829. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  24830. properties:
  24831. certSecretRef:
  24832. description: |-
  24833. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24834. In some instances, `key` is a required field.
  24835. properties:
  24836. key:
  24837. description: |-
  24838. A key in the referenced Secret.
  24839. Some instances of this field may be defaulted, in others it may be required.
  24840. maxLength: 253
  24841. minLength: 1
  24842. pattern: ^[-._a-zA-Z0-9]+$
  24843. type: string
  24844. name:
  24845. description: The name of the Secret resource being referred to.
  24846. maxLength: 253
  24847. minLength: 1
  24848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24849. type: string
  24850. namespace:
  24851. description: |-
  24852. The namespace of the Secret resource being referred to.
  24853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24854. maxLength: 63
  24855. minLength: 1
  24856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24857. type: string
  24858. type: object
  24859. type: object
  24860. required:
  24861. - auth
  24862. type: object
  24863. type: object
  24864. refreshInterval:
  24865. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  24866. type: integer
  24867. retrySettings:
  24868. description: Used to configure HTTP retries on failures.
  24869. properties:
  24870. maxRetries:
  24871. description: MaxRetries is the maximum number of retry attempts.
  24872. format: int32
  24873. type: integer
  24874. retryInterval:
  24875. description: RetryInterval is the interval between retry attempts.
  24876. type: string
  24877. type: object
  24878. required:
  24879. - provider
  24880. type: object
  24881. status:
  24882. description: SecretStoreStatus defines the observed state of the SecretStore.
  24883. properties:
  24884. capabilities:
  24885. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  24886. type: string
  24887. conditions:
  24888. items:
  24889. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  24890. properties:
  24891. lastTransitionTime:
  24892. format: date-time
  24893. type: string
  24894. message:
  24895. type: string
  24896. reason:
  24897. type: string
  24898. status:
  24899. type: string
  24900. type:
  24901. description: SecretStoreConditionType represents the condition type of the SecretStore.
  24902. type: string
  24903. required:
  24904. - status
  24905. - type
  24906. type: object
  24907. type: array
  24908. type: object
  24909. type: object
  24910. served: false
  24911. storage: false
  24912. subresources:
  24913. status: {}
  24914. ---
  24915. apiVersion: apiextensions.k8s.io/v1
  24916. kind: CustomResourceDefinition
  24917. metadata:
  24918. annotations:
  24919. controller-gen.kubebuilder.io/version: v0.19.0
  24920. labels:
  24921. external-secrets.io/component: controller
  24922. name: acraccesstokens.generators.external-secrets.io
  24923. spec:
  24924. group: generators.external-secrets.io
  24925. names:
  24926. categories:
  24927. - external-secrets
  24928. - external-secrets-generators
  24929. kind: ACRAccessToken
  24930. listKind: ACRAccessTokenList
  24931. plural: acraccesstokens
  24932. singular: acraccesstoken
  24933. scope: Namespaced
  24934. versions:
  24935. - name: v1alpha1
  24936. schema:
  24937. openAPIV3Schema:
  24938. description: |-
  24939. ACRAccessToken returns an Azure Container Registry token
  24940. that can be used for pushing/pulling images.
  24941. Note: by default it will return an ACR Refresh Token with full access
  24942. (depending on the identity).
  24943. This can be scoped down to the repository level using .spec.scope.
  24944. In case scope is defined it will return an ACR Access Token.
  24945. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  24946. properties:
  24947. apiVersion:
  24948. description: |-
  24949. APIVersion defines the versioned schema of this representation of an object.
  24950. Servers should convert recognized schemas to the latest internal value, and
  24951. may reject unrecognized values.
  24952. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  24953. type: string
  24954. kind:
  24955. description: |-
  24956. Kind is a string value representing the REST resource this object represents.
  24957. Servers may infer this from the endpoint the client submits requests to.
  24958. Cannot be updated.
  24959. In CamelCase.
  24960. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  24961. type: string
  24962. metadata:
  24963. type: object
  24964. spec:
  24965. description: |-
  24966. ACRAccessTokenSpec defines how to generate the access token
  24967. e.g. how to authenticate and which registry to use.
  24968. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  24969. properties:
  24970. auth:
  24971. description: ACRAuth defines the authentication methods for Azure Container Registry.
  24972. properties:
  24973. managedIdentity:
  24974. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  24975. properties:
  24976. identityId:
  24977. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  24978. type: string
  24979. type: object
  24980. servicePrincipal:
  24981. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  24982. properties:
  24983. secretRef:
  24984. description: |-
  24985. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  24986. It uses static credentials stored in a Kind=Secret.
  24987. properties:
  24988. clientId:
  24989. description: The Azure clientId of the service principal used for authentication.
  24990. properties:
  24991. key:
  24992. description: |-
  24993. A key in the referenced Secret.
  24994. Some instances of this field may be defaulted, in others it may be required.
  24995. maxLength: 253
  24996. minLength: 1
  24997. pattern: ^[-._a-zA-Z0-9]+$
  24998. type: string
  24999. name:
  25000. description: The name of the Secret resource being referred to.
  25001. maxLength: 253
  25002. minLength: 1
  25003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25004. type: string
  25005. namespace:
  25006. description: |-
  25007. The namespace of the Secret resource being referred to.
  25008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25009. maxLength: 63
  25010. minLength: 1
  25011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25012. type: string
  25013. type: object
  25014. clientSecret:
  25015. description: The Azure ClientSecret of the service principal used for authentication.
  25016. properties:
  25017. key:
  25018. description: |-
  25019. A key in the referenced Secret.
  25020. Some instances of this field may be defaulted, in others it may be required.
  25021. maxLength: 253
  25022. minLength: 1
  25023. pattern: ^[-._a-zA-Z0-9]+$
  25024. type: string
  25025. name:
  25026. description: The name of the Secret resource being referred to.
  25027. maxLength: 253
  25028. minLength: 1
  25029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25030. type: string
  25031. namespace:
  25032. description: |-
  25033. The namespace of the Secret resource being referred to.
  25034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25035. maxLength: 63
  25036. minLength: 1
  25037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25038. type: string
  25039. type: object
  25040. type: object
  25041. required:
  25042. - secretRef
  25043. type: object
  25044. workloadIdentity:
  25045. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25046. properties:
  25047. serviceAccountRef:
  25048. description: |-
  25049. ServiceAccountRef specifies the service account
  25050. that should be used when authenticating with WorkloadIdentity.
  25051. properties:
  25052. audiences:
  25053. description: |-
  25054. Audience specifies the `aud` claim for the service account token
  25055. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25056. then these audiences will be appended to the list
  25057. items:
  25058. type: string
  25059. type: array
  25060. name:
  25061. description: The name of the ServiceAccount resource being referred to.
  25062. maxLength: 253
  25063. minLength: 1
  25064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25065. type: string
  25066. namespace:
  25067. description: |-
  25068. Namespace of the resource being referred to.
  25069. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25070. maxLength: 63
  25071. minLength: 1
  25072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25073. type: string
  25074. required:
  25075. - name
  25076. type: object
  25077. type: object
  25078. type: object
  25079. environmentType:
  25080. default: PublicCloud
  25081. description: |-
  25082. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25083. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25084. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25085. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25086. enum:
  25087. - PublicCloud
  25088. - USGovernmentCloud
  25089. - ChinaCloud
  25090. - GermanCloud
  25091. - AzureStackCloud
  25092. type: string
  25093. registry:
  25094. description: |-
  25095. the domain name of the ACR registry
  25096. e.g. foobarexample.azurecr.io
  25097. type: string
  25098. scope:
  25099. description: |-
  25100. Define the scope for the access token, e.g. pull/push access for a repository.
  25101. If not provided, it will return a refresh token that has full scope.
  25102. Note: you need to pin it down to the repository level; no wildcard is available.
  25103. examples:
  25104. repository:my-repository:pull,push
  25105. repository:my-repository:pull
  25106. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25107. type: string
  25108. tenantId:
  25109. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25110. type: string
  25111. required:
  25112. - auth
  25113. - registry
  25114. type: object
  25115. type: object
  25116. served: true
  25117. storage: true
  25118. subresources:
  25119. status: {}
  25120. ---
  25121. apiVersion: apiextensions.k8s.io/v1
  25122. kind: CustomResourceDefinition
  25123. metadata:
  25124. annotations:
  25125. controller-gen.kubebuilder.io/version: v0.19.0
  25126. labels:
  25127. external-secrets.io/component: controller
  25128. name: cloudsmithaccesstokens.generators.external-secrets.io
  25129. spec:
  25130. group: generators.external-secrets.io
  25131. names:
  25132. categories:
  25133. - external-secrets
  25134. - external-secrets-generators
  25135. kind: CloudsmithAccessToken
  25136. listKind: CloudsmithAccessTokenList
  25137. plural: cloudsmithaccesstokens
  25138. singular: cloudsmithaccesstoken
  25139. scope: Namespaced
  25140. versions:
  25141. - name: v1alpha1
  25142. schema:
  25143. openAPIV3Schema:
  25144. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  25145. properties:
  25146. apiVersion:
  25147. description: |-
  25148. APIVersion defines the versioned schema of this representation of an object.
  25149. Servers should convert recognized schemas to the latest internal value, and
  25150. may reject unrecognized values.
  25151. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25152. type: string
  25153. kind:
  25154. description: |-
  25155. Kind is a string value representing the REST resource this object represents.
  25156. Servers may infer this from the endpoint the client submits requests to.
  25157. Cannot be updated.
  25158. In CamelCase.
  25159. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25160. type: string
  25161. metadata:
  25162. type: object
  25163. spec:
  25164. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25165. properties:
  25166. apiUrl:
  25167. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25168. type: string
  25169. orgSlug:
  25170. description: OrgSlug is the organization slug in Cloudsmith
  25171. type: string
  25172. serviceAccountRef:
  25173. description: Name of the service account you are federating with
  25174. properties:
  25175. audiences:
  25176. description: |-
  25177. Audience specifies the `aud` claim for the service account token
  25178. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25179. then these audiences will be appended to the list
  25180. items:
  25181. type: string
  25182. type: array
  25183. name:
  25184. description: The name of the ServiceAccount resource being referred to.
  25185. maxLength: 253
  25186. minLength: 1
  25187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25188. type: string
  25189. namespace:
  25190. description: |-
  25191. Namespace of the resource being referred to.
  25192. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25193. maxLength: 63
  25194. minLength: 1
  25195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25196. type: string
  25197. required:
  25198. - name
  25199. type: object
  25200. serviceSlug:
  25201. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25202. type: string
  25203. required:
  25204. - orgSlug
  25205. - serviceAccountRef
  25206. - serviceSlug
  25207. type: object
  25208. type: object
  25209. served: true
  25210. storage: true
  25211. subresources:
  25212. status: {}
  25213. ---
  25214. apiVersion: apiextensions.k8s.io/v1
  25215. kind: CustomResourceDefinition
  25216. metadata:
  25217. annotations:
  25218. controller-gen.kubebuilder.io/version: v0.19.0
  25219. labels:
  25220. external-secrets.io/component: controller
  25221. name: clustergenerators.generators.external-secrets.io
  25222. spec:
  25223. group: generators.external-secrets.io
  25224. names:
  25225. categories:
  25226. - external-secrets
  25227. - external-secrets-generators
  25228. kind: ClusterGenerator
  25229. listKind: ClusterGeneratorList
  25230. plural: clustergenerators
  25231. singular: clustergenerator
  25232. scope: Cluster
  25233. versions:
  25234. - name: v1alpha1
  25235. schema:
  25236. openAPIV3Schema:
  25237. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  25238. properties:
  25239. apiVersion:
  25240. description: |-
  25241. APIVersion defines the versioned schema of this representation of an object.
  25242. Servers should convert recognized schemas to the latest internal value, and
  25243. may reject unrecognized values.
  25244. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25245. type: string
  25246. kind:
  25247. description: |-
  25248. Kind is a string value representing the REST resource this object represents.
  25249. Servers may infer this from the endpoint the client submits requests to.
  25250. Cannot be updated.
  25251. In CamelCase.
  25252. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25253. type: string
  25254. metadata:
  25255. type: object
  25256. spec:
  25257. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  25258. properties:
  25259. generator:
  25260. description: Generator the spec for this generator, must match the kind.
  25261. maxProperties: 1
  25262. minProperties: 1
  25263. properties:
  25264. acrAccessTokenSpec:
  25265. description: |-
  25266. ACRAccessTokenSpec defines how to generate the access token
  25267. e.g. how to authenticate and which registry to use.
  25268. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25269. properties:
  25270. auth:
  25271. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25272. properties:
  25273. managedIdentity:
  25274. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25275. properties:
  25276. identityId:
  25277. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  25278. type: string
  25279. type: object
  25280. servicePrincipal:
  25281. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25282. properties:
  25283. secretRef:
  25284. description: |-
  25285. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25286. It uses static credentials stored in a Kind=Secret.
  25287. properties:
  25288. clientId:
  25289. description: The Azure clientId of the service principal used for authentication.
  25290. properties:
  25291. key:
  25292. description: |-
  25293. A key in the referenced Secret.
  25294. Some instances of this field may be defaulted, in others it may be required.
  25295. maxLength: 253
  25296. minLength: 1
  25297. pattern: ^[-._a-zA-Z0-9]+$
  25298. type: string
  25299. name:
  25300. description: The name of the Secret resource being referred to.
  25301. maxLength: 253
  25302. minLength: 1
  25303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25304. type: string
  25305. namespace:
  25306. description: |-
  25307. The namespace of the Secret resource being referred to.
  25308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25309. maxLength: 63
  25310. minLength: 1
  25311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25312. type: string
  25313. type: object
  25314. clientSecret:
  25315. description: The Azure ClientSecret of the service principal used for authentication.
  25316. properties:
  25317. key:
  25318. description: |-
  25319. A key in the referenced Secret.
  25320. Some instances of this field may be defaulted, in others it may be required.
  25321. maxLength: 253
  25322. minLength: 1
  25323. pattern: ^[-._a-zA-Z0-9]+$
  25324. type: string
  25325. name:
  25326. description: The name of the Secret resource being referred to.
  25327. maxLength: 253
  25328. minLength: 1
  25329. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25330. type: string
  25331. namespace:
  25332. description: |-
  25333. The namespace of the Secret resource being referred to.
  25334. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25335. maxLength: 63
  25336. minLength: 1
  25337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25338. type: string
  25339. type: object
  25340. type: object
  25341. required:
  25342. - secretRef
  25343. type: object
  25344. workloadIdentity:
  25345. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25346. properties:
  25347. serviceAccountRef:
  25348. description: |-
  25349. ServiceAccountRef specifies the service account
  25350. that should be used when authenticating with WorkloadIdentity.
  25351. properties:
  25352. audiences:
  25353. description: |-
  25354. Audience specifies the `aud` claim for the service account token
  25355. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25356. then these audiences will be appended to the list
  25357. items:
  25358. type: string
  25359. type: array
  25360. name:
  25361. description: The name of the ServiceAccount resource being referred to.
  25362. maxLength: 253
  25363. minLength: 1
  25364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25365. type: string
  25366. namespace:
  25367. description: |-
  25368. Namespace of the resource being referred to.
  25369. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25370. maxLength: 63
  25371. minLength: 1
  25372. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25373. type: string
  25374. required:
  25375. - name
  25376. type: object
  25377. type: object
  25378. type: object
  25379. environmentType:
  25380. default: PublicCloud
  25381. description: |-
  25382. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25383. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25384. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25385. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25386. enum:
  25387. - PublicCloud
  25388. - USGovernmentCloud
  25389. - ChinaCloud
  25390. - GermanCloud
  25391. - AzureStackCloud
  25392. type: string
  25393. registry:
  25394. description: |-
  25395. the domain name of the ACR registry
  25396. e.g. foobarexample.azurecr.io
  25397. type: string
  25398. scope:
  25399. description: |-
  25400. Define the scope for the access token, e.g. pull/push access for a repository.
  25401. If not provided, it will return a refresh token that has full scope.
  25402. Note: you need to pin it down to the repository level; no wildcard is available.
  25403. examples:
  25404. repository:my-repository:pull,push
  25405. repository:my-repository:pull
  25406. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25407. type: string
  25408. tenantId:
  25409. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25410. type: string
  25411. required:
  25412. - auth
  25413. - registry
  25414. type: object
  25415. cloudsmithAccessTokenSpec:
  25416. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  25417. properties:
  25418. apiUrl:
  25419. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  25420. type: string
  25421. orgSlug:
  25422. description: OrgSlug is the organization slug in Cloudsmith
  25423. type: string
  25424. serviceAccountRef:
  25425. description: Name of the service account you are federating with
  25426. properties:
  25427. audiences:
  25428. description: |-
  25429. Audience specifies the `aud` claim for the service account token
  25430. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25431. then these audiences will be appended to the list
  25432. items:
  25433. type: string
  25434. type: array
  25435. name:
  25436. description: The name of the ServiceAccount resource being referred to.
  25437. maxLength: 253
  25438. minLength: 1
  25439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25440. type: string
  25441. namespace:
  25442. description: |-
  25443. Namespace of the resource being referred to.
  25444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25445. maxLength: 63
  25446. minLength: 1
  25447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25448. type: string
  25449. required:
  25450. - name
  25451. type: object
  25452. serviceSlug:
  25453. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  25454. type: string
  25455. required:
  25456. - orgSlug
  25457. - serviceAccountRef
  25458. - serviceSlug
  25459. type: object
  25460. ecrAuthorizationTokenSpec:
  25461. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  25462. properties:
  25463. auth:
  25464. description: Auth defines how to authenticate with AWS
  25465. properties:
  25466. jwt:
  25467. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  25468. properties:
  25469. serviceAccountRef:
  25470. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  25471. properties:
  25472. audiences:
  25473. description: |-
  25474. Audience specifies the `aud` claim for the service account token
  25475. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25476. then these audiences will be appended to the list
  25477. items:
  25478. type: string
  25479. type: array
  25480. name:
  25481. description: The name of the ServiceAccount resource being referred to.
  25482. maxLength: 253
  25483. minLength: 1
  25484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25485. type: string
  25486. namespace:
  25487. description: |-
  25488. Namespace of the resource being referred to.
  25489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25490. maxLength: 63
  25491. minLength: 1
  25492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25493. type: string
  25494. required:
  25495. - name
  25496. type: object
  25497. type: object
  25498. secretRef:
  25499. description: |-
  25500. AWSAuthSecretRef holds secret references for AWS credentials
  25501. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  25502. properties:
  25503. accessKeyIDSecretRef:
  25504. description: The AccessKeyID is used for authentication
  25505. properties:
  25506. key:
  25507. description: |-
  25508. A key in the referenced Secret.
  25509. Some instances of this field may be defaulted, in others it may be required.
  25510. maxLength: 253
  25511. minLength: 1
  25512. pattern: ^[-._a-zA-Z0-9]+$
  25513. type: string
  25514. name:
  25515. description: The name of the Secret resource being referred to.
  25516. maxLength: 253
  25517. minLength: 1
  25518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25519. type: string
  25520. namespace:
  25521. description: |-
  25522. The namespace of the Secret resource being referred to.
  25523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25524. maxLength: 63
  25525. minLength: 1
  25526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25527. type: string
  25528. type: object
  25529. secretAccessKeySecretRef:
  25530. description: The SecretAccessKey is used for authentication
  25531. properties:
  25532. key:
  25533. description: |-
  25534. A key in the referenced Secret.
  25535. Some instances of this field may be defaulted, in others it may be required.
  25536. maxLength: 253
  25537. minLength: 1
  25538. pattern: ^[-._a-zA-Z0-9]+$
  25539. type: string
  25540. name:
  25541. description: The name of the Secret resource being referred to.
  25542. maxLength: 253
  25543. minLength: 1
  25544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25545. type: string
  25546. namespace:
  25547. description: |-
  25548. The namespace of the Secret resource being referred to.
  25549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25550. maxLength: 63
  25551. minLength: 1
  25552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25553. type: string
  25554. type: object
  25555. sessionTokenSecretRef:
  25556. description: |-
  25557. The SessionToken used for authentication
  25558. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  25559. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  25560. properties:
  25561. key:
  25562. description: |-
  25563. A key in the referenced Secret.
  25564. Some instances of this field may be defaulted, in others it may be required.
  25565. maxLength: 253
  25566. minLength: 1
  25567. pattern: ^[-._a-zA-Z0-9]+$
  25568. type: string
  25569. name:
  25570. description: The name of the Secret resource being referred to.
  25571. maxLength: 253
  25572. minLength: 1
  25573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25574. type: string
  25575. namespace:
  25576. description: |-
  25577. The namespace of the Secret resource being referred to.
  25578. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25579. maxLength: 63
  25580. minLength: 1
  25581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25582. type: string
  25583. type: object
  25584. type: object
  25585. type: object
  25586. region:
  25587. description: Region specifies the region to operate in.
  25588. type: string
  25589. role:
  25590. description: |-
  25591. You can assume a role before making calls to the
  25592. desired AWS service.
  25593. type: string
  25594. scope:
  25595. description: |-
  25596. Scope specifies the ECR service scope.
  25597. Valid options are private and public.
  25598. type: string
  25599. required:
  25600. - region
  25601. type: object
  25602. fakeSpec:
  25603. description: FakeSpec contains the static data.
  25604. properties:
  25605. controller:
  25606. description: |-
  25607. Used to select the correct ESO controller (think: ingress.ingressClassName)
  25608. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  25609. type: string
  25610. data:
  25611. additionalProperties:
  25612. type: string
  25613. description: |-
  25614. Data defines the static data returned
  25615. by this generator.
  25616. type: object
  25617. type: object
  25618. gcrAccessTokenSpec:
  25619. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  25620. properties:
  25621. auth:
  25622. description: Auth defines the means for authenticating with GCP
  25623. properties:
  25624. secretRef:
  25625. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  25626. properties:
  25627. secretAccessKeySecretRef:
  25628. description: The SecretAccessKey is used for authentication
  25629. properties:
  25630. key:
  25631. description: |-
  25632. A key in the referenced Secret.
  25633. Some instances of this field may be defaulted, in others it may be required.
  25634. maxLength: 253
  25635. minLength: 1
  25636. pattern: ^[-._a-zA-Z0-9]+$
  25637. type: string
  25638. name:
  25639. description: The name of the Secret resource being referred to.
  25640. maxLength: 253
  25641. minLength: 1
  25642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25643. type: string
  25644. namespace:
  25645. description: |-
  25646. The namespace of the Secret resource being referred to.
  25647. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25648. maxLength: 63
  25649. minLength: 1
  25650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25651. type: string
  25652. type: object
  25653. type: object
  25654. workloadIdentity:
  25655. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  25656. properties:
  25657. clusterLocation:
  25658. type: string
  25659. clusterName:
  25660. type: string
  25661. clusterProjectID:
  25662. type: string
  25663. serviceAccountRef:
  25664. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  25665. properties:
  25666. audiences:
  25667. description: |-
  25668. Audience specifies the `aud` claim for the service account token
  25669. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25670. then these audiences will be appended to the list
  25671. items:
  25672. type: string
  25673. type: array
  25674. name:
  25675. description: The name of the ServiceAccount resource being referred to.
  25676. maxLength: 253
  25677. minLength: 1
  25678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25679. type: string
  25680. namespace:
  25681. description: |-
  25682. Namespace of the resource being referred to.
  25683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25684. maxLength: 63
  25685. minLength: 1
  25686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25687. type: string
  25688. required:
  25689. - name
  25690. type: object
  25691. required:
  25692. - clusterLocation
  25693. - clusterName
  25694. - serviceAccountRef
  25695. type: object
  25696. workloadIdentityFederation:
  25697. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  25698. properties:
  25699. audience:
  25700. description: |-
  25701. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  25702. If specified, Audience found in the external account credential config will be overridden with the configured value.
  25703. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  25704. type: string
  25705. awsSecurityCredentials:
  25706. description: |-
  25707. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  25708. when using the AWS metadata server is not an option.
  25709. properties:
  25710. awsCredentialsSecretRef:
  25711. description: |-
  25712. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  25713. The Secret should be created with the following key names:
  25714. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  25715. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  25716. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  25717. properties:
  25718. name:
  25719. description: name of the secret.
  25720. maxLength: 253
  25721. minLength: 1
  25722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25723. type: string
  25724. namespace:
  25725. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  25726. maxLength: 63
  25727. minLength: 1
  25728. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25729. type: string
  25730. required:
  25731. - name
  25732. type: object
  25733. region:
  25734. description: region is for configuring the AWS region to be used.
  25735. example: ap-south-1
  25736. maxLength: 50
  25737. minLength: 1
  25738. pattern: ^[a-z0-9-]+$
  25739. type: string
  25740. required:
  25741. - awsCredentialsSecretRef
  25742. - region
  25743. type: object
  25744. credConfig:
  25745. description: |-
  25746. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  25747. For using a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted service account token cannot be used as the token source; instead,
  25748. serviceAccountRef must be used by providing the operator's service account details.
  25749. properties:
  25750. key:
  25751. description: key name holding the external account credential config.
  25752. maxLength: 253
  25753. minLength: 1
  25754. pattern: ^[-._a-zA-Z0-9]+$
  25755. type: string
  25756. name:
  25757. description: name of the configmap.
  25758. maxLength: 253
  25759. minLength: 1
  25760. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25761. type: string
  25762. namespace:
  25763. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  25764. maxLength: 63
  25765. minLength: 1
  25766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25767. type: string
  25768. required:
  25769. - key
  25770. - name
  25771. type: object
  25772. externalTokenEndpoint:
  25773. description: |-
  25774. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  25775. credential_source.url in the provided credConfig. This field only serves to double-check that the external token source
  25776. URL has the expected value.
  25777. type: string
  25778. gcpServiceAccountEmail:
  25779. description: |-
  25780. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  25781. after Workload Identity Federation. Use this to grant access through the service account's
  25782. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  25783. service_account_impersonation_url in the external account JSON from credConfig;
  25784. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  25785. on that ServiceAccount.
  25786. example: my-gsa@my-project.iam.gserviceaccount.com
  25787. minLength: 1
  25788. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  25789. type: string
  25790. serviceAccountRef:
  25791. description: |-
  25792. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  25793. when Kubernetes is configured as provider in workload identity pool.
  25794. properties:
  25795. audiences:
  25796. description: |-
  25797. Audience specifies the `aud` claim for the service account token
  25798. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25799. then these audiences will be appended to the list
  25800. items:
  25801. type: string
  25802. type: array
  25803. name:
  25804. description: The name of the ServiceAccount resource being referred to.
  25805. maxLength: 253
  25806. minLength: 1
  25807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25808. type: string
  25809. namespace:
  25810. description: |-
  25811. Namespace of the resource being referred to.
  25812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25813. maxLength: 63
  25814. minLength: 1
  25815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25816. type: string
  25817. required:
  25818. - name
  25819. type: object
  25820. type: object
  25821. type: object
  25822. projectID:
  25823. description: ProjectID defines which project to use to authenticate with
  25824. type: string
  25825. required:
  25826. - auth
  25827. - projectID
  25828. type: object
  25829. githubAccessTokenSpec:
  25830. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  25831. properties:
  25832. appID:
  25833. type: string
  25834. auth:
  25835. description: Auth configures how ESO authenticates with a Github instance.
  25836. properties:
  25837. privateKey:
  25838. description: GithubSecretRef references a secret containing GitHub credentials.
  25839. properties:
  25840. secretRef:
  25841. description: |-
  25842. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25843. In some instances, `key` is a required field.
  25844. properties:
  25845. key:
  25846. description: |-
  25847. A key in the referenced Secret.
  25848. Some instances of this field may be defaulted, in others it may be required.
  25849. maxLength: 253
  25850. minLength: 1
  25851. pattern: ^[-._a-zA-Z0-9]+$
  25852. type: string
  25853. name:
  25854. description: The name of the Secret resource being referred to.
  25855. maxLength: 253
  25856. minLength: 1
  25857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25858. type: string
  25859. namespace:
  25860. description: |-
  25861. The namespace of the Secret resource being referred to.
  25862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25863. maxLength: 63
  25864. minLength: 1
  25865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25866. type: string
  25867. type: object
  25868. required:
  25869. - secretRef
  25870. type: object
  25871. required:
  25872. - privateKey
  25873. type: object
  25874. installID:
  25875. type: string
  25876. permissions:
  25877. additionalProperties:
  25878. type: string
  25879. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  25880. type: object
  25881. repositories:
  25882. description: |-
  25883. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  25884. is installed to.
  25885. items:
  25886. type: string
  25887. type: array
  25888. url:
  25889. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  25890. type: string
  25891. required:
  25892. - appID
  25893. - auth
  25894. - installID
  25895. type: object
  25896. grafanaSpec:
  25897. description: GrafanaSpec controls the behavior of the grafana generator.
  25898. properties:
  25899. auth:
  25900. description: |-
  25901. Auth is the authentication configuration to authenticate
  25902. against the Grafana instance.
  25903. properties:
  25904. basic:
  25905. description: |-
  25906. Basic auth credentials used to authenticate against the Grafana instance.
  25907. Note: these credentials need elevated permissions to create service accounts.
  25908. See here for the documentation on basic roles offered by Grafana:
  25909. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25910. properties:
  25911. password:
  25912. description: A basic auth password used to authenticate against the Grafana instance.
  25913. properties:
  25914. key:
  25915. description: The key where the token is found.
  25916. maxLength: 253
  25917. minLength: 1
  25918. pattern: ^[-._a-zA-Z0-9]+$
  25919. type: string
  25920. name:
  25921. description: The name of the Secret resource being referred to.
  25922. maxLength: 253
  25923. minLength: 1
  25924. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25925. type: string
  25926. type: object
  25927. username:
  25928. description: A basic auth username used to authenticate against the Grafana instance.
  25929. type: string
  25930. required:
  25931. - password
  25932. - username
  25933. type: object
  25934. token:
  25935. description: |-
  25936. A service account token used to authenticate against the Grafana instance.
  25937. Note: you need a token which has elevated permissions to create service accounts.
  25938. See here for the documentation on basic roles offered by Grafana:
  25939. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25940. properties:
  25941. key:
  25942. description: The key where the token is found.
  25943. maxLength: 253
  25944. minLength: 1
  25945. pattern: ^[-._a-zA-Z0-9]+$
  25946. type: string
  25947. name:
  25948. description: The name of the Secret resource being referred to.
  25949. maxLength: 253
  25950. minLength: 1
  25951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25952. type: string
  25953. type: object
  25954. type: object
  25955. serviceAccount:
  25956. description: |-
  25957. ServiceAccount is the configuration for the service account that
  25958. is supposed to be generated by the generator.
  25959. properties:
  25960. name:
  25961. description: Name is the name of the service account that will be created by ESO.
  25962. type: string
  25963. role:
  25964. description: |-
  25965. Role is the role of the service account.
  25966. See here for the documentation on basic roles offered by Grafana:
  25967. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  25968. type: string
  25969. required:
  25970. - name
  25971. - role
  25972. type: object
  25973. url:
  25974. description: URL is the URL of the Grafana instance.
  25975. type: string
  25976. required:
  25977. - auth
  25978. - serviceAccount
  25979. - url
  25980. type: object
  25981. mfaSpec:
  25982. description: MFASpec controls the behavior of the mfa generator.
  25983. properties:
  25984. algorithm:
  25985. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  25986. type: string
  25987. length:
  25988. description: Length defines the token length. Defaults to 6 characters.
  25989. type: integer
  25990. secret:
  25991. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  25992. properties:
  25993. key:
  25994. description: |-
  25995. A key in the referenced Secret.
  25996. Some instances of this field may be defaulted, in others it may be required.
  25997. maxLength: 253
  25998. minLength: 1
  25999. pattern: ^[-._a-zA-Z0-9]+$
  26000. type: string
  26001. name:
  26002. description: The name of the Secret resource being referred to.
  26003. maxLength: 253
  26004. minLength: 1
  26005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26006. type: string
  26007. namespace:
  26008. description: |-
  26009. The namespace of the Secret resource being referred to.
  26010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26011. maxLength: 63
  26012. minLength: 1
  26013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26014. type: string
  26015. type: object
  26016. timePeriod:
  26017. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  26018. type: integer
  26019. when:
  26020. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  26021. format: date-time
  26022. type: string
  26023. required:
  26024. - secret
  26025. type: object
  26026. passwordSpec:
  26027. description: PasswordSpec controls the behavior of the password generator.
  26028. properties:
  26029. allowRepeat:
  26030. default: false
  26031. description: set AllowRepeat to true to allow repeating characters.
  26032. type: boolean
  26033. digits:
  26034. description: |-
  26035. Digits specifies the number of digits in the generated
  26036. password. If omitted, it defaults to 25% of the password length.
  26037. type: integer
  26038. encoding:
  26039. default: raw
  26040. description: |-
  26041. Encoding specifies the encoding of the generated password.
  26042. Valid values are:
  26043. - "raw" (default): no encoding
  26044. - "base64": standard base64 encoding
  26045. - "base64url": base64url encoding
  26046. - "base32": base32 encoding
  26047. - "hex": hexadecimal encoding
  26048. enum:
  26049. - base64
  26050. - base64url
  26051. - base32
  26052. - hex
  26053. - raw
  26054. type: string
  26055. length:
  26056. default: 24
  26057. description: |-
  26058. Length of the password to be generated.
  26059. Defaults to 24
  26060. type: integer
  26061. noUpper:
  26062. default: false
  26063. description: Set NoUpper to disable uppercase characters
  26064. type: boolean
  26065. secretKeys:
  26066. description: |-
  26067. SecretKeys defines the keys that will be populated with generated passwords.
  26068. Defaults to "password" when not set.
  26069. items:
  26070. type: string
  26071. minItems: 1
  26072. type: array
  26073. symbolCharacters:
  26074. description: |-
  26075. SymbolCharacters specifies the special characters that should be used
  26076. in the generated password.
  26077. type: string
  26078. symbols:
  26079. description: |-
  26080. Symbols specifies the number of symbol characters in the generated
  26081. password. If omitted, it defaults to 25% of the password length.
  26082. type: integer
  26083. required:
  26084. - allowRepeat
  26085. - length
  26086. - noUpper
  26087. type: object
  26088. quayAccessTokenSpec:
  26089. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  26090. properties:
  26091. robotAccount:
  26092. description: Name of the robot account you are federating with
  26093. type: string
  26094. serviceAccountRef:
  26095. description: Name of the service account you are federating with
  26096. properties:
  26097. audiences:
  26098. description: |-
  26099. Audience specifies the `aud` claim for the service account token
  26100. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26101. then these audiences will be appended to the list
  26102. items:
  26103. type: string
  26104. type: array
  26105. name:
  26106. description: The name of the ServiceAccount resource being referred to.
  26107. maxLength: 253
  26108. minLength: 1
  26109. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26110. type: string
  26111. namespace:
  26112. description: |-
  26113. Namespace of the resource being referred to.
  26114. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26115. maxLength: 63
  26116. minLength: 1
  26117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26118. type: string
  26119. required:
  26120. - name
  26121. type: object
  26122. url:
  26123. description: URL configures the Quay instance URL. Defaults to quay.io.
  26124. type: string
  26125. required:
  26126. - robotAccount
  26127. - serviceAccountRef
  26128. type: object
  26129. sshKeySpec:
  26130. description: SSHKeySpec controls the behavior of the ssh key generator.
  26131. properties:
  26132. comment:
  26133. description: Comment specifies an optional comment for the SSH key
  26134. type: string
  26135. keySize:
  26136. description: |-
  26137. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  26138. For RSA keys: 2048, 3072, 4096
  26139. For ECDSA keys: 256, 384, 521
  26140. Ignored for ed25519 keys
  26141. maximum: 8192
  26142. minimum: 256
  26143. type: integer
  26144. keyType:
  26145. default: rsa
  26146. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  26147. enum:
  26148. - rsa
  26149. - ecdsa
  26150. - ed25519
  26151. type: string
  26152. type: object
  26153. stsSessionTokenSpec:
  26154. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  26155. properties:
  26156. auth:
  26157. description: Auth defines how to authenticate with AWS
  26158. properties:
  26159. jwt:
  26160. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26161. properties:
  26162. serviceAccountRef:
  26163. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26164. properties:
  26165. audiences:
  26166. description: |-
  26167. Audience specifies the `aud` claim for the service account token
  26168. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26169. then these audiences will be appended to the list
  26170. items:
  26171. type: string
  26172. type: array
  26173. name:
  26174. description: The name of the ServiceAccount resource being referred to.
  26175. maxLength: 253
  26176. minLength: 1
  26177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26178. type: string
  26179. namespace:
  26180. description: |-
  26181. Namespace of the resource being referred to.
  26182. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26183. maxLength: 63
  26184. minLength: 1
  26185. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26186. type: string
  26187. required:
  26188. - name
  26189. type: object
  26190. type: object
  26191. secretRef:
  26192. description: |-
  26193. AWSAuthSecretRef holds secret references for AWS credentials
  26194. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26195. properties:
  26196. accessKeyIDSecretRef:
  26197. description: The AccessKeyID is used for authentication
  26198. properties:
  26199. key:
  26200. description: |-
  26201. A key in the referenced Secret.
  26202. Some instances of this field may be defaulted, in others it may be required.
  26203. maxLength: 253
  26204. minLength: 1
  26205. pattern: ^[-._a-zA-Z0-9]+$
  26206. type: string
  26207. name:
  26208. description: The name of the Secret resource being referred to.
  26209. maxLength: 253
  26210. minLength: 1
  26211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26212. type: string
  26213. namespace:
  26214. description: |-
  26215. The namespace of the Secret resource being referred to.
  26216. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26217. maxLength: 63
  26218. minLength: 1
  26219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26220. type: string
  26221. type: object
  26222. secretAccessKeySecretRef:
  26223. description: The SecretAccessKey is used for authentication
  26224. properties:
  26225. key:
  26226. description: |-
  26227. A key in the referenced Secret.
  26228. Some instances of this field may be defaulted, in others it may be required.
  26229. maxLength: 253
  26230. minLength: 1
  26231. pattern: ^[-._a-zA-Z0-9]+$
  26232. type: string
  26233. name:
  26234. description: The name of the Secret resource being referred to.
  26235. maxLength: 253
  26236. minLength: 1
  26237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26238. type: string
  26239. namespace:
  26240. description: |-
  26241. The namespace of the Secret resource being referred to.
  26242. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26243. maxLength: 63
  26244. minLength: 1
  26245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26246. type: string
  26247. type: object
  26248. sessionTokenSecretRef:
  26249. description: |-
  26250. The SessionToken used for authentication
  26251. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26252. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26253. properties:
  26254. key:
  26255. description: |-
  26256. A key in the referenced Secret.
  26257. Some instances of this field may be defaulted, in others it may be required.
  26258. maxLength: 253
  26259. minLength: 1
  26260. pattern: ^[-._a-zA-Z0-9]+$
  26261. type: string
  26262. name:
  26263. description: The name of the Secret resource being referred to.
  26264. maxLength: 253
  26265. minLength: 1
  26266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26267. type: string
  26268. namespace:
  26269. description: |-
  26270. The namespace of the Secret resource being referred to.
  26271. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26272. maxLength: 63
  26273. minLength: 1
  26274. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26275. type: string
  26276. type: object
  26277. type: object
  26278. type: object
  26279. region:
  26280. description: Region specifies the region to operate in.
  26281. type: string
  26282. requestParameters:
  26283. description: RequestParameters contains parameters that can be passed to the STS service.
  26284. properties:
  26285. serialNumber:
  26286. description: |-
  26287. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  26288. the GetSessionToken call.
  26289. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  26290. (such as arn:aws:iam::123456789012:mfa/user)
  26291. type: string
  26292. sessionDuration:
  26293. format: int32
  26294. type: integer
  26295. tokenCode:
  26296. description: TokenCode is the value provided by the MFA device, if MFA is required.
  26297. type: string
  26298. type: object
  26299. role:
  26300. description: |-
  26301. You can assume a role before making calls to the
  26302. desired AWS service.
  26303. type: string
  26304. required:
  26305. - region
  26306. type: object
  26307. uuidSpec:
  26308. description: UUIDSpec controls the behavior of the uuid generator.
  26309. type: object
  26310. vaultDynamicSecretSpec:
  26311. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  26312. properties:
  26313. allowEmptyResponse:
  26314. default: false
  26315. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  26316. type: boolean
  26317. controller:
  26318. description: |-
  26319. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26320. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26321. type: string
  26322. getParameters:
  26323. additionalProperties:
  26324. items:
  26325. type: string
  26326. type: array
  26327. description: |-
  26328. GetParameters are query-string parameters passed to Vault on GET calls.
  26329. Each key may map to multiple values, matching HTTP query-string semantics.
  26330. Ignored for non-GET methods; use Parameters for write bodies.
  26331. type: object
  26332. method:
  26333. description: Vault API method to use (GET/POST/other)
  26334. type: string
  26335. parameters:
  26336. description: Parameters to pass to Vault write (for non-GET methods)
  26337. x-kubernetes-preserve-unknown-fields: true
  26338. path:
  26339. description: Vault path to obtain the dynamic secret from
  26340. type: string
  26341. provider:
  26342. description: Vault provider common spec
  26343. properties:
  26344. auth:
  26345. description: Auth configures how secret-manager authenticates with the Vault server.
  26346. properties:
  26347. appRole:
  26348. description: |-
  26349. AppRole authenticates with Vault using the App Role auth mechanism,
  26350. with the role and secret stored in a Kubernetes Secret resource.
  26351. properties:
  26352. path:
  26353. default: approle
  26354. description: |-
  26355. Path where the App Role authentication backend is mounted
  26356. in Vault, e.g: "approle"
  26357. type: string
  26358. roleId:
  26359. description: |-
  26360. RoleID configured in the App Role authentication backend when setting
  26361. up the authentication backend in Vault.
  26362. type: string
  26363. roleRef:
  26364. description: |-
  26365. Reference to a key in a Secret that contains the App Role ID used
  26366. to authenticate with Vault.
  26367. The `key` field must be specified and denotes which entry within the Secret
  26368. resource is used as the app role id.
  26369. properties:
  26370. key:
  26371. description: |-
  26372. A key in the referenced Secret.
  26373. Some instances of this field may be defaulted, in others it may be required.
  26374. maxLength: 253
  26375. minLength: 1
  26376. pattern: ^[-._a-zA-Z0-9]+$
  26377. type: string
  26378. name:
  26379. description: The name of the Secret resource being referred to.
  26380. maxLength: 253
  26381. minLength: 1
  26382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26383. type: string
  26384. namespace:
  26385. description: |-
  26386. The namespace of the Secret resource being referred to.
  26387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26388. maxLength: 63
  26389. minLength: 1
  26390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26391. type: string
  26392. type: object
  26393. secretRef:
  26394. description: |-
  26395. Reference to a key in a Secret that contains the App Role secret used
  26396. to authenticate with Vault.
  26397. The `key` field must be specified and denotes which entry within the Secret
  26398. resource is used as the app role secret.
  26399. properties:
  26400. key:
  26401. description: |-
  26402. A key in the referenced Secret.
  26403. Some instances of this field may be defaulted, in others it may be required.
  26404. maxLength: 253
  26405. minLength: 1
  26406. pattern: ^[-._a-zA-Z0-9]+$
  26407. type: string
  26408. name:
  26409. description: The name of the Secret resource being referred to.
  26410. maxLength: 253
  26411. minLength: 1
  26412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26413. type: string
  26414. namespace:
  26415. description: |-
  26416. The namespace of the Secret resource being referred to.
  26417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26418. maxLength: 63
  26419. minLength: 1
  26420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26421. type: string
  26422. type: object
  26423. required:
  26424. - path
  26425. - secretRef
  26426. type: object
  26427. cert:
  26428. description: |-
  26429. Cert authenticates with Vault using the TLS Cert authentication method by passing a client
  26430. certificate, private key and CA certificate
  26431. properties:
  26432. clientCert:
  26433. description: |-
  26434. ClientCert is a certificate to authenticate using the Cert Vault
  26435. authentication method
  26436. properties:
  26437. key:
  26438. description: |-
  26439. A key in the referenced Secret.
  26440. Some instances of this field may be defaulted, in others it may be required.
  26441. maxLength: 253
  26442. minLength: 1
  26443. pattern: ^[-._a-zA-Z0-9]+$
  26444. type: string
  26445. name:
  26446. description: The name of the Secret resource being referred to.
  26447. maxLength: 253
  26448. minLength: 1
  26449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26450. type: string
  26451. namespace:
  26452. description: |-
  26453. The namespace of the Secret resource being referred to.
  26454. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26455. maxLength: 63
  26456. minLength: 1
  26457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26458. type: string
  26459. type: object
  26460. path:
  26461. default: cert
  26462. description: |-
  26463. Path where the Certificate authentication backend is mounted
  26464. in Vault, e.g: "cert"
  26465. type: string
  26466. secretRef:
  26467. description: |-
  26468. SecretRef to a key in a Secret resource containing client private key to
  26469. authenticate with Vault using the Cert authentication method
  26470. properties:
  26471. key:
  26472. description: |-
  26473. A key in the referenced Secret.
  26474. Some instances of this field may be defaulted, in others it may be required.
  26475. maxLength: 253
  26476. minLength: 1
  26477. pattern: ^[-._a-zA-Z0-9]+$
  26478. type: string
  26479. name:
  26480. description: The name of the Secret resource being referred to.
  26481. maxLength: 253
  26482. minLength: 1
  26483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26484. type: string
  26485. namespace:
  26486. description: |-
  26487. The namespace of the Secret resource being referred to.
  26488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26489. maxLength: 63
  26490. minLength: 1
  26491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26492. type: string
  26493. type: object
  26494. vaultRole:
  26495. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  26496. type: string
  26497. type: object
  26498. gcp:
  26499. description: |-
  26500. Gcp authenticates with Vault using the Google Cloud Platform (GCP)
  26501. authentication method
  26502. properties:
  26503. location:
  26504. description: Location optionally defines a location/region for the secret
  26505. type: string
  26506. path:
  26507. default: gcp
  26508. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  26509. type: string
  26510. projectID:
  26511. description: Project ID of the Google Cloud Platform project
  26512. type: string
  26513. role:
  26514. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  26515. type: string
  26516. secretRef:
  26517. description: Specify credentials in a Secret object
  26518. properties:
  26519. secretAccessKeySecretRef:
  26520. description: The SecretAccessKey is used for authentication
  26521. properties:
  26522. key:
  26523. description: |-
  26524. A key in the referenced Secret.
  26525. Some instances of this field may be defaulted, in others it may be required.
  26526. maxLength: 253
  26527. minLength: 1
  26528. pattern: ^[-._a-zA-Z0-9]+$
  26529. type: string
  26530. name:
  26531. description: The name of the Secret resource being referred to.
  26532. maxLength: 253
  26533. minLength: 1
  26534. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26535. type: string
  26536. namespace:
  26537. description: |-
  26538. The namespace of the Secret resource being referred to.
  26539. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26540. maxLength: 63
  26541. minLength: 1
  26542. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26543. type: string
  26544. type: object
  26545. type: object
  26546. serviceAccountRef:
  26547. description: ServiceAccountRef to a service account for impersonation
  26548. properties:
  26549. audiences:
  26550. description: |-
  26551. Audience specifies the `aud` claim for the service account token
  26552. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26553. then these audiences will be appended to the list
  26554. items:
  26555. type: string
  26556. type: array
  26557. name:
  26558. description: The name of the ServiceAccount resource being referred to.
  26559. maxLength: 253
  26560. minLength: 1
  26561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26562. type: string
  26563. namespace:
  26564. description: |-
  26565. Namespace of the resource being referred to.
  26566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26567. maxLength: 63
  26568. minLength: 1
  26569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26570. type: string
  26571. required:
  26572. - name
  26573. type: object
  26574. workloadIdentity:
  26575. description: Specify a service account with Workload Identity
  26576. properties:
  26577. clusterLocation:
  26578. description: |-
  26579. ClusterLocation is the location of the cluster
  26580. If not specified, it fetches information from the metadata server
  26581. type: string
  26582. clusterName:
  26583. description: |-
  26584. ClusterName is the name of the cluster
  26585. If not specified, it fetches information from the metadata server
  26586. type: string
  26587. clusterProjectID:
  26588. description: |-
  26589. ClusterProjectID is the project ID of the cluster
  26590. If not specified, it fetches information from the metadata server
  26591. type: string
  26592. serviceAccountRef:
  26593. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26594. properties:
  26595. audiences:
  26596. description: |-
  26597. Audience specifies the `aud` claim for the service account token
  26598. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26599. then these audiences will be appended to the list
  26600. items:
  26601. type: string
  26602. type: array
  26603. name:
  26604. description: The name of the ServiceAccount resource being referred to.
  26605. maxLength: 253
  26606. minLength: 1
  26607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26608. type: string
  26609. namespace:
  26610. description: |-
  26611. Namespace of the resource being referred to.
  26612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26613. maxLength: 63
  26614. minLength: 1
  26615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26616. type: string
  26617. required:
  26618. - name
  26619. type: object
  26620. required:
  26621. - serviceAccountRef
  26622. type: object
  26623. required:
  26624. - role
  26625. type: object
  26626. iam:
  26627. description: |-
  26628. Iam authenticates with Vault using the AWS IAM authentication method by passing a special
  26629. AWS request signed with AWS IAM credentials
  26630. properties:
  26631. externalID:
  26632. description: AWS External ID set on assumed IAM roles
  26633. type: string
  26634. jwt:
  26635. description: Specify a service account with IRSA enabled
  26636. properties:
  26637. serviceAccountRef:
  26638. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26639. properties:
  26640. audiences:
  26641. description: |-
  26642. Audience specifies the `aud` claim for the service account token
  26643. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26644. then these audiences will be appended to the list
  26645. items:
  26646. type: string
  26647. type: array
  26648. name:
  26649. description: The name of the ServiceAccount resource being referred to.
  26650. maxLength: 253
  26651. minLength: 1
  26652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26653. type: string
  26654. namespace:
  26655. description: |-
  26656. Namespace of the resource being referred to.
  26657. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26658. maxLength: 63
  26659. minLength: 1
  26660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26661. type: string
  26662. required:
  26663. - name
  26664. type: object
  26665. type: object
  26666. path:
  26667. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  26668. type: string
  26669. region:
  26670. description: AWS region
  26671. type: string
  26672. role:
  26673. description: This is the AWS role to be assumed before talking to vault
  26674. type: string
  26675. secretRef:
  26676. description: Specify credentials in a Secret object
  26677. properties:
  26678. accessKeyIDSecretRef:
  26679. description: The AccessKeyID is used for authentication
  26680. properties:
  26681. key:
  26682. description: |-
  26683. A key in the referenced Secret.
  26684. Some instances of this field may be defaulted, in others it may be required.
  26685. maxLength: 253
  26686. minLength: 1
  26687. pattern: ^[-._a-zA-Z0-9]+$
  26688. type: string
  26689. name:
  26690. description: The name of the Secret resource being referred to.
  26691. maxLength: 253
  26692. minLength: 1
  26693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26694. type: string
  26695. namespace:
  26696. description: |-
  26697. The namespace of the Secret resource being referred to.
  26698. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26699. maxLength: 63
  26700. minLength: 1
  26701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26702. type: string
  26703. type: object
  26704. secretAccessKeySecretRef:
  26705. description: The SecretAccessKey is used for authentication
  26706. properties:
  26707. key:
  26708. description: |-
  26709. A key in the referenced Secret.
  26710. Some instances of this field may be defaulted, in others it may be required.
  26711. maxLength: 253
  26712. minLength: 1
  26713. pattern: ^[-._a-zA-Z0-9]+$
  26714. type: string
  26715. name:
  26716. description: The name of the Secret resource being referred to.
  26717. maxLength: 253
  26718. minLength: 1
  26719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26720. type: string
  26721. namespace:
  26722. description: |-
  26723. The namespace of the Secret resource being referred to.
  26724. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26725. maxLength: 63
  26726. minLength: 1
  26727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26728. type: string
  26729. type: object
  26730. sessionTokenSecretRef:
  26731. description: |-
  26732. The SessionToken used for authentication
  26733. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26734. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26735. properties:
  26736. key:
  26737. description: |-
  26738. A key in the referenced Secret.
  26739. Some instances of this field may be defaulted, in others it may be required.
  26740. maxLength: 253
  26741. minLength: 1
  26742. pattern: ^[-._a-zA-Z0-9]+$
  26743. type: string
  26744. name:
  26745. description: The name of the Secret resource being referred to.
  26746. maxLength: 253
  26747. minLength: 1
  26748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26749. type: string
  26750. namespace:
  26751. description: |-
  26752. The namespace of the Secret resource being referred to.
  26753. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26754. maxLength: 63
  26755. minLength: 1
  26756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26757. type: string
  26758. type: object
  26759. type: object
  26760. vaultAwsIamServerID:
  26761. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  26762. type: string
  26763. vaultRole:
  26764. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  26765. type: string
  26766. required:
  26767. - vaultRole
  26768. type: object
  26769. jwt:
  26770. description: |-
  26771. Jwt authenticates with Vault by passing role and JWT token using the
  26772. JWT/OIDC authentication method
  26773. properties:
  26774. kubernetesServiceAccountToken:
  26775. description: |-
  26776. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  26777. a token with the `TokenRequest` API.
  26778. properties:
  26779. audiences:
  26780. description: |-
  26781. Optional audiences field that will be used to request a temporary Kubernetes service
  26782. account token for the service account referenced by `serviceAccountRef`.
  26783. Defaults to a single audience `vault` if not specified.
  26784. Deprecated: use serviceAccountRef.Audiences instead
  26785. items:
  26786. type: string
  26787. type: array
  26788. expirationSeconds:
  26789. description: |-
  26790. Optional expiration time in seconds that will be used to request a temporary
  26791. Kubernetes service account token for the service account referenced by
  26792. `serviceAccountRef`.
  26793. Deprecated: this will be removed in the future.
  26794. Defaults to 10 minutes.
  26795. format: int64
  26796. type: integer
  26797. serviceAccountRef:
  26798. description: Service account field containing the name of a kubernetes ServiceAccount.
  26799. properties:
  26800. audiences:
  26801. description: |-
  26802. Audience specifies the `aud` claim for the service account token
  26803. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26804. then these audiences will be appended to the list
  26805. items:
  26806. type: string
  26807. type: array
  26808. name:
  26809. description: The name of the ServiceAccount resource being referred to.
  26810. maxLength: 253
  26811. minLength: 1
  26812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26813. type: string
  26814. namespace:
  26815. description: |-
  26816. Namespace of the resource being referred to.
  26817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26818. maxLength: 63
  26819. minLength: 1
  26820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26821. type: string
  26822. required:
  26823. - name
  26824. type: object
  26825. required:
  26826. - serviceAccountRef
  26827. type: object
  26828. path:
  26829. default: jwt
  26830. description: |-
  26831. Path where the JWT authentication backend is mounted
  26832. in Vault, e.g: "jwt"
  26833. type: string
  26834. role:
  26835. description: |-
  26836. Role is a JWT role to authenticate using the JWT/OIDC Vault
  26837. authentication method
  26838. type: string
  26839. secretRef:
  26840. description: |-
  26841. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  26842. authenticate with Vault using the JWT/OIDC authentication method.
  26843. properties:
  26844. key:
  26845. description: |-
  26846. A key in the referenced Secret.
  26847. Some instances of this field may be defaulted, in others it may be required.
  26848. maxLength: 253
  26849. minLength: 1
  26850. pattern: ^[-._a-zA-Z0-9]+$
  26851. type: string
  26852. name:
  26853. description: The name of the Secret resource being referred to.
  26854. maxLength: 253
  26855. minLength: 1
  26856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26857. type: string
  26858. namespace:
  26859. description: |-
  26860. The namespace of the Secret resource being referred to.
  26861. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26862. maxLength: 63
  26863. minLength: 1
  26864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26865. type: string
  26866. type: object
  26867. required:
  26868. - path
  26869. type: object
  26870. kubernetes:
  26871. description: |-
  26872. Kubernetes authenticates with Vault by passing the ServiceAccount
  26873. token stored in the named Secret resource to the Vault server.
  26874. properties:
  26875. mountPath:
  26876. default: kubernetes
  26877. description: |-
  26878. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  26879. "kubernetes"
  26880. type: string
  26881. role:
  26882. description: |-
  26883. A required field containing the Vault Role to assume. A Role binds a
  26884. Kubernetes ServiceAccount with a set of Vault policies.
  26885. type: string
  26886. secretRef:
  26887. description: |-
  26888. Optional secret field containing a Kubernetes ServiceAccount JWT used
  26889. for authenticating with Vault. If a name is specified without a key,
  26890. `token` is the default. If one is not specified, the one bound to
  26891. the controller will be used.
  26892. properties:
  26893. key:
  26894. description: |-
  26895. A key in the referenced Secret.
  26896. Some instances of this field may be defaulted, in others it may be required.
  26897. maxLength: 253
  26898. minLength: 1
  26899. pattern: ^[-._a-zA-Z0-9]+$
  26900. type: string
  26901. name:
  26902. description: The name of the Secret resource being referred to.
  26903. maxLength: 253
  26904. minLength: 1
  26905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26906. type: string
  26907. namespace:
  26908. description: |-
  26909. The namespace of the Secret resource being referred to.
  26910. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26911. maxLength: 63
  26912. minLength: 1
  26913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26914. type: string
  26915. type: object
  26916. serviceAccountRef:
  26917. description: |-
  26918. Optional service account field containing the name of a kubernetes ServiceAccount.
  26919. If the service account is specified, the service account secret token JWT will be used
  26920. for authenticating with Vault. If the service account selector is not supplied,
  26921. the secretRef will be used instead.
  26922. properties:
  26923. audiences:
  26924. description: |-
  26925. Audience specifies the `aud` claim for the service account token
  26926. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26927. then these audiences will be appended to the list
  26928. items:
  26929. type: string
  26930. type: array
  26931. name:
  26932. description: The name of the ServiceAccount resource being referred to.
  26933. maxLength: 253
  26934. minLength: 1
  26935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26936. type: string
  26937. namespace:
  26938. description: |-
  26939. Namespace of the resource being referred to.
  26940. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26941. maxLength: 63
  26942. minLength: 1
  26943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26944. type: string
  26945. required:
  26946. - name
  26947. type: object
  26948. required:
  26949. - mountPath
  26950. - role
  26951. type: object
  26952. ldap:
  26953. description: |-
  26954. Ldap authenticates with Vault by passing username/password pair using
  26955. the LDAP authentication method
  26956. properties:
  26957. path:
  26958. default: ldap
  26959. description: |-
  26960. Path where the LDAP authentication backend is mounted
  26961. in Vault, e.g: "ldap"
  26962. type: string
  26963. secretRef:
  26964. description: |-
  26965. SecretRef to a key in a Secret resource containing password for the LDAP
  26966. user used to authenticate with Vault using the LDAP authentication
  26967. method
  26968. properties:
  26969. key:
  26970. description: |-
  26971. A key in the referenced Secret.
  26972. Some instances of this field may be defaulted, in others it may be required.
  26973. maxLength: 253
  26974. minLength: 1
  26975. pattern: ^[-._a-zA-Z0-9]+$
  26976. type: string
  26977. name:
  26978. description: The name of the Secret resource being referred to.
  26979. maxLength: 253
  26980. minLength: 1
  26981. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26982. type: string
  26983. namespace:
  26984. description: |-
  26985. The namespace of the Secret resource being referred to.
  26986. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26987. maxLength: 63
  26988. minLength: 1
  26989. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26990. type: string
  26991. type: object
  26992. username:
  26993. description: |-
  26994. Username is an LDAP username used to authenticate using the LDAP Vault
  26995. authentication method
  26996. type: string
  26997. required:
  26998. - path
  26999. - username
  27000. type: object
  27001. namespace:
  27002. description: |-
  27003. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  27004. Namespaces is a set of features within Vault Enterprise that allows
  27005. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  27006. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  27007. This will default to the Vault.Namespace field if set, or be empty otherwise
  27008. type: string
  27009. tokenSecretRef:
  27010. description: TokenSecretRef authenticates with Vault by presenting a token.
  27011. properties:
  27012. key:
  27013. description: |-
  27014. A key in the referenced Secret.
  27015. Some instances of this field may be defaulted, in others it may be required.
  27016. maxLength: 253
  27017. minLength: 1
  27018. pattern: ^[-._a-zA-Z0-9]+$
  27019. type: string
  27020. name:
  27021. description: The name of the Secret resource being referred to.
  27022. maxLength: 253
  27023. minLength: 1
  27024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27025. type: string
  27026. namespace:
  27027. description: |-
  27028. The namespace of the Secret resource being referred to.
  27029. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27030. maxLength: 63
  27031. minLength: 1
  27032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27033. type: string
  27034. type: object
  27035. userPass:
  27036. description: UserPass authenticates with Vault by passing username/password pair
  27037. properties:
  27038. path:
  27039. default: userpass
  27040. description: |-
  27041. Path where the UserPassword authentication backend is mounted
  27042. in Vault, e.g: "userpass"
  27043. type: string
  27044. secretRef:
  27045. description: |-
  27046. SecretRef to a key in a Secret resource containing password for the
  27047. user used to authenticate with Vault using the UserPass authentication
  27048. method
  27049. properties:
  27050. key:
  27051. description: |-
  27052. A key in the referenced Secret.
  27053. Some instances of this field may be defaulted, in others it may be required.
  27054. maxLength: 253
  27055. minLength: 1
  27056. pattern: ^[-._a-zA-Z0-9]+$
  27057. type: string
  27058. name:
  27059. description: The name of the Secret resource being referred to.
  27060. maxLength: 253
  27061. minLength: 1
  27062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27063. type: string
  27064. namespace:
  27065. description: |-
  27066. The namespace of the Secret resource being referred to.
  27067. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27068. maxLength: 63
  27069. minLength: 1
  27070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27071. type: string
  27072. type: object
  27073. username:
  27074. description: |-
  27075. Username is a username used to authenticate using the UserPass Vault
  27076. authentication method
  27077. type: string
  27078. required:
  27079. - path
  27080. - username
  27081. type: object
  27082. type: object
  27083. caBundle:
  27084. description: |-
  27085. PEM encoded CA bundle used to validate Vault server certificate. Only used
  27086. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27087. plain HTTP protocol connection. If not set the system root certificates
  27088. are used to validate the TLS connection.
  27089. format: byte
  27090. type: string
  27091. caProvider:
  27092. description: The provider for the CA bundle to use to validate Vault server certificate.
  27093. properties:
  27094. key:
  27095. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27096. maxLength: 253
  27097. minLength: 1
  27098. pattern: ^[-._a-zA-Z0-9]+$
  27099. type: string
  27100. name:
  27101. description: The name of the object located at the provider type.
  27102. maxLength: 253
  27103. minLength: 1
  27104. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27105. type: string
  27106. namespace:
  27107. description: |-
  27108. The namespace the Provider type is in.
  27109. Can only be defined when used in a ClusterSecretStore.
  27110. maxLength: 63
  27111. minLength: 1
  27112. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27113. type: string
  27114. type:
  27115. description: The type of provider to use such as "Secret", or "ConfigMap".
  27116. enum:
  27117. - Secret
  27118. - ConfigMap
  27119. type: string
  27120. required:
  27121. - name
  27122. - type
  27123. type: object
  27124. checkAndSet:
  27125. description: |-
  27126. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  27127. Only applies to Vault KV v2 stores. When enabled, write operations must include
  27128. the current version of the secret to prevent unintentional overwrites.
  27129. properties:
  27130. required:
  27131. description: |-
  27132. Required, when true, means all write operations must include a check-and-set parameter.
  27133. This helps prevent unintentional overwrites of secrets.
  27134. type: boolean
  27135. type: object
  27136. forwardInconsistent:
  27137. description: |-
  27138. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  27139. leader instead of simply retrying within a loop. This can increase performance if
  27140. the option is enabled serverside.
  27141. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  27142. type: boolean
  27143. headers:
  27144. additionalProperties:
  27145. type: string
  27146. description: Headers to be added to Vault requests
  27147. type: object
  27148. namespace:
  27149. description: |-
  27150. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  27151. Vault environments to support secure multi-tenancy, e.g. "ns1".
  27152. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  27153. type: string
  27154. path:
  27155. description: |-
  27156. Path is the mount path of the Vault KV backend endpoint, e.g:
  27157. "secret". The v2 KV secret engine version specific "/data" path suffix
  27158. for fetching secrets from Vault is optional and will be appended
  27159. if not present in specified path.
  27160. type: string
  27161. readYourWrites:
  27162. description: |-
  27163. ReadYourWrites ensures isolated read-after-write semantics by
  27164. providing discovered cluster replication states in each request.
  27165. More information about eventual consistency in Vault can be found here
  27166. https://www.vaultproject.io/docs/enterprise/consistency
  27167. type: boolean
  27168. server:
  27169. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  27170. type: string
  27171. tls:
  27172. description: |-
  27173. The configuration used for client side related TLS communication, when the Vault server
  27174. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  27175. This parameter is ignored for plain HTTP protocol connection.
  27176. It's worth noting this configuration is different from the "TLS certificates auth method",
  27177. which is available under the `auth.cert` section.
  27178. properties:
  27179. certSecretRef:
  27180. description: |-
  27181. CertSecretRef is a certificate added to the transport layer
  27182. when communicating with the Vault server.
  27183. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  27184. properties:
  27185. key:
  27186. description: |-
  27187. A key in the referenced Secret.
  27188. Some instances of this field may be defaulted, in others it may be required.
  27189. maxLength: 253
  27190. minLength: 1
  27191. pattern: ^[-._a-zA-Z0-9]+$
  27192. type: string
  27193. name:
  27194. description: The name of the Secret resource being referred to.
  27195. maxLength: 253
  27196. minLength: 1
  27197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27198. type: string
  27199. namespace:
  27200. description: |-
  27201. The namespace of the Secret resource being referred to.
  27202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27203. maxLength: 63
  27204. minLength: 1
  27205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27206. type: string
  27207. type: object
  27208. keySecretRef:
  27209. description: |-
  27210. KeySecretRef to a key in a Secret resource containing client private key
  27211. added to the transport layer when communicating with the Vault server.
  27212. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  27213. properties:
  27214. key:
  27215. description: |-
  27216. A key in the referenced Secret.
  27217. Some instances of this field may be defaulted, in others it may be required.
  27218. maxLength: 253
  27219. minLength: 1
  27220. pattern: ^[-._a-zA-Z0-9]+$
  27221. type: string
  27222. name:
  27223. description: The name of the Secret resource being referred to.
  27224. maxLength: 253
  27225. minLength: 1
  27226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27227. type: string
  27228. namespace:
  27229. description: |-
  27230. The namespace of the Secret resource being referred to.
  27231. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27232. maxLength: 63
  27233. minLength: 1
  27234. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27235. type: string
  27236. type: object
  27237. type: object
  27238. version:
  27239. default: v2
  27240. description: |-
  27241. Version is the Vault KV secret engine version. This can be either "v1" or
  27242. "v2". Version defaults to "v2".
  27243. enum:
  27244. - v1
  27245. - v2
  27246. type: string
  27247. required:
  27248. - server
  27249. type: object
  27250. resultType:
  27251. default: Data
  27252. description: |-
  27253. Result type defines which data is returned from the generator.
  27254. By default, it is the "data" section of the Vault API response.
  27255. When using e.g. /auth/token/create the "data" section is empty but
  27256. the "auth" section contains the generated token.
  27257. Please refer to the vault docs regarding the result data structure.
  27258. Additionally, the raw response can be accessed by using the "Raw" result type.
  27259. enum:
  27260. - Data
  27261. - Auth
  27262. - Raw
  27263. type: string
  27264. retrySettings:
  27265. description: Used to configure http retries if failed
  27266. properties:
  27267. maxRetries:
  27268. format: int32
  27269. type: integer
  27270. retryInterval:
  27271. type: string
  27272. type: object
  27273. required:
  27274. - path
  27275. - provider
  27276. type: object
  27277. webhookSpec:
  27278. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  27279. properties:
  27280. auth:
  27281. description: Auth specifies an authorization protocol. Only one protocol may be set.
  27282. maxProperties: 1
  27283. minProperties: 1
  27284. properties:
  27285. ntlm:
  27286. description: NTLMProtocol configures the store to use NTLM for auth
  27287. properties:
  27288. passwordSecret:
  27289. description: |-
  27290. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27291. In some instances, `key` is a required field.
  27292. properties:
  27293. key:
  27294. description: |-
  27295. A key in the referenced Secret.
  27296. Some instances of this field may be defaulted, in others it may be required.
  27297. maxLength: 253
  27298. minLength: 1
  27299. pattern: ^[-._a-zA-Z0-9]+$
  27300. type: string
  27301. name:
  27302. description: The name of the Secret resource being referred to.
  27303. maxLength: 253
  27304. minLength: 1
  27305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27306. type: string
  27307. namespace:
  27308. description: |-
  27309. The namespace of the Secret resource being referred to.
  27310. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27311. maxLength: 63
  27312. minLength: 1
  27313. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27314. type: string
  27315. type: object
  27316. usernameSecret:
  27317. description: |-
  27318. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27319. In some instances, `key` is a required field.
  27320. properties:
  27321. key:
  27322. description: |-
  27323. A key in the referenced Secret.
  27324. Some instances of this field may be defaulted, in others it may be required.
  27325. maxLength: 253
  27326. minLength: 1
  27327. pattern: ^[-._a-zA-Z0-9]+$
  27328. type: string
  27329. name:
  27330. description: The name of the Secret resource being referred to.
  27331. maxLength: 253
  27332. minLength: 1
  27333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27334. type: string
  27335. namespace:
  27336. description: |-
  27337. The namespace of the Secret resource being referred to.
  27338. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27339. maxLength: 63
  27340. minLength: 1
  27341. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27342. type: string
  27343. type: object
  27344. required:
  27345. - passwordSecret
  27346. - usernameSecret
  27347. type: object
  27348. type: object
  27349. body:
  27350. description: Body
  27351. type: string
  27352. caBundle:
  27353. description: |-
  27354. PEM encoded CA bundle used to validate webhook server certificate. Only used
  27355. if the Server URL is using HTTPS protocol. This parameter is ignored for
  27356. plain HTTP protocol connection. If not set the system root certificates
  27357. are used to validate the TLS connection.
  27358. format: byte
  27359. type: string
  27360. caProvider:
  27361. description: The provider for the CA bundle to use to validate webhook server certificate.
  27362. properties:
  27363. key:
  27364. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  27365. maxLength: 253
  27366. minLength: 1
  27367. pattern: ^[-._a-zA-Z0-9]+$
  27368. type: string
  27369. name:
  27370. description: The name of the object located at the provider type.
  27371. maxLength: 253
  27372. minLength: 1
  27373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27374. type: string
  27375. namespace:
  27376. description: The namespace the Provider type is in.
  27377. maxLength: 63
  27378. minLength: 1
  27379. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27380. type: string
  27381. type:
  27382. description: The type of provider to use such as "Secret", or "ConfigMap".
  27383. enum:
  27384. - Secret
  27385. - ConfigMap
  27386. type: string
  27387. required:
  27388. - name
  27389. - type
  27390. type: object
  27391. headers:
  27392. additionalProperties:
  27393. type: string
  27394. description: Headers
  27395. type: object
  27396. method:
  27397. description: Webhook Method
  27398. type: string
  27399. result:
  27400. description: Result formatting
  27401. properties:
  27402. jsonPath:
  27403. description: Json path of return value
  27404. type: string
  27405. type: object
  27406. secrets:
  27407. description: |-
  27408. Secrets to fill in templates
  27409. These secrets will be passed to the templating function as key value pairs under the given name
  27410. items:
  27411. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  27412. properties:
  27413. name:
  27414. description: Name of this secret in templates
  27415. type: string
  27416. secretRef:
  27417. description: Secret ref to fill in credentials
  27418. properties:
  27419. key:
  27420. description: The key where the token is found.
  27421. maxLength: 253
  27422. minLength: 1
  27423. pattern: ^[-._a-zA-Z0-9]+$
  27424. type: string
  27425. name:
  27426. description: The name of the Secret resource being referred to.
  27427. maxLength: 253
  27428. minLength: 1
  27429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27430. type: string
  27431. type: object
  27432. required:
  27433. - name
  27434. - secretRef
  27435. type: object
  27436. type: array
  27437. timeout:
  27438. description: Timeout
  27439. type: string
  27440. url:
  27441. description: Webhook url to call
  27442. type: string
  27443. required:
  27444. - result
  27445. - url
  27446. type: object
  27447. type: object
  27448. kind:
  27449. description: Kind the kind of this generator.
  27450. enum:
  27451. - ACRAccessToken
  27452. - CloudsmithAccessToken
  27453. - ECRAuthorizationToken
  27454. - Fake
  27455. - GCRAccessToken
  27456. - GithubAccessToken
  27457. - QuayAccessToken
  27458. - Password
  27459. - SSHKey
  27460. - STSSessionToken
  27461. - UUID
  27462. - VaultDynamicSecret
  27463. - Webhook
  27464. - Grafana
  27465. type: string
  27466. required:
  27467. - generator
  27468. - kind
  27469. type: object
  27470. type: object
  27471. served: true
  27472. storage: true
  27473. subresources:
  27474. status: {}
  27475. ---
  27476. apiVersion: apiextensions.k8s.io/v1
  27477. kind: CustomResourceDefinition
  27478. metadata:
  27479. annotations:
  27480. controller-gen.kubebuilder.io/version: v0.19.0
  27481. labels:
  27482. external-secrets.io/component: controller
  27483. name: ecrauthorizationtokens.generators.external-secrets.io
  27484. spec:
  27485. group: generators.external-secrets.io
  27486. names:
  27487. categories:
  27488. - external-secrets
  27489. - external-secrets-generators
  27490. kind: ECRAuthorizationToken
  27491. listKind: ECRAuthorizationTokenList
  27492. plural: ecrauthorizationtokens
  27493. singular: ecrauthorizationtoken
  27494. scope: Namespaced
  27495. versions:
  27496. - name: v1alpha1
  27497. schema:
  27498. openAPIV3Schema:
  27499. description: |-
  27500. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  27501. The authorization token is valid for 12 hours.
  27502. The authorizationToken returned is a base64 encoded string that can be decoded
  27503. and used in a docker login command to authenticate to a registry.
  27504. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  27505. properties:
  27506. apiVersion:
  27507. description: |-
  27508. APIVersion defines the versioned schema of this representation of an object.
  27509. Servers should convert recognized schemas to the latest internal value, and
  27510. may reject unrecognized values.
  27511. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27512. type: string
  27513. kind:
  27514. description: |-
  27515. Kind is a string value representing the REST resource this object represents.
  27516. Servers may infer this from the endpoint the client submits requests to.
  27517. Cannot be updated.
  27518. In CamelCase.
  27519. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27520. type: string
  27521. metadata:
  27522. type: object
  27523. spec:
  27524. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  27525. properties:
  27526. auth:
  27527. description: Auth defines how to authenticate with AWS
  27528. properties:
  27529. jwt:
  27530. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27531. properties:
  27532. serviceAccountRef:
  27533. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27534. properties:
  27535. audiences:
  27536. description: |-
  27537. Audience specifies the `aud` claim for the service account token.
  27538. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  27539. then these audiences will be appended to the list
  27540. items:
  27541. type: string
  27542. type: array
  27543. name:
  27544. description: The name of the ServiceAccount resource being referred to.
  27545. maxLength: 253
  27546. minLength: 1
  27547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27548. type: string
  27549. namespace:
  27550. description: |-
  27551. Namespace of the resource being referred to.
  27552. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27553. maxLength: 63
  27554. minLength: 1
  27555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27556. type: string
  27557. required:
  27558. - name
  27559. type: object
  27560. type: object
  27561. secretRef:
  27562. description: |-
  27563. AWSAuthSecretRef holds secret references for AWS credentials
  27564. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27565. properties:
  27566. accessKeyIDSecretRef:
  27567. description: The AccessKeyID is used for authentication
  27568. properties:
  27569. key:
  27570. description: |-
  27571. A key in the referenced Secret.
  27572. Some instances of this field may be defaulted, in others it may be required.
  27573. maxLength: 253
  27574. minLength: 1
  27575. pattern: ^[-._a-zA-Z0-9]+$
  27576. type: string
  27577. name:
  27578. description: The name of the Secret resource being referred to.
  27579. maxLength: 253
  27580. minLength: 1
  27581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27582. type: string
  27583. namespace:
  27584. description: |-
  27585. The namespace of the Secret resource being referred to.
  27586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27587. maxLength: 63
  27588. minLength: 1
  27589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27590. type: string
  27591. type: object
  27592. secretAccessKeySecretRef:
  27593. description: The SecretAccessKey is used for authentication
  27594. properties:
  27595. key:
  27596. description: |-
  27597. A key in the referenced Secret.
  27598. Some instances of this field may be defaulted, in others it may be required.
  27599. maxLength: 253
  27600. minLength: 1
  27601. pattern: ^[-._a-zA-Z0-9]+$
  27602. type: string
  27603. name:
  27604. description: The name of the Secret resource being referred to.
  27605. maxLength: 253
  27606. minLength: 1
  27607. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27608. type: string
  27609. namespace:
  27610. description: |-
  27611. The namespace of the Secret resource being referred to.
  27612. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27613. maxLength: 63
  27614. minLength: 1
  27615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27616. type: string
  27617. type: object
  27618. sessionTokenSecretRef:
  27619. description: |-
  27620. The SessionToken used for authentication
  27621. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27622. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27623. properties:
  27624. key:
  27625. description: |-
  27626. A key in the referenced Secret.
  27627. Some instances of this field may be defaulted, in others it may be required.
  27628. maxLength: 253
  27629. minLength: 1
  27630. pattern: ^[-._a-zA-Z0-9]+$
  27631. type: string
  27632. name:
  27633. description: The name of the Secret resource being referred to.
  27634. maxLength: 253
  27635. minLength: 1
  27636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27637. type: string
  27638. namespace:
  27639. description: |-
  27640. The namespace of the Secret resource being referred to.
  27641. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27642. maxLength: 63
  27643. minLength: 1
  27644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27645. type: string
  27646. type: object
  27647. type: object
  27648. type: object
  27649. region:
  27650. description: Region specifies the region to operate in.
  27651. type: string
  27652. role:
  27653. description: |-
  27654. You can assume a role before making calls to the
  27655. desired AWS service.
  27656. type: string
  27657. scope:
  27658. description: |-
  27659. Scope specifies the ECR service scope.
  27660. Valid options are private and public.
  27661. type: string
  27662. required:
  27663. - region
  27664. type: object
  27665. type: object
  27666. served: true
  27667. storage: true
  27668. subresources:
  27669. status: {}
  27670. ---
  27671. apiVersion: apiextensions.k8s.io/v1
  27672. kind: CustomResourceDefinition
  27673. metadata:
  27674. annotations:
  27675. controller-gen.kubebuilder.io/version: v0.19.0
  27676. labels:
  27677. external-secrets.io/component: controller
  27678. name: fakes.generators.external-secrets.io
  27679. spec:
  27680. group: generators.external-secrets.io
  27681. names:
  27682. categories:
  27683. - external-secrets
  27684. - external-secrets-generators
  27685. kind: Fake
  27686. listKind: FakeList
  27687. plural: fakes
  27688. singular: fake
  27689. scope: Namespaced
  27690. versions:
  27691. - name: v1alpha1
  27692. schema:
  27693. openAPIV3Schema:
  27694. description: |-
  27695. Fake generator is used for testing. It lets you define
  27696. a static set of credentials that is always returned.
  27697. properties:
  27698. apiVersion:
  27699. description: |-
  27700. APIVersion defines the versioned schema of this representation of an object.
  27701. Servers should convert recognized schemas to the latest internal value, and
  27702. may reject unrecognized values.
  27703. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27704. type: string
  27705. kind:
  27706. description: |-
  27707. Kind is a string value representing the REST resource this object represents.
  27708. Servers may infer this from the endpoint the client submits requests to.
  27709. Cannot be updated.
  27710. In CamelCase.
  27711. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27712. type: string
  27713. metadata:
  27714. type: object
  27715. spec:
  27716. description: FakeSpec contains the static data.
  27717. properties:
  27718. controller:
  27719. description: |-
  27720. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27721. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27722. type: string
  27723. data:
  27724. additionalProperties:
  27725. type: string
  27726. description: |-
  27727. Data defines the static data returned
  27728. by this generator.
  27729. type: object
  27730. type: object
  27731. type: object
  27732. served: true
  27733. storage: true
  27734. subresources:
  27735. status: {}
  27736. ---
  27737. apiVersion: apiextensions.k8s.io/v1
  27738. kind: CustomResourceDefinition
  27739. metadata:
  27740. annotations:
  27741. controller-gen.kubebuilder.io/version: v0.19.0
  27742. labels:
  27743. external-secrets.io/component: controller
  27744. name: gcraccesstokens.generators.external-secrets.io
  27745. spec:
  27746. group: generators.external-secrets.io
  27747. names:
  27748. categories:
  27749. - external-secrets
  27750. - external-secrets-generators
  27751. kind: GCRAccessToken
  27752. listKind: GCRAccessTokenList
  27753. plural: gcraccesstokens
  27754. singular: gcraccesstoken
  27755. scope: Namespaced
  27756. versions:
  27757. - name: v1alpha1
  27758. schema:
  27759. openAPIV3Schema:
  27760. description: |-
  27761. GCRAccessToken generates an GCP access token
  27762. that can be used to authenticate with GCR.
  27763. properties:
  27764. apiVersion:
  27765. description: |-
  27766. APIVersion defines the versioned schema of this representation of an object.
  27767. Servers should convert recognized schemas to the latest internal value, and
  27768. may reject unrecognized values.
  27769. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  27770. type: string
  27771. kind:
  27772. description: |-
  27773. Kind is a string value representing the REST resource this object represents.
  27774. Servers may infer this from the endpoint the client submits requests to.
  27775. Cannot be updated.
  27776. In CamelCase.
  27777. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  27778. type: string
  27779. metadata:
  27780. type: object
  27781. spec:
  27782. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  27783. properties:
  27784. auth:
  27785. description: Auth defines the means for authenticating with GCP
  27786. properties:
  27787. secretRef:
  27788. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  27789. properties:
  27790. secretAccessKeySecretRef:
  27791. description: The SecretAccessKey is used for authentication
  27792. properties:
  27793. key:
  27794. description: |-
  27795. A key in the referenced Secret.
  27796. Some instances of this field may be defaulted, in others it may be required.
  27797. maxLength: 253
  27798. minLength: 1
  27799. pattern: ^[-._a-zA-Z0-9]+$
  27800. type: string
  27801. name:
  27802. description: The name of the Secret resource being referred to.
  27803. maxLength: 253
  27804. minLength: 1
  27805. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27806. type: string
  27807. namespace:
  27808. description: |-
  27809. The namespace of the Secret resource being referred to.
  27810. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27811. maxLength: 63
  27812. minLength: 1
  27813. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27814. type: string
  27815. type: object
  27816. type: object
  27817. workloadIdentity:
  27818. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  27819. properties:
  27820. clusterLocation:
  27821. type: string
  27822. clusterName:
  27823. type: string
  27824. clusterProjectID:
  27825. type: string
  27826. serviceAccountRef:
  27827. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27828. properties:
  27829. audiences:
  27830. description: |-
  27831. Audience specifies the `aud` claim for the service account token.
  27832. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  27833. then these audiences will be appended to the list
  27834. items:
  27835. type: string
  27836. type: array
  27837. name:
  27838. description: The name of the ServiceAccount resource being referred to.
  27839. maxLength: 253
  27840. minLength: 1
  27841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27842. type: string
  27843. namespace:
  27844. description: |-
  27845. Namespace of the resource being referred to.
  27846. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27847. maxLength: 63
  27848. minLength: 1
  27849. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27850. type: string
  27851. required:
  27852. - name
  27853. type: object
  27854. required:
  27855. - clusterLocation
  27856. - clusterName
  27857. - serviceAccountRef
  27858. type: object
  27859. workloadIdentityFederation:
  27860. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  27861. properties:
  27862. audience:
  27863. description: |-
  27864. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  27865. If specified, Audience found in the external account credential config will be overridden with the configured value.
  27866. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  27867. type: string
  27868. awsSecurityCredentials:
  27869. description: |-
  27870. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  27871. when using the AWS metadata server is not an option.
  27872. properties:
  27873. awsCredentialsSecretRef:
  27874. description: |-
  27875. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  27876. The Secret should be created with the following key names:
  27877. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  27878. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  27879. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  27880. properties:
  27881. name:
  27882. description: name of the secret.
  27883. maxLength: 253
  27884. minLength: 1
  27885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27886. type: string
  27887. namespace:
  27888. description: namespace in which the secret exists. If empty, the secret will be looked up in the local namespace.
  27889. maxLength: 63
  27890. minLength: 1
  27891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27892. type: string
  27893. required:
  27894. - name
  27895. type: object
  27896. region:
  27897. description: region is for configuring the AWS region to be used.
  27898. example: ap-south-1
  27899. maxLength: 50
  27900. minLength: 1
  27901. pattern: ^[a-z0-9-]+$
  27902. type: string
  27903. required:
  27904. - awsCredentialsSecretRef
  27905. - region
  27906. type: object
  27907. credConfig:
  27908. description: |-
  27909. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  27910. To use a Kubernetes cluster as the identity provider, use serviceAccountRef instead. The operator's mounted service account token cannot be used as the token source; instead,
  27911. serviceAccountRef must be used by providing the operator's service account details.
  27912. properties:
  27913. key:
  27914. description: key name holding the external account credential config.
  27915. maxLength: 253
  27916. minLength: 1
  27917. pattern: ^[-._a-zA-Z0-9]+$
  27918. type: string
  27919. name:
  27920. description: name of the configmap.
  27921. maxLength: 253
  27922. minLength: 1
  27923. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27924. type: string
  27925. namespace:
  27926. description: namespace in which the configmap exists. If empty, the configmap will be looked up in the local namespace.
  27927. maxLength: 63
  27928. minLength: 1
  27929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27930. type: string
  27931. required:
  27932. - key
  27933. - name
  27934. type: object
  27935. externalTokenEndpoint:
  27936. description: |-
  27937. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  27938. credential_source.url in the provided credConfig. This field is only used to double-check that the external token source
  27939. URL has the expected value.
  27940. type: string
  27941. gcpServiceAccountEmail:
  27942. description: |-
  27943. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  27944. after Workload Identity Federation. Use this to grant access through the service account's
  27945. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  27946. service_account_impersonation_url in the external account JSON from credConfig;
  27947. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  27948. on that ServiceAccount.
  27949. example: my-gsa@my-project.iam.gserviceaccount.com
  27950. minLength: 1
  27951. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  27952. type: string
  27953. serviceAccountRef:
  27954. description: |-
  27955. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  27956. when Kubernetes is configured as provider in workload identity pool.
  27957. properties:
  27958. audiences:
  27959. description: |-
  27960. Audience specifies the `aud` claim for the service account token
  27961. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27962. then these audiences will be appended to the list
  27963. items:
  27964. type: string
  27965. type: array
  27966. name:
  27967. description: The name of the ServiceAccount resource being referred to.
  27968. maxLength: 253
  27969. minLength: 1
  27970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27971. type: string
  27972. namespace:
  27973. description: |-
  27974. Namespace of the resource being referred to.
  27975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27976. maxLength: 63
  27977. minLength: 1
  27978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27979. type: string
  27980. required:
  27981. - name
  27982. type: object
  27983. type: object
  27984. type: object
  27985. projectID:
  27986. description: ProjectID defines which project to use to authenticate with
  27987. type: string
  27988. required:
  27989. - auth
  27990. - projectID
  27991. type: object
  27992. type: object
  27993. served: true
  27994. storage: true
  27995. subresources:
  27996. status: {}
  27997. ---
  27998. apiVersion: apiextensions.k8s.io/v1
  27999. kind: CustomResourceDefinition
  28000. metadata:
  28001. annotations:
  28002. controller-gen.kubebuilder.io/version: v0.19.0
  28003. labels:
  28004. external-secrets.io/component: controller
  28005. name: generatorstates.generators.external-secrets.io
  28006. spec:
  28007. group: generators.external-secrets.io
  28008. names:
  28009. categories:
  28010. - external-secrets
  28011. - external-secrets-generators
  28012. kind: GeneratorState
  28013. listKind: GeneratorStateList
  28014. plural: generatorstates
  28015. shortNames:
  28016. - gs
  28017. singular: generatorstate
  28018. scope: Namespaced
  28019. versions:
  28020. - additionalPrinterColumns:
  28021. - jsonPath: .spec.garbageCollectionDeadline
  28022. name: GC Deadline
  28023. type: string
  28024. - jsonPath: .metadata.creationTimestamp
  28025. name: Age
  28026. type: date
  28027. name: v1alpha1
  28028. schema:
  28029. openAPIV3Schema:
  28030. description: GeneratorState represents the state created and managed by a generator resource.
  28031. properties:
  28032. apiVersion:
  28033. description: |-
  28034. APIVersion defines the versioned schema of this representation of an object.
  28035. Servers should convert recognized schemas to the latest internal value, and
  28036. may reject unrecognized values.
  28037. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28038. type: string
  28039. kind:
  28040. description: |-
  28041. Kind is a string value representing the REST resource this object represents.
  28042. Servers may infer this from the endpoint the client submits requests to.
  28043. Cannot be updated.
  28044. In CamelCase.
  28045. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28046. type: string
  28047. metadata:
  28048. type: object
  28049. spec:
  28050. description: GeneratorStateSpec defines the desired state of a generator state resource.
  28051. properties:
  28052. garbageCollectionDeadline:
  28053. description: |-
  28054. GarbageCollectionDeadline is the time after which the generator state
  28055. will be deleted.
  28056. It is set by the controller that creates the generator state and
  28057. can also be configured by the user.
  28058. If the garbage collection deadline is not set, the generator state will not be deleted.
  28059. format: date-time
  28060. type: string
  28061. resource:
  28062. description: |-
  28063. Resource is the generator manifest that produced the state.
  28064. It is a snapshot of the generator manifest at the time the state was produced.
  28065. This manifest will be used to delete the resource. Any configuration that is referenced
  28066. in the manifest should be available at the time of garbage collection. If that is not the case, deletion will
  28067. be blocked by a finalizer.
  28068. x-kubernetes-preserve-unknown-fields: true
  28069. state:
  28070. description: State is the state that was produced by the generator implementation.
  28071. x-kubernetes-preserve-unknown-fields: true
  28072. required:
  28073. - resource
  28074. - state
  28075. type: object
  28076. status:
  28077. description: GeneratorStateStatus defines the observed state of a generator state resource.
  28078. properties:
  28079. conditions:
  28080. items:
  28081. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  28082. properties:
  28083. lastTransitionTime:
  28084. format: date-time
  28085. type: string
  28086. message:
  28087. type: string
  28088. reason:
  28089. type: string
  28090. status:
  28091. type: string
  28092. type:
  28093. description: GeneratorStateConditionType represents the type of condition for a generator state.
  28094. type: string
  28095. required:
  28096. - status
  28097. - type
  28098. type: object
  28099. type: array
  28100. type: object
  28101. type: object
  28102. served: true
  28103. storage: true
  28104. subresources: {}
  28105. ---
  28106. apiVersion: apiextensions.k8s.io/v1
  28107. kind: CustomResourceDefinition
  28108. metadata:
  28109. annotations:
  28110. controller-gen.kubebuilder.io/version: v0.19.0
  28111. labels:
  28112. external-secrets.io/component: controller
  28113. name: githubaccesstokens.generators.external-secrets.io
  28114. spec:
  28115. group: generators.external-secrets.io
  28116. names:
  28117. categories:
  28118. - external-secrets
  28119. - external-secrets-generators
  28120. kind: GithubAccessToken
  28121. listKind: GithubAccessTokenList
  28122. plural: githubaccesstokens
  28123. singular: githubaccesstoken
  28124. scope: Namespaced
  28125. versions:
  28126. - name: v1alpha1
  28127. schema:
  28128. openAPIV3Schema:
  28129. description: GithubAccessToken generates ghs_ accessToken
  28130. properties:
  28131. apiVersion:
  28132. description: |-
  28133. APIVersion defines the versioned schema of this representation of an object.
  28134. Servers should convert recognized schemas to the latest internal value, and
  28135. may reject unrecognized values.
  28136. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28137. type: string
  28138. kind:
  28139. description: |-
  28140. Kind is a string value representing the REST resource this object represents.
  28141. Servers may infer this from the endpoint the client submits requests to.
  28142. Cannot be updated.
  28143. In CamelCase.
  28144. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28145. type: string
  28146. metadata:
  28147. type: object
  28148. spec:
  28149. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  28150. properties:
  28151. appID:
  28152. type: string
  28153. auth:
  28154. description: Auth configures how ESO authenticates with a Github instance.
  28155. properties:
  28156. privateKey:
  28157. description: GithubSecretRef references a secret containing GitHub credentials.
  28158. properties:
  28159. secretRef:
  28160. description: |-
  28161. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28162. In some instances, `key` is a required field.
  28163. properties:
  28164. key:
  28165. description: |-
  28166. A key in the referenced Secret.
  28167. Some instances of this field may be defaulted, in others it may be required.
  28168. maxLength: 253
  28169. minLength: 1
  28170. pattern: ^[-._a-zA-Z0-9]+$
  28171. type: string
  28172. name:
  28173. description: The name of the Secret resource being referred to.
  28174. maxLength: 253
  28175. minLength: 1
  28176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28177. type: string
  28178. namespace:
  28179. description: |-
  28180. The namespace of the Secret resource being referred to.
  28181. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28182. maxLength: 63
  28183. minLength: 1
  28184. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28185. type: string
  28186. type: object
  28187. required:
  28188. - secretRef
  28189. type: object
  28190. required:
  28191. - privateKey
  28192. type: object
  28193. installID:
  28194. type: string
  28195. permissions:
  28196. additionalProperties:
  28197. type: string
  28198. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  28199. type: object
  28200. repositories:
  28201. description: |-
  28202. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  28203. is installed on.
  28204. items:
  28205. type: string
  28206. type: array
  28207. url:
  28208. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  28209. type: string
  28210. required:
  28211. - appID
  28212. - auth
  28213. - installID
  28214. type: object
  28215. type: object
  28216. served: true
  28217. storage: true
  28218. subresources:
  28219. status: {}
  28220. ---
  28221. apiVersion: apiextensions.k8s.io/v1
  28222. kind: CustomResourceDefinition
  28223. metadata:
  28224. annotations:
  28225. controller-gen.kubebuilder.io/version: v0.19.0
  28226. labels:
  28227. external-secrets.io/component: controller
  28228. name: grafanas.generators.external-secrets.io
  28229. spec:
  28230. group: generators.external-secrets.io
  28231. names:
  28232. categories:
  28233. - external-secrets
  28234. - external-secrets-generators
  28235. kind: Grafana
  28236. listKind: GrafanaList
  28237. plural: grafanas
  28238. singular: grafana
  28239. scope: Namespaced
  28240. versions:
  28241. - name: v1alpha1
  28242. schema:
  28243. openAPIV3Schema:
  28244. description: Grafana represents a generator for Grafana service account tokens.
  28245. properties:
  28246. apiVersion:
  28247. description: |-
  28248. APIVersion defines the versioned schema of this representation of an object.
  28249. Servers should convert recognized schemas to the latest internal value, and
  28250. may reject unrecognized values.
  28251. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28252. type: string
  28253. kind:
  28254. description: |-
  28255. Kind is a string value representing the REST resource this object represents.
  28256. Servers may infer this from the endpoint the client submits requests to.
  28257. Cannot be updated.
  28258. In CamelCase.
  28259. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28260. type: string
  28261. metadata:
  28262. type: object
  28263. spec:
  28264. description: GrafanaSpec controls the behavior of the grafana generator.
  28265. properties:
  28266. auth:
  28267. description: |-
  28268. Auth is the authentication configuration to authenticate
  28269. against the Grafana instance.
  28270. properties:
  28271. basic:
  28272. description: |-
  28273. Basic auth credentials used to authenticate against the Grafana instance.
  28274. Note: the credentials need elevated permissions to create service accounts.
  28275. See here for the documentation on basic roles offered by Grafana:
  28276. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28277. properties:
  28278. password:
  28279. description: A basic auth password used to authenticate against the Grafana instance.
  28280. properties:
  28281. key:
  28282. description: The key where the password is found.
  28283. maxLength: 253
  28284. minLength: 1
  28285. pattern: ^[-._a-zA-Z0-9]+$
  28286. type: string
  28287. name:
  28288. description: The name of the Secret resource being referred to.
  28289. maxLength: 253
  28290. minLength: 1
  28291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28292. type: string
  28293. type: object
  28294. username:
  28295. description: A basic auth username used to authenticate against the Grafana instance.
  28296. type: string
  28297. required:
  28298. - password
  28299. - username
  28300. type: object
  28301. token:
  28302. description: |-
  28303. A service account token used to authenticate against the Grafana instance.
  28304. Note: the token needs elevated permissions to create service accounts.
  28305. See here for the documentation on basic roles offered by Grafana:
  28306. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28307. properties:
  28308. key:
  28309. description: The key where the token is found.
  28310. maxLength: 253
  28311. minLength: 1
  28312. pattern: ^[-._a-zA-Z0-9]+$
  28313. type: string
  28314. name:
  28315. description: The name of the Secret resource being referred to.
  28316. maxLength: 253
  28317. minLength: 1
  28318. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28319. type: string
  28320. type: object
  28321. type: object
  28322. serviceAccount:
  28323. description: |-
  28324. ServiceAccount is the configuration for the service account that
  28325. is supposed to be generated by the generator.
  28326. properties:
  28327. name:
  28328. description: Name is the name of the service account that will be created by ESO.
  28329. type: string
  28330. role:
  28331. description: |-
  28332. Role is the role of the service account.
  28333. See here for the documentation on basic roles offered by Grafana:
  28334. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  28335. type: string
  28336. required:
  28337. - name
  28338. - role
  28339. type: object
  28340. url:
  28341. description: URL is the URL of the Grafana instance.
  28342. type: string
  28343. required:
  28344. - auth
  28345. - serviceAccount
  28346. - url
  28347. type: object
  28348. type: object
  28349. served: true
  28350. storage: true
  28351. subresources:
  28352. status: {}
  28353. ---
  28354. apiVersion: apiextensions.k8s.io/v1
  28355. kind: CustomResourceDefinition
  28356. metadata:
  28357. annotations:
  28358. controller-gen.kubebuilder.io/version: v0.19.0
  28359. labels:
  28360. external-secrets.io/component: controller
  28361. name: mfas.generators.external-secrets.io
  28362. spec:
  28363. group: generators.external-secrets.io
  28364. names:
  28365. categories:
  28366. - external-secrets
  28367. - external-secrets-generators
  28368. kind: MFA
  28369. listKind: MFAList
  28370. plural: mfas
  28371. singular: mfa
  28372. scope: Namespaced
  28373. versions:
  28374. - name: v1alpha1
  28375. schema:
  28376. openAPIV3Schema:
  28377. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  28378. properties:
  28379. apiVersion:
  28380. description: |-
  28381. APIVersion defines the versioned schema of this representation of an object.
  28382. Servers should convert recognized schemas to the latest internal value, and
  28383. may reject unrecognized values.
  28384. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28385. type: string
  28386. kind:
  28387. description: |-
  28388. Kind is a string value representing the REST resource this object represents.
  28389. Servers may infer this from the endpoint the client submits requests to.
  28390. Cannot be updated.
  28391. In CamelCase.
  28392. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28393. type: string
  28394. metadata:
  28395. type: object
  28396. spec:
  28397. description: MFASpec controls the behavior of the mfa generator.
  28398. properties:
  28399. algorithm:
  28400. description: Hash algorithm to use for generating the token. Defaults to SHA1 as per the RFC.
  28401. type: string
  28402. length:
  28403. description: Length defines the token length. Defaults to 6 characters.
  28404. type: integer
  28405. secret:
  28406. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  28407. properties:
  28408. key:
  28409. description: |-
  28410. A key in the referenced Secret.
  28411. Some instances of this field may be defaulted, in others it may be required.
  28412. maxLength: 253
  28413. minLength: 1
  28414. pattern: ^[-._a-zA-Z0-9]+$
  28415. type: string
  28416. name:
  28417. description: The name of the Secret resource being referred to.
  28418. maxLength: 253
  28419. minLength: 1
  28420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28421. type: string
  28422. namespace:
  28423. description: |-
  28424. The namespace of the Secret resource being referred to.
  28425. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28426. maxLength: 63
  28427. minLength: 1
  28428. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28429. type: string
  28430. type: object
  28431. timePeriod:
  28432. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  28433. type: integer
  28434. when:
  28435. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  28436. format: date-time
  28437. type: string
  28438. required:
  28439. - secret
  28440. type: object
  28441. type: object
  28442. served: true
  28443. storage: true
  28444. subresources:
  28445. status: {}
  28446. ---
  28447. apiVersion: apiextensions.k8s.io/v1
  28448. kind: CustomResourceDefinition
  28449. metadata:
  28450. annotations:
  28451. controller-gen.kubebuilder.io/version: v0.19.0
  28452. labels:
  28453. external-secrets.io/component: controller
  28454. name: passwords.generators.external-secrets.io
  28455. spec:
  28456. group: generators.external-secrets.io
  28457. names:
  28458. categories:
  28459. - external-secrets
  28460. - external-secrets-generators
  28461. kind: Password
  28462. listKind: PasswordList
  28463. plural: passwords
  28464. singular: password
  28465. scope: Namespaced
  28466. versions:
  28467. - name: v1alpha1
  28468. schema:
  28469. openAPIV3Schema:
  28470. description: |-
  28471. Password generates a random password based on the
  28472. configuration parameters in spec.
  28473. You can specify the length, characterset and other attributes.
  28474. properties:
  28475. apiVersion:
  28476. description: |-
  28477. APIVersion defines the versioned schema of this representation of an object.
  28478. Servers should convert recognized schemas to the latest internal value, and
  28479. may reject unrecognized values.
  28480. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28481. type: string
  28482. kind:
  28483. description: |-
  28484. Kind is a string value representing the REST resource this object represents.
  28485. Servers may infer this from the endpoint the client submits requests to.
  28486. Cannot be updated.
  28487. In CamelCase.
  28488. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28489. type: string
  28490. metadata:
  28491. type: object
  28492. spec:
  28493. description: PasswordSpec controls the behavior of the password generator.
  28494. properties:
  28495. allowRepeat:
  28496. default: false
  28497. description: Set AllowRepeat to true to allow repeating characters.
  28498. type: boolean
  28499. digits:
  28500. description: |-
  28501. Digits specifies the number of digits in the generated
  28502. password. If omitted, it defaults to 25% of the length of the password.
  28503. type: integer
  28504. encoding:
  28505. default: raw
  28506. description: |-
  28507. Encoding specifies the encoding of the generated password.
  28508. Valid values are:
  28509. - "raw" (default): no encoding
  28510. - "base64": standard base64 encoding
  28511. - "base64url": base64url encoding
  28512. - "base32": base32 encoding
  28513. - "hex": hexadecimal encoding
  28514. enum:
  28515. - base64
  28516. - base64url
  28517. - base32
  28518. - hex
  28519. - raw
  28520. type: string
  28521. length:
  28522. default: 24
  28523. description: |-
  28524. Length of the password to be generated.
  28525. Defaults to 24
  28526. type: integer
  28527. noUpper:
  28528. default: false
  28529. description: Set NoUpper to disable uppercase characters
  28530. type: boolean
  28531. secretKeys:
  28532. description: |-
  28533. SecretKeys defines the keys that will be populated with generated passwords.
  28534. Defaults to "password" when not set.
  28535. items:
  28536. type: string
  28537. minItems: 1
  28538. type: array
  28539. symbolCharacters:
  28540. description: |-
  28541. SymbolCharacters specifies the special characters that should be used
  28542. in the generated password.
  28543. type: string
  28544. symbols:
  28545. description: |-
  28546. Symbols specifies the number of symbol characters in the generated
  28547. password. If omitted, it defaults to 25% of the length of the password.
  28548. type: integer
  28549. required:
  28550. - allowRepeat
  28551. - length
  28552. - noUpper
  28553. type: object
  28554. type: object
  28555. served: true
  28556. storage: true
  28557. subresources:
  28558. status: {}
  28559. ---
  28560. apiVersion: apiextensions.k8s.io/v1
  28561. kind: CustomResourceDefinition
  28562. metadata:
  28563. annotations:
  28564. controller-gen.kubebuilder.io/version: v0.19.0
  28565. labels:
  28566. external-secrets.io/component: controller
  28567. name: quayaccesstokens.generators.external-secrets.io
  28568. spec:
  28569. group: generators.external-secrets.io
  28570. names:
  28571. categories:
  28572. - external-secrets
  28573. - external-secrets-generators
  28574. kind: QuayAccessToken
  28575. listKind: QuayAccessTokenList
  28576. plural: quayaccesstokens
  28577. singular: quayaccesstoken
  28578. scope: Namespaced
  28579. versions:
  28580. - name: v1alpha1
  28581. schema:
  28582. openAPIV3Schema:
  28583. description: QuayAccessToken generates a Quay OAuth token for pulling/pushing images
  28584. properties:
  28585. apiVersion:
  28586. description: |-
  28587. APIVersion defines the versioned schema of this representation of an object.
  28588. Servers should convert recognized schemas to the latest internal value, and
  28589. may reject unrecognized values.
  28590. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28591. type: string
  28592. kind:
  28593. description: |-
  28594. Kind is a string value representing the REST resource this object represents.
  28595. Servers may infer this from the endpoint the client submits requests to.
  28596. Cannot be updated.
  28597. In CamelCase.
  28598. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28599. type: string
  28600. metadata:
  28601. type: object
  28602. spec:
  28603. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  28604. properties:
  28605. robotAccount:
  28606. description: Name of the robot account you are federating with
  28607. type: string
  28608. serviceAccountRef:
  28609. description: Name of the service account you are federating with
  28610. properties:
  28611. audiences:
  28612. description: |-
  28613. Audience specifies the `aud` claim for the service account token
  28614. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28615. then these audiences will be appended to the list
  28616. items:
  28617. type: string
  28618. type: array
  28619. name:
  28620. description: The name of the ServiceAccount resource being referred to.
  28621. maxLength: 253
  28622. minLength: 1
  28623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28624. type: string
  28625. namespace:
  28626. description: |-
  28627. Namespace of the resource being referred to.
  28628. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28629. maxLength: 63
  28630. minLength: 1
  28631. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28632. type: string
  28633. required:
  28634. - name
  28635. type: object
  28636. url:
  28637. description: URL configures the Quay instance URL. Defaults to quay.io.
  28638. type: string
  28639. required:
  28640. - robotAccount
  28641. - serviceAccountRef
  28642. type: object
  28643. type: object
  28644. served: true
  28645. storage: true
  28646. subresources:
  28647. status: {}
  28648. ---
  28649. apiVersion: apiextensions.k8s.io/v1
  28650. kind: CustomResourceDefinition
  28651. metadata:
  28652. annotations:
  28653. controller-gen.kubebuilder.io/version: v0.19.0
  28654. labels:
  28655. external-secrets.io/component: controller
  28656. name: sshkeys.generators.external-secrets.io
  28657. spec:
  28658. group: generators.external-secrets.io
  28659. names:
  28660. categories:
  28661. - external-secrets
  28662. - external-secrets-generators
  28663. kind: SSHKey
  28664. listKind: SSHKeyList
  28665. plural: sshkeys
  28666. singular: sshkey
  28667. scope: Namespaced
  28668. versions:
  28669. - name: v1alpha1
  28670. schema:
  28671. openAPIV3Schema:
  28672. description: SSHKey generates SSH key pairs.
  28673. properties:
  28674. apiVersion:
  28675. description: |-
  28676. APIVersion defines the versioned schema of this representation of an object.
  28677. Servers should convert recognized schemas to the latest internal value, and
  28678. may reject unrecognized values.
  28679. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28680. type: string
  28681. kind:
  28682. description: |-
  28683. Kind is a string value representing the REST resource this object represents.
  28684. Servers may infer this from the endpoint the client submits requests to.
  28685. Cannot be updated.
  28686. In CamelCase.
  28687. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28688. type: string
  28689. metadata:
  28690. type: object
  28691. spec:
  28692. description: SSHKeySpec controls the behavior of the ssh key generator.
  28693. properties:
  28694. comment:
  28695. description: Comment specifies an optional comment for the SSH key
  28696. type: string
  28697. keySize:
  28698. description: |-
  28699. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  28700. For RSA keys: 2048, 3072, 4096
  28701. For ECDSA keys: 256, 384, 521
  28702. Ignored for ed25519 keys
  28703. maximum: 8192
  28704. minimum: 256
  28705. type: integer
  28706. keyType:
  28707. default: rsa
  28708. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  28709. enum:
  28710. - rsa
  28711. - ecdsa
  28712. - ed25519
  28713. type: string
  28714. type: object
  28715. type: object
  28716. served: true
  28717. storage: true
  28718. subresources:
  28719. status: {}
  28720. ---
  28721. apiVersion: apiextensions.k8s.io/v1
  28722. kind: CustomResourceDefinition
  28723. metadata:
  28724. annotations:
  28725. controller-gen.kubebuilder.io/version: v0.19.0
  28726. labels:
  28727. external-secrets.io/component: controller
  28728. name: stssessiontokens.generators.external-secrets.io
  28729. spec:
  28730. group: generators.external-secrets.io
  28731. names:
  28732. categories:
  28733. - external-secrets
  28734. - external-secrets-generators
  28735. kind: STSSessionToken
  28736. listKind: STSSessionTokenList
  28737. plural: stssessiontokens
  28738. singular: stssessiontoken
  28739. scope: Namespaced
  28740. versions:
  28741. - name: v1alpha1
  28742. schema:
  28743. openAPIV3Schema:
  28744. description: |-
  28745. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  28746. The authorization token is valid for 12 hours.
  28747. The authorizationToken returned is a base64-encoded string that can be decoded.
  28748. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  28749. properties:
  28750. apiVersion:
  28751. description: |-
  28752. APIVersion defines the versioned schema of this representation of an object.
  28753. Servers should convert recognized schemas to the latest internal value, and
  28754. may reject unrecognized values.
  28755. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28756. type: string
  28757. kind:
  28758. description: |-
  28759. Kind is a string value representing the REST resource this object represents.
  28760. Servers may infer this from the endpoint the client submits requests to.
  28761. Cannot be updated.
  28762. In CamelCase.
  28763. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28764. type: string
  28765. metadata:
  28766. type: object
  28767. spec:
  28768. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  28769. properties:
  28770. auth:
  28771. description: Auth defines how to authenticate with AWS
  28772. properties:
  28773. jwt:
  28774. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28775. properties:
  28776. serviceAccountRef:
  28777. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28778. properties:
  28779. audiences:
  28780. description: |-
  28781. Audience specifies the `aud` claim for the service account token
  28782. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28783. then these audiences will be appended to the list
  28784. items:
  28785. type: string
  28786. type: array
  28787. name:
  28788. description: The name of the ServiceAccount resource being referred to.
  28789. maxLength: 253
  28790. minLength: 1
  28791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28792. type: string
  28793. namespace:
  28794. description: |-
  28795. Namespace of the resource being referred to.
  28796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28797. maxLength: 63
  28798. minLength: 1
  28799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28800. type: string
  28801. required:
  28802. - name
  28803. type: object
  28804. type: object
  28805. secretRef:
  28806. description: |-
  28807. AWSAuthSecretRef holds secret references for AWS credentials
  28808. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28809. properties:
  28810. accessKeyIDSecretRef:
  28811. description: The AccessKeyID is used for authentication
  28812. properties:
  28813. key:
  28814. description: |-
  28815. A key in the referenced Secret.
  28816. Some instances of this field may be defaulted, in others it may be required.
  28817. maxLength: 253
  28818. minLength: 1
  28819. pattern: ^[-._a-zA-Z0-9]+$
  28820. type: string
  28821. name:
  28822. description: The name of the Secret resource being referred to.
  28823. maxLength: 253
  28824. minLength: 1
  28825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28826. type: string
  28827. namespace:
  28828. description: |-
  28829. The namespace of the Secret resource being referred to.
  28830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28831. maxLength: 63
  28832. minLength: 1
  28833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28834. type: string
  28835. type: object
  28836. secretAccessKeySecretRef:
  28837. description: The SecretAccessKey is used for authentication
  28838. properties:
  28839. key:
  28840. description: |-
  28841. A key in the referenced Secret.
  28842. Some instances of this field may be defaulted, in others it may be required.
  28843. maxLength: 253
  28844. minLength: 1
  28845. pattern: ^[-._a-zA-Z0-9]+$
  28846. type: string
  28847. name:
  28848. description: The name of the Secret resource being referred to.
  28849. maxLength: 253
  28850. minLength: 1
  28851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28852. type: string
  28853. namespace:
  28854. description: |-
  28855. The namespace of the Secret resource being referred to.
  28856. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28857. maxLength: 63
  28858. minLength: 1
  28859. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28860. type: string
  28861. type: object
  28862. sessionTokenSecretRef:
  28863. description: |-
  28864. The SessionToken used for authentication
  28865. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28866. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28867. properties:
  28868. key:
  28869. description: |-
  28870. A key in the referenced Secret.
  28871. Some instances of this field may be defaulted, in others it may be required.
  28872. maxLength: 253
  28873. minLength: 1
  28874. pattern: ^[-._a-zA-Z0-9]+$
  28875. type: string
  28876. name:
  28877. description: The name of the Secret resource being referred to.
  28878. maxLength: 253
  28879. minLength: 1
  28880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28881. type: string
  28882. namespace:
  28883. description: |-
  28884. The namespace of the Secret resource being referred to.
  28885. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28886. maxLength: 63
  28887. minLength: 1
  28888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28889. type: string
  28890. type: object
  28891. type: object
  28892. type: object
  28893. region:
  28894. description: Region specifies the region to operate in.
  28895. type: string
  28896. requestParameters:
  28897. description: RequestParameters contains parameters that can be passed to the STS service.
  28898. properties:
  28899. serialNumber:
  28900. description: |-
  28901. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  28902. the GetSessionToken call.
  28903. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  28904. (such as arn:aws:iam::123456789012:mfa/user)
  28905. type: string
  28906. sessionDuration:
  28907. format: int32
  28908. type: integer
  28909. tokenCode:
  28910. description: TokenCode is the value provided by the MFA device, if MFA is required.
  28911. type: string
  28912. type: object
  28913. role:
  28914. description: |-
  28915. You can assume a role before making calls to the
  28916. desired AWS service.
  28917. type: string
  28918. required:
  28919. - region
  28920. type: object
  28921. type: object
  28922. served: true
  28923. storage: true
  28924. subresources:
  28925. status: {}
  28926. ---
  28927. apiVersion: apiextensions.k8s.io/v1
  28928. kind: CustomResourceDefinition
  28929. metadata:
  28930. annotations:
  28931. controller-gen.kubebuilder.io/version: v0.19.0
  28932. labels:
  28933. external-secrets.io/component: controller
  28934. name: uuids.generators.external-secrets.io
  28935. spec:
  28936. group: generators.external-secrets.io
  28937. names:
  28938. categories:
  28939. - external-secrets
  28940. - external-secrets-generators
  28941. kind: UUID
  28942. listKind: UUIDList
  28943. plural: uuids
  28944. singular: uuid
  28945. scope: Namespaced
  28946. versions:
  28947. - name: v1alpha1
  28948. schema:
  28949. openAPIV3Schema:
  28950. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  28951. properties:
  28952. apiVersion:
  28953. description: |-
  28954. APIVersion defines the versioned schema of this representation of an object.
  28955. Servers should convert recognized schemas to the latest internal value, and
  28956. may reject unrecognized values.
  28957. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28958. type: string
  28959. kind:
  28960. description: |-
  28961. Kind is a string value representing the REST resource this object represents.
  28962. Servers may infer this from the endpoint the client submits requests to.
  28963. Cannot be updated.
  28964. In CamelCase.
  28965. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28966. type: string
  28967. metadata:
  28968. type: object
  28969. spec:
  28970. description: UUIDSpec controls the behavior of the uuid generator.
  28971. type: object
  28972. type: object
  28973. served: true
  28974. storage: true
  28975. subresources:
  28976. status: {}
  28977. ---
  28978. apiVersion: apiextensions.k8s.io/v1
  28979. kind: CustomResourceDefinition
  28980. metadata:
  28981. annotations:
  28982. controller-gen.kubebuilder.io/version: v0.19.0
  28983. labels:
  28984. external-secrets.io/component: controller
  28985. name: vaultdynamicsecrets.generators.external-secrets.io
  28986. spec:
  28987. group: generators.external-secrets.io
  28988. names:
  28989. categories:
  28990. - external-secrets
  28991. - external-secrets-generators
  28992. kind: VaultDynamicSecret
  28993. listKind: VaultDynamicSecretList
  28994. plural: vaultdynamicsecrets
  28995. singular: vaultdynamicsecret
  28996. scope: Namespaced
  28997. versions:
  28998. - name: v1alpha1
  28999. schema:
  29000. openAPIV3Schema:
  29001. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  29002. properties:
  29003. apiVersion:
  29004. description: |-
  29005. APIVersion defines the versioned schema of this representation of an object.
  29006. Servers should convert recognized schemas to the latest internal value, and
  29007. may reject unrecognized values.
  29008. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29009. type: string
  29010. kind:
  29011. description: |-
  29012. Kind is a string value representing the REST resource this object represents.
  29013. Servers may infer this from the endpoint the client submits requests to.
  29014. Cannot be updated.
  29015. In CamelCase.
  29016. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29017. type: string
  29018. metadata:
  29019. type: object
  29020. spec:
  29021. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  29022. properties:
  29023. allowEmptyResponse:
  29024. default: false
  29025. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  29026. type: boolean
  29027. controller:
  29028. description: |-
  29029. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29030. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29031. type: string
  29032. getParameters:
  29033. additionalProperties:
  29034. items:
  29035. type: string
  29036. type: array
  29037. description: |-
  29038. GetParameters are query-string parameters passed to Vault on GET calls.
  29039. Each key may map to multiple values, matching HTTP query-string semantics.
  29040. Ignored for non-GET methods; use Parameters for write bodies.
  29041. type: object
  29042. method:
  29043. description: Vault API method to use (GET/POST/other)
  29044. type: string
  29045. parameters:
  29046. description: Parameters to pass to Vault write (for non-GET methods)
  29047. x-kubernetes-preserve-unknown-fields: true
  29048. path:
  29049. description: Vault path to obtain the dynamic secret from
  29050. type: string
  29051. provider:
  29052. description: Vault provider common spec
  29053. properties:
  29054. auth:
  29055. description: Auth configures how secret-manager authenticates with the Vault server.
  29056. properties:
  29057. appRole:
  29058. description: |-
  29059. AppRole authenticates with Vault using the App Role auth mechanism,
  29060. with the role and secret stored in a Kubernetes Secret resource.
  29061. properties:
  29062. path:
  29063. default: approle
  29064. description: |-
  29065. Path where the App Role authentication backend is mounted
  29066. in Vault, e.g: "approle"
  29067. type: string
  29068. roleId:
  29069. description: |-
  29070. RoleID configured in the App Role authentication backend when setting
  29071. up the authentication backend in Vault.
  29072. type: string
  29073. roleRef:
  29074. description: |-
  29075. Reference to a key in a Secret that contains the App Role ID used
  29076. to authenticate with Vault.
  29077. The `key` field must be specified and denotes which entry within the Secret
  29078. resource is used as the app role id.
  29079. properties:
  29080. key:
  29081. description: |-
  29082. A key in the referenced Secret.
  29083. Some instances of this field may be defaulted, in others it may be required.
  29084. maxLength: 253
  29085. minLength: 1
  29086. pattern: ^[-._a-zA-Z0-9]+$
  29087. type: string
  29088. name:
  29089. description: The name of the Secret resource being referred to.
  29090. maxLength: 253
  29091. minLength: 1
  29092. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29093. type: string
  29094. namespace:
  29095. description: |-
  29096. The namespace of the Secret resource being referred to.
  29097. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29098. maxLength: 63
  29099. minLength: 1
  29100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29101. type: string
  29102. type: object
  29103. secretRef:
  29104. description: |-
  29105. Reference to a key in a Secret that contains the App Role secret used
  29106. to authenticate with Vault.
  29107. The `key` field must be specified and denotes which entry within the Secret
  29108. resource is used as the app role secret.
  29109. properties:
  29110. key:
  29111. description: |-
  29112. A key in the referenced Secret.
  29113. Some instances of this field may be defaulted, in others it may be required.
  29114. maxLength: 253
  29115. minLength: 1
  29116. pattern: ^[-._a-zA-Z0-9]+$
  29117. type: string
  29118. name:
  29119. description: The name of the Secret resource being referred to.
  29120. maxLength: 253
  29121. minLength: 1
  29122. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29123. type: string
  29124. namespace:
  29125. description: |-
  29126. The namespace of the Secret resource being referred to.
  29127. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29128. maxLength: 63
  29129. minLength: 1
  29130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29131. type: string
  29132. type: object
  29133. required:
  29134. - path
  29135. - secretRef
  29136. type: object
  29137. cert:
  29138. description: |-
  29139. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  29140. Cert authentication method
  29141. properties:
  29142. clientCert:
  29143. description: |-
  29144. ClientCert is a certificate to authenticate using the Cert Vault
  29145. authentication method
  29146. properties:
  29147. key:
  29148. description: |-
  29149. A key in the referenced Secret.
  29150. Some instances of this field may be defaulted, in others it may be required.
  29151. maxLength: 253
  29152. minLength: 1
  29153. pattern: ^[-._a-zA-Z0-9]+$
  29154. type: string
  29155. name:
  29156. description: The name of the Secret resource being referred to.
  29157. maxLength: 253
  29158. minLength: 1
  29159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29160. type: string
  29161. namespace:
  29162. description: |-
  29163. The namespace of the Secret resource being referred to.
  29164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29165. maxLength: 63
  29166. minLength: 1
  29167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29168. type: string
  29169. type: object
  29170. path:
  29171. default: cert
  29172. description: |-
  29173. Path where the Certificate authentication backend is mounted
  29174. in Vault, e.g: "cert"
  29175. type: string
  29176. secretRef:
  29177. description: |-
  29178. SecretRef to a key in a Secret resource containing client private key to
  29179. authenticate with Vault using the Cert authentication method
  29180. properties:
  29181. key:
  29182. description: |-
  29183. A key in the referenced Secret.
  29184. Some instances of this field may be defaulted, in others it may be required.
  29185. maxLength: 253
  29186. minLength: 1
  29187. pattern: ^[-._a-zA-Z0-9]+$
  29188. type: string
  29189. name:
  29190. description: The name of the Secret resource being referred to.
  29191. maxLength: 253
  29192. minLength: 1
  29193. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29194. type: string
  29195. namespace:
  29196. description: |-
  29197. The namespace of the Secret resource being referred to.
  29198. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29199. maxLength: 63
  29200. minLength: 1
  29201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29202. type: string
  29203. type: object
  29204. vaultRole:
  29205. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  29206. type: string
  29207. type: object
  29208. gcp:
  29209. description: |-
  29210. Gcp authenticates with Vault using Google Cloud Platform authentication method
  29211. GCP authentication method
  29212. properties:
  29213. location:
  29214. description: Location optionally defines a location/region for the secret
  29215. type: string
  29216. path:
  29217. default: gcp
  29218. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  29219. type: string
  29220. projectID:
  29221. description: Project ID of the Google Cloud Platform project
  29222. type: string
  29223. role:
  29224. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  29225. type: string
  29226. secretRef:
  29227. description: Specify credentials in a Secret object
  29228. properties:
  29229. secretAccessKeySecretRef:
  29230. description: The SecretAccessKey is used for authentication
  29231. properties:
  29232. key:
  29233. description: |-
  29234. A key in the referenced Secret.
  29235. Some instances of this field may be defaulted, in others it may be required.
  29236. maxLength: 253
  29237. minLength: 1
  29238. pattern: ^[-._a-zA-Z0-9]+$
  29239. type: string
  29240. name:
  29241. description: The name of the Secret resource being referred to.
  29242. maxLength: 253
  29243. minLength: 1
  29244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29245. type: string
  29246. namespace:
  29247. description: |-
  29248. The namespace of the Secret resource being referred to.
  29249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29250. maxLength: 63
  29251. minLength: 1
  29252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29253. type: string
  29254. type: object
  29255. type: object
  29256. serviceAccountRef:
  29257. description: ServiceAccountRef to a service account for impersonation
  29258. properties:
  29259. audiences:
  29260. description: |-
  29261. Audience specifies the `aud` claim for the service account token
  29262. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29263. then these audiences will be appended to the list
  29264. items:
  29265. type: string
  29266. type: array
  29267. name:
  29268. description: The name of the ServiceAccount resource being referred to.
  29269. maxLength: 253
  29270. minLength: 1
  29271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29272. type: string
  29273. namespace:
  29274. description: |-
  29275. Namespace of the resource being referred to.
  29276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29277. maxLength: 63
  29278. minLength: 1
  29279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29280. type: string
  29281. required:
  29282. - name
  29283. type: object
  29284. workloadIdentity:
  29285. description: Specify a service account with Workload Identity
  29286. properties:
  29287. clusterLocation:
  29288. description: |-
  29289. ClusterLocation is the location of the cluster
  29290. If not specified, it fetches information from the metadata server
  29291. type: string
  29292. clusterName:
  29293. description: |-
  29294. ClusterName is the name of the cluster
  29295. If not specified, it fetches information from the metadata server
  29296. type: string
  29297. clusterProjectID:
  29298. description: |-
  29299. ClusterProjectID is the project ID of the cluster
  29300. If not specified, it fetches information from the metadata server
  29301. type: string
  29302. serviceAccountRef:
  29303. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29304. properties:
  29305. audiences:
  29306. description: |-
  29307. Audience specifies the `aud` claim for the service account token
  29308. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29309. then these audiences will be appended to the list
  29310. items:
  29311. type: string
  29312. type: array
  29313. name:
  29314. description: The name of the ServiceAccount resource being referred to.
  29315. maxLength: 253
  29316. minLength: 1
  29317. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29318. type: string
  29319. namespace:
  29320. description: |-
  29321. Namespace of the resource being referred to.
  29322. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29323. maxLength: 63
  29324. minLength: 1
  29325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29326. type: string
  29327. required:
  29328. - name
  29329. type: object
  29330. required:
  29331. - serviceAccountRef
  29332. type: object
  29333. required:
  29334. - role
  29335. type: object
  29336. iam:
  29337. description: |-
  29338. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  29339. AWS IAM authentication method
  29340. properties:
  29341. externalID:
  29342. description: AWS External ID set on assumed IAM roles
  29343. type: string
  29344. jwt:
  29345. description: Specify a service account with IRSA enabled
  29346. properties:
  29347. serviceAccountRef:
  29348. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29349. properties:
  29350. audiences:
  29351. description: |-
  29352. Audience specifies the `aud` claim for the service account token
  29353. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29354. then these audiences will be appended to the list
  29355. items:
  29356. type: string
  29357. type: array
  29358. name:
  29359. description: The name of the ServiceAccount resource being referred to.
  29360. maxLength: 253
  29361. minLength: 1
  29362. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29363. type: string
  29364. namespace:
  29365. description: |-
  29366. Namespace of the resource being referred to.
  29367. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29368. maxLength: 63
  29369. minLength: 1
  29370. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29371. type: string
  29372. required:
  29373. - name
  29374. type: object
  29375. type: object
  29376. path:
  29377. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  29378. type: string
  29379. region:
  29380. description: AWS region
  29381. type: string
  29382. role:
  29383. description: This is the AWS role to be assumed before talking to vault
  29384. type: string
  29385. secretRef:
  29386. description: Specify credentials in a Secret object
  29387. properties:
  29388. accessKeyIDSecretRef:
  29389. description: The AccessKeyID is used for authentication
  29390. properties:
  29391. key:
  29392. description: |-
  29393. A key in the referenced Secret.
  29394. Some instances of this field may be defaulted, in others it may be required.
  29395. maxLength: 253
  29396. minLength: 1
  29397. pattern: ^[-._a-zA-Z0-9]+$
  29398. type: string
  29399. name:
  29400. description: The name of the Secret resource being referred to.
  29401. maxLength: 253
  29402. minLength: 1
  29403. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29404. type: string
  29405. namespace:
  29406. description: |-
  29407. The namespace of the Secret resource being referred to.
  29408. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29409. maxLength: 63
  29410. minLength: 1
  29411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29412. type: string
  29413. type: object
  29414. secretAccessKeySecretRef:
  29415. description: The SecretAccessKey is used for authentication
  29416. properties:
  29417. key:
  29418. description: |-
  29419. A key in the referenced Secret.
  29420. Some instances of this field may be defaulted, in others it may be required.
  29421. maxLength: 253
  29422. minLength: 1
  29423. pattern: ^[-._a-zA-Z0-9]+$
  29424. type: string
  29425. name:
  29426. description: The name of the Secret resource being referred to.
  29427. maxLength: 253
  29428. minLength: 1
  29429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29430. type: string
  29431. namespace:
  29432. description: |-
  29433. The namespace of the Secret resource being referred to.
  29434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29435. maxLength: 63
  29436. minLength: 1
  29437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29438. type: string
  29439. type: object
  29440. sessionTokenSecretRef:
  29441. description: |-
  29442. The SessionToken used for authentication
  29443. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  29444. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  29445. properties:
  29446. key:
  29447. description: |-
  29448. A key in the referenced Secret.
  29449. Some instances of this field may be defaulted, in others it may be required.
  29450. maxLength: 253
  29451. minLength: 1
  29452. pattern: ^[-._a-zA-Z0-9]+$
  29453. type: string
  29454. name:
  29455. description: The name of the Secret resource being referred to.
  29456. maxLength: 253
  29457. minLength: 1
  29458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29459. type: string
  29460. namespace:
  29461. description: |-
  29462. The namespace of the Secret resource being referred to.
  29463. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29464. maxLength: 63
  29465. minLength: 1
  29466. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29467. type: string
  29468. type: object
  29469. type: object
  29470. vaultAwsIamServerID:
  29471. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  29472. type: string
  29473. vaultRole:
  29474. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  29475. type: string
  29476. required:
  29477. - vaultRole
  29478. type: object
  29479. jwt:
  29480. description: |-
  29481. Jwt authenticates with Vault by passing role and JWT token using the
  29482. JWT/OIDC authentication method
  29483. properties:
  29484. kubernetesServiceAccountToken:
  29485. description: |-
  29486. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  29487. a token for with the `TokenRequest` API.
  29488. properties:
  29489. audiences:
  29490. description: |-
  29491. Optional audiences field that will be used to request a temporary Kubernetes service
  29492. account token for the service account referenced by `serviceAccountRef`.
  29493. Defaults to a single audience `vault` if not specified.
  29494. Deprecated: use serviceAccountRef.Audiences instead
  29495. items:
  29496. type: string
  29497. type: array
  29498. expirationSeconds:
  29499. description: |-
  29500. Optional expiration time in seconds that will be used to request a temporary
  29501. Kubernetes service account token for the service account referenced by
  29502. `serviceAccountRef`.
  29503. Deprecated: this will be removed in the future.
  29504. Defaults to 10 minutes.
  29505. format: int64
  29506. type: integer
  29507. serviceAccountRef:
  29508. description: Service account field containing the name of a kubernetes ServiceAccount.
  29509. properties:
  29510. audiences:
  29511. description: |-
  29512. Audience specifies the `aud` claim for the service account token
  29513. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29514. then these audiences will be appended to the list
  29515. items:
  29516. type: string
  29517. type: array
  29518. name:
  29519. description: The name of the ServiceAccount resource being referred to.
  29520. maxLength: 253
  29521. minLength: 1
  29522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29523. type: string
  29524. namespace:
  29525. description: |-
  29526. Namespace of the resource being referred to.
  29527. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29528. maxLength: 63
  29529. minLength: 1
  29530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29531. type: string
  29532. required:
  29533. - name
  29534. type: object
  29535. required:
  29536. - serviceAccountRef
  29537. type: object
  29538. path:
  29539. default: jwt
  29540. description: |-
  29541. Path where the JWT authentication backend is mounted
  29542. in Vault, e.g: "jwt"
  29543. type: string
  29544. role:
  29545. description: |-
  29546. Role is a JWT role to authenticate using the JWT/OIDC Vault
  29547. authentication method
  29548. type: string
  29549. secretRef:
  29550. description: |-
  29551. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  29552. authenticate with Vault using the JWT/OIDC authentication method.
  29553. properties:
  29554. key:
  29555. description: |-
  29556. A key in the referenced Secret.
  29557. Some instances of this field may be defaulted, in others it may be required.
  29558. maxLength: 253
  29559. minLength: 1
  29560. pattern: ^[-._a-zA-Z0-9]+$
  29561. type: string
  29562. name:
  29563. description: The name of the Secret resource being referred to.
  29564. maxLength: 253
  29565. minLength: 1
  29566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29567. type: string
  29568. namespace:
  29569. description: |-
  29570. The namespace of the Secret resource being referred to.
  29571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29572. maxLength: 63
  29573. minLength: 1
  29574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29575. type: string
  29576. type: object
  29577. required:
  29578. - path
  29579. type: object
  29580. kubernetes:
  29581. description: |-
  29582. Kubernetes authenticates with Vault by passing the ServiceAccount
  29583. token stored in the named Secret resource to the Vault server.
  29584. properties:
  29585. mountPath:
  29586. default: kubernetes
  29587. description: |-
  29588. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  29589. "kubernetes"
  29590. type: string
  29591. role:
  29592. description: |-
  29593. A required field containing the Vault Role to assume. A Role binds a
  29594. Kubernetes ServiceAccount with a set of Vault policies.
  29595. type: string
  29596. secretRef:
  29597. description: |-
  29598. Optional secret field containing a Kubernetes ServiceAccount JWT used
  29599. for authenticating with Vault. If a name is specified without a key,
  29600. `token` is the default. If one is not specified, the one bound to
  29601. the controller will be used.
  29602. properties:
  29603. key:
  29604. description: |-
  29605. A key in the referenced Secret.
  29606. Some instances of this field may be defaulted, in others it may be required.
  29607. maxLength: 253
  29608. minLength: 1
  29609. pattern: ^[-._a-zA-Z0-9]+$
  29610. type: string
  29611. name:
  29612. description: The name of the Secret resource being referred to.
  29613. maxLength: 253
  29614. minLength: 1
  29615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29616. type: string
  29617. namespace:
  29618. description: |-
  29619. The namespace of the Secret resource being referred to.
  29620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29621. maxLength: 63
  29622. minLength: 1
  29623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29624. type: string
  29625. type: object
  29626. serviceAccountRef:
  29627. description: |-
  29628. Optional service account field containing the name of a kubernetes ServiceAccount.
  29629. If the service account is specified, the service account secret token JWT will be used
  29630. for authenticating with Vault. If the service account selector is not supplied,
  29631. the secretRef will be used instead.
  29632. properties:
  29633. audiences:
  29634. description: |-
  29635. Audience specifies the `aud` claim for the service account token
  29636. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  29637. then these audiences will be appended to the list.
  29638. items:
  29639. type: string
  29640. type: array
  29641. name:
  29642. description: The name of the ServiceAccount resource being referred to.
  29643. maxLength: 253
  29644. minLength: 1
  29645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29646. type: string
  29647. namespace:
  29648. description: |-
  29649. Namespace of the resource being referred to.
  29650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29651. maxLength: 63
  29652. minLength: 1
  29653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29654. type: string
  29655. required:
  29656. - name
  29657. type: object
  29658. required:
  29659. - mountPath
  29660. - role
  29661. type: object
  29662. ldap:
  29663. description: |-
  29664. Ldap authenticates with Vault by passing a username/password pair using
  29665. the LDAP authentication method.
  29666. properties:
  29667. path:
  29668. default: ldap
  29669. description: |-
  29670. Path where the LDAP authentication backend is mounted
  29671. in Vault, e.g: "ldap"
  29672. type: string
  29673. secretRef:
  29674. description: |-
  29675. SecretRef to a key in a Secret resource containing password for the LDAP
  29676. user used to authenticate with Vault using the LDAP authentication
  29677. method
  29678. properties:
  29679. key:
  29680. description: |-
  29681. A key in the referenced Secret.
  29682. Some instances of this field may be defaulted, in others it may be required.
  29683. maxLength: 253
  29684. minLength: 1
  29685. pattern: ^[-._a-zA-Z0-9]+$
  29686. type: string
  29687. name:
  29688. description: The name of the Secret resource being referred to.
  29689. maxLength: 253
  29690. minLength: 1
  29691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29692. type: string
  29693. namespace:
  29694. description: |-
  29695. The namespace of the Secret resource being referred to.
  29696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29697. maxLength: 63
  29698. minLength: 1
  29699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29700. type: string
  29701. type: object
  29702. username:
  29703. description: |-
  29704. Username is an LDAP username used to authenticate using the LDAP Vault
  29705. authentication method
  29706. type: string
  29707. required:
  29708. - path
  29709. - username
  29710. type: object
  29711. namespace:
  29712. description: |-
  29713. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  29714. Namespaces are a set of features within Vault Enterprise that allow
  29715. Vault environments to support Secure Multi-tenancy, e.g: "ns1".
  29716. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  29717. This will default to Vault.Namespace field if set, or empty otherwise
  29718. type: string
  29719. tokenSecretRef:
  29720. description: TokenSecretRef authenticates with Vault by presenting a token.
  29721. properties:
  29722. key:
  29723. description: |-
  29724. A key in the referenced Secret.
  29725. Some instances of this field may be defaulted, in others it may be required.
  29726. maxLength: 253
  29727. minLength: 1
  29728. pattern: ^[-._a-zA-Z0-9]+$
  29729. type: string
  29730. name:
  29731. description: The name of the Secret resource being referred to.
  29732. maxLength: 253
  29733. minLength: 1
  29734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29735. type: string
  29736. namespace:
  29737. description: |-
  29738. The namespace of the Secret resource being referred to.
  29739. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29740. maxLength: 63
  29741. minLength: 1
  29742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29743. type: string
  29744. type: object
  29745. userPass:
  29746. description: UserPass authenticates with Vault by passing a username/password pair
  29747. properties:
  29748. path:
  29749. default: userpass
  29750. description: |-
  29751. Path where the UserPassword authentication backend is mounted
  29752. in Vault, e.g: "userpass"
  29753. type: string
  29754. secretRef:
  29755. description: |-
  29756. SecretRef to a key in a Secret resource containing password for the
  29757. user used to authenticate with Vault using the UserPass authentication
  29758. method
  29759. properties:
  29760. key:
  29761. description: |-
  29762. A key in the referenced Secret.
  29763. Some instances of this field may be defaulted, in others it may be required.
  29764. maxLength: 253
  29765. minLength: 1
  29766. pattern: ^[-._a-zA-Z0-9]+$
  29767. type: string
  29768. name:
  29769. description: The name of the Secret resource being referred to.
  29770. maxLength: 253
  29771. minLength: 1
  29772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29773. type: string
  29774. namespace:
  29775. description: |-
  29776. The namespace of the Secret resource being referred to.
  29777. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29778. maxLength: 63
  29779. minLength: 1
  29780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29781. type: string
  29782. type: object
  29783. username:
  29784. description: |-
  29785. Username is a username used to authenticate using the UserPass Vault
  29786. authentication method
  29787. type: string
  29788. required:
  29789. - path
  29790. - username
  29791. type: object
  29792. type: object
  29793. caBundle:
  29794. description: |-
  29795. PEM-encoded CA bundle used to validate the Vault server certificate. Only used
  29796. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  29797. plain HTTP connections. If not set, the system root certificates
  29798. are used to validate the TLS connection.
  29799. format: byte
  29800. type: string
  29801. caProvider:
  29802. description: The provider for the CA bundle to use to validate Vault server certificate.
  29803. properties:
  29804. key:
  29805. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  29806. maxLength: 253
  29807. minLength: 1
  29808. pattern: ^[-._a-zA-Z0-9]+$
  29809. type: string
  29810. name:
  29811. description: The name of the object located at the provider type.
  29812. maxLength: 253
  29813. minLength: 1
  29814. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29815. type: string
  29816. namespace:
  29817. description: |-
  29818. The namespace the Provider type is in.
  29819. Can only be defined when used in a ClusterSecretStore.
  29820. maxLength: 63
  29821. minLength: 1
  29822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29823. type: string
  29824. type:
  29825. description: The type of provider to use such as "Secret", or "ConfigMap".
  29826. enum:
  29827. - Secret
  29828. - ConfigMap
  29829. type: string
  29830. required:
  29831. - name
  29832. - type
  29833. type: object
  29834. checkAndSet:
  29835. description: |-
  29836. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  29837. Only applies to Vault KV v2 stores. When enabled, write operations must include
  29838. the current version of the secret to prevent unintentional overwrites.
  29839. properties:
  29840. required:
  29841. description: |-
  29842. When Required is true, all write operations must include a check-and-set parameter.
  29843. This helps prevent unintentional overwrites of secrets.
  29844. type: boolean
  29845. type: object
  29846. forwardInconsistent:
  29847. description: |-
  29848. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  29849. leader instead of simply retrying within a loop. This can increase performance if
  29850. the option is enabled server-side.
  29851. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  29852. type: boolean
  29853. headers:
  29854. additionalProperties:
  29855. type: string
  29856. description: Headers to be added in Vault request
  29857. type: object
  29858. namespace:
  29859. description: |-
  29860. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  29861. Vault environments to support Secure Multi-tenancy, e.g: "ns1".
  29862. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  29863. type: string
  29864. path:
  29865. description: |-
  29866. Path is the mount path of the Vault KV backend endpoint, e.g:
  29867. "secret". The v2 KV secret engine version specific "/data" path suffix
  29868. for fetching secrets from Vault is optional and will be appended
  29869. if not present in the specified path.
  29870. type: string
  29871. readYourWrites:
  29872. description: |-
  29873. ReadYourWrites ensures isolated read-after-write semantics by
  29874. providing discovered cluster replication states in each request.
  29875. More information about eventual consistency in Vault can be found here
  29876. https://www.vaultproject.io/docs/enterprise/consistency
  29877. type: boolean
  29878. server:
  29879. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  29880. type: string
  29881. tls:
  29882. description: |-
  29883. The configuration used for client side related TLS communication, when the Vault server
  29884. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  29885. This parameter is ignored for plain HTTP protocol connection.
  29886. It's worth noting this configuration is different from the "TLS certificates auth method",
  29887. which is available under the `auth.cert` section.
  29888. properties:
  29889. certSecretRef:
  29890. description: |-
  29891. CertSecretRef is a certificate added to the transport layer
  29892. when communicating with the Vault server.
  29893. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  29894. properties:
  29895. key:
  29896. description: |-
  29897. A key in the referenced Secret.
  29898. Some instances of this field may be defaulted, in others it may be required.
  29899. maxLength: 253
  29900. minLength: 1
  29901. pattern: ^[-._a-zA-Z0-9]+$
  29902. type: string
  29903. name:
  29904. description: The name of the Secret resource being referred to.
  29905. maxLength: 253
  29906. minLength: 1
  29907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29908. type: string
  29909. namespace:
  29910. description: |-
  29911. The namespace of the Secret resource being referred to.
  29912. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29913. maxLength: 63
  29914. minLength: 1
  29915. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29916. type: string
  29917. type: object
  29918. keySecretRef:
  29919. description: |-
  29920. KeySecretRef to a key in a Secret resource containing client private key
  29921. added to the transport layer when communicating with the Vault server.
  29922. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  29923. properties:
  29924. key:
  29925. description: |-
  29926. A key in the referenced Secret.
  29927. Some instances of this field may be defaulted, in others it may be required.
  29928. maxLength: 253
  29929. minLength: 1
  29930. pattern: ^[-._a-zA-Z0-9]+$
  29931. type: string
  29932. name:
  29933. description: The name of the Secret resource being referred to.
  29934. maxLength: 253
  29935. minLength: 1
  29936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29937. type: string
  29938. namespace:
  29939. description: |-
  29940. The namespace of the Secret resource being referred to.
  29941. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29942. maxLength: 63
  29943. minLength: 1
  29944. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29945. type: string
  29946. type: object
  29947. type: object
  29948. version:
  29949. default: v2
  29950. description: |-
  29951. Version is the Vault KV secret engine version. This can be either "v1" or
  29952. "v2". Version defaults to "v2".
  29953. enum:
  29954. - v1
  29955. - v2
  29956. type: string
  29957. required:
  29958. - server
  29959. type: object
  29960. resultType:
  29961. default: Data
  29962. description: |-
  29963. Result type defines which data is returned from the generator.
  29964. By default, it is the "data" section of the Vault API response.
  29965. When using e.g. /auth/token/create the "data" section is empty but
  29966. the "auth" section contains the generated token.
  29967. Please refer to the Vault docs regarding the result data structure.
  29968. Additionally, the raw response can be accessed by using the "Raw" result type.
  29969. enum:
  29970. - Data
  29971. - Auth
  29972. - Raw
  29973. type: string
  29974. retrySettings:
  29975. description: Used to configure HTTP retries on failure
  29976. properties:
  29977. maxRetries:
  29978. format: int32
  29979. type: integer
  29980. retryInterval:
  29981. type: string
  29982. type: object
  29983. required:
  29984. - path
  29985. - provider
  29986. type: object
  29987. type: object
  29988. served: true
  29989. storage: true
  29990. subresources:
  29991. status: {}
  29992. ---
  29993. apiVersion: apiextensions.k8s.io/v1
  29994. kind: CustomResourceDefinition
  29995. metadata:
  29996. annotations:
  29997. controller-gen.kubebuilder.io/version: v0.19.0
  29998. labels:
  29999. external-secrets.io/component: controller
  30000. name: webhooks.generators.external-secrets.io
  30001. spec:
  30002. group: generators.external-secrets.io
  30003. names:
  30004. categories:
  30005. - external-secrets
  30006. - external-secrets-generators
  30007. kind: Webhook
  30008. listKind: WebhookList
  30009. plural: webhooks
  30010. singular: webhook
  30011. scope: Namespaced
  30012. versions:
  30013. - name: v1alpha1
  30014. schema:
  30015. openAPIV3Schema:
  30016. description: |-
  30017. Webhook connects to a third party API server to handle the secrets generation
  30018. configuration parameters in spec.
  30019. You can specify the server, the token, and additional body parameters.
  30020. See documentation for the full API specification for requests and responses.
  30021. properties:
  30022. apiVersion:
  30023. description: |-
  30024. APIVersion defines the versioned schema of this representation of an object.
  30025. Servers should convert recognized schemas to the latest internal value, and
  30026. may reject unrecognized values.
  30027. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30028. type: string
  30029. kind:
  30030. description: |-
  30031. Kind is a string value representing the REST resource this object represents.
  30032. Servers may infer this from the endpoint the client submits requests to.
  30033. Cannot be updated.
  30034. In CamelCase.
  30035. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30036. type: string
  30037. metadata:
  30038. type: object
  30039. spec:
  30040. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  30041. properties:
  30042. auth:
  30043. description: Auth specifies an authorization protocol. Only one protocol may be set.
  30044. maxProperties: 1
  30045. minProperties: 1
  30046. properties:
  30047. ntlm:
  30048. description: NTLMProtocol configures the store to use NTLM for auth
  30049. properties:
  30050. passwordSecret:
  30051. description: |-
  30052. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30053. In some instances, `key` is a required field.
  30054. properties:
  30055. key:
  30056. description: |-
  30057. A key in the referenced Secret.
  30058. Some instances of this field may be defaulted, in others it may be required.
  30059. maxLength: 253
  30060. minLength: 1
  30061. pattern: ^[-._a-zA-Z0-9]+$
  30062. type: string
  30063. name:
  30064. description: The name of the Secret resource being referred to.
  30065. maxLength: 253
  30066. minLength: 1
  30067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30068. type: string
  30069. namespace:
  30070. description: |-
  30071. The namespace of the Secret resource being referred to.
  30072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30073. maxLength: 63
  30074. minLength: 1
  30075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30076. type: string
  30077. type: object
  30078. usernameSecret:
  30079. description: |-
  30080. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  30081. In some instances, `key` is a required field.
  30082. properties:
  30083. key:
  30084. description: |-
  30085. A key in the referenced Secret.
  30086. Some instances of this field may be defaulted, in others it may be required.
  30087. maxLength: 253
  30088. minLength: 1
  30089. pattern: ^[-._a-zA-Z0-9]+$
  30090. type: string
  30091. name:
  30092. description: The name of the Secret resource being referred to.
  30093. maxLength: 253
  30094. minLength: 1
  30095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30096. type: string
  30097. namespace:
  30098. description: |-
  30099. The namespace of the Secret resource being referred to.
  30100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30101. maxLength: 63
  30102. minLength: 1
  30103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30104. type: string
  30105. type: object
  30106. required:
  30107. - passwordSecret
  30108. - usernameSecret
  30109. type: object
  30110. type: object
  30111. body:
  30112. description: Body
  30113. type: string
  30114. caBundle:
  30115. description: |-
  30116. PEM-encoded CA bundle used to validate the webhook server certificate. Only used
  30117. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  30118. plain HTTP connections. If not set, the system root certificates
  30119. are used to validate the TLS connection.
  30120. format: byte
  30121. type: string
  30122. caProvider:
  30123. description: The provider for the CA bundle to use to validate webhook server certificate.
  30124. properties:
  30125. key:
  30126. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  30127. maxLength: 253
  30128. minLength: 1
  30129. pattern: ^[-._a-zA-Z0-9]+$
  30130. type: string
  30131. name:
  30132. description: The name of the object located at the provider type.
  30133. maxLength: 253
  30134. minLength: 1
  30135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30136. type: string
  30137. namespace:
  30138. description: The namespace the Provider type is in.
  30139. maxLength: 63
  30140. minLength: 1
  30141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30142. type: string
  30143. type:
  30144. description: The type of provider to use such as "Secret", or "ConfigMap".
  30145. enum:
  30146. - Secret
  30147. - ConfigMap
  30148. type: string
  30149. required:
  30150. - name
  30151. - type
  30152. type: object
  30153. headers:
  30154. additionalProperties:
  30155. type: string
  30156. description: Headers
  30157. type: object
  30158. method:
  30159. description: Webhook Method
  30160. type: string
  30161. result:
  30162. description: Result formatting
  30163. properties:
  30164. jsonPath:
  30165. description: JSON path of the return value
  30166. type: string
  30167. type: object
  30168. secrets:
  30169. description: |-
  30170. Secrets to fill in templates.
  30171. These secrets will be passed to the templating function as key/value pairs under the given name.
  30172. items:
  30173. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  30174. properties:
  30175. name:
  30176. description: Name of this secret in templates
  30177. type: string
  30178. secretRef:
  30179. description: Secret ref to fill in credentials
  30180. properties:
  30181. key:
  30182. description: The key where the token is found.
  30183. maxLength: 253
  30184. minLength: 1
  30185. pattern: ^[-._a-zA-Z0-9]+$
  30186. type: string
  30187. name:
  30188. description: The name of the Secret resource being referred to.
  30189. maxLength: 253
  30190. minLength: 1
  30191. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30192. type: string
  30193. type: object
  30194. required:
  30195. - name
  30196. - secretRef
  30197. type: object
  30198. type: array
  30199. timeout:
  30200. description: Timeout
  30201. type: string
  30202. url:
  30203. description: Webhook url to call
  30204. type: string
  30205. required:
  30206. - result
  30207. - url
  30208. type: object
  30209. type: object
  30210. served: true
  30211. storage: true
  30212. subresources:
  30213. status: {}