| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923 |
- apiVersion: apiextensions.k8s.io/v1
- kind: CustomResourceDefinition
- metadata:
- annotations:
- controller-gen.kubebuilder.io/version: v0.18.0
- labels:
- external-secrets.io/component: controller
- name: clustergenerators.generators.external-secrets.io
- spec:
- group: generators.external-secrets.io
- names:
- categories:
- - external-secrets
- - external-secrets-generators
- kind: ClusterGenerator
- listKind: ClusterGeneratorList
- plural: clustergenerators
- singular: clustergenerator
- scope: Cluster
- versions:
- - name: v1alpha1
- schema:
- openAPIV3Schema:
- description: ClusterGenerator represents a cluster-wide generator which can
- be referenced as part of `generatorRef` fields.
- properties:
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- spec:
- properties:
- generator:
- description: Generator the spec for this generator, must match the
- kind.
- maxProperties: 1
- minProperties: 1
- properties:
- acrAccessTokenSpec:
- description: |-
- ACRAccessTokenSpec defines how to generate the access token
- e.g. how to authenticate and which registry to use.
- see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
- properties:
- auth:
- properties:
- managedIdentity:
- description: ManagedIdentity uses Azure Managed Identity
- to authenticate with Azure.
- properties:
- identityId:
- description: If multiple Managed Identity is assigned
- to the pod, you can select the one to be used
- type: string
- type: object
- servicePrincipal:
- description: ServicePrincipal uses Azure Service Principal
- credentials to authenticate with Azure.
- properties:
- secretRef:
- description: |-
- Configuration used to authenticate with Azure using static
- credentials stored in a Kind=Secret.
- properties:
- clientId:
- description: The Azure clientId of the service
- principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- clientSecret:
- description: The Azure ClientSecret of the service
- principle used for authentication.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- required:
- - secretRef
- type: object
- workloadIdentity:
- description: WorkloadIdentity uses Azure Workload Identity
- to authenticate with Azure.
- properties:
- serviceAccountRef:
- description: |-
- ServiceAccountRef specified the service account
- that should be used when authenticating with WorkloadIdentity.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- type: object
- environmentType:
- default: PublicCloud
- description: |-
- EnvironmentType specifies the Azure cloud environment endpoints to use for
- connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
- The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
- PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
- enum:
- - PublicCloud
- - USGovernmentCloud
- - ChinaCloud
- - GermanCloud
- type: string
- registry:
- description: |-
- the domain name of the ACR registry
- e.g. foobarexample.azurecr.io
- type: string
- scope:
- description: |-
- Define the scope for the access token, e.g. pull/push access for a repository.
- if not provided it will return a refresh token that has full scope.
- Note: you need to pin it down to the repository level, there is no wildcard available.
- examples:
- repository:my-repository:pull,push
- repository:my-repository:pull
- see docs for details: https://docs.docker.com/registry/spec/auth/scope/
- type: string
- tenantId:
- description: TenantID configures the Azure Tenant to send
- requests to. Required for ServicePrincipal auth type.
- type: string
- required:
- - auth
- - registry
- type: object
- ecrAuthorizationTokenSpec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account
- tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- scope:
- description: |-
- Scope specifies the ECR service scope.
- Valid options are private and public.
- type: string
- required:
- - region
- type: object
- fakeSpec:
- description: FakeSpec contains the static data.
- properties:
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
- type: string
- data:
- additionalProperties:
- type: string
- description: |-
- Data defines the static data returned
- by this generator.
- type: object
- type: object
- gcrAccessTokenSpec:
- properties:
- auth:
- description: Auth defines the means for authenticating with
- GCP
- properties:
- secretRef:
- properties:
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- workloadIdentity:
- properties:
- clusterLocation:
- type: string
- clusterName:
- type: string
- clusterProjectID:
- type: string
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - clusterLocation
- - clusterName
- - serviceAccountRef
- type: object
- type: object
- projectID:
- description: ProjectID defines which project to use to authenticate
- with
- type: string
- required:
- - auth
- - projectID
- type: object
- githubAccessTokenSpec:
- properties:
- appID:
- type: string
- auth:
- description: Auth configures how ESO authenticates with a
- Github instance.
- properties:
- privateKey:
- properties:
- secretRef:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - secretRef
- type: object
- required:
- - privateKey
- type: object
- installID:
- type: string
- permissions:
- additionalProperties:
- type: string
- description: Map of permissions the token will have. If omitted,
- defaults to all permissions the GitHub App has.
- type: object
- repositories:
- description: |-
- List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
- is installed to.
- items:
- type: string
- type: array
- url:
- description: URL configures the Github instance URL. Defaults
- to https://github.com/.
- type: string
- required:
- - appID
- - auth
- - installID
- type: object
- grafanaSpec:
- description: GrafanaSpec controls the behavior of the grafana
- generator.
- properties:
- auth:
- description: |-
- Auth is the authentication configuration to authenticate
- against the Grafana instance.
- properties:
- basic:
- description: |-
- Basic auth credentials used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- password:
- description: A basic auth password used to authenticate
- against the Grafana instance.
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- username:
- description: A basic auth username used to authenticate
- against the Grafana instance.
- type: string
- required:
- - password
- - username
- type: object
- token:
- description: |-
- A service account token used to authenticate against the Grafana instance.
- Note: you need a token which has elevated permissions to create service accounts.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- type: object
- serviceAccount:
- description: |-
- ServiceAccount is the configuration for the service account that
- is supposed to be generated by the generator.
- properties:
- name:
- description: Name is the name of the service account that
- will be created by ESO.
- type: string
- role:
- description: |-
- Role is the role of the service account.
- See here for the documentation on basic roles offered by Grafana:
- https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
- type: string
- required:
- - name
- - role
- type: object
- url:
- description: URL is the URL of the Grafana instance.
- type: string
- required:
- - auth
- - serviceAccount
- - url
- type: object
- passwordSpec:
- description: PasswordSpec controls the behavior of the password
- generator.
- properties:
- allowRepeat:
- default: false
- description: set AllowRepeat to true to allow repeating characters.
- type: boolean
- digits:
- description: |-
- Digits specifies the number of digits in the generated
- password. If omitted it defaults to 25% of the length of the password
- type: integer
- length:
- default: 24
- description: |-
- Length of the password to be generated.
- Defaults to 24
- type: integer
- noUpper:
- default: false
- description: Set NoUpper to disable uppercase characters
- type: boolean
- symbolCharacters:
- description: |-
- SymbolCharacters specifies the special characters that should be used
- in the generated password.
- type: string
- symbols:
- description: |-
- Symbols specifies the number of symbol characters in the generated
- password. If omitted it defaults to 25% of the length of the password
- type: integer
- required:
- - allowRepeat
- - length
- - noUpper
- type: object
- quayAccessTokenSpec:
- properties:
- robotAccount:
- description: Name of the robot account you are federating
- with
- type: string
- serviceAccountRef:
- description: Name of the service account you are federating
- with
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- url:
- description: URL configures the Quay instance URL. Defaults
- to quay.io.
- type: string
- required:
- - robotAccount
- - serviceAccountRef
- type: object
- stsSessionTokenSpec:
- properties:
- auth:
- description: Auth defines how to authenticate with AWS
- properties:
- jwt:
- description: Authenticate against AWS using service account
- tokens.
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- secretRef:
- description: |-
- AWSAuthSecretRef holds secret references for AWS credentials
- both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- type: object
- region:
- description: Region specifies the region to operate in.
- type: string
- requestParameters:
- description: RequestParameters contains parameters that can
- be passed to the STS service.
- properties:
- serialNumber:
- description: |-
- SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
- the GetSessionToken call.
- Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
- (such as arn:aws:iam::123456789012:mfa/user)
- type: string
- sessionDuration:
- description: |-
- SessionDuration The duration, in seconds, that the credentials should remain valid. Acceptable durations for
- IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds
- (12 hours) as the default.
- format: int64
- type: integer
- tokenCode:
- description: TokenCode is the value provided by the MFA
- device, if MFA is required.
- type: string
- type: object
- role:
- description: |-
- You can assume a role before making calls to the
- desired AWS service.
- type: string
- required:
- - region
- type: object
- uuidSpec:
- description: UUIDSpec controls the behavior of the uuid generator.
- type: object
- vaultDynamicSecretSpec:
- properties:
- allowEmptyResponse:
- default: false
- description: Do not fail if no secrets are found. Useful for
- requests where no data is expected.
- type: boolean
- controller:
- description: |-
- Used to select the correct ESO controller (think: ingress.ingressClassName)
- The ESO controller is instantiated with a specific controller name and filters VDS based on this property
- type: string
- method:
- description: Vault API method to use (GET/POST/other)
- type: string
- parameters:
- description: Parameters to pass to Vault write (for non-GET
- methods)
- x-kubernetes-preserve-unknown-fields: true
- path:
- description: Vault path to obtain the dynamic secret from
- type: string
- provider:
- description: Vault provider common spec
- properties:
- auth:
- description: Auth configures how secret-manager authenticates
- with the Vault server.
- properties:
- appRole:
- description: |-
- AppRole authenticates with Vault using the App Role auth mechanism,
- with the role and secret stored in a Kubernetes Secret resource.
- properties:
- path:
- default: approle
- description: |-
- Path where the App Role authentication backend is mounted
- in Vault, e.g: "approle"
- type: string
- roleId:
- description: |-
- RoleID configured in the App Role authentication backend when setting
- up the authentication backend in Vault.
- type: string
- roleRef:
- description: |-
- Reference to a key in a Secret that contains the App Role ID used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role id.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- Reference to a key in a Secret that contains the App Role secret used
- to authenticate with Vault.
- The `key` field must be specified and denotes which entry within the Secret
- resource is used as the app role secret.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- - secretRef
- type: object
- cert:
- description: |-
- Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
- Cert authentication method
- properties:
- clientCert:
- description: |-
- ClientCert is a certificate to authenticate using the Cert Vault
- authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing client private key to
- authenticate with Vault using the Cert authentication method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- iam:
- description: |-
- Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
- AWS IAM authentication method
- properties:
- externalID:
- description: AWS External ID set on assumed IAM
- roles
- type: string
- jwt:
- description: Specify a service account with IRSA
- enabled
- properties:
- serviceAccountRef:
- description: A reference to a ServiceAccount
- resource.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- type: object
- path:
- description: 'Path where the AWS auth method is
- enabled in Vault, e.g: "aws"'
- type: string
- region:
- description: AWS region
- type: string
- role:
- description: This is the AWS role to be assumed
- before talking to vault
- type: string
- secretRef:
- description: Specify credentials in a Secret object
- properties:
- accessKeyIDSecretRef:
- description: The AccessKeyID is used for authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- secretAccessKeySecretRef:
- description: The SecretAccessKey is used for
- authentication
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- sessionTokenSecretRef:
- description: |-
- The SessionToken used for authentication
- This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
- see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- vaultAwsIamServerID:
- description: 'X-Vault-AWS-IAM-Server-ID is an
- additional header used by Vault IAM auth method
- to mitigate against different types of replay
- attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
- type: string
- vaultRole:
- description: Vault Role. In vault, a role describes
- an identity with a set of permissions, groups,
- or policies you want to attach a user of the
- secrets engine
- type: string
- required:
- - vaultRole
- type: object
- jwt:
- description: |-
- Jwt authenticates with Vault by passing role and JWT token using the
- JWT/OIDC authentication method
- properties:
- kubernetesServiceAccountToken:
- description: |-
- Optional ServiceAccountToken specifies the Kubernetes service account for which to request
- a token for with the `TokenRequest` API.
- properties:
- audiences:
- description: |-
- Optional audiences field that will be used to request a temporary Kubernetes service
- account token for the service account referenced by `serviceAccountRef`.
- Defaults to a single audience `vault` it not specified.
- Deprecated: use serviceAccountRef.Audiences instead
- items:
- type: string
- type: array
- expirationSeconds:
- description: |-
- Optional expiration time in seconds that will be used to request a temporary
- Kubernetes service account token for the service account referenced by
- `serviceAccountRef`.
- Deprecated: this will be removed in the future.
- Defaults to 10 minutes.
- format: int64
- type: integer
- serviceAccountRef:
- description: Service account field containing
- the name of a kubernetes ServiceAccount.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - serviceAccountRef
- type: object
- path:
- default: jwt
- description: |-
- Path where the JWT authentication backend is mounted
- in Vault, e.g: "jwt"
- type: string
- role:
- description: |-
- Role is a JWT role to authenticate using the JWT/OIDC Vault
- authentication method
- type: string
- secretRef:
- description: |-
- Optional SecretRef that refers to a key in a Secret resource containing JWT token to
- authenticate with Vault using the JWT/OIDC authentication method.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - path
- type: object
- kubernetes:
- description: |-
- Kubernetes authenticates with Vault by passing the ServiceAccount
- token stored in the named Secret resource to the Vault server.
- properties:
- mountPath:
- default: kubernetes
- description: |-
- Path where the Kubernetes authentication backend is mounted in Vault, e.g:
- "kubernetes"
- type: string
- role:
- description: |-
- A required field containing the Vault Role to assume. A Role binds a
- Kubernetes ServiceAccount with a set of Vault policies.
- type: string
- secretRef:
- description: |-
- Optional secret field containing a Kubernetes ServiceAccount JWT used
- for authenticating with Vault. If a name is specified without a key,
- `token` is the default. If one is not specified, the one bound to
- the controller will be used.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- serviceAccountRef:
- description: |-
- Optional service account field containing the name of a kubernetes ServiceAccount.
- If the service account is specified, the service account secret token JWT will be used
- for authenticating with Vault. If the service account selector is not supplied,
- the secretRef will be used instead.
- properties:
- audiences:
- description: |-
- Audience specifies the `aud` claim for the service account token
- If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
- then this audiences will be appended to the list
- items:
- type: string
- type: array
- name:
- description: The name of the ServiceAccount
- resource being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- Namespace of the resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- required:
- - name
- type: object
- required:
- - mountPath
- - role
- type: object
- ldap:
- description: |-
- Ldap authenticates with Vault by passing username/password pair using
- the LDAP authentication method
- properties:
- path:
- default: ldap
- description: |-
- Path where the LDAP authentication backend is mounted
- in Vault, e.g: "ldap"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the LDAP
- user used to authenticate with Vault using the LDAP authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is an LDAP username used to authenticate using the LDAP Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- namespace:
- description: |-
- Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
- Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- This will default to Vault.Namespace field if set, or empty otherwise
- type: string
- tokenSecretRef:
- description: TokenSecretRef authenticates with Vault
- by presenting a token.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- userPass:
- description: UserPass authenticates with Vault by
- passing username/password pair
- properties:
- path:
- default: userpass
- description: |-
- Path where the UserPassword authentication backend is mounted
- in Vault, e.g: "userpass"
- type: string
- secretRef:
- description: |-
- SecretRef to a key in a Secret resource containing password for the
- user used to authenticate with Vault using the UserPass authentication
- method
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource
- being referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- username:
- description: |-
- Username is a username used to authenticate using the UserPass Vault
- authentication method
- type: string
- required:
- - path
- - username
- type: object
- type: object
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate Vault server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to
- validate Vault server certificate.
- properties:
- key:
- description: The key where the CA certificate can
- be found in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the
- provider type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace the Provider type is in.
- Can only be defined when used in a ClusterSecretStore.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- forwardInconsistent:
- description: |-
- ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
- leader instead of simply retrying within a loop. This can increase performance if
- the option is enabled serverside.
- https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
- type: boolean
- headers:
- additionalProperties:
- type: string
- description: Headers to be added in Vault request
- type: object
- namespace:
- description: |-
- Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
- Vault environments to support Secure Multi-tenancy. e.g: "ns1".
- More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
- type: string
- path:
- description: |-
- Path is the mount path of the Vault KV backend endpoint, e.g:
- "secret". The v2 KV secret engine version specific "/data" path suffix
- for fetching secrets from Vault is optional and will be appended
- if not present in specified path.
- type: string
- readYourWrites:
- description: |-
- ReadYourWrites ensures isolated read-after-write semantics by
- providing discovered cluster replication states in each request.
- More information about eventual consistency in Vault can be found here
- https://www.vaultproject.io/docs/enterprise/consistency
- type: boolean
- server:
- description: 'Server is the connection address for the
- Vault server, e.g: "https://vault.example.com:8200".'
- type: string
- tls:
- description: |-
- The configuration used for client side related TLS communication, when the Vault server
- requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
- This parameter is ignored for plain HTTP protocol connection.
- It's worth noting this configuration is different from the "TLS certificates auth method",
- which is available under the `auth.cert` section.
- properties:
- certSecretRef:
- description: |-
- CertSecretRef is a certificate added to the transport layer
- when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.crt'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- keySecretRef:
- description: |-
- KeySecretRef to a key in a Secret resource containing client private key
- added to the transport layer when communicating with the Vault server.
- If no key for the Secret is specified, external-secret will default to 'tls.key'.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- type: object
- version:
- default: v2
- description: |-
- Version is the Vault KV secret engine version. This can be either "v1" or
- "v2". Version defaults to "v2".
- enum:
- - v1
- - v2
- type: string
- required:
- - server
- type: object
- resultType:
- default: Data
- description: |-
- Result type defines which data is returned from the generator.
- By default it is the "data" section of the Vault API response.
- When using e.g. /auth/token/create the "data" section is empty but
- the "auth" section contains the generated token.
- Please refer to the vault docs regarding the result data structure.
- Additionally, accessing the raw response is possibly by using "Raw" result type.
- enum:
- - Data
- - Auth
- - Raw
- type: string
- retrySettings:
- description: Used to configure http retries if failed
- properties:
- maxRetries:
- format: int32
- type: integer
- retryInterval:
- type: string
- type: object
- required:
- - path
- - provider
- type: object
- webhookSpec:
- description: WebhookSpec controls the behavior of the external
- generator. Any body parameters should be passed to the server
- through the parameters field.
- properties:
- auth:
- description: Auth specifies a authorization protocol. Only
- one protocol may be set.
- maxProperties: 1
- minProperties: 1
- properties:
- ntlm:
- description: NTLMProtocol configures the store to use
- NTLM for auth
- properties:
- passwordSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- usernameSecret:
- description: |-
- A reference to a specific 'key' within a Secret resource.
- In some instances, `key` is a required field.
- properties:
- key:
- description: |-
- A key in the referenced Secret.
- Some instances of this field may be defaulted, in others it may be required.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: |-
- The namespace of the Secret resource being referred to.
- Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type: object
- required:
- - passwordSecret
- - usernameSecret
- type: object
- type: object
- body:
- description: Body
- type: string
- caBundle:
- description: |-
- PEM encoded CA bundle used to validate webhook server certificate. Only used
- if the Server URL is using HTTPS protocol. This parameter is ignored for
- plain HTTP protocol connection. If not set the system root certificates
- are used to validate the TLS connection.
- format: byte
- type: string
- caProvider:
- description: The provider for the CA bundle to use to validate
- webhook server certificate.
- properties:
- key:
- description: The key where the CA certificate can be found
- in the Secret or ConfigMap.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the object located at the provider
- type.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- namespace:
- description: The namespace the Provider type is in.
- maxLength: 63
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
- type: string
- type:
- description: The type of provider to use such as "Secret",
- or "ConfigMap".
- enum:
- - Secret
- - ConfigMap
- type: string
- required:
- - name
- - type
- type: object
- headers:
- additionalProperties:
- type: string
- description: Headers
- type: object
- method:
- description: Webhook Method
- type: string
- result:
- description: Result formatting
- properties:
- jsonPath:
- description: Json path of return value
- type: string
- type: object
- secrets:
- description: |-
- Secrets to fill in templates
- These secrets will be passed to the templating function as key value pairs under the given name
- items:
- properties:
- name:
- description: Name of this secret in templates
- type: string
- secretRef:
- description: Secret ref to fill in credentials
- properties:
- key:
- description: The key where the token is found.
- maxLength: 253
- minLength: 1
- pattern: ^[-._a-zA-Z0-9]+$
- type: string
- name:
- description: The name of the Secret resource being
- referred to.
- maxLength: 253
- minLength: 1
- pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
- type: string
- type: object
- required:
- - name
- - secretRef
- type: object
- type: array
- timeout:
- description: Timeout
- type: string
- url:
- description: Webhook url to call
- type: string
- required:
- - result
- - url
- type: object
- type: object
- kind:
- description: Kind the kind of this generator.
- enum:
- - ACRAccessToken
- - ECRAuthorizationToken
- - Fake
- - GCRAccessToken
- - GithubAccessToken
- - QuayAccessToken
- - Password
- - STSSessionToken
- - UUID
- - VaultDynamicSecret
- - Webhook
- - Grafana
- type: string
- required:
- - generator
- - kind
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
|
