helm-external-secrets/config/crds/bases/external-secrets.io_clusterexternalsecrets.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.18.0
  labels:
    external-secrets.io/component: controller
  name: clusterexternalsecrets.external-secrets.io
spec:
  group: external-secrets.io
  names:
    categories:
    - external-secrets
    kind: ClusterExternalSecret
    listKind: ClusterExternalSecretList
    plural: clusterexternalsecrets
    shortNames:
    - ces
    singular: clusterexternalsecret
  scope: Cluster
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshTime
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    name: v1
    schema:
      openAPIV3Schema:
        description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
          API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
            properties:
              externalSecretMetadata:
                description: The metadata of the external secrets to be created
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    type: object
                type: object
              externalSecretName:
                description: |-
                  The name of the external secrets to be created.
                  Defaults to the name of the ClusterExternalSecret
                maxLength: 253
                minLength: 1
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                type: string
              externalSecretSpec:
                description: The spec for the ExternalSecrets to be created
                properties:
                  data:
                    description: Data defines the connection between the Kubernetes
                      Secret keys and the Provider data
                    items:
                      description: ExternalSecretData defines the connection between
                        the Kubernetes Secret key (spec.data.<key>) and the Provider
                        data.
                      properties:
                        remoteRef:
                          description: |-
                            RemoteRef points to the remote secret and defines
                            which secret (version/property/..) to fetch.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        secretKey:
                          description: The key in the Kubernetes Secret to store the
                            value.
                          maxLength: 253
                          minLength: 1
                          pattern: ^[-._a-zA-Z0-9]+$
                          type: string
                        sourceRef:
                          description: |-
                            SourceRef allows you to override the source
                            from which the value will be pulled.
                          maxProperties: 1
                          minProperties: 1
                          properties:
                            generatorRef:
                              description: |-
                                GeneratorRef points to a generator custom resource.

                                Deprecated: The generatorRef is not implemented in .data[].
                                this will be removed with v1.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the generator resource
                                  enum:
                                  - ACRAccessToken
                                  - ClusterGenerator
                                  - ECRAuthorizationToken
                                  - Fake
                                  - GCRAccessToken
                                  - GithubAccessToken
                                  - QuayAccessToken
                                  - Password
                                  - STSSessionToken
                                  - UUID
                                  - VaultDynamicSecret
                                  - Webhook
                                  - Grafana
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  enum:
                                  - SecretStore
                                  - ClusterSecretStore
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              type: object
                          type: object
                      required:
                      - remoteRef
                      - secretKey
                      type: object
                    type: array
                  dataFrom:
                    description: |-
                      DataFrom is used to fetch all properties from a specific Provider data
                      If multiple entries are specified, the Secret keys are merged in the specified order
                    items:
                      properties:
                        extract:
                          description: |-
                            Used to extract multiple key/value pairs from one secret
                            Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        find:
                          description: |-
                            Used to find secrets based on tags or regular expressions
                            Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            name:
                              description: Finds secrets based on the name.
                              properties:
                                regexp:
                                  description: Finds secrets base
                                  type: string
                              type: object
                            path:
                              description: A root path to start the find operations.
                              type: string
                            tags:
                              additionalProperties:
                                type: string
                              description: Find secrets based on tags.
                              type: object
                          type: object
                        rewrite:
                          description: |-
                            Used to rewrite secret Keys after getting them from the secret Provider
                            Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                          items:
                            properties:
                              regexp:
                                description: |-
                                  Used to rewrite with regular expressions.
                                  The resulting key will be the output of a regexp.ReplaceAll operation.
                                properties:
                                  source:
                                    description: Used to define the regular expression
                                      of a re.Compiler.
                                    type: string
                                  target:
                                    description: Used to define the target pattern
                                      of a ReplaceAll operation.
                                    type: string
                                required:
                                - source
                                - target
                                type: object
                              transform:
                                description: |-
                                  Used to apply string transformation on the secrets.
                                  The resulting key will be the output of the template applied by the operation.
                                properties:
                                  template:
                                    description: |-
                                      Used to define the template to apply on the secret name.
                                      `.value ` will specify the secret name in the template.
                                    type: string
                                required:
                                - template
                                type: object
                            type: object
                          type: array
                        sourceRef:
                          description: |-
                            SourceRef points to a store or generator
                            which contains secret values ready to use.
                            Use this in combination with Extract or Find pull values out of
                            a specific SecretStore.
                            When sourceRef points to a generator Extract or Find is not supported.
                            The generator returns a static map of values
                          maxProperties: 1
                          minProperties: 1
                          properties:
                            generatorRef:
                              description: GeneratorRef points to a generator custom
                                resource.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the generator resource
                                  enum:
                                  - ACRAccessToken
                                  - ClusterGenerator
                                  - ECRAuthorizationToken
                                  - Fake
                                  - GCRAccessToken
                                  - GithubAccessToken
                                  - QuayAccessToken
                                  - Password
                                  - STSSessionToken
                                  - UUID
                                  - VaultDynamicSecret
                                  - Webhook
                                  - Grafana
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  enum:
                                  - SecretStore
                                  - ClusterSecretStore
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              type: object
                          type: object
                      type: object
                    type: array
                  refreshInterval:
                    default: 1h
                    description: |-
                      RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                      specified as Golang Duration strings.
                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                      Example values: "1h", "2h30m", "10s"
                      May be set to zero to fetch and create it once. Defaults to 1h.
                    type: string
                  refreshPolicy:
                    description: |-
                      RefreshPolicy determines how the ExternalSecret should be refreshed:
                      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                        No periodic updates occur if refreshInterval is 0.
                      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                    enum:
                    - CreatedOnce
                    - Periodic
                    - OnChange
                    type: string
                  secretStoreRef:
                    description: SecretStoreRef defines which SecretStore to fetch
                      the ExternalSecret data.
                    properties:
                      kind:
                        description: |-
                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                          Defaults to `SecretStore`
                        enum:
                        - SecretStore
                        - ClusterSecretStore
                        type: string
                      name:
                        description: Name of the SecretStore resource
                        maxLength: 253
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                    type: object
                  target:
                    default:
                      creationPolicy: Owner
                      deletionPolicy: Retain
                    description: |-
                      ExternalSecretTarget defines the Kubernetes Secret to be created
                      There can be only one target per ExternalSecret.
                    properties:
                      creationPolicy:
                        default: Owner
                        description: |-
                          CreationPolicy defines rules on how to create the resulting Secret.
                          Defaults to "Owner"
                        enum:
                        - Owner
                        - Orphan
                        - Merge
                        - None
                        type: string
                      deletionPolicy:
                        default: Retain
                        description: |-
                          DeletionPolicy defines rules on how to delete the resulting Secret.
                          Defaults to "Retain"
                        enum:
                        - Delete
                        - Merge
                        - Retain
                        type: string
                      immutable:
                        description: Immutable defines if the final secret will be
                          immutable
                        type: boolean
                      name:
                        description: |-
                          The name of the Secret resource to be managed.
                          Defaults to the .metadata.name of the ExternalSecret resource
                        maxLength: 253
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      template:
                        description: Template defines a blueprint for the created
                          Secret resource.
                        properties:
                          data:
                            additionalProperties:
                              type: string
                            type: object
                          engineVersion:
                            default: v2
                            description: |-
                              EngineVersion specifies the template engine version
                              that should be used to compile/execute the
                              template specified in .data and .templateFrom[].
                            enum:
                            - v2
                            type: string
                          mergePolicy:
                            default: Replace
                            enum:
                            - Replace
                            - Merge
                            type: string
                          metadata:
                            description: ExternalSecretTemplateMetadata defines metadata
                              fields for the Secret blueprint.
                            properties:
                              annotations:
                                additionalProperties:
                                  type: string
                                type: object
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                            type: object
                          templateFrom:
                            items:
                              properties:
                                configMap:
                                  properties:
                                    items:
                                      description: A list of keys in the ConfigMap/Secret
                                        to use as templates for Secret data
                                      items:
                                        properties:
                                          key:
                                            description: A key in the ConfigMap/Secret
                                            maxLength: 253
                                            minLength: 1
                                            pattern: ^[-._a-zA-Z0-9]+$
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      description: The name of the ConfigMap/Secret
                                        resource
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                literal:
                                  type: string
                                secret:
                                  properties:
                                    items:
                                      description: A list of keys in the ConfigMap/Secret
                                        to use as templates for Secret data
                                      items:
                                        properties:
                                          key:
                                            description: A key in the ConfigMap/Secret
                                            maxLength: 253
                                            minLength: 1
                                            pattern: ^[-._a-zA-Z0-9]+$
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      description: The name of the ConfigMap/Secret
                                        resource
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                target:
                                  default: Data
                                  enum:
                                  - Data
                                  - Annotations
                                  - Labels
                                  type: string
                              type: object
                            type: array
                          type:
                            type: string
                        type: object
                    type: object
                type: object
              namespaceSelector:
                description: |-
                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
                  Deprecated: Use NamespaceSelectors instead.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                    x-kubernetes-list-type: atomic
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              namespaceSelectors:
                description: A list of labels to select by to find the Namespaces
                  to create the ExternalSecrets in. The selectors are ORed.
                items:
                  description: |-
                    A label selector is a label query over a set of resources. The result of matchLabels and
                    matchExpressions are ANDed. An empty label selector matches all objects. A null
                    label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              namespaces:
                description: |-
                  Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
                  Deprecated: Use NamespaceSelectors instead.
                items:
                  maxLength: 63
                  minLength: 1
                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                  type: string
                type: array
              refreshTime:
                description: The time in which the controller should reconcile its
                  objects and recheck namespaces for labels.
                type: string
            required:
            - externalSecretSpec
            type: object
          status:
            description: ClusterExternalSecretStatus defines the observed state of
              ClusterExternalSecret.
            properties:
              conditions:
                items:
                  properties:
                    message:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              externalSecretName:
                description: ExternalSecretName is the name of the ExternalSecrets
                  created by the ClusterExternalSecret
                type: string
              failedNamespaces:
                description: Failed namespaces are the namespaces that failed to apply
                  an ExternalSecret
                items:
                  description: ClusterExternalSecretNamespaceFailure represents a
                    failed namespace deployment and it's reason.
                  properties:
                    namespace:
                      description: Namespace is the namespace that failed when trying
                        to apply an ExternalSecret
                      type: string
                    reason:
                      description: Reason is why the ExternalSecret failed to apply
                        to the namespace
                      type: string
                  required:
                  - namespace
                  type: object
                type: array
              provisionedNamespaces:
                description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
                  has secrets
                items:
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
    subresources:
      status: {}
  - additionalPrinterColumns:
    - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
      name: Store
      type: string
    - jsonPath: .spec.refreshTime
      name: Refresh Interval
      type: string
    - jsonPath: .status.conditions[?(@.type=="Ready")].status
      name: Ready
      type: string
    deprecated: true
    name: v1beta1
    schema:
      openAPIV3Schema:
        description: ClusterExternalSecret is the Schema for the clusterexternalsecrets
          API.
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
            properties:
              externalSecretMetadata:
                description: The metadata of the external secrets to be created
                properties:
                  annotations:
                    additionalProperties:
                      type: string
                    type: object
                  labels:
                    additionalProperties:
                      type: string
                    type: object
                type: object
              externalSecretName:
                description: |-
                  The name of the external secrets to be created.
                  Defaults to the name of the ClusterExternalSecret
                maxLength: 253
                minLength: 1
                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                type: string
              externalSecretSpec:
                description: The spec for the ExternalSecrets to be created
                properties:
                  data:
                    description: Data defines the connection between the Kubernetes
                      Secret keys and the Provider data
                    items:
                      description: ExternalSecretData defines the connection between
                        the Kubernetes Secret key (spec.data.<key>) and the Provider
                        data.
                      properties:
                        remoteRef:
                          description: |-
                            RemoteRef points to the remote secret and defines
                            which secret (version/property/..) to fetch.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        secretKey:
                          description: The key in the Kubernetes Secret to store the
                            value.
                          maxLength: 253
                          minLength: 1
                          pattern: ^[-._a-zA-Z0-9]+$
                          type: string
                        sourceRef:
                          description: |-
                            SourceRef allows you to override the source
                            from which the value will be pulled.
                          maxProperties: 1
                          minProperties: 1
                          properties:
                            generatorRef:
                              description: |-
                                GeneratorRef points to a generator custom resource.

                                Deprecated: The generatorRef is not implemented in .data[].
                                this will be removed with v1.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the generator resource
                                  enum:
                                  - ACRAccessToken
                                  - ClusterGenerator
                                  - ECRAuthorizationToken
                                  - Fake
                                  - GCRAccessToken
                                  - GithubAccessToken
                                  - QuayAccessToken
                                  - Password
                                  - STSSessionToken
                                  - UUID
                                  - VaultDynamicSecret
                                  - Webhook
                                  - Grafana
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  enum:
                                  - SecretStore
                                  - ClusterSecretStore
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              type: object
                          type: object
                      required:
                      - remoteRef
                      - secretKey
                      type: object
                    type: array
                  dataFrom:
                    description: |-
                      DataFrom is used to fetch all properties from a specific Provider data
                      If multiple entries are specified, the Secret keys are merged in the specified order
                    items:
                      properties:
                        extract:
                          description: |-
                            Used to extract multiple key/value pairs from one secret
                            Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            key:
                              description: Key is the key used in the Provider, mandatory
                              type: string
                            metadataPolicy:
                              default: None
                              description: Policy for fetching tags/labels from provider
                                secrets, possible options are Fetch, None. Defaults
                                to None
                              enum:
                              - None
                              - Fetch
                              type: string
                            property:
                              description: Used to select a specific property of the
                                Provider value (if a map), if supported
                              type: string
                            version:
                              description: Used to select a specific version of the
                                Provider value, if supported
                              type: string
                          required:
                          - key
                          type: object
                        find:
                          description: |-
                            Used to find secrets based on tags or regular expressions
                            Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
                          properties:
                            conversionStrategy:
                              default: Default
                              description: Used to define a conversion Strategy
                              enum:
                              - Default
                              - Unicode
                              type: string
                            decodingStrategy:
                              default: None
                              description: Used to define a decoding Strategy
                              enum:
                              - Auto
                              - Base64
                              - Base64URL
                              - None
                              type: string
                            name:
                              description: Finds secrets based on the name.
                              properties:
                                regexp:
                                  description: Finds secrets base
                                  type: string
                              type: object
                            path:
                              description: A root path to start the find operations.
                              type: string
                            tags:
                              additionalProperties:
                                type: string
                              description: Find secrets based on tags.
                              type: object
                          type: object
                        rewrite:
                          description: |-
                            Used to rewrite secret Keys after getting them from the secret Provider
                            Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
                          items:
                            properties:
                              regexp:
                                description: |-
                                  Used to rewrite with regular expressions.
                                  The resulting key will be the output of a regexp.ReplaceAll operation.
                                properties:
                                  source:
                                    description: Used to define the regular expression
                                      of a re.Compiler.
                                    type: string
                                  target:
                                    description: Used to define the target pattern
                                      of a ReplaceAll operation.
                                    type: string
                                required:
                                - source
                                - target
                                type: object
                              transform:
                                description: |-
                                  Used to apply string transformation on the secrets.
                                  The resulting key will be the output of the template applied by the operation.
                                properties:
                                  template:
                                    description: |-
                                      Used to define the template to apply on the secret name.
                                      `.value ` will specify the secret name in the template.
                                    type: string
                                required:
                                - template
                                type: object
                            type: object
                          type: array
                        sourceRef:
                          description: |-
                            SourceRef points to a store or generator
                            which contains secret values ready to use.
                            Use this in combination with Extract or Find pull values out of
                            a specific SecretStore.
                            When sourceRef points to a generator Extract or Find is not supported.
                            The generator returns a static map of values
                          maxProperties: 1
                          minProperties: 1
                          properties:
                            generatorRef:
                              description: GeneratorRef points to a generator custom
                                resource.
                              properties:
                                apiVersion:
                                  default: generators.external-secrets.io/v1alpha1
                                  description: Specify the apiVersion of the generator
                                    resource
                                  type: string
                                kind:
                                  description: Specify the Kind of the generator resource
                                  enum:
                                  - ACRAccessToken
                                  - ClusterGenerator
                                  - ECRAuthorizationToken
                                  - Fake
                                  - GCRAccessToken
                                  - GithubAccessToken
                                  - QuayAccessToken
                                  - Password
                                  - STSSessionToken
                                  - UUID
                                  - VaultDynamicSecret
                                  - Webhook
                                  - Grafana
                                  type: string
                                name:
                                  description: Specify the name of the generator resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              required:
                              - kind
                              - name
                              type: object
                            storeRef:
                              description: SecretStoreRef defines which SecretStore
                                to fetch the ExternalSecret data.
                              properties:
                                kind:
                                  description: |-
                                    Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                                    Defaults to `SecretStore`
                                  enum:
                                  - SecretStore
                                  - ClusterSecretStore
                                  type: string
                                name:
                                  description: Name of the SecretStore resource
                                  maxLength: 253
                                  minLength: 1
                                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                  type: string
                              type: object
                          type: object
                      type: object
                    type: array
                  refreshInterval:
                    default: 1h
                    description: |-
                      RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
                      specified as Golang Duration strings.
                      Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
                      Example values: "1h", "2h30m", "10s"
                      May be set to zero to fetch and create it once. Defaults to 1h.
                    type: string
                  refreshPolicy:
                    description: |-
                      RefreshPolicy determines how the ExternalSecret should be refreshed:
                      - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
                      - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
                        No periodic updates occur if refreshInterval is 0.
                      - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
                    enum:
                    - CreatedOnce
                    - Periodic
                    - OnChange
                    type: string
                  secretStoreRef:
                    description: SecretStoreRef defines which SecretStore to fetch
                      the ExternalSecret data.
                    properties:
                      kind:
                        description: |-
                          Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
                          Defaults to `SecretStore`
                        enum:
                        - SecretStore
                        - ClusterSecretStore
                        type: string
                      name:
                        description: Name of the SecretStore resource
                        maxLength: 253
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                    type: object
                  target:
                    default:
                      creationPolicy: Owner
                      deletionPolicy: Retain
                    description: |-
                      ExternalSecretTarget defines the Kubernetes Secret to be created
                      There can be only one target per ExternalSecret.
                    properties:
                      creationPolicy:
                        default: Owner
                        description: |-
                          CreationPolicy defines rules on how to create the resulting Secret.
                          Defaults to "Owner"
                        enum:
                        - Owner
                        - Orphan
                        - Merge
                        - None
                        type: string
                      deletionPolicy:
                        default: Retain
                        description: |-
                          DeletionPolicy defines rules on how to delete the resulting Secret.
                          Defaults to "Retain"
                        enum:
                        - Delete
                        - Merge
                        - Retain
                        type: string
                      immutable:
                        description: Immutable defines if the final secret will be
                          immutable
                        type: boolean
                      name:
                        description: |-
                          The name of the Secret resource to be managed.
                          Defaults to the .metadata.name of the ExternalSecret resource
                        maxLength: 253
                        minLength: 1
                        pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                        type: string
                      template:
                        description: Template defines a blueprint for the created
                          Secret resource.
                        properties:
                          data:
                            additionalProperties:
                              type: string
                            type: object
                          engineVersion:
                            default: v2
                            description: |-
                              EngineVersion specifies the template engine version
                              that should be used to compile/execute the
                              template specified in .data and .templateFrom[].
                            enum:
                            - v2
                            type: string
                          mergePolicy:
                            default: Replace
                            enum:
                            - Replace
                            - Merge
                            type: string
                          metadata:
                            description: ExternalSecretTemplateMetadata defines metadata
                              fields for the Secret blueprint.
                            properties:
                              annotations:
                                additionalProperties:
                                  type: string
                                type: object
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                            type: object
                          templateFrom:
                            items:
                              properties:
                                configMap:
                                  properties:
                                    items:
                                      description: A list of keys in the ConfigMap/Secret
                                        to use as templates for Secret data
                                      items:
                                        properties:
                                          key:
                                            description: A key in the ConfigMap/Secret
                                            maxLength: 253
                                            minLength: 1
                                            pattern: ^[-._a-zA-Z0-9]+$
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      description: The name of the ConfigMap/Secret
                                        resource
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                literal:
                                  type: string
                                secret:
                                  properties:
                                    items:
                                      description: A list of keys in the ConfigMap/Secret
                                        to use as templates for Secret data
                                      items:
                                        properties:
                                          key:
                                            description: A key in the ConfigMap/Secret
                                            maxLength: 253
                                            minLength: 1
                                            pattern: ^[-._a-zA-Z0-9]+$
                                            type: string
                                          templateAs:
                                            default: Values
                                            enum:
                                            - Values
                                            - KeysAndValues
                                            type: string
                                        required:
                                        - key
                                        type: object
                                      type: array
                                    name:
                                      description: The name of the ConfigMap/Secret
                                        resource
                                      maxLength: 253
                                      minLength: 1
                                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                                      type: string
                                  required:
                                  - items
                                  - name
                                  type: object
                                target:
                                  default: Data
                                  enum:
                                  - Data
                                  - Annotations
                                  - Labels
                                  type: string
                              type: object
                            type: array
                          type:
                            type: string
                        type: object
                    type: object
                type: object
              namespaceSelector:
                description: |-
                  The labels to select by to find the Namespaces to create the ExternalSecrets in.
                  Deprecated: Use NamespaceSelectors instead.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements.
                      The requirements are ANDed.
                    items:
                      description: |-
                        A label selector requirement is a selector that contains values, a key, and an operator that
                        relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies
                            to.
                          type: string
                        operator:
                          description: |-
                            operator represents a key's relationship to a set of values.
                            Valid operators are In, NotIn, Exists and DoesNotExist.
                          type: string
                        values:
                          description: |-
                            values is an array of string values. If the operator is In or NotIn,
                            the values array must be non-empty. If the operator is Exists or DoesNotExist,
                            the values array must be empty. This array is replaced during a strategic
                            merge patch.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                    x-kubernetes-list-type: atomic
                  matchLabels:
                    additionalProperties:
                      type: string
                    description: |-
                      matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                      map is equivalent to an element of matchExpressions, whose key field is "key", the
                      operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
                x-kubernetes-map-type: atomic
              namespaceSelectors:
                description: A list of labels to select by to find the Namespaces
                  to create the ExternalSecrets in. The selectors are ORed.
                items:
                  description: |-
                    A label selector is a label query over a set of resources. The result of matchLabels and
                    matchExpressions are ANDed. An empty label selector matches all objects. A null
                    label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements.
                        The requirements are ANDed.
                      items:
                        description: |-
                          A label selector requirement is a selector that contains values, a key, and an operator that
                          relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies
                              to.
                            type: string
                          operator:
                            description: |-
                              operator represents a key's relationship to a set of values.
                              Valid operators are In, NotIn, Exists and DoesNotExist.
                            type: string
                          values:
                            description: |-
                              values is an array of string values. If the operator is In or NotIn,
                              the values array must be non-empty. If the operator is Exists or DoesNotExist,
                              the values array must be empty. This array is replaced during a strategic
                              merge patch.
                            items:
                              type: string
                            type: array
                            x-kubernetes-list-type: atomic
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                      x-kubernetes-list-type: atomic
                    matchLabels:
                      additionalProperties:
                        type: string
                      description: |-
                        matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
                        map is equivalent to an element of matchExpressions, whose key field is "key", the
                        operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
                  x-kubernetes-map-type: atomic
                type: array
              namespaces:
                description: |-
                  Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
                  Deprecated: Use NamespaceSelectors instead.
                items:
                  maxLength: 63
                  minLength: 1
                  pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                  type: string
                type: array
              refreshTime:
                description: The time in which the controller should reconcile its
                  objects and recheck namespaces for labels.
                type: string
            required:
            - externalSecretSpec
            type: object
          status:
            description: ClusterExternalSecretStatus defines the observed state of
              ClusterExternalSecret.
            properties:
              conditions:
                items:
                  properties:
                    message:
                      type: string
                    status:
                      type: string
                    type:
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              externalSecretName:
                description: ExternalSecretName is the name of the ExternalSecrets
                  created by the ClusterExternalSecret
                type: string
              failedNamespaces:
                description: Failed namespaces are the namespaces that failed to apply
                  an ExternalSecret
                items:
                  description: ClusterExternalSecretNamespaceFailure represents a
                    failed namespace deployment and it's reason.
                  properties:
                    namespace:
                      description: Namespace is the namespace that failed when trying
                        to apply an ExternalSecret
                      type: string
                    reason:
                      description: Reason is why the ExternalSecret failed to apply
                        to the namespace
                      type: string
                  required:
                  - namespace
                  type: object
                type: array
              provisionedNamespaces:
                description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret
                  has secrets
                items:
                  type: string
                type: array
            type: object
        type: object
    served: false
    storage: false
    subresources:
      status: {}