bundle.yaml 1.8 MB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114311531163117311831193120312131223123312431253126312731283129313031313132313331343135313631373138313931403141314231433144314531463147314831493150315131523153315431553156315731583159316031613162316331643165316631673168316931703171317231733174317531763177317831793180318131823183318431853186318731883189319031913192319331943195319631973198319932003201320232033204320532063207320832093210321132123213321432153216321732183219322032213222322332243225322632273228322932303231323232333234323532363237323832393240324132423243324432453246324732483249325032513252325332543255325632573258325932603261326232633264326532663267326832693270327132723273327432753276327732783279328032813282328332843285328632873288328932903291329232933294329532963297329832993300330133023303330433053306330733083309331033113312331333143315331633173318331933203321332233233324332533263327332833293330333133323333333433353336333733383339334033413342334333443345334633473348334933503351335233533354335533563357335833593360336133623363336433653366336733683369337033713372337333743375337633773378337933803381338233833384338533863387338833893390339133923393339433953396339733983399340034013402340334043405340634073408340934103411341234133414341534163417341834193420342134223423342434253426342734283429343034313432343334343435343634373438343934403441344234433444344534463447344834493450345134523453345434553456345734583459346034613462346334643465346634673468346934703471347234733474347534763477347834793480348134823483348434853486348734883489349034913492349334943495349634973498349935003501350235033504350535063507350835093510351135123513351435153516351735183519352035213522352335243525352635273528352935303531353235333534353535363537353835393540354135423543354435453546354735483549355035513552355335543555355635573558355935603561356235633564356535663567356835693570357135723573357435753576357735783579358035813582358335843585358635873588358935903591359235933594359535963597359835993600360136023603360436053606360736083609361036113612361336143615361636173618361936203621362236233624362536263627362836293630363136323633363436353636363736383639364036413642364336443645364636473648364936503651365236533654365536563657365836593660366136623663366436653666366736683669367036713672367336743675367636773678367936803681368236833684368536863687368836893690369136923693369436953696369736983699370037013702370337043705370637073708370937103711371237133714371537163717371837193720372137223723372437253726372737283729373037313732373337343735373637373738373937403741374237433744374537463747374837493750375137523753375437553756375737583759376037613762376337643765376637673768376937703771377237733774377537763777377837793780378137823783378437853786378737883789379037913792379337943795379637973798379938003801380238033804380538063807380838093810381138123813381438153816381738183819382038213822382338243825382638273828382938303831383238333834383538363837383838393840384138423843384438453846384738483849385038513852385338543855385638573858385938603861386238633864386538663867386838693870387138723873387438753876387738783879388038813882388338843885388638873888388938903891389238933894389538963897389838993900390139023903390439053906390739083909391039113912391339143915391639173918391939203921392239233924392539263927392839293930393139323933393439353936393739383939394039413942394339443945394639473948394939503951395239533954395539563957395839593960396139623963396439653966396739683969397039713972397339743975397639773978397939803981398239833984398539863987398839893990399139923993399439953996399739983999400040014002400340044005400640074008400940104011401240134014401540164017401840194020402140224023402440254026402740284029403040314032403340344035403640374038403940404041404240434044404540464047404840494050405140524053405440554056405740584059406040614062406340644065406640674068406940704071407240734074407540764077407840794080408140824083408440854086408740884089409040914092409340944095409640974098409941004101410241034104410541064107410841094110411141124113411441154116411741184119412041214122412341244125412641274128412941304131413241334134413541364137413841394140414141424143414441454146414741484149415041514152415341544155415641574158415941604161416241634164416541664167416841694170417141724173417441754176417741784179418041814182418341844185418641874188418941904191419241934194419541964197419841994200420142024203420442054206420742084209421042114212421342144215421642174218421942204221422242234224422542264227422842294230423142324233423442354236423742384239424042414242424342444245424642474248424942504251425242534254425542564257425842594260426142624263426442654266426742684269427042714272427342744275427642774278427942804281428242834284428542864287428842894290429142924293429442954296429742984299430043014302430343044305430643074308430943104311431243134314431543164317431843194320432143224323432443254326432743284329433043314332433343344335433643374338433943404341434243434344434543464347434843494350435143524353435443554356435743584359436043614362436343644365436643674368436943704371437243734374437543764377437843794380438143824383438443854386438743884389439043914392439343944395439643974398439944004401440244034404440544064407440844094410441144124413441444154416441744184419442044214422442344244425442644274428442944304431443244334434443544364437443844394440444144424443444444454446444744484449445044514452445344544455445644574458445944604461446244634464446544664467446844694470447144724473447444754476447744784479448044814482448344844485448644874488448944904491449244934494449544964497449844994500450145024503450445054506450745084509451045114512451345144515451645174518451945204521452245234524452545264527452845294530453145324533453445354536453745384539454045414542454345444545454645474548454945504551455245534554455545564557455845594560456145624563456445654566456745684569457045714572457345744575457645774578457945804581458245834584458545864587458845894590459145924593459445954596459745984599460046014602460346044605460646074608460946104611461246134614461546164617461846194620462146224623462446254626462746284629463046314632463346344635463646374638463946404641464246434644464546464647464846494650465146524653465446554656465746584659466046614662466346644665466646674668466946704671467246734674467546764677467846794680468146824683468446854686468746884689469046914692469346944695469646974698469947004701470247034704470547064707470847094710471147124713471447154716471747184719472047214722472347244725472647274728472947304731473247334734473547364737473847394740474147424743474447454746474747484749475047514752475347544755475647574758475947604761476247634764476547664767476847694770477147724773477447754776477747784779478047814782478347844785478647874788478947904791479247934794479547964797479847994800480148024803480448054806480748084809481048114812481348144815481648174818481948204821482248234824482548264827482848294830483148324833483448354836483748384839484048414842484348444845484648474848484948504851485248534854485548564857485848594860486148624863486448654866486748684869487048714872487348744875487648774878487948804881488248834884488548864887488848894890489148924893489448954896489748984899490049014902490349044905490649074908490949104911491249134914491549164917491849194920492149224923492449254926492749284929493049314932493349344935493649374938493949404941494249434944494549464947494849494950495149524953495449554956495749584959496049614962496349644965496649674968496949704971497249734974497549764977497849794980498149824983498449854986498749884989499049914992499349944995499649974998499950005001500250035004500550065007500850095010501150125013501450155016501750185019502050215022502350245025502650275028502950305031503250335034503550365037503850395040504150425043504450455046504750485049505050515052505350545055505650575058505950605061506250635064506550665067506850695070507150725073507450755076507750785079508050815082508350845085508650875088508950905091509250935094509550965097509850995100510151025103510451055106510751085109511051115112511351145115511651175118511951205121512251235124512551265127512851295130513151325133513451355136513751385139514051415142514351445145514651475148514951505151515251535154515551565157515851595160516151625163516451655166516751685169517051715172517351745175517651775178517951805181518251835184518551865187518851895190519151925193519451955196519751985199520052015202520352045205520652075208520952105211521252135214521552165217521852195220522152225223522452255226522752285229523052315232523352345235523652375238523952405241524252435244524552465247524852495250525152525253525452555256525752585259526052615262526352645265526652675268526952705271527252735274527552765277527852795280528152825283528452855286528752885289529052915292529352945295529652975298529953005301530253035304530553065307530853095310531153125313531453155316531753185319532053215322532353245325532653275328532953305331533253335334533553365337533853395340534153425343534453455346534753485349535053515352535353545355535653575358535953605361536253635364536553665367536853695370537153725373537453755376537753785379538053815382538353845385538653875388538953905391539253935394539553965397539853995400540154025403540454055406540754085409541054115412541354145415541654175418541954205421542254235424542554265427542854295430543154325433543454355436543754385439544054415442544354445445544654475448544954505451545254535454545554565457545854595460546154625463546454655466546754685469547054715472547354745475547654775478547954805481548254835484548554865487548854895490549154925493549454955496549754985499550055015502550355045505550655075508550955105511551255135514551555165517551855195520552155225523552455255526552755285529553055315532553355345535553655375538553955405541554255435544554555465547554855495550555155525553555455555556555755585559556055615562556355645565556655675568556955705571557255735574557555765577557855795580558155825583558455855586558755885589559055915592559355945595559655975598559956005601560256035604560556065607560856095610561156125613561456155616561756185619562056215622562356245625562656275628562956305631563256335634563556365637563856395640564156425643564456455646564756485649565056515652565356545655565656575658565956605661566256635664566556665667566856695670567156725673567456755676567756785679568056815682568356845685568656875688568956905691569256935694569556965697569856995700570157025703570457055706570757085709571057115712571357145715571657175718571957205721572257235724572557265727572857295730573157325733573457355736573757385739574057415742574357445745574657475748574957505751575257535754575557565757575857595760576157625763576457655766576757685769577057715772577357745775577657775778577957805781578257835784578557865787578857895790579157925793579457955796579757985799580058015802580358045805580658075808580958105811581258135814581558165817581858195820582158225823582458255826582758285829583058315832583358345835583658375838583958405841584258435844584558465847584858495850585158525853585458555856585758585859586058615862586358645865586658675868586958705871587258735874587558765877587858795880588158825883588458855886588758885889589058915892589358945895589658975898589959005901590259035904590559065907590859095910591159125913591459155916591759185919592059215922592359245925592659275928592959305931593259335934593559365937593859395940594159425943594459455946594759485949595059515952595359545955595659575958595959605961596259635964596559665967596859695970597159725973597459755976597759785979598059815982598359845985598659875988598959905991599259935994599559965997599859996000600160026003600460056006600760086009601060116012601360146015601660176018601960206021602260236024602560266027602860296030603160326033603460356036603760386039604060416042604360446045604660476048604960506051605260536054605560566057605860596060606160626063606460656066606760686069607060716072607360746075607660776078607960806081608260836084608560866087608860896090609160926093609460956096609760986099610061016102610361046105610661076108610961106111611261136114611561166117611861196120612161226123612461256126612761286129613061316132613361346135613661376138613961406141614261436144614561466147614861496150615161526153615461556156615761586159616061616162616361646165616661676168616961706171617261736174617561766177617861796180618161826183618461856186618761886189619061916192619361946195619661976198619962006201620262036204620562066207620862096210621162126213621462156216621762186219622062216222622362246225622662276228622962306231623262336234623562366237623862396240624162426243624462456246624762486249625062516252625362546255625662576258625962606261626262636264626562666267626862696270627162726273627462756276627762786279628062816282628362846285628662876288628962906291629262936294629562966297629862996300630163026303630463056306630763086309631063116312631363146315631663176318631963206321632263236324632563266327632863296330633163326333633463356336633763386339634063416342634363446345634663476348634963506351635263536354635563566357635863596360636163626363636463656366636763686369637063716372637363746375637663776378637963806381638263836384638563866387638863896390639163926393639463956396639763986399640064016402640364046405640664076408640964106411641264136414641564166417641864196420642164226423642464256426642764286429643064316432643364346435643664376438643964406441644264436444644564466447644864496450645164526453645464556456645764586459646064616462646364646465646664676468646964706471647264736474647564766477647864796480648164826483648464856486648764886489649064916492649364946495649664976498649965006501650265036504650565066507650865096510651165126513651465156516651765186519652065216522652365246525652665276528652965306531653265336534653565366537653865396540654165426543654465456546654765486549655065516552655365546555655665576558655965606561656265636564656565666567656865696570657165726573657465756576657765786579658065816582658365846585658665876588658965906591659265936594659565966597659865996600660166026603660466056606660766086609661066116612661366146615661666176618661966206621662266236624662566266627662866296630663166326633663466356636663766386639664066416642664366446645664666476648664966506651665266536654665566566657665866596660666166626663666466656666666766686669667066716672667366746675667666776678667966806681668266836684668566866687668866896690669166926693669466956696669766986699670067016702670367046705670667076708670967106711671267136714671567166717671867196720672167226723672467256726672767286729673067316732673367346735673667376738673967406741674267436744674567466747674867496750675167526753675467556756675767586759676067616762676367646765676667676768676967706771677267736774677567766777677867796780678167826783678467856786678767886789679067916792679367946795679667976798679968006801680268036804680568066807680868096810681168126813681468156816681768186819682068216822682368246825682668276828682968306831683268336834683568366837683868396840684168426843684468456846684768486849685068516852685368546855685668576858685968606861686268636864686568666867686868696870687168726873687468756876687768786879688068816882688368846885688668876888688968906891689268936894689568966897689868996900690169026903690469056906690769086909691069116912691369146915691669176918691969206921692269236924692569266927692869296930693169326933693469356936693769386939694069416942694369446945694669476948694969506951695269536954695569566957695869596960696169626963696469656966696769686969697069716972697369746975697669776978697969806981698269836984698569866987698869896990699169926993699469956996699769986999700070017002700370047005700670077008700970107011701270137014701570167017701870197020702170227023702470257026702770287029703070317032703370347035703670377038703970407041704270437044704570467047704870497050705170527053705470557056705770587059706070617062706370647065706670677068706970707071707270737074707570767077707870797080708170827083708470857086708770887089709070917092709370947095709670977098709971007101710271037104710571067107710871097110711171127113711471157116711771187119712071217122712371247125712671277128712971307131713271337134713571367137713871397140714171427143714471457146714771487149715071517152715371547155715671577158715971607161716271637164716571667167716871697170717171727173717471757176717771787179718071817182718371847185718671877188718971907191719271937194719571967197719871997200720172027203720472057206720772087209721072117212721372147215721672177218721972207221722272237224722572267227722872297230723172327233723472357236723772387239724072417242724372447245724672477248724972507251725272537254725572567257725872597260726172627263726472657266726772687269727072717272727372747275727672777278727972807281728272837284728572867287728872897290729172927293729472957296729772987299730073017302730373047305730673077308730973107311731273137314731573167317731873197320732173227323732473257326732773287329733073317332733373347335733673377338733973407341734273437344734573467347734873497350735173527353735473557356735773587359736073617362736373647365736673677368736973707371737273737374737573767377737873797380738173827383738473857386738773887389739073917392739373947395739673977398739974007401740274037404740574067407740874097410741174127413741474157416741774187419742074217422742374247425742674277428742974307431743274337434743574367437743874397440744174427443744474457446744774487449745074517452745374547455745674577458745974607461746274637464746574667467746874697470747174727473747474757476747774787479748074817482748374847485748674877488748974907491749274937494749574967497749874997500750175027503750475057506750775087509751075117512751375147515751675177518751975207521752275237524752575267527752875297530753175327533753475357536753775387539754075417542754375447545754675477548754975507551755275537554755575567557755875597560756175627563756475657566756775687569757075717572757375747575757675777578757975807581758275837584758575867587758875897590759175927593759475957596759775987599760076017602760376047605760676077608760976107611761276137614761576167617761876197620762176227623762476257626762776287629763076317632763376347635763676377638763976407641764276437644764576467647764876497650765176527653765476557656765776587659766076617662766376647665766676677668766976707671767276737674767576767677767876797680768176827683768476857686768776887689769076917692769376947695769676977698769977007701770277037704770577067707770877097710771177127713771477157716771777187719772077217722772377247725772677277728772977307731773277337734773577367737773877397740774177427743774477457746774777487749775077517752775377547755775677577758775977607761776277637764776577667767776877697770777177727773777477757776777777787779778077817782778377847785778677877788778977907791779277937794779577967797779877997800780178027803780478057806780778087809781078117812781378147815781678177818781978207821782278237824782578267827782878297830783178327833783478357836783778387839784078417842784378447845784678477848784978507851785278537854785578567857785878597860786178627863786478657866786778687869787078717872787378747875787678777878787978807881788278837884788578867887788878897890789178927893789478957896789778987899790079017902790379047905790679077908790979107911791279137914791579167917791879197920792179227923792479257926792779287929793079317932793379347935793679377938793979407941794279437944794579467947794879497950795179527953795479557956795779587959796079617962796379647965796679677968796979707971797279737974797579767977797879797980798179827983798479857986798779887989799079917992799379947995799679977998799980008001800280038004800580068007800880098010801180128013801480158016801780188019802080218022802380248025802680278028802980308031803280338034803580368037803880398040804180428043804480458046804780488049805080518052805380548055805680578058805980608061806280638064806580668067806880698070807180728073807480758076807780788079808080818082808380848085808680878088808980908091809280938094809580968097809880998100810181028103810481058106810781088109811081118112811381148115811681178118811981208121812281238124812581268127812881298130813181328133813481358136813781388139814081418142814381448145814681478148814981508151815281538154815581568157815881598160816181628163816481658166816781688169817081718172817381748175817681778178817981808181818281838184818581868187818881898190819181928193819481958196819781988199820082018202820382048205820682078208820982108211821282138214821582168217821882198220822182228223822482258226822782288229823082318232823382348235823682378238823982408241824282438244824582468247824882498250825182528253825482558256825782588259826082618262826382648265826682678268826982708271827282738274827582768277827882798280828182828283828482858286828782888289829082918292829382948295829682978298829983008301830283038304830583068307830883098310831183128313831483158316831783188319832083218322832383248325832683278328832983308331833283338334833583368337833883398340834183428343834483458346834783488349835083518352835383548355835683578358835983608361836283638364836583668367836883698370837183728373837483758376837783788379838083818382838383848385838683878388838983908391839283938394839583968397839883998400840184028403840484058406840784088409841084118412841384148415841684178418841984208421842284238424842584268427842884298430843184328433843484358436843784388439844084418442844384448445844684478448844984508451845284538454845584568457845884598460846184628463846484658466846784688469847084718472847384748475847684778478847984808481848284838484848584868487848884898490849184928493849484958496849784988499850085018502850385048505850685078508850985108511851285138514851585168517851885198520852185228523852485258526852785288529853085318532853385348535853685378538853985408541854285438544854585468547854885498550855185528553855485558556855785588559856085618562856385648565856685678568856985708571857285738574857585768577857885798580858185828583858485858586858785888589859085918592859385948595859685978598859986008601860286038604860586068607860886098610861186128613861486158616861786188619862086218622862386248625862686278628862986308631863286338634863586368637863886398640864186428643864486458646864786488649865086518652865386548655865686578658865986608661866286638664866586668667866886698670867186728673867486758676867786788679868086818682868386848685868686878688868986908691869286938694869586968697869886998700870187028703870487058706870787088709871087118712871387148715871687178718871987208721872287238724872587268727872887298730873187328733873487358736873787388739874087418742874387448745874687478748874987508751875287538754875587568757875887598760876187628763876487658766876787688769877087718772877387748775877687778778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927792789279928092819282928392849285928692879288928992909291929292939294929592969297929892999300930193029303930493059306930793089309931093119312931393149315931693179318931993209321932293239324932593269327932893299330933193329333933493359336933793389339934093419342934393449345934693479348934993509351935293539354935593569357935893599360936193629363936493659366936793689369937093719372937393749375937693779378937993809381938293839384938593869387938893899390939193929393939493959396939793989399940094019402940394049405940694079408940994109411941294139414941594169417941894199420942194229423942494259426942794289429943094319432943394349435943694379438943994409441944294439444944594469447944894499450945194529453945494559456945794589459946094619462946394649465946694679468946994709471947294739474947594769477947894799480948194829483948494859486948794889489949094919492949394949495949694979498949995009501950295039504950595069507950895099510951195129513951495159516951795189519952095219522952395249525952695279528952995309531953295339534953595369537953895399540954195429543954495459546954795489549955095519552955395549555955695579558955995609561956295639564956595669567956895699570957195729573957495759576957795789579958095819582958395849585958695879588958995909591959295939594959595969597959895999600960196029603960496059606960796089609961096119612961396149615961696179618961996209621962296239624962596269627962896299630963196329633963496359636963796389639964096419642964396449645964696479648964996509651965296539654965596569657965896599660966196629663966496659666966796689669967096719672967396749675967696779678967996809681968296839684968596869687968896899690969196929693969496959696969796989699970097019702970397049705970697079708970997109711971297139714971597169717971897199720972197229723972497259726972797289729973097319732973397349735973697379738973997409741974297439744974597469747974897499750975197529753975497559756975797589759976097619762976397649765976697679768976997709771977297739774977597769777977897799780978197829783978497859786978797889789979097919792979397949795979697979798979998009801980298039804980598069807980898099810981198129813981498159816981798189819982098219822982398249825982698279828982998309831983298339834983598369837983898399840984198429843984498459846984798489849985098519852985398549855985698579858985998609861986298639864986598669867986898699870987198729873987498759876987798789879988098819882988398849885988698879888988998909891989298939894989598969897989898999900990199029903990499059906990799089909991099119912991399149915991699179918991999209921992299239924992599269927992899299930993199329933993499359936993799389939994099419942994399449945994699479948994999509951995299539954995599569957995899599960996199629963996499659966996799689969997099719972997399749975997699779978997999809981998299839984998599869987998899899990999199929993999499959996999799989999100001000110002100031000410005100061000710008100091001010011100121001310014100151001610017100181001910020100211002210023100241002510026100271002810029100301003110032100331003410035100361003710038100391004010041100421004310044100451004610047100481004910050100511005210053100541005510056100571005810059100601006110062100631006410065100661006710068100691007010071100721007310074100751007610077100781007910080100811008210083100841008510086100871008810089100901009110092100931009410095100961009710098100991010010101101021010310104101051010610107101081010910110101111011210113101141011510116101171011810119101201012110122101231012410125101261012710128101291013010131101321013310134101351013610137101381013910140101411014210143101441014510146101471014810149101501015110152101531015410155101561015710158101591016010161101621016310164101651016610167101681016910170101711017210173101741017510176101771017810179101801018110182101831018410185101861018710188101891019010191101921019310194101951019610197101981019910200102011020210203102041020510206102071020810209102101021110212102131021410215102161021710218102191022010221102221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211062210623106241062510626106271062810629106301063110632106331063410635106361063710638106391064010641106421064310644106451064610647106481064910650106511065210653106541065510656106571065810659106601066110662106631066410665106661066710668106691067010671106721067310674106751067610677106781067910680106811068210683106841068510686106871068810689106901069110692106931069410695106961069710698106991070010701107021070310704107051070610707107081070910710107111071210713107141071510716107171071810719107201072110722107231072410725107261072710728107291073010731107321073310734107351073610737107381073910740107411074210743107441074510746107471074810749107501075110752107531075410755107561075710758107591076010761107621076310764107651076610767107681076910770107711077210773107741077510776107771077810779107801078110782107831078410785107861078710788107891079010791107921079310794107951079610797107981079910800108011080210803108041080510806108071080810809108101081110812108131081410815108161081710818108191082010821108221082310824108251082610827108281082910830108311083210833108341083510836108371083810839108401084110842108431084410845108461084710848108491085010851108521085310854108551085610857108581085910860108611086210863108641086510866108671086810869108701087110872108731087410875108761087710878108791088010881108821088310884108851088610887108881088910890108911089210893108941089510896108971089810899109001090110902109031090410905109061090710908109091091010911109121091310914109151091610917109181091910920109211092210923109241092510926109271092810929109301093110932109331093410935109361093710938109391094010941109421094310944109451094610947109481094910950109511095210953109541095510956109571095810959109601096110962109631096410965109661096710968109691097010971109721097310974109751097610977109781097910980109811098210983109841098510986109871098810989109901099110992109931099410995109961099710998109991100011001110021100311004110051100611007110081100911010110111101211013110141101511016110171101811019110201102111022110231102411025110261102711028110291103011031110321103311034110351103611037110381103911040110411104211043110441104511046110471104811049110501105111052110531105411055110561105711058110591106011061110621106311064110651106611067110681106911070110711107211073110741107511076110771107811079110801108111082110831108411085110861108711088110891109011091110921109311094110951109611097110981109911100111011110211103111041110511106111071110811109111101111111112111131111411115111161111711118111191112011121111221112311124111251112611127111281112911130111311113211133111341113511136111371113811139111401114111142111431114411145111461114711148111491115011151111521115311154111551115611157111581115911160111611116211163111641116511166111671116811169111701117111172111731117411175111761117711178111791118011181111821118311184111851118611187111881118911190111911119211193111941119511196111971119811199112001120111202112031120411205112061120711208112091121011211112121121311214112151121611217112181121911220112211122211223112241122511226112271122811229112301123111232112331123411235112361123711238112391124011241112421124311244112451124611247112481124911250112511125211253112541125511256112571125811259112601126111262112631126411265112661126711268112691127011271112721127311274112751127611277112781127911280112811128211283112841128511286112871128811289112901129111292112931129411295112961129711298112991130011301113021130311304113051130611307113081130911310113111131211313113141131511316113171131811319113201132111322113231132411325113261132711328113291133011331113321133311334113351133611337113381133911340113411134211343113441134511346113471134811349113501135111352113531135411355113561135711358113591136011361113621136311364113651136611367113681136911370113711137211373113741137511376113771137811379113801138111382113831138411385113861138711388113891139011391113921139311394113951139611397113981139911400114011140211403114041140511406114071140811409114101141111412114131141411415114161141711418114191142011421114221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211182211823118241182511826118271182811829118301183111832118331183411835118361183711838118391184011841118421184311844118451184611847118481184911850118511185211853118541185511856118571185811859118601186111862118631186411865118661186711868118691187011871118721187311874118751187611877118781187911880118811188211883118841188511886118871188811889118901189111892118931189411895118961189711898118991190011901119021190311904119051190611907119081190911910119111191211913119141191511916119171191811919119201192111922119231192411925119261192711928119291193011931119321193311934119351193611937119381193911940119411194211943119441194511946119471194811949119501195111952119531195411955119561195711958119591196011961119621196311964119651196611967119681196911970119711197211973119741197511976119771197811979119801198111982119831198411985119861198711988119891199011991119921199311994119951199611997119981199912000120011200212003120041200512006120071200812009120101201112012120131201412015120161201712018120191202012021120221202312024120251202612027120281202912030120311203212033120341203512036120371203812039120401204112042120431204412045120461204712048120491205012051120521205312054120551205612057120581205912060120611206212063120641206512066120671206812069120701207112072120731207412075120761207712078120791208012081120821208312084120851208612087120881208912090120911209212093120941209512096120971209812099121001210112102121031210412105121061210712108121091211012111121121211312114121151211612117121181211912120121211212212123121241212512126121271212812129121301213112132121331213412135121361213712138121391214012141121421214312144121451214612147121481214912150121511215212153121541215512156121571215812159121601216112162121631216412165121661216712168121691217012171121721217312174121751217612177121781217912180121811218212183121841218512186121871218812189121901219112192121931219412195121961219712198121991220012201122021220312204122051220612207122081220912210122111221212213122141221512216122171221812219122201222112222122231222412225122261222712228122291223012231122321223312234122351223612237122381223912240122411224212243122441224512246122471224812249122501225112252122531225412255122561225712258122591226012261122621226312264122651226612267122681226912270122711227212273122741227512276122771227812279122801228112282122831228412285122861228712288122891229012291122921229312294122951229612297122981229912300123011230212303123041230512306123071230812309123101231112312123131231412315123161231712318123191232012321123221232312324123251232612327123281232912330123311233212333123341233512336123371233812339123401234112342123431234412345123461234712348123491235012351123521235312354123551235612357123581235912360123611236212363123641236512366123671236812369123701237112372123731237412375123761237712378123791238012381123821238312384123851238612387123881238912390123911239212393123941239512396123971239812399124001240112402124031240412405124061240712408124091241012411124121241312414124151241612417124181241912420124211242212423124241242512426124271242812429124301243112432124331243412435124361243712438124391244012441124421244312444124451244612447124481244912450124511245212453124541245512456124571245812459124601246112462124631246412465124661246712468124691247012471124721247312474124751247612477124781247912480124811248212483124841248512486124871248812489124901249112492124931249412495124961249712498124991250012501125021250312504125051250612507125081250912510125111251212513125141251512516125171251812519125201252112522125231252412525125261252712528125291253012531125321253312534125351253612537125381253912540125411254212543125441254512546125471254812549125501255112552125531255412555125561255712558125591256012561125621256312564125651256612567125681256912570125711257212573125741257512576125771257812579125801258112582125831258412585125861258712588125891259012591125921259312594125951259612597125981259912600126011260212603126041260512606126071260812609126101261112612126131261412615126161261712618126191262012621126221262312624126251262612627126281262912630126311263212633126341263512636126371263812639126401264112642126431264412645126461264712648126491265012651126521265312654126551265612657126581265912660126611266212663126641266512666126671266812669126701267112672126731267412675126761267712678126791268012681126821268312684126851268612687126881268912690126911269212693126941269512696126971269812699127001270112702127031270412705127061270712708127091271012711127121271312714127151271612717127181271912720127211272212723127241272512726127271272812729127301273112732127331273412735127361273712738127391274012741127421274312744127451274612747127481274912750127511275212753127541275512756127571275812759127601276112762127631276412765127661276712768127691277012771127721277312774127751277612777127781277912780127811278212783127841278512786127871278812789127901279112792127931279412795127961279712798127991280012801128021280312804128051280612807128081280912810128111281212813128141281512816128171281812819128201282112822128231282412825128261282712828128291283012831128321283312834128351283612837128381283912840128411284212843128441284512846128471284812849128501285112852128531285412855128561285712858128591286012861128621286312864128651286612867128681286912870128711287212873128741287512876128771287812879128801288112882128831288412885128861288712888128891289012891128921289312894128951289612897128981289912900129011290212903129041290512906129071290812909129101291112912129131291412915129161291712918129191292012921129221292312924129251292612927129281292912930129311293212933129341293512936129371293812939129401294112942129431294412945129461294712948129491295012951129521295312954129551295612957129581295912960129611296212963129641296512966129671296812969129701297112972129731297412975129761297712978129791298012981129821298312984129851298612987129881298912990129911299212993129941299512996129971299812999130001300113002130031300413005130061300713008130091301013011130121301313014130151301613017130181301913020130211302213023130241302513026130271302813029130301303113032130331303413035130361303713038130391304013041130421304313044130451304613047130481304913050130511305213053130541305513056130571305813059130601306113062130631306413065130661306713068130691307013071130721307313074130751307613077130781307913080130811308213083130841308513086130871308813089130901309113092130931309413095130961309713098130991310013101131021310313104131051310613107131081310913110131111311213113131141311513116131171311813119131201312113122131231312413125131261312713128131291313013131131321313313134131351313613137131381313913140131411314213143131441314513146131471314813149131501315113152131531315413155131561315713158131591316013161131621316313164131651316613167131681316913170131711317213173131741317513176131771317813179131801318113182131831318413185131861318713188131891319013191131921319313194131951319613197131981319913200132011320213203132041320513206132071320813209132101321113212132131321413215132161321713218132191322013221132221322313224132251322613227132281322913230132311323213233132341323513236132371323813239132401324113242132431324413245132461324713248132491325013251132521325313254132551325613257132581325913260132611326213263132641326513266132671326813269132701327113272132731327413275132761327713278132791328013281132821328313284132851328613287132881328913290132911329213293132941329513296132971329813299133001330113302133031330413305133061330713308133091331013311133121331313314133151331613317133181331913320133211332213323133241332513326133271332813329133301333113332133331333413335133361333713338133391334013341133421334313344133451334613347133481334913350133511335213353133541335513356133571335813359133601336113362133631336413365133661336713368133691337013371133721337313374133751337613377133781337913380133811338213383133841338513386133871338813389133901339113392133931339413395133961339713398133991340013401134021340313404134051340613407134081340913410134111341213413134141341513416134171341813419134201342113422134231342413425134261342713428134291343013431134321343313434134351343613437134381343913440134411344213443134441344513446134471344813449134501345113452134531345413455134561345713458134591346013461134621346313464134651346613467134681346913470134711347213473134741347513476134771347813479134801348113482134831348413485134861348713488134891349013491134921349313494134951349613497134981349913500135011350213503135041350513506135071350813509135101351113512135131351413515135161351713518135191352013521135221352313524135251352613527135281352913530135311353213533135341353513536135371353813539135401354113542135431354413545135461354713548135491355013551135521355313554135551355613557135581355913560135611356213563135641356513566135671356813569135701357113572135731357413575135761357713578135791358013581135821358313584135851358613587135881358913590135911359213593135941359513596135971359813599136001360113602136031360413605136061360713608136091361013611136121361313614136151361613617136181361913620136211362213623136241362513626136271362813629136301363113632136331363413635136361363713638136391364013641136421364313644136451364613647136481364913650136511365213653136541365513656136571365813659136601366113662136631366413665136661366713668136691367013671136721367313674136751367613677136781367913680136811368213683136841368513686136871368813689136901369113692136931369413695136961369713698136991370013701137021370313704137051370613707137081370913710137111371213713137141371513716137171371813719137201372113722137231372413725137261372713728137291373013731137321373313734137351373613737137381373913740137411374213743137441374513746137471374813749137501375113752137531375413755137561375713758137591376013761137621376313764137651376613767137681376913770137711377213773137741377513776137771377813779137801378113782137831378413785137861378713788137891379013791137921379313794137951379613797137981379913800138011380213803138041380513806138071380813809138101381113812138131381413815138161381713818138191382013821138221382313824138251382613827138281382913830138311383213833138341383513836138371383813839138401384113842138431384413845138461384713848138491385013851138521385313854138551385613857138581385913860138611386213863138641386513866138671386813869138701387113872138731387413875138761387713878138791388013881138821388313884138851388613887138881388913890138911389213893138941389513896138971389813899139001390113902139031390413905139061390713908139091391013911139121391313914139151391613917139181391913920139211392213923139241392513926139271392813929139301393113932139331393413935139361393713938139391394013941139421394313944139451394613947139481394913950139511395213953139541395513956139571395813959139601396113962139631396413965139661396713968139691397013971139721397313974139751397613977139781397913980139811398213983139841398513986139871398813989139901399113992139931399413995139961399713998139991400014001140021400314004140051400614007140081400914010140111401214013140141401514016140171401814019140201402114022140231402414025140261402714028140291403014031140321403314034140351403614037140381403914040140411404214043140441404514046140471404814049140501405114052140531405414055140561405714058140591406014061140621406314064140651406614067140681406914070140711407214073140741407514076140771407814079140801408114082140831408414085140861408714088140891409014091140921409314094140951409614097140981409914100141011410214103141041410514106141071410814109141101411114112141131411414115141161411714118141191412014121141221412314124141251412614127141281412914130141311413214133141341413514136141371413814139141401414114142141431414414145141461414714148141491415014151141521415314154141551415614157141581415914160141611416214163141641416514166141671416814169141701417114172141731417414175141761417714178141791418014181141821418314184141851418614187141881418914190141911419214193141941419514196141971419814199142001420114202142031420414205142061420714208142091421014211142121421314214142151421614217142181421914220142211422214223142241422514226142271422814229142301423114232142331423414235142361423714238142391424014241142421424314244142451424614247142481424914250142511425214253142541425514256142571425814259142601426114262142631426414265142661426714268142691427014271142721427314274142751427614277142781427914280142811428214283142841428514286142871428814289142901429114292142931429414295142961429714298142991430014301143021430314304143051430614307143081430914310143111431214313143141431514316143171431814319143201432114322143231432414325143261432714328143291433014331143321433314334143351433614337143381433914340143411434214343143441434514346143471434814349143501435114352143531435414355143561435714358143591436014361143621436314364143651436614367143681436914370143711437214373143741437514376143771437814379143801438114382143831438414385143861438714388143891439014391143921439314394143951439614397143981439914400144011440214403144041440514406144071440814409144101441114412144131441414415144161441714418144191442014421144221442314424144251442614427144281442914430144311443214433144341443514436144371443814439144401444114442144431444414445144461444714448144491445014451144521445314454144551445614457144581445914460144611446214463144641446514466144671446814469144701447114472144731447414475144761447714478144791448014481144821448314484144851448614487144881448914490144911449214493144941449514496144971449814499145001450114502145031450414505145061450714508145091451014511145121451314514145151451614517145181451914520145211452214523145241452514526145271452814529145301453114532145331453414535145361453714538145391454014541145421454314544145451454614547145481454914550145511455214553145541455514556145571455814559145601456114562145631456414565145661456714568145691457014571145721457314574145751457614577145781457914580145811458214583145841458514586145871458814589145901459114592145931459414595145961459714598145991460014601146021460314604146051460614607146081460914610146111461214613146141461514616146171461814619146201462114622146231462414625146261462714628146291463014631146321463314634146351463614637146381463914640146411464214643146441464514646146471464814649146501465114652146531465414655146561465714658146591466014661146621466314664146651466614667146681466914670146711467214673146741467514676146771467814679146801468114682146831468414685146861468714688146891469014691146921469314694146951469614697146981469914700147011470214703147041470514706147071470814709147101471114712147131471414715147161471714718147191472014721147221472314724147251472614727147281472914730147311473214733147341473514736147371473814739147401474114742147431474414745147461474714748147491475014751147521475314754147551475614757147581475914760147611476214763147641476514766147671476814769147701477114772147731477414775147761477714778147791478014781147821478314784147851478614787147881478914790147911479214793147941479514796147971479814799148001480114802148031480414805148061480714808148091481014811148121481314814148151481614817148181481914820148211482214823148241482514826148271482814829148301483114832148331483414835148361483714838148391484014841148421484314844148451484614847148481484914850148511485214853148541485514856148571485814859148601486114862148631486414865148661486714868148691487014871148721487314874148751487614877148781487914880148811488214883148841488514886148871488814889148901489114892148931489414895148961489714898148991490014901149021490314904149051490614907149081490914910149111491214913149141491514916149171491814919149201492114922149231492414925149261492714928149291493014931149321493314934149351493614937149381493914940149411494214943149441494514946149471494814949149501495114952149531495414955149561495714958149591496014961149621496314964149651496614967149681496914970149711497214973149741497514976149771497814979149801498114982149831498414985149861498714988149891499014991149921499314994149951499614997149981499915000150011500215003150041500515006150071500815009150101501115012150131501415015150161501715018150191502015021150221502315024150251502615027150281502915030150311503215033150341503515036150371503815039150401504115042150431504415045150461504715048150491505015051150521505315054150551505615057150581505915060150611506215063150641506515066150671506815069150701507115072150731507415075150761507715078150791508015081150821508315084150851508615087150881508915090150911509215093150941509515096150971509815099151001510115102151031510415105151061510715108151091511015111151121511315114151151511615117151181511915120151211512215123151241512515126151271512815129151301513115132151331513415135151361513715138151391514015141151421514315144151451514615147151481514915150151511515215153151541515515156151571515815159151601516115162151631516415165151661516715168151691517015171151721517315174151751517615177151781517915180151811518215183151841518515186151871518815189151901519115192151931519415195151961519715198151991520015201152021520315204152051520615207152081520915210152111521215213152141521515216152171521815219152201522115222152231522415225152261522715228152291523015231152321523315234152351523615237152381523915240152411524215243152441524515246152471524815249152501525115252152531525415255152561525715258152591526015261152621526315264152651526615267152681526915270152711527215273152741527515276152771527815279152801528115282152831528415285152861528715288152891529015291152921529315294152951529615297152981529915300153011530215303153041530515306153071530815309153101531115312153131531415315153161531715318153191532015321153221532315324153251532615327153281532915330153311533215333153341533515336153371533815339153401534115342153431534415345153461534715348153491535015351153521535315354153551535615357153581535915360153611536215363153641536515366153671536815369153701537115372153731537415375153761537715378153791538015381153821538315384153851538615387153881538915390153911539215393153941539515396153971539815399154001540115402154031540415405154061540715408154091541015411154121541315414154151541615417154181541915420154211542215423154241542515426154271542815429154301543115432154331543415435154361543715438154391544015441154421544315444154451544615447154481544915450154511545215453154541545515456154571545815459154601546115462154631546415465154661546715468154691547015471154721547315474154751547615477154781547915480154811548215483154841548515486154871548815489154901549115492154931549415495154961549715498154991550015501155021550315504155051550615507155081550915510155111551215513155141551515516155171551815519155201552115522155231552415525155261552715528155291553015531155321553315534155351553615537155381553915540155411554215543155441554515546155471554815549155501555115552155531555415555155561555715558155591556015561155621556315564155651556615567155681556915570155711557215573155741557515576155771557815579155801558115582155831558415585155861558715588155891559015591155921559315594155951559615597155981559915600156011560215603156041560515606156071560815609156101561115612156131561415615156161561715618156191562015621156221562315624156251562615627156281562915630156311563215633156341563515636156371563815639156401564115642156431564415645156461564715648156491565015651156521565315654156551565615657156581565915660156611566215663156641566515666156671566815669156701567115672156731567415675156761567715678156791568015681156821568315684156851568615687156881568915690156911569215693156941569515696156971569815699157001570115702157031570415705157061570715708157091571015711157121571315714157151571615717157181571915720157211572215723157241572515726157271572815729157301573115732157331573415735157361573715738157391574015741157421574315744157451574615747157481574915750157511575215753157541575515756157571575815759157601576115762157631576415765157661576715768157691577015771157721577315774157751577615777157781577915780157811578215783157841578515786157871578815789157901579115792157931579415795157961579715798157991580015801158021580315804158051580615807158081580915810158111581215813158141581515816158171581815819158201582115822158231582415825158261582715828158291583015831158321583315834158351583615837158381583915840158411584215843158441584515846158471584815849158501585115852158531585415855158561585715858158591586015861158621586315864158651586615867158681586915870158711587215873158741587515876158771587815879158801588115882158831588415885158861588715888158891589015891158921589315894158951589615897158981589915900159011590215903159041590515906159071590815909159101591115912159131591415915159161591715918159191592015921159221592315924159251592615927159281592915930159311593215933159341593515936159371593815939159401594115942159431594415945159461594715948159491595015951159521595315954159551595615957159581595915960159611596215963159641596515966159671596815969159701597115972159731597415975159761597715978159791598015981159821598315984159851598615987159881598915990159911599215993159941599515996159971599815999160001600116002160031600416005160061600716008160091601016011160121601316014160151601616017160181601916020160211602216023160241602516026160271602816029160301603116032160331603416035160361603716038160391604016041160421604316044160451604616047160481604916050160511605216053160541605516056160571605816059160601606116062160631606416065160661606716068160691607016071160721607316074160751607616077160781607916080160811608216083160841608516086160871608816089160901609116092160931609416095160961609716098160991610016101161021610316104161051610616107161081610916110161111611216113161141611516116161171611816119161201612116122161231612416125161261612716128161291613016131161321613316134161351613616137161381613916140161411614216143161441614516146161471614816149161501615116152161531615416155161561615716158161591616016161161621616316164161651616616167161681616916170161711617216173161741617516176161771617816179161801618116182161831618416185161861618716188161891619016191161921619316194161951619616197161981619916200162011620216203162041620516206162071620816209162101621116212162131621416215162161621716218162191622016221162221622316224162251622616227162281622916230162311623216233162341623516236162371623816239162401624116242162431624416245162461624716248162491625016251162521625316254162551625616257162581625916260162611626216263162641626516266162671626816269162701627116272162731627416275162761627716278162791628016281162821628316284162851628616287162881628916290162911629216293162941629516296162971629816299163001630116302163031630416305163061630716308163091631016311163121631316314163151631616317163181631916320163211632216323163241632516326163271632816329163301633116332163331633416335163361633716338163391634016341163421634316344163451634616347163481634916350163511635216353163541635516356163571635816359163601636116362163631636416365163661636716368163691637016371163721637316374163751637616377163781637916380163811638216383163841638516386163871638816389163901639116392163931639416395163961639716398163991640016401164021640316404164051640616407164081640916410164111641216413164141641516416164171641816419164201642116422164231642416425164261642716428164291643016431164321643316434164351643616437164381643916440164411644216443164441644516446164471644816449164501645116452164531645416455164561645716458164591646016461164621646316464164651646616467164681646916470164711647216473164741647516476164771647816479164801648116482164831648416485164861648716488164891649016491164921649316494164951649616497164981649916500165011650216503165041650516506165071650816509165101651116512165131651416515165161651716518165191652016521165221652316524165251652616527165281652916530165311653216533165341653516536165371653816539165401654116542165431654416545165461654716548165491655016551165521655316554165551655616557165581655916560165611656216563165641656516566165671656816569165701657116572165731657416575165761657716578165791658016581165821658316584165851658616587165881658916590165911659216593165941659516596165971659816599166001660116602166031660416605166061660716608166091661016611166121661316614166151661616617166181661916620166211662216623166241662516626166271662816629166301663116632166331663416635166361663716638166391664016641166421664316644166451664616647166481664916650166511665216653166541665516656166571665816659166601666116662166631666416665166661666716668166691667016671166721667316674166751667616677166781667916680166811668216683166841668516686166871668816689166901669116692166931669416695166961669716698166991670016701167021670316704167051670616707167081670916710167111671216713167141671516716167171671816719167201672116722167231672416725167261672716728167291673016731167321673316734167351673616737167381673916740167411674216743167441674516746167471674816749167501675116752167531675416755167561675716758167591676016761167621676316764167651676616767167681676916770167711677216773167741677516776167771677816779167801678116782167831678416785167861678716788167891679016791167921679316794167951679616797167981679916800168011680216803168041680516806168071680816809168101681116812168131681416815168161681716818168191682016821168221682316824168251682616827168281682916830168311683216833168341683516836168371683816839168401684116842168431684416845168461684716848168491685016851168521685316854168551685616857168581685916860168611686216863168641686516866168671686816869168701687116872168731687416875168761687716878168791688016881168821688316884168851688616887168881688916890168911689216893168941689516896168971689816899169001690116902169031690416905169061690716908169091691016911169121691316914169151691616917169181691916920169211692216923169241692516926169271692816929169301693116932169331693416935169361693716938169391694016941169421694316944169451694616947169481694916950169511695216953169541695516956169571695816959169601696116962169631696416965169661696716968169691697016971169721697316974169751697616977169781697916980169811698216983169841698516986169871698816989169901699116992169931699416995169961699716998169991700017001170021700317004170051700617007170081700917010170111701217013170141701517016170171701817019170201702117022170231702417025170261702717028170291703017031170321703317034170351703617037170381703917040170411704217043170441704517046170471704817049170501705117052170531705417055170561705717058170591706017061170621706317064170651706617067170681706917070170711707217073170741707517076170771707817079170801708117082170831708417085170861708717088170891709017091170921709317094170951709617097170981709917100171011710217103171041710517106171071710817109171101711117112171131711417115171161711717118171191712017121171221712317124171251712617127171281712917130171311713217133171341713517136171371713817139171401714117142171431714417145171461714717148171491715017151171521715317154171551715617157171581715917160171611716217163171641716517166171671716817169171701717117172171731717417175171761717717178171791718017181171821718317184171851718617187171881718917190171911719217193171941719517196171971719817199172001720117202172031720417205172061720717208172091721017211172121721317214172151721617217172181721917220172211722217223172241722517226172271722817229172301723117232172331723417235172361723717238172391724017241172421724317244172451724617247172481724917250172511725217253172541725517256172571725817259172601726117262172631726417265172661726717268172691727017271172721727317274172751727617277172781727917280172811728217283172841728517286172871728817289172901729117292172931729417295172961729717298172991730017301173021730317304173051730617307173081730917310173111731217313173141731517316173171731817319173201732117322173231732417325173261732717328173291733017331173321733317334173351733617337173381733917340173411734217343173441734517346173471734817349173501735117352173531735417355173561735717358173591736017361173621736317364173651736617367173681736917370173711737217373173741737517376173771737817379173801738117382173831738417385173861738717388173891739017391173921739317394173951739617397173981739917400174011740217403174041740517406174071740817409174101741117412174131741417415174161741717418174191742017421174221742317424174251742617427174281742917430174311743217433174341743517436174371743817439174401744117442174431744417445174461744717448174491745017451174521745317454174551745617457174581745917460174611746217463174641746517466174671746817469174701747117472174731747417475174761747717478174791748017481174821748317484174851748617487174881748917490174911749217493174941749517496174971749817499175001750117502175031750417505175061750717508175091751017511175121751317514175151751617517175181751917520175211752217523175241752517526175271752817529175301753117532175331753417535175361753717538175391754017541175421754317544175451754617547175481754917550175511755217553175541755517556175571755817559175601756117562175631756417565175661756717568175691757017571175721757317574175751757617577175781757917580175811758217583175841758517586175871758817589175901759117592175931759417595175961759717598175991760017601176021760317604176051760617607176081760917610176111761217613176141761517616176171761817619176201762117622176231762417625176261762717628176291763017631176321763317634176351763617637176381763917640176411764217643176441764517646176471764817649176501765117652176531765417655176561765717658176591766017661176621766317664176651766617667176681766917670176711767217673176741767517676176771767817679176801768117682176831768417685176861768717688176891769017691176921769317694176951769617697176981769917700177011770217703177041770517706177071770817709177101771117712177131771417715177161771717718177191772017721177221772317724177251772617727177281772917730177311773217733177341773517736177371773817739177401774117742177431774417745177461774717748177491775017751177521775317754177551775617757177581775917760177611776217763177641776517766177671776817769177701777117772177731777417775177761777717778177791778017781177821778317784177851778617787177881778917790177911779217793177941779517796177971779817799178001780117802178031780417805178061780717808178091781017811178121781317814178151781617817178181781917820178211782217823178241782517826178271782817829178301783117832178331783417835178361783717838178391784017841178421784317844178451784617847178481784917850178511785217853178541785517856178571785817859178601786117862178631786417865178661786717868178691787017871178721787317874178751787617877178781787917880178811788217883178841788517886178871788817889178901789117892178931789417895178961789717898178991790017901179021790317904179051790617907179081790917910179111791217913179141791517916179171791817919179201792117922179231792417925179261792717928179291793017931179321793317934179351793617937179381793917940179411794217943179441794517946179471794817949179501795117952179531795417955179561795717958179591796017961179621796317964179651796617967179681796917970179711797217973179741797517976179771797817979179801798117982179831798417985179861798717988179891799017991179921799317994179951799617997179981799918000180011800218003180041800518006180071800818009180101801118012180131801418015180161801718018180191802018021180221802318024180251802618027180281802918030180311803218033180341803518036180371803818039180401804118042180431804418045180461804718048180491805018051180521805318054180551805618057180581805918060180611806218063180641806518066180671806818069180701807118072180731807418075180761807718078180791808018081180821808318084180851808618087180881808918090180911809218093180941809518096180971809818099181001810118102181031810418105181061810718108181091811018111181121811318114181151811618117181181811918120181211812218123181241812518126181271812818129181301813118132181331813418135181361813718138181391814018141181421814318144181451814618147181481814918150181511815218153181541815518156181571815818159181601816118162181631816418165181661816718168181691817018171181721817318174181751817618177181781817918180181811818218183181841818518186181871818818189181901819118192181931819418195181961819718198181991820018201182021820318204182051820618207182081820918210182111821218213182141821518216182171821818219182201822118222182231822418225182261822718228182291823018231182321823318234182351823618237182381823918240182411824218243182441824518246182471824818249182501825118252182531825418255182561825718258182591826018261182621826318264182651826618267182681826918270182711827218273182741827518276182771827818279182801828118282182831828418285182861828718288182891829018291182921829318294182951829618297182981829918300183011830218303183041830518306183071830818309183101831118312183131831418315183161831718318183191832018321183221832318324183251832618327183281832918330183311833218333183341833518336183371833818339183401834118342183431834418345183461834718348183491835018351183521835318354183551835618357183581835918360183611836218363183641836518366183671836818369183701837118372183731837418375183761837718378183791838018381183821838318384183851838618387183881838918390183911839218393183941839518396183971839818399184001840118402184031840418405184061840718408184091841018411184121841318414184151841618417184181841918420184211842218423184241842518426184271842818429184301843118432184331843418435184361843718438184391844018441184421844318444184451844618447184481844918450184511845218453184541845518456184571845818459184601846118462184631846418465184661846718468184691847018471184721847318474184751847618477184781847918480184811848218483184841848518486184871848818489184901849118492184931849418495184961849718498184991850018501185021850318504185051850618507185081850918510185111851218513185141851518516185171851818519185201852118522185231852418525185261852718528185291853018531185321853318534185351853618537185381853918540185411854218543185441854518546185471854818549185501855118552185531855418555185561855718558185591856018561185621856318564185651856618567185681856918570185711857218573185741857518576185771857818579185801858118582185831858418585185861858718588185891859018591185921859318594185951859618597185981859918600186011860218603186041860518606186071860818609186101861118612186131861418615186161861718618186191862018621186221862318624186251862618627186281862918630186311863218633186341863518636186371863818639186401864118642186431864418645186461864718648186491865018651186521865318654186551865618657186581865918660186611866218663186641866518666186671866818669186701867118672186731867418675186761867718678186791868018681186821868318684186851868618687186881868918690186911869218693186941869518696186971869818699187001870118702187031870418705187061870718708187091871018711187121871318714187151871618717187181871918720187211872218723187241872518726187271872818729187301873118732187331873418735187361873718738187391874018741187421874318744187451874618747187481874918750187511875218753187541875518756187571875818759187601876118762187631876418765187661876718768187691877018771187721877318774187751877618777187781877918780187811878218783187841878518786187871878818789187901879118792187931879418795187961879718798187991880018801188021880318804188051880618807188081880918810188111881218813188141881518816188171881818819188201882118822188231882418825188261882718828188291883018831188321883318834188351883618837188381883918840188411884218843188441884518846188471884818849188501885118852188531885418855188561885718858188591886018861188621886318864188651886618867188681886918870188711887218873188741887518876188771887818879188801888118882188831888418885188861888718888188891889018891188921889318894188951889618897188981889918900189011890218903189041890518906189071890818909189101891118912189131891418915189161891718918189191892018921189221892318924189251892618927189281892918930189311893218933189341893518936189371893818939189401894118942189431894418945189461894718948189491895018951189521895318954189551895618957189581895918960189611896218963189641896518966189671896818969189701897118972189731897418975189761897718978189791898018981189821898318984189851898618987189881898918990189911899218993189941899518996189971899818999190001900119002190031900419005190061900719008190091901019011190121901319014190151901619017190181901919020190211902219023190241902519026190271902819029190301903119032190331903419035190361903719038190391904019041190421904319044190451904619047190481904919050190511905219053190541905519056190571905819059190601906119062190631906419065190661906719068190691907019071190721907319074190751907619077190781907919080190811908219083190841908519086190871908819089190901909119092190931909419095190961909719098190991910019101191021910319104191051910619107191081910919110191111911219113191141911519116191171911819119191201912119122191231912419125191261912719128191291913019131191321913319134191351913619137191381913919140191411914219143191441914519146191471914819149191501915119152191531915419155191561915719158191591916019161191621916319164191651916619167191681916919170191711917219173191741917519176191771917819179191801918119182191831918419185191861918719188191891919019191191921919319194191951919619197191981919919200192011920219203192041920519206192071920819209192101921119212192131921419215192161921719218192191922019221192221922319224192251922619227192281922919230192311923219233192341923519236192371923819239192401924119242192431924419245192461924719248192491925019251192521925319254192551925619257192581925919260192611926219263192641926519266192671926819269192701927119272192731927419275192761927719278192791928019281192821928319284192851928619287192881928919290192911929219293192941929519296192971929819299193001930119302193031930419305193061930719308193091931019311193121931319314193151931619317193181931919320193211932219323193241932519326193271932819329193301933119332193331933419335193361933719338193391934019341193421934319344193451934619347193481934919350193511935219353193541935519356193571935819359193601936119362193631936419365193661936719368193691937019371193721937319374193751937619377193781937919380193811938219383193841938519386193871938819389193901939119392193931939419395193961939719398193991940019401194021940319404194051940619407194081940919410194111941219413194141941519416194171941819419194201942119422194231942419425194261942719428194291943019431194321943319434194351943619437194381943919440194411944219443194441944519446194471944819449194501945119452194531945419455194561945719458194591946019461194621946319464194651946619467194681946919470194711947219473194741947519476194771947819479194801948119482194831948419485194861948719488194891949019491194921949319494194951949619497194981949919500195011950219503195041950519506195071950819509195101951119512195131951419515195161951719518195191952019521195221952319524195251952619527195281952919530195311953219533195341953519536195371953819539195401954119542195431954419545195461954719548195491955019551195521955319554195551955619557195581955919560195611956219563195641956519566195671956819569195701957119572195731957419575195761957719578195791958019581195821958319584195851958619587195881958919590195911959219593195941959519596195971959819599196001960119602196031960419605196061960719608196091961019611196121961319614196151961619617196181961919620196211962219623196241962519626196271962819629196301963119632196331963419635196361963719638196391964019641196421964319644196451964619647196481964919650196511965219653196541965519656196571965819659196601966119662196631966419665196661966719668196691967019671196721967319674196751967619677196781967919680196811968219683196841968519686196871968819689196901969119692196931969419695196961969719698196991970019701197021970319704197051970619707197081970919710197111971219713197141971519716197171971819719197201972119722197231972419725197261972719728197291973019731197321973319734197351973619737197381973919740197411974219743197441974519746197471974819749197501975119752197531975419755197561975719758197591976019761197621976319764197651976619767197681976919770197711977219773197741977519776197771977819779197801978119782197831978419785197861978719788197891979019791197921979319794197951979619797197981979919800198011980219803198041980519806198071980819809198101981119812198131981419815198161981719818198191982019821198221982319824198251982619827198281982919830198311983219833198341983519836198371983819839198401984119842198431984419845198461984719848198491985019851198521985319854198551985619857198581985919860198611986219863198641986519866198671986819869198701987119872198731987419875198761987719878198791988019881198821988319884198851988619887198881988919890198911989219893198941989519896198971989819899199001990119902199031990419905199061990719908199091991019911199121991319914199151991619917199181991919920199211992219923199241992519926199271992819929199301993119932199331993419935199361993719938199391994019941199421994319944199451994619947199481994919950199511995219953199541995519956199571995819959199601996119962199631996419965199661996719968199691997019971199721997319974199751997619977199781997919980199811998219983199841998519986199871998819989199901999119992199931999419995199961999719998199992000020001200022000320004200052000620007200082000920010200112001220013200142001520016200172001820019200202002120022200232002420025200262002720028200292003020031200322003320034200352003620037200382003920040200412004220043200442004520046200472004820049200502005120052200532005420055200562005720058200592006020061200622006320064200652006620067200682006920070200712007220073200742007520076200772007820079200802008120082200832008420085200862008720088200892009020091200922009320094200952009620097200982009920100201012010220103201042010520106201072010820109201102011120112201132011420115201162011720118201192012020121201222012320124201252012620127201282012920130201312013220133201342013520136201372013820139201402014120142201432014420145201462014720148201492015020151201522015320154201552015620157201582015920160201612016220163201642016520166201672016820169201702017120172201732017420175201762017720178201792018020181201822018320184201852018620187201882018920190201912019220193201942019520196201972019820199202002020120202202032020420205202062020720208202092021020211202122021320214202152021620217202182021920220202212022220223202242022520226202272022820229202302023120232202332023420235202362023720238202392024020241202422024320244202452024620247202482024920250202512025220253202542025520256202572025820259202602026120262202632026420265202662026720268202692027020271202722027320274202752027620277202782027920280202812028220283202842028520286202872028820289202902029120292202932029420295202962029720298202992030020301203022030320304203052030620307203082030920310203112031220313203142031520316203172031820319203202032120322203232032420325203262032720328203292033020331203322033320334203352033620337203382033920340203412034220343203442034520346203472034820349203502035120352203532035420355203562035720358203592036020361203622036320364203652036620367203682036920370203712037220373203742037520376203772037820379203802038120382203832038420385203862038720388203892039020391203922039320394203952039620397203982039920400204012040220403204042040520406204072040820409204102041120412204132041420415204162041720418204192042020421204222042320424204252042620427204282042920430204312043220433204342043520436204372043820439204402044120442204432044420445204462044720448204492045020451204522045320454204552045620457204582045920460204612046220463204642046520466204672046820469204702047120472204732047420475204762047720478204792048020481204822048320484204852048620487204882048920490204912049220493204942049520496204972049820499205002050120502205032050420505205062050720508205092051020511205122051320514205152051620517205182051920520205212052220523205242052520526205272052820529205302053120532205332053420535205362053720538205392054020541205422054320544205452054620547205482054920550205512055220553205542055520556205572055820559205602056120562205632056420565205662056720568205692057020571205722057320574205752057620577205782057920580205812058220583205842058520586205872058820589205902059120592205932059420595205962059720598205992060020601206022060320604206052060620607206082060920610206112061220613206142061520616206172061820619206202062120622206232062420625206262062720628206292063020631206322063320634206352063620637206382063920640206412064220643206442064520646206472064820649206502065120652206532065420655206562065720658206592066020661206622066320664206652066620667206682066920670206712067220673206742067520676206772067820679206802068120682206832068420685206862068720688206892069020691206922069320694206952069620697206982069920700207012070220703207042070520706207072070820709207102071120712207132071420715207162071720718207192072020721207222072320724207252072620727207282072920730207312073220733207342073520736207372073820739207402074120742207432074420745207462074720748207492075020751207522075320754207552075620757207582075920760207612076220763207642076520766207672076820769207702077120772207732077420775207762077720778207792078020781207822078320784207852078620787207882078920790207912079220793207942079520796207972079820799208002080120802208032080420805208062080720808208092081020811208122081320814208152081620817208182081920820208212082220823208242082520826208272082820829208302083120832208332083420835208362083720838208392084020841208422084320844208452084620847208482084920850208512085220853208542085520856208572085820859208602086120862208632086420865208662086720868208692087020871208722087320874208752087620877208782087920880208812088220883208842088520886208872088820889208902089120892208932089420895208962089720898208992090020901209022090320904209052090620907209082090920910209112091220913209142091520916209172091820919209202092120922209232092420925209262092720928209292093020931209322093320934209352093620937209382093920940209412094220943209442094520946209472094820949209502095120952209532095420955209562095720958209592096020961209622096320964209652096620967209682096920970209712097220973209742097520976209772097820979209802098120982209832098420985209862098720988209892099020991209922099320994209952099620997209982099921000210012100221003210042100521006210072100821009210102101121012210132101421015210162101721018210192102021021210222102321024210252102621027210282102921030210312103221033210342103521036210372103821039210402104121042210432104421045210462104721048210492105021051210522105321054210552105621057210582105921060210612106221063210642106521066210672106821069210702107121072210732107421075210762107721078210792108021081210822108321084210852108621087210882108921090210912109221093210942109521096210972109821099211002110121102211032110421105211062110721108211092111021111211122111321114211152111621117211182111921120211212112221123211242112521126211272112821129211302113121132211332113421135211362113721138211392114021141211422114321144211452114621147211482114921150211512115221153211542115521156211572115821159211602116121162211632116421165211662116721168211692117021171211722117321174211752117621177211782117921180211812118221183211842118521186211872118821189211902119121192211932119421195211962119721198211992120021201212022120321204212052120621207212082120921210212112121221213212142121521216212172121821219212202122121222212232122421225212262122721228212292123021231212322123321234212352123621237212382123921240212412124221243212442124521246212472124821249212502125121252212532125421255212562125721258212592126021261212622126321264212652126621267212682126921270212712127221273212742127521276212772127821279212802128121282212832128421285212862128721288212892129021291212922129321294212952129621297212982129921300213012130221303213042130521306213072130821309213102131121312213132131421315213162131721318213192132021321213222132321324213252132621327213282132921330213312133221333213342133521336213372133821339213402134121342213432134421345213462134721348213492135021351213522135321354213552135621357213582135921360213612136221363213642136521366213672136821369213702137121372213732137421375213762137721378213792138021381213822138321384213852138621387213882138921390213912139221393213942139521396213972139821399214002140121402214032140421405214062140721408214092141021411214122141321414214152141621417214182141921420214212142221423214242142521426214272142821429214302143121432214332143421435214362143721438214392144021441214422144321444214452144621447214482144921450214512145221453214542145521456214572145821459214602146121462214632146421465214662146721468214692147021471214722147321474214752147621477214782147921480214812148221483214842148521486214872148821489214902149121492214932149421495214962149721498214992150021501215022150321504215052150621507215082150921510215112151221513215142151521516215172151821519215202152121522215232152421525215262152721528215292153021531215322153321534215352153621537215382153921540215412154221543215442154521546215472154821549215502155121552215532155421555215562155721558215592156021561215622156321564215652156621567215682156921570215712157221573215742157521576215772157821579215802158121582215832158421585215862158721588215892159021591215922159321594215952159621597215982159921600216012160221603216042160521606216072160821609216102161121612216132161421615216162161721618216192162021621216222162321624216252162621627216282162921630216312163221633216342163521636216372163821639216402164121642216432164421645216462164721648216492165021651216522165321654216552165621657216582165921660216612166221663216642166521666216672166821669216702167121672216732167421675216762167721678216792168021681216822168321684216852168621687216882168921690216912169221693216942169521696216972169821699217002170121702217032170421705217062170721708217092171021711217122171321714217152171621717217182171921720217212172221723217242172521726217272172821729217302173121732217332173421735217362173721738217392174021741217422174321744217452174621747217482174921750217512175221753217542175521756217572175821759217602176121762217632176421765217662176721768217692177021771217722177321774217752177621777217782177921780217812178221783217842178521786217872178821789217902179121792217932179421795217962179721798217992180021801218022180321804218052180621807218082180921810218112181221813218142181521816218172181821819218202182121822218232182421825218262182721828218292183021831218322183321834218352183621837218382183921840218412184221843218442184521846218472184821849218502185121852218532185421855218562185721858218592186021861218622186321864218652186621867218682186921870218712187221873218742187521876218772187821879218802188121882218832188421885218862188721888218892189021891218922189321894218952189621897218982189921900219012190221903219042190521906219072190821909219102191121912219132191421915219162191721918219192192021921219222192321924219252192621927219282192921930219312193221933219342193521936219372193821939219402194121942219432194421945219462194721948219492195021951219522195321954219552195621957219582195921960219612196221963219642196521966219672196821969219702197121972219732197421975219762197721978219792198021981219822198321984219852198621987219882198921990219912199221993219942199521996219972199821999220002200122002220032200422005220062200722008220092201022011220122201322014220152201622017220182201922020220212202222023220242202522026220272202822029220302203122032220332203422035220362203722038220392204022041220422204322044220452204622047220482204922050220512205222053220542205522056220572205822059220602206122062220632206422065220662206722068220692207022071220722207322074220752207622077220782207922080220812208222083220842208522086220872208822089220902209122092220932209422095220962209722098220992210022101221022210322104221052210622107221082210922110221112211222113221142211522116221172211822119221202212122122221232212422125221262212722128221292213022131221322213322134221352213622137221382213922140221412214222143221442214522146221472214822149221502215122152221532215422155221562215722158221592216022161221622216322164221652216622167221682216922170221712217222173221742217522176221772217822179221802218122182221832218422185221862218722188221892219022191221922219322194221952219622197221982219922200222012220222203222042220522206222072220822209222102221122212222132221422215222162221722218222192222022221222222222322224222252222622227222282222922230222312223222233222342223522236222372223822239222402224122242222432224422245222462224722248222492225022251222522225322254222552225622257222582225922260222612226222263222642226522266222672226822269222702227122272222732227422275222762227722278222792228022281222822228322284222852228622287222882228922290222912229222293222942229522296222972229822299223002230122302223032230422305223062230722308223092231022311223122231322314223152231622317223182231922320223212232222323223242232522326223272232822329223302233122332223332233422335223362233722338223392234022341223422234322344223452234622347223482234922350223512235222353223542235522356223572235822359223602236122362223632236422365223662236722368223692237022371223722237322374223752237622377223782237922380223812238222383223842238522386223872238822389223902239122392223932239422395223962239722398223992240022401224022240322404224052240622407224082240922410224112241222413224142241522416224172241822419224202242122422224232242422425224262242722428224292243022431224322243322434224352243622437224382243922440224412244222443224442244522446224472244822449224502245122452224532245422455224562245722458224592246022461224622246322464224652246622467224682246922470224712247222473224742247522476224772247822479224802248122482224832248422485224862248722488224892249022491224922249322494224952249622497224982249922500225012250222503225042250522506225072250822509225102251122512225132251422515225162251722518225192252022521225222252322524225252252622527225282252922530225312253222533225342253522536225372253822539225402254122542225432254422545225462254722548225492255022551225522255322554225552255622557225582255922560225612256222563225642256522566225672256822569225702257122572225732257422575225762257722578225792258022581225822258322584225852258622587225882258922590225912259222593225942259522596225972259822599226002260122602226032260422605226062260722608226092261022611226122261322614226152261622617226182261922620226212262222623226242262522626226272262822629226302263122632226332263422635226362263722638226392264022641226422264322644226452264622647226482264922650226512265222653226542265522656226572265822659226602266122662226632266422665226662266722668226692267022671226722267322674226752267622677226782267922680226812268222683226842268522686226872268822689226902269122692226932269422695226962269722698226992270022701227022270322704227052270622707227082270922710227112271222713227142271522716227172271822719227202272122722227232272422725227262272722728227292273022731227322273322734227352273622737227382273922740227412274222743227442274522746227472274822749227502275122752227532275422755227562275722758227592276022761227622276322764227652276622767227682276922770227712277222773227742277522776227772277822779227802278122782227832278422785227862278722788227892279022791227922279322794227952279622797227982279922800228012280222803228042280522806228072280822809228102281122812228132281422815228162281722818228192282022821228222282322824228252282622827228282282922830228312283222833228342283522836228372283822839228402284122842228432284422845228462284722848228492285022851228522285322854228552285622857228582285922860228612286222863228642286522866228672286822869228702287122872228732287422875228762287722878228792288022881228822288322884228852288622887228882288922890228912289222893228942289522896228972289822899229002290122902229032290422905229062290722908229092291022911229122291322914229152291622917229182291922920229212292222923229242292522926229272292822929229302293122932229332293422935229362293722938229392294022941229422294322944229452294622947229482294922950229512295222953229542295522956229572295822959229602296122962229632296422965229662296722968229692297022971229722297322974229752297622977229782297922980229812298222983229842298522986229872298822989229902299122992229932299422995229962299722998229992300023001230022300323004230052300623007230082300923010230112301223013230142301523016230172301823019230202302123022230232302423025230262302723028230292303023031230322303323034230352303623037230382303923040230412304223043230442304523046230472304823049230502305123052230532305423055230562305723058230592306023061230622306323064230652306623067230682306923070230712307223073230742307523076230772307823079230802308123082230832308423085230862308723088230892309023091230922309323094230952309623097230982309923100231012310223103231042310523106231072310823109231102311123112231132311423115231162311723118231192312023121231222312323124231252312623127231282312923130231312313223133231342313523136231372313823139231402314123142231432314423145231462314723148231492315023151231522315323154231552315623157231582315923160231612316223163231642316523166231672316823169231702317123172231732317423175231762317723178231792318023181231822318323184231852318623187231882318923190231912319223193231942319523196231972319823199232002320123202232032320423205232062320723208232092321023211232122321323214232152321623217232182321923220232212322223223232242322523226232272322823229232302323123232232332323423235232362323723238232392324023241232422324323244232452324623247232482324923250232512325223253232542325523256232572325823259232602326123262232632326423265232662326723268232692327023271232722327323274232752327623277232782327923280232812328223283232842328523286232872328823289232902329123292232932329423295232962329723298232992330023301233022330323304233052330623307233082330923310233112331223313233142331523316233172331823319233202332123322233232332423325233262332723328233292333023331233322333323334233352333623337233382333923340233412334223343233442334523346233472334823349233502335123352233532335423355233562335723358233592336023361233622336323364233652336623367233682336923370233712337223373233742337523376233772337823379233802338123382233832338423385233862338723388233892339023391233922339323394233952339623397233982339923400234012340223403234042340523406234072340823409234102341123412234132341423415234162341723418234192342023421234222342323424234252342623427234282342923430234312343223433234342343523436234372343823439234402344123442234432344423445234462344723448234492345023451234522345323454234552345623457234582345923460234612346223463234642346523466234672346823469234702347123472234732347423475234762347723478234792348023481234822348323484234852348623487234882348923490234912349223493234942349523496234972349823499235002350123502235032350423505235062350723508235092351023511235122351323514235152351623517235182351923520235212352223523235242352523526235272352823529235302353123532235332353423535235362353723538235392354023541235422354323544235452354623547235482354923550235512355223553235542355523556235572355823559235602356123562235632356423565235662356723568235692357023571235722357323574235752357623577235782357923580235812358223583235842358523586235872358823589235902359123592235932359423595235962359723598235992360023601236022360323604236052360623607236082360923610236112361223613236142361523616236172361823619236202362123622236232362423625236262362723628236292363023631236322363323634236352363623637236382363923640236412364223643236442364523646236472364823649236502365123652236532365423655236562365723658236592366023661236622366323664236652366623667236682366923670236712367223673236742367523676236772367823679236802368123682236832368423685236862368723688236892369023691236922369323694236952369623697236982369923700237012370223703237042370523706237072370823709237102371123712237132371423715237162371723718237192372023721237222372323724237252372623727237282372923730237312373223733237342373523736237372373823739237402374123742237432374423745237462374723748237492375023751237522375323754237552375623757237582375923760237612376223763237642376523766237672376823769237702377123772237732377423775237762377723778237792378023781237822378323784237852378623787237882378923790237912379223793237942379523796237972379823799238002380123802238032380423805238062380723808238092381023811238122381323814238152381623817238182381923820238212382223823238242382523826238272382823829238302383123832238332383423835238362383723838238392384023841238422384323844238452384623847238482384923850238512385223853238542385523856238572385823859238602386123862238632386423865238662386723868238692387023871238722387323874238752387623877238782387923880238812388223883238842388523886238872388823889238902389123892238932389423895238962389723898238992390023901239022390323904239052390623907239082390923910239112391223913239142391523916239172391823919239202392123922239232392423925239262392723928239292393023931239322393323934239352393623937239382393923940239412394223943239442394523946239472394823949239502395123952239532395423955239562395723958239592396023961239622396323964239652396623967239682396923970239712397223973239742397523976239772397823979239802398123982239832398423985239862398723988239892399023991239922399323994239952399623997239982399924000240012400224003240042400524006240072400824009240102401124012240132401424015240162401724018240192402024021240222402324024240252402624027240282402924030240312403224033240342403524036240372403824039240402404124042240432404424045240462404724048240492405024051240522405324054240552405624057240582405924060240612406224063240642406524066240672406824069240702407124072240732407424075240762407724078240792408024081240822408324084240852408624087240882408924090240912409224093240942409524096240972409824099241002410124102241032410424105241062410724108241092411024111241122411324114241152411624117241182411924120241212412224123241242412524126241272412824129241302413124132241332413424135241362413724138241392414024141241422414324144241452414624147241482414924150241512415224153241542415524156241572415824159241602416124162241632416424165241662416724168241692417024171241722417324174241752417624177241782417924180241812418224183241842418524186241872418824189241902419124192241932419424195241962419724198241992420024201242022420324204242052420624207242082420924210242112421224213242142421524216242172421824219242202422124222242232422424225242262422724228242292423024231242322423324234242352423624237242382423924240242412424224243242442424524246242472424824249242502425124252242532425424255242562425724258242592426024261242622426324264242652426624267242682426924270242712427224273242742427524276242772427824279242802428124282242832428424285242862428724288242892429024291242922429324294242952429624297242982429924300243012430224303243042430524306243072430824309243102431124312243132431424315243162431724318243192432024321243222432324324243252432624327243282432924330243312433224333243342433524336243372433824339243402434124342243432434424345243462434724348243492435024351243522435324354243552435624357243582435924360243612436224363243642436524366243672436824369243702437124372243732437424375243762437724378243792438024381243822438324384243852438624387243882438924390243912439224393243942439524396243972439824399244002440124402244032440424405244062440724408244092441024411244122441324414244152441624417244182441924420244212442224423244242442524426244272442824429244302443124432244332443424435244362443724438244392444024441244422444324444244452444624447244482444924450244512445224453244542445524456244572445824459244602446124462244632446424465244662446724468244692447024471244722447324474244752447624477244782447924480244812448224483244842448524486244872448824489244902449124492244932449424495244962449724498244992450024501245022450324504245052450624507245082450924510245112451224513245142451524516245172451824519245202452124522245232452424525245262452724528245292453024531245322453324534245352453624537245382453924540245412454224543245442454524546245472454824549245502455124552245532455424555245562455724558245592456024561245622456324564245652456624567245682456924570245712457224573245742457524576245772457824579245802458124582245832458424585245862458724588245892459024591245922459324594245952459624597245982459924600246012460224603246042460524606246072460824609246102461124612246132461424615246162461724618246192462024621246222462324624246252462624627246282462924630246312463224633246342463524636246372463824639246402464124642246432464424645246462464724648246492465024651246522465324654246552465624657246582465924660246612466224663246642466524666246672466824669246702467124672246732467424675246762467724678246792468024681246822468324684246852468624687246882468924690246912469224693246942469524696246972469824699247002470124702247032470424705247062470724708247092471024711247122471324714247152471624717247182471924720247212472224723247242472524726247272472824729247302473124732247332473424735247362473724738247392474024741247422474324744247452474624747247482474924750247512475224753247542475524756247572475824759247602476124762247632476424765247662476724768247692477024771247722477324774247752477624777247782477924780247812478224783247842478524786247872478824789247902479124792247932479424795247962479724798247992480024801248022480324804248052480624807248082480924810248112481224813248142481524816248172481824819248202482124822248232482424825248262482724828248292483024831248322483324834248352483624837248382483924840248412484224843248442484524846248472484824849248502485124852248532485424855248562485724858248592486024861248622486324864248652486624867248682486924870248712487224873248742487524876248772487824879248802488124882248832488424885248862488724888248892489024891248922489324894248952489624897248982489924900249012490224903249042490524906249072490824909249102491124912249132491424915249162491724918249192492024921249222492324924249252492624927249282492924930249312493224933249342493524936249372493824939249402494124942249432494424945249462494724948249492495024951249522495324954249552495624957249582495924960249612496224963249642496524966249672496824969249702497124972249732497424975249762497724978249792498024981249822498324984249852498624987249882498924990249912499224993249942499524996249972499824999250002500125002250032500425005250062500725008250092501025011250122501325014250152501625017250182501925020250212502225023250242502525026250272502825029250302503125032250332503425035250362503725038250392504025041250422504325044250452504625047250482504925050250512505225053250542505525056250572505825059250602506125062250632506425065250662506725068250692507025071250722507325074250752507625077250782507925080250812508225083250842508525086250872508825089250902509125092250932509425095250962509725098250992510025101251022510325104251052510625107251082510925110251112511225113251142511525116251172511825119251202512125122251232512425125251262512725128251292513025131251322513325134251352513625137251382513925140251412514225143251442514525146251472514825149251502515125152251532515425155251562515725158251592516025161251622516325164251652516625167251682516925170251712517225173251742517525176251772517825179251802518125182251832518425185251862518725188251892519025191251922519325194251952519625197251982519925200252012520225203252042520525206252072520825209252102521125212252132521425215252162521725218252192522025221252222522325224252252522625227252282522925230252312523225233252342523525236252372523825239252402524125242252432524425245252462524725248252492525025251252522525325254252552525625257252582525925260252612526225263252642526525266252672526825269252702527125272252732527425275252762527725278252792528025281252822528325284252852528625287252882528925290252912529225293252942529525296252972529825299253002530125302253032530425305253062530725308253092531025311253122531325314253152531625317253182531925320253212532225323253242532525326253272532825329253302533125332253332533425335253362533725338253392534025341253422534325344253452534625347253482534925350253512535225353253542535525356253572535825359253602536125362253632536425365253662536725368253692537025371253722537325374253752537625377253782537925380253812538225383253842538525386253872538825389253902539125392253932539425395253962539725398253992540025401254022540325404254052540625407254082540925410254112541225413254142541525416254172541825419254202542125422254232542425425254262542725428254292543025431254322543325434254352543625437254382543925440254412544225443254442544525446254472544825449254502545125452254532545425455254562545725458254592546025461254622546325464254652546625467254682546925470254712547225473254742547525476254772547825479254802548125482254832548425485254862548725488254892549025491254922549325494254952549625497254982549925500255012550225503255042550525506255072550825509255102551125512255132551425515255162551725518255192552025521255222552325524255252552625527255282552925530255312553225533255342553525536255372553825539255402554125542255432554425545255462554725548255492555025551255522555325554255552555625557255582555925560255612556225563255642556525566255672556825569255702557125572255732557425575255762557725578255792558025581255822558325584255852558625587255882558925590255912559225593255942559525596255972559825599256002560125602256032560425605256062560725608256092561025611256122561325614256152561625617256182561925620256212562225623256242562525626256272562825629256302563125632256332563425635256362563725638256392564025641256422564325644256452564625647256482564925650256512565225653256542565525656256572565825659256602566125662256632566425665256662566725668256692567025671256722567325674256752567625677256782567925680256812568225683256842568525686256872568825689256902569125692256932569425695256962569725698256992570025701257022570325704257052570625707257082570925710257112571225713257142571525716257172571825719257202572125722257232572425725257262572725728257292573025731257322573325734257352573625737257382573925740257412574225743257442574525746257472574825749257502575125752257532575425755257562575725758257592576025761257622576325764257652576625767257682576925770257712577225773257742577525776257772577825779257802578125782257832578425785257862578725788257892579025791257922579325794257952579625797257982579925800258012580225803258042580525806258072580825809258102581125812258132581425815258162581725818258192582025821258222582325824258252582625827258282582925830258312583225833258342583525836258372583825839258402584125842258432584425845258462584725848258492585025851258522585325854258552585625857258582585925860258612586225863258642586525866258672586825869258702587125872258732587425875258762587725878258792588025881258822588325884258852588625887258882588925890258912589225893258942589525896258972589825899259002590125902259032590425905259062590725908259092591025911259122591325914259152591625917259182591925920259212592225923259242592525926259272592825929259302593125932259332593425935259362593725938259392594025941259422594325944259452594625947259482594925950259512595225953259542595525956259572595825959259602596125962259632596425965259662596725968259692597025971259722597325974259752597625977259782597925980259812598225983259842598525986259872598825989259902599125992259932599425995259962599725998259992600026001260022600326004260052600626007260082600926010260112601226013260142601526016260172601826019260202602126022260232602426025260262602726028260292603026031260322603326034260352603626037260382603926040260412604226043260442604526046260472604826049260502605126052260532605426055260562605726058260592606026061260622606326064260652606626067260682606926070260712607226073260742607526076260772607826079260802608126082260832608426085260862608726088260892609026091260922609326094260952609626097260982609926100261012610226103261042610526106261072610826109261102611126112261132611426115261162611726118261192612026121261222612326124261252612626127261282612926130261312613226133261342613526136261372613826139261402614126142261432614426145261462614726148261492615026151261522615326154261552615626157261582615926160261612616226163261642616526166261672616826169261702617126172261732617426175261762617726178261792618026181261822618326184261852618626187261882618926190261912619226193261942619526196261972619826199262002620126202262032620426205262062620726208262092621026211262122621326214262152621626217262182621926220262212622226223262242622526226262272622826229262302623126232262332623426235262362623726238262392624026241262422624326244262452624626247262482624926250262512625226253262542625526256262572625826259262602626126262262632626426265262662626726268262692627026271262722627326274262752627626277262782627926280262812628226283262842628526286262872628826289262902629126292262932629426295262962629726298262992630026301263022630326304263052630626307263082630926310263112631226313263142631526316263172631826319263202632126322263232632426325263262632726328263292633026331263322633326334263352633626337263382633926340263412634226343263442634526346263472634826349263502635126352263532635426355263562635726358263592636026361263622636326364263652636626367263682636926370263712637226373263742637526376263772637826379263802638126382263832638426385263862638726388263892639026391263922639326394263952639626397263982639926400264012640226403264042640526406264072640826409264102641126412264132641426415264162641726418264192642026421264222642326424264252642626427264282642926430264312643226433264342643526436264372643826439264402644126442264432644426445264462644726448264492645026451264522645326454264552645626457264582645926460264612646226463264642646526466264672646826469264702647126472264732647426475264762647726478264792648026481264822648326484264852648626487264882648926490264912649226493264942649526496264972649826499265002650126502265032650426505265062650726508265092651026511265122651326514265152651626517265182651926520265212652226523265242652526526265272652826529265302653126532265332653426535265362653726538265392654026541265422654326544265452654626547265482654926550265512655226553265542655526556265572655826559265602656126562265632656426565265662656726568265692657026571265722657326574265752657626577265782657926580265812658226583265842658526586265872658826589265902659126592265932659426595265962659726598265992660026601266022660326604266052660626607266082660926610266112661226613266142661526616266172661826619266202662126622266232662426625266262662726628266292663026631266322663326634266352663626637266382663926640266412664226643266442664526646266472664826649266502665126652266532665426655266562665726658266592666026661266622666326664266652666626667266682666926670266712667226673266742667526676266772667826679266802668126682266832668426685266862668726688266892669026691266922669326694266952669626697266982669926700267012670226703267042670526706267072670826709267102671126712267132671426715267162671726718267192672026721267222672326724267252672626727267282672926730267312673226733267342673526736267372673826739267402674126742267432674426745267462674726748267492675026751267522675326754267552675626757267582675926760267612676226763267642676526766267672676826769267702677126772267732677426775267762677726778267792678026781267822678326784267852678626787267882678926790267912679226793267942679526796267972679826799268002680126802268032680426805268062680726808268092681026811268122681326814268152681626817268182681926820268212682226823268242682526826268272682826829268302683126832268332683426835268362683726838268392684026841268422684326844268452684626847268482684926850268512685226853268542685526856268572685826859268602686126862268632686426865268662686726868268692687026871268722687326874268752687626877268782687926880268812688226883268842688526886268872688826889268902689126892268932689426895268962689726898268992690026901269022690326904269052690626907269082690926910269112691226913269142691526916269172691826919269202692126922269232692426925269262692726928269292693026931269322693326934269352693626937269382693926940269412694226943269442694526946269472694826949269502695126952269532695426955269562695726958269592696026961269622696326964269652696626967269682696926970269712697226973269742697526976269772697826979269802698126982269832698426985269862698726988269892699026991269922699326994269952699626997269982699927000270012700227003270042700527006270072700827009270102701127012270132701427015270162701727018270192702027021270222702327024270252702627027270282702927030270312703227033270342703527036270372703827039270402704127042270432704427045270462704727048270492705027051270522705327054270552705627057270582705927060270612706227063270642706527066270672706827069270702707127072270732707427075270762707727078270792708027081270822708327084270852708627087270882708927090270912709227093270942709527096270972709827099271002710127102271032710427105271062710727108271092711027111271122711327114271152711627117271182711927120271212712227123271242712527126271272712827129271302713127132271332713427135271362713727138271392714027141271422714327144271452714627147271482714927150271512715227153271542715527156271572715827159271602716127162271632716427165271662716727168271692717027171271722717327174271752717627177271782717927180271812718227183271842718527186271872718827189271902719127192271932719427195271962719727198271992720027201272022720327204272052720627207272082720927210272112721227213272142721527216272172721827219272202722127222272232722427225272262722727228272292723027231272322723327234272352723627237272382723927240272412724227243272442724527246272472724827249272502725127252272532725427255272562725727258272592726027261272622726327264272652726627267272682726927270272712727227273272742727527276272772727827279272802728127282272832728427285272862728727288272892729027291272922729327294272952729627297272982729927300273012730227303273042730527306273072730827309273102731127312273132731427315273162731727318273192732027321273222732327324273252732627327273282732927330273312733227333273342733527336273372733827339273402734127342273432734427345273462734727348273492735027351273522735327354273552735627357273582735927360273612736227363273642736527366273672736827369273702737127372273732737427375273762737727378273792738027381273822738327384273852738627387273882738927390273912739227393273942739527396273972739827399274002740127402274032740427405274062740727408274092741027411274122741327414274152741627417274182741927420274212742227423274242742527426274272742827429274302743127432274332743427435274362743727438274392744027441274422744327444274452744627447274482744927450274512745227453274542745527456274572745827459274602746127462274632746427465274662746727468274692747027471274722747327474274752747627477274782747927480274812748227483274842748527486274872748827489274902749127492274932749427495274962749727498274992750027501275022750327504275052750627507275082750927510275112751227513275142751527516275172751827519275202752127522275232752427525275262752727528275292753027531275322753327534275352753627537275382753927540275412754227543275442754527546275472754827549275502755127552275532755427555275562755727558275592756027561275622756327564275652756627567275682756927570275712757227573275742757527576275772757827579275802758127582275832758427585275862758727588275892759027591275922759327594275952759627597275982759927600276012760227603276042760527606276072760827609276102761127612276132761427615276162761727618276192762027621276222762327624276252762627627276282762927630276312763227633276342763527636276372763827639276402764127642276432764427645276462764727648276492765027651276522765327654276552765627657276582765927660276612766227663276642766527666276672766827669276702767127672276732767427675276762767727678276792768027681276822768327684276852768627687276882768927690276912769227693276942769527696276972769827699277002770127702277032770427705277062770727708277092771027711277122771327714277152771627717277182771927720277212772227723277242772527726277272772827729277302773127732277332773427735277362773727738277392774027741277422774327744277452774627747277482774927750277512775227753277542775527756277572775827759277602776127762277632776427765277662776727768277692777027771277722777327774277752777627777277782777927780277812778227783277842778527786277872778827789277902779127792277932779427795277962779727798277992780027801278022780327804278052780627807278082780927810278112781227813278142781527816278172781827819278202782127822278232782427825278262782727828278292783027831278322783327834278352783627837278382783927840278412784227843278442784527846278472784827849278502785127852278532785427855278562785727858278592786027861278622786327864278652786627867278682786927870278712787227873278742787527876278772787827879278802788127882278832788427885278862788727888278892789027891278922789327894278952789627897278982789927900279012790227903279042790527906279072790827909279102791127912279132791427915279162791727918279192792027921279222792327924279252792627927279282792927930279312793227933279342793527936279372793827939279402794127942279432794427945279462794727948279492795027951279522795327954279552795627957279582795927960279612796227963279642796527966279672796827969279702797127972279732797427975279762797727978279792798027981279822798327984279852798627987279882798927990279912799227993279942799527996279972799827999280002800128002280032800428005280062800728008280092801028011280122801328014280152801628017280182801928020280212802228023280242802528026280272802828029280302803128032280332803428035280362803728038280392804028041280422804328044280452804628047280482804928050280512805228053280542805528056280572805828059280602806128062280632806428065280662806728068280692807028071280722807328074280752807628077280782807928080280812808228083280842808528086280872808828089280902809128092280932809428095280962809728098280992810028101281022810328104281052810628107281082810928110281112811228113281142811528116281172811828119281202812128122281232812428125281262812728128281292813028131281322813328134281352813628137281382813928140281412814228143281442814528146281472814828149281502815128152281532815428155281562815728158281592816028161281622816328164281652816628167281682816928170281712817228173281742817528176281772817828179281802818128182281832818428185281862818728188281892819028191281922819328194281952819628197281982819928200282012820228203282042820528206282072820828209282102821128212282132821428215282162821728218282192822028221282222822328224282252822628227282282822928230282312823228233282342823528236282372823828239282402824128242282432824428245282462824728248282492825028251282522825328254282552825628257282582825928260282612826228263282642826528266282672826828269282702827128272282732827428275282762827728278282792828028281282822828328284282852828628287282882828928290282912829228293282942829528296282972829828299283002830128302283032830428305283062830728308283092831028311283122831328314283152831628317283182831928320283212832228323283242832528326283272832828329283302833128332283332833428335283362833728338283392834028341283422834328344283452834628347283482834928350283512835228353283542835528356283572835828359283602836128362283632836428365283662836728368283692837028371283722837328374283752837628377283782837928380283812838228383283842838528386283872838828389283902839128392283932839428395283962839728398283992840028401284022840328404284052840628407284082840928410284112841228413284142841528416284172841828419284202842128422284232842428425284262842728428284292843028431284322843328434284352843628437284382843928440284412844228443284442844528446284472844828449284502845128452284532845428455284562845728458284592846028461284622846328464284652846628467284682846928470284712847228473284742847528476284772847828479284802848128482284832848428485284862848728488284892849028491284922849328494284952849628497284982849928500285012850228503285042850528506285072850828509285102851128512285132851428515285162851728518285192852028521285222852328524285252852628527285282852928530285312853228533285342853528536285372853828539285402854128542285432854428545285462854728548285492855028551285522855328554285552855628557285582855928560285612856228563285642856528566285672856828569285702857128572285732857428575285762857728578285792858028581285822858328584285852858628587285882858928590285912859228593285942859528596285972859828599286002860128602286032860428605286062860728608286092861028611286122861328614286152861628617286182861928620286212862228623286242862528626286272862828629286302863128632286332863428635286362863728638286392864028641286422864328644286452864628647286482864928650286512865228653286542865528656286572865828659286602866128662286632866428665286662866728668286692867028671286722867328674286752867628677286782867928680286812868228683286842868528686286872868828689286902869128692286932869428695286962869728698286992870028701287022870328704287052870628707287082870928710287112871228713287142871528716287172871828719287202872128722287232872428725287262872728728287292873028731287322873328734287352873628737287382873928740287412874228743287442874528746287472874828749287502875128752287532875428755287562875728758287592876028761287622876328764287652876628767287682876928770287712877228773287742877528776287772877828779287802878128782287832878428785287862878728788287892879028791287922879328794287952879628797287982879928800288012880228803288042880528806288072880828809288102881128812288132881428815288162881728818288192882028821288222882328824288252882628827288282882928830288312883228833288342883528836288372883828839288402884128842288432884428845288462884728848288492885028851288522885328854288552885628857288582885928860288612886228863288642886528866288672886828869288702887128872288732887428875288762887728878288792888028881288822888328884288852888628887288882888928890288912889228893288942889528896288972889828899289002890128902289032890428905289062890728908289092891028911289122891328914289152891628917289182891928920289212892228923289242892528926289272892828929289302893128932289332893428935289362893728938289392894028941289422894328944289452894628947289482894928950289512895228953289542895528956289572895828959289602896128962289632896428965289662896728968289692897028971289722897328974289752897628977289782897928980289812898228983289842898528986289872898828989289902899128992289932899428995289962899728998289992900029001290022900329004290052900629007290082900929010290112901229013290142901529016290172901829019290202902129022290232902429025290262902729028290292903029031290322903329034290352903629037290382903929040290412904229043290442904529046290472904829049290502905129052290532905429055290562905729058290592906029061290622906329064290652906629067290682906929070290712907229073290742907529076290772907829079290802908129082290832908429085290862908729088290892909029091290922909329094290952909629097290982909929100291012910229103291042910529106291072910829109291102911129112291132911429115291162911729118291192912029121291222912329124291252912629127291282912929130291312913229133291342913529136291372913829139291402914129142291432914429145291462914729148291492915029151291522915329154291552915629157291582915929160291612916229163291642916529166291672916829169291702917129172291732917429175291762917729178291792918029181291822918329184291852918629187291882918929190291912919229193291942919529196291972919829199292002920129202292032920429205292062920729208292092921029211292122921329214292152921629217292182921929220292212922229223292242922529226292272922829229292302923129232292332923429235292362923729238292392924029241292422924329244292452924629247292482924929250292512925229253292542925529256292572925829259292602926129262292632926429265292662926729268292692927029271292722927329274292752927629277292782927929280292812928229283292842928529286292872928829289292902929129292292932929429295292962929729298292992930029301293022930329304293052930629307293082930929310293112931229313293142931529316293172931829319293202932129322293232932429325293262932729328293292933029331293322933329334293352933629337293382933929340293412934229343293442934529346293472934829349293502935129352293532935429355293562935729358293592936029361293622936329364293652936629367293682936929370293712937229373293742937529376293772937829379293802938129382293832938429385293862938729388293892939029391293922939329394293952939629397293982939929400294012940229403294042940529406294072940829409294102941129412294132941429415294162941729418294192942029421294222942329424294252942629427294282942929430294312943229433294342943529436294372943829439294402944129442294432944429445294462944729448294492945029451294522945329454294552945629457294582945929460294612946229463294642946529466294672946829469294702947129472294732947429475294762947729478294792948029481294822948329484294852948629487294882948929490294912949229493294942949529496294972949829499295002950129502295032950429505295062950729508295092951029511295122951329514295152951629517295182951929520295212952229523295242952529526295272952829529295302953129532295332953429535295362953729538295392954029541295422954329544295452954629547295482954929550295512955229553295542955529556295572955829559295602956129562295632956429565295662956729568295692957029571295722957329574295752957629577295782957929580295812958229583295842958529586295872958829589295902959129592295932959429595295962959729598295992960029601296022960329604296052960629607296082960929610296112961229613296142961529616296172961829619296202962129622296232962429625296262962729628296292963029631296322963329634296352963629637296382963929640296412964229643296442964529646296472964829649296502965129652296532965429655296562965729658296592966029661296622966329664296652966629667296682966929670296712967229673296742967529676296772967829679296802968129682296832968429685296862968729688296892969029691296922969329694296952969629697296982969929700297012970229703297042970529706297072970829709297102971129712297132971429715297162971729718297192972029721297222972329724297252972629727297282972929730297312973229733297342973529736297372973829739297402974129742297432974429745297462974729748297492975029751297522975329754297552975629757297582975929760297612976229763297642976529766297672976829769297702977129772297732977429775297762977729778297792978029781297822978329784297852978629787297882978929790297912979229793297942979529796297972979829799298002980129802298032980429805298062980729808298092981029811298122981329814298152981629817298182981929820298212982229823298242982529826298272982829829298302983129832298332983429835298362983729838298392984029841298422984329844298452984629847298482984929850298512985229853298542985529856298572985829859298602986129862298632986429865298662986729868298692987029871298722987329874298752987629877298782987929880298812988229883298842988529886298872988829889298902989129892298932989429895298962989729898298992990029901299022990329904299052990629907299082990929910299112991229913299142991529916299172991829919299202992129922299232992429925299262992729928299292993029931299322993329934299352993629937299382993929940299412994229943299442994529946299472994829949299502995129952299532995429955299562995729958299592996029961299622996329964299652996629967299682996929970299712997229973299742997529976299772997829979299802998129982299832998429985299862998729988299892999029991299922999329994299952999629997299982999930000300013000230003300043000530006300073000830009300103001130012300133001430015300163001730018300193002030021300223002330024300253002630027300283002930030300313003230033300343003530036300373003830039300403004130042300433004430045300463004730048300493005030051300523005330054300553005630057300583005930060300613006230063300643006530066300673006830069300703007130072300733007430075300763007730078300793008030081300823008330084300853008630087300883008930090300913009230093300943009530096300973009830099301003010130102301033010430105301063010730108301093011030111301123011330114301153011630117301183011930120301213012230123301243012530126301273012830129301303013130132301333013430135301363013730138301393014030141301423014330144301453014630147301483014930150301513015230153301543015530156301573015830159301603016130162301633016430165301663016730168301693017030171301723017330174301753017630177301783017930180301813018230183301843018530186301873018830189301903019130192301933019430195301963019730198301993020030201302023020330204302053020630207302083020930210302113021230213302143021530216302173021830219302203022130222302233022430225302263022730228302293023030231302323023330234302353023630237302383023930240302413024230243302443024530246302473024830249302503025130252302533025430255302563025730258302593026030261302623026330264302653026630267302683026930270302713027230273302743027530276302773027830279302803028130282302833028430285302863028730288302893029030291302923029330294302953029630297302983029930300303013030230303303043030530306303073030830309303103031130312303133031430315303163031730318303193032030321303223032330324303253032630327303283032930330303313033230333303343033530336303373033830339303403034130342303433034430345303463034730348303493035030351303523035330354303553035630357303583035930360303613036230363303643036530366303673036830369303703037130372303733037430375303763037730378303793038030381303823038330384303853038630387303883038930390303913039230393303943039530396303973039830399304003040130402304033040430405304063040730408304093041030411304123041330414304153041630417304183041930420304213042230423304243042530426304273042830429304303043130432304333043430435304363043730438304393044030441304423044330444304453044630447304483044930450304513045230453304543045530456304573045830459304603046130462304633046430465304663046730468304693047030471304723047330474304753047630477304783047930480304813048230483304843048530486304873048830489304903049130492304933049430495304963049730498304993050030501305023050330504305053050630507305083050930510305113051230513305143051530516305173051830519305203052130522305233052430525305263052730528305293053030531305323053330534305353053630537305383053930540305413054230543305443054530546305473054830549305503055130552305533055430555305563055730558305593056030561305623056330564305653056630567305683056930570305713057230573305743057530576305773057830579305803058130582305833058430585305863058730588305893059030591305923059330594305953059630597305983059930600306013060230603306043060530606306073060830609306103061130612306133061430615306163061730618306193062030621306223062330624306253062630627306283062930630306313063230633306343063530636306373063830639306403064130642306433064430645306463064730648306493065030651306523065330654306553065630657306583065930660306613066230663306643066530666306673066830669306703067130672306733067430675306763067730678306793068030681306823068330684306853068630687306883068930690306913069230693306943069530696306973069830699307003070130702307033070430705307063070730708307093071030711307123071330714307153071630717307183071930720307213072230723307243072530726307273072830729307303073130732307333073430735307363073730738307393074030741307423074330744307453074630747307483074930750307513075230753307543075530756307573075830759307603076130762307633076430765307663076730768307693077030771307723077330774307753077630777307783077930780307813078230783307843078530786307873078830789307903079130792307933079430795307963079730798307993080030801308023080330804308053080630807308083080930810308113081230813308143081530816308173081830819308203082130822308233082430825308263082730828308293083030831308323083330834308353083630837308383083930840308413084230843308443084530846308473084830849308503085130852308533085430855308563085730858308593086030861308623086330864308653086630867308683086930870308713087230873308743087530876308773087830879308803088130882308833088430885308863088730888308893089030891308923089330894308953089630897308983089930900309013090230903309043090530906309073090830909309103091130912309133091430915309163091730918309193092030921309223092330924309253092630927309283092930930309313093230933309343093530936309373093830939309403094130942309433094430945309463094730948309493095030951309523095330954309553095630957309583095930960309613096230963309643096530966309673096830969309703097130972309733097430975309763097730978309793098030981309823098330984309853098630987309883098930990309913099230993309943099530996309973099830999310003100131002310033100431005310063100731008310093101031011310123101331014310153101631017310183101931020310213102231023310243102531026310273102831029310303103131032310333103431035310363103731038310393104031041310423104331044310453104631047310483104931050310513105231053310543105531056310573105831059310603106131062310633106431065310663106731068310693107031071310723107331074310753107631077310783107931080310813108231083310843108531086310873108831089310903109131092310933109431095310963109731098310993110031101311023110331104311053110631107311083110931110311113111231113311143111531116311173111831119311203112131122311233112431125311263112731128311293113031131311323113331134311353113631137311383113931140311413114231143311443114531146311473114831149311503115131152311533115431155311563115731158311593116031161311623116331164311653116631167311683116931170311713117231173311743117531176311773117831179311803118131182311833118431185311863118731188311893119031191311923119331194311953119631197311983119931200312013120231203312043120531206312073120831209312103121131212312133121431215312163121731218312193122031221312223122331224312253122631227312283122931230312313123231233312343123531236312373123831239312403124131242312433124431245312463124731248312493125031251312523125331254312553125631257312583125931260312613126231263312643126531266312673126831269312703127131272312733127431275312763127731278312793128031281312823128331284312853128631287312883128931290312913129231293312943129531296312973129831299313003130131302313033130431305313063130731308313093131031311313123131331314313153131631317313183131931320313213132231323313243132531326313273132831329313303133131332313333133431335313363133731338313393134031341313423134331344313453134631347313483134931350313513135231353313543135531356313573135831359313603136131362313633136431365313663136731368313693137031371313723137331374313753137631377313783137931380313813138231383313843138531386313873138831389313903139131392313933139431395313963139731398313993140031401314023140331404314053140631407314083140931410314113141231413314143141531416314173141831419314203142131422314233142431425314263142731428314293143031431314323143331434314353143631437314383143931440314413144231443314443144531446314473144831449314503145131452314533145431455314563145731458314593146031461314623146331464314653146631467314683146931470314713147231473314743147531476314773147831479314803148131482314833148431485314863148731488314893149031491314923149331494314953149631497314983149931500315013150231503315043150531506315073150831509315103151131512315133151431515315163151731518315193152031521315223152331524315253152631527315283152931530315313153231533315343153531536315373153831539315403154131542315433154431545315463154731548315493155031551315523155331554315553155631557315583155931560315613156231563315643156531566315673156831569315703157131572315733157431575315763157731578315793158031581315823158331584315853158631587315883158931590315913159231593315943159531596315973159831599316003160131602316033160431605316063160731608316093161031611316123161331614316153161631617316183161931620316213162231623316243162531626316273162831629316303163131632316333163431635316363163731638316393164031641316423164331644316453164631647316483164931650316513165231653316543165531656316573165831659316603166131662316633166431665316663166731668316693167031671316723167331674316753167631677316783167931680316813168231683316843168531686316873168831689316903169131692316933169431695316963169731698316993170031701317023170331704317053170631707317083170931710317113171231713317143171531716317173171831719317203172131722317233172431725317263172731728317293173031731317323173331734317353173631737317383173931740317413174231743317443174531746317473174831749317503175131752317533175431755317563175731758317593176031761
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.19.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - external-secrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: |-
  71. The name of the external secrets to be created.
  72. Defaults to the name of the ClusterExternalSecret
  73. maxLength: 253
  74. minLength: 1
  75. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  76. type: string
  77. externalSecretSpec:
  78. description: The spec for the ExternalSecrets to be created
  79. properties:
  80. data:
  81. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  82. items:
  83. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  84. properties:
  85. remoteRef:
  86. description: |-
  87. RemoteRef points to the remote secret and defines
  88. which secret (version/property/..) to fetch.
  89. properties:
  90. conversionStrategy:
  91. default: Default
  92. description: Used to define a conversion Strategy
  93. enum:
  94. - Default
  95. - Unicode
  96. type: string
  97. decodingStrategy:
  98. default: None
  99. description: Used to define a decoding Strategy
  100. enum:
  101. - Auto
  102. - Base64
  103. - Base64URL
  104. - None
  105. type: string
  106. key:
  107. description: Key is the key used in the Provider, mandatory
  108. type: string
  109. metadataPolicy:
  110. default: None
  111. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  112. enum:
  113. - None
  114. - Fetch
  115. type: string
  116. nullBytePolicy:
  117. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  118. enum:
  119. - Ignore
  120. - Fail
  121. type: string
  122. property:
  123. description: Used to select a specific property of the Provider value (if a map), if supported
  124. type: string
  125. version:
  126. description: Used to select a specific version of the Provider value, if supported
  127. type: string
  128. required:
  129. - key
  130. type: object
  131. secretKey:
  132. description: The key in the Kubernetes Secret to store the value.
  133. maxLength: 253
  134. minLength: 1
  135. pattern: ^[-._a-zA-Z0-9]+$
  136. type: string
  137. sourceRef:
  138. description: |-
  139. SourceRef allows you to override the source
  140. from which the value will be pulled.
  141. maxProperties: 1
  142. minProperties: 1
  143. properties:
  144. generatorRef:
  145. description: |-
  146. GeneratorRef points to a generator custom resource.
  147. Deprecated: The generatorRef is not implemented in .data[].
  148. this will be removed with v1.
  149. properties:
  150. apiVersion:
  151. default: generators.external-secrets.io/v1alpha1
  152. description: Specify the apiVersion of the generator resource
  153. type: string
  154. kind:
  155. description: Specify the Kind of the generator resource
  156. enum:
  157. - ACRAccessToken
  158. - BeyondtrustWorkloadCredentialsDynamicSecret
  159. - ClusterGenerator
  160. - CloudsmithAccessToken
  161. - ECRAuthorizationToken
  162. - Fake
  163. - GCRAccessToken
  164. - GithubAccessToken
  165. - GitlabDeployToken
  166. - QuayAccessToken
  167. - Password
  168. - SSHKey
  169. - STSSessionToken
  170. - UUID
  171. - VaultDynamicSecret
  172. - Webhook
  173. - Grafana
  174. - MFA
  175. type: string
  176. name:
  177. description: Specify the name of the generator resource
  178. maxLength: 253
  179. minLength: 1
  180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  181. type: string
  182. required:
  183. - kind
  184. - name
  185. type: object
  186. storeRef:
  187. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  188. properties:
  189. kind:
  190. description: |-
  191. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  192. Defaults to `SecretStore`
  193. enum:
  194. - SecretStore
  195. - ClusterSecretStore
  196. type: string
  197. name:
  198. description: Name of the SecretStore resource
  199. maxLength: 253
  200. minLength: 1
  201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  202. type: string
  203. type: object
  204. type: object
  205. required:
  206. - remoteRef
  207. - secretKey
  208. type: object
  209. type: array
  210. dataFrom:
  211. description: |-
  212. DataFrom is used to fetch all properties from a specific Provider data
  213. If multiple entries are specified, the Secret keys are merged in the specified order
  214. items:
  215. description: |-
  216. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  217. when using DataFrom to fetch multiple values from a Provider.
  218. properties:
  219. extract:
  220. description: |-
  221. Used to extract multiple key/value pairs from one secret
  222. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  223. properties:
  224. conversionStrategy:
  225. default: Default
  226. description: Used to define a conversion Strategy
  227. enum:
  228. - Default
  229. - Unicode
  230. type: string
  231. decodingStrategy:
  232. default: None
  233. description: Used to define a decoding Strategy
  234. enum:
  235. - Auto
  236. - Base64
  237. - Base64URL
  238. - None
  239. type: string
  240. key:
  241. description: Key is the key used in the Provider, mandatory
  242. type: string
  243. metadataPolicy:
  244. default: None
  245. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  246. enum:
  247. - None
  248. - Fetch
  249. type: string
  250. nullBytePolicy:
  251. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  252. enum:
  253. - Ignore
  254. - Fail
  255. type: string
  256. property:
  257. description: Used to select a specific property of the Provider value (if a map), if supported
  258. type: string
  259. version:
  260. description: Used to select a specific version of the Provider value, if supported
  261. type: string
  262. required:
  263. - key
  264. type: object
  265. find:
  266. description: |-
  267. Used to find secrets based on tags or regular expressions
  268. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  269. properties:
  270. conversionStrategy:
  271. default: Default
  272. description: Used to define a conversion Strategy
  273. enum:
  274. - Default
  275. - Unicode
  276. type: string
  277. decodingStrategy:
  278. default: None
  279. description: Used to define a decoding Strategy
  280. enum:
  281. - Auto
  282. - Base64
  283. - Base64URL
  284. - None
  285. type: string
  286. name:
  287. description: Finds secrets based on the name.
  288. properties:
  289. regexp:
  290. description: Finds secrets base
  291. type: string
  292. type: object
  293. nullBytePolicy:
  294. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  295. enum:
  296. - Ignore
  297. - Fail
  298. type: string
  299. path:
  300. description: A root path to start the find operations.
  301. type: string
  302. tags:
  303. additionalProperties:
  304. type: string
  305. description: Find secrets based on tags.
  306. type: object
  307. type: object
  308. rewrite:
  309. description: |-
  310. Used to rewrite secret Keys after getting them from the secret Provider
  311. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  312. items:
  313. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  314. maxProperties: 1
  315. minProperties: 1
  316. properties:
  317. merge:
  318. description: |-
  319. Used to merge key/values in one single Secret
  320. The resulting key will contain all values from the specified secrets
  321. properties:
  322. conflictPolicy:
  323. default: Error
  324. description: Used to define the policy to use in conflict resolution.
  325. enum:
  326. - Ignore
  327. - Error
  328. type: string
  329. into:
  330. default: ""
  331. description: |-
  332. Used to define the target key of the merge operation.
  333. Required if strategy is JSON. Ignored otherwise.
  334. type: string
  335. priority:
  336. description: Used to define key priority in conflict resolution.
  337. items:
  338. type: string
  339. type: array
  340. priorityPolicy:
  341. default: Strict
  342. description: Used to define the policy when a key in the priority list does not exist in the input.
  343. enum:
  344. - IgnoreNotFound
  345. - Strict
  346. type: string
  347. strategy:
  348. default: Extract
  349. description: Used to define the strategy to use in the merge operation.
  350. enum:
  351. - Extract
  352. - JSON
  353. type: string
  354. type: object
  355. regexp:
  356. description: |-
  357. Used to rewrite with regular expressions.
  358. The resulting key will be the output of a regexp.ReplaceAll operation.
  359. properties:
  360. source:
  361. description: Used to define the regular expression of a re.Compiler.
  362. type: string
  363. target:
  364. description: Used to define the target pattern of a ReplaceAll operation.
  365. type: string
  366. required:
  367. - source
  368. - target
  369. type: object
  370. transform:
  371. description: |-
  372. Used to apply string transformation on the secrets.
  373. The resulting key will be the output of the template applied by the operation.
  374. properties:
  375. template:
  376. description: |-
  377. Used to define the template to apply on the secret name.
  378. `.value ` will specify the secret name in the template.
  379. type: string
  380. required:
  381. - template
  382. type: object
  383. type: object
  384. type: array
  385. sourceRef:
  386. description: |-
  387. SourceRef points to a store or generator
  388. which contains secret values ready to use.
  389. Use this in combination with Extract or Find pull values out of
  390. a specific SecretStore.
  391. When sourceRef points to a generator Extract or Find is not supported.
  392. The generator returns a static map of values
  393. maxProperties: 1
  394. minProperties: 1
  395. properties:
  396. generatorRef:
  397. description: GeneratorRef points to a generator custom resource.
  398. properties:
  399. apiVersion:
  400. default: generators.external-secrets.io/v1alpha1
  401. description: Specify the apiVersion of the generator resource
  402. type: string
  403. kind:
  404. description: Specify the Kind of the generator resource
  405. enum:
  406. - ACRAccessToken
  407. - BeyondtrustWorkloadCredentialsDynamicSecret
  408. - ClusterGenerator
  409. - CloudsmithAccessToken
  410. - ECRAuthorizationToken
  411. - Fake
  412. - GCRAccessToken
  413. - GithubAccessToken
  414. - GitlabDeployToken
  415. - QuayAccessToken
  416. - Password
  417. - SSHKey
  418. - STSSessionToken
  419. - UUID
  420. - VaultDynamicSecret
  421. - Webhook
  422. - Grafana
  423. - MFA
  424. type: string
  425. name:
  426. description: Specify the name of the generator resource
  427. maxLength: 253
  428. minLength: 1
  429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  430. type: string
  431. required:
  432. - kind
  433. - name
  434. type: object
  435. storeRef:
  436. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  437. properties:
  438. kind:
  439. description: |-
  440. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  441. Defaults to `SecretStore`
  442. enum:
  443. - SecretStore
  444. - ClusterSecretStore
  445. type: string
  446. name:
  447. description: Name of the SecretStore resource
  448. maxLength: 253
  449. minLength: 1
  450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  451. type: string
  452. type: object
  453. type: object
  454. type: object
  455. type: array
  456. refreshInterval:
  457. default: 1h0m0s
  458. description: |-
  459. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  460. specified as Golang Duration strings.
  461. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  462. Example values: "1h0m0s", "2h30m0s", "10m0s"
  463. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  464. type: string
  465. refreshPolicy:
  466. description: |-
  467. RefreshPolicy determines how the ExternalSecret should be refreshed:
  468. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  469. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  470. No periodic updates occur if refreshInterval is 0.
  471. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  472. enum:
  473. - CreatedOnce
  474. - Periodic
  475. - OnChange
  476. type: string
  477. secretStoreRef:
  478. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  479. properties:
  480. kind:
  481. description: |-
  482. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  483. Defaults to `SecretStore`
  484. enum:
  485. - SecretStore
  486. - ClusterSecretStore
  487. type: string
  488. name:
  489. description: Name of the SecretStore resource
  490. maxLength: 253
  491. minLength: 1
  492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  493. type: string
  494. type: object
  495. syncWindows:
  496. description: |-
  497. SyncWindows optionally restricts when periodic refreshes may occur.
  498. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  499. properties:
  500. kind:
  501. description: |-
  502. Kind applies to every window in the list.
  503. "allow" -- syncs are permitted only while at least one window is active;
  504. all other times are blocked.
  505. "deny" -- syncs are blocked while any window is active;
  506. all other times are permitted.
  507. enum:
  508. - allow
  509. - deny
  510. type: string
  511. windows:
  512. description: Windows is the list of schedule+duration pairs.
  513. items:
  514. description: |-
  515. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  516. within a SyncWindows block.
  517. properties:
  518. duration:
  519. description: |-
  520. Duration specifies how long the window stays open after each Schedule
  521. firing. Example: "8h".
  522. type: string
  523. schedule:
  524. description: |-
  525. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  526. named shorthand such as @daily or @every 1h. It marks the start time of
  527. each window occurrence.
  528. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  529. minLength: 1
  530. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  531. type: string
  532. required:
  533. - duration
  534. - schedule
  535. type: object
  536. minItems: 1
  537. type: array
  538. required:
  539. - kind
  540. - windows
  541. type: object
  542. target:
  543. default:
  544. creationPolicy: Owner
  545. deletionPolicy: Retain
  546. description: |-
  547. ExternalSecretTarget defines the Kubernetes Secret to be created,
  548. there can be only one target per ExternalSecret.
  549. properties:
  550. creationPolicy:
  551. default: Owner
  552. description: |-
  553. CreationPolicy defines rules on how to create the resulting Secret.
  554. Defaults to "Owner"
  555. enum:
  556. - Owner
  557. - Orphan
  558. - Merge
  559. - None
  560. type: string
  561. deletionPolicy:
  562. default: Retain
  563. description: |-
  564. DeletionPolicy defines rules on how to delete the resulting Secret.
  565. Defaults to "Retain"
  566. enum:
  567. - Delete
  568. - Merge
  569. - Retain
  570. type: string
  571. immutable:
  572. description: Immutable defines if the final secret will be immutable
  573. type: boolean
  574. manifest:
  575. description: |-
  576. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  577. When specified, ExternalSecret will create the resource type defined here
  578. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  579. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  580. properties:
  581. apiVersion:
  582. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  583. minLength: 1
  584. type: string
  585. kind:
  586. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  587. minLength: 1
  588. type: string
  589. required:
  590. - apiVersion
  591. - kind
  592. type: object
  593. name:
  594. description: |-
  595. The name of the Secret resource to be managed.
  596. Defaults to the .metadata.name of the ExternalSecret resource
  597. maxLength: 253
  598. minLength: 1
  599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  600. type: string
  601. template:
  602. description: Template defines a blueprint for the created Secret resource.
  603. properties:
  604. data:
  605. additionalProperties:
  606. type: string
  607. type: object
  608. engineVersion:
  609. default: v2
  610. description: |-
  611. EngineVersion specifies the template engine version
  612. that should be used to compile/execute the
  613. template specified in .data and .templateFrom[].
  614. enum:
  615. - v2
  616. type: string
  617. mergePolicy:
  618. default: Replace
  619. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  620. enum:
  621. - Replace
  622. - Merge
  623. type: string
  624. metadata:
  625. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  626. properties:
  627. annotations:
  628. additionalProperties:
  629. type: string
  630. type: object
  631. finalizers:
  632. items:
  633. type: string
  634. type: array
  635. labels:
  636. additionalProperties:
  637. type: string
  638. type: object
  639. type: object
  640. templateFrom:
  641. items:
  642. description: |-
  643. TemplateFrom specifies a source for templates.
  644. Each item in the list can either reference a ConfigMap or a Secret resource.
  645. properties:
  646. configMap:
  647. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  648. properties:
  649. items:
  650. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  651. items:
  652. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  653. properties:
  654. key:
  655. description: A key in the ConfigMap/Secret
  656. maxLength: 253
  657. minLength: 1
  658. pattern: ^[-._a-zA-Z0-9]+$
  659. type: string
  660. templateAs:
  661. default: Values
  662. description: TemplateScope specifies how the template keys should be interpreted.
  663. enum:
  664. - Values
  665. - KeysAndValues
  666. type: string
  667. required:
  668. - key
  669. type: object
  670. type: array
  671. name:
  672. description: The name of the ConfigMap/Secret resource
  673. maxLength: 253
  674. minLength: 1
  675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  676. type: string
  677. required:
  678. - items
  679. - name
  680. type: object
  681. literal:
  682. type: string
  683. secret:
  684. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  685. properties:
  686. items:
  687. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  688. items:
  689. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  690. properties:
  691. key:
  692. description: A key in the ConfigMap/Secret
  693. maxLength: 253
  694. minLength: 1
  695. pattern: ^[-._a-zA-Z0-9]+$
  696. type: string
  697. templateAs:
  698. default: Values
  699. description: TemplateScope specifies how the template keys should be interpreted.
  700. enum:
  701. - Values
  702. - KeysAndValues
  703. type: string
  704. required:
  705. - key
  706. type: object
  707. type: array
  708. name:
  709. description: The name of the ConfigMap/Secret resource
  710. maxLength: 253
  711. minLength: 1
  712. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  713. type: string
  714. required:
  715. - items
  716. - name
  717. type: object
  718. target:
  719. default: Data
  720. description: |-
  721. Target specifies where to place the template result.
  722. For Secret resources, common values are: "Data", "Annotations", "Labels".
  723. For custom resources (when spec.target.manifest is set), this supports
  724. nested paths like "spec.database.config" or "data".
  725. type: string
  726. valuesDecodingStrategy:
  727. default: None
  728. description: Used to define a decoding Strategy for the rendered template values.
  729. enum:
  730. - Auto
  731. - Base64
  732. - Base64URL
  733. - None
  734. type: string
  735. type: object
  736. type: array
  737. type:
  738. type: string
  739. type: object
  740. type: object
  741. type: object
  742. namespaceSelector:
  743. description: |-
  744. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  745. Deprecated: Use NamespaceSelectors instead.
  746. properties:
  747. matchExpressions:
  748. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  749. items:
  750. description: |-
  751. A label selector requirement is a selector that contains values, a key, and an operator that
  752. relates the key and values.
  753. properties:
  754. key:
  755. description: key is the label key that the selector applies to.
  756. type: string
  757. operator:
  758. description: |-
  759. operator represents a key's relationship to a set of values.
  760. Valid operators are In, NotIn, Exists and DoesNotExist.
  761. type: string
  762. values:
  763. description: |-
  764. values is an array of string values. If the operator is In or NotIn,
  765. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  766. the values array must be empty. This array is replaced during a strategic
  767. merge patch.
  768. items:
  769. type: string
  770. type: array
  771. x-kubernetes-list-type: atomic
  772. required:
  773. - key
  774. - operator
  775. type: object
  776. type: array
  777. x-kubernetes-list-type: atomic
  778. matchLabels:
  779. additionalProperties:
  780. type: string
  781. description: |-
  782. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  783. map is equivalent to an element of matchExpressions, whose key field is "key", the
  784. operator is "In", and the values array contains only "value". The requirements are ANDed.
  785. type: object
  786. type: object
  787. x-kubernetes-map-type: atomic
  788. namespaceSelectors:
  789. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  790. items:
  791. description: |-
  792. A label selector is a label query over a set of resources. The result of matchLabels and
  793. matchExpressions are ANDed. An empty label selector matches all objects. A null
  794. label selector matches no objects.
  795. properties:
  796. matchExpressions:
  797. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  798. items:
  799. description: |-
  800. A label selector requirement is a selector that contains values, a key, and an operator that
  801. relates the key and values.
  802. properties:
  803. key:
  804. description: key is the label key that the selector applies to.
  805. type: string
  806. operator:
  807. description: |-
  808. operator represents a key's relationship to a set of values.
  809. Valid operators are In, NotIn, Exists and DoesNotExist.
  810. type: string
  811. values:
  812. description: |-
  813. values is an array of string values. If the operator is In or NotIn,
  814. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  815. the values array must be empty. This array is replaced during a strategic
  816. merge patch.
  817. items:
  818. type: string
  819. type: array
  820. x-kubernetes-list-type: atomic
  821. required:
  822. - key
  823. - operator
  824. type: object
  825. type: array
  826. x-kubernetes-list-type: atomic
  827. matchLabels:
  828. additionalProperties:
  829. type: string
  830. description: |-
  831. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  832. map is equivalent to an element of matchExpressions, whose key field is "key", the
  833. operator is "In", and the values array contains only "value". The requirements are ANDed.
  834. type: object
  835. type: object
  836. x-kubernetes-map-type: atomic
  837. type: array
  838. namespaces:
  839. description: |-
  840. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  841. Deprecated: Use NamespaceSelectors instead.
  842. items:
  843. maxLength: 63
  844. minLength: 1
  845. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  846. type: string
  847. type: array
  848. refreshTime:
  849. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  850. type: string
  851. required:
  852. - externalSecretSpec
  853. type: object
  854. status:
  855. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  856. properties:
  857. conditions:
  858. items:
  859. description: ClusterExternalSecretStatusCondition defines the observed state of a ClusterExternalSecret resource.
  860. properties:
  861. message:
  862. type: string
  863. status:
  864. type: string
  865. type:
  866. description: ClusterExternalSecretConditionType defines a value type for ClusterExternalSecret conditions.
  867. type: string
  868. required:
  869. - status
  870. - type
  871. type: object
  872. type: array
  873. externalSecretName:
  874. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  875. type: string
  876. failedNamespaces:
  877. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  878. items:
  879. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  880. properties:
  881. namespace:
  882. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  883. type: string
  884. reason:
  885. description: Reason is why the ExternalSecret failed to apply to the namespace
  886. type: string
  887. required:
  888. - namespace
  889. type: object
  890. type: array
  891. provisionedNamespaces:
  892. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  893. items:
  894. type: string
  895. type: array
  896. type: object
  897. type: object
  898. served: true
  899. storage: true
  900. subresources:
  901. status: {}
  902. - additionalPrinterColumns:
  903. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  904. name: Store
  905. type: string
  906. - jsonPath: .spec.refreshTime
  907. name: Refresh Interval
  908. type: string
  909. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  910. name: Ready
  911. type: string
  912. deprecated: true
  913. name: v1beta1
  914. schema:
  915. openAPIV3Schema:
  916. description: ClusterExternalSecret is the schema for the clusterexternalsecrets API.
  917. properties:
  918. apiVersion:
  919. description: |-
  920. APIVersion defines the versioned schema of this representation of an object.
  921. Servers should convert recognized schemas to the latest internal value, and
  922. may reject unrecognized values.
  923. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  924. type: string
  925. kind:
  926. description: |-
  927. Kind is a string value representing the REST resource this object represents.
  928. Servers may infer this from the endpoint the client submits requests to.
  929. Cannot be updated.
  930. In CamelCase.
  931. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  932. type: string
  933. metadata:
  934. type: object
  935. spec:
  936. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  937. properties:
  938. externalSecretMetadata:
  939. description: The metadata of the external secrets to be created
  940. properties:
  941. annotations:
  942. additionalProperties:
  943. type: string
  944. type: object
  945. labels:
  946. additionalProperties:
  947. type: string
  948. type: object
  949. type: object
  950. externalSecretName:
  951. description: |-
  952. The name of the external secrets to be created.
  953. Defaults to the name of the ClusterExternalSecret
  954. maxLength: 253
  955. minLength: 1
  956. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  957. type: string
  958. externalSecretSpec:
  959. description: The spec for the ExternalSecrets to be created
  960. properties:
  961. data:
  962. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  963. items:
  964. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  965. properties:
  966. remoteRef:
  967. description: |-
  968. RemoteRef points to the remote secret and defines
  969. which secret (version/property/..) to fetch.
  970. properties:
  971. conversionStrategy:
  972. default: Default
  973. description: Used to define a conversion Strategy
  974. enum:
  975. - Default
  976. - Unicode
  977. type: string
  978. decodingStrategy:
  979. default: None
  980. description: Used to define a decoding Strategy
  981. enum:
  982. - Auto
  983. - Base64
  984. - Base64URL
  985. - None
  986. type: string
  987. key:
  988. description: Key is the key used in the Provider, mandatory
  989. type: string
  990. metadataPolicy:
  991. default: None
  992. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  993. enum:
  994. - None
  995. - Fetch
  996. type: string
  997. property:
  998. description: Used to select a specific property of the Provider value (if a map), if supported
  999. type: string
  1000. version:
  1001. description: Used to select a specific version of the Provider value, if supported
  1002. type: string
  1003. required:
  1004. - key
  1005. type: object
  1006. secretKey:
  1007. description: The key in the Kubernetes Secret to store the value.
  1008. maxLength: 253
  1009. minLength: 1
  1010. pattern: ^[-._a-zA-Z0-9]+$
  1011. type: string
  1012. sourceRef:
  1013. description: |-
  1014. SourceRef allows you to override the source
  1015. from which the value will be pulled.
  1016. maxProperties: 1
  1017. minProperties: 1
  1018. properties:
  1019. generatorRef:
  1020. description: |-
  1021. GeneratorRef points to a generator custom resource.
  1022. Deprecated: The generatorRef is not implemented in .data[].
  1023. this will be removed with v1.
  1024. properties:
  1025. apiVersion:
  1026. default: generators.external-secrets.io/v1alpha1
  1027. description: Specify the apiVersion of the generator resource
  1028. type: string
  1029. kind:
  1030. description: Specify the Kind of the generator resource
  1031. enum:
  1032. - ACRAccessToken
  1033. - ClusterGenerator
  1034. - ECRAuthorizationToken
  1035. - Fake
  1036. - GCRAccessToken
  1037. - GithubAccessToken
  1038. - QuayAccessToken
  1039. - Password
  1040. - SSHKey
  1041. - STSSessionToken
  1042. - UUID
  1043. - VaultDynamicSecret
  1044. - Webhook
  1045. - Grafana
  1046. type: string
  1047. name:
  1048. description: Specify the name of the generator resource
  1049. maxLength: 253
  1050. minLength: 1
  1051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1052. type: string
  1053. required:
  1054. - kind
  1055. - name
  1056. type: object
  1057. storeRef:
  1058. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1059. properties:
  1060. kind:
  1061. description: |-
  1062. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1063. Defaults to `SecretStore`
  1064. enum:
  1065. - SecretStore
  1066. - ClusterSecretStore
  1067. type: string
  1068. name:
  1069. description: Name of the SecretStore resource
  1070. maxLength: 253
  1071. minLength: 1
  1072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1073. type: string
  1074. type: object
  1075. type: object
  1076. required:
  1077. - remoteRef
  1078. - secretKey
  1079. type: object
  1080. type: array
  1081. dataFrom:
  1082. description: |-
  1083. DataFrom is used to fetch all properties from a specific Provider data
  1084. If multiple entries are specified, the Secret keys are merged in the specified order
  1085. items:
  1086. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  1087. properties:
  1088. extract:
  1089. description: |-
  1090. Used to extract multiple key/value pairs from one secret
  1091. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1092. properties:
  1093. conversionStrategy:
  1094. default: Default
  1095. description: Used to define a conversion Strategy
  1096. enum:
  1097. - Default
  1098. - Unicode
  1099. type: string
  1100. decodingStrategy:
  1101. default: None
  1102. description: Used to define a decoding Strategy
  1103. enum:
  1104. - Auto
  1105. - Base64
  1106. - Base64URL
  1107. - None
  1108. type: string
  1109. key:
  1110. description: Key is the key used in the Provider, mandatory
  1111. type: string
  1112. metadataPolicy:
  1113. default: None
  1114. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  1115. enum:
  1116. - None
  1117. - Fetch
  1118. type: string
  1119. property:
  1120. description: Used to select a specific property of the Provider value (if a map), if supported
  1121. type: string
  1122. version:
  1123. description: Used to select a specific version of the Provider value, if supported
  1124. type: string
  1125. required:
  1126. - key
  1127. type: object
  1128. find:
  1129. description: |-
  1130. Used to find secrets based on tags or regular expressions
  1131. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  1132. properties:
  1133. conversionStrategy:
  1134. default: Default
  1135. description: Used to define a conversion Strategy
  1136. enum:
  1137. - Default
  1138. - Unicode
  1139. type: string
  1140. decodingStrategy:
  1141. default: None
  1142. description: Used to define a decoding Strategy
  1143. enum:
  1144. - Auto
  1145. - Base64
  1146. - Base64URL
  1147. - None
  1148. type: string
  1149. name:
  1150. description: Finds secrets based on the name.
  1151. properties:
  1152. regexp:
  1153. description: Finds secrets base
  1154. type: string
  1155. type: object
  1156. path:
  1157. description: A root path to start the find operations.
  1158. type: string
  1159. tags:
  1160. additionalProperties:
  1161. type: string
  1162. description: Find secrets based on tags.
  1163. type: object
  1164. type: object
  1165. rewrite:
  1166. description: |-
  1167. Used to rewrite secret Keys after getting them from the secret Provider
  1168. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  1169. items:
  1170. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  1171. maxProperties: 1
  1172. minProperties: 1
  1173. properties:
  1174. regexp:
  1175. description: |-
  1176. Used to rewrite with regular expressions.
  1177. The resulting key will be the output of a regexp.ReplaceAll operation.
  1178. properties:
  1179. source:
  1180. description: Used to define the regular expression of a re.Compiler.
  1181. type: string
  1182. target:
  1183. description: Used to define the target pattern of a ReplaceAll operation.
  1184. type: string
  1185. required:
  1186. - source
  1187. - target
  1188. type: object
  1189. transform:
  1190. description: |-
  1191. Used to apply string transformation on the secrets.
  1192. The resulting key will be the output of the template applied by the operation.
  1193. properties:
  1194. template:
  1195. description: |-
  1196. Used to define the template to apply on the secret name.
  1197. `.value ` will specify the secret name in the template.
  1198. type: string
  1199. required:
  1200. - template
  1201. type: object
  1202. type: object
  1203. type: array
  1204. sourceRef:
  1205. description: |-
  1206. SourceRef points to a store or generator
  1207. which contains secret values ready to use.
  1208. Use this in combination with Extract or Find pull values out of
  1209. a specific SecretStore.
  1210. When sourceRef points to a generator Extract or Find is not supported.
  1211. The generator returns a static map of values
  1212. maxProperties: 1
  1213. minProperties: 1
  1214. properties:
  1215. generatorRef:
  1216. description: GeneratorRef points to a generator custom resource.
  1217. properties:
  1218. apiVersion:
  1219. default: generators.external-secrets.io/v1alpha1
  1220. description: Specify the apiVersion of the generator resource
  1221. type: string
  1222. kind:
  1223. description: Specify the Kind of the generator resource
  1224. enum:
  1225. - ACRAccessToken
  1226. - ClusterGenerator
  1227. - ECRAuthorizationToken
  1228. - Fake
  1229. - GCRAccessToken
  1230. - GithubAccessToken
  1231. - QuayAccessToken
  1232. - Password
  1233. - SSHKey
  1234. - STSSessionToken
  1235. - UUID
  1236. - VaultDynamicSecret
  1237. - Webhook
  1238. - Grafana
  1239. type: string
  1240. name:
  1241. description: Specify the name of the generator resource
  1242. maxLength: 253
  1243. minLength: 1
  1244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1245. type: string
  1246. required:
  1247. - kind
  1248. - name
  1249. type: object
  1250. storeRef:
  1251. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1252. properties:
  1253. kind:
  1254. description: |-
  1255. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1256. Defaults to `SecretStore`
  1257. enum:
  1258. - SecretStore
  1259. - ClusterSecretStore
  1260. type: string
  1261. name:
  1262. description: Name of the SecretStore resource
  1263. maxLength: 253
  1264. minLength: 1
  1265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1266. type: string
  1267. type: object
  1268. type: object
  1269. type: object
  1270. type: array
  1271. refreshInterval:
  1272. default: 1h0m0s
  1273. description: |-
  1274. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  1275. specified as Golang Duration strings.
  1276. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  1277. Example values: "1h0m0s", "2h30m0s", "10m0s"
  1278. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  1279. type: string
  1280. refreshPolicy:
  1281. description: |-
  1282. RefreshPolicy determines how the ExternalSecret should be refreshed:
  1283. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  1284. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  1285. No periodic updates occur if refreshInterval is 0.
  1286. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  1287. enum:
  1288. - CreatedOnce
  1289. - Periodic
  1290. - OnChange
  1291. type: string
  1292. secretStoreRef:
  1293. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  1294. properties:
  1295. kind:
  1296. description: |-
  1297. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1298. Defaults to `SecretStore`
  1299. enum:
  1300. - SecretStore
  1301. - ClusterSecretStore
  1302. type: string
  1303. name:
  1304. description: Name of the SecretStore resource
  1305. maxLength: 253
  1306. minLength: 1
  1307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1308. type: string
  1309. type: object
  1310. target:
  1311. default:
  1312. creationPolicy: Owner
  1313. deletionPolicy: Retain
  1314. description: |-
  1315. ExternalSecretTarget defines the Kubernetes Secret to be created
  1316. There can be only one target per ExternalSecret.
  1317. properties:
  1318. creationPolicy:
  1319. default: Owner
  1320. description: |-
  1321. CreationPolicy defines rules on how to create the resulting Secret.
  1322. Defaults to "Owner"
  1323. enum:
  1324. - Owner
  1325. - Orphan
  1326. - Merge
  1327. - None
  1328. type: string
  1329. deletionPolicy:
  1330. default: Retain
  1331. description: |-
  1332. DeletionPolicy defines rules on how to delete the resulting Secret.
  1333. Defaults to "Retain"
  1334. enum:
  1335. - Delete
  1336. - Merge
  1337. - Retain
  1338. type: string
  1339. immutable:
  1340. description: Immutable defines if the final secret will be immutable
  1341. type: boolean
  1342. name:
  1343. description: |-
  1344. The name of the Secret resource to be managed.
  1345. Defaults to the .metadata.name of the ExternalSecret resource
  1346. maxLength: 253
  1347. minLength: 1
  1348. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1349. type: string
  1350. template:
  1351. description: Template defines a blueprint for the created Secret resource.
  1352. properties:
  1353. data:
  1354. additionalProperties:
  1355. type: string
  1356. type: object
  1357. engineVersion:
  1358. default: v2
  1359. description: |-
  1360. EngineVersion specifies the template engine version
  1361. that should be used to compile/execute the
  1362. template specified in .data and .templateFrom[].
  1363. enum:
  1364. - v2
  1365. type: string
  1366. mergePolicy:
  1367. default: Replace
  1368. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  1369. enum:
  1370. - Replace
  1371. - Merge
  1372. type: string
  1373. metadata:
  1374. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  1375. properties:
  1376. annotations:
  1377. additionalProperties:
  1378. type: string
  1379. type: object
  1380. labels:
  1381. additionalProperties:
  1382. type: string
  1383. type: object
  1384. type: object
  1385. templateFrom:
  1386. items:
  1387. description: TemplateFrom defines a source for template data.
  1388. properties:
  1389. configMap:
  1390. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1391. properties:
  1392. items:
  1393. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1394. items:
  1395. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1396. properties:
  1397. key:
  1398. description: A key in the ConfigMap/Secret
  1399. maxLength: 253
  1400. minLength: 1
  1401. pattern: ^[-._a-zA-Z0-9]+$
  1402. type: string
  1403. templateAs:
  1404. default: Values
  1405. description: TemplateScope defines the scope of the template when processing template data.
  1406. enum:
  1407. - Values
  1408. - KeysAndValues
  1409. type: string
  1410. required:
  1411. - key
  1412. type: object
  1413. type: array
  1414. name:
  1415. description: The name of the ConfigMap/Secret resource
  1416. maxLength: 253
  1417. minLength: 1
  1418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1419. type: string
  1420. required:
  1421. - items
  1422. - name
  1423. type: object
  1424. literal:
  1425. type: string
  1426. secret:
  1427. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  1428. properties:
  1429. items:
  1430. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  1431. items:
  1432. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  1433. properties:
  1434. key:
  1435. description: A key in the ConfigMap/Secret
  1436. maxLength: 253
  1437. minLength: 1
  1438. pattern: ^[-._a-zA-Z0-9]+$
  1439. type: string
  1440. templateAs:
  1441. default: Values
  1442. description: TemplateScope defines the scope of the template when processing template data.
  1443. enum:
  1444. - Values
  1445. - KeysAndValues
  1446. type: string
  1447. required:
  1448. - key
  1449. type: object
  1450. type: array
  1451. name:
  1452. description: The name of the ConfigMap/Secret resource
  1453. maxLength: 253
  1454. minLength: 1
  1455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1456. type: string
  1457. required:
  1458. - items
  1459. - name
  1460. type: object
  1461. target:
  1462. default: Data
  1463. description: TemplateTarget defines the target field where the template result will be stored.
  1464. enum:
  1465. - Data
  1466. - Annotations
  1467. - Labels
  1468. type: string
  1469. type: object
  1470. type: array
  1471. type:
  1472. type: string
  1473. type: object
  1474. type: object
  1475. type: object
  1476. namespaceSelector:
  1477. description: The labels to select by to find the Namespaces to create the ExternalSecrets in
  1478. properties:
  1479. matchExpressions:
  1480. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1481. items:
  1482. description: |-
  1483. A label selector requirement is a selector that contains values, a key, and an operator that
  1484. relates the key and values.
  1485. properties:
  1486. key:
  1487. description: key is the label key that the selector applies to.
  1488. type: string
  1489. operator:
  1490. description: |-
  1491. operator represents a key's relationship to a set of values.
  1492. Valid operators are In, NotIn, Exists and DoesNotExist.
  1493. type: string
  1494. values:
  1495. description: |-
  1496. values is an array of string values. If the operator is In or NotIn,
  1497. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1498. the values array must be empty. This array is replaced during a strategic
  1499. merge patch.
  1500. items:
  1501. type: string
  1502. type: array
  1503. x-kubernetes-list-type: atomic
  1504. required:
  1505. - key
  1506. - operator
  1507. type: object
  1508. type: array
  1509. x-kubernetes-list-type: atomic
  1510. matchLabels:
  1511. additionalProperties:
  1512. type: string
  1513. description: |-
  1514. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1515. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1516. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1517. type: object
  1518. type: object
  1519. x-kubernetes-map-type: atomic
  1520. namespaceSelectors:
  1521. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1522. items:
  1523. description: |-
  1524. A label selector is a label query over a set of resources. The result of matchLabels and
  1525. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1526. label selector matches no objects.
  1527. properties:
  1528. matchExpressions:
  1529. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1530. items:
  1531. description: |-
  1532. A label selector requirement is a selector that contains values, a key, and an operator that
  1533. relates the key and values.
  1534. properties:
  1535. key:
  1536. description: key is the label key that the selector applies to.
  1537. type: string
  1538. operator:
  1539. description: |-
  1540. operator represents a key's relationship to a set of values.
  1541. Valid operators are In, NotIn, Exists and DoesNotExist.
  1542. type: string
  1543. values:
  1544. description: |-
  1545. values is an array of string values. If the operator is In or NotIn,
  1546. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1547. the values array must be empty. This array is replaced during a strategic
  1548. merge patch.
  1549. items:
  1550. type: string
  1551. type: array
  1552. x-kubernetes-list-type: atomic
  1553. required:
  1554. - key
  1555. - operator
  1556. type: object
  1557. type: array
  1558. x-kubernetes-list-type: atomic
  1559. matchLabels:
  1560. additionalProperties:
  1561. type: string
  1562. description: |-
  1563. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1564. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1565. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1566. type: object
  1567. type: object
  1568. x-kubernetes-map-type: atomic
  1569. type: array
  1570. namespaces:
  1571. description: |-
  1572. Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  1573. Deprecated: Use NamespaceSelectors instead.
  1574. items:
  1575. maxLength: 63
  1576. minLength: 1
  1577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  1578. type: string
  1579. type: array
  1580. refreshTime:
  1581. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  1582. type: string
  1583. required:
  1584. - externalSecretSpec
  1585. type: object
  1586. status:
  1587. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  1588. properties:
  1589. conditions:
  1590. items:
  1591. description: ClusterExternalSecretStatusCondition indicates the status of the ClusterExternalSecret.
  1592. properties:
  1593. message:
  1594. type: string
  1595. status:
  1596. type: string
  1597. type:
  1598. description: ClusterExternalSecretConditionType indicates the condition of the ClusterExternalSecret.
  1599. type: string
  1600. required:
  1601. - status
  1602. - type
  1603. type: object
  1604. type: array
  1605. externalSecretName:
  1606. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  1607. type: string
  1608. failedNamespaces:
  1609. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  1610. items:
  1611. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  1612. properties:
  1613. namespace:
  1614. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  1615. type: string
  1616. reason:
  1617. description: Reason is why the ExternalSecret failed to apply to the namespace
  1618. type: string
  1619. required:
  1620. - namespace
  1621. type: object
  1622. type: array
  1623. provisionedNamespaces:
  1624. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  1625. items:
  1626. type: string
  1627. type: array
  1628. type: object
  1629. type: object
  1630. served: false
  1631. storage: false
  1632. subresources:
  1633. status: {}
  1634. ---
  1635. apiVersion: apiextensions.k8s.io/v1
  1636. kind: CustomResourceDefinition
  1637. metadata:
  1638. annotations:
  1639. controller-gen.kubebuilder.io/version: v0.19.0
  1640. labels:
  1641. external-secrets.io/component: controller
  1642. name: clusterpushsecrets.external-secrets.io
  1643. spec:
  1644. group: external-secrets.io
  1645. names:
  1646. categories:
  1647. - external-secrets
  1648. kind: ClusterPushSecret
  1649. listKind: ClusterPushSecretList
  1650. plural: clusterpushsecrets
  1651. singular: clusterpushsecret
  1652. scope: Cluster
  1653. versions:
  1654. - additionalPrinterColumns:
  1655. - jsonPath: .metadata.creationTimestamp
  1656. name: AGE
  1657. type: date
  1658. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1659. name: Status
  1660. type: string
  1661. name: v1alpha1
  1662. schema:
  1663. openAPIV3Schema:
  1664. description: ClusterPushSecret is the Schema for the ClusterPushSecrets API that enables cluster-wide management of pushing Kubernetes secrets to external providers.
  1665. properties:
  1666. apiVersion:
  1667. description: |-
  1668. APIVersion defines the versioned schema of this representation of an object.
  1669. Servers should convert recognized schemas to the latest internal value, and
  1670. may reject unrecognized values.
  1671. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1672. type: string
  1673. kind:
  1674. description: |-
  1675. Kind is a string value representing the REST resource this object represents.
  1676. Servers may infer this from the endpoint the client submits requests to.
  1677. Cannot be updated.
  1678. In CamelCase.
  1679. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1680. type: string
  1681. metadata:
  1682. type: object
  1683. spec:
  1684. description: ClusterPushSecretSpec defines the configuration for a ClusterPushSecret resource.
  1685. properties:
  1686. namespaceSelectors:
  1687. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  1688. items:
  1689. description: |-
  1690. A label selector is a label query over a set of resources. The result of matchLabels and
  1691. matchExpressions are ANDed. An empty label selector matches all objects. A null
  1692. label selector matches no objects.
  1693. properties:
  1694. matchExpressions:
  1695. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1696. items:
  1697. description: |-
  1698. A label selector requirement is a selector that contains values, a key, and an operator that
  1699. relates the key and values.
  1700. properties:
  1701. key:
  1702. description: key is the label key that the selector applies to.
  1703. type: string
  1704. operator:
  1705. description: |-
  1706. operator represents a key's relationship to a set of values.
  1707. Valid operators are In, NotIn, Exists and DoesNotExist.
  1708. type: string
  1709. values:
  1710. description: |-
  1711. values is an array of string values. If the operator is In or NotIn,
  1712. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1713. the values array must be empty. This array is replaced during a strategic
  1714. merge patch.
  1715. items:
  1716. type: string
  1717. type: array
  1718. x-kubernetes-list-type: atomic
  1719. required:
  1720. - key
  1721. - operator
  1722. type: object
  1723. type: array
  1724. x-kubernetes-list-type: atomic
  1725. matchLabels:
  1726. additionalProperties:
  1727. type: string
  1728. description: |-
  1729. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1730. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1731. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1732. type: object
  1733. type: object
  1734. x-kubernetes-map-type: atomic
  1735. type: array
  1736. pushSecretMetadata:
  1737. description: The metadata of the external secrets to be created
  1738. properties:
  1739. annotations:
  1740. additionalProperties:
  1741. type: string
  1742. type: object
  1743. labels:
  1744. additionalProperties:
  1745. type: string
  1746. type: object
  1747. type: object
  1748. pushSecretName:
  1749. description: |-
  1750. The name of the push secrets to be created.
  1751. Defaults to the name of the ClusterPushSecret
  1752. maxLength: 253
  1753. minLength: 1
  1754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1755. type: string
  1756. pushSecretSpec:
  1757. description: PushSecretSpec defines what to do with the secrets.
  1758. properties:
  1759. data:
  1760. description: Secret Data that should be pushed to providers
  1761. items:
  1762. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  1763. properties:
  1764. conversionStrategy:
  1765. default: None
  1766. description: Used to define a conversion Strategy for the secret keys
  1767. enum:
  1768. - None
  1769. - ReverseUnicode
  1770. type: string
  1771. match:
  1772. description: Match a given Secret Key to be pushed to the provider.
  1773. properties:
  1774. remoteRef:
  1775. description: Remote Refs to push to providers.
  1776. properties:
  1777. property:
  1778. description: Name of the property in the resulting secret
  1779. type: string
  1780. remoteKey:
  1781. description: Name of the resulting provider secret.
  1782. type: string
  1783. required:
  1784. - remoteKey
  1785. type: object
  1786. secretKey:
  1787. description: Secret Key to be pushed
  1788. type: string
  1789. required:
  1790. - remoteRef
  1791. type: object
  1792. metadata:
  1793. description: |-
  1794. Metadata is metadata attached to the secret.
  1795. The structure of metadata is provider specific, please look it up in the provider documentation.
  1796. x-kubernetes-preserve-unknown-fields: true
  1797. required:
  1798. - match
  1799. type: object
  1800. type: array
  1801. dataTo:
  1802. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  1803. items:
  1804. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  1805. properties:
  1806. conversionStrategy:
  1807. default: None
  1808. description: Used to define a conversion Strategy for the secret keys
  1809. enum:
  1810. - None
  1811. - ReverseUnicode
  1812. type: string
  1813. match:
  1814. description: |-
  1815. Match pattern for selecting keys from the source Secret.
  1816. If not specified, all keys are selected.
  1817. properties:
  1818. regexp:
  1819. description: |-
  1820. Regexp matches keys by regular expression.
  1821. If not specified, all keys are matched.
  1822. type: string
  1823. type: object
  1824. metadata:
  1825. description: |-
  1826. Metadata is metadata attached to the secret.
  1827. The structure of metadata is provider specific, please look it up in the provider documentation.
  1828. x-kubernetes-preserve-unknown-fields: true
  1829. remoteKey:
  1830. description: |-
  1831. RemoteKey is the name of the single provider secret that will receive ALL
  1832. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  1833. When set, per-key expansion is skipped and a single push is performed.
  1834. The provider's store prefix (if any) is still prepended to this value.
  1835. When not set, each matched key is pushed as its own individual provider secret.
  1836. type: string
  1837. rewrite:
  1838. description: |-
  1839. Rewrite operations to transform keys before pushing to the provider.
  1840. Operations are applied sequentially.
  1841. items:
  1842. description: PushSecretRewrite defines how to transform secret keys before pushing.
  1843. properties:
  1844. regexp:
  1845. description: Used to rewrite with regular expressions.
  1846. properties:
  1847. source:
  1848. description: Used to define the regular expression of a re.Compiler.
  1849. type: string
  1850. target:
  1851. description: Used to define the target pattern of a ReplaceAll operation.
  1852. type: string
  1853. required:
  1854. - source
  1855. - target
  1856. type: object
  1857. transform:
  1858. description: Used to apply string transformation on the secrets.
  1859. properties:
  1860. template:
  1861. description: |-
  1862. Used to define the template to apply on the secret name.
  1863. `.value ` will specify the secret name in the template.
  1864. type: string
  1865. required:
  1866. - template
  1867. type: object
  1868. type: object
  1869. x-kubernetes-validations:
  1870. - message: exactly one of regexp or transform must be set
  1871. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  1872. type: array
  1873. storeRef:
  1874. description: StoreRef specifies which SecretStore to push to. Required.
  1875. properties:
  1876. kind:
  1877. default: SecretStore
  1878. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1879. enum:
  1880. - SecretStore
  1881. - ClusterSecretStore
  1882. type: string
  1883. labelSelector:
  1884. description: Optionally, sync to secret stores with label selector
  1885. properties:
  1886. matchExpressions:
  1887. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1888. items:
  1889. description: |-
  1890. A label selector requirement is a selector that contains values, a key, and an operator that
  1891. relates the key and values.
  1892. properties:
  1893. key:
  1894. description: key is the label key that the selector applies to.
  1895. type: string
  1896. operator:
  1897. description: |-
  1898. operator represents a key's relationship to a set of values.
  1899. Valid operators are In, NotIn, Exists and DoesNotExist.
  1900. type: string
  1901. values:
  1902. description: |-
  1903. values is an array of string values. If the operator is In or NotIn,
  1904. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1905. the values array must be empty. This array is replaced during a strategic
  1906. merge patch.
  1907. items:
  1908. type: string
  1909. type: array
  1910. x-kubernetes-list-type: atomic
  1911. required:
  1912. - key
  1913. - operator
  1914. type: object
  1915. type: array
  1916. x-kubernetes-list-type: atomic
  1917. matchLabels:
  1918. additionalProperties:
  1919. type: string
  1920. description: |-
  1921. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1922. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1923. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1924. type: object
  1925. type: object
  1926. x-kubernetes-map-type: atomic
  1927. name:
  1928. description: Optionally, sync to the SecretStore of the given name
  1929. maxLength: 253
  1930. minLength: 1
  1931. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  1932. type: string
  1933. type: object
  1934. type: object
  1935. x-kubernetes-validations:
  1936. - message: storeRef must specify either name or labelSelector
  1937. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  1938. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  1939. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  1940. type: array
  1941. deletionPolicy:
  1942. default: None
  1943. description: Deletion Policy to handle Secrets in the provider.
  1944. enum:
  1945. - Delete
  1946. - None
  1947. type: string
  1948. refreshInterval:
  1949. default: 1h0m0s
  1950. description: The Interval to which External Secrets will try to push a secret definition
  1951. type: string
  1952. secretStoreRefs:
  1953. items:
  1954. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  1955. properties:
  1956. kind:
  1957. default: SecretStore
  1958. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  1959. enum:
  1960. - SecretStore
  1961. - ClusterSecretStore
  1962. type: string
  1963. labelSelector:
  1964. description: Optionally, sync to secret stores with label selector
  1965. properties:
  1966. matchExpressions:
  1967. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1968. items:
  1969. description: |-
  1970. A label selector requirement is a selector that contains values, a key, and an operator that
  1971. relates the key and values.
  1972. properties:
  1973. key:
  1974. description: key is the label key that the selector applies to.
  1975. type: string
  1976. operator:
  1977. description: |-
  1978. operator represents a key's relationship to a set of values.
  1979. Valid operators are In, NotIn, Exists and DoesNotExist.
  1980. type: string
  1981. values:
  1982. description: |-
  1983. values is an array of string values. If the operator is In or NotIn,
  1984. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1985. the values array must be empty. This array is replaced during a strategic
  1986. merge patch.
  1987. items:
  1988. type: string
  1989. type: array
  1990. x-kubernetes-list-type: atomic
  1991. required:
  1992. - key
  1993. - operator
  1994. type: object
  1995. type: array
  1996. x-kubernetes-list-type: atomic
  1997. matchLabels:
  1998. additionalProperties:
  1999. type: string
  2000. description: |-
  2001. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2002. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2003. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2004. type: object
  2005. type: object
  2006. x-kubernetes-map-type: atomic
  2007. name:
  2008. description: Optionally, sync to the SecretStore of the given name
  2009. maxLength: 253
  2010. minLength: 1
  2011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2012. type: string
  2013. type: object
  2014. type: array
  2015. selector:
  2016. description: The Secret Selector (k8s source) for the Push Secret
  2017. maxProperties: 1
  2018. minProperties: 1
  2019. properties:
  2020. generatorRef:
  2021. description: Point to a generator to create a Secret.
  2022. properties:
  2023. apiVersion:
  2024. default: generators.external-secrets.io/v1alpha1
  2025. description: Specify the apiVersion of the generator resource
  2026. type: string
  2027. kind:
  2028. description: Specify the Kind of the generator resource
  2029. enum:
  2030. - ACRAccessToken
  2031. - BeyondtrustWorkloadCredentialsDynamicSecret
  2032. - ClusterGenerator
  2033. - CloudsmithAccessToken
  2034. - ECRAuthorizationToken
  2035. - Fake
  2036. - GCRAccessToken
  2037. - GithubAccessToken
  2038. - GitlabDeployToken
  2039. - QuayAccessToken
  2040. - Password
  2041. - SSHKey
  2042. - STSSessionToken
  2043. - UUID
  2044. - VaultDynamicSecret
  2045. - Webhook
  2046. - Grafana
  2047. - MFA
  2048. type: string
  2049. name:
  2050. description: Specify the name of the generator resource
  2051. maxLength: 253
  2052. minLength: 1
  2053. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2054. type: string
  2055. required:
  2056. - kind
  2057. - name
  2058. type: object
  2059. secret:
  2060. description: Select a Secret to Push.
  2061. properties:
  2062. name:
  2063. description: |-
  2064. Name of the Secret.
  2065. The Secret must exist in the same namespace as the PushSecret manifest.
  2066. maxLength: 253
  2067. minLength: 1
  2068. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2069. type: string
  2070. selector:
  2071. description: Selector chooses secrets using a labelSelector.
  2072. properties:
  2073. matchExpressions:
  2074. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2075. items:
  2076. description: |-
  2077. A label selector requirement is a selector that contains values, a key, and an operator that
  2078. relates the key and values.
  2079. properties:
  2080. key:
  2081. description: key is the label key that the selector applies to.
  2082. type: string
  2083. operator:
  2084. description: |-
  2085. operator represents a key's relationship to a set of values.
  2086. Valid operators are In, NotIn, Exists and DoesNotExist.
  2087. type: string
  2088. values:
  2089. description: |-
  2090. values is an array of string values. If the operator is In or NotIn,
  2091. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2092. the values array must be empty. This array is replaced during a strategic
  2093. merge patch.
  2094. items:
  2095. type: string
  2096. type: array
  2097. x-kubernetes-list-type: atomic
  2098. required:
  2099. - key
  2100. - operator
  2101. type: object
  2102. type: array
  2103. x-kubernetes-list-type: atomic
  2104. matchLabels:
  2105. additionalProperties:
  2106. type: string
  2107. description: |-
  2108. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2109. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2110. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2111. type: object
  2112. type: object
  2113. x-kubernetes-map-type: atomic
  2114. type: object
  2115. type: object
  2116. template:
  2117. description: Template defines a blueprint for the created Secret resource.
  2118. properties:
  2119. data:
  2120. additionalProperties:
  2121. type: string
  2122. type: object
  2123. engineVersion:
  2124. default: v2
  2125. description: |-
  2126. EngineVersion specifies the template engine version
  2127. that should be used to compile/execute the
  2128. template specified in .data and .templateFrom[].
  2129. enum:
  2130. - v2
  2131. type: string
  2132. mergePolicy:
  2133. default: Replace
  2134. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  2135. enum:
  2136. - Replace
  2137. - Merge
  2138. type: string
  2139. metadata:
  2140. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  2141. properties:
  2142. annotations:
  2143. additionalProperties:
  2144. type: string
  2145. type: object
  2146. finalizers:
  2147. items:
  2148. type: string
  2149. type: array
  2150. labels:
  2151. additionalProperties:
  2152. type: string
  2153. type: object
  2154. type: object
  2155. templateFrom:
  2156. items:
  2157. description: |-
  2158. TemplateFrom specifies a source for templates.
  2159. Each item in the list can either reference a ConfigMap or a Secret resource.
  2160. properties:
  2161. configMap:
  2162. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2163. properties:
  2164. items:
  2165. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2166. items:
  2167. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2168. properties:
  2169. key:
  2170. description: A key in the ConfigMap/Secret
  2171. maxLength: 253
  2172. minLength: 1
  2173. pattern: ^[-._a-zA-Z0-9]+$
  2174. type: string
  2175. templateAs:
  2176. default: Values
  2177. description: TemplateScope specifies how the template keys should be interpreted.
  2178. enum:
  2179. - Values
  2180. - KeysAndValues
  2181. type: string
  2182. required:
  2183. - key
  2184. type: object
  2185. type: array
  2186. name:
  2187. description: The name of the ConfigMap/Secret resource
  2188. maxLength: 253
  2189. minLength: 1
  2190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2191. type: string
  2192. required:
  2193. - items
  2194. - name
  2195. type: object
  2196. literal:
  2197. type: string
  2198. secret:
  2199. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  2200. properties:
  2201. items:
  2202. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  2203. items:
  2204. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  2205. properties:
  2206. key:
  2207. description: A key in the ConfigMap/Secret
  2208. maxLength: 253
  2209. minLength: 1
  2210. pattern: ^[-._a-zA-Z0-9]+$
  2211. type: string
  2212. templateAs:
  2213. default: Values
  2214. description: TemplateScope specifies how the template keys should be interpreted.
  2215. enum:
  2216. - Values
  2217. - KeysAndValues
  2218. type: string
  2219. required:
  2220. - key
  2221. type: object
  2222. type: array
  2223. name:
  2224. description: The name of the ConfigMap/Secret resource
  2225. maxLength: 253
  2226. minLength: 1
  2227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2228. type: string
  2229. required:
  2230. - items
  2231. - name
  2232. type: object
  2233. target:
  2234. default: Data
  2235. description: |-
  2236. Target specifies where to place the template result.
  2237. For Secret resources, common values are: "Data", "Annotations", "Labels".
  2238. For custom resources (when spec.target.manifest is set), this supports
  2239. nested paths like "spec.database.config" or "data".
  2240. type: string
  2241. valuesDecodingStrategy:
  2242. default: None
  2243. description: Used to define a decoding Strategy for the rendered template values.
  2244. enum:
  2245. - Auto
  2246. - Base64
  2247. - Base64URL
  2248. - None
  2249. type: string
  2250. type: object
  2251. type: array
  2252. type:
  2253. type: string
  2254. type: object
  2255. updatePolicy:
  2256. default: Replace
  2257. description: UpdatePolicy to handle Secrets in the provider.
  2258. enum:
  2259. - Replace
  2260. - IfNotExists
  2261. type: string
  2262. required:
  2263. - secretStoreRefs
  2264. - selector
  2265. type: object
  2266. refreshTime:
  2267. description: The time in which the controller should reconcile its objects and recheck namespaces for labels.
  2268. type: string
  2269. required:
  2270. - pushSecretSpec
  2271. type: object
  2272. status:
  2273. description: ClusterPushSecretStatus contains the status information for the ClusterPushSecret resource.
  2274. properties:
  2275. conditions:
  2276. items:
  2277. description: PushSecretStatusCondition indicates the status of the PushSecret.
  2278. properties:
  2279. lastTransitionTime:
  2280. format: date-time
  2281. type: string
  2282. message:
  2283. type: string
  2284. reason:
  2285. type: string
  2286. status:
  2287. type: string
  2288. type:
  2289. description: PushSecretConditionType indicates the condition of the PushSecret.
  2290. type: string
  2291. required:
  2292. - status
  2293. - type
  2294. type: object
  2295. type: array
  2296. failedNamespaces:
  2297. description: Failed namespaces are the namespaces that failed to apply an PushSecret
  2298. items:
  2299. description: ClusterPushSecretNamespaceFailure represents a failed namespace deployment and it's reason.
  2300. properties:
  2301. namespace:
  2302. description: Namespace is the namespace that failed when trying to apply an PushSecret
  2303. type: string
  2304. reason:
  2305. description: Reason is why the PushSecret failed to apply to the namespace
  2306. type: string
  2307. required:
  2308. - namespace
  2309. type: object
  2310. type: array
  2311. provisionedNamespaces:
  2312. description: ProvisionedNamespaces are the namespaces where the ClusterPushSecret has secrets
  2313. items:
  2314. type: string
  2315. type: array
  2316. pushSecretName:
  2317. type: string
  2318. type: object
  2319. type: object
  2320. served: true
  2321. storage: true
  2322. subresources:
  2323. status: {}
  2324. ---
  2325. apiVersion: apiextensions.k8s.io/v1
  2326. kind: CustomResourceDefinition
  2327. metadata:
  2328. annotations:
  2329. controller-gen.kubebuilder.io/version: v0.19.0
  2330. labels:
  2331. external-secrets.io/component: controller
  2332. name: clustersecretstores.external-secrets.io
  2333. spec:
  2334. group: external-secrets.io
  2335. names:
  2336. categories:
  2337. - external-secrets
  2338. kind: ClusterSecretStore
  2339. listKind: ClusterSecretStoreList
  2340. plural: clustersecretstores
  2341. shortNames:
  2342. - css
  2343. singular: clustersecretstore
  2344. scope: Cluster
  2345. versions:
  2346. - additionalPrinterColumns:
  2347. - jsonPath: .metadata.creationTimestamp
  2348. name: AGE
  2349. type: date
  2350. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2351. name: Status
  2352. type: string
  2353. - jsonPath: .status.capabilities
  2354. name: Capabilities
  2355. type: string
  2356. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2357. name: Ready
  2358. type: string
  2359. name: v1
  2360. schema:
  2361. openAPIV3Schema:
  2362. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2363. properties:
  2364. apiVersion:
  2365. description: |-
  2366. APIVersion defines the versioned schema of this representation of an object.
  2367. Servers should convert recognized schemas to the latest internal value, and
  2368. may reject unrecognized values.
  2369. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2370. type: string
  2371. kind:
  2372. description: |-
  2373. Kind is a string value representing the REST resource this object represents.
  2374. Servers may infer this from the endpoint the client submits requests to.
  2375. Cannot be updated.
  2376. In CamelCase.
  2377. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2378. type: string
  2379. metadata:
  2380. type: object
  2381. spec:
  2382. description: SecretStoreSpec defines the desired state of SecretStore.
  2383. properties:
  2384. conditions:
  2385. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  2386. items:
  2387. description: |-
  2388. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2389. for a ClusterSecretStore instance.
  2390. properties:
  2391. namespaceRegexes:
  2392. description: Choose namespaces by using regex matching
  2393. items:
  2394. type: string
  2395. type: array
  2396. namespaceSelector:
  2397. description: Choose namespace using a labelSelector
  2398. properties:
  2399. matchExpressions:
  2400. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2401. items:
  2402. description: |-
  2403. A label selector requirement is a selector that contains values, a key, and an operator that
  2404. relates the key and values.
  2405. properties:
  2406. key:
  2407. description: key is the label key that the selector applies to.
  2408. type: string
  2409. operator:
  2410. description: |-
  2411. operator represents a key's relationship to a set of values.
  2412. Valid operators are In, NotIn, Exists and DoesNotExist.
  2413. type: string
  2414. values:
  2415. description: |-
  2416. values is an array of string values. If the operator is In or NotIn,
  2417. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2418. the values array must be empty. This array is replaced during a strategic
  2419. merge patch.
  2420. items:
  2421. type: string
  2422. type: array
  2423. x-kubernetes-list-type: atomic
  2424. required:
  2425. - key
  2426. - operator
  2427. type: object
  2428. type: array
  2429. x-kubernetes-list-type: atomic
  2430. matchLabels:
  2431. additionalProperties:
  2432. type: string
  2433. description: |-
  2434. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2435. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2436. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2437. type: object
  2438. type: object
  2439. x-kubernetes-map-type: atomic
  2440. namespaces:
  2441. description: Choose namespaces by name
  2442. items:
  2443. maxLength: 63
  2444. minLength: 1
  2445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2446. type: string
  2447. type: array
  2448. type: object
  2449. type: array
  2450. controller:
  2451. description: |-
  2452. Used to select the correct ESO controller (think: ingress.ingressClassName)
  2453. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2454. type: string
  2455. provider:
  2456. description: Used to configure the provider. Only one provider may be set
  2457. maxProperties: 1
  2458. minProperties: 1
  2459. properties:
  2460. akeyless:
  2461. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2462. properties:
  2463. akeylessGWApiURL:
  2464. description: Akeyless GW API Url from which the secrets to be fetched from.
  2465. type: string
  2466. authSecretRef:
  2467. description: Auth configures how the operator authenticates with Akeyless.
  2468. properties:
  2469. kubernetesAuth:
  2470. description: |-
  2471. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2472. token stored in the named Secret resource.
  2473. properties:
  2474. accessID:
  2475. description: the Akeyless Kubernetes auth-method access-id
  2476. type: string
  2477. k8sConfName:
  2478. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2479. type: string
  2480. secretRef:
  2481. description: |-
  2482. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2483. for authenticating with Akeyless. If a name is specified without a key,
  2484. `token` is the default. If one is not specified, the one bound to
  2485. the controller will be used.
  2486. properties:
  2487. key:
  2488. description: |-
  2489. A key in the referenced Secret.
  2490. Some instances of this field may be defaulted, in others it may be required.
  2491. maxLength: 253
  2492. minLength: 1
  2493. pattern: ^[-._a-zA-Z0-9]+$
  2494. type: string
  2495. name:
  2496. description: The name of the Secret resource being referred to.
  2497. maxLength: 253
  2498. minLength: 1
  2499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2500. type: string
  2501. namespace:
  2502. description: |-
  2503. The namespace of the Secret resource being referred to.
  2504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2505. maxLength: 63
  2506. minLength: 1
  2507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2508. type: string
  2509. type: object
  2510. serviceAccountRef:
  2511. description: |-
  2512. Optional service account field containing the name of a kubernetes ServiceAccount.
  2513. If the service account is specified, the service account secret token JWT will be used
  2514. for authenticating with Akeyless. If the service account selector is not supplied,
  2515. the secretRef will be used instead.
  2516. properties:
  2517. audiences:
  2518. description: |-
  2519. Audience specifies the `aud` claim for the service account token
  2520. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2521. then this audiences will be appended to the list
  2522. items:
  2523. type: string
  2524. type: array
  2525. name:
  2526. description: The name of the ServiceAccount resource being referred to.
  2527. maxLength: 253
  2528. minLength: 1
  2529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2530. type: string
  2531. namespace:
  2532. description: |-
  2533. Namespace of the resource being referred to.
  2534. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2535. maxLength: 63
  2536. minLength: 1
  2537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2538. type: string
  2539. required:
  2540. - name
  2541. type: object
  2542. required:
  2543. - accessID
  2544. - k8sConfName
  2545. type: object
  2546. secretRef:
  2547. description: |-
  2548. Reference to a Secret that contains the details
  2549. to authenticate with Akeyless.
  2550. properties:
  2551. accessID:
  2552. description: The SecretAccessID is used for authentication
  2553. properties:
  2554. key:
  2555. description: |-
  2556. A key in the referenced Secret.
  2557. Some instances of this field may be defaulted, in others it may be required.
  2558. maxLength: 253
  2559. minLength: 1
  2560. pattern: ^[-._a-zA-Z0-9]+$
  2561. type: string
  2562. name:
  2563. description: The name of the Secret resource being referred to.
  2564. maxLength: 253
  2565. minLength: 1
  2566. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2567. type: string
  2568. namespace:
  2569. description: |-
  2570. The namespace of the Secret resource being referred to.
  2571. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2572. maxLength: 63
  2573. minLength: 1
  2574. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2575. type: string
  2576. type: object
  2577. accessType:
  2578. description: |-
  2579. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2580. In some instances, `key` is a required field.
  2581. properties:
  2582. key:
  2583. description: |-
  2584. A key in the referenced Secret.
  2585. Some instances of this field may be defaulted, in others it may be required.
  2586. maxLength: 253
  2587. minLength: 1
  2588. pattern: ^[-._a-zA-Z0-9]+$
  2589. type: string
  2590. name:
  2591. description: The name of the Secret resource being referred to.
  2592. maxLength: 253
  2593. minLength: 1
  2594. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2595. type: string
  2596. namespace:
  2597. description: |-
  2598. The namespace of the Secret resource being referred to.
  2599. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2600. maxLength: 63
  2601. minLength: 1
  2602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2603. type: string
  2604. type: object
  2605. accessTypeParam:
  2606. description: |-
  2607. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  2608. In some instances, `key` is a required field.
  2609. properties:
  2610. key:
  2611. description: |-
  2612. A key in the referenced Secret.
  2613. Some instances of this field may be defaulted, in others it may be required.
  2614. maxLength: 253
  2615. minLength: 1
  2616. pattern: ^[-._a-zA-Z0-9]+$
  2617. type: string
  2618. name:
  2619. description: The name of the Secret resource being referred to.
  2620. maxLength: 253
  2621. minLength: 1
  2622. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2623. type: string
  2624. namespace:
  2625. description: |-
  2626. The namespace of the Secret resource being referred to.
  2627. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2628. maxLength: 63
  2629. minLength: 1
  2630. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2631. type: string
  2632. type: object
  2633. type: object
  2634. serviceAccountRef:
  2635. description: |-
  2636. ServiceAccountRef specifies a Kubernetes ServiceAccount used for azure_ad
  2637. authentication on AKS Workload Identity. The operator obtains a federated
  2638. identity token from this ServiceAccount via the TokenRequest API instead
  2639. of using the ESO controller pod identity. Ignored for other access types.
  2640. properties:
  2641. audiences:
  2642. description: |-
  2643. Audience specifies the `aud` claim for the service account token
  2644. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2645. then this audiences will be appended to the list
  2646. items:
  2647. type: string
  2648. type: array
  2649. name:
  2650. description: The name of the ServiceAccount resource being referred to.
  2651. maxLength: 253
  2652. minLength: 1
  2653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2654. type: string
  2655. namespace:
  2656. description: |-
  2657. Namespace of the resource being referred to.
  2658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2659. maxLength: 63
  2660. minLength: 1
  2661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2662. type: string
  2663. required:
  2664. - name
  2665. type: object
  2666. type: object
  2667. caBundle:
  2668. description: |-
  2669. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  2670. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  2671. are used to validate the TLS connection.
  2672. format: byte
  2673. type: string
  2674. caProvider:
  2675. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  2676. properties:
  2677. key:
  2678. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2679. maxLength: 253
  2680. minLength: 1
  2681. pattern: ^[-._a-zA-Z0-9]+$
  2682. type: string
  2683. name:
  2684. description: The name of the object located at the provider type.
  2685. maxLength: 253
  2686. minLength: 1
  2687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2688. type: string
  2689. namespace:
  2690. description: |-
  2691. The namespace the Provider type is in.
  2692. Can only be defined when used in a ClusterSecretStore.
  2693. maxLength: 63
  2694. minLength: 1
  2695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2696. type: string
  2697. type:
  2698. description: The type of provider to use such as "Secret", or "ConfigMap".
  2699. enum:
  2700. - Secret
  2701. - ConfigMap
  2702. type: string
  2703. required:
  2704. - name
  2705. - type
  2706. type: object
  2707. required:
  2708. - akeylessGWApiURL
  2709. - authSecretRef
  2710. type: object
  2711. aws:
  2712. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2713. properties:
  2714. additionalRoles:
  2715. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2716. items:
  2717. type: string
  2718. type: array
  2719. auth:
  2720. description: |-
  2721. Auth defines the information necessary to authenticate against AWS
  2722. if not set aws sdk will infer credentials from your environment
  2723. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2724. properties:
  2725. jwt:
  2726. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  2727. properties:
  2728. serviceAccountRef:
  2729. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  2730. properties:
  2731. audiences:
  2732. description: |-
  2733. Audience specifies the `aud` claim for the service account token
  2734. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2735. then this audiences will be appended to the list
  2736. items:
  2737. type: string
  2738. type: array
  2739. name:
  2740. description: The name of the ServiceAccount resource being referred to.
  2741. maxLength: 253
  2742. minLength: 1
  2743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2744. type: string
  2745. namespace:
  2746. description: |-
  2747. Namespace of the resource being referred to.
  2748. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2749. maxLength: 63
  2750. minLength: 1
  2751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2752. type: string
  2753. required:
  2754. - name
  2755. type: object
  2756. type: object
  2757. secretRef:
  2758. description: |-
  2759. AWSAuthSecretRef holds secret references for AWS credentials
  2760. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2761. properties:
  2762. accessKeyIDSecretRef:
  2763. description: The AccessKeyID is used for authentication
  2764. properties:
  2765. key:
  2766. description: |-
  2767. A key in the referenced Secret.
  2768. Some instances of this field may be defaulted, in others it may be required.
  2769. maxLength: 253
  2770. minLength: 1
  2771. pattern: ^[-._a-zA-Z0-9]+$
  2772. type: string
  2773. name:
  2774. description: The name of the Secret resource being referred to.
  2775. maxLength: 253
  2776. minLength: 1
  2777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2778. type: string
  2779. namespace:
  2780. description: |-
  2781. The namespace of the Secret resource being referred to.
  2782. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2783. maxLength: 63
  2784. minLength: 1
  2785. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2786. type: string
  2787. type: object
  2788. secretAccessKeySecretRef:
  2789. description: The SecretAccessKey is used for authentication
  2790. properties:
  2791. key:
  2792. description: |-
  2793. A key in the referenced Secret.
  2794. Some instances of this field may be defaulted, in others it may be required.
  2795. maxLength: 253
  2796. minLength: 1
  2797. pattern: ^[-._a-zA-Z0-9]+$
  2798. type: string
  2799. name:
  2800. description: The name of the Secret resource being referred to.
  2801. maxLength: 253
  2802. minLength: 1
  2803. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2804. type: string
  2805. namespace:
  2806. description: |-
  2807. The namespace of the Secret resource being referred to.
  2808. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2809. maxLength: 63
  2810. minLength: 1
  2811. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2812. type: string
  2813. type: object
  2814. sessionTokenSecretRef:
  2815. description: |-
  2816. The SessionToken used for authentication
  2817. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2818. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2819. properties:
  2820. key:
  2821. description: |-
  2822. A key in the referenced Secret.
  2823. Some instances of this field may be defaulted, in others it may be required.
  2824. maxLength: 253
  2825. minLength: 1
  2826. pattern: ^[-._a-zA-Z0-9]+$
  2827. type: string
  2828. name:
  2829. description: The name of the Secret resource being referred to.
  2830. maxLength: 253
  2831. minLength: 1
  2832. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2833. type: string
  2834. namespace:
  2835. description: |-
  2836. The namespace of the Secret resource being referred to.
  2837. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2838. maxLength: 63
  2839. minLength: 1
  2840. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2841. type: string
  2842. type: object
  2843. type: object
  2844. type: object
  2845. customSessionTags:
  2846. additionalProperties:
  2847. type: string
  2848. description: |-
  2849. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  2850. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  2851. type: object
  2852. x-kubernetes-validations:
  2853. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  2854. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  2855. externalID:
  2856. description: AWS External ID set on assumed IAM roles
  2857. type: string
  2858. prefix:
  2859. description: Prefix adds a prefix to all retrieved values.
  2860. type: string
  2861. region:
  2862. description: AWS Region to be used for the provider
  2863. type: string
  2864. role:
  2865. description: Role is a Role ARN which the provider will assume
  2866. type: string
  2867. secretsManager:
  2868. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2869. properties:
  2870. forceDeleteWithoutRecovery:
  2871. description: |-
  2872. Specifies whether to delete the secret without any recovery window. You
  2873. can't use both this parameter and RecoveryWindowInDays in the same call.
  2874. If you don't use either, then by default Secrets Manager uses a 30 day
  2875. recovery window.
  2876. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2877. type: boolean
  2878. recoveryWindowInDays:
  2879. description: |-
  2880. The number of days from 7 to 30 that Secrets Manager waits before
  2881. permanently deleting the secret. You can't use both this parameter and
  2882. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2883. then by default Secrets Manager uses a 30-day recovery window.
  2884. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2885. format: int64
  2886. type: integer
  2887. type: object
  2888. service:
  2889. description: Service defines which service should be used to fetch the secrets
  2890. enum:
  2891. - SecretsManager
  2892. - ParameterStore
  2893. type: string
  2894. sessionTags:
  2895. description: AWS STS assume role session tags
  2896. items:
  2897. description: |-
  2898. Tag is a key-value pair that can be attached to an AWS resource.
  2899. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  2900. properties:
  2901. key:
  2902. type: string
  2903. value:
  2904. type: string
  2905. required:
  2906. - key
  2907. - value
  2908. type: object
  2909. type: array
  2910. sessionTagsPolicy:
  2911. default: None
  2912. description: |-
  2913. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  2914. None (default): no tags are added.
  2915. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  2916. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  2917. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  2918. enum:
  2919. - None
  2920. - Simple
  2921. - Custom
  2922. type: string
  2923. transitiveTagKeys:
  2924. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2925. items:
  2926. type: string
  2927. type: array
  2928. required:
  2929. - region
  2930. - service
  2931. type: object
  2932. azurekv:
  2933. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2934. properties:
  2935. authSecretRef:
  2936. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2937. properties:
  2938. clientCertificate:
  2939. description: The Azure ClientCertificate of the service principle used for authentication.
  2940. properties:
  2941. key:
  2942. description: |-
  2943. A key in the referenced Secret.
  2944. Some instances of this field may be defaulted, in others it may be required.
  2945. maxLength: 253
  2946. minLength: 1
  2947. pattern: ^[-._a-zA-Z0-9]+$
  2948. type: string
  2949. name:
  2950. description: The name of the Secret resource being referred to.
  2951. maxLength: 253
  2952. minLength: 1
  2953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2954. type: string
  2955. namespace:
  2956. description: |-
  2957. The namespace of the Secret resource being referred to.
  2958. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2959. maxLength: 63
  2960. minLength: 1
  2961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2962. type: string
  2963. type: object
  2964. clientId:
  2965. description: The Azure clientId of the service principle or managed identity used for authentication.
  2966. properties:
  2967. key:
  2968. description: |-
  2969. A key in the referenced Secret.
  2970. Some instances of this field may be defaulted, in others it may be required.
  2971. maxLength: 253
  2972. minLength: 1
  2973. pattern: ^[-._a-zA-Z0-9]+$
  2974. type: string
  2975. name:
  2976. description: The name of the Secret resource being referred to.
  2977. maxLength: 253
  2978. minLength: 1
  2979. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  2980. type: string
  2981. namespace:
  2982. description: |-
  2983. The namespace of the Secret resource being referred to.
  2984. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  2985. maxLength: 63
  2986. minLength: 1
  2987. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  2988. type: string
  2989. type: object
  2990. clientSecret:
  2991. description: The Azure ClientSecret of the service principle used for authentication.
  2992. properties:
  2993. key:
  2994. description: |-
  2995. A key in the referenced Secret.
  2996. Some instances of this field may be defaulted, in others it may be required.
  2997. maxLength: 253
  2998. minLength: 1
  2999. pattern: ^[-._a-zA-Z0-9]+$
  3000. type: string
  3001. name:
  3002. description: The name of the Secret resource being referred to.
  3003. maxLength: 253
  3004. minLength: 1
  3005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3006. type: string
  3007. namespace:
  3008. description: |-
  3009. The namespace of the Secret resource being referred to.
  3010. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3011. maxLength: 63
  3012. minLength: 1
  3013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3014. type: string
  3015. type: object
  3016. tenantId:
  3017. description: The Azure tenantId of the managed identity used for authentication.
  3018. properties:
  3019. key:
  3020. description: |-
  3021. A key in the referenced Secret.
  3022. Some instances of this field may be defaulted, in others it may be required.
  3023. maxLength: 253
  3024. minLength: 1
  3025. pattern: ^[-._a-zA-Z0-9]+$
  3026. type: string
  3027. name:
  3028. description: The name of the Secret resource being referred to.
  3029. maxLength: 253
  3030. minLength: 1
  3031. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3032. type: string
  3033. namespace:
  3034. description: |-
  3035. The namespace of the Secret resource being referred to.
  3036. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3037. maxLength: 63
  3038. minLength: 1
  3039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3040. type: string
  3041. type: object
  3042. type: object
  3043. authType:
  3044. default: ServicePrincipal
  3045. description: |-
  3046. Auth type defines how to authenticate to the keyvault service.
  3047. Valid values are:
  3048. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  3049. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  3050. - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID
  3051. enum:
  3052. - ServicePrincipal
  3053. - ManagedIdentity
  3054. - WorkloadIdentity
  3055. type: string
  3056. customCloudConfig:
  3057. description: |-
  3058. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  3059. Required when EnvironmentType is AzureStackCloud.
  3060. Optional for other environment types - useful for Azure China when using Workload Identity
  3061. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  3062. standard China Cloud endpoint (login.chinacloudapi.cn).
  3063. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  3064. configuration is not supported with the legacy go-autorest SDK.
  3065. properties:
  3066. activeDirectoryEndpoint:
  3067. description: |-
  3068. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  3069. Required when using custom cloud configuration
  3070. type: string
  3071. keyVaultDNSSuffix:
  3072. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  3073. type: string
  3074. keyVaultEndpoint:
  3075. description: KeyVaultEndpoint is the Key Vault service endpoint
  3076. type: string
  3077. resourceManagerEndpoint:
  3078. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  3079. type: string
  3080. required:
  3081. - activeDirectoryEndpoint
  3082. type: object
  3083. environmentType:
  3084. default: PublicCloud
  3085. description: |-
  3086. EnvironmentType specifies the Azure cloud environment endpoints to use for
  3087. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  3088. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  3089. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  3090. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  3091. enum:
  3092. - PublicCloud
  3093. - USGovernmentCloud
  3094. - ChinaCloud
  3095. - GermanCloud
  3096. - AzureStackCloud
  3097. type: string
  3098. identityId:
  3099. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  3100. type: string
  3101. serviceAccountRef:
  3102. description: |-
  3103. ServiceAccountRef specified the service account
  3104. that should be used when authenticating with WorkloadIdentity.
  3105. properties:
  3106. audiences:
  3107. description: |-
  3108. Audience specifies the `aud` claim for the service account token
  3109. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3110. then this audiences will be appended to the list
  3111. items:
  3112. type: string
  3113. type: array
  3114. name:
  3115. description: The name of the ServiceAccount resource being referred to.
  3116. maxLength: 253
  3117. minLength: 1
  3118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3119. type: string
  3120. namespace:
  3121. description: |-
  3122. Namespace of the resource being referred to.
  3123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3124. maxLength: 63
  3125. minLength: 1
  3126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3127. type: string
  3128. required:
  3129. - name
  3130. type: object
  3131. tenantId:
  3132. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  3133. type: string
  3134. useAzureSDK:
  3135. default: false
  3136. description: |-
  3137. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  3138. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  3139. type: boolean
  3140. vaultUrl:
  3141. description: Vault Url from which the secrets to be fetched from.
  3142. type: string
  3143. required:
  3144. - vaultUrl
  3145. type: object
  3146. barbican:
  3147. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  3148. properties:
  3149. auth:
  3150. description: BarbicanAuth contains the authentication information for Barbican.
  3151. properties:
  3152. password:
  3153. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  3154. properties:
  3155. secretRef:
  3156. description: |-
  3157. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3158. In some instances, `key` is a required field.
  3159. properties:
  3160. key:
  3161. description: |-
  3162. A key in the referenced Secret.
  3163. Some instances of this field may be defaulted, in others it may be required.
  3164. maxLength: 253
  3165. minLength: 1
  3166. pattern: ^[-._a-zA-Z0-9]+$
  3167. type: string
  3168. name:
  3169. description: The name of the Secret resource being referred to.
  3170. maxLength: 253
  3171. minLength: 1
  3172. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3173. type: string
  3174. namespace:
  3175. description: |-
  3176. The namespace of the Secret resource being referred to.
  3177. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3178. maxLength: 63
  3179. minLength: 1
  3180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3181. type: string
  3182. type: object
  3183. required:
  3184. - secretRef
  3185. type: object
  3186. username:
  3187. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  3188. maxProperties: 1
  3189. minProperties: 1
  3190. properties:
  3191. secretRef:
  3192. description: |-
  3193. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  3194. In some instances, `key` is a required field.
  3195. properties:
  3196. key:
  3197. description: |-
  3198. A key in the referenced Secret.
  3199. Some instances of this field may be defaulted, in others it may be required.
  3200. maxLength: 253
  3201. minLength: 1
  3202. pattern: ^[-._a-zA-Z0-9]+$
  3203. type: string
  3204. name:
  3205. description: The name of the Secret resource being referred to.
  3206. maxLength: 253
  3207. minLength: 1
  3208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3209. type: string
  3210. namespace:
  3211. description: |-
  3212. The namespace of the Secret resource being referred to.
  3213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3214. maxLength: 63
  3215. minLength: 1
  3216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3217. type: string
  3218. type: object
  3219. value:
  3220. type: string
  3221. type: object
  3222. required:
  3223. - password
  3224. - username
  3225. type: object
  3226. authURL:
  3227. type: string
  3228. domainName:
  3229. type: string
  3230. region:
  3231. type: string
  3232. tenantName:
  3233. type: string
  3234. required:
  3235. - auth
  3236. type: object
  3237. beyondtrust:
  3238. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  3239. properties:
  3240. auth:
  3241. description: Auth configures how the operator authenticates with Beyondtrust.
  3242. properties:
  3243. apiKey:
  3244. description: APIKey If not provided then ClientID/ClientSecret become required.
  3245. properties:
  3246. secretRef:
  3247. description: SecretRef references a key in a secret that will be used as value.
  3248. properties:
  3249. key:
  3250. description: |-
  3251. A key in the referenced Secret.
  3252. Some instances of this field may be defaulted, in others it may be required.
  3253. maxLength: 253
  3254. minLength: 1
  3255. pattern: ^[-._a-zA-Z0-9]+$
  3256. type: string
  3257. name:
  3258. description: The name of the Secret resource being referred to.
  3259. maxLength: 253
  3260. minLength: 1
  3261. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3262. type: string
  3263. namespace:
  3264. description: |-
  3265. The namespace of the Secret resource being referred to.
  3266. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3267. maxLength: 63
  3268. minLength: 1
  3269. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3270. type: string
  3271. type: object
  3272. value:
  3273. description: Value can be specified directly to set a value without using a secret.
  3274. type: string
  3275. type: object
  3276. certificate:
  3277. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  3278. properties:
  3279. secretRef:
  3280. description: SecretRef references a key in a secret that will be used as value.
  3281. properties:
  3282. key:
  3283. description: |-
  3284. A key in the referenced Secret.
  3285. Some instances of this field may be defaulted, in others it may be required.
  3286. maxLength: 253
  3287. minLength: 1
  3288. pattern: ^[-._a-zA-Z0-9]+$
  3289. type: string
  3290. name:
  3291. description: The name of the Secret resource being referred to.
  3292. maxLength: 253
  3293. minLength: 1
  3294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3295. type: string
  3296. namespace:
  3297. description: |-
  3298. The namespace of the Secret resource being referred to.
  3299. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3300. maxLength: 63
  3301. minLength: 1
  3302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3303. type: string
  3304. type: object
  3305. value:
  3306. description: Value can be specified directly to set a value without using a secret.
  3307. type: string
  3308. type: object
  3309. certificateKey:
  3310. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  3311. properties:
  3312. secretRef:
  3313. description: SecretRef references a key in a secret that will be used as value.
  3314. properties:
  3315. key:
  3316. description: |-
  3317. A key in the referenced Secret.
  3318. Some instances of this field may be defaulted, in others it may be required.
  3319. maxLength: 253
  3320. minLength: 1
  3321. pattern: ^[-._a-zA-Z0-9]+$
  3322. type: string
  3323. name:
  3324. description: The name of the Secret resource being referred to.
  3325. maxLength: 253
  3326. minLength: 1
  3327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3328. type: string
  3329. namespace:
  3330. description: |-
  3331. The namespace of the Secret resource being referred to.
  3332. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3333. maxLength: 63
  3334. minLength: 1
  3335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3336. type: string
  3337. type: object
  3338. value:
  3339. description: Value can be specified directly to set a value without using a secret.
  3340. type: string
  3341. type: object
  3342. clientId:
  3343. description: ClientID is the API OAuth Client ID.
  3344. properties:
  3345. secretRef:
  3346. description: SecretRef references a key in a secret that will be used as value.
  3347. properties:
  3348. key:
  3349. description: |-
  3350. A key in the referenced Secret.
  3351. Some instances of this field may be defaulted, in others it may be required.
  3352. maxLength: 253
  3353. minLength: 1
  3354. pattern: ^[-._a-zA-Z0-9]+$
  3355. type: string
  3356. name:
  3357. description: The name of the Secret resource being referred to.
  3358. maxLength: 253
  3359. minLength: 1
  3360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3361. type: string
  3362. namespace:
  3363. description: |-
  3364. The namespace of the Secret resource being referred to.
  3365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3366. maxLength: 63
  3367. minLength: 1
  3368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3369. type: string
  3370. type: object
  3371. value:
  3372. description: Value can be specified directly to set a value without using a secret.
  3373. type: string
  3374. type: object
  3375. clientSecret:
  3376. description: ClientSecret is the API OAuth Client Secret.
  3377. properties:
  3378. secretRef:
  3379. description: SecretRef references a key in a secret that will be used as value.
  3380. properties:
  3381. key:
  3382. description: |-
  3383. A key in the referenced Secret.
  3384. Some instances of this field may be defaulted, in others it may be required.
  3385. maxLength: 253
  3386. minLength: 1
  3387. pattern: ^[-._a-zA-Z0-9]+$
  3388. type: string
  3389. name:
  3390. description: The name of the Secret resource being referred to.
  3391. maxLength: 253
  3392. minLength: 1
  3393. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3394. type: string
  3395. namespace:
  3396. description: |-
  3397. The namespace of the Secret resource being referred to.
  3398. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3399. maxLength: 63
  3400. minLength: 1
  3401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3402. type: string
  3403. type: object
  3404. value:
  3405. description: Value can be specified directly to set a value without using a secret.
  3406. type: string
  3407. type: object
  3408. type: object
  3409. server:
  3410. description: Auth configures how API server works.
  3411. properties:
  3412. apiUrl:
  3413. type: string
  3414. apiVersion:
  3415. type: string
  3416. clientTimeOutSeconds:
  3417. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  3418. type: integer
  3419. decrypt:
  3420. default: true
  3421. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  3422. type: boolean
  3423. retrievalType:
  3424. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  3425. type: string
  3426. separator:
  3427. description: A character that separates the folder names.
  3428. type: string
  3429. verifyCA:
  3430. type: boolean
  3431. required:
  3432. - apiUrl
  3433. - verifyCA
  3434. type: object
  3435. required:
  3436. - auth
  3437. - server
  3438. type: object
  3439. beyondtrustworkloadcredentials:
  3440. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  3441. properties:
  3442. auth:
  3443. description: |-
  3444. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  3445. Currently supports API key authentication via Kubernetes secret reference.
  3446. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3447. properties:
  3448. apikey:
  3449. description: |-
  3450. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  3451. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  3452. properties:
  3453. token:
  3454. description: |-
  3455. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  3456. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  3457. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  3458. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  3459. properties:
  3460. key:
  3461. description: |-
  3462. A key in the referenced Secret.
  3463. Some instances of this field may be defaulted, in others it may be required.
  3464. maxLength: 253
  3465. minLength: 1
  3466. pattern: ^[-._a-zA-Z0-9]+$
  3467. type: string
  3468. name:
  3469. description: The name of the Secret resource being referred to.
  3470. maxLength: 253
  3471. minLength: 1
  3472. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3473. type: string
  3474. namespace:
  3475. description: |-
  3476. The namespace of the Secret resource being referred to.
  3477. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3478. maxLength: 63
  3479. minLength: 1
  3480. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3481. type: string
  3482. type: object
  3483. required:
  3484. - token
  3485. type: object
  3486. required:
  3487. - apikey
  3488. type: object
  3489. caBundle:
  3490. description: |-
  3491. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3492. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  3493. If not set, the system's trusted root certificates are used.
  3494. format: byte
  3495. type: string
  3496. caProvider:
  3497. description: |-
  3498. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  3499. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  3500. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  3501. properties:
  3502. key:
  3503. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3504. maxLength: 253
  3505. minLength: 1
  3506. pattern: ^[-._a-zA-Z0-9]+$
  3507. type: string
  3508. name:
  3509. description: The name of the object located at the provider type.
  3510. maxLength: 253
  3511. minLength: 1
  3512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3513. type: string
  3514. namespace:
  3515. description: |-
  3516. The namespace the Provider type is in.
  3517. Can only be defined when used in a ClusterSecretStore.
  3518. maxLength: 63
  3519. minLength: 1
  3520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3521. type: string
  3522. type:
  3523. description: The type of provider to use such as "Secret", or "ConfigMap".
  3524. enum:
  3525. - Secret
  3526. - ConfigMap
  3527. type: string
  3528. required:
  3529. - name
  3530. - type
  3531. type: object
  3532. folderPath:
  3533. description: |-
  3534. FolderPath specifies the default folder path for secret retrieval.
  3535. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  3536. Example: "production/database" or "dev/api-keys"
  3537. Leave empty to retrieve secrets from the root folder.
  3538. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  3539. type: string
  3540. server:
  3541. description: |-
  3542. Server configures the BeyondTrust Workload Credentials server connection details.
  3543. Includes the API URL and Site ID for your BeyondTrust instance.
  3544. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3545. properties:
  3546. apiUrl:
  3547. description: |-
  3548. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  3549. This should be the full URL to your BeyondTrust instance.
  3550. Example: https://api.beyondtrust.io/siie
  3551. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  3552. type: string
  3553. siteId:
  3554. description: |-
  3555. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  3556. This identifier is unique to your BeyondTrust Workload Credentials instance.
  3557. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  3558. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  3559. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  3560. type: string
  3561. required:
  3562. - apiUrl
  3563. - siteId
  3564. type: object
  3565. required:
  3566. - auth
  3567. - server
  3568. type: object
  3569. bitwardensecretsmanager:
  3570. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  3571. properties:
  3572. apiURL:
  3573. type: string
  3574. auth:
  3575. description: |-
  3576. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  3577. Make sure that the token being used has permissions on the given secret.
  3578. properties:
  3579. secretRef:
  3580. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  3581. properties:
  3582. credentials:
  3583. description: AccessToken used for the bitwarden instance.
  3584. properties:
  3585. key:
  3586. description: |-
  3587. A key in the referenced Secret.
  3588. Some instances of this field may be defaulted, in others it may be required.
  3589. maxLength: 253
  3590. minLength: 1
  3591. pattern: ^[-._a-zA-Z0-9]+$
  3592. type: string
  3593. name:
  3594. description: The name of the Secret resource being referred to.
  3595. maxLength: 253
  3596. minLength: 1
  3597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3598. type: string
  3599. namespace:
  3600. description: |-
  3601. The namespace of the Secret resource being referred to.
  3602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3603. maxLength: 63
  3604. minLength: 1
  3605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3606. type: string
  3607. type: object
  3608. required:
  3609. - credentials
  3610. type: object
  3611. required:
  3612. - secretRef
  3613. type: object
  3614. bitwardenServerSDKURL:
  3615. type: string
  3616. caBundle:
  3617. description: |-
  3618. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  3619. can be performed.
  3620. type: string
  3621. caProvider:
  3622. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  3623. properties:
  3624. key:
  3625. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3626. maxLength: 253
  3627. minLength: 1
  3628. pattern: ^[-._a-zA-Z0-9]+$
  3629. type: string
  3630. name:
  3631. description: The name of the object located at the provider type.
  3632. maxLength: 253
  3633. minLength: 1
  3634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3635. type: string
  3636. namespace:
  3637. description: |-
  3638. The namespace the Provider type is in.
  3639. Can only be defined when used in a ClusterSecretStore.
  3640. maxLength: 63
  3641. minLength: 1
  3642. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3643. type: string
  3644. type:
  3645. description: The type of provider to use such as "Secret", or "ConfigMap".
  3646. enum:
  3647. - Secret
  3648. - ConfigMap
  3649. type: string
  3650. required:
  3651. - name
  3652. - type
  3653. type: object
  3654. identityURL:
  3655. type: string
  3656. organizationID:
  3657. description: OrganizationID determines which organization this secret store manages.
  3658. type: string
  3659. projectID:
  3660. description: ProjectID determines which project this secret store manages.
  3661. type: string
  3662. required:
  3663. - auth
  3664. - organizationID
  3665. - projectID
  3666. type: object
  3667. chef:
  3668. description: Chef configures this store to sync secrets with chef server
  3669. properties:
  3670. auth:
  3671. description: Auth defines the information necessary to authenticate against chef Server
  3672. properties:
  3673. secretRef:
  3674. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  3675. properties:
  3676. privateKeySecretRef:
  3677. description: SecretKey is the Signing Key in PEM format, used for authentication.
  3678. properties:
  3679. key:
  3680. description: |-
  3681. A key in the referenced Secret.
  3682. Some instances of this field may be defaulted, in others it may be required.
  3683. maxLength: 253
  3684. minLength: 1
  3685. pattern: ^[-._a-zA-Z0-9]+$
  3686. type: string
  3687. name:
  3688. description: The name of the Secret resource being referred to.
  3689. maxLength: 253
  3690. minLength: 1
  3691. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3692. type: string
  3693. namespace:
  3694. description: |-
  3695. The namespace of the Secret resource being referred to.
  3696. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3697. maxLength: 63
  3698. minLength: 1
  3699. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3700. type: string
  3701. type: object
  3702. required:
  3703. - privateKeySecretRef
  3704. type: object
  3705. required:
  3706. - secretRef
  3707. type: object
  3708. serverUrl:
  3709. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  3710. type: string
  3711. username:
  3712. description: UserName should be the user ID on the chef server
  3713. type: string
  3714. required:
  3715. - auth
  3716. - serverUrl
  3717. - username
  3718. type: object
  3719. cloudrusm:
  3720. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  3721. properties:
  3722. auth:
  3723. description: CSMAuth contains a secretRef for credentials.
  3724. properties:
  3725. secretRef:
  3726. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  3727. properties:
  3728. accessKeyIDSecretRef:
  3729. description: The AccessKeyID is used for authentication
  3730. properties:
  3731. key:
  3732. description: |-
  3733. A key in the referenced Secret.
  3734. Some instances of this field may be defaulted, in others it may be required.
  3735. maxLength: 253
  3736. minLength: 1
  3737. pattern: ^[-._a-zA-Z0-9]+$
  3738. type: string
  3739. name:
  3740. description: The name of the Secret resource being referred to.
  3741. maxLength: 253
  3742. minLength: 1
  3743. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3744. type: string
  3745. namespace:
  3746. description: |-
  3747. The namespace of the Secret resource being referred to.
  3748. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3749. maxLength: 63
  3750. minLength: 1
  3751. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3752. type: string
  3753. type: object
  3754. accessKeySecretSecretRef:
  3755. description: The AccessKeySecret is used for authentication
  3756. properties:
  3757. key:
  3758. description: |-
  3759. A key in the referenced Secret.
  3760. Some instances of this field may be defaulted, in others it may be required.
  3761. maxLength: 253
  3762. minLength: 1
  3763. pattern: ^[-._a-zA-Z0-9]+$
  3764. type: string
  3765. name:
  3766. description: The name of the Secret resource being referred to.
  3767. maxLength: 253
  3768. minLength: 1
  3769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3770. type: string
  3771. namespace:
  3772. description: |-
  3773. The namespace of the Secret resource being referred to.
  3774. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3775. maxLength: 63
  3776. minLength: 1
  3777. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3778. type: string
  3779. type: object
  3780. required:
  3781. - accessKeyIDSecretRef
  3782. - accessKeySecretSecretRef
  3783. type: object
  3784. type: object
  3785. projectID:
  3786. description: ProjectID is the project, which the secrets are stored in.
  3787. type: string
  3788. required:
  3789. - auth
  3790. type: object
  3791. conjur:
  3792. description: Conjur configures this store to sync secrets using conjur provider
  3793. properties:
  3794. auth:
  3795. description: Defines authentication settings for connecting to Conjur.
  3796. properties:
  3797. apikey:
  3798. description: Authenticates with Conjur using an API key.
  3799. properties:
  3800. account:
  3801. description: Account is the Conjur organization account name.
  3802. type: string
  3803. apiKeyRef:
  3804. description: |-
  3805. A reference to a specific 'key' containing the Conjur API key
  3806. within a Secret resource. In some instances, `key` is a required field.
  3807. properties:
  3808. key:
  3809. description: |-
  3810. A key in the referenced Secret.
  3811. Some instances of this field may be defaulted, in others it may be required.
  3812. maxLength: 253
  3813. minLength: 1
  3814. pattern: ^[-._a-zA-Z0-9]+$
  3815. type: string
  3816. name:
  3817. description: The name of the Secret resource being referred to.
  3818. maxLength: 253
  3819. minLength: 1
  3820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3821. type: string
  3822. namespace:
  3823. description: |-
  3824. The namespace of the Secret resource being referred to.
  3825. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3826. maxLength: 63
  3827. minLength: 1
  3828. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3829. type: string
  3830. type: object
  3831. userRef:
  3832. description: |-
  3833. A reference to a specific 'key' containing the Conjur username
  3834. within a Secret resource. In some instances, `key` is a required field.
  3835. properties:
  3836. key:
  3837. description: |-
  3838. A key in the referenced Secret.
  3839. Some instances of this field may be defaulted, in others it may be required.
  3840. maxLength: 253
  3841. minLength: 1
  3842. pattern: ^[-._a-zA-Z0-9]+$
  3843. type: string
  3844. name:
  3845. description: The name of the Secret resource being referred to.
  3846. maxLength: 253
  3847. minLength: 1
  3848. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3849. type: string
  3850. namespace:
  3851. description: |-
  3852. The namespace of the Secret resource being referred to.
  3853. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3854. maxLength: 63
  3855. minLength: 1
  3856. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3857. type: string
  3858. type: object
  3859. required:
  3860. - account
  3861. - apiKeyRef
  3862. - userRef
  3863. type: object
  3864. jwt:
  3865. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  3866. properties:
  3867. account:
  3868. description: Account is the Conjur organization account name.
  3869. type: string
  3870. hostId:
  3871. description: |-
  3872. Optional HostID for JWT authentication. This may be used depending
  3873. on how the Conjur JWT authenticator policy is configured.
  3874. type: string
  3875. secretRef:
  3876. description: |-
  3877. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3878. authenticate with Conjur using the JWT authentication method.
  3879. properties:
  3880. key:
  3881. description: |-
  3882. A key in the referenced Secret.
  3883. Some instances of this field may be defaulted, in others it may be required.
  3884. maxLength: 253
  3885. minLength: 1
  3886. pattern: ^[-._a-zA-Z0-9]+$
  3887. type: string
  3888. name:
  3889. description: The name of the Secret resource being referred to.
  3890. maxLength: 253
  3891. minLength: 1
  3892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3893. type: string
  3894. namespace:
  3895. description: |-
  3896. The namespace of the Secret resource being referred to.
  3897. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3898. maxLength: 63
  3899. minLength: 1
  3900. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3901. type: string
  3902. type: object
  3903. serviceAccountRef:
  3904. description: |-
  3905. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  3906. a token for with the `TokenRequest` API.
  3907. properties:
  3908. audiences:
  3909. description: |-
  3910. Audience specifies the `aud` claim for the service account token
  3911. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3912. then this audiences will be appended to the list
  3913. items:
  3914. type: string
  3915. type: array
  3916. name:
  3917. description: The name of the ServiceAccount resource being referred to.
  3918. maxLength: 253
  3919. minLength: 1
  3920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3921. type: string
  3922. namespace:
  3923. description: |-
  3924. Namespace of the resource being referred to.
  3925. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  3926. maxLength: 63
  3927. minLength: 1
  3928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3929. type: string
  3930. required:
  3931. - name
  3932. type: object
  3933. serviceID:
  3934. description: The conjur authn jwt webservice id
  3935. type: string
  3936. required:
  3937. - account
  3938. - serviceID
  3939. type: object
  3940. type: object
  3941. caBundle:
  3942. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  3943. type: string
  3944. caProvider:
  3945. description: |-
  3946. Used to provide custom certificate authority (CA) certificates
  3947. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3948. that contains a PEM-encoded certificate.
  3949. properties:
  3950. key:
  3951. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3952. maxLength: 253
  3953. minLength: 1
  3954. pattern: ^[-._a-zA-Z0-9]+$
  3955. type: string
  3956. name:
  3957. description: The name of the object located at the provider type.
  3958. maxLength: 253
  3959. minLength: 1
  3960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  3961. type: string
  3962. namespace:
  3963. description: |-
  3964. The namespace the Provider type is in.
  3965. Can only be defined when used in a ClusterSecretStore.
  3966. maxLength: 63
  3967. minLength: 1
  3968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  3969. type: string
  3970. type:
  3971. description: The type of provider to use such as "Secret", or "ConfigMap".
  3972. enum:
  3973. - Secret
  3974. - ConfigMap
  3975. type: string
  3976. required:
  3977. - name
  3978. - type
  3979. type: object
  3980. url:
  3981. description: URL is the endpoint of the Conjur instance.
  3982. type: string
  3983. required:
  3984. - auth
  3985. - url
  3986. type: object
  3987. delinea:
  3988. description: |-
  3989. Delinea DevOps Secrets Vault
  3990. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3991. properties:
  3992. clientId:
  3993. description: ClientID is the non-secret part of the credential.
  3994. properties:
  3995. secretRef:
  3996. description: SecretRef references a key in a secret that will be used as value.
  3997. properties:
  3998. key:
  3999. description: |-
  4000. A key in the referenced Secret.
  4001. Some instances of this field may be defaulted, in others it may be required.
  4002. maxLength: 253
  4003. minLength: 1
  4004. pattern: ^[-._a-zA-Z0-9]+$
  4005. type: string
  4006. name:
  4007. description: The name of the Secret resource being referred to.
  4008. maxLength: 253
  4009. minLength: 1
  4010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4011. type: string
  4012. namespace:
  4013. description: |-
  4014. The namespace of the Secret resource being referred to.
  4015. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4016. maxLength: 63
  4017. minLength: 1
  4018. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4019. type: string
  4020. type: object
  4021. value:
  4022. description: Value can be specified directly to set a value without using a secret.
  4023. type: string
  4024. type: object
  4025. clientSecret:
  4026. description: ClientSecret is the secret part of the credential.
  4027. properties:
  4028. secretRef:
  4029. description: SecretRef references a key in a secret that will be used as value.
  4030. properties:
  4031. key:
  4032. description: |-
  4033. A key in the referenced Secret.
  4034. Some instances of this field may be defaulted, in others it may be required.
  4035. maxLength: 253
  4036. minLength: 1
  4037. pattern: ^[-._a-zA-Z0-9]+$
  4038. type: string
  4039. name:
  4040. description: The name of the Secret resource being referred to.
  4041. maxLength: 253
  4042. minLength: 1
  4043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4044. type: string
  4045. namespace:
  4046. description: |-
  4047. The namespace of the Secret resource being referred to.
  4048. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4049. maxLength: 63
  4050. minLength: 1
  4051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4052. type: string
  4053. type: object
  4054. value:
  4055. description: Value can be specified directly to set a value without using a secret.
  4056. type: string
  4057. type: object
  4058. tenant:
  4059. description: Tenant is the chosen hostname / site name.
  4060. type: string
  4061. tld:
  4062. description: |-
  4063. TLD is based on the server location that was chosen during provisioning.
  4064. If unset, defaults to "com".
  4065. type: string
  4066. urlTemplate:
  4067. description: |-
  4068. URLTemplate
  4069. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  4070. type: string
  4071. required:
  4072. - clientId
  4073. - clientSecret
  4074. - tenant
  4075. type: object
  4076. doppler:
  4077. description: Doppler configures this store to sync secrets using the Doppler provider
  4078. properties:
  4079. auth:
  4080. description: Auth configures how the Operator authenticates with the Doppler API
  4081. properties:
  4082. oidcConfig:
  4083. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  4084. properties:
  4085. expirationSeconds:
  4086. default: 600
  4087. description: |-
  4088. ExpirationSeconds sets the ServiceAccount token validity duration.
  4089. Defaults to 10 minutes.
  4090. format: int64
  4091. type: integer
  4092. identity:
  4093. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  4094. type: string
  4095. serviceAccountRef:
  4096. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  4097. properties:
  4098. audiences:
  4099. description: |-
  4100. Audience specifies the `aud` claim for the service account token
  4101. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4102. then this audiences will be appended to the list
  4103. items:
  4104. type: string
  4105. type: array
  4106. name:
  4107. description: The name of the ServiceAccount resource being referred to.
  4108. maxLength: 253
  4109. minLength: 1
  4110. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4111. type: string
  4112. namespace:
  4113. description: |-
  4114. Namespace of the resource being referred to.
  4115. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4116. maxLength: 63
  4117. minLength: 1
  4118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4119. type: string
  4120. required:
  4121. - name
  4122. type: object
  4123. required:
  4124. - identity
  4125. - serviceAccountRef
  4126. type: object
  4127. secretRef:
  4128. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  4129. properties:
  4130. dopplerToken:
  4131. description: |-
  4132. The DopplerToken is used for authentication.
  4133. See https://docs.doppler.com/reference/api#authentication for auth token types.
  4134. The Key attribute defaults to dopplerToken if not specified.
  4135. properties:
  4136. key:
  4137. description: |-
  4138. A key in the referenced Secret.
  4139. Some instances of this field may be defaulted, in others it may be required.
  4140. maxLength: 253
  4141. minLength: 1
  4142. pattern: ^[-._a-zA-Z0-9]+$
  4143. type: string
  4144. name:
  4145. description: The name of the Secret resource being referred to.
  4146. maxLength: 253
  4147. minLength: 1
  4148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4149. type: string
  4150. namespace:
  4151. description: |-
  4152. The namespace of the Secret resource being referred to.
  4153. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4154. maxLength: 63
  4155. minLength: 1
  4156. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4157. type: string
  4158. type: object
  4159. required:
  4160. - dopplerToken
  4161. type: object
  4162. type: object
  4163. x-kubernetes-validations:
  4164. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  4165. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  4166. config:
  4167. description: Doppler config (required if not using a Service Token)
  4168. type: string
  4169. format:
  4170. description: Format enables the downloading of secrets as a file (string)
  4171. enum:
  4172. - json
  4173. - dotnet-json
  4174. - env
  4175. - yaml
  4176. - docker
  4177. type: string
  4178. nameTransformer:
  4179. description: Environment variable compatible name transforms that change secret names to a different format
  4180. enum:
  4181. - upper-camel
  4182. - camel
  4183. - lower-snake
  4184. - tf-var
  4185. - dotnet-env
  4186. - lower-kebab
  4187. type: string
  4188. project:
  4189. description: Doppler project (required if not using a Service Token)
  4190. type: string
  4191. required:
  4192. - auth
  4193. type: object
  4194. dvls:
  4195. description: DVLS configures this store to sync secrets using Devolutions Server provider
  4196. properties:
  4197. auth:
  4198. description: Auth defines the authentication method to use.
  4199. properties:
  4200. secretRef:
  4201. description: SecretRef contains the Application ID and Application Secret for authentication.
  4202. properties:
  4203. appId:
  4204. description: AppID is the reference to the secret containing the Application ID.
  4205. properties:
  4206. key:
  4207. description: |-
  4208. A key in the referenced Secret.
  4209. Some instances of this field may be defaulted, in others it may be required.
  4210. maxLength: 253
  4211. minLength: 1
  4212. pattern: ^[-._a-zA-Z0-9]+$
  4213. type: string
  4214. name:
  4215. description: The name of the Secret resource being referred to.
  4216. maxLength: 253
  4217. minLength: 1
  4218. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4219. type: string
  4220. namespace:
  4221. description: |-
  4222. The namespace of the Secret resource being referred to.
  4223. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4224. maxLength: 63
  4225. minLength: 1
  4226. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4227. type: string
  4228. type: object
  4229. appSecret:
  4230. description: AppSecret is the reference to the secret containing the Application Secret.
  4231. properties:
  4232. key:
  4233. description: |-
  4234. A key in the referenced Secret.
  4235. Some instances of this field may be defaulted, in others it may be required.
  4236. maxLength: 253
  4237. minLength: 1
  4238. pattern: ^[-._a-zA-Z0-9]+$
  4239. type: string
  4240. name:
  4241. description: The name of the Secret resource being referred to.
  4242. maxLength: 253
  4243. minLength: 1
  4244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4245. type: string
  4246. namespace:
  4247. description: |-
  4248. The namespace of the Secret resource being referred to.
  4249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4250. maxLength: 63
  4251. minLength: 1
  4252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4253. type: string
  4254. type: object
  4255. required:
  4256. - appId
  4257. - appSecret
  4258. type: object
  4259. required:
  4260. - secretRef
  4261. type: object
  4262. insecure:
  4263. description: |-
  4264. Insecure allows connecting to DVLS over plain HTTP.
  4265. This is NOT RECOMMENDED for production use.
  4266. Set to true only if you understand the security implications.
  4267. type: boolean
  4268. serverUrl:
  4269. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  4270. type: string
  4271. vault:
  4272. description: |-
  4273. Vault is the name or UUID of the vault to fetch secrets from.
  4274. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  4275. type: string
  4276. required:
  4277. - auth
  4278. - serverUrl
  4279. type: object
  4280. fake:
  4281. description: Fake configures a store with static key/value pairs
  4282. properties:
  4283. data:
  4284. items:
  4285. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  4286. properties:
  4287. key:
  4288. type: string
  4289. value:
  4290. type: string
  4291. version:
  4292. type: string
  4293. required:
  4294. - key
  4295. - value
  4296. type: object
  4297. type: array
  4298. validationResult:
  4299. description: ValidationResult is defined type for the number of validation results.
  4300. type: integer
  4301. required:
  4302. - data
  4303. type: object
  4304. fortanix:
  4305. description: Fortanix configures this store to sync secrets using the Fortanix provider
  4306. properties:
  4307. apiKey:
  4308. description: APIKey is the API token to access SDKMS Applications.
  4309. properties:
  4310. secretRef:
  4311. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  4312. properties:
  4313. key:
  4314. description: |-
  4315. A key in the referenced Secret.
  4316. Some instances of this field may be defaulted, in others it may be required.
  4317. maxLength: 253
  4318. minLength: 1
  4319. pattern: ^[-._a-zA-Z0-9]+$
  4320. type: string
  4321. name:
  4322. description: The name of the Secret resource being referred to.
  4323. maxLength: 253
  4324. minLength: 1
  4325. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4326. type: string
  4327. namespace:
  4328. description: |-
  4329. The namespace of the Secret resource being referred to.
  4330. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4331. maxLength: 63
  4332. minLength: 1
  4333. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4334. type: string
  4335. type: object
  4336. type: object
  4337. apiUrl:
  4338. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  4339. type: string
  4340. type: object
  4341. gcpsm:
  4342. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  4343. properties:
  4344. auth:
  4345. description: Auth defines the information necessary to authenticate against GCP
  4346. properties:
  4347. secretRef:
  4348. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  4349. properties:
  4350. secretAccessKeySecretRef:
  4351. description: The SecretAccessKey is used for authentication
  4352. properties:
  4353. key:
  4354. description: |-
  4355. A key in the referenced Secret.
  4356. Some instances of this field may be defaulted, in others it may be required.
  4357. maxLength: 253
  4358. minLength: 1
  4359. pattern: ^[-._a-zA-Z0-9]+$
  4360. type: string
  4361. name:
  4362. description: The name of the Secret resource being referred to.
  4363. maxLength: 253
  4364. minLength: 1
  4365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4366. type: string
  4367. namespace:
  4368. description: |-
  4369. The namespace of the Secret resource being referred to.
  4370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4371. maxLength: 63
  4372. minLength: 1
  4373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4374. type: string
  4375. type: object
  4376. type: object
  4377. workloadIdentity:
  4378. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  4379. properties:
  4380. clusterLocation:
  4381. description: |-
  4382. ClusterLocation is the location of the cluster
  4383. If not specified, it fetches information from the metadata server
  4384. type: string
  4385. clusterName:
  4386. description: |-
  4387. ClusterName is the name of the cluster
  4388. If not specified, it fetches information from the metadata server
  4389. type: string
  4390. clusterProjectID:
  4391. description: |-
  4392. ClusterProjectID is the project ID of the cluster
  4393. If not specified, it fetches information from the metadata server
  4394. type: string
  4395. serviceAccountRef:
  4396. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  4397. properties:
  4398. audiences:
  4399. description: |-
  4400. Audience specifies the `aud` claim for the service account token
  4401. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4402. then this audiences will be appended to the list
  4403. items:
  4404. type: string
  4405. type: array
  4406. name:
  4407. description: The name of the ServiceAccount resource being referred to.
  4408. maxLength: 253
  4409. minLength: 1
  4410. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4411. type: string
  4412. namespace:
  4413. description: |-
  4414. Namespace of the resource being referred to.
  4415. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4416. maxLength: 63
  4417. minLength: 1
  4418. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4419. type: string
  4420. required:
  4421. - name
  4422. type: object
  4423. required:
  4424. - serviceAccountRef
  4425. type: object
  4426. workloadIdentityFederation:
  4427. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  4428. properties:
  4429. audience:
  4430. description: |-
  4431. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  4432. If specified, Audience found in the external account credential config will be overridden with the configured value.
  4433. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  4434. type: string
  4435. awsSecurityCredentials:
  4436. description: |-
  4437. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  4438. when using the AWS metadata server is not an option.
  4439. properties:
  4440. awsCredentialsSecretRef:
  4441. description: |-
  4442. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  4443. Secret should be created with below names for keys
  4444. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  4445. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  4446. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  4447. properties:
  4448. name:
  4449. description: name of the secret.
  4450. maxLength: 253
  4451. minLength: 1
  4452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4453. type: string
  4454. namespace:
  4455. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  4456. maxLength: 63
  4457. minLength: 1
  4458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4459. type: string
  4460. required:
  4461. - name
  4462. type: object
  4463. region:
  4464. description: region is for configuring the AWS region to be used.
  4465. example: ap-south-1
  4466. maxLength: 50
  4467. minLength: 1
  4468. pattern: ^[a-z0-9-]+$
  4469. type: string
  4470. required:
  4471. - awsCredentialsSecretRef
  4472. - region
  4473. type: object
  4474. credConfig:
  4475. description: |-
  4476. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  4477. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  4478. serviceAccountRef must be used by providing operators service account details.
  4479. properties:
  4480. key:
  4481. description: key name holding the external account credential config.
  4482. maxLength: 253
  4483. minLength: 1
  4484. pattern: ^[-._a-zA-Z0-9]+$
  4485. type: string
  4486. name:
  4487. description: name of the configmap.
  4488. maxLength: 253
  4489. minLength: 1
  4490. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4491. type: string
  4492. namespace:
  4493. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  4494. maxLength: 63
  4495. minLength: 1
  4496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4497. type: string
  4498. required:
  4499. - key
  4500. - name
  4501. type: object
  4502. externalTokenEndpoint:
  4503. description: |-
  4504. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  4505. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  4506. URL is having the expected value.
  4507. type: string
  4508. gcpServiceAccountEmail:
  4509. description: |-
  4510. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  4511. after Workload Identity Federation. Use this to grant access through the service account's
  4512. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  4513. service_account_impersonation_url in the external account JSON from credConfig;
  4514. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  4515. on that ServiceAccount.
  4516. example: my-gsa@my-project.iam.gserviceaccount.com
  4517. minLength: 1
  4518. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  4519. type: string
  4520. serviceAccountRef:
  4521. description: |-
  4522. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  4523. when Kubernetes is configured as provider in workload identity pool.
  4524. properties:
  4525. audiences:
  4526. description: |-
  4527. Audience specifies the `aud` claim for the service account token
  4528. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4529. then this audiences will be appended to the list
  4530. items:
  4531. type: string
  4532. type: array
  4533. name:
  4534. description: The name of the ServiceAccount resource being referred to.
  4535. maxLength: 253
  4536. minLength: 1
  4537. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4538. type: string
  4539. namespace:
  4540. description: |-
  4541. Namespace of the resource being referred to.
  4542. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4543. maxLength: 63
  4544. minLength: 1
  4545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4546. type: string
  4547. required:
  4548. - name
  4549. type: object
  4550. type: object
  4551. type: object
  4552. location:
  4553. description: Location optionally defines a location for a secret
  4554. type: string
  4555. projectID:
  4556. description: ProjectID project where secret is located
  4557. type: string
  4558. secretVersionSelectionPolicy:
  4559. default: LatestOrFail
  4560. description: |-
  4561. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  4562. when "latest" is disabled or destroyed.
  4563. Possible values are:
  4564. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  4565. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  4566. type: string
  4567. type: object
  4568. github:
  4569. description: |-
  4570. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  4571. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  4572. properties:
  4573. appID:
  4574. description: appID specifies the Github APP that will be used to authenticate the client
  4575. format: int64
  4576. type: integer
  4577. auth:
  4578. description: auth configures how secret-manager authenticates with a Github instance.
  4579. properties:
  4580. privateKey:
  4581. description: |-
  4582. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4583. In some instances, `key` is a required field.
  4584. properties:
  4585. key:
  4586. description: |-
  4587. A key in the referenced Secret.
  4588. Some instances of this field may be defaulted, in others it may be required.
  4589. maxLength: 253
  4590. minLength: 1
  4591. pattern: ^[-._a-zA-Z0-9]+$
  4592. type: string
  4593. name:
  4594. description: The name of the Secret resource being referred to.
  4595. maxLength: 253
  4596. minLength: 1
  4597. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4598. type: string
  4599. namespace:
  4600. description: |-
  4601. The namespace of the Secret resource being referred to.
  4602. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4603. maxLength: 63
  4604. minLength: 1
  4605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4606. type: string
  4607. type: object
  4608. required:
  4609. - privateKey
  4610. type: object
  4611. environment:
  4612. description: environment will be used to fetch secrets from a particular environment within a github repository
  4613. type: string
  4614. installationID:
  4615. description: installationID specifies the Github APP installation that will be used to authenticate the client
  4616. format: int64
  4617. type: integer
  4618. orgSecretVisibility:
  4619. description: |-
  4620. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  4621. Valid values are "all" or "private".
  4622. When unset, new secrets are created with visibility "all" and existing secrets preserve
  4623. whatever visibility they already have in GitHub.
  4624. enum:
  4625. - all
  4626. - private
  4627. type: string
  4628. organization:
  4629. description: organization will be used to fetch secrets from the Github organization
  4630. type: string
  4631. repository:
  4632. description: repository will be used to fetch secrets from the Github repository within an organization
  4633. type: string
  4634. uploadURL:
  4635. description: Upload URL for enterprise instances. Default to URL.
  4636. type: string
  4637. url:
  4638. default: https://github.com/
  4639. description: URL configures the Github instance URL. Defaults to https://github.com/.
  4640. type: string
  4641. required:
  4642. - appID
  4643. - auth
  4644. - installationID
  4645. - organization
  4646. type: object
  4647. gitlab:
  4648. description: GitLab configures this store to sync secrets using GitLab Variables provider
  4649. properties:
  4650. auth:
  4651. description: Auth configures how secret-manager authenticates with a GitLab instance.
  4652. properties:
  4653. SecretRef:
  4654. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  4655. properties:
  4656. accessToken:
  4657. description: AccessToken is used for authentication.
  4658. properties:
  4659. key:
  4660. description: |-
  4661. A key in the referenced Secret.
  4662. Some instances of this field may be defaulted, in others it may be required.
  4663. maxLength: 253
  4664. minLength: 1
  4665. pattern: ^[-._a-zA-Z0-9]+$
  4666. type: string
  4667. name:
  4668. description: The name of the Secret resource being referred to.
  4669. maxLength: 253
  4670. minLength: 1
  4671. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4672. type: string
  4673. namespace:
  4674. description: |-
  4675. The namespace of the Secret resource being referred to.
  4676. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4677. maxLength: 63
  4678. minLength: 1
  4679. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4680. type: string
  4681. type: object
  4682. type: object
  4683. required:
  4684. - SecretRef
  4685. type: object
  4686. caBundle:
  4687. description: |-
  4688. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  4689. can be performed.
  4690. format: byte
  4691. type: string
  4692. caProvider:
  4693. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  4694. properties:
  4695. key:
  4696. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4697. maxLength: 253
  4698. minLength: 1
  4699. pattern: ^[-._a-zA-Z0-9]+$
  4700. type: string
  4701. name:
  4702. description: The name of the object located at the provider type.
  4703. maxLength: 253
  4704. minLength: 1
  4705. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4706. type: string
  4707. namespace:
  4708. description: |-
  4709. The namespace the Provider type is in.
  4710. Can only be defined when used in a ClusterSecretStore.
  4711. maxLength: 63
  4712. minLength: 1
  4713. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4714. type: string
  4715. type:
  4716. description: The type of provider to use such as "Secret", or "ConfigMap".
  4717. enum:
  4718. - Secret
  4719. - ConfigMap
  4720. type: string
  4721. required:
  4722. - name
  4723. - type
  4724. type: object
  4725. environment:
  4726. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  4727. type: string
  4728. groupIDs:
  4729. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  4730. items:
  4731. type: string
  4732. type: array
  4733. inheritFromGroups:
  4734. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  4735. type: boolean
  4736. projectID:
  4737. description: ProjectID specifies a project where secrets are located.
  4738. type: string
  4739. url:
  4740. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  4741. type: string
  4742. required:
  4743. - auth
  4744. type: object
  4745. ibm:
  4746. description: IBM configures this store to sync secrets using IBM Cloud provider
  4747. properties:
  4748. auth:
  4749. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  4750. maxProperties: 1
  4751. minProperties: 1
  4752. properties:
  4753. containerAuth:
  4754. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  4755. properties:
  4756. iamEndpoint:
  4757. type: string
  4758. profile:
  4759. description: the IBM Trusted Profile
  4760. type: string
  4761. tokenLocation:
  4762. description: Location the token is mounted on the pod
  4763. type: string
  4764. required:
  4765. - profile
  4766. type: object
  4767. secretRef:
  4768. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  4769. properties:
  4770. iamEndpoint:
  4771. description: The IAM endpoint used to obain a token
  4772. type: string
  4773. secretApiKeySecretRef:
  4774. description: The SecretAccessKey is used for authentication
  4775. properties:
  4776. key:
  4777. description: |-
  4778. A key in the referenced Secret.
  4779. Some instances of this field may be defaulted, in others it may be required.
  4780. maxLength: 253
  4781. minLength: 1
  4782. pattern: ^[-._a-zA-Z0-9]+$
  4783. type: string
  4784. name:
  4785. description: The name of the Secret resource being referred to.
  4786. maxLength: 253
  4787. minLength: 1
  4788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4789. type: string
  4790. namespace:
  4791. description: |-
  4792. The namespace of the Secret resource being referred to.
  4793. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4794. maxLength: 63
  4795. minLength: 1
  4796. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4797. type: string
  4798. type: object
  4799. type: object
  4800. type: object
  4801. serviceUrl:
  4802. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  4803. type: string
  4804. required:
  4805. - auth
  4806. type: object
  4807. infisical:
  4808. description: Infisical configures this store to sync secrets using the Infisical provider
  4809. properties:
  4810. auth:
  4811. description: Auth configures how the Operator authenticates with the Infisical API
  4812. properties:
  4813. awsAuthCredentials:
  4814. description: AwsAuthCredentials represents the credentials for AWS authentication.
  4815. properties:
  4816. identityId:
  4817. description: |-
  4818. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4819. In some instances, `key` is a required field.
  4820. properties:
  4821. key:
  4822. description: |-
  4823. A key in the referenced Secret.
  4824. Some instances of this field may be defaulted, in others it may be required.
  4825. maxLength: 253
  4826. minLength: 1
  4827. pattern: ^[-._a-zA-Z0-9]+$
  4828. type: string
  4829. name:
  4830. description: The name of the Secret resource being referred to.
  4831. maxLength: 253
  4832. minLength: 1
  4833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4834. type: string
  4835. namespace:
  4836. description: |-
  4837. The namespace of the Secret resource being referred to.
  4838. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4839. maxLength: 63
  4840. minLength: 1
  4841. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4842. type: string
  4843. type: object
  4844. required:
  4845. - identityId
  4846. type: object
  4847. azureAuthCredentials:
  4848. description: AzureAuthCredentials represents the credentials for Azure authentication.
  4849. properties:
  4850. identityId:
  4851. description: |-
  4852. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4853. In some instances, `key` is a required field.
  4854. properties:
  4855. key:
  4856. description: |-
  4857. A key in the referenced Secret.
  4858. Some instances of this field may be defaulted, in others it may be required.
  4859. maxLength: 253
  4860. minLength: 1
  4861. pattern: ^[-._a-zA-Z0-9]+$
  4862. type: string
  4863. name:
  4864. description: The name of the Secret resource being referred to.
  4865. maxLength: 253
  4866. minLength: 1
  4867. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4868. type: string
  4869. namespace:
  4870. description: |-
  4871. The namespace of the Secret resource being referred to.
  4872. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4873. maxLength: 63
  4874. minLength: 1
  4875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4876. type: string
  4877. type: object
  4878. resource:
  4879. description: |-
  4880. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4881. In some instances, `key` is a required field.
  4882. properties:
  4883. key:
  4884. description: |-
  4885. A key in the referenced Secret.
  4886. Some instances of this field may be defaulted, in others it may be required.
  4887. maxLength: 253
  4888. minLength: 1
  4889. pattern: ^[-._a-zA-Z0-9]+$
  4890. type: string
  4891. name:
  4892. description: The name of the Secret resource being referred to.
  4893. maxLength: 253
  4894. minLength: 1
  4895. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4896. type: string
  4897. namespace:
  4898. description: |-
  4899. The namespace of the Secret resource being referred to.
  4900. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4901. maxLength: 63
  4902. minLength: 1
  4903. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4904. type: string
  4905. type: object
  4906. required:
  4907. - identityId
  4908. type: object
  4909. gcpIamAuthCredentials:
  4910. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  4911. properties:
  4912. identityId:
  4913. description: |-
  4914. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4915. In some instances, `key` is a required field.
  4916. properties:
  4917. key:
  4918. description: |-
  4919. A key in the referenced Secret.
  4920. Some instances of this field may be defaulted, in others it may be required.
  4921. maxLength: 253
  4922. minLength: 1
  4923. pattern: ^[-._a-zA-Z0-9]+$
  4924. type: string
  4925. name:
  4926. description: The name of the Secret resource being referred to.
  4927. maxLength: 253
  4928. minLength: 1
  4929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4930. type: string
  4931. namespace:
  4932. description: |-
  4933. The namespace of the Secret resource being referred to.
  4934. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4935. maxLength: 63
  4936. minLength: 1
  4937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4938. type: string
  4939. type: object
  4940. serviceAccountKeyFilePath:
  4941. description: |-
  4942. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4943. In some instances, `key` is a required field.
  4944. properties:
  4945. key:
  4946. description: |-
  4947. A key in the referenced Secret.
  4948. Some instances of this field may be defaulted, in others it may be required.
  4949. maxLength: 253
  4950. minLength: 1
  4951. pattern: ^[-._a-zA-Z0-9]+$
  4952. type: string
  4953. name:
  4954. description: The name of the Secret resource being referred to.
  4955. maxLength: 253
  4956. minLength: 1
  4957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4958. type: string
  4959. namespace:
  4960. description: |-
  4961. The namespace of the Secret resource being referred to.
  4962. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4963. maxLength: 63
  4964. minLength: 1
  4965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  4966. type: string
  4967. type: object
  4968. required:
  4969. - identityId
  4970. - serviceAccountKeyFilePath
  4971. type: object
  4972. gcpIdTokenAuthCredentials:
  4973. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  4974. properties:
  4975. identityId:
  4976. description: |-
  4977. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  4978. In some instances, `key` is a required field.
  4979. properties:
  4980. key:
  4981. description: |-
  4982. A key in the referenced Secret.
  4983. Some instances of this field may be defaulted, in others it may be required.
  4984. maxLength: 253
  4985. minLength: 1
  4986. pattern: ^[-._a-zA-Z0-9]+$
  4987. type: string
  4988. name:
  4989. description: The name of the Secret resource being referred to.
  4990. maxLength: 253
  4991. minLength: 1
  4992. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  4993. type: string
  4994. namespace:
  4995. description: |-
  4996. The namespace of the Secret resource being referred to.
  4997. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  4998. maxLength: 63
  4999. minLength: 1
  5000. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5001. type: string
  5002. type: object
  5003. required:
  5004. - identityId
  5005. type: object
  5006. jwtAuthCredentials:
  5007. description: JwtAuthCredentials represents the credentials for JWT authentication.
  5008. properties:
  5009. identityId:
  5010. description: |-
  5011. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5012. In some instances, `key` is a required field.
  5013. properties:
  5014. key:
  5015. description: |-
  5016. A key in the referenced Secret.
  5017. Some instances of this field may be defaulted, in others it may be required.
  5018. maxLength: 253
  5019. minLength: 1
  5020. pattern: ^[-._a-zA-Z0-9]+$
  5021. type: string
  5022. name:
  5023. description: The name of the Secret resource being referred to.
  5024. maxLength: 253
  5025. minLength: 1
  5026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5027. type: string
  5028. namespace:
  5029. description: |-
  5030. The namespace of the Secret resource being referred to.
  5031. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5032. maxLength: 63
  5033. minLength: 1
  5034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5035. type: string
  5036. type: object
  5037. jwt:
  5038. description: |-
  5039. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5040. In some instances, `key` is a required field.
  5041. properties:
  5042. key:
  5043. description: |-
  5044. A key in the referenced Secret.
  5045. Some instances of this field may be defaulted, in others it may be required.
  5046. maxLength: 253
  5047. minLength: 1
  5048. pattern: ^[-._a-zA-Z0-9]+$
  5049. type: string
  5050. name:
  5051. description: The name of the Secret resource being referred to.
  5052. maxLength: 253
  5053. minLength: 1
  5054. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5055. type: string
  5056. namespace:
  5057. description: |-
  5058. The namespace of the Secret resource being referred to.
  5059. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5060. maxLength: 63
  5061. minLength: 1
  5062. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5063. type: string
  5064. type: object
  5065. required:
  5066. - identityId
  5067. - jwt
  5068. type: object
  5069. kubernetesAuthCredentials:
  5070. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  5071. properties:
  5072. identityId:
  5073. description: |-
  5074. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5075. In some instances, `key` is a required field.
  5076. properties:
  5077. key:
  5078. description: |-
  5079. A key in the referenced Secret.
  5080. Some instances of this field may be defaulted, in others it may be required.
  5081. maxLength: 253
  5082. minLength: 1
  5083. pattern: ^[-._a-zA-Z0-9]+$
  5084. type: string
  5085. name:
  5086. description: The name of the Secret resource being referred to.
  5087. maxLength: 253
  5088. minLength: 1
  5089. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5090. type: string
  5091. namespace:
  5092. description: |-
  5093. The namespace of the Secret resource being referred to.
  5094. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5095. maxLength: 63
  5096. minLength: 1
  5097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5098. type: string
  5099. type: object
  5100. serviceAccountTokenPath:
  5101. description: |-
  5102. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5103. In some instances, `key` is a required field.
  5104. properties:
  5105. key:
  5106. description: |-
  5107. A key in the referenced Secret.
  5108. Some instances of this field may be defaulted, in others it may be required.
  5109. maxLength: 253
  5110. minLength: 1
  5111. pattern: ^[-._a-zA-Z0-9]+$
  5112. type: string
  5113. name:
  5114. description: The name of the Secret resource being referred to.
  5115. maxLength: 253
  5116. minLength: 1
  5117. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5118. type: string
  5119. namespace:
  5120. description: |-
  5121. The namespace of the Secret resource being referred to.
  5122. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5123. maxLength: 63
  5124. minLength: 1
  5125. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5126. type: string
  5127. type: object
  5128. required:
  5129. - identityId
  5130. type: object
  5131. ldapAuthCredentials:
  5132. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  5133. properties:
  5134. identityId:
  5135. description: |-
  5136. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5137. In some instances, `key` is a required field.
  5138. properties:
  5139. key:
  5140. description: |-
  5141. A key in the referenced Secret.
  5142. Some instances of this field may be defaulted, in others it may be required.
  5143. maxLength: 253
  5144. minLength: 1
  5145. pattern: ^[-._a-zA-Z0-9]+$
  5146. type: string
  5147. name:
  5148. description: The name of the Secret resource being referred to.
  5149. maxLength: 253
  5150. minLength: 1
  5151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5152. type: string
  5153. namespace:
  5154. description: |-
  5155. The namespace of the Secret resource being referred to.
  5156. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5157. maxLength: 63
  5158. minLength: 1
  5159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5160. type: string
  5161. type: object
  5162. ldapPassword:
  5163. description: |-
  5164. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5165. In some instances, `key` is a required field.
  5166. properties:
  5167. key:
  5168. description: |-
  5169. A key in the referenced Secret.
  5170. Some instances of this field may be defaulted, in others it may be required.
  5171. maxLength: 253
  5172. minLength: 1
  5173. pattern: ^[-._a-zA-Z0-9]+$
  5174. type: string
  5175. name:
  5176. description: The name of the Secret resource being referred to.
  5177. maxLength: 253
  5178. minLength: 1
  5179. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5180. type: string
  5181. namespace:
  5182. description: |-
  5183. The namespace of the Secret resource being referred to.
  5184. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5185. maxLength: 63
  5186. minLength: 1
  5187. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5188. type: string
  5189. type: object
  5190. ldapUsername:
  5191. description: |-
  5192. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5193. In some instances, `key` is a required field.
  5194. properties:
  5195. key:
  5196. description: |-
  5197. A key in the referenced Secret.
  5198. Some instances of this field may be defaulted, in others it may be required.
  5199. maxLength: 253
  5200. minLength: 1
  5201. pattern: ^[-._a-zA-Z0-9]+$
  5202. type: string
  5203. name:
  5204. description: The name of the Secret resource being referred to.
  5205. maxLength: 253
  5206. minLength: 1
  5207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5208. type: string
  5209. namespace:
  5210. description: |-
  5211. The namespace of the Secret resource being referred to.
  5212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5213. maxLength: 63
  5214. minLength: 1
  5215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5216. type: string
  5217. type: object
  5218. required:
  5219. - identityId
  5220. - ldapPassword
  5221. - ldapUsername
  5222. type: object
  5223. ociAuthCredentials:
  5224. description: OciAuthCredentials represents the credentials for OCI authentication.
  5225. properties:
  5226. fingerprint:
  5227. description: |-
  5228. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5229. In some instances, `key` is a required field.
  5230. properties:
  5231. key:
  5232. description: |-
  5233. A key in the referenced Secret.
  5234. Some instances of this field may be defaulted, in others it may be required.
  5235. maxLength: 253
  5236. minLength: 1
  5237. pattern: ^[-._a-zA-Z0-9]+$
  5238. type: string
  5239. name:
  5240. description: The name of the Secret resource being referred to.
  5241. maxLength: 253
  5242. minLength: 1
  5243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5244. type: string
  5245. namespace:
  5246. description: |-
  5247. The namespace of the Secret resource being referred to.
  5248. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5249. maxLength: 63
  5250. minLength: 1
  5251. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5252. type: string
  5253. type: object
  5254. identityId:
  5255. description: |-
  5256. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5257. In some instances, `key` is a required field.
  5258. properties:
  5259. key:
  5260. description: |-
  5261. A key in the referenced Secret.
  5262. Some instances of this field may be defaulted, in others it may be required.
  5263. maxLength: 253
  5264. minLength: 1
  5265. pattern: ^[-._a-zA-Z0-9]+$
  5266. type: string
  5267. name:
  5268. description: The name of the Secret resource being referred to.
  5269. maxLength: 253
  5270. minLength: 1
  5271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5272. type: string
  5273. namespace:
  5274. description: |-
  5275. The namespace of the Secret resource being referred to.
  5276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5277. maxLength: 63
  5278. minLength: 1
  5279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5280. type: string
  5281. type: object
  5282. privateKey:
  5283. description: |-
  5284. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5285. In some instances, `key` is a required field.
  5286. properties:
  5287. key:
  5288. description: |-
  5289. A key in the referenced Secret.
  5290. Some instances of this field may be defaulted, in others it may be required.
  5291. maxLength: 253
  5292. minLength: 1
  5293. pattern: ^[-._a-zA-Z0-9]+$
  5294. type: string
  5295. name:
  5296. description: The name of the Secret resource being referred to.
  5297. maxLength: 253
  5298. minLength: 1
  5299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5300. type: string
  5301. namespace:
  5302. description: |-
  5303. The namespace of the Secret resource being referred to.
  5304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5305. maxLength: 63
  5306. minLength: 1
  5307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5308. type: string
  5309. type: object
  5310. privateKeyPassphrase:
  5311. description: |-
  5312. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5313. In some instances, `key` is a required field.
  5314. properties:
  5315. key:
  5316. description: |-
  5317. A key in the referenced Secret.
  5318. Some instances of this field may be defaulted, in others it may be required.
  5319. maxLength: 253
  5320. minLength: 1
  5321. pattern: ^[-._a-zA-Z0-9]+$
  5322. type: string
  5323. name:
  5324. description: The name of the Secret resource being referred to.
  5325. maxLength: 253
  5326. minLength: 1
  5327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5328. type: string
  5329. namespace:
  5330. description: |-
  5331. The namespace of the Secret resource being referred to.
  5332. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5333. maxLength: 63
  5334. minLength: 1
  5335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5336. type: string
  5337. type: object
  5338. region:
  5339. description: |-
  5340. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5341. In some instances, `key` is a required field.
  5342. properties:
  5343. key:
  5344. description: |-
  5345. A key in the referenced Secret.
  5346. Some instances of this field may be defaulted, in others it may be required.
  5347. maxLength: 253
  5348. minLength: 1
  5349. pattern: ^[-._a-zA-Z0-9]+$
  5350. type: string
  5351. name:
  5352. description: The name of the Secret resource being referred to.
  5353. maxLength: 253
  5354. minLength: 1
  5355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5356. type: string
  5357. namespace:
  5358. description: |-
  5359. The namespace of the Secret resource being referred to.
  5360. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5361. maxLength: 63
  5362. minLength: 1
  5363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5364. type: string
  5365. type: object
  5366. tenancyId:
  5367. description: |-
  5368. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5369. In some instances, `key` is a required field.
  5370. properties:
  5371. key:
  5372. description: |-
  5373. A key in the referenced Secret.
  5374. Some instances of this field may be defaulted, in others it may be required.
  5375. maxLength: 253
  5376. minLength: 1
  5377. pattern: ^[-._a-zA-Z0-9]+$
  5378. type: string
  5379. name:
  5380. description: The name of the Secret resource being referred to.
  5381. maxLength: 253
  5382. minLength: 1
  5383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5384. type: string
  5385. namespace:
  5386. description: |-
  5387. The namespace of the Secret resource being referred to.
  5388. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5389. maxLength: 63
  5390. minLength: 1
  5391. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5392. type: string
  5393. type: object
  5394. userId:
  5395. description: |-
  5396. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5397. In some instances, `key` is a required field.
  5398. properties:
  5399. key:
  5400. description: |-
  5401. A key in the referenced Secret.
  5402. Some instances of this field may be defaulted, in others it may be required.
  5403. maxLength: 253
  5404. minLength: 1
  5405. pattern: ^[-._a-zA-Z0-9]+$
  5406. type: string
  5407. name:
  5408. description: The name of the Secret resource being referred to.
  5409. maxLength: 253
  5410. minLength: 1
  5411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5412. type: string
  5413. namespace:
  5414. description: |-
  5415. The namespace of the Secret resource being referred to.
  5416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5417. maxLength: 63
  5418. minLength: 1
  5419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5420. type: string
  5421. type: object
  5422. required:
  5423. - fingerprint
  5424. - identityId
  5425. - privateKey
  5426. - region
  5427. - tenancyId
  5428. - userId
  5429. type: object
  5430. tokenAuthCredentials:
  5431. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  5432. properties:
  5433. accessToken:
  5434. description: |-
  5435. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5436. In some instances, `key` is a required field.
  5437. properties:
  5438. key:
  5439. description: |-
  5440. A key in the referenced Secret.
  5441. Some instances of this field may be defaulted, in others it may be required.
  5442. maxLength: 253
  5443. minLength: 1
  5444. pattern: ^[-._a-zA-Z0-9]+$
  5445. type: string
  5446. name:
  5447. description: The name of the Secret resource being referred to.
  5448. maxLength: 253
  5449. minLength: 1
  5450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5451. type: string
  5452. namespace:
  5453. description: |-
  5454. The namespace of the Secret resource being referred to.
  5455. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5456. maxLength: 63
  5457. minLength: 1
  5458. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5459. type: string
  5460. type: object
  5461. required:
  5462. - accessToken
  5463. type: object
  5464. universalAuthCredentials:
  5465. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  5466. properties:
  5467. clientId:
  5468. description: |-
  5469. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5470. In some instances, `key` is a required field.
  5471. properties:
  5472. key:
  5473. description: |-
  5474. A key in the referenced Secret.
  5475. Some instances of this field may be defaulted, in others it may be required.
  5476. maxLength: 253
  5477. minLength: 1
  5478. pattern: ^[-._a-zA-Z0-9]+$
  5479. type: string
  5480. name:
  5481. description: The name of the Secret resource being referred to.
  5482. maxLength: 253
  5483. minLength: 1
  5484. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5485. type: string
  5486. namespace:
  5487. description: |-
  5488. The namespace of the Secret resource being referred to.
  5489. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5490. maxLength: 63
  5491. minLength: 1
  5492. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5493. type: string
  5494. type: object
  5495. clientSecret:
  5496. description: |-
  5497. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5498. In some instances, `key` is a required field.
  5499. properties:
  5500. key:
  5501. description: |-
  5502. A key in the referenced Secret.
  5503. Some instances of this field may be defaulted, in others it may be required.
  5504. maxLength: 253
  5505. minLength: 1
  5506. pattern: ^[-._a-zA-Z0-9]+$
  5507. type: string
  5508. name:
  5509. description: The name of the Secret resource being referred to.
  5510. maxLength: 253
  5511. minLength: 1
  5512. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5513. type: string
  5514. namespace:
  5515. description: |-
  5516. The namespace of the Secret resource being referred to.
  5517. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5518. maxLength: 63
  5519. minLength: 1
  5520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5521. type: string
  5522. type: object
  5523. required:
  5524. - clientId
  5525. - clientSecret
  5526. type: object
  5527. type: object
  5528. caBundle:
  5529. description: |-
  5530. CABundle is a PEM-encoded CA certificate bundle used to validate
  5531. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  5532. format: byte
  5533. type: string
  5534. caProvider:
  5535. description: |-
  5536. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  5537. The certificate is used to validate the Infisical server's TLS certificate.
  5538. Mutually exclusive with CABundle.
  5539. properties:
  5540. key:
  5541. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5542. maxLength: 253
  5543. minLength: 1
  5544. pattern: ^[-._a-zA-Z0-9]+$
  5545. type: string
  5546. name:
  5547. description: The name of the object located at the provider type.
  5548. maxLength: 253
  5549. minLength: 1
  5550. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5551. type: string
  5552. namespace:
  5553. description: |-
  5554. The namespace the Provider type is in.
  5555. Can only be defined when used in a ClusterSecretStore.
  5556. maxLength: 63
  5557. minLength: 1
  5558. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5559. type: string
  5560. type:
  5561. description: The type of provider to use such as "Secret", or "ConfigMap".
  5562. enum:
  5563. - Secret
  5564. - ConfigMap
  5565. type: string
  5566. required:
  5567. - name
  5568. - type
  5569. type: object
  5570. hostAPI:
  5571. default: https://app.infisical.com/api
  5572. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  5573. type: string
  5574. secretsScope:
  5575. description: SecretsScope defines the scope of the secrets within the workspace
  5576. properties:
  5577. environmentSlug:
  5578. description: EnvironmentSlug is the required slug identifier for the environment.
  5579. type: string
  5580. expandSecretReferences:
  5581. default: true
  5582. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  5583. type: boolean
  5584. organizationSlug:
  5585. description: |-
  5586. OrganizationSlug is the optional slug that identifies the organization that will be used
  5587. during authentication. Useful for sub-organization setups
  5588. type: string
  5589. projectSlug:
  5590. description: ProjectSlug is the required slug identifier for the project.
  5591. type: string
  5592. recursive:
  5593. default: false
  5594. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  5595. type: boolean
  5596. secretsPath:
  5597. default: /
  5598. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  5599. type: string
  5600. required:
  5601. - environmentSlug
  5602. - projectSlug
  5603. type: object
  5604. required:
  5605. - auth
  5606. - secretsScope
  5607. type: object
  5608. keepersecurity:
  5609. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  5610. properties:
  5611. authRef:
  5612. description: |-
  5613. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5614. In some instances, `key` is a required field.
  5615. properties:
  5616. key:
  5617. description: |-
  5618. A key in the referenced Secret.
  5619. Some instances of this field may be defaulted, in others it may be required.
  5620. maxLength: 253
  5621. minLength: 1
  5622. pattern: ^[-._a-zA-Z0-9]+$
  5623. type: string
  5624. name:
  5625. description: The name of the Secret resource being referred to.
  5626. maxLength: 253
  5627. minLength: 1
  5628. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5629. type: string
  5630. namespace:
  5631. description: |-
  5632. The namespace of the Secret resource being referred to.
  5633. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5634. maxLength: 63
  5635. minLength: 1
  5636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5637. type: string
  5638. type: object
  5639. folderID:
  5640. type: string
  5641. getByTitleFallback:
  5642. type: boolean
  5643. required:
  5644. - authRef
  5645. - folderID
  5646. type: object
  5647. kubernetes:
  5648. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  5649. properties:
  5650. auth:
  5651. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  5652. maxProperties: 1
  5653. minProperties: 1
  5654. properties:
  5655. cert:
  5656. description: has both clientCert and clientKey as secretKeySelector
  5657. properties:
  5658. clientCert:
  5659. description: |-
  5660. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5661. In some instances, `key` is a required field.
  5662. properties:
  5663. key:
  5664. description: |-
  5665. A key in the referenced Secret.
  5666. Some instances of this field may be defaulted, in others it may be required.
  5667. maxLength: 253
  5668. minLength: 1
  5669. pattern: ^[-._a-zA-Z0-9]+$
  5670. type: string
  5671. name:
  5672. description: The name of the Secret resource being referred to.
  5673. maxLength: 253
  5674. minLength: 1
  5675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5676. type: string
  5677. namespace:
  5678. description: |-
  5679. The namespace of the Secret resource being referred to.
  5680. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5681. maxLength: 63
  5682. minLength: 1
  5683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5684. type: string
  5685. type: object
  5686. clientKey:
  5687. description: |-
  5688. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5689. In some instances, `key` is a required field.
  5690. properties:
  5691. key:
  5692. description: |-
  5693. A key in the referenced Secret.
  5694. Some instances of this field may be defaulted, in others it may be required.
  5695. maxLength: 253
  5696. minLength: 1
  5697. pattern: ^[-._a-zA-Z0-9]+$
  5698. type: string
  5699. name:
  5700. description: The name of the Secret resource being referred to.
  5701. maxLength: 253
  5702. minLength: 1
  5703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5704. type: string
  5705. namespace:
  5706. description: |-
  5707. The namespace of the Secret resource being referred to.
  5708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5709. maxLength: 63
  5710. minLength: 1
  5711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5712. type: string
  5713. type: object
  5714. type: object
  5715. serviceAccount:
  5716. description: points to a service account that should be used for authentication
  5717. properties:
  5718. audiences:
  5719. description: |-
  5720. Audience specifies the `aud` claim for the service account token
  5721. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  5722. then this audiences will be appended to the list
  5723. items:
  5724. type: string
  5725. type: array
  5726. name:
  5727. description: The name of the ServiceAccount resource being referred to.
  5728. maxLength: 253
  5729. minLength: 1
  5730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5731. type: string
  5732. namespace:
  5733. description: |-
  5734. Namespace of the resource being referred to.
  5735. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5736. maxLength: 63
  5737. minLength: 1
  5738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5739. type: string
  5740. required:
  5741. - name
  5742. type: object
  5743. token:
  5744. description: use static token to authenticate with
  5745. properties:
  5746. bearerToken:
  5747. description: |-
  5748. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5749. In some instances, `key` is a required field.
  5750. properties:
  5751. key:
  5752. description: |-
  5753. A key in the referenced Secret.
  5754. Some instances of this field may be defaulted, in others it may be required.
  5755. maxLength: 253
  5756. minLength: 1
  5757. pattern: ^[-._a-zA-Z0-9]+$
  5758. type: string
  5759. name:
  5760. description: The name of the Secret resource being referred to.
  5761. maxLength: 253
  5762. minLength: 1
  5763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5764. type: string
  5765. namespace:
  5766. description: |-
  5767. The namespace of the Secret resource being referred to.
  5768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5769. maxLength: 63
  5770. minLength: 1
  5771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5772. type: string
  5773. type: object
  5774. type: object
  5775. type: object
  5776. authRef:
  5777. description: A reference to a secret that contains the auth information.
  5778. properties:
  5779. key:
  5780. description: |-
  5781. A key in the referenced Secret.
  5782. Some instances of this field may be defaulted, in others it may be required.
  5783. maxLength: 253
  5784. minLength: 1
  5785. pattern: ^[-._a-zA-Z0-9]+$
  5786. type: string
  5787. name:
  5788. description: The name of the Secret resource being referred to.
  5789. maxLength: 253
  5790. minLength: 1
  5791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5792. type: string
  5793. namespace:
  5794. description: |-
  5795. The namespace of the Secret resource being referred to.
  5796. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5797. maxLength: 63
  5798. minLength: 1
  5799. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5800. type: string
  5801. type: object
  5802. remoteNamespace:
  5803. default: default
  5804. description: Remote namespace to fetch the secrets from
  5805. maxLength: 63
  5806. minLength: 1
  5807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5808. type: string
  5809. server:
  5810. description: configures the Kubernetes server Address.
  5811. properties:
  5812. caBundle:
  5813. description: CABundle is a base64-encoded CA certificate
  5814. format: byte
  5815. type: string
  5816. caProvider:
  5817. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  5818. properties:
  5819. key:
  5820. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  5821. maxLength: 253
  5822. minLength: 1
  5823. pattern: ^[-._a-zA-Z0-9]+$
  5824. type: string
  5825. name:
  5826. description: The name of the object located at the provider type.
  5827. maxLength: 253
  5828. minLength: 1
  5829. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5830. type: string
  5831. namespace:
  5832. description: |-
  5833. The namespace the Provider type is in.
  5834. Can only be defined when used in a ClusterSecretStore.
  5835. maxLength: 63
  5836. minLength: 1
  5837. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5838. type: string
  5839. type:
  5840. description: The type of provider to use such as "Secret", or "ConfigMap".
  5841. enum:
  5842. - Secret
  5843. - ConfigMap
  5844. type: string
  5845. required:
  5846. - name
  5847. - type
  5848. type: object
  5849. url:
  5850. default: kubernetes.default
  5851. description: configures the Kubernetes server Address.
  5852. type: string
  5853. type: object
  5854. type: object
  5855. nebiusmysterybox:
  5856. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  5857. properties:
  5858. apiDomain:
  5859. description: NebiusMysterybox API endpoint
  5860. type: string
  5861. auth:
  5862. description: Auth defines parameters to authenticate in MysteryBox
  5863. properties:
  5864. serviceAccountCredsSecretRef:
  5865. description: |-
  5866. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  5867. document with service account credentials used to get an IAM token.
  5868. Expected JSON structure:
  5869. {
  5870. "subject-credentials": {
  5871. "alg": "RS256",
  5872. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  5873. "kid": "<public-key-id>",
  5874. "iss": "<issuer-service-account-id>",
  5875. "sub": "<subject-service-account-id>"
  5876. }
  5877. }
  5878. properties:
  5879. key:
  5880. description: |-
  5881. A key in the referenced Secret.
  5882. Some instances of this field may be defaulted, in others it may be required.
  5883. maxLength: 253
  5884. minLength: 1
  5885. pattern: ^[-._a-zA-Z0-9]+$
  5886. type: string
  5887. name:
  5888. description: The name of the Secret resource being referred to.
  5889. maxLength: 253
  5890. minLength: 1
  5891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5892. type: string
  5893. namespace:
  5894. description: |-
  5895. The namespace of the Secret resource being referred to.
  5896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5897. maxLength: 63
  5898. minLength: 1
  5899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5900. type: string
  5901. type: object
  5902. tokenSecretRef:
  5903. description: Token authenticates with Nebius Mysterybox by presenting a token.
  5904. properties:
  5905. key:
  5906. description: |-
  5907. A key in the referenced Secret.
  5908. Some instances of this field may be defaulted, in others it may be required.
  5909. maxLength: 253
  5910. minLength: 1
  5911. pattern: ^[-._a-zA-Z0-9]+$
  5912. type: string
  5913. name:
  5914. description: The name of the Secret resource being referred to.
  5915. maxLength: 253
  5916. minLength: 1
  5917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5918. type: string
  5919. namespace:
  5920. description: |-
  5921. The namespace of the Secret resource being referred to.
  5922. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5923. maxLength: 63
  5924. minLength: 1
  5925. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5926. type: string
  5927. type: object
  5928. type: object
  5929. x-kubernetes-validations:
  5930. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  5931. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  5932. caProvider:
  5933. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  5934. properties:
  5935. certSecretRef:
  5936. description: |-
  5937. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  5938. In some instances, `key` is a required field.
  5939. properties:
  5940. key:
  5941. description: |-
  5942. A key in the referenced Secret.
  5943. Some instances of this field may be defaulted, in others it may be required.
  5944. maxLength: 253
  5945. minLength: 1
  5946. pattern: ^[-._a-zA-Z0-9]+$
  5947. type: string
  5948. name:
  5949. description: The name of the Secret resource being referred to.
  5950. maxLength: 253
  5951. minLength: 1
  5952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5953. type: string
  5954. namespace:
  5955. description: |-
  5956. The namespace of the Secret resource being referred to.
  5957. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  5958. maxLength: 63
  5959. minLength: 1
  5960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  5961. type: string
  5962. type: object
  5963. type: object
  5964. required:
  5965. - apiDomain
  5966. - auth
  5967. type: object
  5968. ngrok:
  5969. description: Ngrok configures this store to sync secrets using the ngrok provider.
  5970. properties:
  5971. apiUrl:
  5972. default: https://api.ngrok.com
  5973. description: APIURL is the URL of the ngrok API.
  5974. type: string
  5975. auth:
  5976. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  5977. maxProperties: 1
  5978. minProperties: 1
  5979. properties:
  5980. apiKey:
  5981. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  5982. properties:
  5983. secretRef:
  5984. description: SecretRef is a reference to a secret containing the ngrok API key.
  5985. properties:
  5986. key:
  5987. description: |-
  5988. A key in the referenced Secret.
  5989. Some instances of this field may be defaulted, in others it may be required.
  5990. maxLength: 253
  5991. minLength: 1
  5992. pattern: ^[-._a-zA-Z0-9]+$
  5993. type: string
  5994. name:
  5995. description: The name of the Secret resource being referred to.
  5996. maxLength: 253
  5997. minLength: 1
  5998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  5999. type: string
  6000. namespace:
  6001. description: |-
  6002. The namespace of the Secret resource being referred to.
  6003. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6004. maxLength: 63
  6005. minLength: 1
  6006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6007. type: string
  6008. type: object
  6009. type: object
  6010. type: object
  6011. vault:
  6012. description: Vault configures the ngrok vault to sync secrets with.
  6013. properties:
  6014. name:
  6015. description: Name is the name of the ngrok vault to sync secrets with.
  6016. type: string
  6017. required:
  6018. - name
  6019. type: object
  6020. required:
  6021. - auth
  6022. - vault
  6023. type: object
  6024. onboardbase:
  6025. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  6026. properties:
  6027. apiHost:
  6028. default: https://public.onboardbase.com/api/v1/
  6029. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  6030. type: string
  6031. auth:
  6032. description: Auth configures how the Operator authenticates with the Onboardbase API
  6033. properties:
  6034. apiKeyRef:
  6035. description: |-
  6036. OnboardbaseAPIKey is the APIKey generated by an admin account.
  6037. It is used to recognize and authorize access to a project and environment within onboardbase
  6038. properties:
  6039. key:
  6040. description: |-
  6041. A key in the referenced Secret.
  6042. Some instances of this field may be defaulted, in others it may be required.
  6043. maxLength: 253
  6044. minLength: 1
  6045. pattern: ^[-._a-zA-Z0-9]+$
  6046. type: string
  6047. name:
  6048. description: The name of the Secret resource being referred to.
  6049. maxLength: 253
  6050. minLength: 1
  6051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6052. type: string
  6053. namespace:
  6054. description: |-
  6055. The namespace of the Secret resource being referred to.
  6056. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6057. maxLength: 63
  6058. minLength: 1
  6059. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6060. type: string
  6061. type: object
  6062. passcodeRef:
  6063. description: OnboardbasePasscode is the passcode attached to the API Key
  6064. properties:
  6065. key:
  6066. description: |-
  6067. A key in the referenced Secret.
  6068. Some instances of this field may be defaulted, in others it may be required.
  6069. maxLength: 253
  6070. minLength: 1
  6071. pattern: ^[-._a-zA-Z0-9]+$
  6072. type: string
  6073. name:
  6074. description: The name of the Secret resource being referred to.
  6075. maxLength: 253
  6076. minLength: 1
  6077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6078. type: string
  6079. namespace:
  6080. description: |-
  6081. The namespace of the Secret resource being referred to.
  6082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6083. maxLength: 63
  6084. minLength: 1
  6085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6086. type: string
  6087. type: object
  6088. required:
  6089. - apiKeyRef
  6090. - passcodeRef
  6091. type: object
  6092. environment:
  6093. default: development
  6094. description: Environment is the name of an environmnent within a project to pull the secrets from
  6095. type: string
  6096. project:
  6097. default: development
  6098. description: Project is an onboardbase project that the secrets should be pulled from
  6099. type: string
  6100. required:
  6101. - apiHost
  6102. - auth
  6103. - environment
  6104. - project
  6105. type: object
  6106. onepassword:
  6107. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  6108. properties:
  6109. auth:
  6110. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  6111. properties:
  6112. secretRef:
  6113. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  6114. properties:
  6115. connectTokenSecretRef:
  6116. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  6117. properties:
  6118. key:
  6119. description: |-
  6120. A key in the referenced Secret.
  6121. Some instances of this field may be defaulted, in others it may be required.
  6122. maxLength: 253
  6123. minLength: 1
  6124. pattern: ^[-._a-zA-Z0-9]+$
  6125. type: string
  6126. name:
  6127. description: The name of the Secret resource being referred to.
  6128. maxLength: 253
  6129. minLength: 1
  6130. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6131. type: string
  6132. namespace:
  6133. description: |-
  6134. The namespace of the Secret resource being referred to.
  6135. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6136. maxLength: 63
  6137. minLength: 1
  6138. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6139. type: string
  6140. type: object
  6141. required:
  6142. - connectTokenSecretRef
  6143. type: object
  6144. required:
  6145. - secretRef
  6146. type: object
  6147. connectHost:
  6148. description: ConnectHost defines the OnePassword Connect Server to connect to
  6149. type: string
  6150. vaults:
  6151. additionalProperties:
  6152. type: integer
  6153. description: Vaults defines which OnePassword vaults to search in which order
  6154. type: object
  6155. required:
  6156. - auth
  6157. - connectHost
  6158. - vaults
  6159. type: object
  6160. onepasswordSDK:
  6161. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  6162. properties:
  6163. auth:
  6164. description: Auth defines the information necessary to authenticate against OnePassword API.
  6165. properties:
  6166. serviceAccountSecretRef:
  6167. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  6168. properties:
  6169. key:
  6170. description: |-
  6171. A key in the referenced Secret.
  6172. Some instances of this field may be defaulted, in others it may be required.
  6173. maxLength: 253
  6174. minLength: 1
  6175. pattern: ^[-._a-zA-Z0-9]+$
  6176. type: string
  6177. name:
  6178. description: The name of the Secret resource being referred to.
  6179. maxLength: 253
  6180. minLength: 1
  6181. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6182. type: string
  6183. namespace:
  6184. description: |-
  6185. The namespace of the Secret resource being referred to.
  6186. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6187. maxLength: 63
  6188. minLength: 1
  6189. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6190. type: string
  6191. type: object
  6192. required:
  6193. - serviceAccountSecretRef
  6194. type: object
  6195. cache:
  6196. description: |-
  6197. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  6198. When enabled, secrets are cached with the specified TTL.
  6199. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  6200. If omitted, caching is disabled (default).
  6201. cache: {} is a valid option to set.
  6202. properties:
  6203. maxSize:
  6204. default: 100
  6205. description: |-
  6206. MaxSize is the maximum number of secrets to cache.
  6207. When the cache is full, least-recently-used entries are evicted.
  6208. minimum: 1
  6209. type: integer
  6210. ttl:
  6211. default: 5m
  6212. description: |-
  6213. TTL is the time-to-live for cached secrets.
  6214. Format: duration string (e.g., "5m", "1h", "30s")
  6215. type: string
  6216. type: object
  6217. integrationInfo:
  6218. description: |-
  6219. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  6220. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  6221. properties:
  6222. name:
  6223. default: 1Password SDK
  6224. description: Name defaults to "1Password SDK".
  6225. type: string
  6226. version:
  6227. default: v1.0.0
  6228. description: Version defaults to "v1.0.0".
  6229. type: string
  6230. type: object
  6231. vault:
  6232. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  6233. type: string
  6234. required:
  6235. - auth
  6236. - vault
  6237. type: object
  6238. openBao:
  6239. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  6240. properties:
  6241. auth:
  6242. description: Auth configures how secret-manager authenticates with the OpenBao server.
  6243. properties:
  6244. appRole:
  6245. description: |-
  6246. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  6247. with the role and secret stored in a Kubernetes Secret resource.
  6248. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  6249. properties:
  6250. path:
  6251. default: approle
  6252. description: |-
  6253. Path where the App Role authentication backend is mounted
  6254. in OpenBao, e.g: "approle"
  6255. type: string
  6256. roleId:
  6257. description: |-
  6258. RoleID configured in the App Role authentication backend when setting
  6259. up the authentication backend in OpenBao.
  6260. minLength: 1
  6261. type: string
  6262. roleRef:
  6263. description: |-
  6264. Reference to a key in a Secret that contains the App Role ID used
  6265. to authenticate with OpenBao.
  6266. The `key` field must be specified and denotes which entry within the Secret
  6267. resource is used as the app role id.
  6268. properties:
  6269. key:
  6270. description: |-
  6271. A key in the referenced Secret.
  6272. Some instances of this field may be defaulted, in others it may be required.
  6273. maxLength: 253
  6274. minLength: 1
  6275. pattern: ^[-._a-zA-Z0-9]+$
  6276. type: string
  6277. name:
  6278. description: The name of the Secret resource being referred to.
  6279. maxLength: 253
  6280. minLength: 1
  6281. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6282. type: string
  6283. namespace:
  6284. description: |-
  6285. The namespace of the Secret resource being referred to.
  6286. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6287. maxLength: 63
  6288. minLength: 1
  6289. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6290. type: string
  6291. type: object
  6292. secretRef:
  6293. description: |-
  6294. Reference to a key in a Secret that contains the App Role secret used
  6295. to authenticate with OpenBao.
  6296. The `key` field must be specified and denotes which entry within the Secret
  6297. resource is used as the app role secret.
  6298. properties:
  6299. key:
  6300. description: |-
  6301. A key in the referenced Secret.
  6302. Some instances of this field may be defaulted, in others it may be required.
  6303. maxLength: 253
  6304. minLength: 1
  6305. pattern: ^[-._a-zA-Z0-9]+$
  6306. type: string
  6307. name:
  6308. description: The name of the Secret resource being referred to.
  6309. maxLength: 253
  6310. minLength: 1
  6311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6312. type: string
  6313. namespace:
  6314. description: |-
  6315. The namespace of the Secret resource being referred to.
  6316. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6317. maxLength: 63
  6318. minLength: 1
  6319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6320. type: string
  6321. type: object
  6322. required:
  6323. - path
  6324. - secretRef
  6325. type: object
  6326. x-kubernetes-validations:
  6327. - message: exactly one of the fields in [roleId roleRef] must be set
  6328. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  6329. namespace:
  6330. description: |-
  6331. Name of the [OpenBao Namespace] to authenticate to. This can be different
  6332. than the namespace your secret is in. Namespaces is a set of features
  6333. within OpenBao that allows OpenBao environments to support secure
  6334. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  6335. if set, or empty otherwise
  6336. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6337. type: string
  6338. tokenSecretRef:
  6339. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  6340. properties:
  6341. key:
  6342. description: |-
  6343. A key in the referenced Secret.
  6344. Some instances of this field may be defaulted, in others it may be required.
  6345. maxLength: 253
  6346. minLength: 1
  6347. pattern: ^[-._a-zA-Z0-9]+$
  6348. type: string
  6349. name:
  6350. description: The name of the Secret resource being referred to.
  6351. maxLength: 253
  6352. minLength: 1
  6353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6354. type: string
  6355. namespace:
  6356. description: |-
  6357. The namespace of the Secret resource being referred to.
  6358. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6359. maxLength: 63
  6360. minLength: 1
  6361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6362. type: string
  6363. type: object
  6364. userPass:
  6365. description: UserPass authenticates with OpenBao by passing a username/password pair
  6366. properties:
  6367. path:
  6368. default: userpass
  6369. description: |-
  6370. Path where the UserPassword authentication backend is mounted
  6371. in OpenBao, e.g: "userpass"
  6372. type: string
  6373. secretRef:
  6374. description: |-
  6375. SecretRef to a key in a Secret resource containing password for the user
  6376. used to authenticate with OpenBao using the [UserPass authentication
  6377. method]
  6378. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6379. properties:
  6380. key:
  6381. description: |-
  6382. A key in the referenced Secret.
  6383. Some instances of this field may be defaulted, in others it may be required.
  6384. maxLength: 253
  6385. minLength: 1
  6386. pattern: ^[-._a-zA-Z0-9]+$
  6387. type: string
  6388. name:
  6389. description: The name of the Secret resource being referred to.
  6390. maxLength: 253
  6391. minLength: 1
  6392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6393. type: string
  6394. namespace:
  6395. description: |-
  6396. The namespace of the Secret resource being referred to.
  6397. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6398. maxLength: 63
  6399. minLength: 1
  6400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6401. type: string
  6402. type: object
  6403. username:
  6404. description: |-
  6405. Username is a username used to authenticate using the [UserPass
  6406. authentication method]
  6407. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  6408. type: string
  6409. required:
  6410. - path
  6411. - username
  6412. type: object
  6413. type: object
  6414. x-kubernetes-validations:
  6415. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  6416. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  6417. caBundle:
  6418. description: |-
  6419. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  6420. this and `caProvider` are not set the system root certificates are used
  6421. to validate the TLS connection.
  6422. format: byte
  6423. type: string
  6424. caProvider:
  6425. description: |-
  6426. The provider for the CA bundle to use to validate OpenBao server
  6427. certificate. If this and `caBundle` are not set the system root
  6428. certificates are used to validate the TLS connection.
  6429. properties:
  6430. key:
  6431. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6432. maxLength: 253
  6433. minLength: 1
  6434. pattern: ^[-._a-zA-Z0-9]+$
  6435. type: string
  6436. name:
  6437. description: The name of the object located at the provider type.
  6438. maxLength: 253
  6439. minLength: 1
  6440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6441. type: string
  6442. namespace:
  6443. description: |-
  6444. The namespace the Provider type is in.
  6445. Can only be defined when used in a ClusterSecretStore.
  6446. maxLength: 63
  6447. minLength: 1
  6448. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6449. type: string
  6450. type:
  6451. description: The type of provider to use such as "Secret", or "ConfigMap".
  6452. enum:
  6453. - Secret
  6454. - ConfigMap
  6455. type: string
  6456. required:
  6457. - name
  6458. - type
  6459. type: object
  6460. namespace:
  6461. description: |-
  6462. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  6463. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  6464. e.g: "ns1".
  6465. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  6466. type: string
  6467. path:
  6468. description: |-
  6469. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  6470. "secret". The v2 KV secret engine version specific "/data" path suffix
  6471. for fetching secrets from OpenBao is optional and will be appended
  6472. if not present in specified path.
  6473. type: string
  6474. server:
  6475. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  6476. type: string
  6477. version:
  6478. default: v2
  6479. description: |-
  6480. Version is the OpenBao KV secret engine version. This can be either "v1" or
  6481. "v2". Version defaults to "v2".
  6482. enum:
  6483. - v1
  6484. - v2
  6485. type: string
  6486. required:
  6487. - server
  6488. type: object
  6489. x-kubernetes-validations:
  6490. - message: at most one of the fields in [caBundle caProvider] may be set
  6491. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  6492. oracle:
  6493. description: Oracle configures this store to sync secrets using Oracle Vault provider
  6494. properties:
  6495. auth:
  6496. description: |-
  6497. Auth configures how secret-manager authenticates with the Oracle Vault.
  6498. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  6499. properties:
  6500. secretRef:
  6501. description: SecretRef to pass through sensitive information.
  6502. properties:
  6503. fingerprint:
  6504. description: Fingerprint is the fingerprint of the API private key.
  6505. properties:
  6506. key:
  6507. description: |-
  6508. A key in the referenced Secret.
  6509. Some instances of this field may be defaulted, in others it may be required.
  6510. maxLength: 253
  6511. minLength: 1
  6512. pattern: ^[-._a-zA-Z0-9]+$
  6513. type: string
  6514. name:
  6515. description: The name of the Secret resource being referred to.
  6516. maxLength: 253
  6517. minLength: 1
  6518. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6519. type: string
  6520. namespace:
  6521. description: |-
  6522. The namespace of the Secret resource being referred to.
  6523. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6524. maxLength: 63
  6525. minLength: 1
  6526. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6527. type: string
  6528. type: object
  6529. privatekey:
  6530. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  6531. properties:
  6532. key:
  6533. description: |-
  6534. A key in the referenced Secret.
  6535. Some instances of this field may be defaulted, in others it may be required.
  6536. maxLength: 253
  6537. minLength: 1
  6538. pattern: ^[-._a-zA-Z0-9]+$
  6539. type: string
  6540. name:
  6541. description: The name of the Secret resource being referred to.
  6542. maxLength: 253
  6543. minLength: 1
  6544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6545. type: string
  6546. namespace:
  6547. description: |-
  6548. The namespace of the Secret resource being referred to.
  6549. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6550. maxLength: 63
  6551. minLength: 1
  6552. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6553. type: string
  6554. type: object
  6555. required:
  6556. - fingerprint
  6557. - privatekey
  6558. type: object
  6559. tenancy:
  6560. description: Tenancy is the tenancy OCID where user is located.
  6561. type: string
  6562. user:
  6563. description: User is an access OCID specific to the account.
  6564. type: string
  6565. required:
  6566. - secretRef
  6567. - tenancy
  6568. - user
  6569. type: object
  6570. compartment:
  6571. description: |-
  6572. Compartment is the vault compartment OCID.
  6573. Required for PushSecret
  6574. type: string
  6575. encryptionKey:
  6576. description: |-
  6577. EncryptionKey is the OCID of the encryption key within the vault.
  6578. Required for PushSecret
  6579. type: string
  6580. principalType:
  6581. description: |-
  6582. The type of principal to use for authentication. If left blank, the Auth struct will
  6583. determine the principal type. This optional field must be specified if using
  6584. workload identity.
  6585. enum:
  6586. - ""
  6587. - UserPrincipal
  6588. - InstancePrincipal
  6589. - Workload
  6590. type: string
  6591. region:
  6592. description: Region is the region where vault is located.
  6593. type: string
  6594. serviceAccountRef:
  6595. description: |-
  6596. ServiceAccountRef specified the service account
  6597. that should be used when authenticating with WorkloadIdentity.
  6598. properties:
  6599. audiences:
  6600. description: |-
  6601. Audience specifies the `aud` claim for the service account token
  6602. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6603. then this audiences will be appended to the list
  6604. items:
  6605. type: string
  6606. type: array
  6607. name:
  6608. description: The name of the ServiceAccount resource being referred to.
  6609. maxLength: 253
  6610. minLength: 1
  6611. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6612. type: string
  6613. namespace:
  6614. description: |-
  6615. Namespace of the resource being referred to.
  6616. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6617. maxLength: 63
  6618. minLength: 1
  6619. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6620. type: string
  6621. required:
  6622. - name
  6623. type: object
  6624. vault:
  6625. description: Vault is the vault's OCID of the specific vault where secret is located.
  6626. type: string
  6627. required:
  6628. - region
  6629. - vault
  6630. type: object
  6631. ovh:
  6632. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  6633. properties:
  6634. auth:
  6635. description: Authentication method (mtls or token).
  6636. properties:
  6637. mtls:
  6638. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  6639. properties:
  6640. caBundle:
  6641. format: byte
  6642. type: string
  6643. caProvider:
  6644. description: |-
  6645. CAProvider provides a custom certificate authority for accessing the provider's store.
  6646. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  6647. properties:
  6648. key:
  6649. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6650. maxLength: 253
  6651. minLength: 1
  6652. pattern: ^[-._a-zA-Z0-9]+$
  6653. type: string
  6654. name:
  6655. description: The name of the object located at the provider type.
  6656. maxLength: 253
  6657. minLength: 1
  6658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6659. type: string
  6660. namespace:
  6661. description: |-
  6662. The namespace the Provider type is in.
  6663. Can only be defined when used in a ClusterSecretStore.
  6664. maxLength: 63
  6665. minLength: 1
  6666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6667. type: string
  6668. type:
  6669. description: The type of provider to use such as "Secret", or "ConfigMap".
  6670. enum:
  6671. - Secret
  6672. - ConfigMap
  6673. type: string
  6674. required:
  6675. - name
  6676. - type
  6677. type: object
  6678. certSecretRef:
  6679. description: |-
  6680. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6681. In some instances, `key` is a required field.
  6682. properties:
  6683. key:
  6684. description: |-
  6685. A key in the referenced Secret.
  6686. Some instances of this field may be defaulted, in others it may be required.
  6687. maxLength: 253
  6688. minLength: 1
  6689. pattern: ^[-._a-zA-Z0-9]+$
  6690. type: string
  6691. name:
  6692. description: The name of the Secret resource being referred to.
  6693. maxLength: 253
  6694. minLength: 1
  6695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6696. type: string
  6697. namespace:
  6698. description: |-
  6699. The namespace of the Secret resource being referred to.
  6700. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6701. maxLength: 63
  6702. minLength: 1
  6703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6704. type: string
  6705. type: object
  6706. keySecretRef:
  6707. description: |-
  6708. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6709. In some instances, `key` is a required field.
  6710. properties:
  6711. key:
  6712. description: |-
  6713. A key in the referenced Secret.
  6714. Some instances of this field may be defaulted, in others it may be required.
  6715. maxLength: 253
  6716. minLength: 1
  6717. pattern: ^[-._a-zA-Z0-9]+$
  6718. type: string
  6719. name:
  6720. description: The name of the Secret resource being referred to.
  6721. maxLength: 253
  6722. minLength: 1
  6723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6724. type: string
  6725. namespace:
  6726. description: |-
  6727. The namespace of the Secret resource being referred to.
  6728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6729. maxLength: 63
  6730. minLength: 1
  6731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6732. type: string
  6733. type: object
  6734. required:
  6735. - certSecretRef
  6736. - keySecretRef
  6737. type: object
  6738. token:
  6739. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  6740. properties:
  6741. tokenSecretRef:
  6742. description: |-
  6743. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6744. In some instances, `key` is a required field.
  6745. properties:
  6746. key:
  6747. description: |-
  6748. A key in the referenced Secret.
  6749. Some instances of this field may be defaulted, in others it may be required.
  6750. maxLength: 253
  6751. minLength: 1
  6752. pattern: ^[-._a-zA-Z0-9]+$
  6753. type: string
  6754. name:
  6755. description: The name of the Secret resource being referred to.
  6756. maxLength: 253
  6757. minLength: 1
  6758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6759. type: string
  6760. namespace:
  6761. description: |-
  6762. The namespace of the Secret resource being referred to.
  6763. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6764. maxLength: 63
  6765. minLength: 1
  6766. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6767. type: string
  6768. type: object
  6769. required:
  6770. - tokenSecretRef
  6771. type: object
  6772. type: object
  6773. casRequired:
  6774. description: 'Enables or disables check-and-set (CAS) (default: false).'
  6775. type: boolean
  6776. okmsTimeout:
  6777. default: 30
  6778. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  6779. format: int32
  6780. minimum: 1
  6781. type: integer
  6782. okmsid:
  6783. description: specifies the OKMS ID.
  6784. type: string
  6785. server:
  6786. description: specifies the OKMS server endpoint.
  6787. type: string
  6788. required:
  6789. - auth
  6790. - okmsid
  6791. - server
  6792. type: object
  6793. passbolt:
  6794. description: |-
  6795. PassboltProvider provides access to Passbolt secrets manager.
  6796. See: https://www.passbolt.com.
  6797. properties:
  6798. auth:
  6799. description: Auth defines the information necessary to authenticate against Passbolt Server
  6800. properties:
  6801. passwordSecretRef:
  6802. description: |-
  6803. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6804. In some instances, `key` is a required field.
  6805. properties:
  6806. key:
  6807. description: |-
  6808. A key in the referenced Secret.
  6809. Some instances of this field may be defaulted, in others it may be required.
  6810. maxLength: 253
  6811. minLength: 1
  6812. pattern: ^[-._a-zA-Z0-9]+$
  6813. type: string
  6814. name:
  6815. description: The name of the Secret resource being referred to.
  6816. maxLength: 253
  6817. minLength: 1
  6818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6819. type: string
  6820. namespace:
  6821. description: |-
  6822. The namespace of the Secret resource being referred to.
  6823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6824. maxLength: 63
  6825. minLength: 1
  6826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6827. type: string
  6828. type: object
  6829. privateKeySecretRef:
  6830. description: |-
  6831. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  6832. In some instances, `key` is a required field.
  6833. properties:
  6834. key:
  6835. description: |-
  6836. A key in the referenced Secret.
  6837. Some instances of this field may be defaulted, in others it may be required.
  6838. maxLength: 253
  6839. minLength: 1
  6840. pattern: ^[-._a-zA-Z0-9]+$
  6841. type: string
  6842. name:
  6843. description: The name of the Secret resource being referred to.
  6844. maxLength: 253
  6845. minLength: 1
  6846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6847. type: string
  6848. namespace:
  6849. description: |-
  6850. The namespace of the Secret resource being referred to.
  6851. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6852. maxLength: 63
  6853. minLength: 1
  6854. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6855. type: string
  6856. type: object
  6857. required:
  6858. - passwordSecretRef
  6859. - privateKeySecretRef
  6860. type: object
  6861. caBundle:
  6862. description: |-
  6863. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  6864. if the Host URL is using HTTPS protocol. If not set the system root certificates
  6865. are used to validate the TLS connection.
  6866. format: byte
  6867. type: string
  6868. caProvider:
  6869. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  6870. properties:
  6871. key:
  6872. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  6873. maxLength: 253
  6874. minLength: 1
  6875. pattern: ^[-._a-zA-Z0-9]+$
  6876. type: string
  6877. name:
  6878. description: The name of the object located at the provider type.
  6879. maxLength: 253
  6880. minLength: 1
  6881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6882. type: string
  6883. namespace:
  6884. description: |-
  6885. The namespace the Provider type is in.
  6886. Can only be defined when used in a ClusterSecretStore.
  6887. maxLength: 63
  6888. minLength: 1
  6889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6890. type: string
  6891. type:
  6892. description: The type of provider to use such as "Secret", or "ConfigMap".
  6893. enum:
  6894. - Secret
  6895. - ConfigMap
  6896. type: string
  6897. required:
  6898. - name
  6899. - type
  6900. type: object
  6901. host:
  6902. description: Host defines the Passbolt Server to connect to
  6903. type: string
  6904. required:
  6905. - auth
  6906. - host
  6907. type: object
  6908. passworddepot:
  6909. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  6910. properties:
  6911. auth:
  6912. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  6913. properties:
  6914. secretRef:
  6915. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  6916. properties:
  6917. credentials:
  6918. description: Username / Password is used for authentication.
  6919. properties:
  6920. key:
  6921. description: |-
  6922. A key in the referenced Secret.
  6923. Some instances of this field may be defaulted, in others it may be required.
  6924. maxLength: 253
  6925. minLength: 1
  6926. pattern: ^[-._a-zA-Z0-9]+$
  6927. type: string
  6928. name:
  6929. description: The name of the Secret resource being referred to.
  6930. maxLength: 253
  6931. minLength: 1
  6932. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6933. type: string
  6934. namespace:
  6935. description: |-
  6936. The namespace of the Secret resource being referred to.
  6937. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6938. maxLength: 63
  6939. minLength: 1
  6940. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6941. type: string
  6942. type: object
  6943. type: object
  6944. required:
  6945. - secretRef
  6946. type: object
  6947. database:
  6948. description: Database to use as source
  6949. type: string
  6950. host:
  6951. description: URL configures the Password Depot instance URL.
  6952. type: string
  6953. required:
  6954. - auth
  6955. - database
  6956. - host
  6957. type: object
  6958. previder:
  6959. description: Previder configures this store to sync secrets using the Previder provider
  6960. properties:
  6961. auth:
  6962. description: PreviderAuth contains a secretRef for credentials.
  6963. properties:
  6964. secretRef:
  6965. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  6966. properties:
  6967. accessToken:
  6968. description: The AccessToken is used for authentication
  6969. properties:
  6970. key:
  6971. description: |-
  6972. A key in the referenced Secret.
  6973. Some instances of this field may be defaulted, in others it may be required.
  6974. maxLength: 253
  6975. minLength: 1
  6976. pattern: ^[-._a-zA-Z0-9]+$
  6977. type: string
  6978. name:
  6979. description: The name of the Secret resource being referred to.
  6980. maxLength: 253
  6981. minLength: 1
  6982. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  6983. type: string
  6984. namespace:
  6985. description: |-
  6986. The namespace of the Secret resource being referred to.
  6987. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  6988. maxLength: 63
  6989. minLength: 1
  6990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  6991. type: string
  6992. type: object
  6993. required:
  6994. - accessToken
  6995. type: object
  6996. type: object
  6997. baseUri:
  6998. type: string
  6999. required:
  7000. - auth
  7001. type: object
  7002. pulumi:
  7003. description: Pulumi configures this store to sync secrets using the Pulumi provider
  7004. properties:
  7005. accessToken:
  7006. description: |-
  7007. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  7008. Deprecated: Use auth.accessToken instead.
  7009. properties:
  7010. secretRef:
  7011. description: SecretRef is a reference to a secret containing the Pulumi API token.
  7012. properties:
  7013. key:
  7014. description: |-
  7015. A key in the referenced Secret.
  7016. Some instances of this field may be defaulted, in others it may be required.
  7017. maxLength: 253
  7018. minLength: 1
  7019. pattern: ^[-._a-zA-Z0-9]+$
  7020. type: string
  7021. name:
  7022. description: The name of the Secret resource being referred to.
  7023. maxLength: 253
  7024. minLength: 1
  7025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7026. type: string
  7027. namespace:
  7028. description: |-
  7029. The namespace of the Secret resource being referred to.
  7030. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7031. maxLength: 63
  7032. minLength: 1
  7033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7034. type: string
  7035. type: object
  7036. type: object
  7037. apiUrl:
  7038. default: https://api.pulumi.com/api/esc
  7039. description: APIURL is the URL of the Pulumi API.
  7040. type: string
  7041. auth:
  7042. description: |-
  7043. Auth configures how the Operator authenticates with the Pulumi API.
  7044. Either auth or the deprecated accessToken field must be specified.
  7045. properties:
  7046. accessToken:
  7047. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  7048. properties:
  7049. secretRef:
  7050. description: SecretRef is a reference to a secret containing the Pulumi API token.
  7051. properties:
  7052. key:
  7053. description: |-
  7054. A key in the referenced Secret.
  7055. Some instances of this field may be defaulted, in others it may be required.
  7056. maxLength: 253
  7057. minLength: 1
  7058. pattern: ^[-._a-zA-Z0-9]+$
  7059. type: string
  7060. name:
  7061. description: The name of the Secret resource being referred to.
  7062. maxLength: 253
  7063. minLength: 1
  7064. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7065. type: string
  7066. namespace:
  7067. description: |-
  7068. The namespace of the Secret resource being referred to.
  7069. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7070. maxLength: 63
  7071. minLength: 1
  7072. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7073. type: string
  7074. type: object
  7075. type: object
  7076. oidcConfig:
  7077. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  7078. properties:
  7079. expirationSeconds:
  7080. default: 600
  7081. description: |-
  7082. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  7083. Defaults to 10 minutes.
  7084. format: int64
  7085. minimum: 600
  7086. type: integer
  7087. organization:
  7088. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  7089. type: string
  7090. serviceAccountRef:
  7091. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  7092. properties:
  7093. audiences:
  7094. description: |-
  7095. Audience specifies the `aud` claim for the service account token
  7096. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7097. then this audiences will be appended to the list
  7098. items:
  7099. type: string
  7100. type: array
  7101. name:
  7102. description: The name of the ServiceAccount resource being referred to.
  7103. maxLength: 253
  7104. minLength: 1
  7105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7106. type: string
  7107. namespace:
  7108. description: |-
  7109. Namespace of the resource being referred to.
  7110. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7111. maxLength: 63
  7112. minLength: 1
  7113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7114. type: string
  7115. required:
  7116. - name
  7117. type: object
  7118. required:
  7119. - organization
  7120. - serviceAccountRef
  7121. type: object
  7122. type: object
  7123. x-kubernetes-validations:
  7124. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  7125. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  7126. environment:
  7127. description: |-
  7128. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  7129. dynamically retrieved values from supported providers including all major clouds,
  7130. and other Pulumi ESC environments.
  7131. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  7132. type: string
  7133. organization:
  7134. description: |-
  7135. Organization are a space to collaborate on shared projects and stacks.
  7136. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  7137. type: string
  7138. project:
  7139. description: Project is the name of the Pulumi ESC project the environment belongs to.
  7140. type: string
  7141. required:
  7142. - environment
  7143. - organization
  7144. - project
  7145. type: object
  7146. x-kubernetes-validations:
  7147. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  7148. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  7149. scaleway:
  7150. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  7151. properties:
  7152. accessKey:
  7153. description: AccessKey is the non-secret part of the api key.
  7154. properties:
  7155. secretRef:
  7156. description: SecretRef references a key in a secret that will be used as value.
  7157. properties:
  7158. key:
  7159. description: |-
  7160. A key in the referenced Secret.
  7161. Some instances of this field may be defaulted, in others it may be required.
  7162. maxLength: 253
  7163. minLength: 1
  7164. pattern: ^[-._a-zA-Z0-9]+$
  7165. type: string
  7166. name:
  7167. description: The name of the Secret resource being referred to.
  7168. maxLength: 253
  7169. minLength: 1
  7170. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7171. type: string
  7172. namespace:
  7173. description: |-
  7174. The namespace of the Secret resource being referred to.
  7175. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7176. maxLength: 63
  7177. minLength: 1
  7178. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7179. type: string
  7180. type: object
  7181. value:
  7182. description: Value can be specified directly to set a value without using a secret.
  7183. type: string
  7184. type: object
  7185. apiUrl:
  7186. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  7187. type: string
  7188. projectId:
  7189. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  7190. type: string
  7191. region:
  7192. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  7193. type: string
  7194. secretKey:
  7195. description: SecretKey is the non-secret part of the api key.
  7196. properties:
  7197. secretRef:
  7198. description: SecretRef references a key in a secret that will be used as value.
  7199. properties:
  7200. key:
  7201. description: |-
  7202. A key in the referenced Secret.
  7203. Some instances of this field may be defaulted, in others it may be required.
  7204. maxLength: 253
  7205. minLength: 1
  7206. pattern: ^[-._a-zA-Z0-9]+$
  7207. type: string
  7208. name:
  7209. description: The name of the Secret resource being referred to.
  7210. maxLength: 253
  7211. minLength: 1
  7212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7213. type: string
  7214. namespace:
  7215. description: |-
  7216. The namespace of the Secret resource being referred to.
  7217. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7218. maxLength: 63
  7219. minLength: 1
  7220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7221. type: string
  7222. type: object
  7223. value:
  7224. description: Value can be specified directly to set a value without using a secret.
  7225. type: string
  7226. type: object
  7227. required:
  7228. - accessKey
  7229. - projectId
  7230. - region
  7231. - secretKey
  7232. type: object
  7233. secretserver:
  7234. description: |-
  7235. SecretServer configures this store to sync secrets using SecretServer provider
  7236. https://docs.delinea.com/online-help/secret-server/start.htm
  7237. properties:
  7238. caBundle:
  7239. description: |-
  7240. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  7241. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  7242. are used to validate the TLS connection.
  7243. format: byte
  7244. type: string
  7245. caProvider:
  7246. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  7247. properties:
  7248. key:
  7249. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  7250. maxLength: 253
  7251. minLength: 1
  7252. pattern: ^[-._a-zA-Z0-9]+$
  7253. type: string
  7254. name:
  7255. description: The name of the object located at the provider type.
  7256. maxLength: 253
  7257. minLength: 1
  7258. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7259. type: string
  7260. namespace:
  7261. description: |-
  7262. The namespace the Provider type is in.
  7263. Can only be defined when used in a ClusterSecretStore.
  7264. maxLength: 63
  7265. minLength: 1
  7266. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7267. type: string
  7268. type:
  7269. description: The type of provider to use such as "Secret", or "ConfigMap".
  7270. enum:
  7271. - Secret
  7272. - ConfigMap
  7273. type: string
  7274. required:
  7275. - name
  7276. - type
  7277. type: object
  7278. domain:
  7279. description: Domain is the secret server domain.
  7280. type: string
  7281. password:
  7282. description: Password is the secret server account password.
  7283. properties:
  7284. secretRef:
  7285. description: SecretRef references a key in a secret that will be used as value.
  7286. properties:
  7287. key:
  7288. description: |-
  7289. A key in the referenced Secret.
  7290. Some instances of this field may be defaulted, in others it may be required.
  7291. maxLength: 253
  7292. minLength: 1
  7293. pattern: ^[-._a-zA-Z0-9]+$
  7294. type: string
  7295. name:
  7296. description: The name of the Secret resource being referred to.
  7297. maxLength: 253
  7298. minLength: 1
  7299. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7300. type: string
  7301. namespace:
  7302. description: |-
  7303. The namespace of the Secret resource being referred to.
  7304. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7305. maxLength: 63
  7306. minLength: 1
  7307. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7308. type: string
  7309. type: object
  7310. value:
  7311. description: Value can be specified directly to set a value without using a secret.
  7312. type: string
  7313. type: object
  7314. serverURL:
  7315. description: |-
  7316. ServerURL
  7317. URL to your secret server installation
  7318. type: string
  7319. username:
  7320. description: Username is the secret server account username.
  7321. properties:
  7322. secretRef:
  7323. description: SecretRef references a key in a secret that will be used as value.
  7324. properties:
  7325. key:
  7326. description: |-
  7327. A key in the referenced Secret.
  7328. Some instances of this field may be defaulted, in others it may be required.
  7329. maxLength: 253
  7330. minLength: 1
  7331. pattern: ^[-._a-zA-Z0-9]+$
  7332. type: string
  7333. name:
  7334. description: The name of the Secret resource being referred to.
  7335. maxLength: 253
  7336. minLength: 1
  7337. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7338. type: string
  7339. namespace:
  7340. description: |-
  7341. The namespace of the Secret resource being referred to.
  7342. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7343. maxLength: 63
  7344. minLength: 1
  7345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7346. type: string
  7347. type: object
  7348. value:
  7349. description: Value can be specified directly to set a value without using a secret.
  7350. type: string
  7351. type: object
  7352. required:
  7353. - password
  7354. - serverURL
  7355. - username
  7356. type: object
  7357. senhasegura:
  7358. description: Senhasegura configures this store to sync secrets using senhasegura provider
  7359. properties:
  7360. auth:
  7361. description: Auth defines parameters to authenticate in senhasegura
  7362. properties:
  7363. clientId:
  7364. type: string
  7365. clientSecretSecretRef:
  7366. description: |-
  7367. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  7368. In some instances, `key` is a required field.
  7369. properties:
  7370. key:
  7371. description: |-
  7372. A key in the referenced Secret.
  7373. Some instances of this field may be defaulted, in others it may be required.
  7374. maxLength: 253
  7375. minLength: 1
  7376. pattern: ^[-._a-zA-Z0-9]+$
  7377. type: string
  7378. name:
  7379. description: The name of the Secret resource being referred to.
  7380. maxLength: 253
  7381. minLength: 1
  7382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7383. type: string
  7384. namespace:
  7385. description: |-
  7386. The namespace of the Secret resource being referred to.
  7387. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7388. maxLength: 63
  7389. minLength: 1
  7390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7391. type: string
  7392. type: object
  7393. required:
  7394. - clientId
  7395. - clientSecretSecretRef
  7396. type: object
  7397. ignoreSslCertificate:
  7398. default: false
  7399. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  7400. type: boolean
  7401. module:
  7402. description: Module defines which senhasegura module should be used to get secrets
  7403. type: string
  7404. url:
  7405. description: URL of senhasegura
  7406. type: string
  7407. required:
  7408. - auth
  7409. - module
  7410. - url
  7411. type: object
  7412. vault:
  7413. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  7414. properties:
  7415. auth:
  7416. description: Auth configures how secret-manager authenticates with the Vault server.
  7417. properties:
  7418. appRole:
  7419. description: |-
  7420. AppRole authenticates with Vault using the App Role auth mechanism,
  7421. with the role and secret stored in a Kubernetes Secret resource.
  7422. properties:
  7423. path:
  7424. default: approle
  7425. description: |-
  7426. Path where the App Role authentication backend is mounted
  7427. in Vault, e.g: "approle"
  7428. type: string
  7429. roleId:
  7430. description: |-
  7431. RoleID configured in the App Role authentication backend when setting
  7432. up the authentication backend in Vault.
  7433. type: string
  7434. roleRef:
  7435. description: |-
  7436. Reference to a key in a Secret that contains the App Role ID used
  7437. to authenticate with Vault.
  7438. The `key` field must be specified and denotes which entry within the Secret
  7439. resource is used as the app role id.
  7440. properties:
  7441. key:
  7442. description: |-
  7443. A key in the referenced Secret.
  7444. Some instances of this field may be defaulted, in others it may be required.
  7445. maxLength: 253
  7446. minLength: 1
  7447. pattern: ^[-._a-zA-Z0-9]+$
  7448. type: string
  7449. name:
  7450. description: The name of the Secret resource being referred to.
  7451. maxLength: 253
  7452. minLength: 1
  7453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7454. type: string
  7455. namespace:
  7456. description: |-
  7457. The namespace of the Secret resource being referred to.
  7458. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7459. maxLength: 63
  7460. minLength: 1
  7461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7462. type: string
  7463. type: object
  7464. secretRef:
  7465. description: |-
  7466. Reference to a key in a Secret that contains the App Role secret used
  7467. to authenticate with Vault.
  7468. The `key` field must be specified and denotes which entry within the Secret
  7469. resource is used as the app role secret.
  7470. properties:
  7471. key:
  7472. description: |-
  7473. A key in the referenced Secret.
  7474. Some instances of this field may be defaulted, in others it may be required.
  7475. maxLength: 253
  7476. minLength: 1
  7477. pattern: ^[-._a-zA-Z0-9]+$
  7478. type: string
  7479. name:
  7480. description: The name of the Secret resource being referred to.
  7481. maxLength: 253
  7482. minLength: 1
  7483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7484. type: string
  7485. namespace:
  7486. description: |-
  7487. The namespace of the Secret resource being referred to.
  7488. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7489. maxLength: 63
  7490. minLength: 1
  7491. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7492. type: string
  7493. type: object
  7494. required:
  7495. - path
  7496. - secretRef
  7497. type: object
  7498. cert:
  7499. description: |-
  7500. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7501. Cert authentication method
  7502. properties:
  7503. clientCert:
  7504. description: |-
  7505. ClientCert is a certificate to authenticate using the Cert Vault
  7506. authentication method
  7507. properties:
  7508. key:
  7509. description: |-
  7510. A key in the referenced Secret.
  7511. Some instances of this field may be defaulted, in others it may be required.
  7512. maxLength: 253
  7513. minLength: 1
  7514. pattern: ^[-._a-zA-Z0-9]+$
  7515. type: string
  7516. name:
  7517. description: The name of the Secret resource being referred to.
  7518. maxLength: 253
  7519. minLength: 1
  7520. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7521. type: string
  7522. namespace:
  7523. description: |-
  7524. The namespace of the Secret resource being referred to.
  7525. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7526. maxLength: 63
  7527. minLength: 1
  7528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7529. type: string
  7530. type: object
  7531. path:
  7532. default: cert
  7533. description: |-
  7534. Path where the Certificate authentication backend is mounted
  7535. in Vault, e.g: "cert"
  7536. type: string
  7537. secretRef:
  7538. description: |-
  7539. SecretRef to a key in a Secret resource containing client private key to
  7540. authenticate with Vault using the Cert authentication method
  7541. properties:
  7542. key:
  7543. description: |-
  7544. A key in the referenced Secret.
  7545. Some instances of this field may be defaulted, in others it may be required.
  7546. maxLength: 253
  7547. minLength: 1
  7548. pattern: ^[-._a-zA-Z0-9]+$
  7549. type: string
  7550. name:
  7551. description: The name of the Secret resource being referred to.
  7552. maxLength: 253
  7553. minLength: 1
  7554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7555. type: string
  7556. namespace:
  7557. description: |-
  7558. The namespace of the Secret resource being referred to.
  7559. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7560. maxLength: 63
  7561. minLength: 1
  7562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7563. type: string
  7564. type: object
  7565. vaultRole:
  7566. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  7567. type: string
  7568. type: object
  7569. gcp:
  7570. description: |-
  7571. Gcp authenticates with Vault using Google Cloud Platform authentication method
  7572. GCP authentication method
  7573. properties:
  7574. location:
  7575. description: Location optionally defines a location/region for the secret
  7576. type: string
  7577. path:
  7578. default: gcp
  7579. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  7580. type: string
  7581. projectID:
  7582. description: Project ID of the Google Cloud Platform project
  7583. type: string
  7584. role:
  7585. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  7586. type: string
  7587. secretRef:
  7588. description: Specify credentials in a Secret object
  7589. properties:
  7590. secretAccessKeySecretRef:
  7591. description: The SecretAccessKey is used for authentication
  7592. properties:
  7593. key:
  7594. description: |-
  7595. A key in the referenced Secret.
  7596. Some instances of this field may be defaulted, in others it may be required.
  7597. maxLength: 253
  7598. minLength: 1
  7599. pattern: ^[-._a-zA-Z0-9]+$
  7600. type: string
  7601. name:
  7602. description: The name of the Secret resource being referred to.
  7603. maxLength: 253
  7604. minLength: 1
  7605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7606. type: string
  7607. namespace:
  7608. description: |-
  7609. The namespace of the Secret resource being referred to.
  7610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7611. maxLength: 63
  7612. minLength: 1
  7613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7614. type: string
  7615. type: object
  7616. type: object
  7617. serviceAccountRef:
  7618. description: ServiceAccountRef to a service account for impersonation
  7619. properties:
  7620. audiences:
  7621. description: |-
  7622. Audience specifies the `aud` claim for the service account token
  7623. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7624. then this audiences will be appended to the list
  7625. items:
  7626. type: string
  7627. type: array
  7628. name:
  7629. description: The name of the ServiceAccount resource being referred to.
  7630. maxLength: 253
  7631. minLength: 1
  7632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7633. type: string
  7634. namespace:
  7635. description: |-
  7636. Namespace of the resource being referred to.
  7637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7638. maxLength: 63
  7639. minLength: 1
  7640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7641. type: string
  7642. required:
  7643. - name
  7644. type: object
  7645. workloadIdentity:
  7646. description: Specify a service account with Workload Identity
  7647. properties:
  7648. clusterLocation:
  7649. description: |-
  7650. ClusterLocation is the location of the cluster
  7651. If not specified, it fetches information from the metadata server
  7652. type: string
  7653. clusterName:
  7654. description: |-
  7655. ClusterName is the name of the cluster
  7656. If not specified, it fetches information from the metadata server
  7657. type: string
  7658. clusterProjectID:
  7659. description: |-
  7660. ClusterProjectID is the project ID of the cluster
  7661. If not specified, it fetches information from the metadata server
  7662. type: string
  7663. serviceAccountRef:
  7664. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7665. properties:
  7666. audiences:
  7667. description: |-
  7668. Audience specifies the `aud` claim for the service account token
  7669. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7670. then this audiences will be appended to the list
  7671. items:
  7672. type: string
  7673. type: array
  7674. name:
  7675. description: The name of the ServiceAccount resource being referred to.
  7676. maxLength: 253
  7677. minLength: 1
  7678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7679. type: string
  7680. namespace:
  7681. description: |-
  7682. Namespace of the resource being referred to.
  7683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7684. maxLength: 63
  7685. minLength: 1
  7686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7687. type: string
  7688. required:
  7689. - name
  7690. type: object
  7691. required:
  7692. - serviceAccountRef
  7693. type: object
  7694. required:
  7695. - role
  7696. type: object
  7697. iam:
  7698. description: |-
  7699. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  7700. AWS IAM authentication method
  7701. properties:
  7702. externalID:
  7703. description: AWS External ID set on assumed IAM roles
  7704. type: string
  7705. jwt:
  7706. description: Specify a service account with IRSA enabled
  7707. properties:
  7708. serviceAccountRef:
  7709. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  7710. properties:
  7711. audiences:
  7712. description: |-
  7713. Audience specifies the `aud` claim for the service account token
  7714. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7715. then this audiences will be appended to the list
  7716. items:
  7717. type: string
  7718. type: array
  7719. name:
  7720. description: The name of the ServiceAccount resource being referred to.
  7721. maxLength: 253
  7722. minLength: 1
  7723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7724. type: string
  7725. namespace:
  7726. description: |-
  7727. Namespace of the resource being referred to.
  7728. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7729. maxLength: 63
  7730. minLength: 1
  7731. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7732. type: string
  7733. required:
  7734. - name
  7735. type: object
  7736. type: object
  7737. path:
  7738. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  7739. type: string
  7740. region:
  7741. description: AWS region
  7742. type: string
  7743. role:
  7744. description: This is the AWS role to be assumed before talking to vault
  7745. type: string
  7746. secretRef:
  7747. description: Specify credentials in a Secret object
  7748. properties:
  7749. accessKeyIDSecretRef:
  7750. description: The AccessKeyID is used for authentication
  7751. properties:
  7752. key:
  7753. description: |-
  7754. A key in the referenced Secret.
  7755. Some instances of this field may be defaulted, in others it may be required.
  7756. maxLength: 253
  7757. minLength: 1
  7758. pattern: ^[-._a-zA-Z0-9]+$
  7759. type: string
  7760. name:
  7761. description: The name of the Secret resource being referred to.
  7762. maxLength: 253
  7763. minLength: 1
  7764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7765. type: string
  7766. namespace:
  7767. description: |-
  7768. The namespace of the Secret resource being referred to.
  7769. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7770. maxLength: 63
  7771. minLength: 1
  7772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7773. type: string
  7774. type: object
  7775. secretAccessKeySecretRef:
  7776. description: The SecretAccessKey is used for authentication
  7777. properties:
  7778. key:
  7779. description: |-
  7780. A key in the referenced Secret.
  7781. Some instances of this field may be defaulted, in others it may be required.
  7782. maxLength: 253
  7783. minLength: 1
  7784. pattern: ^[-._a-zA-Z0-9]+$
  7785. type: string
  7786. name:
  7787. description: The name of the Secret resource being referred to.
  7788. maxLength: 253
  7789. minLength: 1
  7790. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7791. type: string
  7792. namespace:
  7793. description: |-
  7794. The namespace of the Secret resource being referred to.
  7795. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7796. maxLength: 63
  7797. minLength: 1
  7798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7799. type: string
  7800. type: object
  7801. sessionTokenSecretRef:
  7802. description: |-
  7803. The SessionToken used for authentication
  7804. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  7805. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  7806. properties:
  7807. key:
  7808. description: |-
  7809. A key in the referenced Secret.
  7810. Some instances of this field may be defaulted, in others it may be required.
  7811. maxLength: 253
  7812. minLength: 1
  7813. pattern: ^[-._a-zA-Z0-9]+$
  7814. type: string
  7815. name:
  7816. description: The name of the Secret resource being referred to.
  7817. maxLength: 253
  7818. minLength: 1
  7819. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7820. type: string
  7821. namespace:
  7822. description: |-
  7823. The namespace of the Secret resource being referred to.
  7824. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7825. maxLength: 63
  7826. minLength: 1
  7827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7828. type: string
  7829. type: object
  7830. type: object
  7831. vaultAwsIamServerID:
  7832. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  7833. type: string
  7834. vaultRole:
  7835. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  7836. type: string
  7837. required:
  7838. - vaultRole
  7839. type: object
  7840. jwt:
  7841. description: |-
  7842. Jwt authenticates with Vault by passing role and JWT token using the
  7843. JWT/OIDC authentication method
  7844. properties:
  7845. kubernetesServiceAccountToken:
  7846. description: |-
  7847. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7848. a token for with the `TokenRequest` API.
  7849. properties:
  7850. audiences:
  7851. description: |-
  7852. Optional audiences field that will be used to request a temporary Kubernetes service
  7853. account token for the service account referenced by `serviceAccountRef`.
  7854. Defaults to a single audience `vault` it not specified.
  7855. Deprecated: use serviceAccountRef.Audiences instead
  7856. items:
  7857. type: string
  7858. type: array
  7859. expirationSeconds:
  7860. description: |-
  7861. Optional expiration time in seconds that will be used to request a temporary
  7862. Kubernetes service account token for the service account referenced by
  7863. `serviceAccountRef`.
  7864. Deprecated: this will be removed in the future.
  7865. Defaults to 10 minutes.
  7866. format: int64
  7867. type: integer
  7868. serviceAccountRef:
  7869. description: Service account field containing the name of a kubernetes ServiceAccount.
  7870. properties:
  7871. audiences:
  7872. description: |-
  7873. Audience specifies the `aud` claim for the service account token
  7874. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7875. then this audiences will be appended to the list
  7876. items:
  7877. type: string
  7878. type: array
  7879. name:
  7880. description: The name of the ServiceAccount resource being referred to.
  7881. maxLength: 253
  7882. minLength: 1
  7883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7884. type: string
  7885. namespace:
  7886. description: |-
  7887. Namespace of the resource being referred to.
  7888. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7889. maxLength: 63
  7890. minLength: 1
  7891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7892. type: string
  7893. required:
  7894. - name
  7895. type: object
  7896. required:
  7897. - serviceAccountRef
  7898. type: object
  7899. path:
  7900. default: jwt
  7901. description: |-
  7902. Path where the JWT authentication backend is mounted
  7903. in Vault, e.g: "jwt"
  7904. type: string
  7905. role:
  7906. description: |-
  7907. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7908. authentication method
  7909. type: string
  7910. secretRef:
  7911. description: |-
  7912. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7913. authenticate with Vault using the JWT/OIDC authentication method.
  7914. properties:
  7915. key:
  7916. description: |-
  7917. A key in the referenced Secret.
  7918. Some instances of this field may be defaulted, in others it may be required.
  7919. maxLength: 253
  7920. minLength: 1
  7921. pattern: ^[-._a-zA-Z0-9]+$
  7922. type: string
  7923. name:
  7924. description: The name of the Secret resource being referred to.
  7925. maxLength: 253
  7926. minLength: 1
  7927. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7928. type: string
  7929. namespace:
  7930. description: |-
  7931. The namespace of the Secret resource being referred to.
  7932. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7933. maxLength: 63
  7934. minLength: 1
  7935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7936. type: string
  7937. type: object
  7938. required:
  7939. - path
  7940. type: object
  7941. kubernetes:
  7942. description: |-
  7943. Kubernetes authenticates with Vault by passing the ServiceAccount
  7944. token stored in the named Secret resource to the Vault server.
  7945. properties:
  7946. mountPath:
  7947. default: kubernetes
  7948. description: |-
  7949. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7950. "kubernetes"
  7951. type: string
  7952. role:
  7953. description: |-
  7954. A required field containing the Vault Role to assume. A Role binds a
  7955. Kubernetes ServiceAccount with a set of Vault policies.
  7956. type: string
  7957. secretRef:
  7958. description: |-
  7959. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7960. for authenticating with Vault. If a name is specified without a key,
  7961. `token` is the default. If one is not specified, the one bound to
  7962. the controller will be used.
  7963. properties:
  7964. key:
  7965. description: |-
  7966. A key in the referenced Secret.
  7967. Some instances of this field may be defaulted, in others it may be required.
  7968. maxLength: 253
  7969. minLength: 1
  7970. pattern: ^[-._a-zA-Z0-9]+$
  7971. type: string
  7972. name:
  7973. description: The name of the Secret resource being referred to.
  7974. maxLength: 253
  7975. minLength: 1
  7976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  7977. type: string
  7978. namespace:
  7979. description: |-
  7980. The namespace of the Secret resource being referred to.
  7981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  7982. maxLength: 63
  7983. minLength: 1
  7984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  7985. type: string
  7986. type: object
  7987. serviceAccountRef:
  7988. description: |-
  7989. Optional service account field containing the name of a kubernetes ServiceAccount.
  7990. If the service account is specified, the service account secret token JWT will be used
  7991. for authenticating with Vault. If the service account selector is not supplied,
  7992. the secretRef will be used instead.
  7993. properties:
  7994. audiences:
  7995. description: |-
  7996. Audience specifies the `aud` claim for the service account token
  7997. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  7998. then this audiences will be appended to the list
  7999. items:
  8000. type: string
  8001. type: array
  8002. name:
  8003. description: The name of the ServiceAccount resource being referred to.
  8004. maxLength: 253
  8005. minLength: 1
  8006. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8007. type: string
  8008. namespace:
  8009. description: |-
  8010. Namespace of the resource being referred to.
  8011. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8012. maxLength: 63
  8013. minLength: 1
  8014. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8015. type: string
  8016. required:
  8017. - name
  8018. type: object
  8019. required:
  8020. - mountPath
  8021. - role
  8022. type: object
  8023. ldap:
  8024. description: |-
  8025. Ldap authenticates with Vault by passing username/password pair using
  8026. the LDAP authentication method
  8027. properties:
  8028. path:
  8029. default: ldap
  8030. description: |-
  8031. Path where the LDAP authentication backend is mounted
  8032. in Vault, e.g: "ldap"
  8033. type: string
  8034. secretRef:
  8035. description: |-
  8036. SecretRef to a key in a Secret resource containing password for the LDAP
  8037. user used to authenticate with Vault using the LDAP authentication
  8038. method
  8039. properties:
  8040. key:
  8041. description: |-
  8042. A key in the referenced Secret.
  8043. Some instances of this field may be defaulted, in others it may be required.
  8044. maxLength: 253
  8045. minLength: 1
  8046. pattern: ^[-._a-zA-Z0-9]+$
  8047. type: string
  8048. name:
  8049. description: The name of the Secret resource being referred to.
  8050. maxLength: 253
  8051. minLength: 1
  8052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8053. type: string
  8054. namespace:
  8055. description: |-
  8056. The namespace of the Secret resource being referred to.
  8057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8058. maxLength: 63
  8059. minLength: 1
  8060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8061. type: string
  8062. type: object
  8063. username:
  8064. description: |-
  8065. Username is an LDAP username used to authenticate using the LDAP Vault
  8066. authentication method
  8067. type: string
  8068. required:
  8069. - path
  8070. - username
  8071. type: object
  8072. namespace:
  8073. description: |-
  8074. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  8075. Namespaces is a set of features within Vault Enterprise that allows
  8076. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8077. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8078. This will default to Vault.Namespace field if set, or empty otherwise
  8079. type: string
  8080. tokenSecretRef:
  8081. description: TokenSecretRef authenticates with Vault by presenting a token.
  8082. properties:
  8083. key:
  8084. description: |-
  8085. A key in the referenced Secret.
  8086. Some instances of this field may be defaulted, in others it may be required.
  8087. maxLength: 253
  8088. minLength: 1
  8089. pattern: ^[-._a-zA-Z0-9]+$
  8090. type: string
  8091. name:
  8092. description: The name of the Secret resource being referred to.
  8093. maxLength: 253
  8094. minLength: 1
  8095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8096. type: string
  8097. namespace:
  8098. description: |-
  8099. The namespace of the Secret resource being referred to.
  8100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8101. maxLength: 63
  8102. minLength: 1
  8103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8104. type: string
  8105. type: object
  8106. userPass:
  8107. description: UserPass authenticates with Vault by passing username/password pair
  8108. properties:
  8109. path:
  8110. default: userpass
  8111. description: |-
  8112. Path where the UserPassword authentication backend is mounted
  8113. in Vault, e.g: "userpass"
  8114. type: string
  8115. secretRef:
  8116. description: |-
  8117. SecretRef to a key in a Secret resource containing password for the
  8118. user used to authenticate with Vault using the UserPass authentication
  8119. method
  8120. properties:
  8121. key:
  8122. description: |-
  8123. A key in the referenced Secret.
  8124. Some instances of this field may be defaulted, in others it may be required.
  8125. maxLength: 253
  8126. minLength: 1
  8127. pattern: ^[-._a-zA-Z0-9]+$
  8128. type: string
  8129. name:
  8130. description: The name of the Secret resource being referred to.
  8131. maxLength: 253
  8132. minLength: 1
  8133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8134. type: string
  8135. namespace:
  8136. description: |-
  8137. The namespace of the Secret resource being referred to.
  8138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8139. maxLength: 63
  8140. minLength: 1
  8141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8142. type: string
  8143. type: object
  8144. username:
  8145. description: |-
  8146. Username is a username used to authenticate using the UserPass Vault
  8147. authentication method
  8148. type: string
  8149. required:
  8150. - path
  8151. - username
  8152. type: object
  8153. type: object
  8154. caBundle:
  8155. description: |-
  8156. PEM encoded CA bundle used to validate Vault server certificate. Only used
  8157. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8158. plain HTTP protocol connection. If not set the system root certificates
  8159. are used to validate the TLS connection.
  8160. format: byte
  8161. type: string
  8162. caProvider:
  8163. description: The provider for the CA bundle to use to validate Vault server certificate.
  8164. properties:
  8165. key:
  8166. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8167. maxLength: 253
  8168. minLength: 1
  8169. pattern: ^[-._a-zA-Z0-9]+$
  8170. type: string
  8171. name:
  8172. description: The name of the object located at the provider type.
  8173. maxLength: 253
  8174. minLength: 1
  8175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8176. type: string
  8177. namespace:
  8178. description: |-
  8179. The namespace the Provider type is in.
  8180. Can only be defined when used in a ClusterSecretStore.
  8181. maxLength: 63
  8182. minLength: 1
  8183. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8184. type: string
  8185. type:
  8186. description: The type of provider to use such as "Secret", or "ConfigMap".
  8187. enum:
  8188. - Secret
  8189. - ConfigMap
  8190. type: string
  8191. required:
  8192. - name
  8193. - type
  8194. type: object
  8195. checkAndSet:
  8196. description: |-
  8197. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  8198. Only applies to Vault KV v2 stores. When enabled, write operations must include
  8199. the current version of the secret to prevent unintentional overwrites.
  8200. properties:
  8201. required:
  8202. description: |-
  8203. Required when true, all write operations must include a check-and-set parameter.
  8204. This helps prevent unintentional overwrites of secrets.
  8205. type: boolean
  8206. type: object
  8207. forwardInconsistent:
  8208. description: |-
  8209. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  8210. leader instead of simply retrying within a loop. This can increase performance if
  8211. the option is enabled serverside.
  8212. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  8213. type: boolean
  8214. headers:
  8215. additionalProperties:
  8216. type: string
  8217. description: Headers to be added in Vault request
  8218. type: object
  8219. namespace:
  8220. description: |-
  8221. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  8222. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  8223. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  8224. type: string
  8225. path:
  8226. description: |-
  8227. Path is the mount path of the Vault KV backend endpoint, e.g:
  8228. "secret". The v2 KV secret engine version specific "/data" path suffix
  8229. for fetching secrets from Vault is optional and will be appended
  8230. if not present in specified path.
  8231. type: string
  8232. readYourWrites:
  8233. description: |-
  8234. ReadYourWrites ensures isolated read-after-write semantics by
  8235. providing discovered cluster replication states in each request.
  8236. More information about eventual consistency in Vault can be found here
  8237. https://www.vaultproject.io/docs/enterprise/consistency
  8238. type: boolean
  8239. server:
  8240. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  8241. type: string
  8242. tls:
  8243. description: |-
  8244. The configuration used for client side related TLS communication, when the Vault server
  8245. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  8246. This parameter is ignored for plain HTTP protocol connection.
  8247. It's worth noting this configuration is different from the "TLS certificates auth method",
  8248. which is available under the `auth.cert` section.
  8249. properties:
  8250. certSecretRef:
  8251. description: |-
  8252. CertSecretRef is a certificate added to the transport layer
  8253. when communicating with the Vault server.
  8254. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  8255. properties:
  8256. key:
  8257. description: |-
  8258. A key in the referenced Secret.
  8259. Some instances of this field may be defaulted, in others it may be required.
  8260. maxLength: 253
  8261. minLength: 1
  8262. pattern: ^[-._a-zA-Z0-9]+$
  8263. type: string
  8264. name:
  8265. description: The name of the Secret resource being referred to.
  8266. maxLength: 253
  8267. minLength: 1
  8268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8269. type: string
  8270. namespace:
  8271. description: |-
  8272. The namespace of the Secret resource being referred to.
  8273. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8274. maxLength: 63
  8275. minLength: 1
  8276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8277. type: string
  8278. type: object
  8279. keySecretRef:
  8280. description: |-
  8281. KeySecretRef to a key in a Secret resource containing client private key
  8282. added to the transport layer when communicating with the Vault server.
  8283. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  8284. properties:
  8285. key:
  8286. description: |-
  8287. A key in the referenced Secret.
  8288. Some instances of this field may be defaulted, in others it may be required.
  8289. maxLength: 253
  8290. minLength: 1
  8291. pattern: ^[-._a-zA-Z0-9]+$
  8292. type: string
  8293. name:
  8294. description: The name of the Secret resource being referred to.
  8295. maxLength: 253
  8296. minLength: 1
  8297. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8298. type: string
  8299. namespace:
  8300. description: |-
  8301. The namespace of the Secret resource being referred to.
  8302. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8303. maxLength: 63
  8304. minLength: 1
  8305. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8306. type: string
  8307. type: object
  8308. type: object
  8309. version:
  8310. default: v2
  8311. description: |-
  8312. Version is the Vault KV secret engine version. This can be either "v1" or
  8313. "v2". Version defaults to "v2".
  8314. enum:
  8315. - v1
  8316. - v2
  8317. type: string
  8318. required:
  8319. - server
  8320. type: object
  8321. volcengine:
  8322. description: Volcengine configures this store to sync secrets using the Volcengine provider
  8323. properties:
  8324. auth:
  8325. description: |-
  8326. Auth defines the authentication method to use.
  8327. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  8328. properties:
  8329. secretRef:
  8330. description: |-
  8331. SecretRef defines the static credentials to use for authentication.
  8332. If not set, IRSA is used.
  8333. properties:
  8334. accessKeyID:
  8335. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  8336. properties:
  8337. key:
  8338. description: |-
  8339. A key in the referenced Secret.
  8340. Some instances of this field may be defaulted, in others it may be required.
  8341. maxLength: 253
  8342. minLength: 1
  8343. pattern: ^[-._a-zA-Z0-9]+$
  8344. type: string
  8345. name:
  8346. description: The name of the Secret resource being referred to.
  8347. maxLength: 253
  8348. minLength: 1
  8349. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8350. type: string
  8351. namespace:
  8352. description: |-
  8353. The namespace of the Secret resource being referred to.
  8354. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8355. maxLength: 63
  8356. minLength: 1
  8357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8358. type: string
  8359. type: object
  8360. secretAccessKey:
  8361. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  8362. properties:
  8363. key:
  8364. description: |-
  8365. A key in the referenced Secret.
  8366. Some instances of this field may be defaulted, in others it may be required.
  8367. maxLength: 253
  8368. minLength: 1
  8369. pattern: ^[-._a-zA-Z0-9]+$
  8370. type: string
  8371. name:
  8372. description: The name of the Secret resource being referred to.
  8373. maxLength: 253
  8374. minLength: 1
  8375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8376. type: string
  8377. namespace:
  8378. description: |-
  8379. The namespace of the Secret resource being referred to.
  8380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8381. maxLength: 63
  8382. minLength: 1
  8383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8384. type: string
  8385. type: object
  8386. token:
  8387. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  8388. properties:
  8389. key:
  8390. description: |-
  8391. A key in the referenced Secret.
  8392. Some instances of this field may be defaulted, in others it may be required.
  8393. maxLength: 253
  8394. minLength: 1
  8395. pattern: ^[-._a-zA-Z0-9]+$
  8396. type: string
  8397. name:
  8398. description: The name of the Secret resource being referred to.
  8399. maxLength: 253
  8400. minLength: 1
  8401. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8402. type: string
  8403. namespace:
  8404. description: |-
  8405. The namespace of the Secret resource being referred to.
  8406. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8407. maxLength: 63
  8408. minLength: 1
  8409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8410. type: string
  8411. type: object
  8412. required:
  8413. - accessKeyID
  8414. - secretAccessKey
  8415. type: object
  8416. type: object
  8417. region:
  8418. description: Region specifies the Volcengine region to connect to.
  8419. type: string
  8420. required:
  8421. - region
  8422. type: object
  8423. webhook:
  8424. description: Webhook configures this store to sync secrets using a generic templated webhook
  8425. properties:
  8426. auth:
  8427. description: Auth specifies a authorization protocol. Only one protocol may be set.
  8428. maxProperties: 1
  8429. minProperties: 1
  8430. properties:
  8431. ntlm:
  8432. description: NTLMProtocol configures the store to use NTLM for auth
  8433. properties:
  8434. passwordSecret:
  8435. description: |-
  8436. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8437. In some instances, `key` is a required field.
  8438. properties:
  8439. key:
  8440. description: |-
  8441. A key in the referenced Secret.
  8442. Some instances of this field may be defaulted, in others it may be required.
  8443. maxLength: 253
  8444. minLength: 1
  8445. pattern: ^[-._a-zA-Z0-9]+$
  8446. type: string
  8447. name:
  8448. description: The name of the Secret resource being referred to.
  8449. maxLength: 253
  8450. minLength: 1
  8451. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8452. type: string
  8453. namespace:
  8454. description: |-
  8455. The namespace of the Secret resource being referred to.
  8456. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8457. maxLength: 63
  8458. minLength: 1
  8459. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8460. type: string
  8461. type: object
  8462. usernameSecret:
  8463. description: |-
  8464. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8465. In some instances, `key` is a required field.
  8466. properties:
  8467. key:
  8468. description: |-
  8469. A key in the referenced Secret.
  8470. Some instances of this field may be defaulted, in others it may be required.
  8471. maxLength: 253
  8472. minLength: 1
  8473. pattern: ^[-._a-zA-Z0-9]+$
  8474. type: string
  8475. name:
  8476. description: The name of the Secret resource being referred to.
  8477. maxLength: 253
  8478. minLength: 1
  8479. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8480. type: string
  8481. namespace:
  8482. description: |-
  8483. The namespace of the Secret resource being referred to.
  8484. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8485. maxLength: 63
  8486. minLength: 1
  8487. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8488. type: string
  8489. type: object
  8490. required:
  8491. - passwordSecret
  8492. - usernameSecret
  8493. type: object
  8494. type: object
  8495. body:
  8496. description: Body
  8497. type: string
  8498. caBundle:
  8499. description: |-
  8500. PEM encoded CA bundle used to validate webhook server certificate. Only used
  8501. if the Server URL is using HTTPS protocol. This parameter is ignored for
  8502. plain HTTP protocol connection. If not set the system root certificates
  8503. are used to validate the TLS connection.
  8504. format: byte
  8505. type: string
  8506. caProvider:
  8507. description: The provider for the CA bundle to use to validate webhook server certificate.
  8508. properties:
  8509. key:
  8510. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8511. maxLength: 253
  8512. minLength: 1
  8513. pattern: ^[-._a-zA-Z0-9]+$
  8514. type: string
  8515. name:
  8516. description: The name of the object located at the provider type.
  8517. maxLength: 253
  8518. minLength: 1
  8519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8520. type: string
  8521. namespace:
  8522. description: The namespace the Provider type is in.
  8523. maxLength: 63
  8524. minLength: 1
  8525. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8526. type: string
  8527. type:
  8528. description: The type of provider to use such as "Secret", or "ConfigMap".
  8529. enum:
  8530. - Secret
  8531. - ConfigMap
  8532. type: string
  8533. required:
  8534. - name
  8535. - type
  8536. type: object
  8537. headers:
  8538. additionalProperties:
  8539. type: string
  8540. description: Headers
  8541. type: object
  8542. method:
  8543. description: Webhook Method
  8544. type: string
  8545. result:
  8546. description: Result formatting
  8547. properties:
  8548. jsonPath:
  8549. description: Json path of return value
  8550. type: string
  8551. type: object
  8552. secrets:
  8553. description: |-
  8554. Secrets to fill in templates
  8555. These secrets will be passed to the templating function as key value pairs under the given name
  8556. items:
  8557. description: WebhookSecret defines a secret that will be passed to the webhook request.
  8558. properties:
  8559. name:
  8560. description: Name of this secret in templates
  8561. type: string
  8562. secretRef:
  8563. description: Secret ref to fill in credentials
  8564. properties:
  8565. key:
  8566. description: |-
  8567. A key in the referenced Secret.
  8568. Some instances of this field may be defaulted, in others it may be required.
  8569. maxLength: 253
  8570. minLength: 1
  8571. pattern: ^[-._a-zA-Z0-9]+$
  8572. type: string
  8573. name:
  8574. description: The name of the Secret resource being referred to.
  8575. maxLength: 253
  8576. minLength: 1
  8577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8578. type: string
  8579. namespace:
  8580. description: |-
  8581. The namespace of the Secret resource being referred to.
  8582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8583. maxLength: 63
  8584. minLength: 1
  8585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8586. type: string
  8587. type: object
  8588. required:
  8589. - name
  8590. - secretRef
  8591. type: object
  8592. type: array
  8593. timeout:
  8594. description: Timeout
  8595. type: string
  8596. url:
  8597. description: Webhook url to call
  8598. type: string
  8599. required:
  8600. - url
  8601. type: object
  8602. yandexcertificatemanager:
  8603. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  8604. properties:
  8605. apiEndpoint:
  8606. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8607. type: string
  8608. auth:
  8609. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8610. properties:
  8611. authorizedKeySecretRef:
  8612. description: The authorized key used for authentication
  8613. properties:
  8614. key:
  8615. description: |-
  8616. A key in the referenced Secret.
  8617. Some instances of this field may be defaulted, in others it may be required.
  8618. maxLength: 253
  8619. minLength: 1
  8620. pattern: ^[-._a-zA-Z0-9]+$
  8621. type: string
  8622. name:
  8623. description: The name of the Secret resource being referred to.
  8624. maxLength: 253
  8625. minLength: 1
  8626. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8627. type: string
  8628. namespace:
  8629. description: |-
  8630. The namespace of the Secret resource being referred to.
  8631. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8632. maxLength: 63
  8633. minLength: 1
  8634. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8635. type: string
  8636. type: object
  8637. type: object
  8638. caProvider:
  8639. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8640. properties:
  8641. certSecretRef:
  8642. description: |-
  8643. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8644. In some instances, `key` is a required field.
  8645. properties:
  8646. key:
  8647. description: |-
  8648. A key in the referenced Secret.
  8649. Some instances of this field may be defaulted, in others it may be required.
  8650. maxLength: 253
  8651. minLength: 1
  8652. pattern: ^[-._a-zA-Z0-9]+$
  8653. type: string
  8654. name:
  8655. description: The name of the Secret resource being referred to.
  8656. maxLength: 253
  8657. minLength: 1
  8658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8659. type: string
  8660. namespace:
  8661. description: |-
  8662. The namespace of the Secret resource being referred to.
  8663. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8664. maxLength: 63
  8665. minLength: 1
  8666. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8667. type: string
  8668. type: object
  8669. type: object
  8670. fetching:
  8671. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  8672. maxProperties: 1
  8673. minProperties: 1
  8674. properties:
  8675. byID:
  8676. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8677. type: object
  8678. byName:
  8679. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8680. properties:
  8681. folderID:
  8682. description: The folder to fetch secrets from
  8683. type: string
  8684. required:
  8685. - folderID
  8686. type: object
  8687. type: object
  8688. required:
  8689. - auth
  8690. type: object
  8691. yandexlockbox:
  8692. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  8693. properties:
  8694. apiEndpoint:
  8695. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  8696. type: string
  8697. auth:
  8698. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  8699. properties:
  8700. authorizedKeySecretRef:
  8701. description: The authorized key used for authentication
  8702. properties:
  8703. key:
  8704. description: |-
  8705. A key in the referenced Secret.
  8706. Some instances of this field may be defaulted, in others it may be required.
  8707. maxLength: 253
  8708. minLength: 1
  8709. pattern: ^[-._a-zA-Z0-9]+$
  8710. type: string
  8711. name:
  8712. description: The name of the Secret resource being referred to.
  8713. maxLength: 253
  8714. minLength: 1
  8715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8716. type: string
  8717. namespace:
  8718. description: |-
  8719. The namespace of the Secret resource being referred to.
  8720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8721. maxLength: 63
  8722. minLength: 1
  8723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8724. type: string
  8725. type: object
  8726. type: object
  8727. caProvider:
  8728. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  8729. properties:
  8730. certSecretRef:
  8731. description: |-
  8732. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  8733. In some instances, `key` is a required field.
  8734. properties:
  8735. key:
  8736. description: |-
  8737. A key in the referenced Secret.
  8738. Some instances of this field may be defaulted, in others it may be required.
  8739. maxLength: 253
  8740. minLength: 1
  8741. pattern: ^[-._a-zA-Z0-9]+$
  8742. type: string
  8743. name:
  8744. description: The name of the Secret resource being referred to.
  8745. maxLength: 253
  8746. minLength: 1
  8747. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8748. type: string
  8749. namespace:
  8750. description: |-
  8751. The namespace of the Secret resource being referred to.
  8752. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8753. maxLength: 63
  8754. minLength: 1
  8755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8756. type: string
  8757. type: object
  8758. type: object
  8759. fetching:
  8760. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  8761. maxProperties: 1
  8762. minProperties: 1
  8763. properties:
  8764. byID:
  8765. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  8766. type: object
  8767. byName:
  8768. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  8769. properties:
  8770. folderID:
  8771. description: The folder to fetch secrets from
  8772. type: string
  8773. required:
  8774. - folderID
  8775. type: object
  8776. type: object
  8777. required:
  8778. - auth
  8779. type: object
  8780. type: object
  8781. refreshInterval:
  8782. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  8783. type: integer
  8784. retrySettings:
  8785. description: Used to configure HTTP retries on failures.
  8786. properties:
  8787. maxRetries:
  8788. format: int32
  8789. type: integer
  8790. retryInterval:
  8791. type: string
  8792. type: object
  8793. required:
  8794. - provider
  8795. type: object
  8796. status:
  8797. description: SecretStoreStatus defines the observed state of the SecretStore.
  8798. properties:
  8799. capabilities:
  8800. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  8801. type: string
  8802. conditions:
  8803. items:
  8804. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  8805. properties:
  8806. lastTransitionTime:
  8807. format: date-time
  8808. type: string
  8809. message:
  8810. type: string
  8811. reason:
  8812. type: string
  8813. status:
  8814. type: string
  8815. type:
  8816. description: SecretStoreConditionType represents the condition of the SecretStore.
  8817. type: string
  8818. required:
  8819. - status
  8820. - type
  8821. type: object
  8822. type: array
  8823. type: object
  8824. type: object
  8825. served: true
  8826. storage: true
  8827. subresources:
  8828. status: {}
  8829. - additionalPrinterColumns:
  8830. - jsonPath: .metadata.creationTimestamp
  8831. name: AGE
  8832. type: date
  8833. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  8834. name: Status
  8835. type: string
  8836. - jsonPath: .status.capabilities
  8837. name: Capabilities
  8838. type: string
  8839. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  8840. name: Ready
  8841. type: string
  8842. deprecated: true
  8843. name: v1beta1
  8844. schema:
  8845. openAPIV3Schema:
  8846. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  8847. properties:
  8848. apiVersion:
  8849. description: |-
  8850. APIVersion defines the versioned schema of this representation of an object.
  8851. Servers should convert recognized schemas to the latest internal value, and
  8852. may reject unrecognized values.
  8853. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  8854. type: string
  8855. kind:
  8856. description: |-
  8857. Kind is a string value representing the REST resource this object represents.
  8858. Servers may infer this from the endpoint the client submits requests to.
  8859. Cannot be updated.
  8860. In CamelCase.
  8861. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  8862. type: string
  8863. metadata:
  8864. type: object
  8865. spec:
  8866. description: SecretStoreSpec defines the desired state of SecretStore.
  8867. properties:
  8868. conditions:
  8869. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  8870. items:
  8871. description: |-
  8872. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  8873. for a ClusterSecretStore instance.
  8874. properties:
  8875. namespaceRegexes:
  8876. description: Choose namespaces by using regex matching
  8877. items:
  8878. type: string
  8879. type: array
  8880. namespaceSelector:
  8881. description: Choose namespace using a labelSelector
  8882. properties:
  8883. matchExpressions:
  8884. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  8885. items:
  8886. description: |-
  8887. A label selector requirement is a selector that contains values, a key, and an operator that
  8888. relates the key and values.
  8889. properties:
  8890. key:
  8891. description: key is the label key that the selector applies to.
  8892. type: string
  8893. operator:
  8894. description: |-
  8895. operator represents a key's relationship to a set of values.
  8896. Valid operators are In, NotIn, Exists and DoesNotExist.
  8897. type: string
  8898. values:
  8899. description: |-
  8900. values is an array of string values. If the operator is In or NotIn,
  8901. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  8902. the values array must be empty. This array is replaced during a strategic
  8903. merge patch.
  8904. items:
  8905. type: string
  8906. type: array
  8907. x-kubernetes-list-type: atomic
  8908. required:
  8909. - key
  8910. - operator
  8911. type: object
  8912. type: array
  8913. x-kubernetes-list-type: atomic
  8914. matchLabels:
  8915. additionalProperties:
  8916. type: string
  8917. description: |-
  8918. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  8919. map is equivalent to an element of matchExpressions, whose key field is "key", the
  8920. operator is "In", and the values array contains only "value". The requirements are ANDed.
  8921. type: object
  8922. type: object
  8923. x-kubernetes-map-type: atomic
  8924. namespaces:
  8925. description: Choose namespaces by name
  8926. items:
  8927. maxLength: 63
  8928. minLength: 1
  8929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8930. type: string
  8931. type: array
  8932. type: object
  8933. type: array
  8934. controller:
  8935. description: |-
  8936. Used to select the correct ESO controller (think: ingress.ingressClassName)
  8937. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  8938. type: string
  8939. provider:
  8940. description: Used to configure the provider. Only one provider may be set
  8941. maxProperties: 1
  8942. minProperties: 1
  8943. properties:
  8944. akeyless:
  8945. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  8946. properties:
  8947. akeylessGWApiURL:
  8948. description: Akeyless GW API Url from which the secrets to be fetched from.
  8949. type: string
  8950. authSecretRef:
  8951. description: Auth configures how the operator authenticates with Akeyless.
  8952. properties:
  8953. kubernetesAuth:
  8954. description: |-
  8955. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  8956. token stored in the named Secret resource.
  8957. properties:
  8958. accessID:
  8959. description: the Akeyless Kubernetes auth-method access-id
  8960. type: string
  8961. k8sConfName:
  8962. description: Kubernetes-auth configuration name in Akeyless-Gateway
  8963. type: string
  8964. secretRef:
  8965. description: |-
  8966. Optional secret field containing a Kubernetes ServiceAccount JWT used
  8967. for authenticating with Akeyless. If a name is specified without a key,
  8968. `token` is the default. If one is not specified, the one bound to
  8969. the controller will be used.
  8970. properties:
  8971. key:
  8972. description: |-
  8973. A key in the referenced Secret.
  8974. Some instances of this field may be defaulted, in others it may be required.
  8975. maxLength: 253
  8976. minLength: 1
  8977. pattern: ^[-._a-zA-Z0-9]+$
  8978. type: string
  8979. name:
  8980. description: The name of the Secret resource being referred to.
  8981. maxLength: 253
  8982. minLength: 1
  8983. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  8984. type: string
  8985. namespace:
  8986. description: |-
  8987. The namespace of the Secret resource being referred to.
  8988. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  8989. maxLength: 63
  8990. minLength: 1
  8991. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  8992. type: string
  8993. type: object
  8994. serviceAccountRef:
  8995. description: |-
  8996. Optional service account field containing the name of a kubernetes ServiceAccount.
  8997. If the service account is specified, the service account secret token JWT will be used
  8998. for authenticating with Akeyless. If the service account selector is not supplied,
  8999. the secretRef will be used instead.
  9000. properties:
  9001. audiences:
  9002. description: |-
  9003. Audience specifies the `aud` claim for the service account token
  9004. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9005. then this audiences will be appended to the list
  9006. items:
  9007. type: string
  9008. type: array
  9009. name:
  9010. description: The name of the ServiceAccount resource being referred to.
  9011. maxLength: 253
  9012. minLength: 1
  9013. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9014. type: string
  9015. namespace:
  9016. description: |-
  9017. Namespace of the resource being referred to.
  9018. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9019. maxLength: 63
  9020. minLength: 1
  9021. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9022. type: string
  9023. required:
  9024. - name
  9025. type: object
  9026. required:
  9027. - accessID
  9028. - k8sConfName
  9029. type: object
  9030. secretRef:
  9031. description: |-
  9032. Reference to a Secret that contains the details
  9033. to authenticate with Akeyless.
  9034. properties:
  9035. accessID:
  9036. description: The SecretAccessID is used for authentication
  9037. properties:
  9038. key:
  9039. description: |-
  9040. A key in the referenced Secret.
  9041. Some instances of this field may be defaulted, in others it may be required.
  9042. maxLength: 253
  9043. minLength: 1
  9044. pattern: ^[-._a-zA-Z0-9]+$
  9045. type: string
  9046. name:
  9047. description: The name of the Secret resource being referred to.
  9048. maxLength: 253
  9049. minLength: 1
  9050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9051. type: string
  9052. namespace:
  9053. description: |-
  9054. The namespace of the Secret resource being referred to.
  9055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9056. maxLength: 63
  9057. minLength: 1
  9058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9059. type: string
  9060. type: object
  9061. accessType:
  9062. description: |-
  9063. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9064. In some instances, `key` is a required field.
  9065. properties:
  9066. key:
  9067. description: |-
  9068. A key in the referenced Secret.
  9069. Some instances of this field may be defaulted, in others it may be required.
  9070. maxLength: 253
  9071. minLength: 1
  9072. pattern: ^[-._a-zA-Z0-9]+$
  9073. type: string
  9074. name:
  9075. description: The name of the Secret resource being referred to.
  9076. maxLength: 253
  9077. minLength: 1
  9078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9079. type: string
  9080. namespace:
  9081. description: |-
  9082. The namespace of the Secret resource being referred to.
  9083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9084. maxLength: 63
  9085. minLength: 1
  9086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9087. type: string
  9088. type: object
  9089. accessTypeParam:
  9090. description: |-
  9091. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  9092. In some instances, `key` is a required field.
  9093. properties:
  9094. key:
  9095. description: |-
  9096. A key in the referenced Secret.
  9097. Some instances of this field may be defaulted, in others it may be required.
  9098. maxLength: 253
  9099. minLength: 1
  9100. pattern: ^[-._a-zA-Z0-9]+$
  9101. type: string
  9102. name:
  9103. description: The name of the Secret resource being referred to.
  9104. maxLength: 253
  9105. minLength: 1
  9106. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9107. type: string
  9108. namespace:
  9109. description: |-
  9110. The namespace of the Secret resource being referred to.
  9111. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9112. maxLength: 63
  9113. minLength: 1
  9114. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9115. type: string
  9116. type: object
  9117. type: object
  9118. type: object
  9119. caBundle:
  9120. description: |-
  9121. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  9122. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  9123. are used to validate the TLS connection.
  9124. format: byte
  9125. type: string
  9126. caProvider:
  9127. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  9128. properties:
  9129. key:
  9130. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9131. maxLength: 253
  9132. minLength: 1
  9133. pattern: ^[-._a-zA-Z0-9]+$
  9134. type: string
  9135. name:
  9136. description: The name of the object located at the provider type.
  9137. maxLength: 253
  9138. minLength: 1
  9139. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9140. type: string
  9141. namespace:
  9142. description: |-
  9143. The namespace the Provider type is in.
  9144. Can only be defined when used in a ClusterSecretStore.
  9145. maxLength: 63
  9146. minLength: 1
  9147. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9148. type: string
  9149. type:
  9150. description: The type of provider to use such as "Secret", or "ConfigMap".
  9151. enum:
  9152. - Secret
  9153. - ConfigMap
  9154. type: string
  9155. required:
  9156. - name
  9157. - type
  9158. type: object
  9159. required:
  9160. - akeylessGWApiURL
  9161. - authSecretRef
  9162. type: object
  9163. alibaba:
  9164. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  9165. properties:
  9166. auth:
  9167. description: AlibabaAuth contains a secretRef for credentials.
  9168. properties:
  9169. rrsa:
  9170. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  9171. properties:
  9172. oidcProviderArn:
  9173. type: string
  9174. oidcTokenFilePath:
  9175. type: string
  9176. roleArn:
  9177. type: string
  9178. sessionName:
  9179. type: string
  9180. required:
  9181. - oidcProviderArn
  9182. - oidcTokenFilePath
  9183. - roleArn
  9184. - sessionName
  9185. type: object
  9186. secretRef:
  9187. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  9188. properties:
  9189. accessKeyIDSecretRef:
  9190. description: The AccessKeyID is used for authentication
  9191. properties:
  9192. key:
  9193. description: |-
  9194. A key in the referenced Secret.
  9195. Some instances of this field may be defaulted, in others it may be required.
  9196. maxLength: 253
  9197. minLength: 1
  9198. pattern: ^[-._a-zA-Z0-9]+$
  9199. type: string
  9200. name:
  9201. description: The name of the Secret resource being referred to.
  9202. maxLength: 253
  9203. minLength: 1
  9204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9205. type: string
  9206. namespace:
  9207. description: |-
  9208. The namespace of the Secret resource being referred to.
  9209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9210. maxLength: 63
  9211. minLength: 1
  9212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9213. type: string
  9214. type: object
  9215. accessKeySecretSecretRef:
  9216. description: The AccessKeySecret is used for authentication
  9217. properties:
  9218. key:
  9219. description: |-
  9220. A key in the referenced Secret.
  9221. Some instances of this field may be defaulted, in others it may be required.
  9222. maxLength: 253
  9223. minLength: 1
  9224. pattern: ^[-._a-zA-Z0-9]+$
  9225. type: string
  9226. name:
  9227. description: The name of the Secret resource being referred to.
  9228. maxLength: 253
  9229. minLength: 1
  9230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9231. type: string
  9232. namespace:
  9233. description: |-
  9234. The namespace of the Secret resource being referred to.
  9235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9236. maxLength: 63
  9237. minLength: 1
  9238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9239. type: string
  9240. type: object
  9241. required:
  9242. - accessKeyIDSecretRef
  9243. - accessKeySecretSecretRef
  9244. type: object
  9245. type: object
  9246. regionID:
  9247. description: Alibaba Region to be used for the provider
  9248. type: string
  9249. required:
  9250. - auth
  9251. - regionID
  9252. type: object
  9253. aws:
  9254. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  9255. properties:
  9256. additionalRoles:
  9257. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  9258. items:
  9259. type: string
  9260. type: array
  9261. auth:
  9262. description: |-
  9263. Auth defines the information necessary to authenticate against AWS
  9264. if not set aws sdk will infer credentials from your environment
  9265. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  9266. properties:
  9267. jwt:
  9268. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  9269. properties:
  9270. serviceAccountRef:
  9271. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  9272. properties:
  9273. audiences:
  9274. description: |-
  9275. Audience specifies the `aud` claim for the service account token
  9276. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9277. then this audiences will be appended to the list
  9278. items:
  9279. type: string
  9280. type: array
  9281. name:
  9282. description: The name of the ServiceAccount resource being referred to.
  9283. maxLength: 253
  9284. minLength: 1
  9285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9286. type: string
  9287. namespace:
  9288. description: |-
  9289. Namespace of the resource being referred to.
  9290. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9291. maxLength: 63
  9292. minLength: 1
  9293. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9294. type: string
  9295. required:
  9296. - name
  9297. type: object
  9298. type: object
  9299. secretRef:
  9300. description: |-
  9301. AWSAuthSecretRef holds secret references for AWS credentials
  9302. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  9303. properties:
  9304. accessKeyIDSecretRef:
  9305. description: The AccessKeyID is used for authentication
  9306. properties:
  9307. key:
  9308. description: |-
  9309. A key in the referenced Secret.
  9310. Some instances of this field may be defaulted, in others it may be required.
  9311. maxLength: 253
  9312. minLength: 1
  9313. pattern: ^[-._a-zA-Z0-9]+$
  9314. type: string
  9315. name:
  9316. description: The name of the Secret resource being referred to.
  9317. maxLength: 253
  9318. minLength: 1
  9319. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9320. type: string
  9321. namespace:
  9322. description: |-
  9323. The namespace of the Secret resource being referred to.
  9324. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9325. maxLength: 63
  9326. minLength: 1
  9327. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9328. type: string
  9329. type: object
  9330. secretAccessKeySecretRef:
  9331. description: The SecretAccessKey is used for authentication
  9332. properties:
  9333. key:
  9334. description: |-
  9335. A key in the referenced Secret.
  9336. Some instances of this field may be defaulted, in others it may be required.
  9337. maxLength: 253
  9338. minLength: 1
  9339. pattern: ^[-._a-zA-Z0-9]+$
  9340. type: string
  9341. name:
  9342. description: The name of the Secret resource being referred to.
  9343. maxLength: 253
  9344. minLength: 1
  9345. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9346. type: string
  9347. namespace:
  9348. description: |-
  9349. The namespace of the Secret resource being referred to.
  9350. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9351. maxLength: 63
  9352. minLength: 1
  9353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9354. type: string
  9355. type: object
  9356. sessionTokenSecretRef:
  9357. description: |-
  9358. The SessionToken used for authentication
  9359. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  9360. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  9361. properties:
  9362. key:
  9363. description: |-
  9364. A key in the referenced Secret.
  9365. Some instances of this field may be defaulted, in others it may be required.
  9366. maxLength: 253
  9367. minLength: 1
  9368. pattern: ^[-._a-zA-Z0-9]+$
  9369. type: string
  9370. name:
  9371. description: The name of the Secret resource being referred to.
  9372. maxLength: 253
  9373. minLength: 1
  9374. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9375. type: string
  9376. namespace:
  9377. description: |-
  9378. The namespace of the Secret resource being referred to.
  9379. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9380. maxLength: 63
  9381. minLength: 1
  9382. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9383. type: string
  9384. type: object
  9385. type: object
  9386. type: object
  9387. externalID:
  9388. description: AWS External ID set on assumed IAM roles
  9389. type: string
  9390. prefix:
  9391. description: Prefix adds a prefix to all retrieved values.
  9392. type: string
  9393. region:
  9394. description: AWS Region to be used for the provider
  9395. type: string
  9396. role:
  9397. description: Role is a Role ARN which the provider will assume
  9398. type: string
  9399. secretsManager:
  9400. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  9401. properties:
  9402. forceDeleteWithoutRecovery:
  9403. description: |-
  9404. Specifies whether to delete the secret without any recovery window. You
  9405. can't use both this parameter and RecoveryWindowInDays in the same call.
  9406. If you don't use either, then by default Secrets Manager uses a 30 day
  9407. recovery window.
  9408. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  9409. type: boolean
  9410. recoveryWindowInDays:
  9411. description: |-
  9412. The number of days from 7 to 30 that Secrets Manager waits before
  9413. permanently deleting the secret. You can't use both this parameter and
  9414. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  9415. then by default Secrets Manager uses a 30 day recovery window.
  9416. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  9417. format: int64
  9418. type: integer
  9419. type: object
  9420. service:
  9421. description: Service defines which service should be used to fetch the secrets
  9422. enum:
  9423. - SecretsManager
  9424. - ParameterStore
  9425. type: string
  9426. sessionTags:
  9427. description: AWS STS assume role session tags
  9428. items:
  9429. description: Tag defines a tag key and value for AWS resources.
  9430. properties:
  9431. key:
  9432. type: string
  9433. value:
  9434. type: string
  9435. required:
  9436. - key
  9437. - value
  9438. type: object
  9439. type: array
  9440. transitiveTagKeys:
  9441. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  9442. items:
  9443. type: string
  9444. type: array
  9445. required:
  9446. - region
  9447. - service
  9448. type: object
  9449. azurekv:
  9450. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  9451. properties:
  9452. authSecretRef:
  9453. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9454. properties:
  9455. clientCertificate:
  9456. description: The Azure ClientCertificate of the service principle used for authentication.
  9457. properties:
  9458. key:
  9459. description: |-
  9460. A key in the referenced Secret.
  9461. Some instances of this field may be defaulted, in others it may be required.
  9462. maxLength: 253
  9463. minLength: 1
  9464. pattern: ^[-._a-zA-Z0-9]+$
  9465. type: string
  9466. name:
  9467. description: The name of the Secret resource being referred to.
  9468. maxLength: 253
  9469. minLength: 1
  9470. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9471. type: string
  9472. namespace:
  9473. description: |-
  9474. The namespace of the Secret resource being referred to.
  9475. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9476. maxLength: 63
  9477. minLength: 1
  9478. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9479. type: string
  9480. type: object
  9481. clientId:
  9482. description: The Azure clientId of the service principle or managed identity used for authentication.
  9483. properties:
  9484. key:
  9485. description: |-
  9486. A key in the referenced Secret.
  9487. Some instances of this field may be defaulted, in others it may be required.
  9488. maxLength: 253
  9489. minLength: 1
  9490. pattern: ^[-._a-zA-Z0-9]+$
  9491. type: string
  9492. name:
  9493. description: The name of the Secret resource being referred to.
  9494. maxLength: 253
  9495. minLength: 1
  9496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9497. type: string
  9498. namespace:
  9499. description: |-
  9500. The namespace of the Secret resource being referred to.
  9501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9502. maxLength: 63
  9503. minLength: 1
  9504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9505. type: string
  9506. type: object
  9507. clientSecret:
  9508. description: The Azure ClientSecret of the service principle used for authentication.
  9509. properties:
  9510. key:
  9511. description: |-
  9512. A key in the referenced Secret.
  9513. Some instances of this field may be defaulted, in others it may be required.
  9514. maxLength: 253
  9515. minLength: 1
  9516. pattern: ^[-._a-zA-Z0-9]+$
  9517. type: string
  9518. name:
  9519. description: The name of the Secret resource being referred to.
  9520. maxLength: 253
  9521. minLength: 1
  9522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9523. type: string
  9524. namespace:
  9525. description: |-
  9526. The namespace of the Secret resource being referred to.
  9527. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9528. maxLength: 63
  9529. minLength: 1
  9530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9531. type: string
  9532. type: object
  9533. tenantId:
  9534. description: The Azure tenantId of the managed identity used for authentication.
  9535. properties:
  9536. key:
  9537. description: |-
  9538. A key in the referenced Secret.
  9539. Some instances of this field may be defaulted, in others it may be required.
  9540. maxLength: 253
  9541. minLength: 1
  9542. pattern: ^[-._a-zA-Z0-9]+$
  9543. type: string
  9544. name:
  9545. description: The name of the Secret resource being referred to.
  9546. maxLength: 253
  9547. minLength: 1
  9548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9549. type: string
  9550. namespace:
  9551. description: |-
  9552. The namespace of the Secret resource being referred to.
  9553. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9554. maxLength: 63
  9555. minLength: 1
  9556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9557. type: string
  9558. type: object
  9559. type: object
  9560. authType:
  9561. default: ServicePrincipal
  9562. description: |-
  9563. Auth type defines how to authenticate to the keyvault service.
  9564. Valid values are:
  9565. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  9566. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  9567. enum:
  9568. - ServicePrincipal
  9569. - ManagedIdentity
  9570. - WorkloadIdentity
  9571. type: string
  9572. environmentType:
  9573. default: PublicCloud
  9574. description: |-
  9575. EnvironmentType specifies the Azure cloud environment endpoints to use for
  9576. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  9577. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  9578. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  9579. enum:
  9580. - PublicCloud
  9581. - USGovernmentCloud
  9582. - ChinaCloud
  9583. - GermanCloud
  9584. type: string
  9585. identityId:
  9586. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  9587. type: string
  9588. serviceAccountRef:
  9589. description: |-
  9590. ServiceAccountRef specified the service account
  9591. that should be used when authenticating with WorkloadIdentity.
  9592. properties:
  9593. audiences:
  9594. description: |-
  9595. Audience specifies the `aud` claim for the service account token
  9596. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9597. then this audiences will be appended to the list
  9598. items:
  9599. type: string
  9600. type: array
  9601. name:
  9602. description: The name of the ServiceAccount resource being referred to.
  9603. maxLength: 253
  9604. minLength: 1
  9605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9606. type: string
  9607. namespace:
  9608. description: |-
  9609. Namespace of the resource being referred to.
  9610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9611. maxLength: 63
  9612. minLength: 1
  9613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9614. type: string
  9615. required:
  9616. - name
  9617. type: object
  9618. tenantId:
  9619. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  9620. type: string
  9621. vaultUrl:
  9622. description: Vault Url from which the secrets to be fetched from.
  9623. type: string
  9624. required:
  9625. - vaultUrl
  9626. type: object
  9627. beyondtrust:
  9628. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  9629. properties:
  9630. auth:
  9631. description: Auth configures how the operator authenticates with Beyondtrust.
  9632. properties:
  9633. apiKey:
  9634. description: APIKey If not provided then ClientID/ClientSecret become required.
  9635. properties:
  9636. secretRef:
  9637. description: SecretRef references a key in a secret that will be used as value.
  9638. properties:
  9639. key:
  9640. description: |-
  9641. A key in the referenced Secret.
  9642. Some instances of this field may be defaulted, in others it may be required.
  9643. maxLength: 253
  9644. minLength: 1
  9645. pattern: ^[-._a-zA-Z0-9]+$
  9646. type: string
  9647. name:
  9648. description: The name of the Secret resource being referred to.
  9649. maxLength: 253
  9650. minLength: 1
  9651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9652. type: string
  9653. namespace:
  9654. description: |-
  9655. The namespace of the Secret resource being referred to.
  9656. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9657. maxLength: 63
  9658. minLength: 1
  9659. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9660. type: string
  9661. type: object
  9662. value:
  9663. description: Value can be specified directly to set a value without using a secret.
  9664. type: string
  9665. type: object
  9666. certificate:
  9667. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  9668. properties:
  9669. secretRef:
  9670. description: SecretRef references a key in a secret that will be used as value.
  9671. properties:
  9672. key:
  9673. description: |-
  9674. A key in the referenced Secret.
  9675. Some instances of this field may be defaulted, in others it may be required.
  9676. maxLength: 253
  9677. minLength: 1
  9678. pattern: ^[-._a-zA-Z0-9]+$
  9679. type: string
  9680. name:
  9681. description: The name of the Secret resource being referred to.
  9682. maxLength: 253
  9683. minLength: 1
  9684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9685. type: string
  9686. namespace:
  9687. description: |-
  9688. The namespace of the Secret resource being referred to.
  9689. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9690. maxLength: 63
  9691. minLength: 1
  9692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9693. type: string
  9694. type: object
  9695. value:
  9696. description: Value can be specified directly to set a value without using a secret.
  9697. type: string
  9698. type: object
  9699. certificateKey:
  9700. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  9701. properties:
  9702. secretRef:
  9703. description: SecretRef references a key in a secret that will be used as value.
  9704. properties:
  9705. key:
  9706. description: |-
  9707. A key in the referenced Secret.
  9708. Some instances of this field may be defaulted, in others it may be required.
  9709. maxLength: 253
  9710. minLength: 1
  9711. pattern: ^[-._a-zA-Z0-9]+$
  9712. type: string
  9713. name:
  9714. description: The name of the Secret resource being referred to.
  9715. maxLength: 253
  9716. minLength: 1
  9717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9718. type: string
  9719. namespace:
  9720. description: |-
  9721. The namespace of the Secret resource being referred to.
  9722. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9723. maxLength: 63
  9724. minLength: 1
  9725. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9726. type: string
  9727. type: object
  9728. value:
  9729. description: Value can be specified directly to set a value without using a secret.
  9730. type: string
  9731. type: object
  9732. clientId:
  9733. description: ClientID is the API OAuth Client ID.
  9734. properties:
  9735. secretRef:
  9736. description: SecretRef references a key in a secret that will be used as value.
  9737. properties:
  9738. key:
  9739. description: |-
  9740. A key in the referenced Secret.
  9741. Some instances of this field may be defaulted, in others it may be required.
  9742. maxLength: 253
  9743. minLength: 1
  9744. pattern: ^[-._a-zA-Z0-9]+$
  9745. type: string
  9746. name:
  9747. description: The name of the Secret resource being referred to.
  9748. maxLength: 253
  9749. minLength: 1
  9750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9751. type: string
  9752. namespace:
  9753. description: |-
  9754. The namespace of the Secret resource being referred to.
  9755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9756. maxLength: 63
  9757. minLength: 1
  9758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9759. type: string
  9760. type: object
  9761. value:
  9762. description: Value can be specified directly to set a value without using a secret.
  9763. type: string
  9764. type: object
  9765. clientSecret:
  9766. description: ClientSecret is the API OAuth Client Secret.
  9767. properties:
  9768. secretRef:
  9769. description: SecretRef references a key in a secret that will be used as value.
  9770. properties:
  9771. key:
  9772. description: |-
  9773. A key in the referenced Secret.
  9774. Some instances of this field may be defaulted, in others it may be required.
  9775. maxLength: 253
  9776. minLength: 1
  9777. pattern: ^[-._a-zA-Z0-9]+$
  9778. type: string
  9779. name:
  9780. description: The name of the Secret resource being referred to.
  9781. maxLength: 253
  9782. minLength: 1
  9783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9784. type: string
  9785. namespace:
  9786. description: |-
  9787. The namespace of the Secret resource being referred to.
  9788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9789. maxLength: 63
  9790. minLength: 1
  9791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9792. type: string
  9793. type: object
  9794. value:
  9795. description: Value can be specified directly to set a value without using a secret.
  9796. type: string
  9797. type: object
  9798. type: object
  9799. server:
  9800. description: Auth configures how API server works.
  9801. properties:
  9802. apiUrl:
  9803. type: string
  9804. apiVersion:
  9805. type: string
  9806. clientTimeOutSeconds:
  9807. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  9808. type: integer
  9809. decrypt:
  9810. default: true
  9811. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  9812. type: boolean
  9813. retrievalType:
  9814. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  9815. type: string
  9816. separator:
  9817. description: A character that separates the folder names.
  9818. type: string
  9819. verifyCA:
  9820. type: boolean
  9821. required:
  9822. - apiUrl
  9823. - verifyCA
  9824. type: object
  9825. required:
  9826. - auth
  9827. - server
  9828. type: object
  9829. bitwardensecretsmanager:
  9830. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  9831. properties:
  9832. apiURL:
  9833. type: string
  9834. auth:
  9835. description: |-
  9836. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  9837. Make sure that the token being used has permissions on the given secret.
  9838. properties:
  9839. secretRef:
  9840. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  9841. properties:
  9842. credentials:
  9843. description: AccessToken used for the bitwarden instance.
  9844. properties:
  9845. key:
  9846. description: |-
  9847. A key in the referenced Secret.
  9848. Some instances of this field may be defaulted, in others it may be required.
  9849. maxLength: 253
  9850. minLength: 1
  9851. pattern: ^[-._a-zA-Z0-9]+$
  9852. type: string
  9853. name:
  9854. description: The name of the Secret resource being referred to.
  9855. maxLength: 253
  9856. minLength: 1
  9857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9858. type: string
  9859. namespace:
  9860. description: |-
  9861. The namespace of the Secret resource being referred to.
  9862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9863. maxLength: 63
  9864. minLength: 1
  9865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9866. type: string
  9867. type: object
  9868. required:
  9869. - credentials
  9870. type: object
  9871. required:
  9872. - secretRef
  9873. type: object
  9874. bitwardenServerSDKURL:
  9875. type: string
  9876. caBundle:
  9877. description: |-
  9878. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  9879. can be performed.
  9880. type: string
  9881. caProvider:
  9882. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  9883. properties:
  9884. key:
  9885. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9886. maxLength: 253
  9887. minLength: 1
  9888. pattern: ^[-._a-zA-Z0-9]+$
  9889. type: string
  9890. name:
  9891. description: The name of the object located at the provider type.
  9892. maxLength: 253
  9893. minLength: 1
  9894. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9895. type: string
  9896. namespace:
  9897. description: |-
  9898. The namespace the Provider type is in.
  9899. Can only be defined when used in a ClusterSecretStore.
  9900. maxLength: 63
  9901. minLength: 1
  9902. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9903. type: string
  9904. type:
  9905. description: The type of provider to use such as "Secret", or "ConfigMap".
  9906. enum:
  9907. - Secret
  9908. - ConfigMap
  9909. type: string
  9910. required:
  9911. - name
  9912. - type
  9913. type: object
  9914. identityURL:
  9915. type: string
  9916. organizationID:
  9917. description: OrganizationID determines which organization this secret store manages.
  9918. type: string
  9919. projectID:
  9920. description: ProjectID determines which project this secret store manages.
  9921. type: string
  9922. required:
  9923. - auth
  9924. - organizationID
  9925. - projectID
  9926. type: object
  9927. chef:
  9928. description: Chef configures this store to sync secrets with chef server
  9929. properties:
  9930. auth:
  9931. description: Auth defines the information necessary to authenticate against chef Server
  9932. properties:
  9933. secretRef:
  9934. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  9935. properties:
  9936. privateKeySecretRef:
  9937. description: SecretKey is the Signing Key in PEM format, used for authentication.
  9938. properties:
  9939. key:
  9940. description: |-
  9941. A key in the referenced Secret.
  9942. Some instances of this field may be defaulted, in others it may be required.
  9943. maxLength: 253
  9944. minLength: 1
  9945. pattern: ^[-._a-zA-Z0-9]+$
  9946. type: string
  9947. name:
  9948. description: The name of the Secret resource being referred to.
  9949. maxLength: 253
  9950. minLength: 1
  9951. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  9952. type: string
  9953. namespace:
  9954. description: |-
  9955. The namespace of the Secret resource being referred to.
  9956. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  9957. maxLength: 63
  9958. minLength: 1
  9959. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  9960. type: string
  9961. type: object
  9962. required:
  9963. - privateKeySecretRef
  9964. type: object
  9965. required:
  9966. - secretRef
  9967. type: object
  9968. serverUrl:
  9969. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  9970. type: string
  9971. username:
  9972. description: UserName should be the user ID on the chef server
  9973. type: string
  9974. required:
  9975. - auth
  9976. - serverUrl
  9977. - username
  9978. type: object
  9979. cloudrusm:
  9980. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  9981. properties:
  9982. auth:
  9983. description: CSMAuth contains a secretRef for credentials.
  9984. properties:
  9985. secretRef:
  9986. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  9987. properties:
  9988. accessKeyIDSecretRef:
  9989. description: The AccessKeyID is used for authentication
  9990. properties:
  9991. key:
  9992. description: |-
  9993. A key in the referenced Secret.
  9994. Some instances of this field may be defaulted, in others it may be required.
  9995. maxLength: 253
  9996. minLength: 1
  9997. pattern: ^[-._a-zA-Z0-9]+$
  9998. type: string
  9999. name:
  10000. description: The name of the Secret resource being referred to.
  10001. maxLength: 253
  10002. minLength: 1
  10003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10004. type: string
  10005. namespace:
  10006. description: |-
  10007. The namespace of the Secret resource being referred to.
  10008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10009. maxLength: 63
  10010. minLength: 1
  10011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10012. type: string
  10013. type: object
  10014. accessKeySecretSecretRef:
  10015. description: The AccessKeySecret is used for authentication
  10016. properties:
  10017. key:
  10018. description: |-
  10019. A key in the referenced Secret.
  10020. Some instances of this field may be defaulted, in others it may be required.
  10021. maxLength: 253
  10022. minLength: 1
  10023. pattern: ^[-._a-zA-Z0-9]+$
  10024. type: string
  10025. name:
  10026. description: The name of the Secret resource being referred to.
  10027. maxLength: 253
  10028. minLength: 1
  10029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10030. type: string
  10031. namespace:
  10032. description: |-
  10033. The namespace of the Secret resource being referred to.
  10034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10035. maxLength: 63
  10036. minLength: 1
  10037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10038. type: string
  10039. type: object
  10040. required:
  10041. - accessKeyIDSecretRef
  10042. - accessKeySecretSecretRef
  10043. type: object
  10044. type: object
  10045. projectID:
  10046. description: ProjectID is the project, which the secrets are stored in.
  10047. type: string
  10048. required:
  10049. - auth
  10050. type: object
  10051. conjur:
  10052. description: Conjur configures this store to sync secrets using conjur provider
  10053. properties:
  10054. auth:
  10055. description: Defines authentication settings for connecting to Conjur.
  10056. properties:
  10057. apikey:
  10058. description: Authenticates with Conjur using an API key.
  10059. properties:
  10060. account:
  10061. description: Account is the Conjur organization account name.
  10062. type: string
  10063. apiKeyRef:
  10064. description: |-
  10065. A reference to a specific 'key' containing the Conjur API key
  10066. within a Secret resource. In some instances, `key` is a required field.
  10067. properties:
  10068. key:
  10069. description: |-
  10070. A key in the referenced Secret.
  10071. Some instances of this field may be defaulted, in others it may be required.
  10072. maxLength: 253
  10073. minLength: 1
  10074. pattern: ^[-._a-zA-Z0-9]+$
  10075. type: string
  10076. name:
  10077. description: The name of the Secret resource being referred to.
  10078. maxLength: 253
  10079. minLength: 1
  10080. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10081. type: string
  10082. namespace:
  10083. description: |-
  10084. The namespace of the Secret resource being referred to.
  10085. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10086. maxLength: 63
  10087. minLength: 1
  10088. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10089. type: string
  10090. type: object
  10091. userRef:
  10092. description: |-
  10093. A reference to a specific 'key' containing the Conjur username
  10094. within a Secret resource. In some instances, `key` is a required field.
  10095. properties:
  10096. key:
  10097. description: |-
  10098. A key in the referenced Secret.
  10099. Some instances of this field may be defaulted, in others it may be required.
  10100. maxLength: 253
  10101. minLength: 1
  10102. pattern: ^[-._a-zA-Z0-9]+$
  10103. type: string
  10104. name:
  10105. description: The name of the Secret resource being referred to.
  10106. maxLength: 253
  10107. minLength: 1
  10108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10109. type: string
  10110. namespace:
  10111. description: |-
  10112. The namespace of the Secret resource being referred to.
  10113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10114. maxLength: 63
  10115. minLength: 1
  10116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10117. type: string
  10118. type: object
  10119. required:
  10120. - account
  10121. - apiKeyRef
  10122. - userRef
  10123. type: object
  10124. jwt:
  10125. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  10126. properties:
  10127. account:
  10128. description: Account is the Conjur organization account name.
  10129. type: string
  10130. hostId:
  10131. description: |-
  10132. Optional HostID for JWT authentication. This may be used depending
  10133. on how the Conjur JWT authenticator policy is configured.
  10134. type: string
  10135. secretRef:
  10136. description: |-
  10137. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  10138. authenticate with Conjur using the JWT authentication method.
  10139. properties:
  10140. key:
  10141. description: |-
  10142. A key in the referenced Secret.
  10143. Some instances of this field may be defaulted, in others it may be required.
  10144. maxLength: 253
  10145. minLength: 1
  10146. pattern: ^[-._a-zA-Z0-9]+$
  10147. type: string
  10148. name:
  10149. description: The name of the Secret resource being referred to.
  10150. maxLength: 253
  10151. minLength: 1
  10152. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10153. type: string
  10154. namespace:
  10155. description: |-
  10156. The namespace of the Secret resource being referred to.
  10157. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10158. maxLength: 63
  10159. minLength: 1
  10160. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10161. type: string
  10162. type: object
  10163. serviceAccountRef:
  10164. description: |-
  10165. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  10166. a token for with the `TokenRequest` API.
  10167. properties:
  10168. audiences:
  10169. description: |-
  10170. Audience specifies the `aud` claim for the service account token
  10171. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10172. then this audiences will be appended to the list
  10173. items:
  10174. type: string
  10175. type: array
  10176. name:
  10177. description: The name of the ServiceAccount resource being referred to.
  10178. maxLength: 253
  10179. minLength: 1
  10180. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10181. type: string
  10182. namespace:
  10183. description: |-
  10184. Namespace of the resource being referred to.
  10185. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10186. maxLength: 63
  10187. minLength: 1
  10188. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10189. type: string
  10190. required:
  10191. - name
  10192. type: object
  10193. serviceID:
  10194. description: The conjur authn jwt webservice id
  10195. type: string
  10196. required:
  10197. - account
  10198. - serviceID
  10199. type: object
  10200. type: object
  10201. caBundle:
  10202. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  10203. type: string
  10204. caProvider:
  10205. description: |-
  10206. Used to provide custom certificate authority (CA) certificates
  10207. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  10208. that contains a PEM-encoded certificate.
  10209. properties:
  10210. key:
  10211. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10212. maxLength: 253
  10213. minLength: 1
  10214. pattern: ^[-._a-zA-Z0-9]+$
  10215. type: string
  10216. name:
  10217. description: The name of the object located at the provider type.
  10218. maxLength: 253
  10219. minLength: 1
  10220. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10221. type: string
  10222. namespace:
  10223. description: |-
  10224. The namespace the Provider type is in.
  10225. Can only be defined when used in a ClusterSecretStore.
  10226. maxLength: 63
  10227. minLength: 1
  10228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10229. type: string
  10230. type:
  10231. description: The type of provider to use such as "Secret", or "ConfigMap".
  10232. enum:
  10233. - Secret
  10234. - ConfigMap
  10235. type: string
  10236. required:
  10237. - name
  10238. - type
  10239. type: object
  10240. url:
  10241. description: URL is the endpoint of the Conjur instance.
  10242. type: string
  10243. required:
  10244. - auth
  10245. - url
  10246. type: object
  10247. delinea:
  10248. description: |-
  10249. Delinea DevOps Secrets Vault
  10250. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  10251. properties:
  10252. clientId:
  10253. description: ClientID is the non-secret part of the credential.
  10254. properties:
  10255. secretRef:
  10256. description: SecretRef references a key in a secret that will be used as value.
  10257. properties:
  10258. key:
  10259. description: |-
  10260. A key in the referenced Secret.
  10261. Some instances of this field may be defaulted, in others it may be required.
  10262. maxLength: 253
  10263. minLength: 1
  10264. pattern: ^[-._a-zA-Z0-9]+$
  10265. type: string
  10266. name:
  10267. description: The name of the Secret resource being referred to.
  10268. maxLength: 253
  10269. minLength: 1
  10270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10271. type: string
  10272. namespace:
  10273. description: |-
  10274. The namespace of the Secret resource being referred to.
  10275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10276. maxLength: 63
  10277. minLength: 1
  10278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10279. type: string
  10280. type: object
  10281. value:
  10282. description: Value can be specified directly to set a value without using a secret.
  10283. type: string
  10284. type: object
  10285. clientSecret:
  10286. description: ClientSecret is the secret part of the credential.
  10287. properties:
  10288. secretRef:
  10289. description: SecretRef references a key in a secret that will be used as value.
  10290. properties:
  10291. key:
  10292. description: |-
  10293. A key in the referenced Secret.
  10294. Some instances of this field may be defaulted, in others it may be required.
  10295. maxLength: 253
  10296. minLength: 1
  10297. pattern: ^[-._a-zA-Z0-9]+$
  10298. type: string
  10299. name:
  10300. description: The name of the Secret resource being referred to.
  10301. maxLength: 253
  10302. minLength: 1
  10303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10304. type: string
  10305. namespace:
  10306. description: |-
  10307. The namespace of the Secret resource being referred to.
  10308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10309. maxLength: 63
  10310. minLength: 1
  10311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10312. type: string
  10313. type: object
  10314. value:
  10315. description: Value can be specified directly to set a value without using a secret.
  10316. type: string
  10317. type: object
  10318. tenant:
  10319. description: Tenant is the chosen hostname / site name.
  10320. type: string
  10321. tld:
  10322. description: |-
  10323. TLD is based on the server location that was chosen during provisioning.
  10324. If unset, defaults to "com".
  10325. type: string
  10326. urlTemplate:
  10327. description: |-
  10328. URLTemplate
  10329. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  10330. type: string
  10331. required:
  10332. - clientId
  10333. - clientSecret
  10334. - tenant
  10335. type: object
  10336. device42:
  10337. description: Device42 configures this store to sync secrets using the Device42 provider
  10338. properties:
  10339. auth:
  10340. description: Auth configures how secret-manager authenticates with a Device42 instance.
  10341. properties:
  10342. secretRef:
  10343. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  10344. properties:
  10345. credentials:
  10346. description: Username / Password is used for authentication.
  10347. properties:
  10348. key:
  10349. description: |-
  10350. A key in the referenced Secret.
  10351. Some instances of this field may be defaulted, in others it may be required.
  10352. maxLength: 253
  10353. minLength: 1
  10354. pattern: ^[-._a-zA-Z0-9]+$
  10355. type: string
  10356. name:
  10357. description: The name of the Secret resource being referred to.
  10358. maxLength: 253
  10359. minLength: 1
  10360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10361. type: string
  10362. namespace:
  10363. description: |-
  10364. The namespace of the Secret resource being referred to.
  10365. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10366. maxLength: 63
  10367. minLength: 1
  10368. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10369. type: string
  10370. type: object
  10371. type: object
  10372. required:
  10373. - secretRef
  10374. type: object
  10375. host:
  10376. description: URL configures the Device42 instance URL.
  10377. type: string
  10378. required:
  10379. - auth
  10380. - host
  10381. type: object
  10382. doppler:
  10383. description: Doppler configures this store to sync secrets using the Doppler provider
  10384. properties:
  10385. auth:
  10386. description: Auth configures how the Operator authenticates with the Doppler API
  10387. properties:
  10388. secretRef:
  10389. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  10390. properties:
  10391. dopplerToken:
  10392. description: |-
  10393. The DopplerToken is used for authentication.
  10394. See https://docs.doppler.com/reference/api#authentication for auth token types.
  10395. The Key attribute defaults to dopplerToken if not specified.
  10396. properties:
  10397. key:
  10398. description: |-
  10399. A key in the referenced Secret.
  10400. Some instances of this field may be defaulted, in others it may be required.
  10401. maxLength: 253
  10402. minLength: 1
  10403. pattern: ^[-._a-zA-Z0-9]+$
  10404. type: string
  10405. name:
  10406. description: The name of the Secret resource being referred to.
  10407. maxLength: 253
  10408. minLength: 1
  10409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10410. type: string
  10411. namespace:
  10412. description: |-
  10413. The namespace of the Secret resource being referred to.
  10414. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10415. maxLength: 63
  10416. minLength: 1
  10417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10418. type: string
  10419. type: object
  10420. required:
  10421. - dopplerToken
  10422. type: object
  10423. required:
  10424. - secretRef
  10425. type: object
  10426. config:
  10427. description: Doppler config (required if not using a Service Token)
  10428. type: string
  10429. format:
  10430. description: Format enables the downloading of secrets as a file (string)
  10431. enum:
  10432. - json
  10433. - dotnet-json
  10434. - env
  10435. - yaml
  10436. - docker
  10437. type: string
  10438. nameTransformer:
  10439. description: Environment variable compatible name transforms that change secret names to a different format
  10440. enum:
  10441. - upper-camel
  10442. - camel
  10443. - lower-snake
  10444. - tf-var
  10445. - dotnet-env
  10446. - lower-kebab
  10447. type: string
  10448. project:
  10449. description: Doppler project (required if not using a Service Token)
  10450. type: string
  10451. required:
  10452. - auth
  10453. type: object
  10454. fake:
  10455. description: Fake configures a store with static key/value pairs
  10456. properties:
  10457. data:
  10458. items:
  10459. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  10460. properties:
  10461. key:
  10462. type: string
  10463. value:
  10464. type: string
  10465. version:
  10466. type: string
  10467. required:
  10468. - key
  10469. - value
  10470. type: object
  10471. type: array
  10472. required:
  10473. - data
  10474. type: object
  10475. fortanix:
  10476. description: Fortanix configures this store to sync secrets using the Fortanix provider
  10477. properties:
  10478. apiKey:
  10479. description: APIKey is the API token to access SDKMS Applications.
  10480. properties:
  10481. secretRef:
  10482. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  10483. properties:
  10484. key:
  10485. description: |-
  10486. A key in the referenced Secret.
  10487. Some instances of this field may be defaulted, in others it may be required.
  10488. maxLength: 253
  10489. minLength: 1
  10490. pattern: ^[-._a-zA-Z0-9]+$
  10491. type: string
  10492. name:
  10493. description: The name of the Secret resource being referred to.
  10494. maxLength: 253
  10495. minLength: 1
  10496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10497. type: string
  10498. namespace:
  10499. description: |-
  10500. The namespace of the Secret resource being referred to.
  10501. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10502. maxLength: 63
  10503. minLength: 1
  10504. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10505. type: string
  10506. type: object
  10507. type: object
  10508. apiUrl:
  10509. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  10510. type: string
  10511. type: object
  10512. gcpsm:
  10513. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  10514. properties:
  10515. auth:
  10516. description: Auth defines the information necessary to authenticate against GCP
  10517. properties:
  10518. secretRef:
  10519. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  10520. properties:
  10521. secretAccessKeySecretRef:
  10522. description: The SecretAccessKey is used for authentication
  10523. properties:
  10524. key:
  10525. description: |-
  10526. A key in the referenced Secret.
  10527. Some instances of this field may be defaulted, in others it may be required.
  10528. maxLength: 253
  10529. minLength: 1
  10530. pattern: ^[-._a-zA-Z0-9]+$
  10531. type: string
  10532. name:
  10533. description: The name of the Secret resource being referred to.
  10534. maxLength: 253
  10535. minLength: 1
  10536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10537. type: string
  10538. namespace:
  10539. description: |-
  10540. The namespace of the Secret resource being referred to.
  10541. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10542. maxLength: 63
  10543. minLength: 1
  10544. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10545. type: string
  10546. type: object
  10547. type: object
  10548. workloadIdentity:
  10549. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  10550. properties:
  10551. clusterLocation:
  10552. description: |-
  10553. ClusterLocation is the location of the cluster
  10554. If not specified, it fetches information from the metadata server
  10555. type: string
  10556. clusterName:
  10557. description: |-
  10558. ClusterName is the name of the cluster
  10559. If not specified, it fetches information from the metadata server
  10560. type: string
  10561. clusterProjectID:
  10562. description: |-
  10563. ClusterProjectID is the project ID of the cluster
  10564. If not specified, it fetches information from the metadata server
  10565. type: string
  10566. serviceAccountRef:
  10567. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  10568. properties:
  10569. audiences:
  10570. description: |-
  10571. Audience specifies the `aud` claim for the service account token
  10572. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10573. then this audiences will be appended to the list
  10574. items:
  10575. type: string
  10576. type: array
  10577. name:
  10578. description: The name of the ServiceAccount resource being referred to.
  10579. maxLength: 253
  10580. minLength: 1
  10581. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10582. type: string
  10583. namespace:
  10584. description: |-
  10585. Namespace of the resource being referred to.
  10586. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10587. maxLength: 63
  10588. minLength: 1
  10589. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10590. type: string
  10591. required:
  10592. - name
  10593. type: object
  10594. required:
  10595. - serviceAccountRef
  10596. type: object
  10597. type: object
  10598. location:
  10599. description: Location optionally defines a location for a secret
  10600. type: string
  10601. projectID:
  10602. description: ProjectID project where secret is located
  10603. type: string
  10604. type: object
  10605. github:
  10606. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  10607. properties:
  10608. appID:
  10609. description: appID specifies the Github APP that will be used to authenticate the client
  10610. format: int64
  10611. type: integer
  10612. auth:
  10613. description: auth configures how secret-manager authenticates with a Github instance.
  10614. properties:
  10615. privateKey:
  10616. description: |-
  10617. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10618. In some instances, `key` is a required field.
  10619. properties:
  10620. key:
  10621. description: |-
  10622. A key in the referenced Secret.
  10623. Some instances of this field may be defaulted, in others it may be required.
  10624. maxLength: 253
  10625. minLength: 1
  10626. pattern: ^[-._a-zA-Z0-9]+$
  10627. type: string
  10628. name:
  10629. description: The name of the Secret resource being referred to.
  10630. maxLength: 253
  10631. minLength: 1
  10632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10633. type: string
  10634. namespace:
  10635. description: |-
  10636. The namespace of the Secret resource being referred to.
  10637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10638. maxLength: 63
  10639. minLength: 1
  10640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10641. type: string
  10642. type: object
  10643. required:
  10644. - privateKey
  10645. type: object
  10646. environment:
  10647. description: environment will be used to fetch secrets from a particular environment within a github repository
  10648. type: string
  10649. installationID:
  10650. description: installationID specifies the Github APP installation that will be used to authenticate the client
  10651. format: int64
  10652. type: integer
  10653. organization:
  10654. description: organization will be used to fetch secrets from the Github organization
  10655. type: string
  10656. repository:
  10657. description: repository will be used to fetch secrets from the Github repository within an organization
  10658. type: string
  10659. uploadURL:
  10660. description: Upload URL for enterprise instances. Default to URL.
  10661. type: string
  10662. url:
  10663. default: https://github.com/
  10664. description: URL configures the Github instance URL. Defaults to https://github.com/.
  10665. type: string
  10666. required:
  10667. - appID
  10668. - auth
  10669. - installationID
  10670. - organization
  10671. type: object
  10672. gitlab:
  10673. description: GitLab configures this store to sync secrets using GitLab Variables provider
  10674. properties:
  10675. auth:
  10676. description: Auth configures how secret-manager authenticates with a GitLab instance.
  10677. properties:
  10678. SecretRef:
  10679. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  10680. properties:
  10681. accessToken:
  10682. description: AccessToken is used for authentication.
  10683. properties:
  10684. key:
  10685. description: |-
  10686. A key in the referenced Secret.
  10687. Some instances of this field may be defaulted, in others it may be required.
  10688. maxLength: 253
  10689. minLength: 1
  10690. pattern: ^[-._a-zA-Z0-9]+$
  10691. type: string
  10692. name:
  10693. description: The name of the Secret resource being referred to.
  10694. maxLength: 253
  10695. minLength: 1
  10696. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10697. type: string
  10698. namespace:
  10699. description: |-
  10700. The namespace of the Secret resource being referred to.
  10701. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10702. maxLength: 63
  10703. minLength: 1
  10704. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10705. type: string
  10706. type: object
  10707. type: object
  10708. required:
  10709. - SecretRef
  10710. type: object
  10711. caBundle:
  10712. description: |-
  10713. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  10714. can be performed.
  10715. format: byte
  10716. type: string
  10717. caProvider:
  10718. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  10719. properties:
  10720. key:
  10721. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10722. maxLength: 253
  10723. minLength: 1
  10724. pattern: ^[-._a-zA-Z0-9]+$
  10725. type: string
  10726. name:
  10727. description: The name of the object located at the provider type.
  10728. maxLength: 253
  10729. minLength: 1
  10730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10731. type: string
  10732. namespace:
  10733. description: |-
  10734. The namespace the Provider type is in.
  10735. Can only be defined when used in a ClusterSecretStore.
  10736. maxLength: 63
  10737. minLength: 1
  10738. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10739. type: string
  10740. type:
  10741. description: The type of provider to use such as "Secret", or "ConfigMap".
  10742. enum:
  10743. - Secret
  10744. - ConfigMap
  10745. type: string
  10746. required:
  10747. - name
  10748. - type
  10749. type: object
  10750. environment:
  10751. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  10752. type: string
  10753. groupIDs:
  10754. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  10755. items:
  10756. type: string
  10757. type: array
  10758. inheritFromGroups:
  10759. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  10760. type: boolean
  10761. projectID:
  10762. description: ProjectID specifies a project where secrets are located.
  10763. type: string
  10764. url:
  10765. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  10766. type: string
  10767. required:
  10768. - auth
  10769. type: object
  10770. ibm:
  10771. description: IBM configures this store to sync secrets using IBM Cloud provider
  10772. properties:
  10773. auth:
  10774. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  10775. maxProperties: 1
  10776. minProperties: 1
  10777. properties:
  10778. containerAuth:
  10779. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  10780. properties:
  10781. iamEndpoint:
  10782. type: string
  10783. profile:
  10784. description: the IBM Trusted Profile
  10785. type: string
  10786. tokenLocation:
  10787. description: Location the token is mounted on the pod
  10788. type: string
  10789. required:
  10790. - profile
  10791. type: object
  10792. secretRef:
  10793. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  10794. properties:
  10795. secretApiKeySecretRef:
  10796. description: The SecretAccessKey is used for authentication
  10797. properties:
  10798. key:
  10799. description: |-
  10800. A key in the referenced Secret.
  10801. Some instances of this field may be defaulted, in others it may be required.
  10802. maxLength: 253
  10803. minLength: 1
  10804. pattern: ^[-._a-zA-Z0-9]+$
  10805. type: string
  10806. name:
  10807. description: The name of the Secret resource being referred to.
  10808. maxLength: 253
  10809. minLength: 1
  10810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10811. type: string
  10812. namespace:
  10813. description: |-
  10814. The namespace of the Secret resource being referred to.
  10815. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10816. maxLength: 63
  10817. minLength: 1
  10818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10819. type: string
  10820. type: object
  10821. type: object
  10822. type: object
  10823. serviceUrl:
  10824. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  10825. type: string
  10826. required:
  10827. - auth
  10828. type: object
  10829. infisical:
  10830. description: Infisical configures this store to sync secrets using the Infisical provider
  10831. properties:
  10832. auth:
  10833. description: Auth configures how the Operator authenticates with the Infisical API
  10834. properties:
  10835. universalAuthCredentials:
  10836. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  10837. properties:
  10838. clientId:
  10839. description: |-
  10840. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10841. In some instances, `key` is a required field.
  10842. properties:
  10843. key:
  10844. description: |-
  10845. A key in the referenced Secret.
  10846. Some instances of this field may be defaulted, in others it may be required.
  10847. maxLength: 253
  10848. minLength: 1
  10849. pattern: ^[-._a-zA-Z0-9]+$
  10850. type: string
  10851. name:
  10852. description: The name of the Secret resource being referred to.
  10853. maxLength: 253
  10854. minLength: 1
  10855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10856. type: string
  10857. namespace:
  10858. description: |-
  10859. The namespace of the Secret resource being referred to.
  10860. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10861. maxLength: 63
  10862. minLength: 1
  10863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10864. type: string
  10865. type: object
  10866. clientSecret:
  10867. description: |-
  10868. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10869. In some instances, `key` is a required field.
  10870. properties:
  10871. key:
  10872. description: |-
  10873. A key in the referenced Secret.
  10874. Some instances of this field may be defaulted, in others it may be required.
  10875. maxLength: 253
  10876. minLength: 1
  10877. pattern: ^[-._a-zA-Z0-9]+$
  10878. type: string
  10879. name:
  10880. description: The name of the Secret resource being referred to.
  10881. maxLength: 253
  10882. minLength: 1
  10883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10884. type: string
  10885. namespace:
  10886. description: |-
  10887. The namespace of the Secret resource being referred to.
  10888. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10889. maxLength: 63
  10890. minLength: 1
  10891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10892. type: string
  10893. type: object
  10894. required:
  10895. - clientId
  10896. - clientSecret
  10897. type: object
  10898. type: object
  10899. hostAPI:
  10900. default: https://app.infisical.com/api
  10901. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  10902. type: string
  10903. secretsScope:
  10904. description: SecretsScope defines the scope of the secrets within the workspace
  10905. properties:
  10906. environmentSlug:
  10907. description: EnvironmentSlug is the required slug identifier for the environment.
  10908. type: string
  10909. expandSecretReferences:
  10910. default: true
  10911. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  10912. type: boolean
  10913. projectSlug:
  10914. description: ProjectSlug is the required slug identifier for the project.
  10915. type: string
  10916. recursive:
  10917. default: false
  10918. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  10919. type: boolean
  10920. secretsPath:
  10921. default: /
  10922. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  10923. type: string
  10924. required:
  10925. - environmentSlug
  10926. - projectSlug
  10927. type: object
  10928. required:
  10929. - auth
  10930. - secretsScope
  10931. type: object
  10932. keepersecurity:
  10933. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  10934. properties:
  10935. authRef:
  10936. description: |-
  10937. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10938. In some instances, `key` is a required field.
  10939. properties:
  10940. key:
  10941. description: |-
  10942. A key in the referenced Secret.
  10943. Some instances of this field may be defaulted, in others it may be required.
  10944. maxLength: 253
  10945. minLength: 1
  10946. pattern: ^[-._a-zA-Z0-9]+$
  10947. type: string
  10948. name:
  10949. description: The name of the Secret resource being referred to.
  10950. maxLength: 253
  10951. minLength: 1
  10952. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10953. type: string
  10954. namespace:
  10955. description: |-
  10956. The namespace of the Secret resource being referred to.
  10957. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  10958. maxLength: 63
  10959. minLength: 1
  10960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  10961. type: string
  10962. type: object
  10963. folderID:
  10964. type: string
  10965. required:
  10966. - authRef
  10967. - folderID
  10968. type: object
  10969. kubernetes:
  10970. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  10971. properties:
  10972. auth:
  10973. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  10974. maxProperties: 1
  10975. minProperties: 1
  10976. properties:
  10977. cert:
  10978. description: has both clientCert and clientKey as secretKeySelector
  10979. properties:
  10980. clientCert:
  10981. description: |-
  10982. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  10983. In some instances, `key` is a required field.
  10984. properties:
  10985. key:
  10986. description: |-
  10987. A key in the referenced Secret.
  10988. Some instances of this field may be defaulted, in others it may be required.
  10989. maxLength: 253
  10990. minLength: 1
  10991. pattern: ^[-._a-zA-Z0-9]+$
  10992. type: string
  10993. name:
  10994. description: The name of the Secret resource being referred to.
  10995. maxLength: 253
  10996. minLength: 1
  10997. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  10998. type: string
  10999. namespace:
  11000. description: |-
  11001. The namespace of the Secret resource being referred to.
  11002. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11003. maxLength: 63
  11004. minLength: 1
  11005. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11006. type: string
  11007. type: object
  11008. clientKey:
  11009. description: |-
  11010. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11011. In some instances, `key` is a required field.
  11012. properties:
  11013. key:
  11014. description: |-
  11015. A key in the referenced Secret.
  11016. Some instances of this field may be defaulted, in others it may be required.
  11017. maxLength: 253
  11018. minLength: 1
  11019. pattern: ^[-._a-zA-Z0-9]+$
  11020. type: string
  11021. name:
  11022. description: The name of the Secret resource being referred to.
  11023. maxLength: 253
  11024. minLength: 1
  11025. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11026. type: string
  11027. namespace:
  11028. description: |-
  11029. The namespace of the Secret resource being referred to.
  11030. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11031. maxLength: 63
  11032. minLength: 1
  11033. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11034. type: string
  11035. type: object
  11036. type: object
  11037. serviceAccount:
  11038. description: points to a service account that should be used for authentication
  11039. properties:
  11040. audiences:
  11041. description: |-
  11042. Audience specifies the `aud` claim for the service account token
  11043. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11044. then this audiences will be appended to the list
  11045. items:
  11046. type: string
  11047. type: array
  11048. name:
  11049. description: The name of the ServiceAccount resource being referred to.
  11050. maxLength: 253
  11051. minLength: 1
  11052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11053. type: string
  11054. namespace:
  11055. description: |-
  11056. Namespace of the resource being referred to.
  11057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11058. maxLength: 63
  11059. minLength: 1
  11060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11061. type: string
  11062. required:
  11063. - name
  11064. type: object
  11065. token:
  11066. description: use static token to authenticate with
  11067. properties:
  11068. bearerToken:
  11069. description: |-
  11070. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11071. In some instances, `key` is a required field.
  11072. properties:
  11073. key:
  11074. description: |-
  11075. A key in the referenced Secret.
  11076. Some instances of this field may be defaulted, in others it may be required.
  11077. maxLength: 253
  11078. minLength: 1
  11079. pattern: ^[-._a-zA-Z0-9]+$
  11080. type: string
  11081. name:
  11082. description: The name of the Secret resource being referred to.
  11083. maxLength: 253
  11084. minLength: 1
  11085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11086. type: string
  11087. namespace:
  11088. description: |-
  11089. The namespace of the Secret resource being referred to.
  11090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11091. maxLength: 63
  11092. minLength: 1
  11093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11094. type: string
  11095. type: object
  11096. type: object
  11097. type: object
  11098. authRef:
  11099. description: A reference to a secret that contains the auth information.
  11100. properties:
  11101. key:
  11102. description: |-
  11103. A key in the referenced Secret.
  11104. Some instances of this field may be defaulted, in others it may be required.
  11105. maxLength: 253
  11106. minLength: 1
  11107. pattern: ^[-._a-zA-Z0-9]+$
  11108. type: string
  11109. name:
  11110. description: The name of the Secret resource being referred to.
  11111. maxLength: 253
  11112. minLength: 1
  11113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11114. type: string
  11115. namespace:
  11116. description: |-
  11117. The namespace of the Secret resource being referred to.
  11118. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11119. maxLength: 63
  11120. minLength: 1
  11121. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11122. type: string
  11123. type: object
  11124. remoteNamespace:
  11125. default: default
  11126. description: Remote namespace to fetch the secrets from
  11127. maxLength: 63
  11128. minLength: 1
  11129. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11130. type: string
  11131. server:
  11132. description: configures the Kubernetes server Address.
  11133. properties:
  11134. caBundle:
  11135. description: CABundle is a base64-encoded CA certificate
  11136. format: byte
  11137. type: string
  11138. caProvider:
  11139. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  11140. properties:
  11141. key:
  11142. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  11143. maxLength: 253
  11144. minLength: 1
  11145. pattern: ^[-._a-zA-Z0-9]+$
  11146. type: string
  11147. name:
  11148. description: The name of the object located at the provider type.
  11149. maxLength: 253
  11150. minLength: 1
  11151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11152. type: string
  11153. namespace:
  11154. description: |-
  11155. The namespace the Provider type is in.
  11156. Can only be defined when used in a ClusterSecretStore.
  11157. maxLength: 63
  11158. minLength: 1
  11159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11160. type: string
  11161. type:
  11162. description: The type of provider to use such as "Secret", or "ConfigMap".
  11163. enum:
  11164. - Secret
  11165. - ConfigMap
  11166. type: string
  11167. required:
  11168. - name
  11169. - type
  11170. type: object
  11171. url:
  11172. default: kubernetes.default
  11173. description: configures the Kubernetes server Address.
  11174. type: string
  11175. type: object
  11176. type: object
  11177. onboardbase:
  11178. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  11179. properties:
  11180. apiHost:
  11181. default: https://public.onboardbase.com/api/v1/
  11182. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  11183. type: string
  11184. auth:
  11185. description: Auth configures how the Operator authenticates with the Onboardbase API
  11186. properties:
  11187. apiKeyRef:
  11188. description: |-
  11189. OnboardbaseAPIKey is the APIKey generated by an admin account.
  11190. It is used to recognize and authorize access to a project and environment within onboardbase
  11191. properties:
  11192. key:
  11193. description: |-
  11194. A key in the referenced Secret.
  11195. Some instances of this field may be defaulted, in others it may be required.
  11196. maxLength: 253
  11197. minLength: 1
  11198. pattern: ^[-._a-zA-Z0-9]+$
  11199. type: string
  11200. name:
  11201. description: The name of the Secret resource being referred to.
  11202. maxLength: 253
  11203. minLength: 1
  11204. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11205. type: string
  11206. namespace:
  11207. description: |-
  11208. The namespace of the Secret resource being referred to.
  11209. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11210. maxLength: 63
  11211. minLength: 1
  11212. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11213. type: string
  11214. type: object
  11215. passcodeRef:
  11216. description: OnboardbasePasscode is the passcode attached to the API Key
  11217. properties:
  11218. key:
  11219. description: |-
  11220. A key in the referenced Secret.
  11221. Some instances of this field may be defaulted, in others it may be required.
  11222. maxLength: 253
  11223. minLength: 1
  11224. pattern: ^[-._a-zA-Z0-9]+$
  11225. type: string
  11226. name:
  11227. description: The name of the Secret resource being referred to.
  11228. maxLength: 253
  11229. minLength: 1
  11230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11231. type: string
  11232. namespace:
  11233. description: |-
  11234. The namespace of the Secret resource being referred to.
  11235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11236. maxLength: 63
  11237. minLength: 1
  11238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11239. type: string
  11240. type: object
  11241. required:
  11242. - apiKeyRef
  11243. - passcodeRef
  11244. type: object
  11245. environment:
  11246. default: development
  11247. description: Environment is the name of an environmnent within a project to pull the secrets from
  11248. type: string
  11249. project:
  11250. default: development
  11251. description: Project is an onboardbase project that the secrets should be pulled from
  11252. type: string
  11253. required:
  11254. - apiHost
  11255. - auth
  11256. - environment
  11257. - project
  11258. type: object
  11259. onepassword:
  11260. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  11261. properties:
  11262. auth:
  11263. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  11264. properties:
  11265. secretRef:
  11266. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  11267. properties:
  11268. connectTokenSecretRef:
  11269. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  11270. properties:
  11271. key:
  11272. description: |-
  11273. A key in the referenced Secret.
  11274. Some instances of this field may be defaulted, in others it may be required.
  11275. maxLength: 253
  11276. minLength: 1
  11277. pattern: ^[-._a-zA-Z0-9]+$
  11278. type: string
  11279. name:
  11280. description: The name of the Secret resource being referred to.
  11281. maxLength: 253
  11282. minLength: 1
  11283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11284. type: string
  11285. namespace:
  11286. description: |-
  11287. The namespace of the Secret resource being referred to.
  11288. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11289. maxLength: 63
  11290. minLength: 1
  11291. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11292. type: string
  11293. type: object
  11294. required:
  11295. - connectTokenSecretRef
  11296. type: object
  11297. required:
  11298. - secretRef
  11299. type: object
  11300. connectHost:
  11301. description: ConnectHost defines the OnePassword Connect Server to connect to
  11302. type: string
  11303. vaults:
  11304. additionalProperties:
  11305. type: integer
  11306. description: Vaults defines which OnePassword vaults to search in which order
  11307. type: object
  11308. required:
  11309. - auth
  11310. - connectHost
  11311. - vaults
  11312. type: object
  11313. oracle:
  11314. description: Oracle configures this store to sync secrets using Oracle Vault provider
  11315. properties:
  11316. auth:
  11317. description: |-
  11318. Auth configures how secret-manager authenticates with the Oracle Vault.
  11319. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  11320. properties:
  11321. secretRef:
  11322. description: SecretRef to pass through sensitive information.
  11323. properties:
  11324. fingerprint:
  11325. description: Fingerprint is the fingerprint of the API private key.
  11326. properties:
  11327. key:
  11328. description: |-
  11329. A key in the referenced Secret.
  11330. Some instances of this field may be defaulted, in others it may be required.
  11331. maxLength: 253
  11332. minLength: 1
  11333. pattern: ^[-._a-zA-Z0-9]+$
  11334. type: string
  11335. name:
  11336. description: The name of the Secret resource being referred to.
  11337. maxLength: 253
  11338. minLength: 1
  11339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11340. type: string
  11341. namespace:
  11342. description: |-
  11343. The namespace of the Secret resource being referred to.
  11344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11345. maxLength: 63
  11346. minLength: 1
  11347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11348. type: string
  11349. type: object
  11350. privatekey:
  11351. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  11352. properties:
  11353. key:
  11354. description: |-
  11355. A key in the referenced Secret.
  11356. Some instances of this field may be defaulted, in others it may be required.
  11357. maxLength: 253
  11358. minLength: 1
  11359. pattern: ^[-._a-zA-Z0-9]+$
  11360. type: string
  11361. name:
  11362. description: The name of the Secret resource being referred to.
  11363. maxLength: 253
  11364. minLength: 1
  11365. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11366. type: string
  11367. namespace:
  11368. description: |-
  11369. The namespace of the Secret resource being referred to.
  11370. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11371. maxLength: 63
  11372. minLength: 1
  11373. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11374. type: string
  11375. type: object
  11376. required:
  11377. - fingerprint
  11378. - privatekey
  11379. type: object
  11380. tenancy:
  11381. description: Tenancy is the tenancy OCID where user is located.
  11382. type: string
  11383. user:
  11384. description: User is an access OCID specific to the account.
  11385. type: string
  11386. required:
  11387. - secretRef
  11388. - tenancy
  11389. - user
  11390. type: object
  11391. compartment:
  11392. description: |-
  11393. Compartment is the vault compartment OCID.
  11394. Required for PushSecret
  11395. type: string
  11396. encryptionKey:
  11397. description: |-
  11398. EncryptionKey is the OCID of the encryption key within the vault.
  11399. Required for PushSecret
  11400. type: string
  11401. principalType:
  11402. description: |-
  11403. The type of principal to use for authentication. If left blank, the Auth struct will
  11404. determine the principal type. This optional field must be specified if using
  11405. workload identity.
  11406. enum:
  11407. - ""
  11408. - UserPrincipal
  11409. - InstancePrincipal
  11410. - Workload
  11411. type: string
  11412. region:
  11413. description: Region is the region where vault is located.
  11414. type: string
  11415. serviceAccountRef:
  11416. description: |-
  11417. ServiceAccountRef specified the service account
  11418. that should be used when authenticating with WorkloadIdentity.
  11419. properties:
  11420. audiences:
  11421. description: |-
  11422. Audience specifies the `aud` claim for the service account token
  11423. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11424. then this audiences will be appended to the list
  11425. items:
  11426. type: string
  11427. type: array
  11428. name:
  11429. description: The name of the ServiceAccount resource being referred to.
  11430. maxLength: 253
  11431. minLength: 1
  11432. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11433. type: string
  11434. namespace:
  11435. description: |-
  11436. Namespace of the resource being referred to.
  11437. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11438. maxLength: 63
  11439. minLength: 1
  11440. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11441. type: string
  11442. required:
  11443. - name
  11444. type: object
  11445. vault:
  11446. description: Vault is the vault's OCID of the specific vault where secret is located.
  11447. type: string
  11448. required:
  11449. - region
  11450. - vault
  11451. type: object
  11452. passbolt:
  11453. description: PassboltProvider defines configuration for the Passbolt provider.
  11454. properties:
  11455. auth:
  11456. description: Auth defines the information necessary to authenticate against Passbolt Server
  11457. properties:
  11458. passwordSecretRef:
  11459. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  11460. properties:
  11461. key:
  11462. description: |-
  11463. A key in the referenced Secret.
  11464. Some instances of this field may be defaulted, in others it may be required.
  11465. maxLength: 253
  11466. minLength: 1
  11467. pattern: ^[-._a-zA-Z0-9]+$
  11468. type: string
  11469. name:
  11470. description: The name of the Secret resource being referred to.
  11471. maxLength: 253
  11472. minLength: 1
  11473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11474. type: string
  11475. namespace:
  11476. description: |-
  11477. The namespace of the Secret resource being referred to.
  11478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11479. maxLength: 63
  11480. minLength: 1
  11481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11482. type: string
  11483. type: object
  11484. privateKeySecretRef:
  11485. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  11486. properties:
  11487. key:
  11488. description: |-
  11489. A key in the referenced Secret.
  11490. Some instances of this field may be defaulted, in others it may be required.
  11491. maxLength: 253
  11492. minLength: 1
  11493. pattern: ^[-._a-zA-Z0-9]+$
  11494. type: string
  11495. name:
  11496. description: The name of the Secret resource being referred to.
  11497. maxLength: 253
  11498. minLength: 1
  11499. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11500. type: string
  11501. namespace:
  11502. description: |-
  11503. The namespace of the Secret resource being referred to.
  11504. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11505. maxLength: 63
  11506. minLength: 1
  11507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11508. type: string
  11509. type: object
  11510. required:
  11511. - passwordSecretRef
  11512. - privateKeySecretRef
  11513. type: object
  11514. host:
  11515. description: Host defines the Passbolt Server to connect to
  11516. type: string
  11517. required:
  11518. - auth
  11519. - host
  11520. type: object
  11521. passworddepot:
  11522. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  11523. properties:
  11524. auth:
  11525. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  11526. properties:
  11527. secretRef:
  11528. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  11529. properties:
  11530. credentials:
  11531. description: Username / Password is used for authentication.
  11532. properties:
  11533. key:
  11534. description: |-
  11535. A key in the referenced Secret.
  11536. Some instances of this field may be defaulted, in others it may be required.
  11537. maxLength: 253
  11538. minLength: 1
  11539. pattern: ^[-._a-zA-Z0-9]+$
  11540. type: string
  11541. name:
  11542. description: The name of the Secret resource being referred to.
  11543. maxLength: 253
  11544. minLength: 1
  11545. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11546. type: string
  11547. namespace:
  11548. description: |-
  11549. The namespace of the Secret resource being referred to.
  11550. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11551. maxLength: 63
  11552. minLength: 1
  11553. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11554. type: string
  11555. type: object
  11556. type: object
  11557. required:
  11558. - secretRef
  11559. type: object
  11560. database:
  11561. description: Database to use as source
  11562. type: string
  11563. host:
  11564. description: URL configures the Password Depot instance URL.
  11565. type: string
  11566. required:
  11567. - auth
  11568. - database
  11569. - host
  11570. type: object
  11571. previder:
  11572. description: Previder configures this store to sync secrets using the Previder provider
  11573. properties:
  11574. auth:
  11575. description: PreviderAuth contains a secretRef for credentials.
  11576. properties:
  11577. secretRef:
  11578. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  11579. properties:
  11580. accessToken:
  11581. description: The AccessToken is used for authentication
  11582. properties:
  11583. key:
  11584. description: |-
  11585. A key in the referenced Secret.
  11586. Some instances of this field may be defaulted, in others it may be required.
  11587. maxLength: 253
  11588. minLength: 1
  11589. pattern: ^[-._a-zA-Z0-9]+$
  11590. type: string
  11591. name:
  11592. description: The name of the Secret resource being referred to.
  11593. maxLength: 253
  11594. minLength: 1
  11595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11596. type: string
  11597. namespace:
  11598. description: |-
  11599. The namespace of the Secret resource being referred to.
  11600. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11601. maxLength: 63
  11602. minLength: 1
  11603. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11604. type: string
  11605. type: object
  11606. required:
  11607. - accessToken
  11608. type: object
  11609. type: object
  11610. baseUri:
  11611. type: string
  11612. required:
  11613. - auth
  11614. type: object
  11615. pulumi:
  11616. description: Pulumi configures this store to sync secrets using the Pulumi provider
  11617. properties:
  11618. accessToken:
  11619. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  11620. properties:
  11621. secretRef:
  11622. description: SecretRef is a reference to a secret containing the Pulumi API token.
  11623. properties:
  11624. key:
  11625. description: |-
  11626. A key in the referenced Secret.
  11627. Some instances of this field may be defaulted, in others it may be required.
  11628. maxLength: 253
  11629. minLength: 1
  11630. pattern: ^[-._a-zA-Z0-9]+$
  11631. type: string
  11632. name:
  11633. description: The name of the Secret resource being referred to.
  11634. maxLength: 253
  11635. minLength: 1
  11636. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11637. type: string
  11638. namespace:
  11639. description: |-
  11640. The namespace of the Secret resource being referred to.
  11641. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11642. maxLength: 63
  11643. minLength: 1
  11644. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11645. type: string
  11646. type: object
  11647. type: object
  11648. apiUrl:
  11649. default: https://api.pulumi.com/api/esc
  11650. description: APIURL is the URL of the Pulumi API.
  11651. type: string
  11652. environment:
  11653. description: |-
  11654. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  11655. dynamically retrieved values from supported providers including all major clouds,
  11656. and other Pulumi ESC environments.
  11657. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  11658. type: string
  11659. organization:
  11660. description: |-
  11661. Organization are a space to collaborate on shared projects and stacks.
  11662. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  11663. type: string
  11664. project:
  11665. description: Project is the name of the Pulumi ESC project the environment belongs to.
  11666. type: string
  11667. required:
  11668. - accessToken
  11669. - environment
  11670. - organization
  11671. - project
  11672. type: object
  11673. scaleway:
  11674. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  11675. properties:
  11676. accessKey:
  11677. description: AccessKey is the non-secret part of the api key.
  11678. properties:
  11679. secretRef:
  11680. description: SecretRef references a key in a secret that will be used as value.
  11681. properties:
  11682. key:
  11683. description: |-
  11684. A key in the referenced Secret.
  11685. Some instances of this field may be defaulted, in others it may be required.
  11686. maxLength: 253
  11687. minLength: 1
  11688. pattern: ^[-._a-zA-Z0-9]+$
  11689. type: string
  11690. name:
  11691. description: The name of the Secret resource being referred to.
  11692. maxLength: 253
  11693. minLength: 1
  11694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11695. type: string
  11696. namespace:
  11697. description: |-
  11698. The namespace of the Secret resource being referred to.
  11699. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11700. maxLength: 63
  11701. minLength: 1
  11702. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11703. type: string
  11704. type: object
  11705. value:
  11706. description: Value can be specified directly to set a value without using a secret.
  11707. type: string
  11708. type: object
  11709. apiUrl:
  11710. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  11711. type: string
  11712. projectId:
  11713. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  11714. type: string
  11715. region:
  11716. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  11717. type: string
  11718. secretKey:
  11719. description: SecretKey is the non-secret part of the api key.
  11720. properties:
  11721. secretRef:
  11722. description: SecretRef references a key in a secret that will be used as value.
  11723. properties:
  11724. key:
  11725. description: |-
  11726. A key in the referenced Secret.
  11727. Some instances of this field may be defaulted, in others it may be required.
  11728. maxLength: 253
  11729. minLength: 1
  11730. pattern: ^[-._a-zA-Z0-9]+$
  11731. type: string
  11732. name:
  11733. description: The name of the Secret resource being referred to.
  11734. maxLength: 253
  11735. minLength: 1
  11736. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11737. type: string
  11738. namespace:
  11739. description: |-
  11740. The namespace of the Secret resource being referred to.
  11741. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11742. maxLength: 63
  11743. minLength: 1
  11744. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11745. type: string
  11746. type: object
  11747. value:
  11748. description: Value can be specified directly to set a value without using a secret.
  11749. type: string
  11750. type: object
  11751. required:
  11752. - accessKey
  11753. - projectId
  11754. - region
  11755. - secretKey
  11756. type: object
  11757. secretserver:
  11758. description: |-
  11759. SecretServer configures this store to sync secrets using SecretServer provider
  11760. https://docs.delinea.com/online-help/secret-server/start.htm
  11761. properties:
  11762. password:
  11763. description: Password is the secret server account password.
  11764. properties:
  11765. secretRef:
  11766. description: SecretRef references a key in a secret that will be used as value.
  11767. properties:
  11768. key:
  11769. description: |-
  11770. A key in the referenced Secret.
  11771. Some instances of this field may be defaulted, in others it may be required.
  11772. maxLength: 253
  11773. minLength: 1
  11774. pattern: ^[-._a-zA-Z0-9]+$
  11775. type: string
  11776. name:
  11777. description: The name of the Secret resource being referred to.
  11778. maxLength: 253
  11779. minLength: 1
  11780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11781. type: string
  11782. namespace:
  11783. description: |-
  11784. The namespace of the Secret resource being referred to.
  11785. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11786. maxLength: 63
  11787. minLength: 1
  11788. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11789. type: string
  11790. type: object
  11791. value:
  11792. description: Value can be specified directly to set a value without using a secret.
  11793. type: string
  11794. type: object
  11795. serverURL:
  11796. description: |-
  11797. ServerURL
  11798. URL to your secret server installation
  11799. type: string
  11800. username:
  11801. description: Username is the secret server account username.
  11802. properties:
  11803. secretRef:
  11804. description: SecretRef references a key in a secret that will be used as value.
  11805. properties:
  11806. key:
  11807. description: |-
  11808. A key in the referenced Secret.
  11809. Some instances of this field may be defaulted, in others it may be required.
  11810. maxLength: 253
  11811. minLength: 1
  11812. pattern: ^[-._a-zA-Z0-9]+$
  11813. type: string
  11814. name:
  11815. description: The name of the Secret resource being referred to.
  11816. maxLength: 253
  11817. minLength: 1
  11818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11819. type: string
  11820. namespace:
  11821. description: |-
  11822. The namespace of the Secret resource being referred to.
  11823. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11824. maxLength: 63
  11825. minLength: 1
  11826. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11827. type: string
  11828. type: object
  11829. value:
  11830. description: Value can be specified directly to set a value without using a secret.
  11831. type: string
  11832. type: object
  11833. required:
  11834. - password
  11835. - serverURL
  11836. - username
  11837. type: object
  11838. senhasegura:
  11839. description: Senhasegura configures this store to sync secrets using senhasegura provider
  11840. properties:
  11841. auth:
  11842. description: Auth defines parameters to authenticate in senhasegura
  11843. properties:
  11844. clientId:
  11845. type: string
  11846. clientSecretSecretRef:
  11847. description: |-
  11848. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  11849. In some instances, `key` is a required field.
  11850. properties:
  11851. key:
  11852. description: |-
  11853. A key in the referenced Secret.
  11854. Some instances of this field may be defaulted, in others it may be required.
  11855. maxLength: 253
  11856. minLength: 1
  11857. pattern: ^[-._a-zA-Z0-9]+$
  11858. type: string
  11859. name:
  11860. description: The name of the Secret resource being referred to.
  11861. maxLength: 253
  11862. minLength: 1
  11863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11864. type: string
  11865. namespace:
  11866. description: |-
  11867. The namespace of the Secret resource being referred to.
  11868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11869. maxLength: 63
  11870. minLength: 1
  11871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11872. type: string
  11873. type: object
  11874. required:
  11875. - clientId
  11876. - clientSecretSecretRef
  11877. type: object
  11878. ignoreSslCertificate:
  11879. default: false
  11880. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  11881. type: boolean
  11882. module:
  11883. description: Module defines which senhasegura module should be used to get secrets
  11884. type: string
  11885. url:
  11886. description: URL of senhasegura
  11887. type: string
  11888. required:
  11889. - auth
  11890. - module
  11891. - url
  11892. type: object
  11893. vault:
  11894. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  11895. properties:
  11896. auth:
  11897. description: Auth configures how secret-manager authenticates with the Vault server.
  11898. properties:
  11899. appRole:
  11900. description: |-
  11901. AppRole authenticates with Vault using the App Role auth mechanism,
  11902. with the role and secret stored in a Kubernetes Secret resource.
  11903. properties:
  11904. path:
  11905. default: approle
  11906. description: |-
  11907. Path where the App Role authentication backend is mounted
  11908. in Vault, e.g: "approle"
  11909. type: string
  11910. roleId:
  11911. description: |-
  11912. RoleID configured in the App Role authentication backend when setting
  11913. up the authentication backend in Vault.
  11914. type: string
  11915. roleRef:
  11916. description: |-
  11917. Reference to a key in a Secret that contains the App Role ID used
  11918. to authenticate with Vault.
  11919. The `key` field must be specified and denotes which entry within the Secret
  11920. resource is used as the app role id.
  11921. properties:
  11922. key:
  11923. description: |-
  11924. A key in the referenced Secret.
  11925. Some instances of this field may be defaulted, in others it may be required.
  11926. maxLength: 253
  11927. minLength: 1
  11928. pattern: ^[-._a-zA-Z0-9]+$
  11929. type: string
  11930. name:
  11931. description: The name of the Secret resource being referred to.
  11932. maxLength: 253
  11933. minLength: 1
  11934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11935. type: string
  11936. namespace:
  11937. description: |-
  11938. The namespace of the Secret resource being referred to.
  11939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11940. maxLength: 63
  11941. minLength: 1
  11942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11943. type: string
  11944. type: object
  11945. secretRef:
  11946. description: |-
  11947. Reference to a key in a Secret that contains the App Role secret used
  11948. to authenticate with Vault.
  11949. The `key` field must be specified and denotes which entry within the Secret
  11950. resource is used as the app role secret.
  11951. properties:
  11952. key:
  11953. description: |-
  11954. A key in the referenced Secret.
  11955. Some instances of this field may be defaulted, in others it may be required.
  11956. maxLength: 253
  11957. minLength: 1
  11958. pattern: ^[-._a-zA-Z0-9]+$
  11959. type: string
  11960. name:
  11961. description: The name of the Secret resource being referred to.
  11962. maxLength: 253
  11963. minLength: 1
  11964. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  11965. type: string
  11966. namespace:
  11967. description: |-
  11968. The namespace of the Secret resource being referred to.
  11969. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  11970. maxLength: 63
  11971. minLength: 1
  11972. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  11973. type: string
  11974. type: object
  11975. required:
  11976. - path
  11977. - secretRef
  11978. type: object
  11979. cert:
  11980. description: |-
  11981. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  11982. Cert authentication method
  11983. properties:
  11984. clientCert:
  11985. description: |-
  11986. ClientCert is a certificate to authenticate using the Cert Vault
  11987. authentication method
  11988. properties:
  11989. key:
  11990. description: |-
  11991. A key in the referenced Secret.
  11992. Some instances of this field may be defaulted, in others it may be required.
  11993. maxLength: 253
  11994. minLength: 1
  11995. pattern: ^[-._a-zA-Z0-9]+$
  11996. type: string
  11997. name:
  11998. description: The name of the Secret resource being referred to.
  11999. maxLength: 253
  12000. minLength: 1
  12001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12002. type: string
  12003. namespace:
  12004. description: |-
  12005. The namespace of the Secret resource being referred to.
  12006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12007. maxLength: 63
  12008. minLength: 1
  12009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12010. type: string
  12011. type: object
  12012. secretRef:
  12013. description: |-
  12014. SecretRef to a key in a Secret resource containing client private key to
  12015. authenticate with Vault using the Cert authentication method
  12016. properties:
  12017. key:
  12018. description: |-
  12019. A key in the referenced Secret.
  12020. Some instances of this field may be defaulted, in others it may be required.
  12021. maxLength: 253
  12022. minLength: 1
  12023. pattern: ^[-._a-zA-Z0-9]+$
  12024. type: string
  12025. name:
  12026. description: The name of the Secret resource being referred to.
  12027. maxLength: 253
  12028. minLength: 1
  12029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12030. type: string
  12031. namespace:
  12032. description: |-
  12033. The namespace of the Secret resource being referred to.
  12034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12035. maxLength: 63
  12036. minLength: 1
  12037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12038. type: string
  12039. type: object
  12040. type: object
  12041. iam:
  12042. description: |-
  12043. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  12044. AWS IAM authentication method
  12045. properties:
  12046. externalID:
  12047. description: AWS External ID set on assumed IAM roles
  12048. type: string
  12049. jwt:
  12050. description: Specify a service account with IRSA enabled
  12051. properties:
  12052. serviceAccountRef:
  12053. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  12054. properties:
  12055. audiences:
  12056. description: |-
  12057. Audience specifies the `aud` claim for the service account token
  12058. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12059. then this audiences will be appended to the list
  12060. items:
  12061. type: string
  12062. type: array
  12063. name:
  12064. description: The name of the ServiceAccount resource being referred to.
  12065. maxLength: 253
  12066. minLength: 1
  12067. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12068. type: string
  12069. namespace:
  12070. description: |-
  12071. Namespace of the resource being referred to.
  12072. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12073. maxLength: 63
  12074. minLength: 1
  12075. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12076. type: string
  12077. required:
  12078. - name
  12079. type: object
  12080. type: object
  12081. path:
  12082. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  12083. type: string
  12084. region:
  12085. description: AWS region
  12086. type: string
  12087. role:
  12088. description: This is the AWS role to be assumed before talking to vault
  12089. type: string
  12090. secretRef:
  12091. description: Specify credentials in a Secret object
  12092. properties:
  12093. accessKeyIDSecretRef:
  12094. description: The AccessKeyID is used for authentication
  12095. properties:
  12096. key:
  12097. description: |-
  12098. A key in the referenced Secret.
  12099. Some instances of this field may be defaulted, in others it may be required.
  12100. maxLength: 253
  12101. minLength: 1
  12102. pattern: ^[-._a-zA-Z0-9]+$
  12103. type: string
  12104. name:
  12105. description: The name of the Secret resource being referred to.
  12106. maxLength: 253
  12107. minLength: 1
  12108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12109. type: string
  12110. namespace:
  12111. description: |-
  12112. The namespace of the Secret resource being referred to.
  12113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12114. maxLength: 63
  12115. minLength: 1
  12116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12117. type: string
  12118. type: object
  12119. secretAccessKeySecretRef:
  12120. description: The SecretAccessKey is used for authentication
  12121. properties:
  12122. key:
  12123. description: |-
  12124. A key in the referenced Secret.
  12125. Some instances of this field may be defaulted, in others it may be required.
  12126. maxLength: 253
  12127. minLength: 1
  12128. pattern: ^[-._a-zA-Z0-9]+$
  12129. type: string
  12130. name:
  12131. description: The name of the Secret resource being referred to.
  12132. maxLength: 253
  12133. minLength: 1
  12134. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12135. type: string
  12136. namespace:
  12137. description: |-
  12138. The namespace of the Secret resource being referred to.
  12139. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12140. maxLength: 63
  12141. minLength: 1
  12142. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12143. type: string
  12144. type: object
  12145. sessionTokenSecretRef:
  12146. description: |-
  12147. The SessionToken used for authentication
  12148. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  12149. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  12150. properties:
  12151. key:
  12152. description: |-
  12153. A key in the referenced Secret.
  12154. Some instances of this field may be defaulted, in others it may be required.
  12155. maxLength: 253
  12156. minLength: 1
  12157. pattern: ^[-._a-zA-Z0-9]+$
  12158. type: string
  12159. name:
  12160. description: The name of the Secret resource being referred to.
  12161. maxLength: 253
  12162. minLength: 1
  12163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12164. type: string
  12165. namespace:
  12166. description: |-
  12167. The namespace of the Secret resource being referred to.
  12168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12169. maxLength: 63
  12170. minLength: 1
  12171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12172. type: string
  12173. type: object
  12174. type: object
  12175. vaultAwsIamServerID:
  12176. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  12177. type: string
  12178. vaultRole:
  12179. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  12180. type: string
  12181. required:
  12182. - vaultRole
  12183. type: object
  12184. jwt:
  12185. description: |-
  12186. Jwt authenticates with Vault by passing role and JWT token using the
  12187. JWT/OIDC authentication method
  12188. properties:
  12189. kubernetesServiceAccountToken:
  12190. description: |-
  12191. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  12192. a token for with the `TokenRequest` API.
  12193. properties:
  12194. audiences:
  12195. description: |-
  12196. Optional audiences field that will be used to request a temporary Kubernetes service
  12197. account token for the service account referenced by `serviceAccountRef`.
  12198. Defaults to a single audience `vault` it not specified.
  12199. Deprecated: use serviceAccountRef.Audiences instead
  12200. items:
  12201. type: string
  12202. type: array
  12203. expirationSeconds:
  12204. description: |-
  12205. Optional expiration time in seconds that will be used to request a temporary
  12206. Kubernetes service account token for the service account referenced by
  12207. `serviceAccountRef`.
  12208. Deprecated: this will be removed in the future.
  12209. Defaults to 10 minutes.
  12210. format: int64
  12211. type: integer
  12212. serviceAccountRef:
  12213. description: Service account field containing the name of a kubernetes ServiceAccount.
  12214. properties:
  12215. audiences:
  12216. description: |-
  12217. Audience specifies the `aud` claim for the service account token
  12218. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12219. then this audiences will be appended to the list
  12220. items:
  12221. type: string
  12222. type: array
  12223. name:
  12224. description: The name of the ServiceAccount resource being referred to.
  12225. maxLength: 253
  12226. minLength: 1
  12227. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12228. type: string
  12229. namespace:
  12230. description: |-
  12231. Namespace of the resource being referred to.
  12232. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12233. maxLength: 63
  12234. minLength: 1
  12235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12236. type: string
  12237. required:
  12238. - name
  12239. type: object
  12240. required:
  12241. - serviceAccountRef
  12242. type: object
  12243. path:
  12244. default: jwt
  12245. description: |-
  12246. Path where the JWT authentication backend is mounted
  12247. in Vault, e.g: "jwt"
  12248. type: string
  12249. role:
  12250. description: |-
  12251. Role is a JWT role to authenticate using the JWT/OIDC Vault
  12252. authentication method
  12253. type: string
  12254. secretRef:
  12255. description: |-
  12256. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  12257. authenticate with Vault using the JWT/OIDC authentication method.
  12258. properties:
  12259. key:
  12260. description: |-
  12261. A key in the referenced Secret.
  12262. Some instances of this field may be defaulted, in others it may be required.
  12263. maxLength: 253
  12264. minLength: 1
  12265. pattern: ^[-._a-zA-Z0-9]+$
  12266. type: string
  12267. name:
  12268. description: The name of the Secret resource being referred to.
  12269. maxLength: 253
  12270. minLength: 1
  12271. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12272. type: string
  12273. namespace:
  12274. description: |-
  12275. The namespace of the Secret resource being referred to.
  12276. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12277. maxLength: 63
  12278. minLength: 1
  12279. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12280. type: string
  12281. type: object
  12282. required:
  12283. - path
  12284. type: object
  12285. kubernetes:
  12286. description: |-
  12287. Kubernetes authenticates with Vault by passing the ServiceAccount
  12288. token stored in the named Secret resource to the Vault server.
  12289. properties:
  12290. mountPath:
  12291. default: kubernetes
  12292. description: |-
  12293. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  12294. "kubernetes"
  12295. type: string
  12296. role:
  12297. description: |-
  12298. A required field containing the Vault Role to assume. A Role binds a
  12299. Kubernetes ServiceAccount with a set of Vault policies.
  12300. type: string
  12301. secretRef:
  12302. description: |-
  12303. Optional secret field containing a Kubernetes ServiceAccount JWT used
  12304. for authenticating with Vault. If a name is specified without a key,
  12305. `token` is the default. If one is not specified, the one bound to
  12306. the controller will be used.
  12307. properties:
  12308. key:
  12309. description: |-
  12310. A key in the referenced Secret.
  12311. Some instances of this field may be defaulted, in others it may be required.
  12312. maxLength: 253
  12313. minLength: 1
  12314. pattern: ^[-._a-zA-Z0-9]+$
  12315. type: string
  12316. name:
  12317. description: The name of the Secret resource being referred to.
  12318. maxLength: 253
  12319. minLength: 1
  12320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12321. type: string
  12322. namespace:
  12323. description: |-
  12324. The namespace of the Secret resource being referred to.
  12325. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12326. maxLength: 63
  12327. minLength: 1
  12328. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12329. type: string
  12330. type: object
  12331. serviceAccountRef:
  12332. description: |-
  12333. Optional service account field containing the name of a kubernetes ServiceAccount.
  12334. If the service account is specified, the service account secret token JWT will be used
  12335. for authenticating with Vault. If the service account selector is not supplied,
  12336. the secretRef will be used instead.
  12337. properties:
  12338. audiences:
  12339. description: |-
  12340. Audience specifies the `aud` claim for the service account token
  12341. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  12342. then this audiences will be appended to the list
  12343. items:
  12344. type: string
  12345. type: array
  12346. name:
  12347. description: The name of the ServiceAccount resource being referred to.
  12348. maxLength: 253
  12349. minLength: 1
  12350. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12351. type: string
  12352. namespace:
  12353. description: |-
  12354. Namespace of the resource being referred to.
  12355. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12356. maxLength: 63
  12357. minLength: 1
  12358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12359. type: string
  12360. required:
  12361. - name
  12362. type: object
  12363. required:
  12364. - mountPath
  12365. - role
  12366. type: object
  12367. ldap:
  12368. description: |-
  12369. Ldap authenticates with Vault by passing username/password pair using
  12370. the LDAP authentication method
  12371. properties:
  12372. path:
  12373. default: ldap
  12374. description: |-
  12375. Path where the LDAP authentication backend is mounted
  12376. in Vault, e.g: "ldap"
  12377. type: string
  12378. secretRef:
  12379. description: |-
  12380. SecretRef to a key in a Secret resource containing password for the LDAP
  12381. user used to authenticate with Vault using the LDAP authentication
  12382. method
  12383. properties:
  12384. key:
  12385. description: |-
  12386. A key in the referenced Secret.
  12387. Some instances of this field may be defaulted, in others it may be required.
  12388. maxLength: 253
  12389. minLength: 1
  12390. pattern: ^[-._a-zA-Z0-9]+$
  12391. type: string
  12392. name:
  12393. description: The name of the Secret resource being referred to.
  12394. maxLength: 253
  12395. minLength: 1
  12396. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12397. type: string
  12398. namespace:
  12399. description: |-
  12400. The namespace of the Secret resource being referred to.
  12401. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12402. maxLength: 63
  12403. minLength: 1
  12404. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12405. type: string
  12406. type: object
  12407. username:
  12408. description: |-
  12409. Username is an LDAP username used to authenticate using the LDAP Vault
  12410. authentication method
  12411. type: string
  12412. required:
  12413. - path
  12414. - username
  12415. type: object
  12416. namespace:
  12417. description: |-
  12418. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  12419. Namespaces is a set of features within Vault Enterprise that allows
  12420. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12421. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12422. This will default to Vault.Namespace field if set, or empty otherwise
  12423. type: string
  12424. tokenSecretRef:
  12425. description: TokenSecretRef authenticates with Vault by presenting a token.
  12426. properties:
  12427. key:
  12428. description: |-
  12429. A key in the referenced Secret.
  12430. Some instances of this field may be defaulted, in others it may be required.
  12431. maxLength: 253
  12432. minLength: 1
  12433. pattern: ^[-._a-zA-Z0-9]+$
  12434. type: string
  12435. name:
  12436. description: The name of the Secret resource being referred to.
  12437. maxLength: 253
  12438. minLength: 1
  12439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12440. type: string
  12441. namespace:
  12442. description: |-
  12443. The namespace of the Secret resource being referred to.
  12444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12445. maxLength: 63
  12446. minLength: 1
  12447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12448. type: string
  12449. type: object
  12450. userPass:
  12451. description: UserPass authenticates with Vault by passing username/password pair
  12452. properties:
  12453. path:
  12454. default: userpass
  12455. description: |-
  12456. Path where the UserPassword authentication backend is mounted
  12457. in Vault, e.g: "userpass"
  12458. type: string
  12459. secretRef:
  12460. description: |-
  12461. SecretRef to a key in a Secret resource containing password for the
  12462. user used to authenticate with Vault using the UserPass authentication
  12463. method
  12464. properties:
  12465. key:
  12466. description: |-
  12467. A key in the referenced Secret.
  12468. Some instances of this field may be defaulted, in others it may be required.
  12469. maxLength: 253
  12470. minLength: 1
  12471. pattern: ^[-._a-zA-Z0-9]+$
  12472. type: string
  12473. name:
  12474. description: The name of the Secret resource being referred to.
  12475. maxLength: 253
  12476. minLength: 1
  12477. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12478. type: string
  12479. namespace:
  12480. description: |-
  12481. The namespace of the Secret resource being referred to.
  12482. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12483. maxLength: 63
  12484. minLength: 1
  12485. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12486. type: string
  12487. type: object
  12488. username:
  12489. description: |-
  12490. Username is a username used to authenticate using the UserPass Vault
  12491. authentication method
  12492. type: string
  12493. required:
  12494. - path
  12495. - username
  12496. type: object
  12497. type: object
  12498. caBundle:
  12499. description: |-
  12500. PEM encoded CA bundle used to validate Vault server certificate. Only used
  12501. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12502. plain HTTP protocol connection. If not set the system root certificates
  12503. are used to validate the TLS connection.
  12504. format: byte
  12505. type: string
  12506. caProvider:
  12507. description: The provider for the CA bundle to use to validate Vault server certificate.
  12508. properties:
  12509. key:
  12510. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12511. maxLength: 253
  12512. minLength: 1
  12513. pattern: ^[-._a-zA-Z0-9]+$
  12514. type: string
  12515. name:
  12516. description: The name of the object located at the provider type.
  12517. maxLength: 253
  12518. minLength: 1
  12519. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12520. type: string
  12521. namespace:
  12522. description: |-
  12523. The namespace the Provider type is in.
  12524. Can only be defined when used in a ClusterSecretStore.
  12525. maxLength: 63
  12526. minLength: 1
  12527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12528. type: string
  12529. type:
  12530. description: The type of provider to use such as "Secret", or "ConfigMap".
  12531. enum:
  12532. - Secret
  12533. - ConfigMap
  12534. type: string
  12535. required:
  12536. - name
  12537. - type
  12538. type: object
  12539. forwardInconsistent:
  12540. description: |-
  12541. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12542. leader instead of simply retrying within a loop. This can increase performance if
  12543. the option is enabled serverside.
  12544. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12545. type: boolean
  12546. headers:
  12547. additionalProperties:
  12548. type: string
  12549. description: Headers to be added in Vault request
  12550. type: object
  12551. namespace:
  12552. description: |-
  12553. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  12554. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  12555. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  12556. type: string
  12557. path:
  12558. description: |-
  12559. Path is the mount path of the Vault KV backend endpoint, e.g:
  12560. "secret". The v2 KV secret engine version specific "/data" path suffix
  12561. for fetching secrets from Vault is optional and will be appended
  12562. if not present in specified path.
  12563. type: string
  12564. readYourWrites:
  12565. description: |-
  12566. ReadYourWrites ensures isolated read-after-write semantics by
  12567. providing discovered cluster replication states in each request.
  12568. More information about eventual consistency in Vault can be found here
  12569. https://www.vaultproject.io/docs/enterprise/consistency
  12570. type: boolean
  12571. server:
  12572. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12573. type: string
  12574. tls:
  12575. description: |-
  12576. The configuration used for client side related TLS communication, when the Vault server
  12577. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  12578. This parameter is ignored for plain HTTP protocol connection.
  12579. It's worth noting this configuration is different from the "TLS certificates auth method",
  12580. which is available under the `auth.cert` section.
  12581. properties:
  12582. certSecretRef:
  12583. description: |-
  12584. CertSecretRef is a certificate added to the transport layer
  12585. when communicating with the Vault server.
  12586. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12587. properties:
  12588. key:
  12589. description: |-
  12590. A key in the referenced Secret.
  12591. Some instances of this field may be defaulted, in others it may be required.
  12592. maxLength: 253
  12593. minLength: 1
  12594. pattern: ^[-._a-zA-Z0-9]+$
  12595. type: string
  12596. name:
  12597. description: The name of the Secret resource being referred to.
  12598. maxLength: 253
  12599. minLength: 1
  12600. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12601. type: string
  12602. namespace:
  12603. description: |-
  12604. The namespace of the Secret resource being referred to.
  12605. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12606. maxLength: 63
  12607. minLength: 1
  12608. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12609. type: string
  12610. type: object
  12611. keySecretRef:
  12612. description: |-
  12613. KeySecretRef to a key in a Secret resource containing client private key
  12614. added to the transport layer when communicating with the Vault server.
  12615. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12616. properties:
  12617. key:
  12618. description: |-
  12619. A key in the referenced Secret.
  12620. Some instances of this field may be defaulted, in others it may be required.
  12621. maxLength: 253
  12622. minLength: 1
  12623. pattern: ^[-._a-zA-Z0-9]+$
  12624. type: string
  12625. name:
  12626. description: The name of the Secret resource being referred to.
  12627. maxLength: 253
  12628. minLength: 1
  12629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12630. type: string
  12631. namespace:
  12632. description: |-
  12633. The namespace of the Secret resource being referred to.
  12634. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12635. maxLength: 63
  12636. minLength: 1
  12637. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12638. type: string
  12639. type: object
  12640. type: object
  12641. version:
  12642. default: v2
  12643. description: |-
  12644. Version is the Vault KV secret engine version. This can be either "v1" or
  12645. "v2". Version defaults to "v2".
  12646. enum:
  12647. - v1
  12648. - v2
  12649. type: string
  12650. required:
  12651. - server
  12652. type: object
  12653. webhook:
  12654. description: Webhook configures this store to sync secrets using a generic templated webhook
  12655. properties:
  12656. auth:
  12657. description: Auth specifies a authorization protocol. Only one protocol may be set.
  12658. maxProperties: 1
  12659. minProperties: 1
  12660. properties:
  12661. ntlm:
  12662. description: NTLMProtocol configures the store to use NTLM for auth
  12663. properties:
  12664. passwordSecret:
  12665. description: |-
  12666. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12667. In some instances, `key` is a required field.
  12668. properties:
  12669. key:
  12670. description: |-
  12671. A key in the referenced Secret.
  12672. Some instances of this field may be defaulted, in others it may be required.
  12673. maxLength: 253
  12674. minLength: 1
  12675. pattern: ^[-._a-zA-Z0-9]+$
  12676. type: string
  12677. name:
  12678. description: The name of the Secret resource being referred to.
  12679. maxLength: 253
  12680. minLength: 1
  12681. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12682. type: string
  12683. namespace:
  12684. description: |-
  12685. The namespace of the Secret resource being referred to.
  12686. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12687. maxLength: 63
  12688. minLength: 1
  12689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12690. type: string
  12691. type: object
  12692. usernameSecret:
  12693. description: |-
  12694. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12695. In some instances, `key` is a required field.
  12696. properties:
  12697. key:
  12698. description: |-
  12699. A key in the referenced Secret.
  12700. Some instances of this field may be defaulted, in others it may be required.
  12701. maxLength: 253
  12702. minLength: 1
  12703. pattern: ^[-._a-zA-Z0-9]+$
  12704. type: string
  12705. name:
  12706. description: The name of the Secret resource being referred to.
  12707. maxLength: 253
  12708. minLength: 1
  12709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12710. type: string
  12711. namespace:
  12712. description: |-
  12713. The namespace of the Secret resource being referred to.
  12714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12715. maxLength: 63
  12716. minLength: 1
  12717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12718. type: string
  12719. type: object
  12720. required:
  12721. - passwordSecret
  12722. - usernameSecret
  12723. type: object
  12724. type: object
  12725. body:
  12726. description: Body
  12727. type: string
  12728. caBundle:
  12729. description: |-
  12730. PEM encoded CA bundle used to validate webhook server certificate. Only used
  12731. if the Server URL is using HTTPS protocol. This parameter is ignored for
  12732. plain HTTP protocol connection. If not set the system root certificates
  12733. are used to validate the TLS connection.
  12734. format: byte
  12735. type: string
  12736. caProvider:
  12737. description: The provider for the CA bundle to use to validate webhook server certificate.
  12738. properties:
  12739. key:
  12740. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12741. maxLength: 253
  12742. minLength: 1
  12743. pattern: ^[-._a-zA-Z0-9]+$
  12744. type: string
  12745. name:
  12746. description: The name of the object located at the provider type.
  12747. maxLength: 253
  12748. minLength: 1
  12749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12750. type: string
  12751. namespace:
  12752. description: The namespace the Provider type is in.
  12753. maxLength: 63
  12754. minLength: 1
  12755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12756. type: string
  12757. type:
  12758. description: The type of provider to use such as "Secret", or "ConfigMap".
  12759. enum:
  12760. - Secret
  12761. - ConfigMap
  12762. type: string
  12763. required:
  12764. - name
  12765. - type
  12766. type: object
  12767. headers:
  12768. additionalProperties:
  12769. type: string
  12770. description: Headers
  12771. type: object
  12772. method:
  12773. description: Webhook Method
  12774. type: string
  12775. result:
  12776. description: Result formatting
  12777. properties:
  12778. jsonPath:
  12779. description: Json path of return value
  12780. type: string
  12781. type: object
  12782. secrets:
  12783. description: |-
  12784. Secrets to fill in templates
  12785. These secrets will be passed to the templating function as key value pairs under the given name
  12786. items:
  12787. description: WebhookSecret defines a secret to be used in webhook templates.
  12788. properties:
  12789. name:
  12790. description: Name of this secret in templates
  12791. type: string
  12792. secretRef:
  12793. description: Secret ref to fill in credentials
  12794. properties:
  12795. key:
  12796. description: |-
  12797. A key in the referenced Secret.
  12798. Some instances of this field may be defaulted, in others it may be required.
  12799. maxLength: 253
  12800. minLength: 1
  12801. pattern: ^[-._a-zA-Z0-9]+$
  12802. type: string
  12803. name:
  12804. description: The name of the Secret resource being referred to.
  12805. maxLength: 253
  12806. minLength: 1
  12807. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12808. type: string
  12809. namespace:
  12810. description: |-
  12811. The namespace of the Secret resource being referred to.
  12812. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12813. maxLength: 63
  12814. minLength: 1
  12815. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12816. type: string
  12817. type: object
  12818. required:
  12819. - name
  12820. - secretRef
  12821. type: object
  12822. type: array
  12823. timeout:
  12824. description: Timeout
  12825. type: string
  12826. url:
  12827. description: Webhook url to call
  12828. type: string
  12829. required:
  12830. - result
  12831. - url
  12832. type: object
  12833. yandexcertificatemanager:
  12834. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  12835. properties:
  12836. apiEndpoint:
  12837. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12838. type: string
  12839. auth:
  12840. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  12841. properties:
  12842. authorizedKeySecretRef:
  12843. description: The authorized key used for authentication
  12844. properties:
  12845. key:
  12846. description: |-
  12847. A key in the referenced Secret.
  12848. Some instances of this field may be defaulted, in others it may be required.
  12849. maxLength: 253
  12850. minLength: 1
  12851. pattern: ^[-._a-zA-Z0-9]+$
  12852. type: string
  12853. name:
  12854. description: The name of the Secret resource being referred to.
  12855. maxLength: 253
  12856. minLength: 1
  12857. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12858. type: string
  12859. namespace:
  12860. description: |-
  12861. The namespace of the Secret resource being referred to.
  12862. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12863. maxLength: 63
  12864. minLength: 1
  12865. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12866. type: string
  12867. type: object
  12868. type: object
  12869. caProvider:
  12870. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12871. properties:
  12872. certSecretRef:
  12873. description: |-
  12874. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12875. In some instances, `key` is a required field.
  12876. properties:
  12877. key:
  12878. description: |-
  12879. A key in the referenced Secret.
  12880. Some instances of this field may be defaulted, in others it may be required.
  12881. maxLength: 253
  12882. minLength: 1
  12883. pattern: ^[-._a-zA-Z0-9]+$
  12884. type: string
  12885. name:
  12886. description: The name of the Secret resource being referred to.
  12887. maxLength: 253
  12888. minLength: 1
  12889. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12890. type: string
  12891. namespace:
  12892. description: |-
  12893. The namespace of the Secret resource being referred to.
  12894. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12895. maxLength: 63
  12896. minLength: 1
  12897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12898. type: string
  12899. type: object
  12900. type: object
  12901. required:
  12902. - auth
  12903. type: object
  12904. yandexlockbox:
  12905. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  12906. properties:
  12907. apiEndpoint:
  12908. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  12909. type: string
  12910. auth:
  12911. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  12912. properties:
  12913. authorizedKeySecretRef:
  12914. description: The authorized key used for authentication
  12915. properties:
  12916. key:
  12917. description: |-
  12918. A key in the referenced Secret.
  12919. Some instances of this field may be defaulted, in others it may be required.
  12920. maxLength: 253
  12921. minLength: 1
  12922. pattern: ^[-._a-zA-Z0-9]+$
  12923. type: string
  12924. name:
  12925. description: The name of the Secret resource being referred to.
  12926. maxLength: 253
  12927. minLength: 1
  12928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12929. type: string
  12930. namespace:
  12931. description: |-
  12932. The namespace of the Secret resource being referred to.
  12933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12934. maxLength: 63
  12935. minLength: 1
  12936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12937. type: string
  12938. type: object
  12939. type: object
  12940. caProvider:
  12941. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  12942. properties:
  12943. certSecretRef:
  12944. description: |-
  12945. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  12946. In some instances, `key` is a required field.
  12947. properties:
  12948. key:
  12949. description: |-
  12950. A key in the referenced Secret.
  12951. Some instances of this field may be defaulted, in others it may be required.
  12952. maxLength: 253
  12953. minLength: 1
  12954. pattern: ^[-._a-zA-Z0-9]+$
  12955. type: string
  12956. name:
  12957. description: The name of the Secret resource being referred to.
  12958. maxLength: 253
  12959. minLength: 1
  12960. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  12961. type: string
  12962. namespace:
  12963. description: |-
  12964. The namespace of the Secret resource being referred to.
  12965. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  12966. maxLength: 63
  12967. minLength: 1
  12968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  12969. type: string
  12970. type: object
  12971. type: object
  12972. required:
  12973. - auth
  12974. type: object
  12975. type: object
  12976. refreshInterval:
  12977. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  12978. type: integer
  12979. retrySettings:
  12980. description: Used to configure HTTP retries on failures.
  12981. properties:
  12982. maxRetries:
  12983. description: MaxRetries is the maximum number of retry attempts.
  12984. format: int32
  12985. type: integer
  12986. retryInterval:
  12987. description: RetryInterval is the interval between retry attempts.
  12988. type: string
  12989. type: object
  12990. required:
  12991. - provider
  12992. type: object
  12993. status:
  12994. description: SecretStoreStatus defines the observed state of the SecretStore.
  12995. properties:
  12996. capabilities:
  12997. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  12998. type: string
  12999. conditions:
  13000. items:
  13001. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  13002. properties:
  13003. lastTransitionTime:
  13004. format: date-time
  13005. type: string
  13006. message:
  13007. type: string
  13008. reason:
  13009. type: string
  13010. status:
  13011. type: string
  13012. type:
  13013. description: SecretStoreConditionType represents the condition type of the SecretStore.
  13014. type: string
  13015. required:
  13016. - status
  13017. - type
  13018. type: object
  13019. type: array
  13020. type: object
  13021. type: object
  13022. served: false
  13023. storage: false
  13024. subresources:
  13025. status: {}
  13026. ---
  13027. apiVersion: apiextensions.k8s.io/v1
  13028. kind: CustomResourceDefinition
  13029. metadata:
  13030. annotations:
  13031. controller-gen.kubebuilder.io/version: v0.19.0
  13032. labels:
  13033. external-secrets.io/component: controller
  13034. name: externalsecrets.external-secrets.io
  13035. spec:
  13036. group: external-secrets.io
  13037. names:
  13038. categories:
  13039. - external-secrets
  13040. kind: ExternalSecret
  13041. listKind: ExternalSecretList
  13042. plural: externalsecrets
  13043. shortNames:
  13044. - es
  13045. singular: externalsecret
  13046. scope: Namespaced
  13047. versions:
  13048. - additionalPrinterColumns:
  13049. - jsonPath: .spec.secretStoreRef.kind
  13050. name: StoreType
  13051. type: string
  13052. - jsonPath: .spec.secretStoreRef.name
  13053. name: Store
  13054. type: string
  13055. - jsonPath: .spec.refreshInterval
  13056. name: Refresh Interval
  13057. type: string
  13058. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13059. name: Status
  13060. type: string
  13061. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13062. name: Ready
  13063. type: string
  13064. - jsonPath: .status.refreshTime
  13065. name: Last Sync
  13066. type: date
  13067. name: v1
  13068. schema:
  13069. openAPIV3Schema:
  13070. description: |-
  13071. ExternalSecret is the Schema for the external-secrets API.
  13072. It defines how to fetch data from external APIs and make it available as Kubernetes Secrets.
  13073. properties:
  13074. apiVersion:
  13075. description: |-
  13076. APIVersion defines the versioned schema of this representation of an object.
  13077. Servers should convert recognized schemas to the latest internal value, and
  13078. may reject unrecognized values.
  13079. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13080. type: string
  13081. kind:
  13082. description: |-
  13083. Kind is a string value representing the REST resource this object represents.
  13084. Servers may infer this from the endpoint the client submits requests to.
  13085. Cannot be updated.
  13086. In CamelCase.
  13087. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13088. type: string
  13089. metadata:
  13090. type: object
  13091. spec:
  13092. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13093. properties:
  13094. data:
  13095. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13096. items:
  13097. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13098. properties:
  13099. remoteRef:
  13100. description: |-
  13101. RemoteRef points to the remote secret and defines
  13102. which secret (version/property/..) to fetch.
  13103. properties:
  13104. conversionStrategy:
  13105. default: Default
  13106. description: Used to define a conversion Strategy
  13107. enum:
  13108. - Default
  13109. - Unicode
  13110. type: string
  13111. decodingStrategy:
  13112. default: None
  13113. description: Used to define a decoding Strategy
  13114. enum:
  13115. - Auto
  13116. - Base64
  13117. - Base64URL
  13118. - None
  13119. type: string
  13120. key:
  13121. description: Key is the key used in the Provider, mandatory
  13122. type: string
  13123. metadataPolicy:
  13124. default: None
  13125. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13126. enum:
  13127. - None
  13128. - Fetch
  13129. type: string
  13130. nullBytePolicy:
  13131. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13132. enum:
  13133. - Ignore
  13134. - Fail
  13135. type: string
  13136. property:
  13137. description: Used to select a specific property of the Provider value (if a map), if supported
  13138. type: string
  13139. version:
  13140. description: Used to select a specific version of the Provider value, if supported
  13141. type: string
  13142. required:
  13143. - key
  13144. type: object
  13145. secretKey:
  13146. description: The key in the Kubernetes Secret to store the value.
  13147. maxLength: 253
  13148. minLength: 1
  13149. pattern: ^[-._a-zA-Z0-9]+$
  13150. type: string
  13151. sourceRef:
  13152. description: |-
  13153. SourceRef allows you to override the source
  13154. from which the value will be pulled.
  13155. maxProperties: 1
  13156. minProperties: 1
  13157. properties:
  13158. generatorRef:
  13159. description: |-
  13160. GeneratorRef points to a generator custom resource.
  13161. Deprecated: The generatorRef is not implemented in .data[].
  13162. this will be removed with v1.
  13163. properties:
  13164. apiVersion:
  13165. default: generators.external-secrets.io/v1alpha1
  13166. description: Specify the apiVersion of the generator resource
  13167. type: string
  13168. kind:
  13169. description: Specify the Kind of the generator resource
  13170. enum:
  13171. - ACRAccessToken
  13172. - BeyondtrustWorkloadCredentialsDynamicSecret
  13173. - ClusterGenerator
  13174. - CloudsmithAccessToken
  13175. - ECRAuthorizationToken
  13176. - Fake
  13177. - GCRAccessToken
  13178. - GithubAccessToken
  13179. - GitlabDeployToken
  13180. - QuayAccessToken
  13181. - Password
  13182. - SSHKey
  13183. - STSSessionToken
  13184. - UUID
  13185. - VaultDynamicSecret
  13186. - Webhook
  13187. - Grafana
  13188. - MFA
  13189. type: string
  13190. name:
  13191. description: Specify the name of the generator resource
  13192. maxLength: 253
  13193. minLength: 1
  13194. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13195. type: string
  13196. required:
  13197. - kind
  13198. - name
  13199. type: object
  13200. storeRef:
  13201. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13202. properties:
  13203. kind:
  13204. description: |-
  13205. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13206. Defaults to `SecretStore`
  13207. enum:
  13208. - SecretStore
  13209. - ClusterSecretStore
  13210. type: string
  13211. name:
  13212. description: Name of the SecretStore resource
  13213. maxLength: 253
  13214. minLength: 1
  13215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13216. type: string
  13217. type: object
  13218. type: object
  13219. required:
  13220. - remoteRef
  13221. - secretKey
  13222. type: object
  13223. type: array
  13224. dataFrom:
  13225. description: |-
  13226. DataFrom is used to fetch all properties from a specific Provider data
  13227. If multiple entries are specified, the Secret keys are merged in the specified order
  13228. items:
  13229. description: |-
  13230. ExternalSecretDataFromRemoteRef defines the connection between the Kubernetes Secret keys and the Provider data
  13231. when using DataFrom to fetch multiple values from a Provider.
  13232. properties:
  13233. extract:
  13234. description: |-
  13235. Used to extract multiple key/value pairs from one secret
  13236. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13237. properties:
  13238. conversionStrategy:
  13239. default: Default
  13240. description: Used to define a conversion Strategy
  13241. enum:
  13242. - Default
  13243. - Unicode
  13244. type: string
  13245. decodingStrategy:
  13246. default: None
  13247. description: Used to define a decoding Strategy
  13248. enum:
  13249. - Auto
  13250. - Base64
  13251. - Base64URL
  13252. - None
  13253. type: string
  13254. key:
  13255. description: Key is the key used in the Provider, mandatory
  13256. type: string
  13257. metadataPolicy:
  13258. default: None
  13259. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13260. enum:
  13261. - None
  13262. - Fetch
  13263. type: string
  13264. nullBytePolicy:
  13265. description: Controls how ESO handles fetched secret data containing NUL bytes for this source.
  13266. enum:
  13267. - Ignore
  13268. - Fail
  13269. type: string
  13270. property:
  13271. description: Used to select a specific property of the Provider value (if a map), if supported
  13272. type: string
  13273. version:
  13274. description: Used to select a specific version of the Provider value, if supported
  13275. type: string
  13276. required:
  13277. - key
  13278. type: object
  13279. find:
  13280. description: |-
  13281. Used to find secrets based on tags or regular expressions
  13282. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13283. properties:
  13284. conversionStrategy:
  13285. default: Default
  13286. description: Used to define a conversion Strategy
  13287. enum:
  13288. - Default
  13289. - Unicode
  13290. type: string
  13291. decodingStrategy:
  13292. default: None
  13293. description: Used to define a decoding Strategy
  13294. enum:
  13295. - Auto
  13296. - Base64
  13297. - Base64URL
  13298. - None
  13299. type: string
  13300. name:
  13301. description: Finds secrets based on the name.
  13302. properties:
  13303. regexp:
  13304. description: Finds secrets base
  13305. type: string
  13306. type: object
  13307. nullBytePolicy:
  13308. description: Controls how ESO handles fetched secret data containing NUL bytes for this find source.
  13309. enum:
  13310. - Ignore
  13311. - Fail
  13312. type: string
  13313. path:
  13314. description: A root path to start the find operations.
  13315. type: string
  13316. tags:
  13317. additionalProperties:
  13318. type: string
  13319. description: Find secrets based on tags.
  13320. type: object
  13321. type: object
  13322. rewrite:
  13323. description: |-
  13324. Used to rewrite secret Keys after getting them from the secret Provider
  13325. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  13326. items:
  13327. description: ExternalSecretRewrite defines how to rewrite secret data values before they are written to the Secret.
  13328. maxProperties: 1
  13329. minProperties: 1
  13330. properties:
  13331. merge:
  13332. description: |-
  13333. Used to merge key/values in one single Secret
  13334. The resulting key will contain all values from the specified secrets
  13335. properties:
  13336. conflictPolicy:
  13337. default: Error
  13338. description: Used to define the policy to use in conflict resolution.
  13339. enum:
  13340. - Ignore
  13341. - Error
  13342. type: string
  13343. into:
  13344. default: ""
  13345. description: |-
  13346. Used to define the target key of the merge operation.
  13347. Required if strategy is JSON. Ignored otherwise.
  13348. type: string
  13349. priority:
  13350. description: Used to define key priority in conflict resolution.
  13351. items:
  13352. type: string
  13353. type: array
  13354. priorityPolicy:
  13355. default: Strict
  13356. description: Used to define the policy when a key in the priority list does not exist in the input.
  13357. enum:
  13358. - IgnoreNotFound
  13359. - Strict
  13360. type: string
  13361. strategy:
  13362. default: Extract
  13363. description: Used to define the strategy to use in the merge operation.
  13364. enum:
  13365. - Extract
  13366. - JSON
  13367. type: string
  13368. type: object
  13369. regexp:
  13370. description: |-
  13371. Used to rewrite with regular expressions.
  13372. The resulting key will be the output of a regexp.ReplaceAll operation.
  13373. properties:
  13374. source:
  13375. description: Used to define the regular expression of a re.Compiler.
  13376. type: string
  13377. target:
  13378. description: Used to define the target pattern of a ReplaceAll operation.
  13379. type: string
  13380. required:
  13381. - source
  13382. - target
  13383. type: object
  13384. transform:
  13385. description: |-
  13386. Used to apply string transformation on the secrets.
  13387. The resulting key will be the output of the template applied by the operation.
  13388. properties:
  13389. template:
  13390. description: |-
  13391. Used to define the template to apply on the secret name.
  13392. `.value ` will specify the secret name in the template.
  13393. type: string
  13394. required:
  13395. - template
  13396. type: object
  13397. type: object
  13398. type: array
  13399. sourceRef:
  13400. description: |-
  13401. SourceRef points to a store or generator
  13402. which contains secret values ready to use.
  13403. Use this in combination with Extract or Find pull values out of
  13404. a specific SecretStore.
  13405. When sourceRef points to a generator Extract or Find is not supported.
  13406. The generator returns a static map of values
  13407. maxProperties: 1
  13408. minProperties: 1
  13409. properties:
  13410. generatorRef:
  13411. description: GeneratorRef points to a generator custom resource.
  13412. properties:
  13413. apiVersion:
  13414. default: generators.external-secrets.io/v1alpha1
  13415. description: Specify the apiVersion of the generator resource
  13416. type: string
  13417. kind:
  13418. description: Specify the Kind of the generator resource
  13419. enum:
  13420. - ACRAccessToken
  13421. - BeyondtrustWorkloadCredentialsDynamicSecret
  13422. - ClusterGenerator
  13423. - CloudsmithAccessToken
  13424. - ECRAuthorizationToken
  13425. - Fake
  13426. - GCRAccessToken
  13427. - GithubAccessToken
  13428. - GitlabDeployToken
  13429. - QuayAccessToken
  13430. - Password
  13431. - SSHKey
  13432. - STSSessionToken
  13433. - UUID
  13434. - VaultDynamicSecret
  13435. - Webhook
  13436. - Grafana
  13437. - MFA
  13438. type: string
  13439. name:
  13440. description: Specify the name of the generator resource
  13441. maxLength: 253
  13442. minLength: 1
  13443. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13444. type: string
  13445. required:
  13446. - kind
  13447. - name
  13448. type: object
  13449. storeRef:
  13450. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13451. properties:
  13452. kind:
  13453. description: |-
  13454. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13455. Defaults to `SecretStore`
  13456. enum:
  13457. - SecretStore
  13458. - ClusterSecretStore
  13459. type: string
  13460. name:
  13461. description: Name of the SecretStore resource
  13462. maxLength: 253
  13463. minLength: 1
  13464. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13465. type: string
  13466. type: object
  13467. type: object
  13468. type: object
  13469. type: array
  13470. refreshInterval:
  13471. default: 1h0m0s
  13472. description: |-
  13473. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  13474. specified as Golang Duration strings.
  13475. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  13476. Example values: "1h0m0s", "2h30m0s", "10m0s"
  13477. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  13478. type: string
  13479. refreshPolicy:
  13480. description: |-
  13481. RefreshPolicy determines how the ExternalSecret should be refreshed:
  13482. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  13483. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  13484. No periodic updates occur if refreshInterval is 0.
  13485. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  13486. enum:
  13487. - CreatedOnce
  13488. - Periodic
  13489. - OnChange
  13490. type: string
  13491. secretStoreRef:
  13492. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13493. properties:
  13494. kind:
  13495. description: |-
  13496. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13497. Defaults to `SecretStore`
  13498. enum:
  13499. - SecretStore
  13500. - ClusterSecretStore
  13501. type: string
  13502. name:
  13503. description: Name of the SecretStore resource
  13504. maxLength: 253
  13505. minLength: 1
  13506. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13507. type: string
  13508. type: object
  13509. syncWindows:
  13510. description: |-
  13511. SyncWindows optionally restricts when periodic refreshes may occur.
  13512. Evaluated in UTC, only for Periodic refresh policy (or when refreshPolicy is unset).
  13513. properties:
  13514. kind:
  13515. description: |-
  13516. Kind applies to every window in the list.
  13517. "allow" -- syncs are permitted only while at least one window is active;
  13518. all other times are blocked.
  13519. "deny" -- syncs are blocked while any window is active;
  13520. all other times are permitted.
  13521. enum:
  13522. - allow
  13523. - deny
  13524. type: string
  13525. windows:
  13526. description: Windows is the list of schedule+duration pairs.
  13527. items:
  13528. description: |-
  13529. ExternalSecretSyncWindowEntry defines a single cron-schedule + duration pair
  13530. within a SyncWindows block.
  13531. properties:
  13532. duration:
  13533. description: |-
  13534. Duration specifies how long the window stays open after each Schedule
  13535. firing. Example: "8h".
  13536. type: string
  13537. schedule:
  13538. description: |-
  13539. Schedule is a standard 5-field cron expression evaluated in UTC, or a
  13540. named shorthand such as @daily or @every 1h. It marks the start time of
  13541. each window occurrence.
  13542. Example: "0 22 * * 1-5" opens a window every weekday at 22:00 UTC.
  13543. minLength: 1
  13544. pattern: ^(@(annually|yearly|monthly|weekly|daily|midnight|hourly)|@every [^\s]+.*|[^\s]+( [^\s]+){4})$
  13545. type: string
  13546. required:
  13547. - duration
  13548. - schedule
  13549. type: object
  13550. minItems: 1
  13551. type: array
  13552. required:
  13553. - kind
  13554. - windows
  13555. type: object
  13556. target:
  13557. default:
  13558. creationPolicy: Owner
  13559. deletionPolicy: Retain
  13560. description: |-
  13561. ExternalSecretTarget defines the Kubernetes Secret to be created,
  13562. there can be only one target per ExternalSecret.
  13563. properties:
  13564. creationPolicy:
  13565. default: Owner
  13566. description: |-
  13567. CreationPolicy defines rules on how to create the resulting Secret.
  13568. Defaults to "Owner"
  13569. enum:
  13570. - Owner
  13571. - Orphan
  13572. - Merge
  13573. - None
  13574. type: string
  13575. deletionPolicy:
  13576. default: Retain
  13577. description: |-
  13578. DeletionPolicy defines rules on how to delete the resulting Secret.
  13579. Defaults to "Retain"
  13580. enum:
  13581. - Delete
  13582. - Merge
  13583. - Retain
  13584. type: string
  13585. immutable:
  13586. description: Immutable defines if the final secret will be immutable
  13587. type: boolean
  13588. manifest:
  13589. description: |-
  13590. Manifest defines a custom Kubernetes resource to create instead of a Secret.
  13591. When specified, ExternalSecret will create the resource type defined here
  13592. (e.g., ConfigMap, Custom Resource) instead of a Secret.
  13593. Warning: Using Generic target. Make sure access policies and encryption are properly configured.
  13594. properties:
  13595. apiVersion:
  13596. description: APIVersion of the target resource (e.g., "v1" for ConfigMap, "argoproj.io/v1alpha1" for ArgoCD Application)
  13597. minLength: 1
  13598. type: string
  13599. kind:
  13600. description: Kind of the target resource (e.g., "ConfigMap", "Application")
  13601. minLength: 1
  13602. type: string
  13603. required:
  13604. - apiVersion
  13605. - kind
  13606. type: object
  13607. name:
  13608. description: |-
  13609. The name of the Secret resource to be managed.
  13610. Defaults to the .metadata.name of the ExternalSecret resource
  13611. maxLength: 253
  13612. minLength: 1
  13613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13614. type: string
  13615. template:
  13616. description: Template defines a blueprint for the created Secret resource.
  13617. properties:
  13618. data:
  13619. additionalProperties:
  13620. type: string
  13621. type: object
  13622. engineVersion:
  13623. default: v2
  13624. description: |-
  13625. EngineVersion specifies the template engine version
  13626. that should be used to compile/execute the
  13627. template specified in .data and .templateFrom[].
  13628. enum:
  13629. - v2
  13630. type: string
  13631. mergePolicy:
  13632. default: Replace
  13633. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  13634. enum:
  13635. - Replace
  13636. - Merge
  13637. type: string
  13638. metadata:
  13639. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  13640. properties:
  13641. annotations:
  13642. additionalProperties:
  13643. type: string
  13644. type: object
  13645. finalizers:
  13646. items:
  13647. type: string
  13648. type: array
  13649. labels:
  13650. additionalProperties:
  13651. type: string
  13652. type: object
  13653. type: object
  13654. templateFrom:
  13655. items:
  13656. description: |-
  13657. TemplateFrom specifies a source for templates.
  13658. Each item in the list can either reference a ConfigMap or a Secret resource.
  13659. properties:
  13660. configMap:
  13661. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13662. properties:
  13663. items:
  13664. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13665. items:
  13666. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13667. properties:
  13668. key:
  13669. description: A key in the ConfigMap/Secret
  13670. maxLength: 253
  13671. minLength: 1
  13672. pattern: ^[-._a-zA-Z0-9]+$
  13673. type: string
  13674. templateAs:
  13675. default: Values
  13676. description: TemplateScope specifies how the template keys should be interpreted.
  13677. enum:
  13678. - Values
  13679. - KeysAndValues
  13680. type: string
  13681. required:
  13682. - key
  13683. type: object
  13684. type: array
  13685. name:
  13686. description: The name of the ConfigMap/Secret resource
  13687. maxLength: 253
  13688. minLength: 1
  13689. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13690. type: string
  13691. required:
  13692. - items
  13693. - name
  13694. type: object
  13695. literal:
  13696. type: string
  13697. secret:
  13698. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  13699. properties:
  13700. items:
  13701. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  13702. items:
  13703. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  13704. properties:
  13705. key:
  13706. description: A key in the ConfigMap/Secret
  13707. maxLength: 253
  13708. minLength: 1
  13709. pattern: ^[-._a-zA-Z0-9]+$
  13710. type: string
  13711. templateAs:
  13712. default: Values
  13713. description: TemplateScope specifies how the template keys should be interpreted.
  13714. enum:
  13715. - Values
  13716. - KeysAndValues
  13717. type: string
  13718. required:
  13719. - key
  13720. type: object
  13721. type: array
  13722. name:
  13723. description: The name of the ConfigMap/Secret resource
  13724. maxLength: 253
  13725. minLength: 1
  13726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13727. type: string
  13728. required:
  13729. - items
  13730. - name
  13731. type: object
  13732. target:
  13733. default: Data
  13734. description: |-
  13735. Target specifies where to place the template result.
  13736. For Secret resources, common values are: "Data", "Annotations", "Labels".
  13737. For custom resources (when spec.target.manifest is set), this supports
  13738. nested paths like "spec.database.config" or "data".
  13739. type: string
  13740. valuesDecodingStrategy:
  13741. default: None
  13742. description: Used to define a decoding Strategy for the rendered template values.
  13743. enum:
  13744. - Auto
  13745. - Base64
  13746. - Base64URL
  13747. - None
  13748. type: string
  13749. type: object
  13750. type: array
  13751. type:
  13752. type: string
  13753. type: object
  13754. type: object
  13755. type: object
  13756. status:
  13757. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  13758. properties:
  13759. binding:
  13760. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  13761. properties:
  13762. name:
  13763. default: ""
  13764. description: |-
  13765. Name of the referent.
  13766. This field is effectively required, but due to backwards compatibility is
  13767. allowed to be empty. Instances of this type with an empty value here are
  13768. almost certainly wrong.
  13769. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  13770. type: string
  13771. type: object
  13772. x-kubernetes-map-type: atomic
  13773. conditions:
  13774. items:
  13775. description: ExternalSecretStatusCondition defines a status condition of an ExternalSecret resource.
  13776. properties:
  13777. lastTransitionTime:
  13778. format: date-time
  13779. type: string
  13780. message:
  13781. type: string
  13782. reason:
  13783. type: string
  13784. status:
  13785. type: string
  13786. type:
  13787. description: ExternalSecretConditionType defines a value type for ExternalSecret conditions.
  13788. enum:
  13789. - Ready
  13790. - Deleted
  13791. type: string
  13792. required:
  13793. - status
  13794. - type
  13795. type: object
  13796. type: array
  13797. refreshTime:
  13798. description: |-
  13799. refreshTime is the time and date the external secret was fetched and
  13800. the target secret updated
  13801. format: date-time
  13802. nullable: true
  13803. type: string
  13804. syncedResourceVersion:
  13805. description: SyncedResourceVersion keeps track of the last synced version
  13806. type: string
  13807. type: object
  13808. type: object
  13809. selectableFields:
  13810. - jsonPath: .spec.secretStoreRef.name
  13811. - jsonPath: .spec.secretStoreRef.kind
  13812. - jsonPath: .spec.target.name
  13813. - jsonPath: .spec.refreshInterval
  13814. served: true
  13815. storage: true
  13816. subresources:
  13817. status: {}
  13818. - additionalPrinterColumns:
  13819. - jsonPath: .spec.secretStoreRef.kind
  13820. name: StoreType
  13821. type: string
  13822. - jsonPath: .spec.secretStoreRef.name
  13823. name: Store
  13824. type: string
  13825. - jsonPath: .spec.refreshInterval
  13826. name: Refresh Interval
  13827. type: string
  13828. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  13829. name: Status
  13830. type: string
  13831. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  13832. name: Ready
  13833. type: string
  13834. - jsonPath: .status.refreshTime
  13835. name: Last Sync
  13836. type: date
  13837. deprecated: true
  13838. name: v1beta1
  13839. schema:
  13840. openAPIV3Schema:
  13841. description: ExternalSecret is the schema for the external-secrets API.
  13842. properties:
  13843. apiVersion:
  13844. description: |-
  13845. APIVersion defines the versioned schema of this representation of an object.
  13846. Servers should convert recognized schemas to the latest internal value, and
  13847. may reject unrecognized values.
  13848. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  13849. type: string
  13850. kind:
  13851. description: |-
  13852. Kind is a string value representing the REST resource this object represents.
  13853. Servers may infer this from the endpoint the client submits requests to.
  13854. Cannot be updated.
  13855. In CamelCase.
  13856. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  13857. type: string
  13858. metadata:
  13859. type: object
  13860. spec:
  13861. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  13862. properties:
  13863. data:
  13864. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  13865. items:
  13866. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  13867. properties:
  13868. remoteRef:
  13869. description: |-
  13870. RemoteRef points to the remote secret and defines
  13871. which secret (version/property/..) to fetch.
  13872. properties:
  13873. conversionStrategy:
  13874. default: Default
  13875. description: Used to define a conversion Strategy
  13876. enum:
  13877. - Default
  13878. - Unicode
  13879. type: string
  13880. decodingStrategy:
  13881. default: None
  13882. description: Used to define a decoding Strategy
  13883. enum:
  13884. - Auto
  13885. - Base64
  13886. - Base64URL
  13887. - None
  13888. type: string
  13889. key:
  13890. description: Key is the key used in the Provider, mandatory
  13891. type: string
  13892. metadataPolicy:
  13893. default: None
  13894. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  13895. enum:
  13896. - None
  13897. - Fetch
  13898. type: string
  13899. property:
  13900. description: Used to select a specific property of the Provider value (if a map), if supported
  13901. type: string
  13902. version:
  13903. description: Used to select a specific version of the Provider value, if supported
  13904. type: string
  13905. required:
  13906. - key
  13907. type: object
  13908. secretKey:
  13909. description: The key in the Kubernetes Secret to store the value.
  13910. maxLength: 253
  13911. minLength: 1
  13912. pattern: ^[-._a-zA-Z0-9]+$
  13913. type: string
  13914. sourceRef:
  13915. description: |-
  13916. SourceRef allows you to override the source
  13917. from which the value will be pulled.
  13918. maxProperties: 1
  13919. minProperties: 1
  13920. properties:
  13921. generatorRef:
  13922. description: |-
  13923. GeneratorRef points to a generator custom resource.
  13924. Deprecated: The generatorRef is not implemented in .data[].
  13925. this will be removed with v1.
  13926. properties:
  13927. apiVersion:
  13928. default: generators.external-secrets.io/v1alpha1
  13929. description: Specify the apiVersion of the generator resource
  13930. type: string
  13931. kind:
  13932. description: Specify the Kind of the generator resource
  13933. enum:
  13934. - ACRAccessToken
  13935. - ClusterGenerator
  13936. - ECRAuthorizationToken
  13937. - Fake
  13938. - GCRAccessToken
  13939. - GithubAccessToken
  13940. - QuayAccessToken
  13941. - Password
  13942. - SSHKey
  13943. - STSSessionToken
  13944. - UUID
  13945. - VaultDynamicSecret
  13946. - Webhook
  13947. - Grafana
  13948. type: string
  13949. name:
  13950. description: Specify the name of the generator resource
  13951. maxLength: 253
  13952. minLength: 1
  13953. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13954. type: string
  13955. required:
  13956. - kind
  13957. - name
  13958. type: object
  13959. storeRef:
  13960. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  13961. properties:
  13962. kind:
  13963. description: |-
  13964. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  13965. Defaults to `SecretStore`
  13966. enum:
  13967. - SecretStore
  13968. - ClusterSecretStore
  13969. type: string
  13970. name:
  13971. description: Name of the SecretStore resource
  13972. maxLength: 253
  13973. minLength: 1
  13974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  13975. type: string
  13976. type: object
  13977. type: object
  13978. required:
  13979. - remoteRef
  13980. - secretKey
  13981. type: object
  13982. type: array
  13983. dataFrom:
  13984. description: |-
  13985. DataFrom is used to fetch all properties from a specific Provider data
  13986. If multiple entries are specified, the Secret keys are merged in the specified order
  13987. items:
  13988. description: ExternalSecretDataFromRemoteRef defines a reference to multiple secrets in the provider to be fetched using options.
  13989. properties:
  13990. extract:
  13991. description: |-
  13992. Used to extract multiple key/value pairs from one secret
  13993. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  13994. properties:
  13995. conversionStrategy:
  13996. default: Default
  13997. description: Used to define a conversion Strategy
  13998. enum:
  13999. - Default
  14000. - Unicode
  14001. type: string
  14002. decodingStrategy:
  14003. default: None
  14004. description: Used to define a decoding Strategy
  14005. enum:
  14006. - Auto
  14007. - Base64
  14008. - Base64URL
  14009. - None
  14010. type: string
  14011. key:
  14012. description: Key is the key used in the Provider, mandatory
  14013. type: string
  14014. metadataPolicy:
  14015. default: None
  14016. description: Policy for fetching tags/labels from provider secrets, possible options are Fetch, None. Defaults to None
  14017. enum:
  14018. - None
  14019. - Fetch
  14020. type: string
  14021. property:
  14022. description: Used to select a specific property of the Provider value (if a map), if supported
  14023. type: string
  14024. version:
  14025. description: Used to select a specific version of the Provider value, if supported
  14026. type: string
  14027. required:
  14028. - key
  14029. type: object
  14030. find:
  14031. description: |-
  14032. Used to find secrets based on tags or regular expressions
  14033. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  14034. properties:
  14035. conversionStrategy:
  14036. default: Default
  14037. description: Used to define a conversion Strategy
  14038. enum:
  14039. - Default
  14040. - Unicode
  14041. type: string
  14042. decodingStrategy:
  14043. default: None
  14044. description: Used to define a decoding Strategy
  14045. enum:
  14046. - Auto
  14047. - Base64
  14048. - Base64URL
  14049. - None
  14050. type: string
  14051. name:
  14052. description: Finds secrets based on the name.
  14053. properties:
  14054. regexp:
  14055. description: Finds secrets base
  14056. type: string
  14057. type: object
  14058. path:
  14059. description: A root path to start the find operations.
  14060. type: string
  14061. tags:
  14062. additionalProperties:
  14063. type: string
  14064. description: Find secrets based on tags.
  14065. type: object
  14066. type: object
  14067. rewrite:
  14068. description: |-
  14069. Used to rewrite secret Keys after getting them from the secret Provider
  14070. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  14071. items:
  14072. description: ExternalSecretRewrite defines rules on how to rewrite secret keys.
  14073. maxProperties: 1
  14074. minProperties: 1
  14075. properties:
  14076. regexp:
  14077. description: |-
  14078. Used to rewrite with regular expressions.
  14079. The resulting key will be the output of a regexp.ReplaceAll operation.
  14080. properties:
  14081. source:
  14082. description: Used to define the regular expression of a re.Compiler.
  14083. type: string
  14084. target:
  14085. description: Used to define the target pattern of a ReplaceAll operation.
  14086. type: string
  14087. required:
  14088. - source
  14089. - target
  14090. type: object
  14091. transform:
  14092. description: |-
  14093. Used to apply string transformation on the secrets.
  14094. The resulting key will be the output of the template applied by the operation.
  14095. properties:
  14096. template:
  14097. description: |-
  14098. Used to define the template to apply on the secret name.
  14099. `.value ` will specify the secret name in the template.
  14100. type: string
  14101. required:
  14102. - template
  14103. type: object
  14104. type: object
  14105. type: array
  14106. sourceRef:
  14107. description: |-
  14108. SourceRef points to a store or generator
  14109. which contains secret values ready to use.
  14110. Use this in combination with Extract or Find pull values out of
  14111. a specific SecretStore.
  14112. When sourceRef points to a generator Extract or Find is not supported.
  14113. The generator returns a static map of values
  14114. maxProperties: 1
  14115. minProperties: 1
  14116. properties:
  14117. generatorRef:
  14118. description: GeneratorRef points to a generator custom resource.
  14119. properties:
  14120. apiVersion:
  14121. default: generators.external-secrets.io/v1alpha1
  14122. description: Specify the apiVersion of the generator resource
  14123. type: string
  14124. kind:
  14125. description: Specify the Kind of the generator resource
  14126. enum:
  14127. - ACRAccessToken
  14128. - ClusterGenerator
  14129. - ECRAuthorizationToken
  14130. - Fake
  14131. - GCRAccessToken
  14132. - GithubAccessToken
  14133. - QuayAccessToken
  14134. - Password
  14135. - SSHKey
  14136. - STSSessionToken
  14137. - UUID
  14138. - VaultDynamicSecret
  14139. - Webhook
  14140. - Grafana
  14141. type: string
  14142. name:
  14143. description: Specify the name of the generator resource
  14144. maxLength: 253
  14145. minLength: 1
  14146. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14147. type: string
  14148. required:
  14149. - kind
  14150. - name
  14151. type: object
  14152. storeRef:
  14153. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14154. properties:
  14155. kind:
  14156. description: |-
  14157. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14158. Defaults to `SecretStore`
  14159. enum:
  14160. - SecretStore
  14161. - ClusterSecretStore
  14162. type: string
  14163. name:
  14164. description: Name of the SecretStore resource
  14165. maxLength: 253
  14166. minLength: 1
  14167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14168. type: string
  14169. type: object
  14170. type: object
  14171. type: object
  14172. type: array
  14173. refreshInterval:
  14174. default: 1h0m0s
  14175. description: |-
  14176. RefreshInterval is the amount of time before the values are read again from the SecretStore provider,
  14177. specified as Golang Duration strings.
  14178. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  14179. Example values: "1h0m0s", "2h30m0s", "10m0s"
  14180. May be set to "0s" to fetch and create it once. Defaults to 1h0m0s.
  14181. type: string
  14182. refreshPolicy:
  14183. description: |-
  14184. RefreshPolicy determines how the ExternalSecret should be refreshed:
  14185. - CreatedOnce: Creates the Secret only if it does not exist and does not update it thereafter
  14186. - Periodic: Synchronizes the Secret from the external source at regular intervals specified by refreshInterval.
  14187. No periodic updates occur if refreshInterval is 0.
  14188. - OnChange: Only synchronizes the Secret when the ExternalSecret's metadata or specification changes
  14189. enum:
  14190. - CreatedOnce
  14191. - Periodic
  14192. - OnChange
  14193. type: string
  14194. secretStoreRef:
  14195. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  14196. properties:
  14197. kind:
  14198. description: |-
  14199. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14200. Defaults to `SecretStore`
  14201. enum:
  14202. - SecretStore
  14203. - ClusterSecretStore
  14204. type: string
  14205. name:
  14206. description: Name of the SecretStore resource
  14207. maxLength: 253
  14208. minLength: 1
  14209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14210. type: string
  14211. type: object
  14212. target:
  14213. default:
  14214. creationPolicy: Owner
  14215. deletionPolicy: Retain
  14216. description: |-
  14217. ExternalSecretTarget defines the Kubernetes Secret to be created
  14218. There can be only one target per ExternalSecret.
  14219. properties:
  14220. creationPolicy:
  14221. default: Owner
  14222. description: |-
  14223. CreationPolicy defines rules on how to create the resulting Secret.
  14224. Defaults to "Owner"
  14225. enum:
  14226. - Owner
  14227. - Orphan
  14228. - Merge
  14229. - None
  14230. type: string
  14231. deletionPolicy:
  14232. default: Retain
  14233. description: |-
  14234. DeletionPolicy defines rules on how to delete the resulting Secret.
  14235. Defaults to "Retain"
  14236. enum:
  14237. - Delete
  14238. - Merge
  14239. - Retain
  14240. type: string
  14241. immutable:
  14242. description: Immutable defines if the final secret will be immutable
  14243. type: boolean
  14244. name:
  14245. description: |-
  14246. The name of the Secret resource to be managed.
  14247. Defaults to the .metadata.name of the ExternalSecret resource
  14248. maxLength: 253
  14249. minLength: 1
  14250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14251. type: string
  14252. template:
  14253. description: Template defines a blueprint for the created Secret resource.
  14254. properties:
  14255. data:
  14256. additionalProperties:
  14257. type: string
  14258. type: object
  14259. engineVersion:
  14260. default: v2
  14261. description: |-
  14262. EngineVersion specifies the template engine version
  14263. that should be used to compile/execute the
  14264. template specified in .data and .templateFrom[].
  14265. enum:
  14266. - v2
  14267. type: string
  14268. mergePolicy:
  14269. default: Replace
  14270. description: TemplateMergePolicy defines how template values should be merged when generating a secret.
  14271. enum:
  14272. - Replace
  14273. - Merge
  14274. type: string
  14275. metadata:
  14276. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14277. properties:
  14278. annotations:
  14279. additionalProperties:
  14280. type: string
  14281. type: object
  14282. labels:
  14283. additionalProperties:
  14284. type: string
  14285. type: object
  14286. type: object
  14287. templateFrom:
  14288. items:
  14289. description: TemplateFrom defines a source for template data.
  14290. properties:
  14291. configMap:
  14292. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14293. properties:
  14294. items:
  14295. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14296. items:
  14297. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14298. properties:
  14299. key:
  14300. description: A key in the ConfigMap/Secret
  14301. maxLength: 253
  14302. minLength: 1
  14303. pattern: ^[-._a-zA-Z0-9]+$
  14304. type: string
  14305. templateAs:
  14306. default: Values
  14307. description: TemplateScope defines the scope of the template when processing template data.
  14308. enum:
  14309. - Values
  14310. - KeysAndValues
  14311. type: string
  14312. required:
  14313. - key
  14314. type: object
  14315. type: array
  14316. name:
  14317. description: The name of the ConfigMap/Secret resource
  14318. maxLength: 253
  14319. minLength: 1
  14320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14321. type: string
  14322. required:
  14323. - items
  14324. - name
  14325. type: object
  14326. literal:
  14327. type: string
  14328. secret:
  14329. description: TemplateRef defines a reference to a template source in a ConfigMap or Secret.
  14330. properties:
  14331. items:
  14332. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14333. items:
  14334. description: TemplateRefItem defines which key in the referenced ConfigMap or Secret to use as a template.
  14335. properties:
  14336. key:
  14337. description: A key in the ConfigMap/Secret
  14338. maxLength: 253
  14339. minLength: 1
  14340. pattern: ^[-._a-zA-Z0-9]+$
  14341. type: string
  14342. templateAs:
  14343. default: Values
  14344. description: TemplateScope defines the scope of the template when processing template data.
  14345. enum:
  14346. - Values
  14347. - KeysAndValues
  14348. type: string
  14349. required:
  14350. - key
  14351. type: object
  14352. type: array
  14353. name:
  14354. description: The name of the ConfigMap/Secret resource
  14355. maxLength: 253
  14356. minLength: 1
  14357. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14358. type: string
  14359. required:
  14360. - items
  14361. - name
  14362. type: object
  14363. target:
  14364. default: Data
  14365. description: TemplateTarget defines the target field where the template result will be stored.
  14366. enum:
  14367. - Data
  14368. - Annotations
  14369. - Labels
  14370. type: string
  14371. type: object
  14372. type: array
  14373. type:
  14374. type: string
  14375. type: object
  14376. type: object
  14377. type: object
  14378. status:
  14379. description: ExternalSecretStatus defines the observed state of ExternalSecret.
  14380. properties:
  14381. binding:
  14382. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  14383. properties:
  14384. name:
  14385. default: ""
  14386. description: |-
  14387. Name of the referent.
  14388. This field is effectively required, but due to backwards compatibility is
  14389. allowed to be empty. Instances of this type with an empty value here are
  14390. almost certainly wrong.
  14391. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  14392. type: string
  14393. type: object
  14394. x-kubernetes-map-type: atomic
  14395. conditions:
  14396. items:
  14397. description: ExternalSecretStatusCondition contains condition information for an ExternalSecret.
  14398. properties:
  14399. lastTransitionTime:
  14400. format: date-time
  14401. type: string
  14402. message:
  14403. type: string
  14404. reason:
  14405. type: string
  14406. status:
  14407. type: string
  14408. type:
  14409. description: ExternalSecretConditionType defines the condition type for an ExternalSecret.
  14410. type: string
  14411. required:
  14412. - status
  14413. - type
  14414. type: object
  14415. type: array
  14416. refreshTime:
  14417. description: |-
  14418. refreshTime is the time and date the external secret was fetched and
  14419. the target secret updated
  14420. format: date-time
  14421. nullable: true
  14422. type: string
  14423. syncedResourceVersion:
  14424. description: SyncedResourceVersion keeps track of the last synced version
  14425. type: string
  14426. type: object
  14427. type: object
  14428. served: false
  14429. storage: false
  14430. subresources:
  14431. status: {}
  14432. ---
  14433. apiVersion: apiextensions.k8s.io/v1
  14434. kind: CustomResourceDefinition
  14435. metadata:
  14436. annotations:
  14437. controller-gen.kubebuilder.io/version: v0.19.0
  14438. labels:
  14439. external-secrets.io/component: controller
  14440. name: pushsecrets.external-secrets.io
  14441. spec:
  14442. group: external-secrets.io
  14443. names:
  14444. categories:
  14445. - external-secrets
  14446. kind: PushSecret
  14447. listKind: PushSecretList
  14448. plural: pushsecrets
  14449. shortNames:
  14450. - ps
  14451. singular: pushsecret
  14452. scope: Namespaced
  14453. versions:
  14454. - additionalPrinterColumns:
  14455. - jsonPath: .metadata.creationTimestamp
  14456. name: AGE
  14457. type: date
  14458. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  14459. name: Status
  14460. type: string
  14461. - jsonPath: .status.refreshTime
  14462. name: Last Sync
  14463. type: date
  14464. name: v1alpha1
  14465. schema:
  14466. openAPIV3Schema:
  14467. description: PushSecret is the Schema for the PushSecrets API that enables pushing Kubernetes secrets to external secret providers.
  14468. properties:
  14469. apiVersion:
  14470. description: |-
  14471. APIVersion defines the versioned schema of this representation of an object.
  14472. Servers should convert recognized schemas to the latest internal value, and
  14473. may reject unrecognized values.
  14474. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  14475. type: string
  14476. kind:
  14477. description: |-
  14478. Kind is a string value representing the REST resource this object represents.
  14479. Servers may infer this from the endpoint the client submits requests to.
  14480. Cannot be updated.
  14481. In CamelCase.
  14482. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  14483. type: string
  14484. metadata:
  14485. type: object
  14486. spec:
  14487. description: PushSecretSpec configures the behavior of the PushSecret.
  14488. properties:
  14489. data:
  14490. description: Secret Data that should be pushed to providers
  14491. items:
  14492. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  14493. properties:
  14494. conversionStrategy:
  14495. default: None
  14496. description: Used to define a conversion Strategy for the secret keys
  14497. enum:
  14498. - None
  14499. - ReverseUnicode
  14500. type: string
  14501. match:
  14502. description: Match a given Secret Key to be pushed to the provider.
  14503. properties:
  14504. remoteRef:
  14505. description: Remote Refs to push to providers.
  14506. properties:
  14507. property:
  14508. description: Name of the property in the resulting secret
  14509. type: string
  14510. remoteKey:
  14511. description: Name of the resulting provider secret.
  14512. type: string
  14513. required:
  14514. - remoteKey
  14515. type: object
  14516. secretKey:
  14517. description: Secret Key to be pushed
  14518. type: string
  14519. required:
  14520. - remoteRef
  14521. type: object
  14522. metadata:
  14523. description: |-
  14524. Metadata is metadata attached to the secret.
  14525. The structure of metadata is provider specific, please look it up in the provider documentation.
  14526. x-kubernetes-preserve-unknown-fields: true
  14527. required:
  14528. - match
  14529. type: object
  14530. type: array
  14531. dataTo:
  14532. description: DataTo defines bulk push rules that expand source Secret keys into provider entries.
  14533. items:
  14534. description: PushSecretDataTo defines how to bulk-push secrets to providers without explicit per-key mappings.
  14535. properties:
  14536. conversionStrategy:
  14537. default: None
  14538. description: Used to define a conversion Strategy for the secret keys
  14539. enum:
  14540. - None
  14541. - ReverseUnicode
  14542. type: string
  14543. match:
  14544. description: |-
  14545. Match pattern for selecting keys from the source Secret.
  14546. If not specified, all keys are selected.
  14547. properties:
  14548. regexp:
  14549. description: |-
  14550. Regexp matches keys by regular expression.
  14551. If not specified, all keys are matched.
  14552. type: string
  14553. type: object
  14554. metadata:
  14555. description: |-
  14556. Metadata is metadata attached to the secret.
  14557. The structure of metadata is provider specific, please look it up in the provider documentation.
  14558. x-kubernetes-preserve-unknown-fields: true
  14559. remoteKey:
  14560. description: |-
  14561. RemoteKey is the name of the single provider secret that will receive ALL
  14562. matched keys bundled as a JSON object (e.g. {"DB_HOST":"...","DB_USER":"..."}).
  14563. When set, per-key expansion is skipped and a single push is performed.
  14564. The provider's store prefix (if any) is still prepended to this value.
  14565. When not set, each matched key is pushed as its own individual provider secret.
  14566. type: string
  14567. rewrite:
  14568. description: |-
  14569. Rewrite operations to transform keys before pushing to the provider.
  14570. Operations are applied sequentially.
  14571. items:
  14572. description: PushSecretRewrite defines how to transform secret keys before pushing.
  14573. properties:
  14574. regexp:
  14575. description: Used to rewrite with regular expressions.
  14576. properties:
  14577. source:
  14578. description: Used to define the regular expression of a re.Compiler.
  14579. type: string
  14580. target:
  14581. description: Used to define the target pattern of a ReplaceAll operation.
  14582. type: string
  14583. required:
  14584. - source
  14585. - target
  14586. type: object
  14587. transform:
  14588. description: Used to apply string transformation on the secrets.
  14589. properties:
  14590. template:
  14591. description: |-
  14592. Used to define the template to apply on the secret name.
  14593. `.value ` will specify the secret name in the template.
  14594. type: string
  14595. required:
  14596. - template
  14597. type: object
  14598. type: object
  14599. x-kubernetes-validations:
  14600. - message: exactly one of regexp or transform must be set
  14601. rule: (has(self.regexp) && !has(self.transform)) || (!has(self.regexp) && has(self.transform))
  14602. type: array
  14603. storeRef:
  14604. description: StoreRef specifies which SecretStore to push to. Required.
  14605. properties:
  14606. kind:
  14607. default: SecretStore
  14608. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14609. enum:
  14610. - SecretStore
  14611. - ClusterSecretStore
  14612. type: string
  14613. labelSelector:
  14614. description: Optionally, sync to secret stores with label selector
  14615. properties:
  14616. matchExpressions:
  14617. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14618. items:
  14619. description: |-
  14620. A label selector requirement is a selector that contains values, a key, and an operator that
  14621. relates the key and values.
  14622. properties:
  14623. key:
  14624. description: key is the label key that the selector applies to.
  14625. type: string
  14626. operator:
  14627. description: |-
  14628. operator represents a key's relationship to a set of values.
  14629. Valid operators are In, NotIn, Exists and DoesNotExist.
  14630. type: string
  14631. values:
  14632. description: |-
  14633. values is an array of string values. If the operator is In or NotIn,
  14634. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14635. the values array must be empty. This array is replaced during a strategic
  14636. merge patch.
  14637. items:
  14638. type: string
  14639. type: array
  14640. x-kubernetes-list-type: atomic
  14641. required:
  14642. - key
  14643. - operator
  14644. type: object
  14645. type: array
  14646. x-kubernetes-list-type: atomic
  14647. matchLabels:
  14648. additionalProperties:
  14649. type: string
  14650. description: |-
  14651. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14652. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14653. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14654. type: object
  14655. type: object
  14656. x-kubernetes-map-type: atomic
  14657. name:
  14658. description: Optionally, sync to the SecretStore of the given name
  14659. maxLength: 253
  14660. minLength: 1
  14661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14662. type: string
  14663. type: object
  14664. type: object
  14665. x-kubernetes-validations:
  14666. - message: storeRef must specify either name or labelSelector
  14667. rule: has(self.storeRef) && (has(self.storeRef.name) || has(self.storeRef.labelSelector))
  14668. - message: 'remoteKey and rewrite are mutually exclusive: rewrite is only supported in per-key mode (without remoteKey)'
  14669. rule: '!has(self.remoteKey) || !has(self.rewrite) || size(self.rewrite) == 0'
  14670. type: array
  14671. deletionPolicy:
  14672. default: None
  14673. description: Deletion Policy to handle Secrets in the provider.
  14674. enum:
  14675. - Delete
  14676. - None
  14677. type: string
  14678. refreshInterval:
  14679. default: 1h0m0s
  14680. description: The Interval to which External Secrets will try to push a secret definition
  14681. type: string
  14682. secretStoreRefs:
  14683. items:
  14684. description: PushSecretStoreRef contains a reference on how to sync to a SecretStore.
  14685. properties:
  14686. kind:
  14687. default: SecretStore
  14688. description: Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  14689. enum:
  14690. - SecretStore
  14691. - ClusterSecretStore
  14692. type: string
  14693. labelSelector:
  14694. description: Optionally, sync to secret stores with label selector
  14695. properties:
  14696. matchExpressions:
  14697. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14698. items:
  14699. description: |-
  14700. A label selector requirement is a selector that contains values, a key, and an operator that
  14701. relates the key and values.
  14702. properties:
  14703. key:
  14704. description: key is the label key that the selector applies to.
  14705. type: string
  14706. operator:
  14707. description: |-
  14708. operator represents a key's relationship to a set of values.
  14709. Valid operators are In, NotIn, Exists and DoesNotExist.
  14710. type: string
  14711. values:
  14712. description: |-
  14713. values is an array of string values. If the operator is In or NotIn,
  14714. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14715. the values array must be empty. This array is replaced during a strategic
  14716. merge patch.
  14717. items:
  14718. type: string
  14719. type: array
  14720. x-kubernetes-list-type: atomic
  14721. required:
  14722. - key
  14723. - operator
  14724. type: object
  14725. type: array
  14726. x-kubernetes-list-type: atomic
  14727. matchLabels:
  14728. additionalProperties:
  14729. type: string
  14730. description: |-
  14731. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14732. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14733. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14734. type: object
  14735. type: object
  14736. x-kubernetes-map-type: atomic
  14737. name:
  14738. description: Optionally, sync to the SecretStore of the given name
  14739. maxLength: 253
  14740. minLength: 1
  14741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14742. type: string
  14743. type: object
  14744. type: array
  14745. selector:
  14746. description: The Secret Selector (k8s source) for the Push Secret
  14747. maxProperties: 1
  14748. minProperties: 1
  14749. properties:
  14750. generatorRef:
  14751. description: Point to a generator to create a Secret.
  14752. properties:
  14753. apiVersion:
  14754. default: generators.external-secrets.io/v1alpha1
  14755. description: Specify the apiVersion of the generator resource
  14756. type: string
  14757. kind:
  14758. description: Specify the Kind of the generator resource
  14759. enum:
  14760. - ACRAccessToken
  14761. - BeyondtrustWorkloadCredentialsDynamicSecret
  14762. - ClusterGenerator
  14763. - CloudsmithAccessToken
  14764. - ECRAuthorizationToken
  14765. - Fake
  14766. - GCRAccessToken
  14767. - GithubAccessToken
  14768. - GitlabDeployToken
  14769. - QuayAccessToken
  14770. - Password
  14771. - SSHKey
  14772. - STSSessionToken
  14773. - UUID
  14774. - VaultDynamicSecret
  14775. - Webhook
  14776. - Grafana
  14777. - MFA
  14778. type: string
  14779. name:
  14780. description: Specify the name of the generator resource
  14781. maxLength: 253
  14782. minLength: 1
  14783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14784. type: string
  14785. required:
  14786. - kind
  14787. - name
  14788. type: object
  14789. secret:
  14790. description: Select a Secret to Push.
  14791. properties:
  14792. name:
  14793. description: |-
  14794. Name of the Secret.
  14795. The Secret must exist in the same namespace as the PushSecret manifest.
  14796. maxLength: 253
  14797. minLength: 1
  14798. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14799. type: string
  14800. selector:
  14801. description: Selector chooses secrets using a labelSelector.
  14802. properties:
  14803. matchExpressions:
  14804. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  14805. items:
  14806. description: |-
  14807. A label selector requirement is a selector that contains values, a key, and an operator that
  14808. relates the key and values.
  14809. properties:
  14810. key:
  14811. description: key is the label key that the selector applies to.
  14812. type: string
  14813. operator:
  14814. description: |-
  14815. operator represents a key's relationship to a set of values.
  14816. Valid operators are In, NotIn, Exists and DoesNotExist.
  14817. type: string
  14818. values:
  14819. description: |-
  14820. values is an array of string values. If the operator is In or NotIn,
  14821. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  14822. the values array must be empty. This array is replaced during a strategic
  14823. merge patch.
  14824. items:
  14825. type: string
  14826. type: array
  14827. x-kubernetes-list-type: atomic
  14828. required:
  14829. - key
  14830. - operator
  14831. type: object
  14832. type: array
  14833. x-kubernetes-list-type: atomic
  14834. matchLabels:
  14835. additionalProperties:
  14836. type: string
  14837. description: |-
  14838. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  14839. map is equivalent to an element of matchExpressions, whose key field is "key", the
  14840. operator is "In", and the values array contains only "value". The requirements are ANDed.
  14841. type: object
  14842. type: object
  14843. x-kubernetes-map-type: atomic
  14844. type: object
  14845. type: object
  14846. template:
  14847. description: Template defines a blueprint for the created Secret resource.
  14848. properties:
  14849. data:
  14850. additionalProperties:
  14851. type: string
  14852. type: object
  14853. engineVersion:
  14854. default: v2
  14855. description: |-
  14856. EngineVersion specifies the template engine version
  14857. that should be used to compile/execute the
  14858. template specified in .data and .templateFrom[].
  14859. enum:
  14860. - v2
  14861. type: string
  14862. mergePolicy:
  14863. default: Replace
  14864. description: TemplateMergePolicy defines how the rendered template should be merged with the existing Secret data.
  14865. enum:
  14866. - Replace
  14867. - Merge
  14868. type: string
  14869. metadata:
  14870. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  14871. properties:
  14872. annotations:
  14873. additionalProperties:
  14874. type: string
  14875. type: object
  14876. finalizers:
  14877. items:
  14878. type: string
  14879. type: array
  14880. labels:
  14881. additionalProperties:
  14882. type: string
  14883. type: object
  14884. type: object
  14885. templateFrom:
  14886. items:
  14887. description: |-
  14888. TemplateFrom specifies a source for templates.
  14889. Each item in the list can either reference a ConfigMap or a Secret resource.
  14890. properties:
  14891. configMap:
  14892. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14893. properties:
  14894. items:
  14895. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14896. items:
  14897. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14898. properties:
  14899. key:
  14900. description: A key in the ConfigMap/Secret
  14901. maxLength: 253
  14902. minLength: 1
  14903. pattern: ^[-._a-zA-Z0-9]+$
  14904. type: string
  14905. templateAs:
  14906. default: Values
  14907. description: TemplateScope specifies how the template keys should be interpreted.
  14908. enum:
  14909. - Values
  14910. - KeysAndValues
  14911. type: string
  14912. required:
  14913. - key
  14914. type: object
  14915. type: array
  14916. name:
  14917. description: The name of the ConfigMap/Secret resource
  14918. maxLength: 253
  14919. minLength: 1
  14920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14921. type: string
  14922. required:
  14923. - items
  14924. - name
  14925. type: object
  14926. literal:
  14927. type: string
  14928. secret:
  14929. description: TemplateRef specifies a reference to either a ConfigMap or a Secret resource.
  14930. properties:
  14931. items:
  14932. description: A list of keys in the ConfigMap/Secret to use as templates for Secret data
  14933. items:
  14934. description: TemplateRefItem specifies a key in the ConfigMap/Secret to use as a template for Secret data.
  14935. properties:
  14936. key:
  14937. description: A key in the ConfigMap/Secret
  14938. maxLength: 253
  14939. minLength: 1
  14940. pattern: ^[-._a-zA-Z0-9]+$
  14941. type: string
  14942. templateAs:
  14943. default: Values
  14944. description: TemplateScope specifies how the template keys should be interpreted.
  14945. enum:
  14946. - Values
  14947. - KeysAndValues
  14948. type: string
  14949. required:
  14950. - key
  14951. type: object
  14952. type: array
  14953. name:
  14954. description: The name of the ConfigMap/Secret resource
  14955. maxLength: 253
  14956. minLength: 1
  14957. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  14958. type: string
  14959. required:
  14960. - items
  14961. - name
  14962. type: object
  14963. target:
  14964. default: Data
  14965. description: |-
  14966. Target specifies where to place the template result.
  14967. For Secret resources, common values are: "Data", "Annotations", "Labels".
  14968. For custom resources (when spec.target.manifest is set), this supports
  14969. nested paths like "spec.database.config" or "data".
  14970. type: string
  14971. valuesDecodingStrategy:
  14972. default: None
  14973. description: Used to define a decoding Strategy for the rendered template values.
  14974. enum:
  14975. - Auto
  14976. - Base64
  14977. - Base64URL
  14978. - None
  14979. type: string
  14980. type: object
  14981. type: array
  14982. type:
  14983. type: string
  14984. type: object
  14985. updatePolicy:
  14986. default: Replace
  14987. description: UpdatePolicy to handle Secrets in the provider.
  14988. enum:
  14989. - Replace
  14990. - IfNotExists
  14991. type: string
  14992. required:
  14993. - secretStoreRefs
  14994. - selector
  14995. type: object
  14996. status:
  14997. description: PushSecretStatus indicates the history of the status of PushSecret.
  14998. properties:
  14999. conditions:
  15000. items:
  15001. description: PushSecretStatusCondition indicates the status of the PushSecret.
  15002. properties:
  15003. lastTransitionTime:
  15004. format: date-time
  15005. type: string
  15006. message:
  15007. type: string
  15008. reason:
  15009. type: string
  15010. status:
  15011. type: string
  15012. type:
  15013. description: PushSecretConditionType indicates the condition of the PushSecret.
  15014. type: string
  15015. required:
  15016. - status
  15017. - type
  15018. type: object
  15019. type: array
  15020. refreshTime:
  15021. description: |-
  15022. refreshTime is the time and date the external secret was fetched and
  15023. the target secret updated
  15024. format: date-time
  15025. nullable: true
  15026. type: string
  15027. syncedPushSecrets:
  15028. additionalProperties:
  15029. additionalProperties:
  15030. description: PushSecretData defines data to be pushed to the provider and associated metadata.
  15031. properties:
  15032. conversionStrategy:
  15033. default: None
  15034. description: Used to define a conversion Strategy for the secret keys
  15035. enum:
  15036. - None
  15037. - ReverseUnicode
  15038. type: string
  15039. match:
  15040. description: Match a given Secret Key to be pushed to the provider.
  15041. properties:
  15042. remoteRef:
  15043. description: Remote Refs to push to providers.
  15044. properties:
  15045. property:
  15046. description: Name of the property in the resulting secret
  15047. type: string
  15048. remoteKey:
  15049. description: Name of the resulting provider secret.
  15050. type: string
  15051. required:
  15052. - remoteKey
  15053. type: object
  15054. secretKey:
  15055. description: Secret Key to be pushed
  15056. type: string
  15057. required:
  15058. - remoteRef
  15059. type: object
  15060. metadata:
  15061. description: |-
  15062. Metadata is metadata attached to the secret.
  15063. The structure of metadata is provider specific, please look it up in the provider documentation.
  15064. x-kubernetes-preserve-unknown-fields: true
  15065. required:
  15066. - match
  15067. type: object
  15068. type: object
  15069. description: |-
  15070. Synced PushSecrets, including secrets that already exist in provider.
  15071. Matches secret stores to PushSecretData that was stored to that secret store.
  15072. type: object
  15073. syncedResourceVersion:
  15074. description: SyncedResourceVersion keeps track of the last synced version.
  15075. type: string
  15076. type: object
  15077. type: object
  15078. served: true
  15079. storage: true
  15080. subresources:
  15081. status: {}
  15082. ---
  15083. apiVersion: apiextensions.k8s.io/v1
  15084. kind: CustomResourceDefinition
  15085. metadata:
  15086. annotations:
  15087. controller-gen.kubebuilder.io/version: v0.19.0
  15088. labels:
  15089. external-secrets.io/component: controller
  15090. name: secretstores.external-secrets.io
  15091. spec:
  15092. group: external-secrets.io
  15093. names:
  15094. categories:
  15095. - external-secrets
  15096. kind: SecretStore
  15097. listKind: SecretStoreList
  15098. plural: secretstores
  15099. shortNames:
  15100. - ss
  15101. singular: secretstore
  15102. scope: Namespaced
  15103. versions:
  15104. - additionalPrinterColumns:
  15105. - jsonPath: .metadata.creationTimestamp
  15106. name: AGE
  15107. type: date
  15108. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  15109. name: Status
  15110. type: string
  15111. - jsonPath: .status.capabilities
  15112. name: Capabilities
  15113. type: string
  15114. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  15115. name: Ready
  15116. type: string
  15117. name: v1
  15118. schema:
  15119. openAPIV3Schema:
  15120. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  15121. properties:
  15122. apiVersion:
  15123. description: |-
  15124. APIVersion defines the versioned schema of this representation of an object.
  15125. Servers should convert recognized schemas to the latest internal value, and
  15126. may reject unrecognized values.
  15127. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  15128. type: string
  15129. kind:
  15130. description: |-
  15131. Kind is a string value representing the REST resource this object represents.
  15132. Servers may infer this from the endpoint the client submits requests to.
  15133. Cannot be updated.
  15134. In CamelCase.
  15135. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  15136. type: string
  15137. metadata:
  15138. type: object
  15139. spec:
  15140. description: SecretStoreSpec defines the desired state of SecretStore.
  15141. properties:
  15142. conditions:
  15143. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  15144. items:
  15145. description: |-
  15146. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  15147. for a ClusterSecretStore instance.
  15148. properties:
  15149. namespaceRegexes:
  15150. description: Choose namespaces by using regex matching
  15151. items:
  15152. type: string
  15153. type: array
  15154. namespaceSelector:
  15155. description: Choose namespace using a labelSelector
  15156. properties:
  15157. matchExpressions:
  15158. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  15159. items:
  15160. description: |-
  15161. A label selector requirement is a selector that contains values, a key, and an operator that
  15162. relates the key and values.
  15163. properties:
  15164. key:
  15165. description: key is the label key that the selector applies to.
  15166. type: string
  15167. operator:
  15168. description: |-
  15169. operator represents a key's relationship to a set of values.
  15170. Valid operators are In, NotIn, Exists and DoesNotExist.
  15171. type: string
  15172. values:
  15173. description: |-
  15174. values is an array of string values. If the operator is In or NotIn,
  15175. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  15176. the values array must be empty. This array is replaced during a strategic
  15177. merge patch.
  15178. items:
  15179. type: string
  15180. type: array
  15181. x-kubernetes-list-type: atomic
  15182. required:
  15183. - key
  15184. - operator
  15185. type: object
  15186. type: array
  15187. x-kubernetes-list-type: atomic
  15188. matchLabels:
  15189. additionalProperties:
  15190. type: string
  15191. description: |-
  15192. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  15193. map is equivalent to an element of matchExpressions, whose key field is "key", the
  15194. operator is "In", and the values array contains only "value". The requirements are ANDed.
  15195. type: object
  15196. type: object
  15197. x-kubernetes-map-type: atomic
  15198. namespaces:
  15199. description: Choose namespaces by name
  15200. items:
  15201. maxLength: 63
  15202. minLength: 1
  15203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15204. type: string
  15205. type: array
  15206. type: object
  15207. type: array
  15208. controller:
  15209. description: |-
  15210. Used to select the correct ESO controller (think: ingress.ingressClassName)
  15211. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  15212. type: string
  15213. provider:
  15214. description: Used to configure the provider. Only one provider may be set
  15215. maxProperties: 1
  15216. minProperties: 1
  15217. properties:
  15218. akeyless:
  15219. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  15220. properties:
  15221. akeylessGWApiURL:
  15222. description: Akeyless GW API Url from which the secrets to be fetched from.
  15223. type: string
  15224. authSecretRef:
  15225. description: Auth configures how the operator authenticates with Akeyless.
  15226. properties:
  15227. kubernetesAuth:
  15228. description: |-
  15229. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  15230. token stored in the named Secret resource.
  15231. properties:
  15232. accessID:
  15233. description: the Akeyless Kubernetes auth-method access-id
  15234. type: string
  15235. k8sConfName:
  15236. description: Kubernetes-auth configuration name in Akeyless-Gateway
  15237. type: string
  15238. secretRef:
  15239. description: |-
  15240. Optional secret field containing a Kubernetes ServiceAccount JWT used
  15241. for authenticating with Akeyless. If a name is specified without a key,
  15242. `token` is the default. If one is not specified, the one bound to
  15243. the controller will be used.
  15244. properties:
  15245. key:
  15246. description: |-
  15247. A key in the referenced Secret.
  15248. Some instances of this field may be defaulted, in others it may be required.
  15249. maxLength: 253
  15250. minLength: 1
  15251. pattern: ^[-._a-zA-Z0-9]+$
  15252. type: string
  15253. name:
  15254. description: The name of the Secret resource being referred to.
  15255. maxLength: 253
  15256. minLength: 1
  15257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15258. type: string
  15259. namespace:
  15260. description: |-
  15261. The namespace of the Secret resource being referred to.
  15262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15263. maxLength: 63
  15264. minLength: 1
  15265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15266. type: string
  15267. type: object
  15268. serviceAccountRef:
  15269. description: |-
  15270. Optional service account field containing the name of a kubernetes ServiceAccount.
  15271. If the service account is specified, the service account secret token JWT will be used
  15272. for authenticating with Akeyless. If the service account selector is not supplied,
  15273. the secretRef will be used instead.
  15274. properties:
  15275. audiences:
  15276. description: |-
  15277. Audience specifies the `aud` claim for the service account token
  15278. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15279. then this audiences will be appended to the list
  15280. items:
  15281. type: string
  15282. type: array
  15283. name:
  15284. description: The name of the ServiceAccount resource being referred to.
  15285. maxLength: 253
  15286. minLength: 1
  15287. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15288. type: string
  15289. namespace:
  15290. description: |-
  15291. Namespace of the resource being referred to.
  15292. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15293. maxLength: 63
  15294. minLength: 1
  15295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15296. type: string
  15297. required:
  15298. - name
  15299. type: object
  15300. required:
  15301. - accessID
  15302. - k8sConfName
  15303. type: object
  15304. secretRef:
  15305. description: |-
  15306. Reference to a Secret that contains the details
  15307. to authenticate with Akeyless.
  15308. properties:
  15309. accessID:
  15310. description: The SecretAccessID is used for authentication
  15311. properties:
  15312. key:
  15313. description: |-
  15314. A key in the referenced Secret.
  15315. Some instances of this field may be defaulted, in others it may be required.
  15316. maxLength: 253
  15317. minLength: 1
  15318. pattern: ^[-._a-zA-Z0-9]+$
  15319. type: string
  15320. name:
  15321. description: The name of the Secret resource being referred to.
  15322. maxLength: 253
  15323. minLength: 1
  15324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15325. type: string
  15326. namespace:
  15327. description: |-
  15328. The namespace of the Secret resource being referred to.
  15329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15330. maxLength: 63
  15331. minLength: 1
  15332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15333. type: string
  15334. type: object
  15335. accessType:
  15336. description: |-
  15337. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15338. In some instances, `key` is a required field.
  15339. properties:
  15340. key:
  15341. description: |-
  15342. A key in the referenced Secret.
  15343. Some instances of this field may be defaulted, in others it may be required.
  15344. maxLength: 253
  15345. minLength: 1
  15346. pattern: ^[-._a-zA-Z0-9]+$
  15347. type: string
  15348. name:
  15349. description: The name of the Secret resource being referred to.
  15350. maxLength: 253
  15351. minLength: 1
  15352. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15353. type: string
  15354. namespace:
  15355. description: |-
  15356. The namespace of the Secret resource being referred to.
  15357. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15358. maxLength: 63
  15359. minLength: 1
  15360. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15361. type: string
  15362. type: object
  15363. accessTypeParam:
  15364. description: |-
  15365. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15366. In some instances, `key` is a required field.
  15367. properties:
  15368. key:
  15369. description: |-
  15370. A key in the referenced Secret.
  15371. Some instances of this field may be defaulted, in others it may be required.
  15372. maxLength: 253
  15373. minLength: 1
  15374. pattern: ^[-._a-zA-Z0-9]+$
  15375. type: string
  15376. name:
  15377. description: The name of the Secret resource being referred to.
  15378. maxLength: 253
  15379. minLength: 1
  15380. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15381. type: string
  15382. namespace:
  15383. description: |-
  15384. The namespace of the Secret resource being referred to.
  15385. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15386. maxLength: 63
  15387. minLength: 1
  15388. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15389. type: string
  15390. type: object
  15391. type: object
  15392. serviceAccountRef:
  15393. description: |-
  15394. ServiceAccountRef specifies a Kubernetes ServiceAccount used for azure_ad
  15395. authentication on AKS Workload Identity. The operator obtains a federated
  15396. identity token from this ServiceAccount via the TokenRequest API instead
  15397. of using the ESO controller pod identity. Ignored for other access types.
  15398. properties:
  15399. audiences:
  15400. description: |-
  15401. Audience specifies the `aud` claim for the service account token
  15402. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15403. then this audiences will be appended to the list
  15404. items:
  15405. type: string
  15406. type: array
  15407. name:
  15408. description: The name of the ServiceAccount resource being referred to.
  15409. maxLength: 253
  15410. minLength: 1
  15411. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15412. type: string
  15413. namespace:
  15414. description: |-
  15415. Namespace of the resource being referred to.
  15416. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15417. maxLength: 63
  15418. minLength: 1
  15419. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15420. type: string
  15421. required:
  15422. - name
  15423. type: object
  15424. type: object
  15425. caBundle:
  15426. description: |-
  15427. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  15428. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  15429. are used to validate the TLS connection.
  15430. format: byte
  15431. type: string
  15432. caProvider:
  15433. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  15434. properties:
  15435. key:
  15436. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  15437. maxLength: 253
  15438. minLength: 1
  15439. pattern: ^[-._a-zA-Z0-9]+$
  15440. type: string
  15441. name:
  15442. description: The name of the object located at the provider type.
  15443. maxLength: 253
  15444. minLength: 1
  15445. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15446. type: string
  15447. namespace:
  15448. description: |-
  15449. The namespace the Provider type is in.
  15450. Can only be defined when used in a ClusterSecretStore.
  15451. maxLength: 63
  15452. minLength: 1
  15453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15454. type: string
  15455. type:
  15456. description: The type of provider to use such as "Secret", or "ConfigMap".
  15457. enum:
  15458. - Secret
  15459. - ConfigMap
  15460. type: string
  15461. required:
  15462. - name
  15463. - type
  15464. type: object
  15465. required:
  15466. - akeylessGWApiURL
  15467. - authSecretRef
  15468. type: object
  15469. aws:
  15470. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  15471. properties:
  15472. additionalRoles:
  15473. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  15474. items:
  15475. type: string
  15476. type: array
  15477. auth:
  15478. description: |-
  15479. Auth defines the information necessary to authenticate against AWS
  15480. if not set aws sdk will infer credentials from your environment
  15481. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  15482. properties:
  15483. jwt:
  15484. description: AWSJWTAuth stores reference to Authenticate against AWS using service account tokens.
  15485. properties:
  15486. serviceAccountRef:
  15487. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  15488. properties:
  15489. audiences:
  15490. description: |-
  15491. Audience specifies the `aud` claim for the service account token
  15492. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15493. then this audiences will be appended to the list
  15494. items:
  15495. type: string
  15496. type: array
  15497. name:
  15498. description: The name of the ServiceAccount resource being referred to.
  15499. maxLength: 253
  15500. minLength: 1
  15501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15502. type: string
  15503. namespace:
  15504. description: |-
  15505. Namespace of the resource being referred to.
  15506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15507. maxLength: 63
  15508. minLength: 1
  15509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15510. type: string
  15511. required:
  15512. - name
  15513. type: object
  15514. type: object
  15515. secretRef:
  15516. description: |-
  15517. AWSAuthSecretRef holds secret references for AWS credentials
  15518. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  15519. properties:
  15520. accessKeyIDSecretRef:
  15521. description: The AccessKeyID is used for authentication
  15522. properties:
  15523. key:
  15524. description: |-
  15525. A key in the referenced Secret.
  15526. Some instances of this field may be defaulted, in others it may be required.
  15527. maxLength: 253
  15528. minLength: 1
  15529. pattern: ^[-._a-zA-Z0-9]+$
  15530. type: string
  15531. name:
  15532. description: The name of the Secret resource being referred to.
  15533. maxLength: 253
  15534. minLength: 1
  15535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15536. type: string
  15537. namespace:
  15538. description: |-
  15539. The namespace of the Secret resource being referred to.
  15540. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15541. maxLength: 63
  15542. minLength: 1
  15543. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15544. type: string
  15545. type: object
  15546. secretAccessKeySecretRef:
  15547. description: The SecretAccessKey is used for authentication
  15548. properties:
  15549. key:
  15550. description: |-
  15551. A key in the referenced Secret.
  15552. Some instances of this field may be defaulted, in others it may be required.
  15553. maxLength: 253
  15554. minLength: 1
  15555. pattern: ^[-._a-zA-Z0-9]+$
  15556. type: string
  15557. name:
  15558. description: The name of the Secret resource being referred to.
  15559. maxLength: 253
  15560. minLength: 1
  15561. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15562. type: string
  15563. namespace:
  15564. description: |-
  15565. The namespace of the Secret resource being referred to.
  15566. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15567. maxLength: 63
  15568. minLength: 1
  15569. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15570. type: string
  15571. type: object
  15572. sessionTokenSecretRef:
  15573. description: |-
  15574. The SessionToken used for authentication
  15575. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  15576. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  15577. properties:
  15578. key:
  15579. description: |-
  15580. A key in the referenced Secret.
  15581. Some instances of this field may be defaulted, in others it may be required.
  15582. maxLength: 253
  15583. minLength: 1
  15584. pattern: ^[-._a-zA-Z0-9]+$
  15585. type: string
  15586. name:
  15587. description: The name of the Secret resource being referred to.
  15588. maxLength: 253
  15589. minLength: 1
  15590. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15591. type: string
  15592. namespace:
  15593. description: |-
  15594. The namespace of the Secret resource being referred to.
  15595. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15596. maxLength: 63
  15597. minLength: 1
  15598. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15599. type: string
  15600. type: object
  15601. type: object
  15602. type: object
  15603. customSessionTags:
  15604. additionalProperties:
  15605. type: string
  15606. description: |-
  15607. CustomSessionTags defines additional STS session tags to include when SessionTagsPolicy is Custom.
  15608. These are merged with the automatically injected esoNamespace, esoStoreName, and esoStoreKind tags.
  15609. type: object
  15610. x-kubernetes-validations:
  15611. - message: 'customSessionTags cannot contain automatically injected reserved keys: esoNamespace, esoStoreName, esoStoreKind'
  15612. rule: '!(''esoNamespace'' in self) && !(''esoStoreName'' in self) && !(''esoStoreKind'' in self)'
  15613. externalID:
  15614. description: AWS External ID set on assumed IAM roles
  15615. type: string
  15616. prefix:
  15617. description: Prefix adds a prefix to all retrieved values.
  15618. type: string
  15619. region:
  15620. description: AWS Region to be used for the provider
  15621. type: string
  15622. role:
  15623. description: Role is a Role ARN which the provider will assume
  15624. type: string
  15625. secretsManager:
  15626. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  15627. properties:
  15628. forceDeleteWithoutRecovery:
  15629. description: |-
  15630. Specifies whether to delete the secret without any recovery window. You
  15631. can't use both this parameter and RecoveryWindowInDays in the same call.
  15632. If you don't use either, then by default Secrets Manager uses a 30 day
  15633. recovery window.
  15634. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  15635. type: boolean
  15636. recoveryWindowInDays:
  15637. description: |-
  15638. The number of days from 7 to 30 that Secrets Manager waits before
  15639. permanently deleting the secret. You can't use both this parameter and
  15640. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  15641. then by default Secrets Manager uses a 30-day recovery window.
  15642. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  15643. format: int64
  15644. type: integer
  15645. type: object
  15646. service:
  15647. description: Service defines which service should be used to fetch the secrets
  15648. enum:
  15649. - SecretsManager
  15650. - ParameterStore
  15651. type: string
  15652. sessionTags:
  15653. description: AWS STS assume role session tags
  15654. items:
  15655. description: |-
  15656. Tag is a key-value pair that can be attached to an AWS resource.
  15657. see: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html
  15658. properties:
  15659. key:
  15660. type: string
  15661. value:
  15662. type: string
  15663. required:
  15664. - key
  15665. - value
  15666. type: object
  15667. type: array
  15668. sessionTagsPolicy:
  15669. default: None
  15670. description: |-
  15671. SessionTagsPolicy controls whether and how STS session tags are added when assuming roles.
  15672. None (default): no tags are added.
  15673. Simple: automatically adds esoNamespace (from the ExternalSecret), esoStoreName, and esoStoreKind tags.
  15674. Custom: adds esoNamespace, esoStoreName, and esoStoreKind plus any tags defined in CustomSessionTags.
  15675. Note: the IAM role must have sts:TagSession permission when using Simple or Custom.
  15676. enum:
  15677. - None
  15678. - Simple
  15679. - Custom
  15680. type: string
  15681. transitiveTagKeys:
  15682. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  15683. items:
  15684. type: string
  15685. type: array
  15686. required:
  15687. - region
  15688. - service
  15689. type: object
  15690. azurekv:
  15691. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  15692. properties:
  15693. authSecretRef:
  15694. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15695. properties:
  15696. clientCertificate:
  15697. description: The Azure ClientCertificate of the service principle used for authentication.
  15698. properties:
  15699. key:
  15700. description: |-
  15701. A key in the referenced Secret.
  15702. Some instances of this field may be defaulted, in others it may be required.
  15703. maxLength: 253
  15704. minLength: 1
  15705. pattern: ^[-._a-zA-Z0-9]+$
  15706. type: string
  15707. name:
  15708. description: The name of the Secret resource being referred to.
  15709. maxLength: 253
  15710. minLength: 1
  15711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15712. type: string
  15713. namespace:
  15714. description: |-
  15715. The namespace of the Secret resource being referred to.
  15716. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15717. maxLength: 63
  15718. minLength: 1
  15719. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15720. type: string
  15721. type: object
  15722. clientId:
  15723. description: The Azure clientId of the service principle or managed identity used for authentication.
  15724. properties:
  15725. key:
  15726. description: |-
  15727. A key in the referenced Secret.
  15728. Some instances of this field may be defaulted, in others it may be required.
  15729. maxLength: 253
  15730. minLength: 1
  15731. pattern: ^[-._a-zA-Z0-9]+$
  15732. type: string
  15733. name:
  15734. description: The name of the Secret resource being referred to.
  15735. maxLength: 253
  15736. minLength: 1
  15737. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15738. type: string
  15739. namespace:
  15740. description: |-
  15741. The namespace of the Secret resource being referred to.
  15742. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15743. maxLength: 63
  15744. minLength: 1
  15745. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15746. type: string
  15747. type: object
  15748. clientSecret:
  15749. description: The Azure ClientSecret of the service principle used for authentication.
  15750. properties:
  15751. key:
  15752. description: |-
  15753. A key in the referenced Secret.
  15754. Some instances of this field may be defaulted, in others it may be required.
  15755. maxLength: 253
  15756. minLength: 1
  15757. pattern: ^[-._a-zA-Z0-9]+$
  15758. type: string
  15759. name:
  15760. description: The name of the Secret resource being referred to.
  15761. maxLength: 253
  15762. minLength: 1
  15763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15764. type: string
  15765. namespace:
  15766. description: |-
  15767. The namespace of the Secret resource being referred to.
  15768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15769. maxLength: 63
  15770. minLength: 1
  15771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15772. type: string
  15773. type: object
  15774. tenantId:
  15775. description: The Azure tenantId of the managed identity used for authentication.
  15776. properties:
  15777. key:
  15778. description: |-
  15779. A key in the referenced Secret.
  15780. Some instances of this field may be defaulted, in others it may be required.
  15781. maxLength: 253
  15782. minLength: 1
  15783. pattern: ^[-._a-zA-Z0-9]+$
  15784. type: string
  15785. name:
  15786. description: The name of the Secret resource being referred to.
  15787. maxLength: 253
  15788. minLength: 1
  15789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15790. type: string
  15791. namespace:
  15792. description: |-
  15793. The namespace of the Secret resource being referred to.
  15794. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15795. maxLength: 63
  15796. minLength: 1
  15797. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15798. type: string
  15799. type: object
  15800. type: object
  15801. authType:
  15802. default: ServicePrincipal
  15803. description: |-
  15804. Auth type defines how to authenticate to the keyvault service.
  15805. Valid values are:
  15806. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  15807. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  15808. - "WorkloadIdentity": Using a Kubernetes ServiceAccount federated with Entra ID
  15809. enum:
  15810. - ServicePrincipal
  15811. - ManagedIdentity
  15812. - WorkloadIdentity
  15813. type: string
  15814. customCloudConfig:
  15815. description: |-
  15816. CustomCloudConfig defines custom Azure endpoints for non-standard clouds.
  15817. Required when EnvironmentType is AzureStackCloud.
  15818. Optional for other environment types - useful for Azure China when using Workload Identity
  15819. with AKS, where the OIDC issuer (login.partner.microsoftonline.cn) differs from the
  15820. standard China Cloud endpoint (login.chinacloudapi.cn).
  15821. IMPORTANT: This feature REQUIRES UseAzureSDK to be set to true. Custom cloud
  15822. configuration is not supported with the legacy go-autorest SDK.
  15823. properties:
  15824. activeDirectoryEndpoint:
  15825. description: |-
  15826. ActiveDirectoryEndpoint is the AAD endpoint for authentication
  15827. Required when using custom cloud configuration
  15828. type: string
  15829. keyVaultDNSSuffix:
  15830. description: KeyVaultDNSSuffix is the DNS suffix for Key Vault URLs
  15831. type: string
  15832. keyVaultEndpoint:
  15833. description: KeyVaultEndpoint is the Key Vault service endpoint
  15834. type: string
  15835. resourceManagerEndpoint:
  15836. description: ResourceManagerEndpoint is the Azure Resource Manager endpoint
  15837. type: string
  15838. required:
  15839. - activeDirectoryEndpoint
  15840. type: object
  15841. environmentType:
  15842. default: PublicCloud
  15843. description: |-
  15844. EnvironmentType specifies the Azure cloud environment endpoints to use for
  15845. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  15846. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  15847. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud, AzureStackCloud
  15848. Use AzureStackCloud when you need to configure custom Azure Stack Hub or Azure Stack Edge endpoints.
  15849. enum:
  15850. - PublicCloud
  15851. - USGovernmentCloud
  15852. - ChinaCloud
  15853. - GermanCloud
  15854. - AzureStackCloud
  15855. type: string
  15856. identityId:
  15857. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  15858. type: string
  15859. serviceAccountRef:
  15860. description: |-
  15861. ServiceAccountRef specified the service account
  15862. that should be used when authenticating with WorkloadIdentity.
  15863. properties:
  15864. audiences:
  15865. description: |-
  15866. Audience specifies the `aud` claim for the service account token
  15867. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  15868. then this audiences will be appended to the list
  15869. items:
  15870. type: string
  15871. type: array
  15872. name:
  15873. description: The name of the ServiceAccount resource being referred to.
  15874. maxLength: 253
  15875. minLength: 1
  15876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15877. type: string
  15878. namespace:
  15879. description: |-
  15880. Namespace of the resource being referred to.
  15881. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15882. maxLength: 63
  15883. minLength: 1
  15884. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15885. type: string
  15886. required:
  15887. - name
  15888. type: object
  15889. tenantId:
  15890. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  15891. type: string
  15892. useAzureSDK:
  15893. default: false
  15894. description: |-
  15895. UseAzureSDK enables the use of the new Azure SDK for Go (azcore-based) instead of the legacy go-autorest SDK.
  15896. This is experimental and may have behavioral differences. Defaults to false (legacy SDK).
  15897. type: boolean
  15898. vaultUrl:
  15899. description: Vault Url from which the secrets to be fetched from.
  15900. type: string
  15901. required:
  15902. - vaultUrl
  15903. type: object
  15904. barbican:
  15905. description: Barbican configures this store to sync secrets using the OpenStack Barbican provider
  15906. properties:
  15907. auth:
  15908. description: BarbicanAuth contains the authentication information for Barbican.
  15909. properties:
  15910. password:
  15911. description: BarbicanProviderPasswordRef defines a reference to a secret containing password for the Barbican provider.
  15912. properties:
  15913. secretRef:
  15914. description: |-
  15915. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15916. In some instances, `key` is a required field.
  15917. properties:
  15918. key:
  15919. description: |-
  15920. A key in the referenced Secret.
  15921. Some instances of this field may be defaulted, in others it may be required.
  15922. maxLength: 253
  15923. minLength: 1
  15924. pattern: ^[-._a-zA-Z0-9]+$
  15925. type: string
  15926. name:
  15927. description: The name of the Secret resource being referred to.
  15928. maxLength: 253
  15929. minLength: 1
  15930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15931. type: string
  15932. namespace:
  15933. description: |-
  15934. The namespace of the Secret resource being referred to.
  15935. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15936. maxLength: 63
  15937. minLength: 1
  15938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15939. type: string
  15940. type: object
  15941. required:
  15942. - secretRef
  15943. type: object
  15944. username:
  15945. description: BarbicanProviderUsernameRef defines a reference to a secret containing username for the Barbican provider.
  15946. maxProperties: 1
  15947. minProperties: 1
  15948. properties:
  15949. secretRef:
  15950. description: |-
  15951. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  15952. In some instances, `key` is a required field.
  15953. properties:
  15954. key:
  15955. description: |-
  15956. A key in the referenced Secret.
  15957. Some instances of this field may be defaulted, in others it may be required.
  15958. maxLength: 253
  15959. minLength: 1
  15960. pattern: ^[-._a-zA-Z0-9]+$
  15961. type: string
  15962. name:
  15963. description: The name of the Secret resource being referred to.
  15964. maxLength: 253
  15965. minLength: 1
  15966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  15967. type: string
  15968. namespace:
  15969. description: |-
  15970. The namespace of the Secret resource being referred to.
  15971. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  15972. maxLength: 63
  15973. minLength: 1
  15974. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  15975. type: string
  15976. type: object
  15977. value:
  15978. type: string
  15979. type: object
  15980. required:
  15981. - password
  15982. - username
  15983. type: object
  15984. authURL:
  15985. type: string
  15986. domainName:
  15987. type: string
  15988. region:
  15989. type: string
  15990. tenantName:
  15991. type: string
  15992. required:
  15993. - auth
  15994. type: object
  15995. beyondtrust:
  15996. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  15997. properties:
  15998. auth:
  15999. description: Auth configures how the operator authenticates with Beyondtrust.
  16000. properties:
  16001. apiKey:
  16002. description: APIKey If not provided then ClientID/ClientSecret become required.
  16003. properties:
  16004. secretRef:
  16005. description: SecretRef references a key in a secret that will be used as value.
  16006. properties:
  16007. key:
  16008. description: |-
  16009. A key in the referenced Secret.
  16010. Some instances of this field may be defaulted, in others it may be required.
  16011. maxLength: 253
  16012. minLength: 1
  16013. pattern: ^[-._a-zA-Z0-9]+$
  16014. type: string
  16015. name:
  16016. description: The name of the Secret resource being referred to.
  16017. maxLength: 253
  16018. minLength: 1
  16019. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16020. type: string
  16021. namespace:
  16022. description: |-
  16023. The namespace of the Secret resource being referred to.
  16024. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16025. maxLength: 63
  16026. minLength: 1
  16027. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16028. type: string
  16029. type: object
  16030. value:
  16031. description: Value can be specified directly to set a value without using a secret.
  16032. type: string
  16033. type: object
  16034. certificate:
  16035. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  16036. properties:
  16037. secretRef:
  16038. description: SecretRef references a key in a secret that will be used as value.
  16039. properties:
  16040. key:
  16041. description: |-
  16042. A key in the referenced Secret.
  16043. Some instances of this field may be defaulted, in others it may be required.
  16044. maxLength: 253
  16045. minLength: 1
  16046. pattern: ^[-._a-zA-Z0-9]+$
  16047. type: string
  16048. name:
  16049. description: The name of the Secret resource being referred to.
  16050. maxLength: 253
  16051. minLength: 1
  16052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16053. type: string
  16054. namespace:
  16055. description: |-
  16056. The namespace of the Secret resource being referred to.
  16057. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16058. maxLength: 63
  16059. minLength: 1
  16060. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16061. type: string
  16062. type: object
  16063. value:
  16064. description: Value can be specified directly to set a value without using a secret.
  16065. type: string
  16066. type: object
  16067. certificateKey:
  16068. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  16069. properties:
  16070. secretRef:
  16071. description: SecretRef references a key in a secret that will be used as value.
  16072. properties:
  16073. key:
  16074. description: |-
  16075. A key in the referenced Secret.
  16076. Some instances of this field may be defaulted, in others it may be required.
  16077. maxLength: 253
  16078. minLength: 1
  16079. pattern: ^[-._a-zA-Z0-9]+$
  16080. type: string
  16081. name:
  16082. description: The name of the Secret resource being referred to.
  16083. maxLength: 253
  16084. minLength: 1
  16085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16086. type: string
  16087. namespace:
  16088. description: |-
  16089. The namespace of the Secret resource being referred to.
  16090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16091. maxLength: 63
  16092. minLength: 1
  16093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16094. type: string
  16095. type: object
  16096. value:
  16097. description: Value can be specified directly to set a value without using a secret.
  16098. type: string
  16099. type: object
  16100. clientId:
  16101. description: ClientID is the API OAuth Client ID.
  16102. properties:
  16103. secretRef:
  16104. description: SecretRef references a key in a secret that will be used as value.
  16105. properties:
  16106. key:
  16107. description: |-
  16108. A key in the referenced Secret.
  16109. Some instances of this field may be defaulted, in others it may be required.
  16110. maxLength: 253
  16111. minLength: 1
  16112. pattern: ^[-._a-zA-Z0-9]+$
  16113. type: string
  16114. name:
  16115. description: The name of the Secret resource being referred to.
  16116. maxLength: 253
  16117. minLength: 1
  16118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16119. type: string
  16120. namespace:
  16121. description: |-
  16122. The namespace of the Secret resource being referred to.
  16123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16124. maxLength: 63
  16125. minLength: 1
  16126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16127. type: string
  16128. type: object
  16129. value:
  16130. description: Value can be specified directly to set a value without using a secret.
  16131. type: string
  16132. type: object
  16133. clientSecret:
  16134. description: ClientSecret is the API OAuth Client Secret.
  16135. properties:
  16136. secretRef:
  16137. description: SecretRef references a key in a secret that will be used as value.
  16138. properties:
  16139. key:
  16140. description: |-
  16141. A key in the referenced Secret.
  16142. Some instances of this field may be defaulted, in others it may be required.
  16143. maxLength: 253
  16144. minLength: 1
  16145. pattern: ^[-._a-zA-Z0-9]+$
  16146. type: string
  16147. name:
  16148. description: The name of the Secret resource being referred to.
  16149. maxLength: 253
  16150. minLength: 1
  16151. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16152. type: string
  16153. namespace:
  16154. description: |-
  16155. The namespace of the Secret resource being referred to.
  16156. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16157. maxLength: 63
  16158. minLength: 1
  16159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16160. type: string
  16161. type: object
  16162. value:
  16163. description: Value can be specified directly to set a value without using a secret.
  16164. type: string
  16165. type: object
  16166. type: object
  16167. server:
  16168. description: Auth configures how API server works.
  16169. properties:
  16170. apiUrl:
  16171. type: string
  16172. apiVersion:
  16173. type: string
  16174. clientTimeOutSeconds:
  16175. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  16176. type: integer
  16177. decrypt:
  16178. default: true
  16179. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  16180. type: boolean
  16181. retrievalType:
  16182. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  16183. type: string
  16184. separator:
  16185. description: A character that separates the folder names.
  16186. type: string
  16187. verifyCA:
  16188. type: boolean
  16189. required:
  16190. - apiUrl
  16191. - verifyCA
  16192. type: object
  16193. required:
  16194. - auth
  16195. - server
  16196. type: object
  16197. beyondtrustworkloadcredentials:
  16198. description: BeyondtrustWorkloadCredentials configures this store to sync secrets using the BeyondTrust Workload Credentials provider.
  16199. properties:
  16200. auth:
  16201. description: |-
  16202. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  16203. Currently supports API key authentication via Kubernetes secret reference.
  16204. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16205. properties:
  16206. apikey:
  16207. description: |-
  16208. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  16209. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  16210. properties:
  16211. token:
  16212. description: |-
  16213. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  16214. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  16215. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  16216. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  16217. properties:
  16218. key:
  16219. description: |-
  16220. A key in the referenced Secret.
  16221. Some instances of this field may be defaulted, in others it may be required.
  16222. maxLength: 253
  16223. minLength: 1
  16224. pattern: ^[-._a-zA-Z0-9]+$
  16225. type: string
  16226. name:
  16227. description: The name of the Secret resource being referred to.
  16228. maxLength: 253
  16229. minLength: 1
  16230. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16231. type: string
  16232. namespace:
  16233. description: |-
  16234. The namespace of the Secret resource being referred to.
  16235. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16236. maxLength: 63
  16237. minLength: 1
  16238. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16239. type: string
  16240. type: object
  16241. required:
  16242. - token
  16243. type: object
  16244. required:
  16245. - apikey
  16246. type: object
  16247. caBundle:
  16248. description: |-
  16249. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16250. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  16251. If not set, the system's trusted root certificates are used.
  16252. format: byte
  16253. type: string
  16254. caProvider:
  16255. description: |-
  16256. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  16257. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  16258. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  16259. properties:
  16260. key:
  16261. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16262. maxLength: 253
  16263. minLength: 1
  16264. pattern: ^[-._a-zA-Z0-9]+$
  16265. type: string
  16266. name:
  16267. description: The name of the object located at the provider type.
  16268. maxLength: 253
  16269. minLength: 1
  16270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16271. type: string
  16272. namespace:
  16273. description: |-
  16274. The namespace the Provider type is in.
  16275. Can only be defined when used in a ClusterSecretStore.
  16276. maxLength: 63
  16277. minLength: 1
  16278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16279. type: string
  16280. type:
  16281. description: The type of provider to use such as "Secret", or "ConfigMap".
  16282. enum:
  16283. - Secret
  16284. - ConfigMap
  16285. type: string
  16286. required:
  16287. - name
  16288. - type
  16289. type: object
  16290. folderPath:
  16291. description: |-
  16292. FolderPath specifies the default folder path for secret retrieval.
  16293. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  16294. Example: "production/database" or "dev/api-keys"
  16295. Leave empty to retrieve secrets from the root folder.
  16296. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  16297. type: string
  16298. server:
  16299. description: |-
  16300. Server configures the BeyondTrust Workload Credentials server connection details.
  16301. Includes the API URL and Site ID for your BeyondTrust instance.
  16302. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16303. properties:
  16304. apiUrl:
  16305. description: |-
  16306. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  16307. This should be the full URL to your BeyondTrust instance.
  16308. Example: https://api.beyondtrust.io/siie
  16309. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  16310. type: string
  16311. siteId:
  16312. description: |-
  16313. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  16314. This identifier is unique to your BeyondTrust Workload Credentials instance.
  16315. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  16316. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  16317. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  16318. type: string
  16319. required:
  16320. - apiUrl
  16321. - siteId
  16322. type: object
  16323. required:
  16324. - auth
  16325. - server
  16326. type: object
  16327. bitwardensecretsmanager:
  16328. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  16329. properties:
  16330. apiURL:
  16331. type: string
  16332. auth:
  16333. description: |-
  16334. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  16335. Make sure that the token being used has permissions on the given secret.
  16336. properties:
  16337. secretRef:
  16338. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  16339. properties:
  16340. credentials:
  16341. description: AccessToken used for the bitwarden instance.
  16342. properties:
  16343. key:
  16344. description: |-
  16345. A key in the referenced Secret.
  16346. Some instances of this field may be defaulted, in others it may be required.
  16347. maxLength: 253
  16348. minLength: 1
  16349. pattern: ^[-._a-zA-Z0-9]+$
  16350. type: string
  16351. name:
  16352. description: The name of the Secret resource being referred to.
  16353. maxLength: 253
  16354. minLength: 1
  16355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16356. type: string
  16357. namespace:
  16358. description: |-
  16359. The namespace of the Secret resource being referred to.
  16360. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16361. maxLength: 63
  16362. minLength: 1
  16363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16364. type: string
  16365. type: object
  16366. required:
  16367. - credentials
  16368. type: object
  16369. required:
  16370. - secretRef
  16371. type: object
  16372. bitwardenServerSDKURL:
  16373. type: string
  16374. caBundle:
  16375. description: |-
  16376. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  16377. can be performed.
  16378. type: string
  16379. caProvider:
  16380. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  16381. properties:
  16382. key:
  16383. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16384. maxLength: 253
  16385. minLength: 1
  16386. pattern: ^[-._a-zA-Z0-9]+$
  16387. type: string
  16388. name:
  16389. description: The name of the object located at the provider type.
  16390. maxLength: 253
  16391. minLength: 1
  16392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16393. type: string
  16394. namespace:
  16395. description: |-
  16396. The namespace the Provider type is in.
  16397. Can only be defined when used in a ClusterSecretStore.
  16398. maxLength: 63
  16399. minLength: 1
  16400. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16401. type: string
  16402. type:
  16403. description: The type of provider to use such as "Secret", or "ConfigMap".
  16404. enum:
  16405. - Secret
  16406. - ConfigMap
  16407. type: string
  16408. required:
  16409. - name
  16410. - type
  16411. type: object
  16412. identityURL:
  16413. type: string
  16414. organizationID:
  16415. description: OrganizationID determines which organization this secret store manages.
  16416. type: string
  16417. projectID:
  16418. description: ProjectID determines which project this secret store manages.
  16419. type: string
  16420. required:
  16421. - auth
  16422. - organizationID
  16423. - projectID
  16424. type: object
  16425. chef:
  16426. description: Chef configures this store to sync secrets with chef server
  16427. properties:
  16428. auth:
  16429. description: Auth defines the information necessary to authenticate against chef Server
  16430. properties:
  16431. secretRef:
  16432. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  16433. properties:
  16434. privateKeySecretRef:
  16435. description: SecretKey is the Signing Key in PEM format, used for authentication.
  16436. properties:
  16437. key:
  16438. description: |-
  16439. A key in the referenced Secret.
  16440. Some instances of this field may be defaulted, in others it may be required.
  16441. maxLength: 253
  16442. minLength: 1
  16443. pattern: ^[-._a-zA-Z0-9]+$
  16444. type: string
  16445. name:
  16446. description: The name of the Secret resource being referred to.
  16447. maxLength: 253
  16448. minLength: 1
  16449. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16450. type: string
  16451. namespace:
  16452. description: |-
  16453. The namespace of the Secret resource being referred to.
  16454. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16455. maxLength: 63
  16456. minLength: 1
  16457. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16458. type: string
  16459. type: object
  16460. required:
  16461. - privateKeySecretRef
  16462. type: object
  16463. required:
  16464. - secretRef
  16465. type: object
  16466. serverUrl:
  16467. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  16468. type: string
  16469. username:
  16470. description: UserName should be the user ID on the chef server
  16471. type: string
  16472. required:
  16473. - auth
  16474. - serverUrl
  16475. - username
  16476. type: object
  16477. cloudrusm:
  16478. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  16479. properties:
  16480. auth:
  16481. description: CSMAuth contains a secretRef for credentials.
  16482. properties:
  16483. secretRef:
  16484. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  16485. properties:
  16486. accessKeyIDSecretRef:
  16487. description: The AccessKeyID is used for authentication
  16488. properties:
  16489. key:
  16490. description: |-
  16491. A key in the referenced Secret.
  16492. Some instances of this field may be defaulted, in others it may be required.
  16493. maxLength: 253
  16494. minLength: 1
  16495. pattern: ^[-._a-zA-Z0-9]+$
  16496. type: string
  16497. name:
  16498. description: The name of the Secret resource being referred to.
  16499. maxLength: 253
  16500. minLength: 1
  16501. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16502. type: string
  16503. namespace:
  16504. description: |-
  16505. The namespace of the Secret resource being referred to.
  16506. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16507. maxLength: 63
  16508. minLength: 1
  16509. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16510. type: string
  16511. type: object
  16512. accessKeySecretSecretRef:
  16513. description: The AccessKeySecret is used for authentication
  16514. properties:
  16515. key:
  16516. description: |-
  16517. A key in the referenced Secret.
  16518. Some instances of this field may be defaulted, in others it may be required.
  16519. maxLength: 253
  16520. minLength: 1
  16521. pattern: ^[-._a-zA-Z0-9]+$
  16522. type: string
  16523. name:
  16524. description: The name of the Secret resource being referred to.
  16525. maxLength: 253
  16526. minLength: 1
  16527. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16528. type: string
  16529. namespace:
  16530. description: |-
  16531. The namespace of the Secret resource being referred to.
  16532. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16533. maxLength: 63
  16534. minLength: 1
  16535. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16536. type: string
  16537. type: object
  16538. required:
  16539. - accessKeyIDSecretRef
  16540. - accessKeySecretSecretRef
  16541. type: object
  16542. type: object
  16543. projectID:
  16544. description: ProjectID is the project, which the secrets are stored in.
  16545. type: string
  16546. required:
  16547. - auth
  16548. type: object
  16549. conjur:
  16550. description: Conjur configures this store to sync secrets using conjur provider
  16551. properties:
  16552. auth:
  16553. description: Defines authentication settings for connecting to Conjur.
  16554. properties:
  16555. apikey:
  16556. description: Authenticates with Conjur using an API key.
  16557. properties:
  16558. account:
  16559. description: Account is the Conjur organization account name.
  16560. type: string
  16561. apiKeyRef:
  16562. description: |-
  16563. A reference to a specific 'key' containing the Conjur API key
  16564. within a Secret resource. In some instances, `key` is a required field.
  16565. properties:
  16566. key:
  16567. description: |-
  16568. A key in the referenced Secret.
  16569. Some instances of this field may be defaulted, in others it may be required.
  16570. maxLength: 253
  16571. minLength: 1
  16572. pattern: ^[-._a-zA-Z0-9]+$
  16573. type: string
  16574. name:
  16575. description: The name of the Secret resource being referred to.
  16576. maxLength: 253
  16577. minLength: 1
  16578. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16579. type: string
  16580. namespace:
  16581. description: |-
  16582. The namespace of the Secret resource being referred to.
  16583. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16584. maxLength: 63
  16585. minLength: 1
  16586. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16587. type: string
  16588. type: object
  16589. userRef:
  16590. description: |-
  16591. A reference to a specific 'key' containing the Conjur username
  16592. within a Secret resource. In some instances, `key` is a required field.
  16593. properties:
  16594. key:
  16595. description: |-
  16596. A key in the referenced Secret.
  16597. Some instances of this field may be defaulted, in others it may be required.
  16598. maxLength: 253
  16599. minLength: 1
  16600. pattern: ^[-._a-zA-Z0-9]+$
  16601. type: string
  16602. name:
  16603. description: The name of the Secret resource being referred to.
  16604. maxLength: 253
  16605. minLength: 1
  16606. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16607. type: string
  16608. namespace:
  16609. description: |-
  16610. The namespace of the Secret resource being referred to.
  16611. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16612. maxLength: 63
  16613. minLength: 1
  16614. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16615. type: string
  16616. type: object
  16617. required:
  16618. - account
  16619. - apiKeyRef
  16620. - userRef
  16621. type: object
  16622. jwt:
  16623. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  16624. properties:
  16625. account:
  16626. description: Account is the Conjur organization account name.
  16627. type: string
  16628. hostId:
  16629. description: |-
  16630. Optional HostID for JWT authentication. This may be used depending
  16631. on how the Conjur JWT authenticator policy is configured.
  16632. type: string
  16633. secretRef:
  16634. description: |-
  16635. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  16636. authenticate with Conjur using the JWT authentication method.
  16637. properties:
  16638. key:
  16639. description: |-
  16640. A key in the referenced Secret.
  16641. Some instances of this field may be defaulted, in others it may be required.
  16642. maxLength: 253
  16643. minLength: 1
  16644. pattern: ^[-._a-zA-Z0-9]+$
  16645. type: string
  16646. name:
  16647. description: The name of the Secret resource being referred to.
  16648. maxLength: 253
  16649. minLength: 1
  16650. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16651. type: string
  16652. namespace:
  16653. description: |-
  16654. The namespace of the Secret resource being referred to.
  16655. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16656. maxLength: 63
  16657. minLength: 1
  16658. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16659. type: string
  16660. type: object
  16661. serviceAccountRef:
  16662. description: |-
  16663. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  16664. a token for with the `TokenRequest` API.
  16665. properties:
  16666. audiences:
  16667. description: |-
  16668. Audience specifies the `aud` claim for the service account token
  16669. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16670. then this audiences will be appended to the list
  16671. items:
  16672. type: string
  16673. type: array
  16674. name:
  16675. description: The name of the ServiceAccount resource being referred to.
  16676. maxLength: 253
  16677. minLength: 1
  16678. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16679. type: string
  16680. namespace:
  16681. description: |-
  16682. Namespace of the resource being referred to.
  16683. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16684. maxLength: 63
  16685. minLength: 1
  16686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16687. type: string
  16688. required:
  16689. - name
  16690. type: object
  16691. serviceID:
  16692. description: The conjur authn jwt webservice id
  16693. type: string
  16694. required:
  16695. - account
  16696. - serviceID
  16697. type: object
  16698. type: object
  16699. caBundle:
  16700. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  16701. type: string
  16702. caProvider:
  16703. description: |-
  16704. Used to provide custom certificate authority (CA) certificates
  16705. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  16706. that contains a PEM-encoded certificate.
  16707. properties:
  16708. key:
  16709. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  16710. maxLength: 253
  16711. minLength: 1
  16712. pattern: ^[-._a-zA-Z0-9]+$
  16713. type: string
  16714. name:
  16715. description: The name of the object located at the provider type.
  16716. maxLength: 253
  16717. minLength: 1
  16718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16719. type: string
  16720. namespace:
  16721. description: |-
  16722. The namespace the Provider type is in.
  16723. Can only be defined when used in a ClusterSecretStore.
  16724. maxLength: 63
  16725. minLength: 1
  16726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16727. type: string
  16728. type:
  16729. description: The type of provider to use such as "Secret", or "ConfigMap".
  16730. enum:
  16731. - Secret
  16732. - ConfigMap
  16733. type: string
  16734. required:
  16735. - name
  16736. - type
  16737. type: object
  16738. url:
  16739. description: URL is the endpoint of the Conjur instance.
  16740. type: string
  16741. required:
  16742. - auth
  16743. - url
  16744. type: object
  16745. delinea:
  16746. description: |-
  16747. Delinea DevOps Secrets Vault
  16748. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  16749. properties:
  16750. clientId:
  16751. description: ClientID is the non-secret part of the credential.
  16752. properties:
  16753. secretRef:
  16754. description: SecretRef references a key in a secret that will be used as value.
  16755. properties:
  16756. key:
  16757. description: |-
  16758. A key in the referenced Secret.
  16759. Some instances of this field may be defaulted, in others it may be required.
  16760. maxLength: 253
  16761. minLength: 1
  16762. pattern: ^[-._a-zA-Z0-9]+$
  16763. type: string
  16764. name:
  16765. description: The name of the Secret resource being referred to.
  16766. maxLength: 253
  16767. minLength: 1
  16768. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16769. type: string
  16770. namespace:
  16771. description: |-
  16772. The namespace of the Secret resource being referred to.
  16773. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16774. maxLength: 63
  16775. minLength: 1
  16776. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16777. type: string
  16778. type: object
  16779. value:
  16780. description: Value can be specified directly to set a value without using a secret.
  16781. type: string
  16782. type: object
  16783. clientSecret:
  16784. description: ClientSecret is the secret part of the credential.
  16785. properties:
  16786. secretRef:
  16787. description: SecretRef references a key in a secret that will be used as value.
  16788. properties:
  16789. key:
  16790. description: |-
  16791. A key in the referenced Secret.
  16792. Some instances of this field may be defaulted, in others it may be required.
  16793. maxLength: 253
  16794. minLength: 1
  16795. pattern: ^[-._a-zA-Z0-9]+$
  16796. type: string
  16797. name:
  16798. description: The name of the Secret resource being referred to.
  16799. maxLength: 253
  16800. minLength: 1
  16801. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16802. type: string
  16803. namespace:
  16804. description: |-
  16805. The namespace of the Secret resource being referred to.
  16806. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16807. maxLength: 63
  16808. minLength: 1
  16809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16810. type: string
  16811. type: object
  16812. value:
  16813. description: Value can be specified directly to set a value without using a secret.
  16814. type: string
  16815. type: object
  16816. tenant:
  16817. description: Tenant is the chosen hostname / site name.
  16818. type: string
  16819. tld:
  16820. description: |-
  16821. TLD is based on the server location that was chosen during provisioning.
  16822. If unset, defaults to "com".
  16823. type: string
  16824. urlTemplate:
  16825. description: |-
  16826. URLTemplate
  16827. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  16828. type: string
  16829. required:
  16830. - clientId
  16831. - clientSecret
  16832. - tenant
  16833. type: object
  16834. doppler:
  16835. description: Doppler configures this store to sync secrets using the Doppler provider
  16836. properties:
  16837. auth:
  16838. description: Auth configures how the Operator authenticates with the Doppler API
  16839. properties:
  16840. oidcConfig:
  16841. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  16842. properties:
  16843. expirationSeconds:
  16844. default: 600
  16845. description: |-
  16846. ExpirationSeconds sets the ServiceAccount token validity duration.
  16847. Defaults to 10 minutes.
  16848. format: int64
  16849. type: integer
  16850. identity:
  16851. description: Identity is the Doppler Service Account Identity ID configured for OIDC authentication.
  16852. type: string
  16853. serviceAccountRef:
  16854. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  16855. properties:
  16856. audiences:
  16857. description: |-
  16858. Audience specifies the `aud` claim for the service account token
  16859. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  16860. then this audiences will be appended to the list
  16861. items:
  16862. type: string
  16863. type: array
  16864. name:
  16865. description: The name of the ServiceAccount resource being referred to.
  16866. maxLength: 253
  16867. minLength: 1
  16868. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16869. type: string
  16870. namespace:
  16871. description: |-
  16872. Namespace of the resource being referred to.
  16873. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16874. maxLength: 63
  16875. minLength: 1
  16876. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16877. type: string
  16878. required:
  16879. - name
  16880. type: object
  16881. required:
  16882. - identity
  16883. - serviceAccountRef
  16884. type: object
  16885. secretRef:
  16886. description: SecretRef authenticates using a Doppler service token stored in a Kubernetes Secret.
  16887. properties:
  16888. dopplerToken:
  16889. description: |-
  16890. The DopplerToken is used for authentication.
  16891. See https://docs.doppler.com/reference/api#authentication for auth token types.
  16892. The Key attribute defaults to dopplerToken if not specified.
  16893. properties:
  16894. key:
  16895. description: |-
  16896. A key in the referenced Secret.
  16897. Some instances of this field may be defaulted, in others it may be required.
  16898. maxLength: 253
  16899. minLength: 1
  16900. pattern: ^[-._a-zA-Z0-9]+$
  16901. type: string
  16902. name:
  16903. description: The name of the Secret resource being referred to.
  16904. maxLength: 253
  16905. minLength: 1
  16906. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16907. type: string
  16908. namespace:
  16909. description: |-
  16910. The namespace of the Secret resource being referred to.
  16911. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16912. maxLength: 63
  16913. minLength: 1
  16914. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16915. type: string
  16916. type: object
  16917. required:
  16918. - dopplerToken
  16919. type: object
  16920. type: object
  16921. x-kubernetes-validations:
  16922. - message: Exactly one of 'secretRef' or 'oidcConfig' must be specified
  16923. rule: (has(self.secretRef) && !has(self.oidcConfig)) || (!has(self.secretRef) && has(self.oidcConfig))
  16924. config:
  16925. description: Doppler config (required if not using a Service Token)
  16926. type: string
  16927. format:
  16928. description: Format enables the downloading of secrets as a file (string)
  16929. enum:
  16930. - json
  16931. - dotnet-json
  16932. - env
  16933. - yaml
  16934. - docker
  16935. type: string
  16936. nameTransformer:
  16937. description: Environment variable compatible name transforms that change secret names to a different format
  16938. enum:
  16939. - upper-camel
  16940. - camel
  16941. - lower-snake
  16942. - tf-var
  16943. - dotnet-env
  16944. - lower-kebab
  16945. type: string
  16946. project:
  16947. description: Doppler project (required if not using a Service Token)
  16948. type: string
  16949. required:
  16950. - auth
  16951. type: object
  16952. dvls:
  16953. description: DVLS configures this store to sync secrets using Devolutions Server provider
  16954. properties:
  16955. auth:
  16956. description: Auth defines the authentication method to use.
  16957. properties:
  16958. secretRef:
  16959. description: SecretRef contains the Application ID and Application Secret for authentication.
  16960. properties:
  16961. appId:
  16962. description: AppID is the reference to the secret containing the Application ID.
  16963. properties:
  16964. key:
  16965. description: |-
  16966. A key in the referenced Secret.
  16967. Some instances of this field may be defaulted, in others it may be required.
  16968. maxLength: 253
  16969. minLength: 1
  16970. pattern: ^[-._a-zA-Z0-9]+$
  16971. type: string
  16972. name:
  16973. description: The name of the Secret resource being referred to.
  16974. maxLength: 253
  16975. minLength: 1
  16976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  16977. type: string
  16978. namespace:
  16979. description: |-
  16980. The namespace of the Secret resource being referred to.
  16981. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  16982. maxLength: 63
  16983. minLength: 1
  16984. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  16985. type: string
  16986. type: object
  16987. appSecret:
  16988. description: AppSecret is the reference to the secret containing the Application Secret.
  16989. properties:
  16990. key:
  16991. description: |-
  16992. A key in the referenced Secret.
  16993. Some instances of this field may be defaulted, in others it may be required.
  16994. maxLength: 253
  16995. minLength: 1
  16996. pattern: ^[-._a-zA-Z0-9]+$
  16997. type: string
  16998. name:
  16999. description: The name of the Secret resource being referred to.
  17000. maxLength: 253
  17001. minLength: 1
  17002. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17003. type: string
  17004. namespace:
  17005. description: |-
  17006. The namespace of the Secret resource being referred to.
  17007. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17008. maxLength: 63
  17009. minLength: 1
  17010. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17011. type: string
  17012. type: object
  17013. required:
  17014. - appId
  17015. - appSecret
  17016. type: object
  17017. required:
  17018. - secretRef
  17019. type: object
  17020. insecure:
  17021. description: |-
  17022. Insecure allows connecting to DVLS over plain HTTP.
  17023. This is NOT RECOMMENDED for production use.
  17024. Set to true only if you understand the security implications.
  17025. type: boolean
  17026. serverUrl:
  17027. description: ServerURL is the DVLS instance URL (e.g., https://dvls.example.com).
  17028. type: string
  17029. vault:
  17030. description: |-
  17031. Vault is the name or UUID of the vault to fetch secrets from.
  17032. When omitted, the vault must be specified in the secret key using the legacy format "<vault-id>/<entry-id>".
  17033. type: string
  17034. required:
  17035. - auth
  17036. - serverUrl
  17037. type: object
  17038. fake:
  17039. description: Fake configures a store with static key/value pairs
  17040. properties:
  17041. data:
  17042. items:
  17043. description: FakeProviderData defines a key-value pair with optional version for the fake provider.
  17044. properties:
  17045. key:
  17046. type: string
  17047. value:
  17048. type: string
  17049. version:
  17050. type: string
  17051. required:
  17052. - key
  17053. - value
  17054. type: object
  17055. type: array
  17056. validationResult:
  17057. description: ValidationResult is defined type for the number of validation results.
  17058. type: integer
  17059. required:
  17060. - data
  17061. type: object
  17062. fortanix:
  17063. description: Fortanix configures this store to sync secrets using the Fortanix provider
  17064. properties:
  17065. apiKey:
  17066. description: APIKey is the API token to access SDKMS Applications.
  17067. properties:
  17068. secretRef:
  17069. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  17070. properties:
  17071. key:
  17072. description: |-
  17073. A key in the referenced Secret.
  17074. Some instances of this field may be defaulted, in others it may be required.
  17075. maxLength: 253
  17076. minLength: 1
  17077. pattern: ^[-._a-zA-Z0-9]+$
  17078. type: string
  17079. name:
  17080. description: The name of the Secret resource being referred to.
  17081. maxLength: 253
  17082. minLength: 1
  17083. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17084. type: string
  17085. namespace:
  17086. description: |-
  17087. The namespace of the Secret resource being referred to.
  17088. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17089. maxLength: 63
  17090. minLength: 1
  17091. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17092. type: string
  17093. type: object
  17094. type: object
  17095. apiUrl:
  17096. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  17097. type: string
  17098. type: object
  17099. gcpsm:
  17100. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  17101. properties:
  17102. auth:
  17103. description: Auth defines the information necessary to authenticate against GCP
  17104. properties:
  17105. secretRef:
  17106. description: GCPSMAuthSecretRef contains the secret references for GCP Secret Manager authentication.
  17107. properties:
  17108. secretAccessKeySecretRef:
  17109. description: The SecretAccessKey is used for authentication
  17110. properties:
  17111. key:
  17112. description: |-
  17113. A key in the referenced Secret.
  17114. Some instances of this field may be defaulted, in others it may be required.
  17115. maxLength: 253
  17116. minLength: 1
  17117. pattern: ^[-._a-zA-Z0-9]+$
  17118. type: string
  17119. name:
  17120. description: The name of the Secret resource being referred to.
  17121. maxLength: 253
  17122. minLength: 1
  17123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17124. type: string
  17125. namespace:
  17126. description: |-
  17127. The namespace of the Secret resource being referred to.
  17128. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17129. maxLength: 63
  17130. minLength: 1
  17131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17132. type: string
  17133. type: object
  17134. type: object
  17135. workloadIdentity:
  17136. description: GCPWorkloadIdentity defines configuration for workload identity authentication to GCP.
  17137. properties:
  17138. clusterLocation:
  17139. description: |-
  17140. ClusterLocation is the location of the cluster
  17141. If not specified, it fetches information from the metadata server
  17142. type: string
  17143. clusterName:
  17144. description: |-
  17145. ClusterName is the name of the cluster
  17146. If not specified, it fetches information from the metadata server
  17147. type: string
  17148. clusterProjectID:
  17149. description: |-
  17150. ClusterProjectID is the project ID of the cluster
  17151. If not specified, it fetches information from the metadata server
  17152. type: string
  17153. serviceAccountRef:
  17154. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  17155. properties:
  17156. audiences:
  17157. description: |-
  17158. Audience specifies the `aud` claim for the service account token
  17159. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17160. then this audiences will be appended to the list
  17161. items:
  17162. type: string
  17163. type: array
  17164. name:
  17165. description: The name of the ServiceAccount resource being referred to.
  17166. maxLength: 253
  17167. minLength: 1
  17168. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17169. type: string
  17170. namespace:
  17171. description: |-
  17172. Namespace of the resource being referred to.
  17173. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17174. maxLength: 63
  17175. minLength: 1
  17176. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17177. type: string
  17178. required:
  17179. - name
  17180. type: object
  17181. required:
  17182. - serviceAccountRef
  17183. type: object
  17184. workloadIdentityFederation:
  17185. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  17186. properties:
  17187. audience:
  17188. description: |-
  17189. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  17190. If specified, Audience found in the external account credential config will be overridden with the configured value.
  17191. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  17192. type: string
  17193. awsSecurityCredentials:
  17194. description: |-
  17195. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  17196. when using the AWS metadata server is not an option.
  17197. properties:
  17198. awsCredentialsSecretRef:
  17199. description: |-
  17200. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  17201. Secret should be created with below names for keys
  17202. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  17203. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  17204. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  17205. properties:
  17206. name:
  17207. description: name of the secret.
  17208. maxLength: 253
  17209. minLength: 1
  17210. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17211. type: string
  17212. namespace:
  17213. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  17214. maxLength: 63
  17215. minLength: 1
  17216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17217. type: string
  17218. required:
  17219. - name
  17220. type: object
  17221. region:
  17222. description: region is for configuring the AWS region to be used.
  17223. example: ap-south-1
  17224. maxLength: 50
  17225. minLength: 1
  17226. pattern: ^[a-z0-9-]+$
  17227. type: string
  17228. required:
  17229. - awsCredentialsSecretRef
  17230. - region
  17231. type: object
  17232. credConfig:
  17233. description: |-
  17234. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  17235. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  17236. serviceAccountRef must be used by providing operators service account details.
  17237. properties:
  17238. key:
  17239. description: key name holding the external account credential config.
  17240. maxLength: 253
  17241. minLength: 1
  17242. pattern: ^[-._a-zA-Z0-9]+$
  17243. type: string
  17244. name:
  17245. description: name of the configmap.
  17246. maxLength: 253
  17247. minLength: 1
  17248. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17249. type: string
  17250. namespace:
  17251. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  17252. maxLength: 63
  17253. minLength: 1
  17254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17255. type: string
  17256. required:
  17257. - key
  17258. - name
  17259. type: object
  17260. externalTokenEndpoint:
  17261. description: |-
  17262. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  17263. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  17264. URL is having the expected value.
  17265. type: string
  17266. gcpServiceAccountEmail:
  17267. description: |-
  17268. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  17269. after Workload Identity Federation. Use this to grant access through the service account's
  17270. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  17271. service_account_impersonation_url in the external account JSON from credConfig;
  17272. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  17273. on that ServiceAccount.
  17274. example: my-gsa@my-project.iam.gserviceaccount.com
  17275. minLength: 1
  17276. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  17277. type: string
  17278. serviceAccountRef:
  17279. description: |-
  17280. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  17281. when Kubernetes is configured as provider in workload identity pool.
  17282. properties:
  17283. audiences:
  17284. description: |-
  17285. Audience specifies the `aud` claim for the service account token
  17286. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  17287. then this audiences will be appended to the list
  17288. items:
  17289. type: string
  17290. type: array
  17291. name:
  17292. description: The name of the ServiceAccount resource being referred to.
  17293. maxLength: 253
  17294. minLength: 1
  17295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17296. type: string
  17297. namespace:
  17298. description: |-
  17299. Namespace of the resource being referred to.
  17300. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17301. maxLength: 63
  17302. minLength: 1
  17303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17304. type: string
  17305. required:
  17306. - name
  17307. type: object
  17308. type: object
  17309. type: object
  17310. location:
  17311. description: Location optionally defines a location for a secret
  17312. type: string
  17313. projectID:
  17314. description: ProjectID project where secret is located
  17315. type: string
  17316. secretVersionSelectionPolicy:
  17317. default: LatestOrFail
  17318. description: |-
  17319. SecretVersionSelectionPolicy specifies how the provider selects a secret version
  17320. when "latest" is disabled or destroyed.
  17321. Possible values are:
  17322. - LatestOrFail: the provider always uses "latest", or fails if that version is disabled/destroyed.
  17323. - LatestOrFetch: the provider falls back to fetching the latest version if the version is DESTROYED or DISABLED
  17324. type: string
  17325. type: object
  17326. github:
  17327. description: |-
  17328. Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  17329. Note: This provider only supports write operations (PushSecret) and cannot fetch secrets from GitHub
  17330. properties:
  17331. appID:
  17332. description: appID specifies the Github APP that will be used to authenticate the client
  17333. format: int64
  17334. type: integer
  17335. auth:
  17336. description: auth configures how secret-manager authenticates with a Github instance.
  17337. properties:
  17338. privateKey:
  17339. description: |-
  17340. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17341. In some instances, `key` is a required field.
  17342. properties:
  17343. key:
  17344. description: |-
  17345. A key in the referenced Secret.
  17346. Some instances of this field may be defaulted, in others it may be required.
  17347. maxLength: 253
  17348. minLength: 1
  17349. pattern: ^[-._a-zA-Z0-9]+$
  17350. type: string
  17351. name:
  17352. description: The name of the Secret resource being referred to.
  17353. maxLength: 253
  17354. minLength: 1
  17355. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17356. type: string
  17357. namespace:
  17358. description: |-
  17359. The namespace of the Secret resource being referred to.
  17360. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17361. maxLength: 63
  17362. minLength: 1
  17363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17364. type: string
  17365. type: object
  17366. required:
  17367. - privateKey
  17368. type: object
  17369. environment:
  17370. description: environment will be used to fetch secrets from a particular environment within a github repository
  17371. type: string
  17372. installationID:
  17373. description: installationID specifies the Github APP installation that will be used to authenticate the client
  17374. format: int64
  17375. type: integer
  17376. orgSecretVisibility:
  17377. description: |-
  17378. orgSecretVisibility controls the visibility of organization secrets pushed via PushSecret.
  17379. Valid values are "all" or "private".
  17380. When unset, new secrets are created with visibility "all" and existing secrets preserve
  17381. whatever visibility they already have in GitHub.
  17382. enum:
  17383. - all
  17384. - private
  17385. type: string
  17386. organization:
  17387. description: organization will be used to fetch secrets from the Github organization
  17388. type: string
  17389. repository:
  17390. description: repository will be used to fetch secrets from the Github repository within an organization
  17391. type: string
  17392. uploadURL:
  17393. description: Upload URL for enterprise instances. Default to URL.
  17394. type: string
  17395. url:
  17396. default: https://github.com/
  17397. description: URL configures the Github instance URL. Defaults to https://github.com/.
  17398. type: string
  17399. required:
  17400. - appID
  17401. - auth
  17402. - installationID
  17403. - organization
  17404. type: object
  17405. gitlab:
  17406. description: GitLab configures this store to sync secrets using GitLab Variables provider
  17407. properties:
  17408. auth:
  17409. description: Auth configures how secret-manager authenticates with a GitLab instance.
  17410. properties:
  17411. SecretRef:
  17412. description: GitlabSecretRef contains the secret reference for GitLab authentication credentials.
  17413. properties:
  17414. accessToken:
  17415. description: AccessToken is used for authentication.
  17416. properties:
  17417. key:
  17418. description: |-
  17419. A key in the referenced Secret.
  17420. Some instances of this field may be defaulted, in others it may be required.
  17421. maxLength: 253
  17422. minLength: 1
  17423. pattern: ^[-._a-zA-Z0-9]+$
  17424. type: string
  17425. name:
  17426. description: The name of the Secret resource being referred to.
  17427. maxLength: 253
  17428. minLength: 1
  17429. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17430. type: string
  17431. namespace:
  17432. description: |-
  17433. The namespace of the Secret resource being referred to.
  17434. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17435. maxLength: 63
  17436. minLength: 1
  17437. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17438. type: string
  17439. type: object
  17440. type: object
  17441. required:
  17442. - SecretRef
  17443. type: object
  17444. caBundle:
  17445. description: |-
  17446. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  17447. can be performed.
  17448. format: byte
  17449. type: string
  17450. caProvider:
  17451. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  17452. properties:
  17453. key:
  17454. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  17455. maxLength: 253
  17456. minLength: 1
  17457. pattern: ^[-._a-zA-Z0-9]+$
  17458. type: string
  17459. name:
  17460. description: The name of the object located at the provider type.
  17461. maxLength: 253
  17462. minLength: 1
  17463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17464. type: string
  17465. namespace:
  17466. description: |-
  17467. The namespace the Provider type is in.
  17468. Can only be defined when used in a ClusterSecretStore.
  17469. maxLength: 63
  17470. minLength: 1
  17471. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17472. type: string
  17473. type:
  17474. description: The type of provider to use such as "Secret", or "ConfigMap".
  17475. enum:
  17476. - Secret
  17477. - ConfigMap
  17478. type: string
  17479. required:
  17480. - name
  17481. - type
  17482. type: object
  17483. environment:
  17484. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  17485. type: string
  17486. groupIDs:
  17487. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  17488. items:
  17489. type: string
  17490. type: array
  17491. inheritFromGroups:
  17492. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  17493. type: boolean
  17494. projectID:
  17495. description: ProjectID specifies a project where secrets are located.
  17496. type: string
  17497. url:
  17498. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  17499. type: string
  17500. required:
  17501. - auth
  17502. type: object
  17503. ibm:
  17504. description: IBM configures this store to sync secrets using IBM Cloud provider
  17505. properties:
  17506. auth:
  17507. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  17508. maxProperties: 1
  17509. minProperties: 1
  17510. properties:
  17511. containerAuth:
  17512. description: IBMAuthContainerAuth defines container-based authentication with IAM Trusted Profile.
  17513. properties:
  17514. iamEndpoint:
  17515. type: string
  17516. profile:
  17517. description: the IBM Trusted Profile
  17518. type: string
  17519. tokenLocation:
  17520. description: Location the token is mounted on the pod
  17521. type: string
  17522. required:
  17523. - profile
  17524. type: object
  17525. secretRef:
  17526. description: IBMAuthSecretRef contains the secret reference for IBM Cloud API key authentication.
  17527. properties:
  17528. iamEndpoint:
  17529. description: The IAM endpoint used to obain a token
  17530. type: string
  17531. secretApiKeySecretRef:
  17532. description: The SecretAccessKey is used for authentication
  17533. properties:
  17534. key:
  17535. description: |-
  17536. A key in the referenced Secret.
  17537. Some instances of this field may be defaulted, in others it may be required.
  17538. maxLength: 253
  17539. minLength: 1
  17540. pattern: ^[-._a-zA-Z0-9]+$
  17541. type: string
  17542. name:
  17543. description: The name of the Secret resource being referred to.
  17544. maxLength: 253
  17545. minLength: 1
  17546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17547. type: string
  17548. namespace:
  17549. description: |-
  17550. The namespace of the Secret resource being referred to.
  17551. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17552. maxLength: 63
  17553. minLength: 1
  17554. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17555. type: string
  17556. type: object
  17557. type: object
  17558. type: object
  17559. serviceUrl:
  17560. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  17561. type: string
  17562. required:
  17563. - auth
  17564. type: object
  17565. infisical:
  17566. description: Infisical configures this store to sync secrets using the Infisical provider
  17567. properties:
  17568. auth:
  17569. description: Auth configures how the Operator authenticates with the Infisical API
  17570. properties:
  17571. awsAuthCredentials:
  17572. description: AwsAuthCredentials represents the credentials for AWS authentication.
  17573. properties:
  17574. identityId:
  17575. description: |-
  17576. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17577. In some instances, `key` is a required field.
  17578. properties:
  17579. key:
  17580. description: |-
  17581. A key in the referenced Secret.
  17582. Some instances of this field may be defaulted, in others it may be required.
  17583. maxLength: 253
  17584. minLength: 1
  17585. pattern: ^[-._a-zA-Z0-9]+$
  17586. type: string
  17587. name:
  17588. description: The name of the Secret resource being referred to.
  17589. maxLength: 253
  17590. minLength: 1
  17591. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17592. type: string
  17593. namespace:
  17594. description: |-
  17595. The namespace of the Secret resource being referred to.
  17596. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17597. maxLength: 63
  17598. minLength: 1
  17599. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17600. type: string
  17601. type: object
  17602. required:
  17603. - identityId
  17604. type: object
  17605. azureAuthCredentials:
  17606. description: AzureAuthCredentials represents the credentials for Azure authentication.
  17607. properties:
  17608. identityId:
  17609. description: |-
  17610. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17611. In some instances, `key` is a required field.
  17612. properties:
  17613. key:
  17614. description: |-
  17615. A key in the referenced Secret.
  17616. Some instances of this field may be defaulted, in others it may be required.
  17617. maxLength: 253
  17618. minLength: 1
  17619. pattern: ^[-._a-zA-Z0-9]+$
  17620. type: string
  17621. name:
  17622. description: The name of the Secret resource being referred to.
  17623. maxLength: 253
  17624. minLength: 1
  17625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17626. type: string
  17627. namespace:
  17628. description: |-
  17629. The namespace of the Secret resource being referred to.
  17630. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17631. maxLength: 63
  17632. minLength: 1
  17633. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17634. type: string
  17635. type: object
  17636. resource:
  17637. description: |-
  17638. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17639. In some instances, `key` is a required field.
  17640. properties:
  17641. key:
  17642. description: |-
  17643. A key in the referenced Secret.
  17644. Some instances of this field may be defaulted, in others it may be required.
  17645. maxLength: 253
  17646. minLength: 1
  17647. pattern: ^[-._a-zA-Z0-9]+$
  17648. type: string
  17649. name:
  17650. description: The name of the Secret resource being referred to.
  17651. maxLength: 253
  17652. minLength: 1
  17653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17654. type: string
  17655. namespace:
  17656. description: |-
  17657. The namespace of the Secret resource being referred to.
  17658. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17659. maxLength: 63
  17660. minLength: 1
  17661. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17662. type: string
  17663. type: object
  17664. required:
  17665. - identityId
  17666. type: object
  17667. gcpIamAuthCredentials:
  17668. description: GcpIamAuthCredentials represents the credentials for GCP IAM authentication.
  17669. properties:
  17670. identityId:
  17671. description: |-
  17672. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17673. In some instances, `key` is a required field.
  17674. properties:
  17675. key:
  17676. description: |-
  17677. A key in the referenced Secret.
  17678. Some instances of this field may be defaulted, in others it may be required.
  17679. maxLength: 253
  17680. minLength: 1
  17681. pattern: ^[-._a-zA-Z0-9]+$
  17682. type: string
  17683. name:
  17684. description: The name of the Secret resource being referred to.
  17685. maxLength: 253
  17686. minLength: 1
  17687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17688. type: string
  17689. namespace:
  17690. description: |-
  17691. The namespace of the Secret resource being referred to.
  17692. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17693. maxLength: 63
  17694. minLength: 1
  17695. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17696. type: string
  17697. type: object
  17698. serviceAccountKeyFilePath:
  17699. description: |-
  17700. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17701. In some instances, `key` is a required field.
  17702. properties:
  17703. key:
  17704. description: |-
  17705. A key in the referenced Secret.
  17706. Some instances of this field may be defaulted, in others it may be required.
  17707. maxLength: 253
  17708. minLength: 1
  17709. pattern: ^[-._a-zA-Z0-9]+$
  17710. type: string
  17711. name:
  17712. description: The name of the Secret resource being referred to.
  17713. maxLength: 253
  17714. minLength: 1
  17715. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17716. type: string
  17717. namespace:
  17718. description: |-
  17719. The namespace of the Secret resource being referred to.
  17720. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17721. maxLength: 63
  17722. minLength: 1
  17723. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17724. type: string
  17725. type: object
  17726. required:
  17727. - identityId
  17728. - serviceAccountKeyFilePath
  17729. type: object
  17730. gcpIdTokenAuthCredentials:
  17731. description: GcpIDTokenAuthCredentials represents the credentials for GCP ID token authentication.
  17732. properties:
  17733. identityId:
  17734. description: |-
  17735. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17736. In some instances, `key` is a required field.
  17737. properties:
  17738. key:
  17739. description: |-
  17740. A key in the referenced Secret.
  17741. Some instances of this field may be defaulted, in others it may be required.
  17742. maxLength: 253
  17743. minLength: 1
  17744. pattern: ^[-._a-zA-Z0-9]+$
  17745. type: string
  17746. name:
  17747. description: The name of the Secret resource being referred to.
  17748. maxLength: 253
  17749. minLength: 1
  17750. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17751. type: string
  17752. namespace:
  17753. description: |-
  17754. The namespace of the Secret resource being referred to.
  17755. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17756. maxLength: 63
  17757. minLength: 1
  17758. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17759. type: string
  17760. type: object
  17761. required:
  17762. - identityId
  17763. type: object
  17764. jwtAuthCredentials:
  17765. description: JwtAuthCredentials represents the credentials for JWT authentication.
  17766. properties:
  17767. identityId:
  17768. description: |-
  17769. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17770. In some instances, `key` is a required field.
  17771. properties:
  17772. key:
  17773. description: |-
  17774. A key in the referenced Secret.
  17775. Some instances of this field may be defaulted, in others it may be required.
  17776. maxLength: 253
  17777. minLength: 1
  17778. pattern: ^[-._a-zA-Z0-9]+$
  17779. type: string
  17780. name:
  17781. description: The name of the Secret resource being referred to.
  17782. maxLength: 253
  17783. minLength: 1
  17784. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17785. type: string
  17786. namespace:
  17787. description: |-
  17788. The namespace of the Secret resource being referred to.
  17789. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17790. maxLength: 63
  17791. minLength: 1
  17792. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17793. type: string
  17794. type: object
  17795. jwt:
  17796. description: |-
  17797. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17798. In some instances, `key` is a required field.
  17799. properties:
  17800. key:
  17801. description: |-
  17802. A key in the referenced Secret.
  17803. Some instances of this field may be defaulted, in others it may be required.
  17804. maxLength: 253
  17805. minLength: 1
  17806. pattern: ^[-._a-zA-Z0-9]+$
  17807. type: string
  17808. name:
  17809. description: The name of the Secret resource being referred to.
  17810. maxLength: 253
  17811. minLength: 1
  17812. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17813. type: string
  17814. namespace:
  17815. description: |-
  17816. The namespace of the Secret resource being referred to.
  17817. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17818. maxLength: 63
  17819. minLength: 1
  17820. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17821. type: string
  17822. type: object
  17823. required:
  17824. - identityId
  17825. - jwt
  17826. type: object
  17827. kubernetesAuthCredentials:
  17828. description: KubernetesAuthCredentials represents the credentials for Kubernetes authentication.
  17829. properties:
  17830. identityId:
  17831. description: |-
  17832. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17833. In some instances, `key` is a required field.
  17834. properties:
  17835. key:
  17836. description: |-
  17837. A key in the referenced Secret.
  17838. Some instances of this field may be defaulted, in others it may be required.
  17839. maxLength: 253
  17840. minLength: 1
  17841. pattern: ^[-._a-zA-Z0-9]+$
  17842. type: string
  17843. name:
  17844. description: The name of the Secret resource being referred to.
  17845. maxLength: 253
  17846. minLength: 1
  17847. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17848. type: string
  17849. namespace:
  17850. description: |-
  17851. The namespace of the Secret resource being referred to.
  17852. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17853. maxLength: 63
  17854. minLength: 1
  17855. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17856. type: string
  17857. type: object
  17858. serviceAccountTokenPath:
  17859. description: |-
  17860. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17861. In some instances, `key` is a required field.
  17862. properties:
  17863. key:
  17864. description: |-
  17865. A key in the referenced Secret.
  17866. Some instances of this field may be defaulted, in others it may be required.
  17867. maxLength: 253
  17868. minLength: 1
  17869. pattern: ^[-._a-zA-Z0-9]+$
  17870. type: string
  17871. name:
  17872. description: The name of the Secret resource being referred to.
  17873. maxLength: 253
  17874. minLength: 1
  17875. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17876. type: string
  17877. namespace:
  17878. description: |-
  17879. The namespace of the Secret resource being referred to.
  17880. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17881. maxLength: 63
  17882. minLength: 1
  17883. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17884. type: string
  17885. type: object
  17886. required:
  17887. - identityId
  17888. type: object
  17889. ldapAuthCredentials:
  17890. description: LdapAuthCredentials represents the credentials for LDAP authentication.
  17891. properties:
  17892. identityId:
  17893. description: |-
  17894. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17895. In some instances, `key` is a required field.
  17896. properties:
  17897. key:
  17898. description: |-
  17899. A key in the referenced Secret.
  17900. Some instances of this field may be defaulted, in others it may be required.
  17901. maxLength: 253
  17902. minLength: 1
  17903. pattern: ^[-._a-zA-Z0-9]+$
  17904. type: string
  17905. name:
  17906. description: The name of the Secret resource being referred to.
  17907. maxLength: 253
  17908. minLength: 1
  17909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17910. type: string
  17911. namespace:
  17912. description: |-
  17913. The namespace of the Secret resource being referred to.
  17914. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17915. maxLength: 63
  17916. minLength: 1
  17917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17918. type: string
  17919. type: object
  17920. ldapPassword:
  17921. description: |-
  17922. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17923. In some instances, `key` is a required field.
  17924. properties:
  17925. key:
  17926. description: |-
  17927. A key in the referenced Secret.
  17928. Some instances of this field may be defaulted, in others it may be required.
  17929. maxLength: 253
  17930. minLength: 1
  17931. pattern: ^[-._a-zA-Z0-9]+$
  17932. type: string
  17933. name:
  17934. description: The name of the Secret resource being referred to.
  17935. maxLength: 253
  17936. minLength: 1
  17937. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17938. type: string
  17939. namespace:
  17940. description: |-
  17941. The namespace of the Secret resource being referred to.
  17942. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17943. maxLength: 63
  17944. minLength: 1
  17945. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17946. type: string
  17947. type: object
  17948. ldapUsername:
  17949. description: |-
  17950. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17951. In some instances, `key` is a required field.
  17952. properties:
  17953. key:
  17954. description: |-
  17955. A key in the referenced Secret.
  17956. Some instances of this field may be defaulted, in others it may be required.
  17957. maxLength: 253
  17958. minLength: 1
  17959. pattern: ^[-._a-zA-Z0-9]+$
  17960. type: string
  17961. name:
  17962. description: The name of the Secret resource being referred to.
  17963. maxLength: 253
  17964. minLength: 1
  17965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  17966. type: string
  17967. namespace:
  17968. description: |-
  17969. The namespace of the Secret resource being referred to.
  17970. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  17971. maxLength: 63
  17972. minLength: 1
  17973. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  17974. type: string
  17975. type: object
  17976. required:
  17977. - identityId
  17978. - ldapPassword
  17979. - ldapUsername
  17980. type: object
  17981. ociAuthCredentials:
  17982. description: OciAuthCredentials represents the credentials for OCI authentication.
  17983. properties:
  17984. fingerprint:
  17985. description: |-
  17986. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  17987. In some instances, `key` is a required field.
  17988. properties:
  17989. key:
  17990. description: |-
  17991. A key in the referenced Secret.
  17992. Some instances of this field may be defaulted, in others it may be required.
  17993. maxLength: 253
  17994. minLength: 1
  17995. pattern: ^[-._a-zA-Z0-9]+$
  17996. type: string
  17997. name:
  17998. description: The name of the Secret resource being referred to.
  17999. maxLength: 253
  18000. minLength: 1
  18001. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18002. type: string
  18003. namespace:
  18004. description: |-
  18005. The namespace of the Secret resource being referred to.
  18006. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18007. maxLength: 63
  18008. minLength: 1
  18009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18010. type: string
  18011. type: object
  18012. identityId:
  18013. description: |-
  18014. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18015. In some instances, `key` is a required field.
  18016. properties:
  18017. key:
  18018. description: |-
  18019. A key in the referenced Secret.
  18020. Some instances of this field may be defaulted, in others it may be required.
  18021. maxLength: 253
  18022. minLength: 1
  18023. pattern: ^[-._a-zA-Z0-9]+$
  18024. type: string
  18025. name:
  18026. description: The name of the Secret resource being referred to.
  18027. maxLength: 253
  18028. minLength: 1
  18029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18030. type: string
  18031. namespace:
  18032. description: |-
  18033. The namespace of the Secret resource being referred to.
  18034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18035. maxLength: 63
  18036. minLength: 1
  18037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18038. type: string
  18039. type: object
  18040. privateKey:
  18041. description: |-
  18042. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18043. In some instances, `key` is a required field.
  18044. properties:
  18045. key:
  18046. description: |-
  18047. A key in the referenced Secret.
  18048. Some instances of this field may be defaulted, in others it may be required.
  18049. maxLength: 253
  18050. minLength: 1
  18051. pattern: ^[-._a-zA-Z0-9]+$
  18052. type: string
  18053. name:
  18054. description: The name of the Secret resource being referred to.
  18055. maxLength: 253
  18056. minLength: 1
  18057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18058. type: string
  18059. namespace:
  18060. description: |-
  18061. The namespace of the Secret resource being referred to.
  18062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18063. maxLength: 63
  18064. minLength: 1
  18065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18066. type: string
  18067. type: object
  18068. privateKeyPassphrase:
  18069. description: |-
  18070. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18071. In some instances, `key` is a required field.
  18072. properties:
  18073. key:
  18074. description: |-
  18075. A key in the referenced Secret.
  18076. Some instances of this field may be defaulted, in others it may be required.
  18077. maxLength: 253
  18078. minLength: 1
  18079. pattern: ^[-._a-zA-Z0-9]+$
  18080. type: string
  18081. name:
  18082. description: The name of the Secret resource being referred to.
  18083. maxLength: 253
  18084. minLength: 1
  18085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18086. type: string
  18087. namespace:
  18088. description: |-
  18089. The namespace of the Secret resource being referred to.
  18090. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18091. maxLength: 63
  18092. minLength: 1
  18093. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18094. type: string
  18095. type: object
  18096. region:
  18097. description: |-
  18098. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18099. In some instances, `key` is a required field.
  18100. properties:
  18101. key:
  18102. description: |-
  18103. A key in the referenced Secret.
  18104. Some instances of this field may be defaulted, in others it may be required.
  18105. maxLength: 253
  18106. minLength: 1
  18107. pattern: ^[-._a-zA-Z0-9]+$
  18108. type: string
  18109. name:
  18110. description: The name of the Secret resource being referred to.
  18111. maxLength: 253
  18112. minLength: 1
  18113. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18114. type: string
  18115. namespace:
  18116. description: |-
  18117. The namespace of the Secret resource being referred to.
  18118. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18119. maxLength: 63
  18120. minLength: 1
  18121. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18122. type: string
  18123. type: object
  18124. tenancyId:
  18125. description: |-
  18126. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18127. In some instances, `key` is a required field.
  18128. properties:
  18129. key:
  18130. description: |-
  18131. A key in the referenced Secret.
  18132. Some instances of this field may be defaulted, in others it may be required.
  18133. maxLength: 253
  18134. minLength: 1
  18135. pattern: ^[-._a-zA-Z0-9]+$
  18136. type: string
  18137. name:
  18138. description: The name of the Secret resource being referred to.
  18139. maxLength: 253
  18140. minLength: 1
  18141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18142. type: string
  18143. namespace:
  18144. description: |-
  18145. The namespace of the Secret resource being referred to.
  18146. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18147. maxLength: 63
  18148. minLength: 1
  18149. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18150. type: string
  18151. type: object
  18152. userId:
  18153. description: |-
  18154. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18155. In some instances, `key` is a required field.
  18156. properties:
  18157. key:
  18158. description: |-
  18159. A key in the referenced Secret.
  18160. Some instances of this field may be defaulted, in others it may be required.
  18161. maxLength: 253
  18162. minLength: 1
  18163. pattern: ^[-._a-zA-Z0-9]+$
  18164. type: string
  18165. name:
  18166. description: The name of the Secret resource being referred to.
  18167. maxLength: 253
  18168. minLength: 1
  18169. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18170. type: string
  18171. namespace:
  18172. description: |-
  18173. The namespace of the Secret resource being referred to.
  18174. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18175. maxLength: 63
  18176. minLength: 1
  18177. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18178. type: string
  18179. type: object
  18180. required:
  18181. - fingerprint
  18182. - identityId
  18183. - privateKey
  18184. - region
  18185. - tenancyId
  18186. - userId
  18187. type: object
  18188. tokenAuthCredentials:
  18189. description: TokenAuthCredentials represents the credentials for access token-based authentication.
  18190. properties:
  18191. accessToken:
  18192. description: |-
  18193. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18194. In some instances, `key` is a required field.
  18195. properties:
  18196. key:
  18197. description: |-
  18198. A key in the referenced Secret.
  18199. Some instances of this field may be defaulted, in others it may be required.
  18200. maxLength: 253
  18201. minLength: 1
  18202. pattern: ^[-._a-zA-Z0-9]+$
  18203. type: string
  18204. name:
  18205. description: The name of the Secret resource being referred to.
  18206. maxLength: 253
  18207. minLength: 1
  18208. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18209. type: string
  18210. namespace:
  18211. description: |-
  18212. The namespace of the Secret resource being referred to.
  18213. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18214. maxLength: 63
  18215. minLength: 1
  18216. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18217. type: string
  18218. type: object
  18219. required:
  18220. - accessToken
  18221. type: object
  18222. universalAuthCredentials:
  18223. description: UniversalAuthCredentials represents the client credentials for universal authentication.
  18224. properties:
  18225. clientId:
  18226. description: |-
  18227. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18228. In some instances, `key` is a required field.
  18229. properties:
  18230. key:
  18231. description: |-
  18232. A key in the referenced Secret.
  18233. Some instances of this field may be defaulted, in others it may be required.
  18234. maxLength: 253
  18235. minLength: 1
  18236. pattern: ^[-._a-zA-Z0-9]+$
  18237. type: string
  18238. name:
  18239. description: The name of the Secret resource being referred to.
  18240. maxLength: 253
  18241. minLength: 1
  18242. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18243. type: string
  18244. namespace:
  18245. description: |-
  18246. The namespace of the Secret resource being referred to.
  18247. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18248. maxLength: 63
  18249. minLength: 1
  18250. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18251. type: string
  18252. type: object
  18253. clientSecret:
  18254. description: |-
  18255. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18256. In some instances, `key` is a required field.
  18257. properties:
  18258. key:
  18259. description: |-
  18260. A key in the referenced Secret.
  18261. Some instances of this field may be defaulted, in others it may be required.
  18262. maxLength: 253
  18263. minLength: 1
  18264. pattern: ^[-._a-zA-Z0-9]+$
  18265. type: string
  18266. name:
  18267. description: The name of the Secret resource being referred to.
  18268. maxLength: 253
  18269. minLength: 1
  18270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18271. type: string
  18272. namespace:
  18273. description: |-
  18274. The namespace of the Secret resource being referred to.
  18275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18276. maxLength: 63
  18277. minLength: 1
  18278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18279. type: string
  18280. type: object
  18281. required:
  18282. - clientId
  18283. - clientSecret
  18284. type: object
  18285. type: object
  18286. caBundle:
  18287. description: |-
  18288. CABundle is a PEM-encoded CA certificate bundle used to validate
  18289. the Infisical server's TLS certificate. Mutually exclusive with CAProvider.
  18290. format: byte
  18291. type: string
  18292. caProvider:
  18293. description: |-
  18294. CAProvider is a reference to a Secret or ConfigMap that contains a CA certificate.
  18295. The certificate is used to validate the Infisical server's TLS certificate.
  18296. Mutually exclusive with CABundle.
  18297. properties:
  18298. key:
  18299. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18300. maxLength: 253
  18301. minLength: 1
  18302. pattern: ^[-._a-zA-Z0-9]+$
  18303. type: string
  18304. name:
  18305. description: The name of the object located at the provider type.
  18306. maxLength: 253
  18307. minLength: 1
  18308. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18309. type: string
  18310. namespace:
  18311. description: |-
  18312. The namespace the Provider type is in.
  18313. Can only be defined when used in a ClusterSecretStore.
  18314. maxLength: 63
  18315. minLength: 1
  18316. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18317. type: string
  18318. type:
  18319. description: The type of provider to use such as "Secret", or "ConfigMap".
  18320. enum:
  18321. - Secret
  18322. - ConfigMap
  18323. type: string
  18324. required:
  18325. - name
  18326. - type
  18327. type: object
  18328. hostAPI:
  18329. default: https://app.infisical.com/api
  18330. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  18331. type: string
  18332. secretsScope:
  18333. description: SecretsScope defines the scope of the secrets within the workspace
  18334. properties:
  18335. environmentSlug:
  18336. description: EnvironmentSlug is the required slug identifier for the environment.
  18337. type: string
  18338. expandSecretReferences:
  18339. default: true
  18340. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  18341. type: boolean
  18342. organizationSlug:
  18343. description: |-
  18344. OrganizationSlug is the optional slug that identifies the organization that will be used
  18345. during authentication. Useful for sub-organization setups
  18346. type: string
  18347. projectSlug:
  18348. description: ProjectSlug is the required slug identifier for the project.
  18349. type: string
  18350. recursive:
  18351. default: false
  18352. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  18353. type: boolean
  18354. secretsPath:
  18355. default: /
  18356. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  18357. type: string
  18358. required:
  18359. - environmentSlug
  18360. - projectSlug
  18361. type: object
  18362. required:
  18363. - auth
  18364. - secretsScope
  18365. type: object
  18366. keepersecurity:
  18367. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  18368. properties:
  18369. authRef:
  18370. description: |-
  18371. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18372. In some instances, `key` is a required field.
  18373. properties:
  18374. key:
  18375. description: |-
  18376. A key in the referenced Secret.
  18377. Some instances of this field may be defaulted, in others it may be required.
  18378. maxLength: 253
  18379. minLength: 1
  18380. pattern: ^[-._a-zA-Z0-9]+$
  18381. type: string
  18382. name:
  18383. description: The name of the Secret resource being referred to.
  18384. maxLength: 253
  18385. minLength: 1
  18386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18387. type: string
  18388. namespace:
  18389. description: |-
  18390. The namespace of the Secret resource being referred to.
  18391. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18392. maxLength: 63
  18393. minLength: 1
  18394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18395. type: string
  18396. type: object
  18397. folderID:
  18398. type: string
  18399. getByTitleFallback:
  18400. type: boolean
  18401. required:
  18402. - authRef
  18403. - folderID
  18404. type: object
  18405. kubernetes:
  18406. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  18407. properties:
  18408. auth:
  18409. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  18410. maxProperties: 1
  18411. minProperties: 1
  18412. properties:
  18413. cert:
  18414. description: has both clientCert and clientKey as secretKeySelector
  18415. properties:
  18416. clientCert:
  18417. description: |-
  18418. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18419. In some instances, `key` is a required field.
  18420. properties:
  18421. key:
  18422. description: |-
  18423. A key in the referenced Secret.
  18424. Some instances of this field may be defaulted, in others it may be required.
  18425. maxLength: 253
  18426. minLength: 1
  18427. pattern: ^[-._a-zA-Z0-9]+$
  18428. type: string
  18429. name:
  18430. description: The name of the Secret resource being referred to.
  18431. maxLength: 253
  18432. minLength: 1
  18433. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18434. type: string
  18435. namespace:
  18436. description: |-
  18437. The namespace of the Secret resource being referred to.
  18438. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18439. maxLength: 63
  18440. minLength: 1
  18441. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18442. type: string
  18443. type: object
  18444. clientKey:
  18445. description: |-
  18446. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18447. In some instances, `key` is a required field.
  18448. properties:
  18449. key:
  18450. description: |-
  18451. A key in the referenced Secret.
  18452. Some instances of this field may be defaulted, in others it may be required.
  18453. maxLength: 253
  18454. minLength: 1
  18455. pattern: ^[-._a-zA-Z0-9]+$
  18456. type: string
  18457. name:
  18458. description: The name of the Secret resource being referred to.
  18459. maxLength: 253
  18460. minLength: 1
  18461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18462. type: string
  18463. namespace:
  18464. description: |-
  18465. The namespace of the Secret resource being referred to.
  18466. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18467. maxLength: 63
  18468. minLength: 1
  18469. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18470. type: string
  18471. type: object
  18472. type: object
  18473. serviceAccount:
  18474. description: points to a service account that should be used for authentication
  18475. properties:
  18476. audiences:
  18477. description: |-
  18478. Audience specifies the `aud` claim for the service account token
  18479. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  18480. then this audiences will be appended to the list
  18481. items:
  18482. type: string
  18483. type: array
  18484. name:
  18485. description: The name of the ServiceAccount resource being referred to.
  18486. maxLength: 253
  18487. minLength: 1
  18488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18489. type: string
  18490. namespace:
  18491. description: |-
  18492. Namespace of the resource being referred to.
  18493. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18494. maxLength: 63
  18495. minLength: 1
  18496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18497. type: string
  18498. required:
  18499. - name
  18500. type: object
  18501. token:
  18502. description: use static token to authenticate with
  18503. properties:
  18504. bearerToken:
  18505. description: |-
  18506. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18507. In some instances, `key` is a required field.
  18508. properties:
  18509. key:
  18510. description: |-
  18511. A key in the referenced Secret.
  18512. Some instances of this field may be defaulted, in others it may be required.
  18513. maxLength: 253
  18514. minLength: 1
  18515. pattern: ^[-._a-zA-Z0-9]+$
  18516. type: string
  18517. name:
  18518. description: The name of the Secret resource being referred to.
  18519. maxLength: 253
  18520. minLength: 1
  18521. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18522. type: string
  18523. namespace:
  18524. description: |-
  18525. The namespace of the Secret resource being referred to.
  18526. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18527. maxLength: 63
  18528. minLength: 1
  18529. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18530. type: string
  18531. type: object
  18532. type: object
  18533. type: object
  18534. authRef:
  18535. description: A reference to a secret that contains the auth information.
  18536. properties:
  18537. key:
  18538. description: |-
  18539. A key in the referenced Secret.
  18540. Some instances of this field may be defaulted, in others it may be required.
  18541. maxLength: 253
  18542. minLength: 1
  18543. pattern: ^[-._a-zA-Z0-9]+$
  18544. type: string
  18545. name:
  18546. description: The name of the Secret resource being referred to.
  18547. maxLength: 253
  18548. minLength: 1
  18549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18550. type: string
  18551. namespace:
  18552. description: |-
  18553. The namespace of the Secret resource being referred to.
  18554. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18555. maxLength: 63
  18556. minLength: 1
  18557. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18558. type: string
  18559. type: object
  18560. remoteNamespace:
  18561. default: default
  18562. description: Remote namespace to fetch the secrets from
  18563. maxLength: 63
  18564. minLength: 1
  18565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18566. type: string
  18567. server:
  18568. description: configures the Kubernetes server Address.
  18569. properties:
  18570. caBundle:
  18571. description: CABundle is a base64-encoded CA certificate
  18572. format: byte
  18573. type: string
  18574. caProvider:
  18575. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  18576. properties:
  18577. key:
  18578. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  18579. maxLength: 253
  18580. minLength: 1
  18581. pattern: ^[-._a-zA-Z0-9]+$
  18582. type: string
  18583. name:
  18584. description: The name of the object located at the provider type.
  18585. maxLength: 253
  18586. minLength: 1
  18587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18588. type: string
  18589. namespace:
  18590. description: |-
  18591. The namespace the Provider type is in.
  18592. Can only be defined when used in a ClusterSecretStore.
  18593. maxLength: 63
  18594. minLength: 1
  18595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18596. type: string
  18597. type:
  18598. description: The type of provider to use such as "Secret", or "ConfigMap".
  18599. enum:
  18600. - Secret
  18601. - ConfigMap
  18602. type: string
  18603. required:
  18604. - name
  18605. - type
  18606. type: object
  18607. url:
  18608. default: kubernetes.default
  18609. description: configures the Kubernetes server Address.
  18610. type: string
  18611. type: object
  18612. type: object
  18613. nebiusmysterybox:
  18614. description: NebiusMysterybox configures this store to sync secrets using NebiusMysterybox provider
  18615. properties:
  18616. apiDomain:
  18617. description: NebiusMysterybox API endpoint
  18618. type: string
  18619. auth:
  18620. description: Auth defines parameters to authenticate in MysteryBox
  18621. properties:
  18622. serviceAccountCredsSecretRef:
  18623. description: |-
  18624. ServiceAccountCreds references a Kubernetes Secret key that contains a JSON
  18625. document with service account credentials used to get an IAM token.
  18626. Expected JSON structure:
  18627. {
  18628. "subject-credentials": {
  18629. "alg": "RS256",
  18630. "private-key": "-----BEGIN PRIVATE KEY-----\n<private-key>\n-----END PRIVATE KEY-----\n",
  18631. "kid": "<public-key-id>",
  18632. "iss": "<issuer-service-account-id>",
  18633. "sub": "<subject-service-account-id>"
  18634. }
  18635. }
  18636. properties:
  18637. key:
  18638. description: |-
  18639. A key in the referenced Secret.
  18640. Some instances of this field may be defaulted, in others it may be required.
  18641. maxLength: 253
  18642. minLength: 1
  18643. pattern: ^[-._a-zA-Z0-9]+$
  18644. type: string
  18645. name:
  18646. description: The name of the Secret resource being referred to.
  18647. maxLength: 253
  18648. minLength: 1
  18649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18650. type: string
  18651. namespace:
  18652. description: |-
  18653. The namespace of the Secret resource being referred to.
  18654. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18655. maxLength: 63
  18656. minLength: 1
  18657. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18658. type: string
  18659. type: object
  18660. tokenSecretRef:
  18661. description: Token authenticates with Nebius Mysterybox by presenting a token.
  18662. properties:
  18663. key:
  18664. description: |-
  18665. A key in the referenced Secret.
  18666. Some instances of this field may be defaulted, in others it may be required.
  18667. maxLength: 253
  18668. minLength: 1
  18669. pattern: ^[-._a-zA-Z0-9]+$
  18670. type: string
  18671. name:
  18672. description: The name of the Secret resource being referred to.
  18673. maxLength: 253
  18674. minLength: 1
  18675. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18676. type: string
  18677. namespace:
  18678. description: |-
  18679. The namespace of the Secret resource being referred to.
  18680. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18681. maxLength: 63
  18682. minLength: 1
  18683. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18684. type: string
  18685. type: object
  18686. type: object
  18687. x-kubernetes-validations:
  18688. - message: either serviceAccountCredsSecretRef or tokenSecretRef must be set
  18689. rule: has(self.serviceAccountCredsSecretRef) || has(self.tokenSecretRef)
  18690. caProvider:
  18691. description: The provider for the CA bundle to use to validate NebiusMysterybox server certificate.
  18692. properties:
  18693. certSecretRef:
  18694. description: |-
  18695. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  18696. In some instances, `key` is a required field.
  18697. properties:
  18698. key:
  18699. description: |-
  18700. A key in the referenced Secret.
  18701. Some instances of this field may be defaulted, in others it may be required.
  18702. maxLength: 253
  18703. minLength: 1
  18704. pattern: ^[-._a-zA-Z0-9]+$
  18705. type: string
  18706. name:
  18707. description: The name of the Secret resource being referred to.
  18708. maxLength: 253
  18709. minLength: 1
  18710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18711. type: string
  18712. namespace:
  18713. description: |-
  18714. The namespace of the Secret resource being referred to.
  18715. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18716. maxLength: 63
  18717. minLength: 1
  18718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18719. type: string
  18720. type: object
  18721. type: object
  18722. required:
  18723. - apiDomain
  18724. - auth
  18725. type: object
  18726. ngrok:
  18727. description: Ngrok configures this store to sync secrets using the ngrok provider.
  18728. properties:
  18729. apiUrl:
  18730. default: https://api.ngrok.com
  18731. description: APIURL is the URL of the ngrok API.
  18732. type: string
  18733. auth:
  18734. description: Auth configures how the ngrok provider authenticates with the ngrok API.
  18735. maxProperties: 1
  18736. minProperties: 1
  18737. properties:
  18738. apiKey:
  18739. description: APIKey is the API Key used to authenticate with ngrok. See https://ngrok.com/docs/api/#authentication
  18740. properties:
  18741. secretRef:
  18742. description: SecretRef is a reference to a secret containing the ngrok API key.
  18743. properties:
  18744. key:
  18745. description: |-
  18746. A key in the referenced Secret.
  18747. Some instances of this field may be defaulted, in others it may be required.
  18748. maxLength: 253
  18749. minLength: 1
  18750. pattern: ^[-._a-zA-Z0-9]+$
  18751. type: string
  18752. name:
  18753. description: The name of the Secret resource being referred to.
  18754. maxLength: 253
  18755. minLength: 1
  18756. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18757. type: string
  18758. namespace:
  18759. description: |-
  18760. The namespace of the Secret resource being referred to.
  18761. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18762. maxLength: 63
  18763. minLength: 1
  18764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18765. type: string
  18766. type: object
  18767. type: object
  18768. type: object
  18769. vault:
  18770. description: Vault configures the ngrok vault to sync secrets with.
  18771. properties:
  18772. name:
  18773. description: Name is the name of the ngrok vault to sync secrets with.
  18774. type: string
  18775. required:
  18776. - name
  18777. type: object
  18778. required:
  18779. - auth
  18780. - vault
  18781. type: object
  18782. onboardbase:
  18783. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  18784. properties:
  18785. apiHost:
  18786. default: https://public.onboardbase.com/api/v1/
  18787. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  18788. type: string
  18789. auth:
  18790. description: Auth configures how the Operator authenticates with the Onboardbase API
  18791. properties:
  18792. apiKeyRef:
  18793. description: |-
  18794. OnboardbaseAPIKey is the APIKey generated by an admin account.
  18795. It is used to recognize and authorize access to a project and environment within onboardbase
  18796. properties:
  18797. key:
  18798. description: |-
  18799. A key in the referenced Secret.
  18800. Some instances of this field may be defaulted, in others it may be required.
  18801. maxLength: 253
  18802. minLength: 1
  18803. pattern: ^[-._a-zA-Z0-9]+$
  18804. type: string
  18805. name:
  18806. description: The name of the Secret resource being referred to.
  18807. maxLength: 253
  18808. minLength: 1
  18809. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18810. type: string
  18811. namespace:
  18812. description: |-
  18813. The namespace of the Secret resource being referred to.
  18814. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18815. maxLength: 63
  18816. minLength: 1
  18817. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18818. type: string
  18819. type: object
  18820. passcodeRef:
  18821. description: OnboardbasePasscode is the passcode attached to the API Key
  18822. properties:
  18823. key:
  18824. description: |-
  18825. A key in the referenced Secret.
  18826. Some instances of this field may be defaulted, in others it may be required.
  18827. maxLength: 253
  18828. minLength: 1
  18829. pattern: ^[-._a-zA-Z0-9]+$
  18830. type: string
  18831. name:
  18832. description: The name of the Secret resource being referred to.
  18833. maxLength: 253
  18834. minLength: 1
  18835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18836. type: string
  18837. namespace:
  18838. description: |-
  18839. The namespace of the Secret resource being referred to.
  18840. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18841. maxLength: 63
  18842. minLength: 1
  18843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18844. type: string
  18845. type: object
  18846. required:
  18847. - apiKeyRef
  18848. - passcodeRef
  18849. type: object
  18850. environment:
  18851. default: development
  18852. description: Environment is the name of an environmnent within a project to pull the secrets from
  18853. type: string
  18854. project:
  18855. default: development
  18856. description: Project is an onboardbase project that the secrets should be pulled from
  18857. type: string
  18858. required:
  18859. - apiHost
  18860. - auth
  18861. - environment
  18862. - project
  18863. type: object
  18864. onepassword:
  18865. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  18866. properties:
  18867. auth:
  18868. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  18869. properties:
  18870. secretRef:
  18871. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  18872. properties:
  18873. connectTokenSecretRef:
  18874. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  18875. properties:
  18876. key:
  18877. description: |-
  18878. A key in the referenced Secret.
  18879. Some instances of this field may be defaulted, in others it may be required.
  18880. maxLength: 253
  18881. minLength: 1
  18882. pattern: ^[-._a-zA-Z0-9]+$
  18883. type: string
  18884. name:
  18885. description: The name of the Secret resource being referred to.
  18886. maxLength: 253
  18887. minLength: 1
  18888. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18889. type: string
  18890. namespace:
  18891. description: |-
  18892. The namespace of the Secret resource being referred to.
  18893. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18894. maxLength: 63
  18895. minLength: 1
  18896. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18897. type: string
  18898. type: object
  18899. required:
  18900. - connectTokenSecretRef
  18901. type: object
  18902. required:
  18903. - secretRef
  18904. type: object
  18905. connectHost:
  18906. description: ConnectHost defines the OnePassword Connect Server to connect to
  18907. type: string
  18908. vaults:
  18909. additionalProperties:
  18910. type: integer
  18911. description: Vaults defines which OnePassword vaults to search in which order
  18912. type: object
  18913. required:
  18914. - auth
  18915. - connectHost
  18916. - vaults
  18917. type: object
  18918. onepasswordSDK:
  18919. description: OnePasswordSDK configures this store to use 1Password's new Go SDK to sync secrets.
  18920. properties:
  18921. auth:
  18922. description: Auth defines the information necessary to authenticate against OnePassword API.
  18923. properties:
  18924. serviceAccountSecretRef:
  18925. description: ServiceAccountSecretRef points to the secret containing the token to access 1Password vault.
  18926. properties:
  18927. key:
  18928. description: |-
  18929. A key in the referenced Secret.
  18930. Some instances of this field may be defaulted, in others it may be required.
  18931. maxLength: 253
  18932. minLength: 1
  18933. pattern: ^[-._a-zA-Z0-9]+$
  18934. type: string
  18935. name:
  18936. description: The name of the Secret resource being referred to.
  18937. maxLength: 253
  18938. minLength: 1
  18939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  18940. type: string
  18941. namespace:
  18942. description: |-
  18943. The namespace of the Secret resource being referred to.
  18944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  18945. maxLength: 63
  18946. minLength: 1
  18947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  18948. type: string
  18949. type: object
  18950. required:
  18951. - serviceAccountSecretRef
  18952. type: object
  18953. cache:
  18954. description: |-
  18955. Cache configures client-side caching for read operations (GetSecret, GetSecretMap).
  18956. When enabled, secrets are cached with the specified TTL.
  18957. Write operations (PushSecret, DeleteSecret) automatically invalidate relevant cache entries.
  18958. If omitted, caching is disabled (default).
  18959. cache: {} is a valid option to set.
  18960. properties:
  18961. maxSize:
  18962. default: 100
  18963. description: |-
  18964. MaxSize is the maximum number of secrets to cache.
  18965. When the cache is full, least-recently-used entries are evicted.
  18966. minimum: 1
  18967. type: integer
  18968. ttl:
  18969. default: 5m
  18970. description: |-
  18971. TTL is the time-to-live for cached secrets.
  18972. Format: duration string (e.g., "5m", "1h", "30s")
  18973. type: string
  18974. type: object
  18975. integrationInfo:
  18976. description: |-
  18977. IntegrationInfo specifies the name and version of the integration built using the 1Password Go SDK.
  18978. If you don't know which name and version to use, use `DefaultIntegrationName` and `DefaultIntegrationVersion`, respectively.
  18979. properties:
  18980. name:
  18981. default: 1Password SDK
  18982. description: Name defaults to "1Password SDK".
  18983. type: string
  18984. version:
  18985. default: v1.0.0
  18986. description: Version defaults to "v1.0.0".
  18987. type: string
  18988. type: object
  18989. vault:
  18990. description: Vault defines the vault's name or uuid to access. Do NOT add op:// prefix. This will be done automatically.
  18991. type: string
  18992. required:
  18993. - auth
  18994. - vault
  18995. type: object
  18996. openBao:
  18997. description: OpenBao configures this store to sync secrets using the OpenBao provider.
  18998. properties:
  18999. auth:
  19000. description: Auth configures how secret-manager authenticates with the OpenBao server.
  19001. properties:
  19002. appRole:
  19003. description: |-
  19004. AppRole authenticates with OpenBao using the [App Role auth mechanism],
  19005. with the role and secret stored in a Kubernetes Secret resource.
  19006. [App Role auth mechanism]: https://openbao.org/docs/auth/approle/
  19007. properties:
  19008. path:
  19009. default: approle
  19010. description: |-
  19011. Path where the App Role authentication backend is mounted
  19012. in OpenBao, e.g: "approle"
  19013. type: string
  19014. roleId:
  19015. description: |-
  19016. RoleID configured in the App Role authentication backend when setting
  19017. up the authentication backend in OpenBao.
  19018. minLength: 1
  19019. type: string
  19020. roleRef:
  19021. description: |-
  19022. Reference to a key in a Secret that contains the App Role ID used
  19023. to authenticate with OpenBao.
  19024. The `key` field must be specified and denotes which entry within the Secret
  19025. resource is used as the app role id.
  19026. properties:
  19027. key:
  19028. description: |-
  19029. A key in the referenced Secret.
  19030. Some instances of this field may be defaulted, in others it may be required.
  19031. maxLength: 253
  19032. minLength: 1
  19033. pattern: ^[-._a-zA-Z0-9]+$
  19034. type: string
  19035. name:
  19036. description: The name of the Secret resource being referred to.
  19037. maxLength: 253
  19038. minLength: 1
  19039. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19040. type: string
  19041. namespace:
  19042. description: |-
  19043. The namespace of the Secret resource being referred to.
  19044. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19045. maxLength: 63
  19046. minLength: 1
  19047. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19048. type: string
  19049. type: object
  19050. secretRef:
  19051. description: |-
  19052. Reference to a key in a Secret that contains the App Role secret used
  19053. to authenticate with OpenBao.
  19054. The `key` field must be specified and denotes which entry within the Secret
  19055. resource is used as the app role secret.
  19056. properties:
  19057. key:
  19058. description: |-
  19059. A key in the referenced Secret.
  19060. Some instances of this field may be defaulted, in others it may be required.
  19061. maxLength: 253
  19062. minLength: 1
  19063. pattern: ^[-._a-zA-Z0-9]+$
  19064. type: string
  19065. name:
  19066. description: The name of the Secret resource being referred to.
  19067. maxLength: 253
  19068. minLength: 1
  19069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19070. type: string
  19071. namespace:
  19072. description: |-
  19073. The namespace of the Secret resource being referred to.
  19074. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19075. maxLength: 63
  19076. minLength: 1
  19077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19078. type: string
  19079. type: object
  19080. required:
  19081. - path
  19082. - secretRef
  19083. type: object
  19084. x-kubernetes-validations:
  19085. - message: exactly one of the fields in [roleId roleRef] must be set
  19086. rule: '[has(self.roleId),has(self.roleRef)].filter(x,x==true).size() == 1'
  19087. namespace:
  19088. description: |-
  19089. Name of the [OpenBao Namespace] to authenticate to. This can be different
  19090. than the namespace your secret is in. Namespaces is a set of features
  19091. within OpenBao that allows OpenBao environments to support secure
  19092. multi-tenancy. e.g: "ns1". This will default to OpenBao.Namespace field
  19093. if set, or empty otherwise
  19094. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19095. type: string
  19096. tokenSecretRef:
  19097. description: TokenSecretRef authenticates with OpenBao by presenting a token.
  19098. properties:
  19099. key:
  19100. description: |-
  19101. A key in the referenced Secret.
  19102. Some instances of this field may be defaulted, in others it may be required.
  19103. maxLength: 253
  19104. minLength: 1
  19105. pattern: ^[-._a-zA-Z0-9]+$
  19106. type: string
  19107. name:
  19108. description: The name of the Secret resource being referred to.
  19109. maxLength: 253
  19110. minLength: 1
  19111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19112. type: string
  19113. namespace:
  19114. description: |-
  19115. The namespace of the Secret resource being referred to.
  19116. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19117. maxLength: 63
  19118. minLength: 1
  19119. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19120. type: string
  19121. type: object
  19122. userPass:
  19123. description: UserPass authenticates with OpenBao by passing a username/password pair
  19124. properties:
  19125. path:
  19126. default: userpass
  19127. description: |-
  19128. Path where the UserPassword authentication backend is mounted
  19129. in OpenBao, e.g: "userpass"
  19130. type: string
  19131. secretRef:
  19132. description: |-
  19133. SecretRef to a key in a Secret resource containing password for the user
  19134. used to authenticate with OpenBao using the [UserPass authentication
  19135. method]
  19136. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19137. properties:
  19138. key:
  19139. description: |-
  19140. A key in the referenced Secret.
  19141. Some instances of this field may be defaulted, in others it may be required.
  19142. maxLength: 253
  19143. minLength: 1
  19144. pattern: ^[-._a-zA-Z0-9]+$
  19145. type: string
  19146. name:
  19147. description: The name of the Secret resource being referred to.
  19148. maxLength: 253
  19149. minLength: 1
  19150. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19151. type: string
  19152. namespace:
  19153. description: |-
  19154. The namespace of the Secret resource being referred to.
  19155. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19156. maxLength: 63
  19157. minLength: 1
  19158. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19159. type: string
  19160. type: object
  19161. username:
  19162. description: |-
  19163. Username is a username used to authenticate using the [UserPass
  19164. authentication method]
  19165. [UserPass authentication method]: https://openbao.org/docs/auth/userpass/
  19166. type: string
  19167. required:
  19168. - path
  19169. - username
  19170. type: object
  19171. type: object
  19172. x-kubernetes-validations:
  19173. - message: exactly one of the fields in [appRole tokenSecretRef userPass] must be set
  19174. rule: '[has(self.appRole),has(self.tokenSecretRef),has(self.userPass)].filter(x,x==true).size() == 1'
  19175. caBundle:
  19176. description: |-
  19177. PEM encoded CA bundle used to validate the OpenBao server certificate. If
  19178. this and `caProvider` are not set the system root certificates are used
  19179. to validate the TLS connection.
  19180. format: byte
  19181. type: string
  19182. caProvider:
  19183. description: |-
  19184. The provider for the CA bundle to use to validate OpenBao server
  19185. certificate. If this and `caBundle` are not set the system root
  19186. certificates are used to validate the TLS connection.
  19187. properties:
  19188. key:
  19189. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19190. maxLength: 253
  19191. minLength: 1
  19192. pattern: ^[-._a-zA-Z0-9]+$
  19193. type: string
  19194. name:
  19195. description: The name of the object located at the provider type.
  19196. maxLength: 253
  19197. minLength: 1
  19198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19199. type: string
  19200. namespace:
  19201. description: |-
  19202. The namespace the Provider type is in.
  19203. Can only be defined when used in a ClusterSecretStore.
  19204. maxLength: 63
  19205. minLength: 1
  19206. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19207. type: string
  19208. type:
  19209. description: The type of provider to use such as "Secret", or "ConfigMap".
  19210. enum:
  19211. - Secret
  19212. - ConfigMap
  19213. type: string
  19214. required:
  19215. - name
  19216. - type
  19217. type: object
  19218. namespace:
  19219. description: |-
  19220. Name of the [OpenBao Namespace]. Namespaces is a set of features within
  19221. OpenBao that allows OpenBao environments to support secure multi-tenancy.
  19222. e.g: "ns1".
  19223. [OpenBao Namespace]: https://openbao.org/docs/concepts/namespaces/
  19224. type: string
  19225. path:
  19226. description: |-
  19227. Path is the mount path of the OpenBao KV backend endpoint, e.g:
  19228. "secret". The v2 KV secret engine version specific "/data" path suffix
  19229. for fetching secrets from OpenBao is optional and will be appended
  19230. if not present in specified path.
  19231. type: string
  19232. server:
  19233. description: 'Server is the connection address for the OpenBao server, e.g: `https://openbao.example.com:8200`.'
  19234. type: string
  19235. version:
  19236. default: v2
  19237. description: |-
  19238. Version is the OpenBao KV secret engine version. This can be either "v1" or
  19239. "v2". Version defaults to "v2".
  19240. enum:
  19241. - v1
  19242. - v2
  19243. type: string
  19244. required:
  19245. - server
  19246. type: object
  19247. x-kubernetes-validations:
  19248. - message: at most one of the fields in [caBundle caProvider] may be set
  19249. rule: '[has(self.caBundle),has(self.caProvider)].filter(x,x==true).size() <= 1'
  19250. oracle:
  19251. description: Oracle configures this store to sync secrets using Oracle Vault provider
  19252. properties:
  19253. auth:
  19254. description: |-
  19255. Auth configures how secret-manager authenticates with the Oracle Vault.
  19256. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  19257. properties:
  19258. secretRef:
  19259. description: SecretRef to pass through sensitive information.
  19260. properties:
  19261. fingerprint:
  19262. description: Fingerprint is the fingerprint of the API private key.
  19263. properties:
  19264. key:
  19265. description: |-
  19266. A key in the referenced Secret.
  19267. Some instances of this field may be defaulted, in others it may be required.
  19268. maxLength: 253
  19269. minLength: 1
  19270. pattern: ^[-._a-zA-Z0-9]+$
  19271. type: string
  19272. name:
  19273. description: The name of the Secret resource being referred to.
  19274. maxLength: 253
  19275. minLength: 1
  19276. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19277. type: string
  19278. namespace:
  19279. description: |-
  19280. The namespace of the Secret resource being referred to.
  19281. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19282. maxLength: 63
  19283. minLength: 1
  19284. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19285. type: string
  19286. type: object
  19287. privatekey:
  19288. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  19289. properties:
  19290. key:
  19291. description: |-
  19292. A key in the referenced Secret.
  19293. Some instances of this field may be defaulted, in others it may be required.
  19294. maxLength: 253
  19295. minLength: 1
  19296. pattern: ^[-._a-zA-Z0-9]+$
  19297. type: string
  19298. name:
  19299. description: The name of the Secret resource being referred to.
  19300. maxLength: 253
  19301. minLength: 1
  19302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19303. type: string
  19304. namespace:
  19305. description: |-
  19306. The namespace of the Secret resource being referred to.
  19307. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19308. maxLength: 63
  19309. minLength: 1
  19310. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19311. type: string
  19312. type: object
  19313. required:
  19314. - fingerprint
  19315. - privatekey
  19316. type: object
  19317. tenancy:
  19318. description: Tenancy is the tenancy OCID where user is located.
  19319. type: string
  19320. user:
  19321. description: User is an access OCID specific to the account.
  19322. type: string
  19323. required:
  19324. - secretRef
  19325. - tenancy
  19326. - user
  19327. type: object
  19328. compartment:
  19329. description: |-
  19330. Compartment is the vault compartment OCID.
  19331. Required for PushSecret
  19332. type: string
  19333. encryptionKey:
  19334. description: |-
  19335. EncryptionKey is the OCID of the encryption key within the vault.
  19336. Required for PushSecret
  19337. type: string
  19338. principalType:
  19339. description: |-
  19340. The type of principal to use for authentication. If left blank, the Auth struct will
  19341. determine the principal type. This optional field must be specified if using
  19342. workload identity.
  19343. enum:
  19344. - ""
  19345. - UserPrincipal
  19346. - InstancePrincipal
  19347. - Workload
  19348. type: string
  19349. region:
  19350. description: Region is the region where vault is located.
  19351. type: string
  19352. serviceAccountRef:
  19353. description: |-
  19354. ServiceAccountRef specified the service account
  19355. that should be used when authenticating with WorkloadIdentity.
  19356. properties:
  19357. audiences:
  19358. description: |-
  19359. Audience specifies the `aud` claim for the service account token
  19360. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19361. then this audiences will be appended to the list
  19362. items:
  19363. type: string
  19364. type: array
  19365. name:
  19366. description: The name of the ServiceAccount resource being referred to.
  19367. maxLength: 253
  19368. minLength: 1
  19369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19370. type: string
  19371. namespace:
  19372. description: |-
  19373. Namespace of the resource being referred to.
  19374. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19375. maxLength: 63
  19376. minLength: 1
  19377. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19378. type: string
  19379. required:
  19380. - name
  19381. type: object
  19382. vault:
  19383. description: Vault is the vault's OCID of the specific vault where secret is located.
  19384. type: string
  19385. required:
  19386. - region
  19387. - vault
  19388. type: object
  19389. ovh:
  19390. description: OVHcloud configures this store to sync secrets using the OVHcloud provider.
  19391. properties:
  19392. auth:
  19393. description: Authentication method (mtls or token).
  19394. properties:
  19395. mtls:
  19396. description: OvhClientMTLS defines the configuration required to authenticate to OVHcloud's Secret Manager using mTLS.
  19397. properties:
  19398. caBundle:
  19399. format: byte
  19400. type: string
  19401. caProvider:
  19402. description: |-
  19403. CAProvider provides a custom certificate authority for accessing the provider's store.
  19404. The CAProvider points to a Secret or ConfigMap resource that contains a PEM-encoded certificate.
  19405. properties:
  19406. key:
  19407. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19408. maxLength: 253
  19409. minLength: 1
  19410. pattern: ^[-._a-zA-Z0-9]+$
  19411. type: string
  19412. name:
  19413. description: The name of the object located at the provider type.
  19414. maxLength: 253
  19415. minLength: 1
  19416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19417. type: string
  19418. namespace:
  19419. description: |-
  19420. The namespace the Provider type is in.
  19421. Can only be defined when used in a ClusterSecretStore.
  19422. maxLength: 63
  19423. minLength: 1
  19424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19425. type: string
  19426. type:
  19427. description: The type of provider to use such as "Secret", or "ConfigMap".
  19428. enum:
  19429. - Secret
  19430. - ConfigMap
  19431. type: string
  19432. required:
  19433. - name
  19434. - type
  19435. type: object
  19436. certSecretRef:
  19437. description: |-
  19438. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19439. In some instances, `key` is a required field.
  19440. properties:
  19441. key:
  19442. description: |-
  19443. A key in the referenced Secret.
  19444. Some instances of this field may be defaulted, in others it may be required.
  19445. maxLength: 253
  19446. minLength: 1
  19447. pattern: ^[-._a-zA-Z0-9]+$
  19448. type: string
  19449. name:
  19450. description: The name of the Secret resource being referred to.
  19451. maxLength: 253
  19452. minLength: 1
  19453. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19454. type: string
  19455. namespace:
  19456. description: |-
  19457. The namespace of the Secret resource being referred to.
  19458. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19459. maxLength: 63
  19460. minLength: 1
  19461. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19462. type: string
  19463. type: object
  19464. keySecretRef:
  19465. description: |-
  19466. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19467. In some instances, `key` is a required field.
  19468. properties:
  19469. key:
  19470. description: |-
  19471. A key in the referenced Secret.
  19472. Some instances of this field may be defaulted, in others it may be required.
  19473. maxLength: 253
  19474. minLength: 1
  19475. pattern: ^[-._a-zA-Z0-9]+$
  19476. type: string
  19477. name:
  19478. description: The name of the Secret resource being referred to.
  19479. maxLength: 253
  19480. minLength: 1
  19481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19482. type: string
  19483. namespace:
  19484. description: |-
  19485. The namespace of the Secret resource being referred to.
  19486. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19487. maxLength: 63
  19488. minLength: 1
  19489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19490. type: string
  19491. type: object
  19492. required:
  19493. - certSecretRef
  19494. - keySecretRef
  19495. type: object
  19496. token:
  19497. description: OvhClientToken defines the configuration required to authenticate to OVHcloud's Secret Manager using a token.
  19498. properties:
  19499. tokenSecretRef:
  19500. description: |-
  19501. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19502. In some instances, `key` is a required field.
  19503. properties:
  19504. key:
  19505. description: |-
  19506. A key in the referenced Secret.
  19507. Some instances of this field may be defaulted, in others it may be required.
  19508. maxLength: 253
  19509. minLength: 1
  19510. pattern: ^[-._a-zA-Z0-9]+$
  19511. type: string
  19512. name:
  19513. description: The name of the Secret resource being referred to.
  19514. maxLength: 253
  19515. minLength: 1
  19516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19517. type: string
  19518. namespace:
  19519. description: |-
  19520. The namespace of the Secret resource being referred to.
  19521. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19522. maxLength: 63
  19523. minLength: 1
  19524. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19525. type: string
  19526. type: object
  19527. required:
  19528. - tokenSecretRef
  19529. type: object
  19530. type: object
  19531. casRequired:
  19532. description: 'Enables or disables check-and-set (CAS) (default: false).'
  19533. type: boolean
  19534. okmsTimeout:
  19535. default: 30
  19536. description: 'Setup a timeout in seconds when requests to the KMS are made (default: 30).'
  19537. format: int32
  19538. minimum: 1
  19539. type: integer
  19540. okmsid:
  19541. description: specifies the OKMS ID.
  19542. type: string
  19543. server:
  19544. description: specifies the OKMS server endpoint.
  19545. type: string
  19546. required:
  19547. - auth
  19548. - okmsid
  19549. - server
  19550. type: object
  19551. passbolt:
  19552. description: |-
  19553. PassboltProvider provides access to Passbolt secrets manager.
  19554. See: https://www.passbolt.com.
  19555. properties:
  19556. auth:
  19557. description: Auth defines the information necessary to authenticate against Passbolt Server
  19558. properties:
  19559. passwordSecretRef:
  19560. description: |-
  19561. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19562. In some instances, `key` is a required field.
  19563. properties:
  19564. key:
  19565. description: |-
  19566. A key in the referenced Secret.
  19567. Some instances of this field may be defaulted, in others it may be required.
  19568. maxLength: 253
  19569. minLength: 1
  19570. pattern: ^[-._a-zA-Z0-9]+$
  19571. type: string
  19572. name:
  19573. description: The name of the Secret resource being referred to.
  19574. maxLength: 253
  19575. minLength: 1
  19576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19577. type: string
  19578. namespace:
  19579. description: |-
  19580. The namespace of the Secret resource being referred to.
  19581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19582. maxLength: 63
  19583. minLength: 1
  19584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19585. type: string
  19586. type: object
  19587. privateKeySecretRef:
  19588. description: |-
  19589. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  19590. In some instances, `key` is a required field.
  19591. properties:
  19592. key:
  19593. description: |-
  19594. A key in the referenced Secret.
  19595. Some instances of this field may be defaulted, in others it may be required.
  19596. maxLength: 253
  19597. minLength: 1
  19598. pattern: ^[-._a-zA-Z0-9]+$
  19599. type: string
  19600. name:
  19601. description: The name of the Secret resource being referred to.
  19602. maxLength: 253
  19603. minLength: 1
  19604. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19605. type: string
  19606. namespace:
  19607. description: |-
  19608. The namespace of the Secret resource being referred to.
  19609. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19610. maxLength: 63
  19611. minLength: 1
  19612. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19613. type: string
  19614. type: object
  19615. required:
  19616. - passwordSecretRef
  19617. - privateKeySecretRef
  19618. type: object
  19619. caBundle:
  19620. description: |-
  19621. PEM encoded CA bundle used to validate Passbolt server certificate. Only used
  19622. if the Host URL is using HTTPS protocol. If not set the system root certificates
  19623. are used to validate the TLS connection.
  19624. format: byte
  19625. type: string
  19626. caProvider:
  19627. description: The provider for the CA bundle to use to validate Passbolt server certificate.
  19628. properties:
  19629. key:
  19630. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  19631. maxLength: 253
  19632. minLength: 1
  19633. pattern: ^[-._a-zA-Z0-9]+$
  19634. type: string
  19635. name:
  19636. description: The name of the object located at the provider type.
  19637. maxLength: 253
  19638. minLength: 1
  19639. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19640. type: string
  19641. namespace:
  19642. description: |-
  19643. The namespace the Provider type is in.
  19644. Can only be defined when used in a ClusterSecretStore.
  19645. maxLength: 63
  19646. minLength: 1
  19647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19648. type: string
  19649. type:
  19650. description: The type of provider to use such as "Secret", or "ConfigMap".
  19651. enum:
  19652. - Secret
  19653. - ConfigMap
  19654. type: string
  19655. required:
  19656. - name
  19657. - type
  19658. type: object
  19659. host:
  19660. description: Host defines the Passbolt Server to connect to
  19661. type: string
  19662. required:
  19663. - auth
  19664. - host
  19665. type: object
  19666. passworddepot:
  19667. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  19668. properties:
  19669. auth:
  19670. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  19671. properties:
  19672. secretRef:
  19673. description: PasswordDepotSecretRef contains the secret reference for Password Depot authentication.
  19674. properties:
  19675. credentials:
  19676. description: Username / Password is used for authentication.
  19677. properties:
  19678. key:
  19679. description: |-
  19680. A key in the referenced Secret.
  19681. Some instances of this field may be defaulted, in others it may be required.
  19682. maxLength: 253
  19683. minLength: 1
  19684. pattern: ^[-._a-zA-Z0-9]+$
  19685. type: string
  19686. name:
  19687. description: The name of the Secret resource being referred to.
  19688. maxLength: 253
  19689. minLength: 1
  19690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19691. type: string
  19692. namespace:
  19693. description: |-
  19694. The namespace of the Secret resource being referred to.
  19695. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19696. maxLength: 63
  19697. minLength: 1
  19698. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19699. type: string
  19700. type: object
  19701. type: object
  19702. required:
  19703. - secretRef
  19704. type: object
  19705. database:
  19706. description: Database to use as source
  19707. type: string
  19708. host:
  19709. description: URL configures the Password Depot instance URL.
  19710. type: string
  19711. required:
  19712. - auth
  19713. - database
  19714. - host
  19715. type: object
  19716. previder:
  19717. description: Previder configures this store to sync secrets using the Previder provider
  19718. properties:
  19719. auth:
  19720. description: PreviderAuth contains a secretRef for credentials.
  19721. properties:
  19722. secretRef:
  19723. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  19724. properties:
  19725. accessToken:
  19726. description: The AccessToken is used for authentication
  19727. properties:
  19728. key:
  19729. description: |-
  19730. A key in the referenced Secret.
  19731. Some instances of this field may be defaulted, in others it may be required.
  19732. maxLength: 253
  19733. minLength: 1
  19734. pattern: ^[-._a-zA-Z0-9]+$
  19735. type: string
  19736. name:
  19737. description: The name of the Secret resource being referred to.
  19738. maxLength: 253
  19739. minLength: 1
  19740. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19741. type: string
  19742. namespace:
  19743. description: |-
  19744. The namespace of the Secret resource being referred to.
  19745. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19746. maxLength: 63
  19747. minLength: 1
  19748. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19749. type: string
  19750. type: object
  19751. required:
  19752. - accessToken
  19753. type: object
  19754. type: object
  19755. baseUri:
  19756. type: string
  19757. required:
  19758. - auth
  19759. type: object
  19760. pulumi:
  19761. description: Pulumi configures this store to sync secrets using the Pulumi provider
  19762. properties:
  19763. accessToken:
  19764. description: |-
  19765. AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  19766. Deprecated: Use auth.accessToken instead.
  19767. properties:
  19768. secretRef:
  19769. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19770. properties:
  19771. key:
  19772. description: |-
  19773. A key in the referenced Secret.
  19774. Some instances of this field may be defaulted, in others it may be required.
  19775. maxLength: 253
  19776. minLength: 1
  19777. pattern: ^[-._a-zA-Z0-9]+$
  19778. type: string
  19779. name:
  19780. description: The name of the Secret resource being referred to.
  19781. maxLength: 253
  19782. minLength: 1
  19783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19784. type: string
  19785. namespace:
  19786. description: |-
  19787. The namespace of the Secret resource being referred to.
  19788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19789. maxLength: 63
  19790. minLength: 1
  19791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19792. type: string
  19793. type: object
  19794. type: object
  19795. apiUrl:
  19796. default: https://api.pulumi.com/api/esc
  19797. description: APIURL is the URL of the Pulumi API.
  19798. type: string
  19799. auth:
  19800. description: |-
  19801. Auth configures how the Operator authenticates with the Pulumi API.
  19802. Either auth or the deprecated accessToken field must be specified.
  19803. properties:
  19804. accessToken:
  19805. description: AccessToken authenticates using a Pulumi access token stored in a Kubernetes Secret.
  19806. properties:
  19807. secretRef:
  19808. description: SecretRef is a reference to a secret containing the Pulumi API token.
  19809. properties:
  19810. key:
  19811. description: |-
  19812. A key in the referenced Secret.
  19813. Some instances of this field may be defaulted, in others it may be required.
  19814. maxLength: 253
  19815. minLength: 1
  19816. pattern: ^[-._a-zA-Z0-9]+$
  19817. type: string
  19818. name:
  19819. description: The name of the Secret resource being referred to.
  19820. maxLength: 253
  19821. minLength: 1
  19822. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19823. type: string
  19824. namespace:
  19825. description: |-
  19826. The namespace of the Secret resource being referred to.
  19827. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19828. maxLength: 63
  19829. minLength: 1
  19830. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19831. type: string
  19832. type: object
  19833. type: object
  19834. oidcConfig:
  19835. description: OIDCConfig authenticates using Kubernetes ServiceAccount tokens via OIDC.
  19836. properties:
  19837. expirationSeconds:
  19838. default: 600
  19839. description: |-
  19840. ExpirationSeconds sets the token validity duration for service account and OIDC token.
  19841. Defaults to 10 minutes.
  19842. format: int64
  19843. minimum: 600
  19844. type: integer
  19845. organization:
  19846. description: Organization is the name of the Pulumi organization configured for OIDC authentication.
  19847. type: string
  19848. serviceAccountRef:
  19849. description: ServiceAccountRef specifies the Kubernetes ServiceAccount to use for authentication.
  19850. properties:
  19851. audiences:
  19852. description: |-
  19853. Audience specifies the `aud` claim for the service account token
  19854. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  19855. then this audiences will be appended to the list
  19856. items:
  19857. type: string
  19858. type: array
  19859. name:
  19860. description: The name of the ServiceAccount resource being referred to.
  19861. maxLength: 253
  19862. minLength: 1
  19863. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19864. type: string
  19865. namespace:
  19866. description: |-
  19867. Namespace of the resource being referred to.
  19868. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19869. maxLength: 63
  19870. minLength: 1
  19871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19872. type: string
  19873. required:
  19874. - name
  19875. type: object
  19876. required:
  19877. - organization
  19878. - serviceAccountRef
  19879. type: object
  19880. type: object
  19881. x-kubernetes-validations:
  19882. - message: Exactly one of 'accessToken' or 'oidcConfig' must be specified
  19883. rule: (has(self.accessToken) && !has(self.oidcConfig)) || (!has(self.accessToken) && has(self.oidcConfig))
  19884. environment:
  19885. description: |-
  19886. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  19887. dynamically retrieved values from supported providers including all major clouds,
  19888. and other Pulumi ESC environments.
  19889. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  19890. type: string
  19891. organization:
  19892. description: |-
  19893. Organization are a space to collaborate on shared projects and stacks.
  19894. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  19895. type: string
  19896. project:
  19897. description: Project is the name of the Pulumi ESC project the environment belongs to.
  19898. type: string
  19899. required:
  19900. - environment
  19901. - organization
  19902. - project
  19903. type: object
  19904. x-kubernetes-validations:
  19905. - message: Exactly one of 'auth' or deprecated 'accessToken' must be specified
  19906. rule: (has(self.auth) && !has(self.accessToken)) || (!has(self.auth) && has(self.accessToken))
  19907. scaleway:
  19908. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  19909. properties:
  19910. accessKey:
  19911. description: AccessKey is the non-secret part of the api key.
  19912. properties:
  19913. secretRef:
  19914. description: SecretRef references a key in a secret that will be used as value.
  19915. properties:
  19916. key:
  19917. description: |-
  19918. A key in the referenced Secret.
  19919. Some instances of this field may be defaulted, in others it may be required.
  19920. maxLength: 253
  19921. minLength: 1
  19922. pattern: ^[-._a-zA-Z0-9]+$
  19923. type: string
  19924. name:
  19925. description: The name of the Secret resource being referred to.
  19926. maxLength: 253
  19927. minLength: 1
  19928. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19929. type: string
  19930. namespace:
  19931. description: |-
  19932. The namespace of the Secret resource being referred to.
  19933. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19934. maxLength: 63
  19935. minLength: 1
  19936. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19937. type: string
  19938. type: object
  19939. value:
  19940. description: Value can be specified directly to set a value without using a secret.
  19941. type: string
  19942. type: object
  19943. apiUrl:
  19944. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  19945. type: string
  19946. projectId:
  19947. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  19948. type: string
  19949. region:
  19950. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  19951. type: string
  19952. secretKey:
  19953. description: SecretKey is the non-secret part of the api key.
  19954. properties:
  19955. secretRef:
  19956. description: SecretRef references a key in a secret that will be used as value.
  19957. properties:
  19958. key:
  19959. description: |-
  19960. A key in the referenced Secret.
  19961. Some instances of this field may be defaulted, in others it may be required.
  19962. maxLength: 253
  19963. minLength: 1
  19964. pattern: ^[-._a-zA-Z0-9]+$
  19965. type: string
  19966. name:
  19967. description: The name of the Secret resource being referred to.
  19968. maxLength: 253
  19969. minLength: 1
  19970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  19971. type: string
  19972. namespace:
  19973. description: |-
  19974. The namespace of the Secret resource being referred to.
  19975. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  19976. maxLength: 63
  19977. minLength: 1
  19978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  19979. type: string
  19980. type: object
  19981. value:
  19982. description: Value can be specified directly to set a value without using a secret.
  19983. type: string
  19984. type: object
  19985. required:
  19986. - accessKey
  19987. - projectId
  19988. - region
  19989. - secretKey
  19990. type: object
  19991. secretserver:
  19992. description: |-
  19993. SecretServer configures this store to sync secrets using SecretServer provider
  19994. https://docs.delinea.com/online-help/secret-server/start.htm
  19995. properties:
  19996. caBundle:
  19997. description: |-
  19998. PEM/base64 encoded CA bundle used to validate Secret ServerURL. Only used
  19999. if the ServerURL URL is using HTTPS protocol. If not set the system root certificates
  20000. are used to validate the TLS connection.
  20001. format: byte
  20002. type: string
  20003. caProvider:
  20004. description: The provider for the CA bundle to use to validate Secret ServerURL certificate.
  20005. properties:
  20006. key:
  20007. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20008. maxLength: 253
  20009. minLength: 1
  20010. pattern: ^[-._a-zA-Z0-9]+$
  20011. type: string
  20012. name:
  20013. description: The name of the object located at the provider type.
  20014. maxLength: 253
  20015. minLength: 1
  20016. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20017. type: string
  20018. namespace:
  20019. description: |-
  20020. The namespace the Provider type is in.
  20021. Can only be defined when used in a ClusterSecretStore.
  20022. maxLength: 63
  20023. minLength: 1
  20024. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20025. type: string
  20026. type:
  20027. description: The type of provider to use such as "Secret", or "ConfigMap".
  20028. enum:
  20029. - Secret
  20030. - ConfigMap
  20031. type: string
  20032. required:
  20033. - name
  20034. - type
  20035. type: object
  20036. domain:
  20037. description: Domain is the secret server domain.
  20038. type: string
  20039. password:
  20040. description: Password is the secret server account password.
  20041. properties:
  20042. secretRef:
  20043. description: SecretRef references a key in a secret that will be used as value.
  20044. properties:
  20045. key:
  20046. description: |-
  20047. A key in the referenced Secret.
  20048. Some instances of this field may be defaulted, in others it may be required.
  20049. maxLength: 253
  20050. minLength: 1
  20051. pattern: ^[-._a-zA-Z0-9]+$
  20052. type: string
  20053. name:
  20054. description: The name of the Secret resource being referred to.
  20055. maxLength: 253
  20056. minLength: 1
  20057. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20058. type: string
  20059. namespace:
  20060. description: |-
  20061. The namespace of the Secret resource being referred to.
  20062. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20063. maxLength: 63
  20064. minLength: 1
  20065. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20066. type: string
  20067. type: object
  20068. value:
  20069. description: Value can be specified directly to set a value without using a secret.
  20070. type: string
  20071. type: object
  20072. serverURL:
  20073. description: |-
  20074. ServerURL
  20075. URL to your secret server installation
  20076. type: string
  20077. username:
  20078. description: Username is the secret server account username.
  20079. properties:
  20080. secretRef:
  20081. description: SecretRef references a key in a secret that will be used as value.
  20082. properties:
  20083. key:
  20084. description: |-
  20085. A key in the referenced Secret.
  20086. Some instances of this field may be defaulted, in others it may be required.
  20087. maxLength: 253
  20088. minLength: 1
  20089. pattern: ^[-._a-zA-Z0-9]+$
  20090. type: string
  20091. name:
  20092. description: The name of the Secret resource being referred to.
  20093. maxLength: 253
  20094. minLength: 1
  20095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20096. type: string
  20097. namespace:
  20098. description: |-
  20099. The namespace of the Secret resource being referred to.
  20100. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20101. maxLength: 63
  20102. minLength: 1
  20103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20104. type: string
  20105. type: object
  20106. value:
  20107. description: Value can be specified directly to set a value without using a secret.
  20108. type: string
  20109. type: object
  20110. required:
  20111. - password
  20112. - serverURL
  20113. - username
  20114. type: object
  20115. senhasegura:
  20116. description: Senhasegura configures this store to sync secrets using senhasegura provider
  20117. properties:
  20118. auth:
  20119. description: Auth defines parameters to authenticate in senhasegura
  20120. properties:
  20121. clientId:
  20122. type: string
  20123. clientSecretSecretRef:
  20124. description: |-
  20125. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  20126. In some instances, `key` is a required field.
  20127. properties:
  20128. key:
  20129. description: |-
  20130. A key in the referenced Secret.
  20131. Some instances of this field may be defaulted, in others it may be required.
  20132. maxLength: 253
  20133. minLength: 1
  20134. pattern: ^[-._a-zA-Z0-9]+$
  20135. type: string
  20136. name:
  20137. description: The name of the Secret resource being referred to.
  20138. maxLength: 253
  20139. minLength: 1
  20140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20141. type: string
  20142. namespace:
  20143. description: |-
  20144. The namespace of the Secret resource being referred to.
  20145. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20146. maxLength: 63
  20147. minLength: 1
  20148. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20149. type: string
  20150. type: object
  20151. required:
  20152. - clientId
  20153. - clientSecretSecretRef
  20154. type: object
  20155. ignoreSslCertificate:
  20156. default: false
  20157. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  20158. type: boolean
  20159. module:
  20160. description: Module defines which senhasegura module should be used to get secrets
  20161. type: string
  20162. url:
  20163. description: URL of senhasegura
  20164. type: string
  20165. required:
  20166. - auth
  20167. - module
  20168. - url
  20169. type: object
  20170. vault:
  20171. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  20172. properties:
  20173. auth:
  20174. description: Auth configures how secret-manager authenticates with the Vault server.
  20175. properties:
  20176. appRole:
  20177. description: |-
  20178. AppRole authenticates with Vault using the App Role auth mechanism,
  20179. with the role and secret stored in a Kubernetes Secret resource.
  20180. properties:
  20181. path:
  20182. default: approle
  20183. description: |-
  20184. Path where the App Role authentication backend is mounted
  20185. in Vault, e.g: "approle"
  20186. type: string
  20187. roleId:
  20188. description: |-
  20189. RoleID configured in the App Role authentication backend when setting
  20190. up the authentication backend in Vault.
  20191. type: string
  20192. roleRef:
  20193. description: |-
  20194. Reference to a key in a Secret that contains the App Role ID used
  20195. to authenticate with Vault.
  20196. The `key` field must be specified and denotes which entry within the Secret
  20197. resource is used as the app role id.
  20198. properties:
  20199. key:
  20200. description: |-
  20201. A key in the referenced Secret.
  20202. Some instances of this field may be defaulted, in others it may be required.
  20203. maxLength: 253
  20204. minLength: 1
  20205. pattern: ^[-._a-zA-Z0-9]+$
  20206. type: string
  20207. name:
  20208. description: The name of the Secret resource being referred to.
  20209. maxLength: 253
  20210. minLength: 1
  20211. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20212. type: string
  20213. namespace:
  20214. description: |-
  20215. The namespace of the Secret resource being referred to.
  20216. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20217. maxLength: 63
  20218. minLength: 1
  20219. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20220. type: string
  20221. type: object
  20222. secretRef:
  20223. description: |-
  20224. Reference to a key in a Secret that contains the App Role secret used
  20225. to authenticate with Vault.
  20226. The `key` field must be specified and denotes which entry within the Secret
  20227. resource is used as the app role secret.
  20228. properties:
  20229. key:
  20230. description: |-
  20231. A key in the referenced Secret.
  20232. Some instances of this field may be defaulted, in others it may be required.
  20233. maxLength: 253
  20234. minLength: 1
  20235. pattern: ^[-._a-zA-Z0-9]+$
  20236. type: string
  20237. name:
  20238. description: The name of the Secret resource being referred to.
  20239. maxLength: 253
  20240. minLength: 1
  20241. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20242. type: string
  20243. namespace:
  20244. description: |-
  20245. The namespace of the Secret resource being referred to.
  20246. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20247. maxLength: 63
  20248. minLength: 1
  20249. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20250. type: string
  20251. type: object
  20252. required:
  20253. - path
  20254. - secretRef
  20255. type: object
  20256. cert:
  20257. description: |-
  20258. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  20259. Cert authentication method
  20260. properties:
  20261. clientCert:
  20262. description: |-
  20263. ClientCert is a certificate to authenticate using the Cert Vault
  20264. authentication method
  20265. properties:
  20266. key:
  20267. description: |-
  20268. A key in the referenced Secret.
  20269. Some instances of this field may be defaulted, in others it may be required.
  20270. maxLength: 253
  20271. minLength: 1
  20272. pattern: ^[-._a-zA-Z0-9]+$
  20273. type: string
  20274. name:
  20275. description: The name of the Secret resource being referred to.
  20276. maxLength: 253
  20277. minLength: 1
  20278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20279. type: string
  20280. namespace:
  20281. description: |-
  20282. The namespace of the Secret resource being referred to.
  20283. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20284. maxLength: 63
  20285. minLength: 1
  20286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20287. type: string
  20288. type: object
  20289. path:
  20290. default: cert
  20291. description: |-
  20292. Path where the Certificate authentication backend is mounted
  20293. in Vault, e.g: "cert"
  20294. type: string
  20295. secretRef:
  20296. description: |-
  20297. SecretRef to a key in a Secret resource containing client private key to
  20298. authenticate with Vault using the Cert authentication method
  20299. properties:
  20300. key:
  20301. description: |-
  20302. A key in the referenced Secret.
  20303. Some instances of this field may be defaulted, in others it may be required.
  20304. maxLength: 253
  20305. minLength: 1
  20306. pattern: ^[-._a-zA-Z0-9]+$
  20307. type: string
  20308. name:
  20309. description: The name of the Secret resource being referred to.
  20310. maxLength: 253
  20311. minLength: 1
  20312. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20313. type: string
  20314. namespace:
  20315. description: |-
  20316. The namespace of the Secret resource being referred to.
  20317. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20318. maxLength: 63
  20319. minLength: 1
  20320. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20321. type: string
  20322. type: object
  20323. vaultRole:
  20324. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  20325. type: string
  20326. type: object
  20327. gcp:
  20328. description: |-
  20329. Gcp authenticates with Vault using Google Cloud Platform authentication method
  20330. GCP authentication method
  20331. properties:
  20332. location:
  20333. description: Location optionally defines a location/region for the secret
  20334. type: string
  20335. path:
  20336. default: gcp
  20337. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  20338. type: string
  20339. projectID:
  20340. description: Project ID of the Google Cloud Platform project
  20341. type: string
  20342. role:
  20343. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  20344. type: string
  20345. secretRef:
  20346. description: Specify credentials in a Secret object
  20347. properties:
  20348. secretAccessKeySecretRef:
  20349. description: The SecretAccessKey is used for authentication
  20350. properties:
  20351. key:
  20352. description: |-
  20353. A key in the referenced Secret.
  20354. Some instances of this field may be defaulted, in others it may be required.
  20355. maxLength: 253
  20356. minLength: 1
  20357. pattern: ^[-._a-zA-Z0-9]+$
  20358. type: string
  20359. name:
  20360. description: The name of the Secret resource being referred to.
  20361. maxLength: 253
  20362. minLength: 1
  20363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20364. type: string
  20365. namespace:
  20366. description: |-
  20367. The namespace of the Secret resource being referred to.
  20368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20369. maxLength: 63
  20370. minLength: 1
  20371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20372. type: string
  20373. type: object
  20374. type: object
  20375. serviceAccountRef:
  20376. description: ServiceAccountRef to a service account for impersonation
  20377. properties:
  20378. audiences:
  20379. description: |-
  20380. Audience specifies the `aud` claim for the service account token
  20381. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20382. then this audiences will be appended to the list
  20383. items:
  20384. type: string
  20385. type: array
  20386. name:
  20387. description: The name of the ServiceAccount resource being referred to.
  20388. maxLength: 253
  20389. minLength: 1
  20390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20391. type: string
  20392. namespace:
  20393. description: |-
  20394. Namespace of the resource being referred to.
  20395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20396. maxLength: 63
  20397. minLength: 1
  20398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20399. type: string
  20400. required:
  20401. - name
  20402. type: object
  20403. workloadIdentity:
  20404. description: Specify a service account with Workload Identity
  20405. properties:
  20406. clusterLocation:
  20407. description: |-
  20408. ClusterLocation is the location of the cluster
  20409. If not specified, it fetches information from the metadata server
  20410. type: string
  20411. clusterName:
  20412. description: |-
  20413. ClusterName is the name of the cluster
  20414. If not specified, it fetches information from the metadata server
  20415. type: string
  20416. clusterProjectID:
  20417. description: |-
  20418. ClusterProjectID is the project ID of the cluster
  20419. If not specified, it fetches information from the metadata server
  20420. type: string
  20421. serviceAccountRef:
  20422. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20423. properties:
  20424. audiences:
  20425. description: |-
  20426. Audience specifies the `aud` claim for the service account token
  20427. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20428. then this audiences will be appended to the list
  20429. items:
  20430. type: string
  20431. type: array
  20432. name:
  20433. description: The name of the ServiceAccount resource being referred to.
  20434. maxLength: 253
  20435. minLength: 1
  20436. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20437. type: string
  20438. namespace:
  20439. description: |-
  20440. Namespace of the resource being referred to.
  20441. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20442. maxLength: 63
  20443. minLength: 1
  20444. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20445. type: string
  20446. required:
  20447. - name
  20448. type: object
  20449. required:
  20450. - serviceAccountRef
  20451. type: object
  20452. required:
  20453. - role
  20454. type: object
  20455. iam:
  20456. description: |-
  20457. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  20458. AWS IAM authentication method
  20459. properties:
  20460. externalID:
  20461. description: AWS External ID set on assumed IAM roles
  20462. type: string
  20463. jwt:
  20464. description: Specify a service account with IRSA enabled
  20465. properties:
  20466. serviceAccountRef:
  20467. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  20468. properties:
  20469. audiences:
  20470. description: |-
  20471. Audience specifies the `aud` claim for the service account token
  20472. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20473. then this audiences will be appended to the list
  20474. items:
  20475. type: string
  20476. type: array
  20477. name:
  20478. description: The name of the ServiceAccount resource being referred to.
  20479. maxLength: 253
  20480. minLength: 1
  20481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20482. type: string
  20483. namespace:
  20484. description: |-
  20485. Namespace of the resource being referred to.
  20486. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20487. maxLength: 63
  20488. minLength: 1
  20489. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20490. type: string
  20491. required:
  20492. - name
  20493. type: object
  20494. type: object
  20495. path:
  20496. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  20497. type: string
  20498. region:
  20499. description: AWS region
  20500. type: string
  20501. role:
  20502. description: This is the AWS role to be assumed before talking to vault
  20503. type: string
  20504. secretRef:
  20505. description: Specify credentials in a Secret object
  20506. properties:
  20507. accessKeyIDSecretRef:
  20508. description: The AccessKeyID is used for authentication
  20509. properties:
  20510. key:
  20511. description: |-
  20512. A key in the referenced Secret.
  20513. Some instances of this field may be defaulted, in others it may be required.
  20514. maxLength: 253
  20515. minLength: 1
  20516. pattern: ^[-._a-zA-Z0-9]+$
  20517. type: string
  20518. name:
  20519. description: The name of the Secret resource being referred to.
  20520. maxLength: 253
  20521. minLength: 1
  20522. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20523. type: string
  20524. namespace:
  20525. description: |-
  20526. The namespace of the Secret resource being referred to.
  20527. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20528. maxLength: 63
  20529. minLength: 1
  20530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20531. type: string
  20532. type: object
  20533. secretAccessKeySecretRef:
  20534. description: The SecretAccessKey is used for authentication
  20535. properties:
  20536. key:
  20537. description: |-
  20538. A key in the referenced Secret.
  20539. Some instances of this field may be defaulted, in others it may be required.
  20540. maxLength: 253
  20541. minLength: 1
  20542. pattern: ^[-._a-zA-Z0-9]+$
  20543. type: string
  20544. name:
  20545. description: The name of the Secret resource being referred to.
  20546. maxLength: 253
  20547. minLength: 1
  20548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20549. type: string
  20550. namespace:
  20551. description: |-
  20552. The namespace of the Secret resource being referred to.
  20553. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20554. maxLength: 63
  20555. minLength: 1
  20556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20557. type: string
  20558. type: object
  20559. sessionTokenSecretRef:
  20560. description: |-
  20561. The SessionToken used for authentication
  20562. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  20563. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  20564. properties:
  20565. key:
  20566. description: |-
  20567. A key in the referenced Secret.
  20568. Some instances of this field may be defaulted, in others it may be required.
  20569. maxLength: 253
  20570. minLength: 1
  20571. pattern: ^[-._a-zA-Z0-9]+$
  20572. type: string
  20573. name:
  20574. description: The name of the Secret resource being referred to.
  20575. maxLength: 253
  20576. minLength: 1
  20577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20578. type: string
  20579. namespace:
  20580. description: |-
  20581. The namespace of the Secret resource being referred to.
  20582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20583. maxLength: 63
  20584. minLength: 1
  20585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20586. type: string
  20587. type: object
  20588. type: object
  20589. vaultAwsIamServerID:
  20590. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  20591. type: string
  20592. vaultRole:
  20593. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  20594. type: string
  20595. required:
  20596. - vaultRole
  20597. type: object
  20598. jwt:
  20599. description: |-
  20600. Jwt authenticates with Vault by passing role and JWT token using the
  20601. JWT/OIDC authentication method
  20602. properties:
  20603. kubernetesServiceAccountToken:
  20604. description: |-
  20605. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  20606. a token for with the `TokenRequest` API.
  20607. properties:
  20608. audiences:
  20609. description: |-
  20610. Optional audiences field that will be used to request a temporary Kubernetes service
  20611. account token for the service account referenced by `serviceAccountRef`.
  20612. Defaults to a single audience `vault` it not specified.
  20613. Deprecated: use serviceAccountRef.Audiences instead
  20614. items:
  20615. type: string
  20616. type: array
  20617. expirationSeconds:
  20618. description: |-
  20619. Optional expiration time in seconds that will be used to request a temporary
  20620. Kubernetes service account token for the service account referenced by
  20621. `serviceAccountRef`.
  20622. Deprecated: this will be removed in the future.
  20623. Defaults to 10 minutes.
  20624. format: int64
  20625. type: integer
  20626. serviceAccountRef:
  20627. description: Service account field containing the name of a kubernetes ServiceAccount.
  20628. properties:
  20629. audiences:
  20630. description: |-
  20631. Audience specifies the `aud` claim for the service account token
  20632. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20633. then this audiences will be appended to the list
  20634. items:
  20635. type: string
  20636. type: array
  20637. name:
  20638. description: The name of the ServiceAccount resource being referred to.
  20639. maxLength: 253
  20640. minLength: 1
  20641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20642. type: string
  20643. namespace:
  20644. description: |-
  20645. Namespace of the resource being referred to.
  20646. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20647. maxLength: 63
  20648. minLength: 1
  20649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20650. type: string
  20651. required:
  20652. - name
  20653. type: object
  20654. required:
  20655. - serviceAccountRef
  20656. type: object
  20657. path:
  20658. default: jwt
  20659. description: |-
  20660. Path where the JWT authentication backend is mounted
  20661. in Vault, e.g: "jwt"
  20662. type: string
  20663. role:
  20664. description: |-
  20665. Role is a JWT role to authenticate using the JWT/OIDC Vault
  20666. authentication method
  20667. type: string
  20668. secretRef:
  20669. description: |-
  20670. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  20671. authenticate with Vault using the JWT/OIDC authentication method.
  20672. properties:
  20673. key:
  20674. description: |-
  20675. A key in the referenced Secret.
  20676. Some instances of this field may be defaulted, in others it may be required.
  20677. maxLength: 253
  20678. minLength: 1
  20679. pattern: ^[-._a-zA-Z0-9]+$
  20680. type: string
  20681. name:
  20682. description: The name of the Secret resource being referred to.
  20683. maxLength: 253
  20684. minLength: 1
  20685. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20686. type: string
  20687. namespace:
  20688. description: |-
  20689. The namespace of the Secret resource being referred to.
  20690. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20691. maxLength: 63
  20692. minLength: 1
  20693. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20694. type: string
  20695. type: object
  20696. required:
  20697. - path
  20698. type: object
  20699. kubernetes:
  20700. description: |-
  20701. Kubernetes authenticates with Vault by passing the ServiceAccount
  20702. token stored in the named Secret resource to the Vault server.
  20703. properties:
  20704. mountPath:
  20705. default: kubernetes
  20706. description: |-
  20707. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  20708. "kubernetes"
  20709. type: string
  20710. role:
  20711. description: |-
  20712. A required field containing the Vault Role to assume. A Role binds a
  20713. Kubernetes ServiceAccount with a set of Vault policies.
  20714. type: string
  20715. secretRef:
  20716. description: |-
  20717. Optional secret field containing a Kubernetes ServiceAccount JWT used
  20718. for authenticating with Vault. If a name is specified without a key,
  20719. `token` is the default. If one is not specified, the one bound to
  20720. the controller will be used.
  20721. properties:
  20722. key:
  20723. description: |-
  20724. A key in the referenced Secret.
  20725. Some instances of this field may be defaulted, in others it may be required.
  20726. maxLength: 253
  20727. minLength: 1
  20728. pattern: ^[-._a-zA-Z0-9]+$
  20729. type: string
  20730. name:
  20731. description: The name of the Secret resource being referred to.
  20732. maxLength: 253
  20733. minLength: 1
  20734. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20735. type: string
  20736. namespace:
  20737. description: |-
  20738. The namespace of the Secret resource being referred to.
  20739. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20740. maxLength: 63
  20741. minLength: 1
  20742. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20743. type: string
  20744. type: object
  20745. serviceAccountRef:
  20746. description: |-
  20747. Optional service account field containing the name of a kubernetes ServiceAccount.
  20748. If the service account is specified, the service account secret token JWT will be used
  20749. for authenticating with Vault. If the service account selector is not supplied,
  20750. the secretRef will be used instead.
  20751. properties:
  20752. audiences:
  20753. description: |-
  20754. Audience specifies the `aud` claim for the service account token
  20755. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  20756. then this audiences will be appended to the list
  20757. items:
  20758. type: string
  20759. type: array
  20760. name:
  20761. description: The name of the ServiceAccount resource being referred to.
  20762. maxLength: 253
  20763. minLength: 1
  20764. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20765. type: string
  20766. namespace:
  20767. description: |-
  20768. Namespace of the resource being referred to.
  20769. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20770. maxLength: 63
  20771. minLength: 1
  20772. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20773. type: string
  20774. required:
  20775. - name
  20776. type: object
  20777. required:
  20778. - mountPath
  20779. - role
  20780. type: object
  20781. ldap:
  20782. description: |-
  20783. Ldap authenticates with Vault by passing username/password pair using
  20784. the LDAP authentication method
  20785. properties:
  20786. path:
  20787. default: ldap
  20788. description: |-
  20789. Path where the LDAP authentication backend is mounted
  20790. in Vault, e.g: "ldap"
  20791. type: string
  20792. secretRef:
  20793. description: |-
  20794. SecretRef to a key in a Secret resource containing password for the LDAP
  20795. user used to authenticate with Vault using the LDAP authentication
  20796. method
  20797. properties:
  20798. key:
  20799. description: |-
  20800. A key in the referenced Secret.
  20801. Some instances of this field may be defaulted, in others it may be required.
  20802. maxLength: 253
  20803. minLength: 1
  20804. pattern: ^[-._a-zA-Z0-9]+$
  20805. type: string
  20806. name:
  20807. description: The name of the Secret resource being referred to.
  20808. maxLength: 253
  20809. minLength: 1
  20810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20811. type: string
  20812. namespace:
  20813. description: |-
  20814. The namespace of the Secret resource being referred to.
  20815. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20816. maxLength: 63
  20817. minLength: 1
  20818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20819. type: string
  20820. type: object
  20821. username:
  20822. description: |-
  20823. Username is an LDAP username used to authenticate using the LDAP Vault
  20824. authentication method
  20825. type: string
  20826. required:
  20827. - path
  20828. - username
  20829. type: object
  20830. namespace:
  20831. description: |-
  20832. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  20833. Namespaces is a set of features within Vault Enterprise that allows
  20834. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20835. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20836. This will default to Vault.Namespace field if set, or empty otherwise
  20837. type: string
  20838. tokenSecretRef:
  20839. description: TokenSecretRef authenticates with Vault by presenting a token.
  20840. properties:
  20841. key:
  20842. description: |-
  20843. A key in the referenced Secret.
  20844. Some instances of this field may be defaulted, in others it may be required.
  20845. maxLength: 253
  20846. minLength: 1
  20847. pattern: ^[-._a-zA-Z0-9]+$
  20848. type: string
  20849. name:
  20850. description: The name of the Secret resource being referred to.
  20851. maxLength: 253
  20852. minLength: 1
  20853. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20854. type: string
  20855. namespace:
  20856. description: |-
  20857. The namespace of the Secret resource being referred to.
  20858. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20859. maxLength: 63
  20860. minLength: 1
  20861. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20862. type: string
  20863. type: object
  20864. userPass:
  20865. description: UserPass authenticates with Vault by passing username/password pair
  20866. properties:
  20867. path:
  20868. default: userpass
  20869. description: |-
  20870. Path where the UserPassword authentication backend is mounted
  20871. in Vault, e.g: "userpass"
  20872. type: string
  20873. secretRef:
  20874. description: |-
  20875. SecretRef to a key in a Secret resource containing password for the
  20876. user used to authenticate with Vault using the UserPass authentication
  20877. method
  20878. properties:
  20879. key:
  20880. description: |-
  20881. A key in the referenced Secret.
  20882. Some instances of this field may be defaulted, in others it may be required.
  20883. maxLength: 253
  20884. minLength: 1
  20885. pattern: ^[-._a-zA-Z0-9]+$
  20886. type: string
  20887. name:
  20888. description: The name of the Secret resource being referred to.
  20889. maxLength: 253
  20890. minLength: 1
  20891. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20892. type: string
  20893. namespace:
  20894. description: |-
  20895. The namespace of the Secret resource being referred to.
  20896. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  20897. maxLength: 63
  20898. minLength: 1
  20899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20900. type: string
  20901. type: object
  20902. username:
  20903. description: |-
  20904. Username is a username used to authenticate using the UserPass Vault
  20905. authentication method
  20906. type: string
  20907. required:
  20908. - path
  20909. - username
  20910. type: object
  20911. type: object
  20912. caBundle:
  20913. description: |-
  20914. PEM encoded CA bundle used to validate Vault server certificate. Only used
  20915. if the Server URL is using HTTPS protocol. This parameter is ignored for
  20916. plain HTTP protocol connection. If not set the system root certificates
  20917. are used to validate the TLS connection.
  20918. format: byte
  20919. type: string
  20920. caProvider:
  20921. description: The provider for the CA bundle to use to validate Vault server certificate.
  20922. properties:
  20923. key:
  20924. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  20925. maxLength: 253
  20926. minLength: 1
  20927. pattern: ^[-._a-zA-Z0-9]+$
  20928. type: string
  20929. name:
  20930. description: The name of the object located at the provider type.
  20931. maxLength: 253
  20932. minLength: 1
  20933. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  20934. type: string
  20935. namespace:
  20936. description: |-
  20937. The namespace the Provider type is in.
  20938. Can only be defined when used in a ClusterSecretStore.
  20939. maxLength: 63
  20940. minLength: 1
  20941. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  20942. type: string
  20943. type:
  20944. description: The type of provider to use such as "Secret", or "ConfigMap".
  20945. enum:
  20946. - Secret
  20947. - ConfigMap
  20948. type: string
  20949. required:
  20950. - name
  20951. - type
  20952. type: object
  20953. checkAndSet:
  20954. description: |-
  20955. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  20956. Only applies to Vault KV v2 stores. When enabled, write operations must include
  20957. the current version of the secret to prevent unintentional overwrites.
  20958. properties:
  20959. required:
  20960. description: |-
  20961. Required when true, all write operations must include a check-and-set parameter.
  20962. This helps prevent unintentional overwrites of secrets.
  20963. type: boolean
  20964. type: object
  20965. forwardInconsistent:
  20966. description: |-
  20967. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  20968. leader instead of simply retrying within a loop. This can increase performance if
  20969. the option is enabled serverside.
  20970. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  20971. type: boolean
  20972. headers:
  20973. additionalProperties:
  20974. type: string
  20975. description: Headers to be added in Vault request
  20976. type: object
  20977. namespace:
  20978. description: |-
  20979. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  20980. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  20981. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  20982. type: string
  20983. path:
  20984. description: |-
  20985. Path is the mount path of the Vault KV backend endpoint, e.g:
  20986. "secret". The v2 KV secret engine version specific "/data" path suffix
  20987. for fetching secrets from Vault is optional and will be appended
  20988. if not present in specified path.
  20989. type: string
  20990. readYourWrites:
  20991. description: |-
  20992. ReadYourWrites ensures isolated read-after-write semantics by
  20993. providing discovered cluster replication states in each request.
  20994. More information about eventual consistency in Vault can be found here
  20995. https://www.vaultproject.io/docs/enterprise/consistency
  20996. type: boolean
  20997. server:
  20998. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  20999. type: string
  21000. tls:
  21001. description: |-
  21002. The configuration used for client side related TLS communication, when the Vault server
  21003. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  21004. This parameter is ignored for plain HTTP protocol connection.
  21005. It's worth noting this configuration is different from the "TLS certificates auth method",
  21006. which is available under the `auth.cert` section.
  21007. properties:
  21008. certSecretRef:
  21009. description: |-
  21010. CertSecretRef is a certificate added to the transport layer
  21011. when communicating with the Vault server.
  21012. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  21013. properties:
  21014. key:
  21015. description: |-
  21016. A key in the referenced Secret.
  21017. Some instances of this field may be defaulted, in others it may be required.
  21018. maxLength: 253
  21019. minLength: 1
  21020. pattern: ^[-._a-zA-Z0-9]+$
  21021. type: string
  21022. name:
  21023. description: The name of the Secret resource being referred to.
  21024. maxLength: 253
  21025. minLength: 1
  21026. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21027. type: string
  21028. namespace:
  21029. description: |-
  21030. The namespace of the Secret resource being referred to.
  21031. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21032. maxLength: 63
  21033. minLength: 1
  21034. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21035. type: string
  21036. type: object
  21037. keySecretRef:
  21038. description: |-
  21039. KeySecretRef to a key in a Secret resource containing client private key
  21040. added to the transport layer when communicating with the Vault server.
  21041. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  21042. properties:
  21043. key:
  21044. description: |-
  21045. A key in the referenced Secret.
  21046. Some instances of this field may be defaulted, in others it may be required.
  21047. maxLength: 253
  21048. minLength: 1
  21049. pattern: ^[-._a-zA-Z0-9]+$
  21050. type: string
  21051. name:
  21052. description: The name of the Secret resource being referred to.
  21053. maxLength: 253
  21054. minLength: 1
  21055. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21056. type: string
  21057. namespace:
  21058. description: |-
  21059. The namespace of the Secret resource being referred to.
  21060. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21061. maxLength: 63
  21062. minLength: 1
  21063. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21064. type: string
  21065. type: object
  21066. type: object
  21067. version:
  21068. default: v2
  21069. description: |-
  21070. Version is the Vault KV secret engine version. This can be either "v1" or
  21071. "v2". Version defaults to "v2".
  21072. enum:
  21073. - v1
  21074. - v2
  21075. type: string
  21076. required:
  21077. - server
  21078. type: object
  21079. volcengine:
  21080. description: Volcengine configures this store to sync secrets using the Volcengine provider
  21081. properties:
  21082. auth:
  21083. description: |-
  21084. Auth defines the authentication method to use.
  21085. If not specified, the provider will try to use IRSA (IAM Role for Service Account).
  21086. properties:
  21087. secretRef:
  21088. description: |-
  21089. SecretRef defines the static credentials to use for authentication.
  21090. If not set, IRSA is used.
  21091. properties:
  21092. accessKeyID:
  21093. description: AccessKeyID is the reference to the secret containing the Access Key ID.
  21094. properties:
  21095. key:
  21096. description: |-
  21097. A key in the referenced Secret.
  21098. Some instances of this field may be defaulted, in others it may be required.
  21099. maxLength: 253
  21100. minLength: 1
  21101. pattern: ^[-._a-zA-Z0-9]+$
  21102. type: string
  21103. name:
  21104. description: The name of the Secret resource being referred to.
  21105. maxLength: 253
  21106. minLength: 1
  21107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21108. type: string
  21109. namespace:
  21110. description: |-
  21111. The namespace of the Secret resource being referred to.
  21112. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21113. maxLength: 63
  21114. minLength: 1
  21115. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21116. type: string
  21117. type: object
  21118. secretAccessKey:
  21119. description: SecretAccessKey is the reference to the secret containing the Secret Access Key.
  21120. properties:
  21121. key:
  21122. description: |-
  21123. A key in the referenced Secret.
  21124. Some instances of this field may be defaulted, in others it may be required.
  21125. maxLength: 253
  21126. minLength: 1
  21127. pattern: ^[-._a-zA-Z0-9]+$
  21128. type: string
  21129. name:
  21130. description: The name of the Secret resource being referred to.
  21131. maxLength: 253
  21132. minLength: 1
  21133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21134. type: string
  21135. namespace:
  21136. description: |-
  21137. The namespace of the Secret resource being referred to.
  21138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21139. maxLength: 63
  21140. minLength: 1
  21141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21142. type: string
  21143. type: object
  21144. token:
  21145. description: Token is the reference to the secret containing the STS(Security Token Service) Token.
  21146. properties:
  21147. key:
  21148. description: |-
  21149. A key in the referenced Secret.
  21150. Some instances of this field may be defaulted, in others it may be required.
  21151. maxLength: 253
  21152. minLength: 1
  21153. pattern: ^[-._a-zA-Z0-9]+$
  21154. type: string
  21155. name:
  21156. description: The name of the Secret resource being referred to.
  21157. maxLength: 253
  21158. minLength: 1
  21159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21160. type: string
  21161. namespace:
  21162. description: |-
  21163. The namespace of the Secret resource being referred to.
  21164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21165. maxLength: 63
  21166. minLength: 1
  21167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21168. type: string
  21169. type: object
  21170. required:
  21171. - accessKeyID
  21172. - secretAccessKey
  21173. type: object
  21174. type: object
  21175. region:
  21176. description: Region specifies the Volcengine region to connect to.
  21177. type: string
  21178. required:
  21179. - region
  21180. type: object
  21181. webhook:
  21182. description: Webhook configures this store to sync secrets using a generic templated webhook
  21183. properties:
  21184. auth:
  21185. description: Auth specifies a authorization protocol. Only one protocol may be set.
  21186. maxProperties: 1
  21187. minProperties: 1
  21188. properties:
  21189. ntlm:
  21190. description: NTLMProtocol configures the store to use NTLM for auth
  21191. properties:
  21192. passwordSecret:
  21193. description: |-
  21194. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21195. In some instances, `key` is a required field.
  21196. properties:
  21197. key:
  21198. description: |-
  21199. A key in the referenced Secret.
  21200. Some instances of this field may be defaulted, in others it may be required.
  21201. maxLength: 253
  21202. minLength: 1
  21203. pattern: ^[-._a-zA-Z0-9]+$
  21204. type: string
  21205. name:
  21206. description: The name of the Secret resource being referred to.
  21207. maxLength: 253
  21208. minLength: 1
  21209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21210. type: string
  21211. namespace:
  21212. description: |-
  21213. The namespace of the Secret resource being referred to.
  21214. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21215. maxLength: 63
  21216. minLength: 1
  21217. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21218. type: string
  21219. type: object
  21220. usernameSecret:
  21221. description: |-
  21222. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21223. In some instances, `key` is a required field.
  21224. properties:
  21225. key:
  21226. description: |-
  21227. A key in the referenced Secret.
  21228. Some instances of this field may be defaulted, in others it may be required.
  21229. maxLength: 253
  21230. minLength: 1
  21231. pattern: ^[-._a-zA-Z0-9]+$
  21232. type: string
  21233. name:
  21234. description: The name of the Secret resource being referred to.
  21235. maxLength: 253
  21236. minLength: 1
  21237. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21238. type: string
  21239. namespace:
  21240. description: |-
  21241. The namespace of the Secret resource being referred to.
  21242. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21243. maxLength: 63
  21244. minLength: 1
  21245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21246. type: string
  21247. type: object
  21248. required:
  21249. - passwordSecret
  21250. - usernameSecret
  21251. type: object
  21252. type: object
  21253. body:
  21254. description: Body
  21255. type: string
  21256. caBundle:
  21257. description: |-
  21258. PEM encoded CA bundle used to validate webhook server certificate. Only used
  21259. if the Server URL is using HTTPS protocol. This parameter is ignored for
  21260. plain HTTP protocol connection. If not set the system root certificates
  21261. are used to validate the TLS connection.
  21262. format: byte
  21263. type: string
  21264. caProvider:
  21265. description: The provider for the CA bundle to use to validate webhook server certificate.
  21266. properties:
  21267. key:
  21268. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21269. maxLength: 253
  21270. minLength: 1
  21271. pattern: ^[-._a-zA-Z0-9]+$
  21272. type: string
  21273. name:
  21274. description: The name of the object located at the provider type.
  21275. maxLength: 253
  21276. minLength: 1
  21277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21278. type: string
  21279. namespace:
  21280. description: The namespace the Provider type is in.
  21281. maxLength: 63
  21282. minLength: 1
  21283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21284. type: string
  21285. type:
  21286. description: The type of provider to use such as "Secret", or "ConfigMap".
  21287. enum:
  21288. - Secret
  21289. - ConfigMap
  21290. type: string
  21291. required:
  21292. - name
  21293. - type
  21294. type: object
  21295. headers:
  21296. additionalProperties:
  21297. type: string
  21298. description: Headers
  21299. type: object
  21300. method:
  21301. description: Webhook Method
  21302. type: string
  21303. result:
  21304. description: Result formatting
  21305. properties:
  21306. jsonPath:
  21307. description: Json path of return value
  21308. type: string
  21309. type: object
  21310. secrets:
  21311. description: |-
  21312. Secrets to fill in templates
  21313. These secrets will be passed to the templating function as key value pairs under the given name
  21314. items:
  21315. description: WebhookSecret defines a secret that will be passed to the webhook request.
  21316. properties:
  21317. name:
  21318. description: Name of this secret in templates
  21319. type: string
  21320. secretRef:
  21321. description: Secret ref to fill in credentials
  21322. properties:
  21323. key:
  21324. description: |-
  21325. A key in the referenced Secret.
  21326. Some instances of this field may be defaulted, in others it may be required.
  21327. maxLength: 253
  21328. minLength: 1
  21329. pattern: ^[-._a-zA-Z0-9]+$
  21330. type: string
  21331. name:
  21332. description: The name of the Secret resource being referred to.
  21333. maxLength: 253
  21334. minLength: 1
  21335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21336. type: string
  21337. namespace:
  21338. description: |-
  21339. The namespace of the Secret resource being referred to.
  21340. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21341. maxLength: 63
  21342. minLength: 1
  21343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21344. type: string
  21345. type: object
  21346. required:
  21347. - name
  21348. - secretRef
  21349. type: object
  21350. type: array
  21351. timeout:
  21352. description: Timeout
  21353. type: string
  21354. url:
  21355. description: Webhook url to call
  21356. type: string
  21357. required:
  21358. - url
  21359. type: object
  21360. yandexcertificatemanager:
  21361. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  21362. properties:
  21363. apiEndpoint:
  21364. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21365. type: string
  21366. auth:
  21367. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21368. properties:
  21369. authorizedKeySecretRef:
  21370. description: The authorized key used for authentication
  21371. properties:
  21372. key:
  21373. description: |-
  21374. A key in the referenced Secret.
  21375. Some instances of this field may be defaulted, in others it may be required.
  21376. maxLength: 253
  21377. minLength: 1
  21378. pattern: ^[-._a-zA-Z0-9]+$
  21379. type: string
  21380. name:
  21381. description: The name of the Secret resource being referred to.
  21382. maxLength: 253
  21383. minLength: 1
  21384. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21385. type: string
  21386. namespace:
  21387. description: |-
  21388. The namespace of the Secret resource being referred to.
  21389. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21390. maxLength: 63
  21391. minLength: 1
  21392. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21393. type: string
  21394. type: object
  21395. type: object
  21396. caProvider:
  21397. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21398. properties:
  21399. certSecretRef:
  21400. description: |-
  21401. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21402. In some instances, `key` is a required field.
  21403. properties:
  21404. key:
  21405. description: |-
  21406. A key in the referenced Secret.
  21407. Some instances of this field may be defaulted, in others it may be required.
  21408. maxLength: 253
  21409. minLength: 1
  21410. pattern: ^[-._a-zA-Z0-9]+$
  21411. type: string
  21412. name:
  21413. description: The name of the Secret resource being referred to.
  21414. maxLength: 253
  21415. minLength: 1
  21416. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21417. type: string
  21418. namespace:
  21419. description: |-
  21420. The namespace of the Secret resource being referred to.
  21421. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21422. maxLength: 63
  21423. minLength: 1
  21424. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21425. type: string
  21426. type: object
  21427. type: object
  21428. fetching:
  21429. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as certificate ID or certificate name
  21430. maxProperties: 1
  21431. minProperties: 1
  21432. properties:
  21433. byID:
  21434. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21435. type: object
  21436. byName:
  21437. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21438. properties:
  21439. folderID:
  21440. description: The folder to fetch secrets from
  21441. type: string
  21442. required:
  21443. - folderID
  21444. type: object
  21445. type: object
  21446. required:
  21447. - auth
  21448. type: object
  21449. yandexlockbox:
  21450. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  21451. properties:
  21452. apiEndpoint:
  21453. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  21454. type: string
  21455. auth:
  21456. description: Auth defines the information necessary to authenticate against Yandex.Cloud
  21457. properties:
  21458. authorizedKeySecretRef:
  21459. description: The authorized key used for authentication
  21460. properties:
  21461. key:
  21462. description: |-
  21463. A key in the referenced Secret.
  21464. Some instances of this field may be defaulted, in others it may be required.
  21465. maxLength: 253
  21466. minLength: 1
  21467. pattern: ^[-._a-zA-Z0-9]+$
  21468. type: string
  21469. name:
  21470. description: The name of the Secret resource being referred to.
  21471. maxLength: 253
  21472. minLength: 1
  21473. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21474. type: string
  21475. namespace:
  21476. description: |-
  21477. The namespace of the Secret resource being referred to.
  21478. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21479. maxLength: 63
  21480. minLength: 1
  21481. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21482. type: string
  21483. type: object
  21484. type: object
  21485. caProvider:
  21486. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  21487. properties:
  21488. certSecretRef:
  21489. description: |-
  21490. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21491. In some instances, `key` is a required field.
  21492. properties:
  21493. key:
  21494. description: |-
  21495. A key in the referenced Secret.
  21496. Some instances of this field may be defaulted, in others it may be required.
  21497. maxLength: 253
  21498. minLength: 1
  21499. pattern: ^[-._a-zA-Z0-9]+$
  21500. type: string
  21501. name:
  21502. description: The name of the Secret resource being referred to.
  21503. maxLength: 253
  21504. minLength: 1
  21505. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21506. type: string
  21507. namespace:
  21508. description: |-
  21509. The namespace of the Secret resource being referred to.
  21510. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21511. maxLength: 63
  21512. minLength: 1
  21513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21514. type: string
  21515. type: object
  21516. type: object
  21517. fetching:
  21518. description: FetchingPolicy configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID or secret name
  21519. maxProperties: 1
  21520. minProperties: 1
  21521. properties:
  21522. byID:
  21523. description: ByID configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret ID.
  21524. type: object
  21525. byName:
  21526. description: ByName configures the provider to interpret the `data.secretKey.remoteRef.key` field in ExternalSecret as secret name.
  21527. properties:
  21528. folderID:
  21529. description: The folder to fetch secrets from
  21530. type: string
  21531. required:
  21532. - folderID
  21533. type: object
  21534. type: object
  21535. required:
  21536. - auth
  21537. type: object
  21538. type: object
  21539. refreshInterval:
  21540. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  21541. type: integer
  21542. retrySettings:
  21543. description: Used to configure HTTP retries on failures.
  21544. properties:
  21545. maxRetries:
  21546. format: int32
  21547. type: integer
  21548. retryInterval:
  21549. type: string
  21550. type: object
  21551. required:
  21552. - provider
  21553. type: object
  21554. status:
  21555. description: SecretStoreStatus defines the observed state of the SecretStore.
  21556. properties:
  21557. capabilities:
  21558. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  21559. type: string
  21560. conditions:
  21561. items:
  21562. description: SecretStoreStatusCondition contains condition information for a SecretStore.
  21563. properties:
  21564. lastTransitionTime:
  21565. format: date-time
  21566. type: string
  21567. message:
  21568. type: string
  21569. reason:
  21570. type: string
  21571. status:
  21572. type: string
  21573. type:
  21574. description: SecretStoreConditionType represents the condition of the SecretStore.
  21575. type: string
  21576. required:
  21577. - status
  21578. - type
  21579. type: object
  21580. type: array
  21581. type: object
  21582. type: object
  21583. served: true
  21584. storage: true
  21585. subresources:
  21586. status: {}
  21587. - additionalPrinterColumns:
  21588. - jsonPath: .metadata.creationTimestamp
  21589. name: AGE
  21590. type: date
  21591. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  21592. name: Status
  21593. type: string
  21594. - jsonPath: .status.capabilities
  21595. name: Capabilities
  21596. type: string
  21597. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  21598. name: Ready
  21599. type: string
  21600. deprecated: true
  21601. name: v1beta1
  21602. schema:
  21603. openAPIV3Schema:
  21604. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  21605. properties:
  21606. apiVersion:
  21607. description: |-
  21608. APIVersion defines the versioned schema of this representation of an object.
  21609. Servers should convert recognized schemas to the latest internal value, and
  21610. may reject unrecognized values.
  21611. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  21612. type: string
  21613. kind:
  21614. description: |-
  21615. Kind is a string value representing the REST resource this object represents.
  21616. Servers may infer this from the endpoint the client submits requests to.
  21617. Cannot be updated.
  21618. In CamelCase.
  21619. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  21620. type: string
  21621. metadata:
  21622. type: object
  21623. spec:
  21624. description: SecretStoreSpec defines the desired state of SecretStore.
  21625. properties:
  21626. conditions:
  21627. description: Used to constrain a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore.
  21628. items:
  21629. description: |-
  21630. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  21631. for a ClusterSecretStore instance.
  21632. properties:
  21633. namespaceRegexes:
  21634. description: Choose namespaces by using regex matching
  21635. items:
  21636. type: string
  21637. type: array
  21638. namespaceSelector:
  21639. description: Choose namespace using a labelSelector
  21640. properties:
  21641. matchExpressions:
  21642. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  21643. items:
  21644. description: |-
  21645. A label selector requirement is a selector that contains values, a key, and an operator that
  21646. relates the key and values.
  21647. properties:
  21648. key:
  21649. description: key is the label key that the selector applies to.
  21650. type: string
  21651. operator:
  21652. description: |-
  21653. operator represents a key's relationship to a set of values.
  21654. Valid operators are In, NotIn, Exists and DoesNotExist.
  21655. type: string
  21656. values:
  21657. description: |-
  21658. values is an array of string values. If the operator is In or NotIn,
  21659. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  21660. the values array must be empty. This array is replaced during a strategic
  21661. merge patch.
  21662. items:
  21663. type: string
  21664. type: array
  21665. x-kubernetes-list-type: atomic
  21666. required:
  21667. - key
  21668. - operator
  21669. type: object
  21670. type: array
  21671. x-kubernetes-list-type: atomic
  21672. matchLabels:
  21673. additionalProperties:
  21674. type: string
  21675. description: |-
  21676. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  21677. map is equivalent to an element of matchExpressions, whose key field is "key", the
  21678. operator is "In", and the values array contains only "value". The requirements are ANDed.
  21679. type: object
  21680. type: object
  21681. x-kubernetes-map-type: atomic
  21682. namespaces:
  21683. description: Choose namespaces by name
  21684. items:
  21685. maxLength: 63
  21686. minLength: 1
  21687. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21688. type: string
  21689. type: array
  21690. type: object
  21691. type: array
  21692. controller:
  21693. description: |-
  21694. Used to select the correct ESO controller (think: ingress.ingressClassName)
  21695. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  21696. type: string
  21697. provider:
  21698. description: Used to configure the provider. Only one provider may be set
  21699. maxProperties: 1
  21700. minProperties: 1
  21701. properties:
  21702. akeyless:
  21703. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  21704. properties:
  21705. akeylessGWApiURL:
  21706. description: Akeyless GW API Url from which the secrets to be fetched from.
  21707. type: string
  21708. authSecretRef:
  21709. description: Auth configures how the operator authenticates with Akeyless.
  21710. properties:
  21711. kubernetesAuth:
  21712. description: |-
  21713. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  21714. token stored in the named Secret resource.
  21715. properties:
  21716. accessID:
  21717. description: the Akeyless Kubernetes auth-method access-id
  21718. type: string
  21719. k8sConfName:
  21720. description: Kubernetes-auth configuration name in Akeyless-Gateway
  21721. type: string
  21722. secretRef:
  21723. description: |-
  21724. Optional secret field containing a Kubernetes ServiceAccount JWT used
  21725. for authenticating with Akeyless. If a name is specified without a key,
  21726. `token` is the default. If one is not specified, the one bound to
  21727. the controller will be used.
  21728. properties:
  21729. key:
  21730. description: |-
  21731. A key in the referenced Secret.
  21732. Some instances of this field may be defaulted, in others it may be required.
  21733. maxLength: 253
  21734. minLength: 1
  21735. pattern: ^[-._a-zA-Z0-9]+$
  21736. type: string
  21737. name:
  21738. description: The name of the Secret resource being referred to.
  21739. maxLength: 253
  21740. minLength: 1
  21741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21742. type: string
  21743. namespace:
  21744. description: |-
  21745. The namespace of the Secret resource being referred to.
  21746. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21747. maxLength: 63
  21748. minLength: 1
  21749. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21750. type: string
  21751. type: object
  21752. serviceAccountRef:
  21753. description: |-
  21754. Optional service account field containing the name of a kubernetes ServiceAccount.
  21755. If the service account is specified, the service account secret token JWT will be used
  21756. for authenticating with Akeyless. If the service account selector is not supplied,
  21757. the secretRef will be used instead.
  21758. properties:
  21759. audiences:
  21760. description: |-
  21761. Audience specifies the `aud` claim for the service account token
  21762. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  21763. then this audiences will be appended to the list
  21764. items:
  21765. type: string
  21766. type: array
  21767. name:
  21768. description: The name of the ServiceAccount resource being referred to.
  21769. maxLength: 253
  21770. minLength: 1
  21771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21772. type: string
  21773. namespace:
  21774. description: |-
  21775. Namespace of the resource being referred to.
  21776. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21777. maxLength: 63
  21778. minLength: 1
  21779. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21780. type: string
  21781. required:
  21782. - name
  21783. type: object
  21784. required:
  21785. - accessID
  21786. - k8sConfName
  21787. type: object
  21788. secretRef:
  21789. description: |-
  21790. Reference to a Secret that contains the details
  21791. to authenticate with Akeyless.
  21792. properties:
  21793. accessID:
  21794. description: The SecretAccessID is used for authentication
  21795. properties:
  21796. key:
  21797. description: |-
  21798. A key in the referenced Secret.
  21799. Some instances of this field may be defaulted, in others it may be required.
  21800. maxLength: 253
  21801. minLength: 1
  21802. pattern: ^[-._a-zA-Z0-9]+$
  21803. type: string
  21804. name:
  21805. description: The name of the Secret resource being referred to.
  21806. maxLength: 253
  21807. minLength: 1
  21808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21809. type: string
  21810. namespace:
  21811. description: |-
  21812. The namespace of the Secret resource being referred to.
  21813. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21814. maxLength: 63
  21815. minLength: 1
  21816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21817. type: string
  21818. type: object
  21819. accessType:
  21820. description: |-
  21821. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21822. In some instances, `key` is a required field.
  21823. properties:
  21824. key:
  21825. description: |-
  21826. A key in the referenced Secret.
  21827. Some instances of this field may be defaulted, in others it may be required.
  21828. maxLength: 253
  21829. minLength: 1
  21830. pattern: ^[-._a-zA-Z0-9]+$
  21831. type: string
  21832. name:
  21833. description: The name of the Secret resource being referred to.
  21834. maxLength: 253
  21835. minLength: 1
  21836. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21837. type: string
  21838. namespace:
  21839. description: |-
  21840. The namespace of the Secret resource being referred to.
  21841. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21842. maxLength: 63
  21843. minLength: 1
  21844. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21845. type: string
  21846. type: object
  21847. accessTypeParam:
  21848. description: |-
  21849. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  21850. In some instances, `key` is a required field.
  21851. properties:
  21852. key:
  21853. description: |-
  21854. A key in the referenced Secret.
  21855. Some instances of this field may be defaulted, in others it may be required.
  21856. maxLength: 253
  21857. minLength: 1
  21858. pattern: ^[-._a-zA-Z0-9]+$
  21859. type: string
  21860. name:
  21861. description: The name of the Secret resource being referred to.
  21862. maxLength: 253
  21863. minLength: 1
  21864. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21865. type: string
  21866. namespace:
  21867. description: |-
  21868. The namespace of the Secret resource being referred to.
  21869. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21870. maxLength: 63
  21871. minLength: 1
  21872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21873. type: string
  21874. type: object
  21875. type: object
  21876. type: object
  21877. caBundle:
  21878. description: |-
  21879. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  21880. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  21881. are used to validate the TLS connection.
  21882. format: byte
  21883. type: string
  21884. caProvider:
  21885. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  21886. properties:
  21887. key:
  21888. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  21889. maxLength: 253
  21890. minLength: 1
  21891. pattern: ^[-._a-zA-Z0-9]+$
  21892. type: string
  21893. name:
  21894. description: The name of the object located at the provider type.
  21895. maxLength: 253
  21896. minLength: 1
  21897. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21898. type: string
  21899. namespace:
  21900. description: |-
  21901. The namespace the Provider type is in.
  21902. Can only be defined when used in a ClusterSecretStore.
  21903. maxLength: 63
  21904. minLength: 1
  21905. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21906. type: string
  21907. type:
  21908. description: The type of provider to use such as "Secret", or "ConfigMap".
  21909. enum:
  21910. - Secret
  21911. - ConfigMap
  21912. type: string
  21913. required:
  21914. - name
  21915. - type
  21916. type: object
  21917. required:
  21918. - akeylessGWApiURL
  21919. - authSecretRef
  21920. type: object
  21921. alibaba:
  21922. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  21923. properties:
  21924. auth:
  21925. description: AlibabaAuth contains a secretRef for credentials.
  21926. properties:
  21927. rrsa:
  21928. description: AlibabaRRSAAuth authenticates against Alibaba using RRSA (Resource-oriented RAM-based Service Authentication).
  21929. properties:
  21930. oidcProviderArn:
  21931. type: string
  21932. oidcTokenFilePath:
  21933. type: string
  21934. roleArn:
  21935. type: string
  21936. sessionName:
  21937. type: string
  21938. required:
  21939. - oidcProviderArn
  21940. - oidcTokenFilePath
  21941. - roleArn
  21942. - sessionName
  21943. type: object
  21944. secretRef:
  21945. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  21946. properties:
  21947. accessKeyIDSecretRef:
  21948. description: The AccessKeyID is used for authentication
  21949. properties:
  21950. key:
  21951. description: |-
  21952. A key in the referenced Secret.
  21953. Some instances of this field may be defaulted, in others it may be required.
  21954. maxLength: 253
  21955. minLength: 1
  21956. pattern: ^[-._a-zA-Z0-9]+$
  21957. type: string
  21958. name:
  21959. description: The name of the Secret resource being referred to.
  21960. maxLength: 253
  21961. minLength: 1
  21962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21963. type: string
  21964. namespace:
  21965. description: |-
  21966. The namespace of the Secret resource being referred to.
  21967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21968. maxLength: 63
  21969. minLength: 1
  21970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21971. type: string
  21972. type: object
  21973. accessKeySecretSecretRef:
  21974. description: The AccessKeySecret is used for authentication
  21975. properties:
  21976. key:
  21977. description: |-
  21978. A key in the referenced Secret.
  21979. Some instances of this field may be defaulted, in others it may be required.
  21980. maxLength: 253
  21981. minLength: 1
  21982. pattern: ^[-._a-zA-Z0-9]+$
  21983. type: string
  21984. name:
  21985. description: The name of the Secret resource being referred to.
  21986. maxLength: 253
  21987. minLength: 1
  21988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  21989. type: string
  21990. namespace:
  21991. description: |-
  21992. The namespace of the Secret resource being referred to.
  21993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  21994. maxLength: 63
  21995. minLength: 1
  21996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  21997. type: string
  21998. type: object
  21999. required:
  22000. - accessKeyIDSecretRef
  22001. - accessKeySecretSecretRef
  22002. type: object
  22003. type: object
  22004. regionID:
  22005. description: Alibaba Region to be used for the provider
  22006. type: string
  22007. required:
  22008. - auth
  22009. - regionID
  22010. type: object
  22011. aws:
  22012. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  22013. properties:
  22014. additionalRoles:
  22015. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  22016. items:
  22017. type: string
  22018. type: array
  22019. auth:
  22020. description: |-
  22021. Auth defines the information necessary to authenticate against AWS
  22022. if not set aws sdk will infer credentials from your environment
  22023. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  22024. properties:
  22025. jwt:
  22026. description: AWSJWTAuth authenticates against AWS using service account tokens from the Kubernetes cluster.
  22027. properties:
  22028. serviceAccountRef:
  22029. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  22030. properties:
  22031. audiences:
  22032. description: |-
  22033. Audience specifies the `aud` claim for the service account token
  22034. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22035. then this audiences will be appended to the list
  22036. items:
  22037. type: string
  22038. type: array
  22039. name:
  22040. description: The name of the ServiceAccount resource being referred to.
  22041. maxLength: 253
  22042. minLength: 1
  22043. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22044. type: string
  22045. namespace:
  22046. description: |-
  22047. Namespace of the resource being referred to.
  22048. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22049. maxLength: 63
  22050. minLength: 1
  22051. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22052. type: string
  22053. required:
  22054. - name
  22055. type: object
  22056. type: object
  22057. secretRef:
  22058. description: |-
  22059. AWSAuthSecretRef holds secret references for AWS credentials
  22060. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  22061. properties:
  22062. accessKeyIDSecretRef:
  22063. description: The AccessKeyID is used for authentication
  22064. properties:
  22065. key:
  22066. description: |-
  22067. A key in the referenced Secret.
  22068. Some instances of this field may be defaulted, in others it may be required.
  22069. maxLength: 253
  22070. minLength: 1
  22071. pattern: ^[-._a-zA-Z0-9]+$
  22072. type: string
  22073. name:
  22074. description: The name of the Secret resource being referred to.
  22075. maxLength: 253
  22076. minLength: 1
  22077. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22078. type: string
  22079. namespace:
  22080. description: |-
  22081. The namespace of the Secret resource being referred to.
  22082. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22083. maxLength: 63
  22084. minLength: 1
  22085. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22086. type: string
  22087. type: object
  22088. secretAccessKeySecretRef:
  22089. description: The SecretAccessKey is used for authentication
  22090. properties:
  22091. key:
  22092. description: |-
  22093. A key in the referenced Secret.
  22094. Some instances of this field may be defaulted, in others it may be required.
  22095. maxLength: 253
  22096. minLength: 1
  22097. pattern: ^[-._a-zA-Z0-9]+$
  22098. type: string
  22099. name:
  22100. description: The name of the Secret resource being referred to.
  22101. maxLength: 253
  22102. minLength: 1
  22103. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22104. type: string
  22105. namespace:
  22106. description: |-
  22107. The namespace of the Secret resource being referred to.
  22108. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22109. maxLength: 63
  22110. minLength: 1
  22111. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22112. type: string
  22113. type: object
  22114. sessionTokenSecretRef:
  22115. description: |-
  22116. The SessionToken used for authentication
  22117. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  22118. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  22119. properties:
  22120. key:
  22121. description: |-
  22122. A key in the referenced Secret.
  22123. Some instances of this field may be defaulted, in others it may be required.
  22124. maxLength: 253
  22125. minLength: 1
  22126. pattern: ^[-._a-zA-Z0-9]+$
  22127. type: string
  22128. name:
  22129. description: The name of the Secret resource being referred to.
  22130. maxLength: 253
  22131. minLength: 1
  22132. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22133. type: string
  22134. namespace:
  22135. description: |-
  22136. The namespace of the Secret resource being referred to.
  22137. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22138. maxLength: 63
  22139. minLength: 1
  22140. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22141. type: string
  22142. type: object
  22143. type: object
  22144. type: object
  22145. externalID:
  22146. description: AWS External ID set on assumed IAM roles
  22147. type: string
  22148. prefix:
  22149. description: Prefix adds a prefix to all retrieved values.
  22150. type: string
  22151. region:
  22152. description: AWS Region to be used for the provider
  22153. type: string
  22154. role:
  22155. description: Role is a Role ARN which the provider will assume
  22156. type: string
  22157. secretsManager:
  22158. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  22159. properties:
  22160. forceDeleteWithoutRecovery:
  22161. description: |-
  22162. Specifies whether to delete the secret without any recovery window. You
  22163. can't use both this parameter and RecoveryWindowInDays in the same call.
  22164. If you don't use either, then by default Secrets Manager uses a 30 day
  22165. recovery window.
  22166. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  22167. type: boolean
  22168. recoveryWindowInDays:
  22169. description: |-
  22170. The number of days from 7 to 30 that Secrets Manager waits before
  22171. permanently deleting the secret. You can't use both this parameter and
  22172. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  22173. then by default Secrets Manager uses a 30 day recovery window.
  22174. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  22175. format: int64
  22176. type: integer
  22177. type: object
  22178. service:
  22179. description: Service defines which service should be used to fetch the secrets
  22180. enum:
  22181. - SecretsManager
  22182. - ParameterStore
  22183. type: string
  22184. sessionTags:
  22185. description: AWS STS assume role session tags
  22186. items:
  22187. description: Tag defines a tag key and value for AWS resources.
  22188. properties:
  22189. key:
  22190. type: string
  22191. value:
  22192. type: string
  22193. required:
  22194. - key
  22195. - value
  22196. type: object
  22197. type: array
  22198. transitiveTagKeys:
  22199. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  22200. items:
  22201. type: string
  22202. type: array
  22203. required:
  22204. - region
  22205. - service
  22206. type: object
  22207. azurekv:
  22208. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  22209. properties:
  22210. authSecretRef:
  22211. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22212. properties:
  22213. clientCertificate:
  22214. description: The Azure ClientCertificate of the service principle used for authentication.
  22215. properties:
  22216. key:
  22217. description: |-
  22218. A key in the referenced Secret.
  22219. Some instances of this field may be defaulted, in others it may be required.
  22220. maxLength: 253
  22221. minLength: 1
  22222. pattern: ^[-._a-zA-Z0-9]+$
  22223. type: string
  22224. name:
  22225. description: The name of the Secret resource being referred to.
  22226. maxLength: 253
  22227. minLength: 1
  22228. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22229. type: string
  22230. namespace:
  22231. description: |-
  22232. The namespace of the Secret resource being referred to.
  22233. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22234. maxLength: 63
  22235. minLength: 1
  22236. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22237. type: string
  22238. type: object
  22239. clientId:
  22240. description: The Azure clientId of the service principle or managed identity used for authentication.
  22241. properties:
  22242. key:
  22243. description: |-
  22244. A key in the referenced Secret.
  22245. Some instances of this field may be defaulted, in others it may be required.
  22246. maxLength: 253
  22247. minLength: 1
  22248. pattern: ^[-._a-zA-Z0-9]+$
  22249. type: string
  22250. name:
  22251. description: The name of the Secret resource being referred to.
  22252. maxLength: 253
  22253. minLength: 1
  22254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22255. type: string
  22256. namespace:
  22257. description: |-
  22258. The namespace of the Secret resource being referred to.
  22259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22260. maxLength: 63
  22261. minLength: 1
  22262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22263. type: string
  22264. type: object
  22265. clientSecret:
  22266. description: The Azure ClientSecret of the service principle used for authentication.
  22267. properties:
  22268. key:
  22269. description: |-
  22270. A key in the referenced Secret.
  22271. Some instances of this field may be defaulted, in others it may be required.
  22272. maxLength: 253
  22273. minLength: 1
  22274. pattern: ^[-._a-zA-Z0-9]+$
  22275. type: string
  22276. name:
  22277. description: The name of the Secret resource being referred to.
  22278. maxLength: 253
  22279. minLength: 1
  22280. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22281. type: string
  22282. namespace:
  22283. description: |-
  22284. The namespace of the Secret resource being referred to.
  22285. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22286. maxLength: 63
  22287. minLength: 1
  22288. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22289. type: string
  22290. type: object
  22291. tenantId:
  22292. description: The Azure tenantId of the managed identity used for authentication.
  22293. properties:
  22294. key:
  22295. description: |-
  22296. A key in the referenced Secret.
  22297. Some instances of this field may be defaulted, in others it may be required.
  22298. maxLength: 253
  22299. minLength: 1
  22300. pattern: ^[-._a-zA-Z0-9]+$
  22301. type: string
  22302. name:
  22303. description: The name of the Secret resource being referred to.
  22304. maxLength: 253
  22305. minLength: 1
  22306. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22307. type: string
  22308. namespace:
  22309. description: |-
  22310. The namespace of the Secret resource being referred to.
  22311. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22312. maxLength: 63
  22313. minLength: 1
  22314. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22315. type: string
  22316. type: object
  22317. type: object
  22318. authType:
  22319. default: ServicePrincipal
  22320. description: |-
  22321. Auth type defines how to authenticate to the keyvault service.
  22322. Valid values are:
  22323. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  22324. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  22325. enum:
  22326. - ServicePrincipal
  22327. - ManagedIdentity
  22328. - WorkloadIdentity
  22329. type: string
  22330. environmentType:
  22331. default: PublicCloud
  22332. description: |-
  22333. EnvironmentType specifies the Azure cloud environment endpoints to use for
  22334. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  22335. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  22336. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  22337. enum:
  22338. - PublicCloud
  22339. - USGovernmentCloud
  22340. - ChinaCloud
  22341. - GermanCloud
  22342. type: string
  22343. identityId:
  22344. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  22345. type: string
  22346. serviceAccountRef:
  22347. description: |-
  22348. ServiceAccountRef specified the service account
  22349. that should be used when authenticating with WorkloadIdentity.
  22350. properties:
  22351. audiences:
  22352. description: |-
  22353. Audience specifies the `aud` claim for the service account token
  22354. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22355. then this audiences will be appended to the list
  22356. items:
  22357. type: string
  22358. type: array
  22359. name:
  22360. description: The name of the ServiceAccount resource being referred to.
  22361. maxLength: 253
  22362. minLength: 1
  22363. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22364. type: string
  22365. namespace:
  22366. description: |-
  22367. Namespace of the resource being referred to.
  22368. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22369. maxLength: 63
  22370. minLength: 1
  22371. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22372. type: string
  22373. required:
  22374. - name
  22375. type: object
  22376. tenantId:
  22377. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  22378. type: string
  22379. vaultUrl:
  22380. description: Vault Url from which the secrets to be fetched from.
  22381. type: string
  22382. required:
  22383. - vaultUrl
  22384. type: object
  22385. beyondtrust:
  22386. description: Beyondtrust configures this store to sync secrets using Password Safe provider.
  22387. properties:
  22388. auth:
  22389. description: Auth configures how the operator authenticates with Beyondtrust.
  22390. properties:
  22391. apiKey:
  22392. description: APIKey If not provided then ClientID/ClientSecret become required.
  22393. properties:
  22394. secretRef:
  22395. description: SecretRef references a key in a secret that will be used as value.
  22396. properties:
  22397. key:
  22398. description: |-
  22399. A key in the referenced Secret.
  22400. Some instances of this field may be defaulted, in others it may be required.
  22401. maxLength: 253
  22402. minLength: 1
  22403. pattern: ^[-._a-zA-Z0-9]+$
  22404. type: string
  22405. name:
  22406. description: The name of the Secret resource being referred to.
  22407. maxLength: 253
  22408. minLength: 1
  22409. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22410. type: string
  22411. namespace:
  22412. description: |-
  22413. The namespace of the Secret resource being referred to.
  22414. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22415. maxLength: 63
  22416. minLength: 1
  22417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22418. type: string
  22419. type: object
  22420. value:
  22421. description: Value can be specified directly to set a value without using a secret.
  22422. type: string
  22423. type: object
  22424. certificate:
  22425. description: Certificate (cert.pem) for use when authenticating with an OAuth client Id using a Client Certificate.
  22426. properties:
  22427. secretRef:
  22428. description: SecretRef references a key in a secret that will be used as value.
  22429. properties:
  22430. key:
  22431. description: |-
  22432. A key in the referenced Secret.
  22433. Some instances of this field may be defaulted, in others it may be required.
  22434. maxLength: 253
  22435. minLength: 1
  22436. pattern: ^[-._a-zA-Z0-9]+$
  22437. type: string
  22438. name:
  22439. description: The name of the Secret resource being referred to.
  22440. maxLength: 253
  22441. minLength: 1
  22442. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22443. type: string
  22444. namespace:
  22445. description: |-
  22446. The namespace of the Secret resource being referred to.
  22447. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22448. maxLength: 63
  22449. minLength: 1
  22450. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22451. type: string
  22452. type: object
  22453. value:
  22454. description: Value can be specified directly to set a value without using a secret.
  22455. type: string
  22456. type: object
  22457. certificateKey:
  22458. description: Certificate private key (key.pem). For use when authenticating with an OAuth client Id
  22459. properties:
  22460. secretRef:
  22461. description: SecretRef references a key in a secret that will be used as value.
  22462. properties:
  22463. key:
  22464. description: |-
  22465. A key in the referenced Secret.
  22466. Some instances of this field may be defaulted, in others it may be required.
  22467. maxLength: 253
  22468. minLength: 1
  22469. pattern: ^[-._a-zA-Z0-9]+$
  22470. type: string
  22471. name:
  22472. description: The name of the Secret resource being referred to.
  22473. maxLength: 253
  22474. minLength: 1
  22475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22476. type: string
  22477. namespace:
  22478. description: |-
  22479. The namespace of the Secret resource being referred to.
  22480. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22481. maxLength: 63
  22482. minLength: 1
  22483. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22484. type: string
  22485. type: object
  22486. value:
  22487. description: Value can be specified directly to set a value without using a secret.
  22488. type: string
  22489. type: object
  22490. clientId:
  22491. description: ClientID is the API OAuth Client ID.
  22492. properties:
  22493. secretRef:
  22494. description: SecretRef references a key in a secret that will be used as value.
  22495. properties:
  22496. key:
  22497. description: |-
  22498. A key in the referenced Secret.
  22499. Some instances of this field may be defaulted, in others it may be required.
  22500. maxLength: 253
  22501. minLength: 1
  22502. pattern: ^[-._a-zA-Z0-9]+$
  22503. type: string
  22504. name:
  22505. description: The name of the Secret resource being referred to.
  22506. maxLength: 253
  22507. minLength: 1
  22508. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22509. type: string
  22510. namespace:
  22511. description: |-
  22512. The namespace of the Secret resource being referred to.
  22513. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22514. maxLength: 63
  22515. minLength: 1
  22516. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22517. type: string
  22518. type: object
  22519. value:
  22520. description: Value can be specified directly to set a value without using a secret.
  22521. type: string
  22522. type: object
  22523. clientSecret:
  22524. description: ClientSecret is the API OAuth Client Secret.
  22525. properties:
  22526. secretRef:
  22527. description: SecretRef references a key in a secret that will be used as value.
  22528. properties:
  22529. key:
  22530. description: |-
  22531. A key in the referenced Secret.
  22532. Some instances of this field may be defaulted, in others it may be required.
  22533. maxLength: 253
  22534. minLength: 1
  22535. pattern: ^[-._a-zA-Z0-9]+$
  22536. type: string
  22537. name:
  22538. description: The name of the Secret resource being referred to.
  22539. maxLength: 253
  22540. minLength: 1
  22541. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22542. type: string
  22543. namespace:
  22544. description: |-
  22545. The namespace of the Secret resource being referred to.
  22546. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22547. maxLength: 63
  22548. minLength: 1
  22549. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22550. type: string
  22551. type: object
  22552. value:
  22553. description: Value can be specified directly to set a value without using a secret.
  22554. type: string
  22555. type: object
  22556. type: object
  22557. server:
  22558. description: Auth configures how API server works.
  22559. properties:
  22560. apiUrl:
  22561. type: string
  22562. apiVersion:
  22563. type: string
  22564. clientTimeOutSeconds:
  22565. description: Timeout specifies a time limit for requests made by this Client. The timeout includes connection time, any redirects, and reading the response body. Defaults to 45 seconds.
  22566. type: integer
  22567. decrypt:
  22568. default: true
  22569. description: 'When true, the response includes the decrypted password. When false, the password field is omitted. This option only applies to the SECRET retrieval type. Default: true.'
  22570. type: boolean
  22571. retrievalType:
  22572. description: The secret retrieval type. SECRET = Secrets Safe (credential, text, file). MANAGED_ACCOUNT = Password Safe account associated with a system.
  22573. type: string
  22574. separator:
  22575. description: A character that separates the folder names.
  22576. type: string
  22577. verifyCA:
  22578. type: boolean
  22579. required:
  22580. - apiUrl
  22581. - verifyCA
  22582. type: object
  22583. required:
  22584. - auth
  22585. - server
  22586. type: object
  22587. bitwardensecretsmanager:
  22588. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  22589. properties:
  22590. apiURL:
  22591. type: string
  22592. auth:
  22593. description: |-
  22594. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  22595. Make sure that the token being used has permissions on the given secret.
  22596. properties:
  22597. secretRef:
  22598. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  22599. properties:
  22600. credentials:
  22601. description: AccessToken used for the bitwarden instance.
  22602. properties:
  22603. key:
  22604. description: |-
  22605. A key in the referenced Secret.
  22606. Some instances of this field may be defaulted, in others it may be required.
  22607. maxLength: 253
  22608. minLength: 1
  22609. pattern: ^[-._a-zA-Z0-9]+$
  22610. type: string
  22611. name:
  22612. description: The name of the Secret resource being referred to.
  22613. maxLength: 253
  22614. minLength: 1
  22615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22616. type: string
  22617. namespace:
  22618. description: |-
  22619. The namespace of the Secret resource being referred to.
  22620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22621. maxLength: 63
  22622. minLength: 1
  22623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22624. type: string
  22625. type: object
  22626. required:
  22627. - credentials
  22628. type: object
  22629. required:
  22630. - secretRef
  22631. type: object
  22632. bitwardenServerSDKURL:
  22633. type: string
  22634. caBundle:
  22635. description: |-
  22636. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  22637. can be performed.
  22638. type: string
  22639. caProvider:
  22640. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  22641. properties:
  22642. key:
  22643. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22644. maxLength: 253
  22645. minLength: 1
  22646. pattern: ^[-._a-zA-Z0-9]+$
  22647. type: string
  22648. name:
  22649. description: The name of the object located at the provider type.
  22650. maxLength: 253
  22651. minLength: 1
  22652. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22653. type: string
  22654. namespace:
  22655. description: |-
  22656. The namespace the Provider type is in.
  22657. Can only be defined when used in a ClusterSecretStore.
  22658. maxLength: 63
  22659. minLength: 1
  22660. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22661. type: string
  22662. type:
  22663. description: The type of provider to use such as "Secret", or "ConfigMap".
  22664. enum:
  22665. - Secret
  22666. - ConfigMap
  22667. type: string
  22668. required:
  22669. - name
  22670. - type
  22671. type: object
  22672. identityURL:
  22673. type: string
  22674. organizationID:
  22675. description: OrganizationID determines which organization this secret store manages.
  22676. type: string
  22677. projectID:
  22678. description: ProjectID determines which project this secret store manages.
  22679. type: string
  22680. required:
  22681. - auth
  22682. - organizationID
  22683. - projectID
  22684. type: object
  22685. chef:
  22686. description: Chef configures this store to sync secrets with chef server
  22687. properties:
  22688. auth:
  22689. description: Auth defines the information necessary to authenticate against chef Server
  22690. properties:
  22691. secretRef:
  22692. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  22693. properties:
  22694. privateKeySecretRef:
  22695. description: SecretKey is the Signing Key in PEM format, used for authentication.
  22696. properties:
  22697. key:
  22698. description: |-
  22699. A key in the referenced Secret.
  22700. Some instances of this field may be defaulted, in others it may be required.
  22701. maxLength: 253
  22702. minLength: 1
  22703. pattern: ^[-._a-zA-Z0-9]+$
  22704. type: string
  22705. name:
  22706. description: The name of the Secret resource being referred to.
  22707. maxLength: 253
  22708. minLength: 1
  22709. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22710. type: string
  22711. namespace:
  22712. description: |-
  22713. The namespace of the Secret resource being referred to.
  22714. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22715. maxLength: 63
  22716. minLength: 1
  22717. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22718. type: string
  22719. type: object
  22720. required:
  22721. - privateKeySecretRef
  22722. type: object
  22723. required:
  22724. - secretRef
  22725. type: object
  22726. serverUrl:
  22727. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  22728. type: string
  22729. username:
  22730. description: UserName should be the user ID on the chef server
  22731. type: string
  22732. required:
  22733. - auth
  22734. - serverUrl
  22735. - username
  22736. type: object
  22737. cloudrusm:
  22738. description: CloudruSM configures this store to sync secrets using the Cloud.ru Secret Manager provider
  22739. properties:
  22740. auth:
  22741. description: CSMAuth contains a secretRef for credentials.
  22742. properties:
  22743. secretRef:
  22744. description: CSMAuthSecretRef holds secret references for Cloud.ru credentials.
  22745. properties:
  22746. accessKeyIDSecretRef:
  22747. description: The AccessKeyID is used for authentication
  22748. properties:
  22749. key:
  22750. description: |-
  22751. A key in the referenced Secret.
  22752. Some instances of this field may be defaulted, in others it may be required.
  22753. maxLength: 253
  22754. minLength: 1
  22755. pattern: ^[-._a-zA-Z0-9]+$
  22756. type: string
  22757. name:
  22758. description: The name of the Secret resource being referred to.
  22759. maxLength: 253
  22760. minLength: 1
  22761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22762. type: string
  22763. namespace:
  22764. description: |-
  22765. The namespace of the Secret resource being referred to.
  22766. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22767. maxLength: 63
  22768. minLength: 1
  22769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22770. type: string
  22771. type: object
  22772. accessKeySecretSecretRef:
  22773. description: The AccessKeySecret is used for authentication
  22774. properties:
  22775. key:
  22776. description: |-
  22777. A key in the referenced Secret.
  22778. Some instances of this field may be defaulted, in others it may be required.
  22779. maxLength: 253
  22780. minLength: 1
  22781. pattern: ^[-._a-zA-Z0-9]+$
  22782. type: string
  22783. name:
  22784. description: The name of the Secret resource being referred to.
  22785. maxLength: 253
  22786. minLength: 1
  22787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22788. type: string
  22789. namespace:
  22790. description: |-
  22791. The namespace of the Secret resource being referred to.
  22792. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22793. maxLength: 63
  22794. minLength: 1
  22795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22796. type: string
  22797. type: object
  22798. required:
  22799. - accessKeyIDSecretRef
  22800. - accessKeySecretSecretRef
  22801. type: object
  22802. type: object
  22803. projectID:
  22804. description: ProjectID is the project, which the secrets are stored in.
  22805. type: string
  22806. required:
  22807. - auth
  22808. type: object
  22809. conjur:
  22810. description: Conjur configures this store to sync secrets using conjur provider
  22811. properties:
  22812. auth:
  22813. description: Defines authentication settings for connecting to Conjur.
  22814. properties:
  22815. apikey:
  22816. description: Authenticates with Conjur using an API key.
  22817. properties:
  22818. account:
  22819. description: Account is the Conjur organization account name.
  22820. type: string
  22821. apiKeyRef:
  22822. description: |-
  22823. A reference to a specific 'key' containing the Conjur API key
  22824. within a Secret resource. In some instances, `key` is a required field.
  22825. properties:
  22826. key:
  22827. description: |-
  22828. A key in the referenced Secret.
  22829. Some instances of this field may be defaulted, in others it may be required.
  22830. maxLength: 253
  22831. minLength: 1
  22832. pattern: ^[-._a-zA-Z0-9]+$
  22833. type: string
  22834. name:
  22835. description: The name of the Secret resource being referred to.
  22836. maxLength: 253
  22837. minLength: 1
  22838. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22839. type: string
  22840. namespace:
  22841. description: |-
  22842. The namespace of the Secret resource being referred to.
  22843. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22844. maxLength: 63
  22845. minLength: 1
  22846. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22847. type: string
  22848. type: object
  22849. userRef:
  22850. description: |-
  22851. A reference to a specific 'key' containing the Conjur username
  22852. within a Secret resource. In some instances, `key` is a required field.
  22853. properties:
  22854. key:
  22855. description: |-
  22856. A key in the referenced Secret.
  22857. Some instances of this field may be defaulted, in others it may be required.
  22858. maxLength: 253
  22859. minLength: 1
  22860. pattern: ^[-._a-zA-Z0-9]+$
  22861. type: string
  22862. name:
  22863. description: The name of the Secret resource being referred to.
  22864. maxLength: 253
  22865. minLength: 1
  22866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22867. type: string
  22868. namespace:
  22869. description: |-
  22870. The namespace of the Secret resource being referred to.
  22871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22872. maxLength: 63
  22873. minLength: 1
  22874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22875. type: string
  22876. type: object
  22877. required:
  22878. - account
  22879. - apiKeyRef
  22880. - userRef
  22881. type: object
  22882. jwt:
  22883. description: Jwt enables JWT authentication using Kubernetes service account tokens.
  22884. properties:
  22885. account:
  22886. description: Account is the Conjur organization account name.
  22887. type: string
  22888. hostId:
  22889. description: |-
  22890. Optional HostID for JWT authentication. This may be used depending
  22891. on how the Conjur JWT authenticator policy is configured.
  22892. type: string
  22893. secretRef:
  22894. description: |-
  22895. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  22896. authenticate with Conjur using the JWT authentication method.
  22897. properties:
  22898. key:
  22899. description: |-
  22900. A key in the referenced Secret.
  22901. Some instances of this field may be defaulted, in others it may be required.
  22902. maxLength: 253
  22903. minLength: 1
  22904. pattern: ^[-._a-zA-Z0-9]+$
  22905. type: string
  22906. name:
  22907. description: The name of the Secret resource being referred to.
  22908. maxLength: 253
  22909. minLength: 1
  22910. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22911. type: string
  22912. namespace:
  22913. description: |-
  22914. The namespace of the Secret resource being referred to.
  22915. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22916. maxLength: 63
  22917. minLength: 1
  22918. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22919. type: string
  22920. type: object
  22921. serviceAccountRef:
  22922. description: |-
  22923. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  22924. a token for with the `TokenRequest` API.
  22925. properties:
  22926. audiences:
  22927. description: |-
  22928. Audience specifies the `aud` claim for the service account token
  22929. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  22930. then this audiences will be appended to the list
  22931. items:
  22932. type: string
  22933. type: array
  22934. name:
  22935. description: The name of the ServiceAccount resource being referred to.
  22936. maxLength: 253
  22937. minLength: 1
  22938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22939. type: string
  22940. namespace:
  22941. description: |-
  22942. Namespace of the resource being referred to.
  22943. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  22944. maxLength: 63
  22945. minLength: 1
  22946. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22947. type: string
  22948. required:
  22949. - name
  22950. type: object
  22951. serviceID:
  22952. description: The conjur authn jwt webservice id
  22953. type: string
  22954. required:
  22955. - account
  22956. - serviceID
  22957. type: object
  22958. type: object
  22959. caBundle:
  22960. description: CABundle is a PEM encoded CA bundle that will be used to validate the Conjur server certificate.
  22961. type: string
  22962. caProvider:
  22963. description: |-
  22964. Used to provide custom certificate authority (CA) certificates
  22965. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  22966. that contains a PEM-encoded certificate.
  22967. properties:
  22968. key:
  22969. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  22970. maxLength: 253
  22971. minLength: 1
  22972. pattern: ^[-._a-zA-Z0-9]+$
  22973. type: string
  22974. name:
  22975. description: The name of the object located at the provider type.
  22976. maxLength: 253
  22977. minLength: 1
  22978. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  22979. type: string
  22980. namespace:
  22981. description: |-
  22982. The namespace the Provider type is in.
  22983. Can only be defined when used in a ClusterSecretStore.
  22984. maxLength: 63
  22985. minLength: 1
  22986. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  22987. type: string
  22988. type:
  22989. description: The type of provider to use such as "Secret", or "ConfigMap".
  22990. enum:
  22991. - Secret
  22992. - ConfigMap
  22993. type: string
  22994. required:
  22995. - name
  22996. - type
  22997. type: object
  22998. url:
  22999. description: URL is the endpoint of the Conjur instance.
  23000. type: string
  23001. required:
  23002. - auth
  23003. - url
  23004. type: object
  23005. delinea:
  23006. description: |-
  23007. Delinea DevOps Secrets Vault
  23008. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  23009. properties:
  23010. clientId:
  23011. description: ClientID is the non-secret part of the credential.
  23012. properties:
  23013. secretRef:
  23014. description: SecretRef references a key in a secret that will be used as value.
  23015. properties:
  23016. key:
  23017. description: |-
  23018. A key in the referenced Secret.
  23019. Some instances of this field may be defaulted, in others it may be required.
  23020. maxLength: 253
  23021. minLength: 1
  23022. pattern: ^[-._a-zA-Z0-9]+$
  23023. type: string
  23024. name:
  23025. description: The name of the Secret resource being referred to.
  23026. maxLength: 253
  23027. minLength: 1
  23028. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23029. type: string
  23030. namespace:
  23031. description: |-
  23032. The namespace of the Secret resource being referred to.
  23033. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23034. maxLength: 63
  23035. minLength: 1
  23036. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23037. type: string
  23038. type: object
  23039. value:
  23040. description: Value can be specified directly to set a value without using a secret.
  23041. type: string
  23042. type: object
  23043. clientSecret:
  23044. description: ClientSecret is the secret part of the credential.
  23045. properties:
  23046. secretRef:
  23047. description: SecretRef references a key in a secret that will be used as value.
  23048. properties:
  23049. key:
  23050. description: |-
  23051. A key in the referenced Secret.
  23052. Some instances of this field may be defaulted, in others it may be required.
  23053. maxLength: 253
  23054. minLength: 1
  23055. pattern: ^[-._a-zA-Z0-9]+$
  23056. type: string
  23057. name:
  23058. description: The name of the Secret resource being referred to.
  23059. maxLength: 253
  23060. minLength: 1
  23061. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23062. type: string
  23063. namespace:
  23064. description: |-
  23065. The namespace of the Secret resource being referred to.
  23066. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23067. maxLength: 63
  23068. minLength: 1
  23069. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23070. type: string
  23071. type: object
  23072. value:
  23073. description: Value can be specified directly to set a value without using a secret.
  23074. type: string
  23075. type: object
  23076. tenant:
  23077. description: Tenant is the chosen hostname / site name.
  23078. type: string
  23079. tld:
  23080. description: |-
  23081. TLD is based on the server location that was chosen during provisioning.
  23082. If unset, defaults to "com".
  23083. type: string
  23084. urlTemplate:
  23085. description: |-
  23086. URLTemplate
  23087. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  23088. type: string
  23089. required:
  23090. - clientId
  23091. - clientSecret
  23092. - tenant
  23093. type: object
  23094. device42:
  23095. description: Device42 configures this store to sync secrets using the Device42 provider
  23096. properties:
  23097. auth:
  23098. description: Auth configures how secret-manager authenticates with a Device42 instance.
  23099. properties:
  23100. secretRef:
  23101. description: Device42SecretRef defines a reference to a secret containing credentials for the Device42 provider.
  23102. properties:
  23103. credentials:
  23104. description: Username / Password is used for authentication.
  23105. properties:
  23106. key:
  23107. description: |-
  23108. A key in the referenced Secret.
  23109. Some instances of this field may be defaulted, in others it may be required.
  23110. maxLength: 253
  23111. minLength: 1
  23112. pattern: ^[-._a-zA-Z0-9]+$
  23113. type: string
  23114. name:
  23115. description: The name of the Secret resource being referred to.
  23116. maxLength: 253
  23117. minLength: 1
  23118. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23119. type: string
  23120. namespace:
  23121. description: |-
  23122. The namespace of the Secret resource being referred to.
  23123. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23124. maxLength: 63
  23125. minLength: 1
  23126. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23127. type: string
  23128. type: object
  23129. type: object
  23130. required:
  23131. - secretRef
  23132. type: object
  23133. host:
  23134. description: URL configures the Device42 instance URL.
  23135. type: string
  23136. required:
  23137. - auth
  23138. - host
  23139. type: object
  23140. doppler:
  23141. description: Doppler configures this store to sync secrets using the Doppler provider
  23142. properties:
  23143. auth:
  23144. description: Auth configures how the Operator authenticates with the Doppler API
  23145. properties:
  23146. secretRef:
  23147. description: DopplerAuthSecretRef defines a reference to a secret containing credentials for the Doppler provider.
  23148. properties:
  23149. dopplerToken:
  23150. description: |-
  23151. The DopplerToken is used for authentication.
  23152. See https://docs.doppler.com/reference/api#authentication for auth token types.
  23153. The Key attribute defaults to dopplerToken if not specified.
  23154. properties:
  23155. key:
  23156. description: |-
  23157. A key in the referenced Secret.
  23158. Some instances of this field may be defaulted, in others it may be required.
  23159. maxLength: 253
  23160. minLength: 1
  23161. pattern: ^[-._a-zA-Z0-9]+$
  23162. type: string
  23163. name:
  23164. description: The name of the Secret resource being referred to.
  23165. maxLength: 253
  23166. minLength: 1
  23167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23168. type: string
  23169. namespace:
  23170. description: |-
  23171. The namespace of the Secret resource being referred to.
  23172. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23173. maxLength: 63
  23174. minLength: 1
  23175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23176. type: string
  23177. type: object
  23178. required:
  23179. - dopplerToken
  23180. type: object
  23181. required:
  23182. - secretRef
  23183. type: object
  23184. config:
  23185. description: Doppler config (required if not using a Service Token)
  23186. type: string
  23187. format:
  23188. description: Format enables the downloading of secrets as a file (string)
  23189. enum:
  23190. - json
  23191. - dotnet-json
  23192. - env
  23193. - yaml
  23194. - docker
  23195. type: string
  23196. nameTransformer:
  23197. description: Environment variable compatible name transforms that change secret names to a different format
  23198. enum:
  23199. - upper-camel
  23200. - camel
  23201. - lower-snake
  23202. - tf-var
  23203. - dotnet-env
  23204. - lower-kebab
  23205. type: string
  23206. project:
  23207. description: Doppler project (required if not using a Service Token)
  23208. type: string
  23209. required:
  23210. - auth
  23211. type: object
  23212. fake:
  23213. description: Fake configures a store with static key/value pairs
  23214. properties:
  23215. data:
  23216. items:
  23217. description: FakeProviderData defines a key-value pair for the fake provider used in testing.
  23218. properties:
  23219. key:
  23220. type: string
  23221. value:
  23222. type: string
  23223. version:
  23224. type: string
  23225. required:
  23226. - key
  23227. - value
  23228. type: object
  23229. type: array
  23230. required:
  23231. - data
  23232. type: object
  23233. fortanix:
  23234. description: Fortanix configures this store to sync secrets using the Fortanix provider
  23235. properties:
  23236. apiKey:
  23237. description: APIKey is the API token to access SDKMS Applications.
  23238. properties:
  23239. secretRef:
  23240. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  23241. properties:
  23242. key:
  23243. description: |-
  23244. A key in the referenced Secret.
  23245. Some instances of this field may be defaulted, in others it may be required.
  23246. maxLength: 253
  23247. minLength: 1
  23248. pattern: ^[-._a-zA-Z0-9]+$
  23249. type: string
  23250. name:
  23251. description: The name of the Secret resource being referred to.
  23252. maxLength: 253
  23253. minLength: 1
  23254. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23255. type: string
  23256. namespace:
  23257. description: |-
  23258. The namespace of the Secret resource being referred to.
  23259. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23260. maxLength: 63
  23261. minLength: 1
  23262. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23263. type: string
  23264. type: object
  23265. type: object
  23266. apiUrl:
  23267. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  23268. type: string
  23269. type: object
  23270. gcpsm:
  23271. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  23272. properties:
  23273. auth:
  23274. description: Auth defines the information necessary to authenticate against GCP
  23275. properties:
  23276. secretRef:
  23277. description: GCPSMAuthSecretRef defines a reference to a secret containing credentials for the GCP Secret Manager provider.
  23278. properties:
  23279. secretAccessKeySecretRef:
  23280. description: The SecretAccessKey is used for authentication
  23281. properties:
  23282. key:
  23283. description: |-
  23284. A key in the referenced Secret.
  23285. Some instances of this field may be defaulted, in others it may be required.
  23286. maxLength: 253
  23287. minLength: 1
  23288. pattern: ^[-._a-zA-Z0-9]+$
  23289. type: string
  23290. name:
  23291. description: The name of the Secret resource being referred to.
  23292. maxLength: 253
  23293. minLength: 1
  23294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23295. type: string
  23296. namespace:
  23297. description: |-
  23298. The namespace of the Secret resource being referred to.
  23299. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23300. maxLength: 63
  23301. minLength: 1
  23302. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23303. type: string
  23304. type: object
  23305. type: object
  23306. workloadIdentity:
  23307. description: GCPWorkloadIdentity defines configuration for using GCP Workload Identity authentication.
  23308. properties:
  23309. clusterLocation:
  23310. description: |-
  23311. ClusterLocation is the location of the cluster
  23312. If not specified, it fetches information from the metadata server
  23313. type: string
  23314. clusterName:
  23315. description: |-
  23316. ClusterName is the name of the cluster
  23317. If not specified, it fetches information from the metadata server
  23318. type: string
  23319. clusterProjectID:
  23320. description: |-
  23321. ClusterProjectID is the project ID of the cluster
  23322. If not specified, it fetches information from the metadata server
  23323. type: string
  23324. serviceAccountRef:
  23325. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  23326. properties:
  23327. audiences:
  23328. description: |-
  23329. Audience specifies the `aud` claim for the service account token
  23330. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23331. then this audiences will be appended to the list
  23332. items:
  23333. type: string
  23334. type: array
  23335. name:
  23336. description: The name of the ServiceAccount resource being referred to.
  23337. maxLength: 253
  23338. minLength: 1
  23339. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23340. type: string
  23341. namespace:
  23342. description: |-
  23343. Namespace of the resource being referred to.
  23344. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23345. maxLength: 63
  23346. minLength: 1
  23347. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23348. type: string
  23349. required:
  23350. - name
  23351. type: object
  23352. required:
  23353. - serviceAccountRef
  23354. type: object
  23355. type: object
  23356. location:
  23357. description: Location optionally defines a location for a secret
  23358. type: string
  23359. projectID:
  23360. description: ProjectID project where secret is located
  23361. type: string
  23362. type: object
  23363. github:
  23364. description: Github configures this store to push GitHub Actions secrets using the GitHub API provider.
  23365. properties:
  23366. appID:
  23367. description: appID specifies the Github APP that will be used to authenticate the client
  23368. format: int64
  23369. type: integer
  23370. auth:
  23371. description: auth configures how secret-manager authenticates with a Github instance.
  23372. properties:
  23373. privateKey:
  23374. description: |-
  23375. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23376. In some instances, `key` is a required field.
  23377. properties:
  23378. key:
  23379. description: |-
  23380. A key in the referenced Secret.
  23381. Some instances of this field may be defaulted, in others it may be required.
  23382. maxLength: 253
  23383. minLength: 1
  23384. pattern: ^[-._a-zA-Z0-9]+$
  23385. type: string
  23386. name:
  23387. description: The name of the Secret resource being referred to.
  23388. maxLength: 253
  23389. minLength: 1
  23390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23391. type: string
  23392. namespace:
  23393. description: |-
  23394. The namespace of the Secret resource being referred to.
  23395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23396. maxLength: 63
  23397. minLength: 1
  23398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23399. type: string
  23400. type: object
  23401. required:
  23402. - privateKey
  23403. type: object
  23404. environment:
  23405. description: environment will be used to fetch secrets from a particular environment within a github repository
  23406. type: string
  23407. installationID:
  23408. description: installationID specifies the Github APP installation that will be used to authenticate the client
  23409. format: int64
  23410. type: integer
  23411. organization:
  23412. description: organization will be used to fetch secrets from the Github organization
  23413. type: string
  23414. repository:
  23415. description: repository will be used to fetch secrets from the Github repository within an organization
  23416. type: string
  23417. uploadURL:
  23418. description: Upload URL for enterprise instances. Default to URL.
  23419. type: string
  23420. url:
  23421. default: https://github.com/
  23422. description: URL configures the Github instance URL. Defaults to https://github.com/.
  23423. type: string
  23424. required:
  23425. - appID
  23426. - auth
  23427. - installationID
  23428. - organization
  23429. type: object
  23430. gitlab:
  23431. description: GitLab configures this store to sync secrets using GitLab Variables provider
  23432. properties:
  23433. auth:
  23434. description: Auth configures how secret-manager authenticates with a GitLab instance.
  23435. properties:
  23436. SecretRef:
  23437. description: GitlabSecretRef defines a reference to a secret containing credentials for the GitLab provider.
  23438. properties:
  23439. accessToken:
  23440. description: AccessToken is used for authentication.
  23441. properties:
  23442. key:
  23443. description: |-
  23444. A key in the referenced Secret.
  23445. Some instances of this field may be defaulted, in others it may be required.
  23446. maxLength: 253
  23447. minLength: 1
  23448. pattern: ^[-._a-zA-Z0-9]+$
  23449. type: string
  23450. name:
  23451. description: The name of the Secret resource being referred to.
  23452. maxLength: 253
  23453. minLength: 1
  23454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23455. type: string
  23456. namespace:
  23457. description: |-
  23458. The namespace of the Secret resource being referred to.
  23459. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23460. maxLength: 63
  23461. minLength: 1
  23462. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23463. type: string
  23464. type: object
  23465. type: object
  23466. required:
  23467. - SecretRef
  23468. type: object
  23469. caBundle:
  23470. description: |-
  23471. Base64 encoded certificate for the GitLab server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  23472. can be performed.
  23473. format: byte
  23474. type: string
  23475. caProvider:
  23476. description: 'see: https://external-secrets.io/latest/spec/#external-secrets.io/v1alpha1.CAProvider'
  23477. properties:
  23478. key:
  23479. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23480. maxLength: 253
  23481. minLength: 1
  23482. pattern: ^[-._a-zA-Z0-9]+$
  23483. type: string
  23484. name:
  23485. description: The name of the object located at the provider type.
  23486. maxLength: 253
  23487. minLength: 1
  23488. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23489. type: string
  23490. namespace:
  23491. description: |-
  23492. The namespace the Provider type is in.
  23493. Can only be defined when used in a ClusterSecretStore.
  23494. maxLength: 63
  23495. minLength: 1
  23496. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23497. type: string
  23498. type:
  23499. description: The type of provider to use such as "Secret", or "ConfigMap".
  23500. enum:
  23501. - Secret
  23502. - ConfigMap
  23503. type: string
  23504. required:
  23505. - name
  23506. - type
  23507. type: object
  23508. environment:
  23509. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  23510. type: string
  23511. groupIDs:
  23512. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  23513. items:
  23514. type: string
  23515. type: array
  23516. inheritFromGroups:
  23517. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  23518. type: boolean
  23519. projectID:
  23520. description: ProjectID specifies a project where secrets are located.
  23521. type: string
  23522. url:
  23523. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  23524. type: string
  23525. required:
  23526. - auth
  23527. type: object
  23528. ibm:
  23529. description: IBM configures this store to sync secrets using IBM Cloud provider
  23530. properties:
  23531. auth:
  23532. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  23533. maxProperties: 1
  23534. minProperties: 1
  23535. properties:
  23536. containerAuth:
  23537. description: IBMAuthContainerAuth defines authentication using IBM Container-based auth with IAM Trusted Profile.
  23538. properties:
  23539. iamEndpoint:
  23540. type: string
  23541. profile:
  23542. description: the IBM Trusted Profile
  23543. type: string
  23544. tokenLocation:
  23545. description: Location the token is mounted on the pod
  23546. type: string
  23547. required:
  23548. - profile
  23549. type: object
  23550. secretRef:
  23551. description: IBMAuthSecretRef defines a reference to a secret containing credentials for the IBM provider.
  23552. properties:
  23553. secretApiKeySecretRef:
  23554. description: The SecretAccessKey is used for authentication
  23555. properties:
  23556. key:
  23557. description: |-
  23558. A key in the referenced Secret.
  23559. Some instances of this field may be defaulted, in others it may be required.
  23560. maxLength: 253
  23561. minLength: 1
  23562. pattern: ^[-._a-zA-Z0-9]+$
  23563. type: string
  23564. name:
  23565. description: The name of the Secret resource being referred to.
  23566. maxLength: 253
  23567. minLength: 1
  23568. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23569. type: string
  23570. namespace:
  23571. description: |-
  23572. The namespace of the Secret resource being referred to.
  23573. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23574. maxLength: 63
  23575. minLength: 1
  23576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23577. type: string
  23578. type: object
  23579. type: object
  23580. type: object
  23581. serviceUrl:
  23582. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  23583. type: string
  23584. required:
  23585. - auth
  23586. type: object
  23587. infisical:
  23588. description: Infisical configures this store to sync secrets using the Infisical provider
  23589. properties:
  23590. auth:
  23591. description: Auth configures how the Operator authenticates with the Infisical API
  23592. properties:
  23593. universalAuthCredentials:
  23594. description: UniversalAuthCredentials defines the credentials for Infisical Universal Auth.
  23595. properties:
  23596. clientId:
  23597. description: |-
  23598. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23599. In some instances, `key` is a required field.
  23600. properties:
  23601. key:
  23602. description: |-
  23603. A key in the referenced Secret.
  23604. Some instances of this field may be defaulted, in others it may be required.
  23605. maxLength: 253
  23606. minLength: 1
  23607. pattern: ^[-._a-zA-Z0-9]+$
  23608. type: string
  23609. name:
  23610. description: The name of the Secret resource being referred to.
  23611. maxLength: 253
  23612. minLength: 1
  23613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23614. type: string
  23615. namespace:
  23616. description: |-
  23617. The namespace of the Secret resource being referred to.
  23618. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23619. maxLength: 63
  23620. minLength: 1
  23621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23622. type: string
  23623. type: object
  23624. clientSecret:
  23625. description: |-
  23626. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23627. In some instances, `key` is a required field.
  23628. properties:
  23629. key:
  23630. description: |-
  23631. A key in the referenced Secret.
  23632. Some instances of this field may be defaulted, in others it may be required.
  23633. maxLength: 253
  23634. minLength: 1
  23635. pattern: ^[-._a-zA-Z0-9]+$
  23636. type: string
  23637. name:
  23638. description: The name of the Secret resource being referred to.
  23639. maxLength: 253
  23640. minLength: 1
  23641. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23642. type: string
  23643. namespace:
  23644. description: |-
  23645. The namespace of the Secret resource being referred to.
  23646. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23647. maxLength: 63
  23648. minLength: 1
  23649. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23650. type: string
  23651. type: object
  23652. required:
  23653. - clientId
  23654. - clientSecret
  23655. type: object
  23656. type: object
  23657. hostAPI:
  23658. default: https://app.infisical.com/api
  23659. description: HostAPI specifies the base URL of the Infisical API. If not provided, it defaults to "https://app.infisical.com/api".
  23660. type: string
  23661. secretsScope:
  23662. description: SecretsScope defines the scope of the secrets within the workspace
  23663. properties:
  23664. environmentSlug:
  23665. description: EnvironmentSlug is the required slug identifier for the environment.
  23666. type: string
  23667. expandSecretReferences:
  23668. default: true
  23669. description: ExpandSecretReferences indicates whether secret references should be expanded. Defaults to true if not provided.
  23670. type: boolean
  23671. projectSlug:
  23672. description: ProjectSlug is the required slug identifier for the project.
  23673. type: string
  23674. recursive:
  23675. default: false
  23676. description: Recursive indicates whether the secrets should be fetched recursively. Defaults to false if not provided.
  23677. type: boolean
  23678. secretsPath:
  23679. default: /
  23680. description: SecretsPath specifies the path to the secrets within the workspace. Defaults to "/" if not provided.
  23681. type: string
  23682. required:
  23683. - environmentSlug
  23684. - projectSlug
  23685. type: object
  23686. required:
  23687. - auth
  23688. - secretsScope
  23689. type: object
  23690. keepersecurity:
  23691. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  23692. properties:
  23693. authRef:
  23694. description: |-
  23695. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23696. In some instances, `key` is a required field.
  23697. properties:
  23698. key:
  23699. description: |-
  23700. A key in the referenced Secret.
  23701. Some instances of this field may be defaulted, in others it may be required.
  23702. maxLength: 253
  23703. minLength: 1
  23704. pattern: ^[-._a-zA-Z0-9]+$
  23705. type: string
  23706. name:
  23707. description: The name of the Secret resource being referred to.
  23708. maxLength: 253
  23709. minLength: 1
  23710. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23711. type: string
  23712. namespace:
  23713. description: |-
  23714. The namespace of the Secret resource being referred to.
  23715. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23716. maxLength: 63
  23717. minLength: 1
  23718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23719. type: string
  23720. type: object
  23721. folderID:
  23722. type: string
  23723. required:
  23724. - authRef
  23725. - folderID
  23726. type: object
  23727. kubernetes:
  23728. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  23729. properties:
  23730. auth:
  23731. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  23732. maxProperties: 1
  23733. minProperties: 1
  23734. properties:
  23735. cert:
  23736. description: has both clientCert and clientKey as secretKeySelector
  23737. properties:
  23738. clientCert:
  23739. description: |-
  23740. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23741. In some instances, `key` is a required field.
  23742. properties:
  23743. key:
  23744. description: |-
  23745. A key in the referenced Secret.
  23746. Some instances of this field may be defaulted, in others it may be required.
  23747. maxLength: 253
  23748. minLength: 1
  23749. pattern: ^[-._a-zA-Z0-9]+$
  23750. type: string
  23751. name:
  23752. description: The name of the Secret resource being referred to.
  23753. maxLength: 253
  23754. minLength: 1
  23755. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23756. type: string
  23757. namespace:
  23758. description: |-
  23759. The namespace of the Secret resource being referred to.
  23760. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23761. maxLength: 63
  23762. minLength: 1
  23763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23764. type: string
  23765. type: object
  23766. clientKey:
  23767. description: |-
  23768. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23769. In some instances, `key` is a required field.
  23770. properties:
  23771. key:
  23772. description: |-
  23773. A key in the referenced Secret.
  23774. Some instances of this field may be defaulted, in others it may be required.
  23775. maxLength: 253
  23776. minLength: 1
  23777. pattern: ^[-._a-zA-Z0-9]+$
  23778. type: string
  23779. name:
  23780. description: The name of the Secret resource being referred to.
  23781. maxLength: 253
  23782. minLength: 1
  23783. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23784. type: string
  23785. namespace:
  23786. description: |-
  23787. The namespace of the Secret resource being referred to.
  23788. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23789. maxLength: 63
  23790. minLength: 1
  23791. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23792. type: string
  23793. type: object
  23794. type: object
  23795. serviceAccount:
  23796. description: points to a service account that should be used for authentication
  23797. properties:
  23798. audiences:
  23799. description: |-
  23800. Audience specifies the `aud` claim for the service account token
  23801. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  23802. then this audiences will be appended to the list
  23803. items:
  23804. type: string
  23805. type: array
  23806. name:
  23807. description: The name of the ServiceAccount resource being referred to.
  23808. maxLength: 253
  23809. minLength: 1
  23810. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23811. type: string
  23812. namespace:
  23813. description: |-
  23814. Namespace of the resource being referred to.
  23815. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23816. maxLength: 63
  23817. minLength: 1
  23818. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23819. type: string
  23820. required:
  23821. - name
  23822. type: object
  23823. token:
  23824. description: use static token to authenticate with
  23825. properties:
  23826. bearerToken:
  23827. description: |-
  23828. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  23829. In some instances, `key` is a required field.
  23830. properties:
  23831. key:
  23832. description: |-
  23833. A key in the referenced Secret.
  23834. Some instances of this field may be defaulted, in others it may be required.
  23835. maxLength: 253
  23836. minLength: 1
  23837. pattern: ^[-._a-zA-Z0-9]+$
  23838. type: string
  23839. name:
  23840. description: The name of the Secret resource being referred to.
  23841. maxLength: 253
  23842. minLength: 1
  23843. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23844. type: string
  23845. namespace:
  23846. description: |-
  23847. The namespace of the Secret resource being referred to.
  23848. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23849. maxLength: 63
  23850. minLength: 1
  23851. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23852. type: string
  23853. type: object
  23854. type: object
  23855. type: object
  23856. authRef:
  23857. description: A reference to a secret that contains the auth information.
  23858. properties:
  23859. key:
  23860. description: |-
  23861. A key in the referenced Secret.
  23862. Some instances of this field may be defaulted, in others it may be required.
  23863. maxLength: 253
  23864. minLength: 1
  23865. pattern: ^[-._a-zA-Z0-9]+$
  23866. type: string
  23867. name:
  23868. description: The name of the Secret resource being referred to.
  23869. maxLength: 253
  23870. minLength: 1
  23871. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23872. type: string
  23873. namespace:
  23874. description: |-
  23875. The namespace of the Secret resource being referred to.
  23876. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23877. maxLength: 63
  23878. minLength: 1
  23879. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23880. type: string
  23881. type: object
  23882. remoteNamespace:
  23883. default: default
  23884. description: Remote namespace to fetch the secrets from
  23885. maxLength: 63
  23886. minLength: 1
  23887. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23888. type: string
  23889. server:
  23890. description: configures the Kubernetes server Address.
  23891. properties:
  23892. caBundle:
  23893. description: CABundle is a base64-encoded CA certificate
  23894. format: byte
  23895. type: string
  23896. caProvider:
  23897. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  23898. properties:
  23899. key:
  23900. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  23901. maxLength: 253
  23902. minLength: 1
  23903. pattern: ^[-._a-zA-Z0-9]+$
  23904. type: string
  23905. name:
  23906. description: The name of the object located at the provider type.
  23907. maxLength: 253
  23908. minLength: 1
  23909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23910. type: string
  23911. namespace:
  23912. description: |-
  23913. The namespace the Provider type is in.
  23914. Can only be defined when used in a ClusterSecretStore.
  23915. maxLength: 63
  23916. minLength: 1
  23917. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23918. type: string
  23919. type:
  23920. description: The type of provider to use such as "Secret", or "ConfigMap".
  23921. enum:
  23922. - Secret
  23923. - ConfigMap
  23924. type: string
  23925. required:
  23926. - name
  23927. - type
  23928. type: object
  23929. url:
  23930. default: kubernetes.default
  23931. description: configures the Kubernetes server Address.
  23932. type: string
  23933. type: object
  23934. type: object
  23935. onboardbase:
  23936. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  23937. properties:
  23938. apiHost:
  23939. default: https://public.onboardbase.com/api/v1/
  23940. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  23941. type: string
  23942. auth:
  23943. description: Auth configures how the Operator authenticates with the Onboardbase API
  23944. properties:
  23945. apiKeyRef:
  23946. description: |-
  23947. OnboardbaseAPIKey is the APIKey generated by an admin account.
  23948. It is used to recognize and authorize access to a project and environment within onboardbase
  23949. properties:
  23950. key:
  23951. description: |-
  23952. A key in the referenced Secret.
  23953. Some instances of this field may be defaulted, in others it may be required.
  23954. maxLength: 253
  23955. minLength: 1
  23956. pattern: ^[-._a-zA-Z0-9]+$
  23957. type: string
  23958. name:
  23959. description: The name of the Secret resource being referred to.
  23960. maxLength: 253
  23961. minLength: 1
  23962. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23963. type: string
  23964. namespace:
  23965. description: |-
  23966. The namespace of the Secret resource being referred to.
  23967. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23968. maxLength: 63
  23969. minLength: 1
  23970. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23971. type: string
  23972. type: object
  23973. passcodeRef:
  23974. description: OnboardbasePasscode is the passcode attached to the API Key
  23975. properties:
  23976. key:
  23977. description: |-
  23978. A key in the referenced Secret.
  23979. Some instances of this field may be defaulted, in others it may be required.
  23980. maxLength: 253
  23981. minLength: 1
  23982. pattern: ^[-._a-zA-Z0-9]+$
  23983. type: string
  23984. name:
  23985. description: The name of the Secret resource being referred to.
  23986. maxLength: 253
  23987. minLength: 1
  23988. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  23989. type: string
  23990. namespace:
  23991. description: |-
  23992. The namespace of the Secret resource being referred to.
  23993. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  23994. maxLength: 63
  23995. minLength: 1
  23996. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  23997. type: string
  23998. type: object
  23999. required:
  24000. - apiKeyRef
  24001. - passcodeRef
  24002. type: object
  24003. environment:
  24004. default: development
  24005. description: Environment is the name of an environmnent within a project to pull the secrets from
  24006. type: string
  24007. project:
  24008. default: development
  24009. description: Project is an onboardbase project that the secrets should be pulled from
  24010. type: string
  24011. required:
  24012. - apiHost
  24013. - auth
  24014. - environment
  24015. - project
  24016. type: object
  24017. onepassword:
  24018. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  24019. properties:
  24020. auth:
  24021. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  24022. properties:
  24023. secretRef:
  24024. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  24025. properties:
  24026. connectTokenSecretRef:
  24027. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  24028. properties:
  24029. key:
  24030. description: |-
  24031. A key in the referenced Secret.
  24032. Some instances of this field may be defaulted, in others it may be required.
  24033. maxLength: 253
  24034. minLength: 1
  24035. pattern: ^[-._a-zA-Z0-9]+$
  24036. type: string
  24037. name:
  24038. description: The name of the Secret resource being referred to.
  24039. maxLength: 253
  24040. minLength: 1
  24041. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24042. type: string
  24043. namespace:
  24044. description: |-
  24045. The namespace of the Secret resource being referred to.
  24046. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24047. maxLength: 63
  24048. minLength: 1
  24049. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24050. type: string
  24051. type: object
  24052. required:
  24053. - connectTokenSecretRef
  24054. type: object
  24055. required:
  24056. - secretRef
  24057. type: object
  24058. connectHost:
  24059. description: ConnectHost defines the OnePassword Connect Server to connect to
  24060. type: string
  24061. vaults:
  24062. additionalProperties:
  24063. type: integer
  24064. description: Vaults defines which OnePassword vaults to search in which order
  24065. type: object
  24066. required:
  24067. - auth
  24068. - connectHost
  24069. - vaults
  24070. type: object
  24071. oracle:
  24072. description: Oracle configures this store to sync secrets using Oracle Vault provider
  24073. properties:
  24074. auth:
  24075. description: |-
  24076. Auth configures how secret-manager authenticates with the Oracle Vault.
  24077. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  24078. properties:
  24079. secretRef:
  24080. description: SecretRef to pass through sensitive information.
  24081. properties:
  24082. fingerprint:
  24083. description: Fingerprint is the fingerprint of the API private key.
  24084. properties:
  24085. key:
  24086. description: |-
  24087. A key in the referenced Secret.
  24088. Some instances of this field may be defaulted, in others it may be required.
  24089. maxLength: 253
  24090. minLength: 1
  24091. pattern: ^[-._a-zA-Z0-9]+$
  24092. type: string
  24093. name:
  24094. description: The name of the Secret resource being referred to.
  24095. maxLength: 253
  24096. minLength: 1
  24097. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24098. type: string
  24099. namespace:
  24100. description: |-
  24101. The namespace of the Secret resource being referred to.
  24102. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24103. maxLength: 63
  24104. minLength: 1
  24105. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24106. type: string
  24107. type: object
  24108. privatekey:
  24109. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  24110. properties:
  24111. key:
  24112. description: |-
  24113. A key in the referenced Secret.
  24114. Some instances of this field may be defaulted, in others it may be required.
  24115. maxLength: 253
  24116. minLength: 1
  24117. pattern: ^[-._a-zA-Z0-9]+$
  24118. type: string
  24119. name:
  24120. description: The name of the Secret resource being referred to.
  24121. maxLength: 253
  24122. minLength: 1
  24123. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24124. type: string
  24125. namespace:
  24126. description: |-
  24127. The namespace of the Secret resource being referred to.
  24128. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24129. maxLength: 63
  24130. minLength: 1
  24131. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24132. type: string
  24133. type: object
  24134. required:
  24135. - fingerprint
  24136. - privatekey
  24137. type: object
  24138. tenancy:
  24139. description: Tenancy is the tenancy OCID where user is located.
  24140. type: string
  24141. user:
  24142. description: User is an access OCID specific to the account.
  24143. type: string
  24144. required:
  24145. - secretRef
  24146. - tenancy
  24147. - user
  24148. type: object
  24149. compartment:
  24150. description: |-
  24151. Compartment is the vault compartment OCID.
  24152. Required for PushSecret
  24153. type: string
  24154. encryptionKey:
  24155. description: |-
  24156. EncryptionKey is the OCID of the encryption key within the vault.
  24157. Required for PushSecret
  24158. type: string
  24159. principalType:
  24160. description: |-
  24161. The type of principal to use for authentication. If left blank, the Auth struct will
  24162. determine the principal type. This optional field must be specified if using
  24163. workload identity.
  24164. enum:
  24165. - ""
  24166. - UserPrincipal
  24167. - InstancePrincipal
  24168. - Workload
  24169. type: string
  24170. region:
  24171. description: Region is the region where vault is located.
  24172. type: string
  24173. serviceAccountRef:
  24174. description: |-
  24175. ServiceAccountRef specified the service account
  24176. that should be used when authenticating with WorkloadIdentity.
  24177. properties:
  24178. audiences:
  24179. description: |-
  24180. Audience specifies the `aud` claim for the service account token
  24181. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24182. then this audiences will be appended to the list
  24183. items:
  24184. type: string
  24185. type: array
  24186. name:
  24187. description: The name of the ServiceAccount resource being referred to.
  24188. maxLength: 253
  24189. minLength: 1
  24190. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24191. type: string
  24192. namespace:
  24193. description: |-
  24194. Namespace of the resource being referred to.
  24195. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24196. maxLength: 63
  24197. minLength: 1
  24198. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24199. type: string
  24200. required:
  24201. - name
  24202. type: object
  24203. vault:
  24204. description: Vault is the vault's OCID of the specific vault where secret is located.
  24205. type: string
  24206. required:
  24207. - region
  24208. - vault
  24209. type: object
  24210. passbolt:
  24211. description: PassboltProvider defines configuration for the Passbolt provider.
  24212. properties:
  24213. auth:
  24214. description: Auth defines the information necessary to authenticate against Passbolt Server
  24215. properties:
  24216. passwordSecretRef:
  24217. description: PasswordSecretRef is a reference to the secret containing the Passbolt password
  24218. properties:
  24219. key:
  24220. description: |-
  24221. A key in the referenced Secret.
  24222. Some instances of this field may be defaulted, in others it may be required.
  24223. maxLength: 253
  24224. minLength: 1
  24225. pattern: ^[-._a-zA-Z0-9]+$
  24226. type: string
  24227. name:
  24228. description: The name of the Secret resource being referred to.
  24229. maxLength: 253
  24230. minLength: 1
  24231. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24232. type: string
  24233. namespace:
  24234. description: |-
  24235. The namespace of the Secret resource being referred to.
  24236. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24237. maxLength: 63
  24238. minLength: 1
  24239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24240. type: string
  24241. type: object
  24242. privateKeySecretRef:
  24243. description: PrivateKeySecretRef is a reference to the secret containing the Passbolt private key
  24244. properties:
  24245. key:
  24246. description: |-
  24247. A key in the referenced Secret.
  24248. Some instances of this field may be defaulted, in others it may be required.
  24249. maxLength: 253
  24250. minLength: 1
  24251. pattern: ^[-._a-zA-Z0-9]+$
  24252. type: string
  24253. name:
  24254. description: The name of the Secret resource being referred to.
  24255. maxLength: 253
  24256. minLength: 1
  24257. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24258. type: string
  24259. namespace:
  24260. description: |-
  24261. The namespace of the Secret resource being referred to.
  24262. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24263. maxLength: 63
  24264. minLength: 1
  24265. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24266. type: string
  24267. type: object
  24268. required:
  24269. - passwordSecretRef
  24270. - privateKeySecretRef
  24271. type: object
  24272. host:
  24273. description: Host defines the Passbolt Server to connect to
  24274. type: string
  24275. required:
  24276. - auth
  24277. - host
  24278. type: object
  24279. passworddepot:
  24280. description: PasswordDepotProvider configures a store to sync secrets with a Password Depot instance.
  24281. properties:
  24282. auth:
  24283. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  24284. properties:
  24285. secretRef:
  24286. description: PasswordDepotSecretRef defines a reference to a secret containing credentials for the Password Depot provider.
  24287. properties:
  24288. credentials:
  24289. description: Username / Password is used for authentication.
  24290. properties:
  24291. key:
  24292. description: |-
  24293. A key in the referenced Secret.
  24294. Some instances of this field may be defaulted, in others it may be required.
  24295. maxLength: 253
  24296. minLength: 1
  24297. pattern: ^[-._a-zA-Z0-9]+$
  24298. type: string
  24299. name:
  24300. description: The name of the Secret resource being referred to.
  24301. maxLength: 253
  24302. minLength: 1
  24303. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24304. type: string
  24305. namespace:
  24306. description: |-
  24307. The namespace of the Secret resource being referred to.
  24308. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24309. maxLength: 63
  24310. minLength: 1
  24311. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24312. type: string
  24313. type: object
  24314. type: object
  24315. required:
  24316. - secretRef
  24317. type: object
  24318. database:
  24319. description: Database to use as source
  24320. type: string
  24321. host:
  24322. description: URL configures the Password Depot instance URL.
  24323. type: string
  24324. required:
  24325. - auth
  24326. - database
  24327. - host
  24328. type: object
  24329. previder:
  24330. description: Previder configures this store to sync secrets using the Previder provider
  24331. properties:
  24332. auth:
  24333. description: PreviderAuth contains a secretRef for credentials.
  24334. properties:
  24335. secretRef:
  24336. description: PreviderAuthSecretRef holds secret references for Previder Vault credentials.
  24337. properties:
  24338. accessToken:
  24339. description: The AccessToken is used for authentication
  24340. properties:
  24341. key:
  24342. description: |-
  24343. A key in the referenced Secret.
  24344. Some instances of this field may be defaulted, in others it may be required.
  24345. maxLength: 253
  24346. minLength: 1
  24347. pattern: ^[-._a-zA-Z0-9]+$
  24348. type: string
  24349. name:
  24350. description: The name of the Secret resource being referred to.
  24351. maxLength: 253
  24352. minLength: 1
  24353. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24354. type: string
  24355. namespace:
  24356. description: |-
  24357. The namespace of the Secret resource being referred to.
  24358. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24359. maxLength: 63
  24360. minLength: 1
  24361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24362. type: string
  24363. type: object
  24364. required:
  24365. - accessToken
  24366. type: object
  24367. type: object
  24368. baseUri:
  24369. type: string
  24370. required:
  24371. - auth
  24372. type: object
  24373. pulumi:
  24374. description: Pulumi configures this store to sync secrets using the Pulumi provider
  24375. properties:
  24376. accessToken:
  24377. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  24378. properties:
  24379. secretRef:
  24380. description: SecretRef is a reference to a secret containing the Pulumi API token.
  24381. properties:
  24382. key:
  24383. description: |-
  24384. A key in the referenced Secret.
  24385. Some instances of this field may be defaulted, in others it may be required.
  24386. maxLength: 253
  24387. minLength: 1
  24388. pattern: ^[-._a-zA-Z0-9]+$
  24389. type: string
  24390. name:
  24391. description: The name of the Secret resource being referred to.
  24392. maxLength: 253
  24393. minLength: 1
  24394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24395. type: string
  24396. namespace:
  24397. description: |-
  24398. The namespace of the Secret resource being referred to.
  24399. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24400. maxLength: 63
  24401. minLength: 1
  24402. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24403. type: string
  24404. type: object
  24405. type: object
  24406. apiUrl:
  24407. default: https://api.pulumi.com/api/esc
  24408. description: APIURL is the URL of the Pulumi API.
  24409. type: string
  24410. environment:
  24411. description: |-
  24412. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  24413. dynamically retrieved values from supported providers including all major clouds,
  24414. and other Pulumi ESC environments.
  24415. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  24416. type: string
  24417. organization:
  24418. description: |-
  24419. Organization are a space to collaborate on shared projects and stacks.
  24420. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  24421. type: string
  24422. project:
  24423. description: Project is the name of the Pulumi ESC project the environment belongs to.
  24424. type: string
  24425. required:
  24426. - accessToken
  24427. - environment
  24428. - organization
  24429. - project
  24430. type: object
  24431. scaleway:
  24432. description: Scaleway configures this store to sync secrets using the Scaleway provider.
  24433. properties:
  24434. accessKey:
  24435. description: AccessKey is the non-secret part of the api key.
  24436. properties:
  24437. secretRef:
  24438. description: SecretRef references a key in a secret that will be used as value.
  24439. properties:
  24440. key:
  24441. description: |-
  24442. A key in the referenced Secret.
  24443. Some instances of this field may be defaulted, in others it may be required.
  24444. maxLength: 253
  24445. minLength: 1
  24446. pattern: ^[-._a-zA-Z0-9]+$
  24447. type: string
  24448. name:
  24449. description: The name of the Secret resource being referred to.
  24450. maxLength: 253
  24451. minLength: 1
  24452. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24453. type: string
  24454. namespace:
  24455. description: |-
  24456. The namespace of the Secret resource being referred to.
  24457. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24458. maxLength: 63
  24459. minLength: 1
  24460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24461. type: string
  24462. type: object
  24463. value:
  24464. description: Value can be specified directly to set a value without using a secret.
  24465. type: string
  24466. type: object
  24467. apiUrl:
  24468. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  24469. type: string
  24470. projectId:
  24471. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  24472. type: string
  24473. region:
  24474. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  24475. type: string
  24476. secretKey:
  24477. description: SecretKey is the non-secret part of the api key.
  24478. properties:
  24479. secretRef:
  24480. description: SecretRef references a key in a secret that will be used as value.
  24481. properties:
  24482. key:
  24483. description: |-
  24484. A key in the referenced Secret.
  24485. Some instances of this field may be defaulted, in others it may be required.
  24486. maxLength: 253
  24487. minLength: 1
  24488. pattern: ^[-._a-zA-Z0-9]+$
  24489. type: string
  24490. name:
  24491. description: The name of the Secret resource being referred to.
  24492. maxLength: 253
  24493. minLength: 1
  24494. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24495. type: string
  24496. namespace:
  24497. description: |-
  24498. The namespace of the Secret resource being referred to.
  24499. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24500. maxLength: 63
  24501. minLength: 1
  24502. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24503. type: string
  24504. type: object
  24505. value:
  24506. description: Value can be specified directly to set a value without using a secret.
  24507. type: string
  24508. type: object
  24509. required:
  24510. - accessKey
  24511. - projectId
  24512. - region
  24513. - secretKey
  24514. type: object
  24515. secretserver:
  24516. description: |-
  24517. SecretServer configures this store to sync secrets using SecretServer provider
  24518. https://docs.delinea.com/online-help/secret-server/start.htm
  24519. properties:
  24520. password:
  24521. description: Password is the secret server account password.
  24522. properties:
  24523. secretRef:
  24524. description: SecretRef references a key in a secret that will be used as value.
  24525. properties:
  24526. key:
  24527. description: |-
  24528. A key in the referenced Secret.
  24529. Some instances of this field may be defaulted, in others it may be required.
  24530. maxLength: 253
  24531. minLength: 1
  24532. pattern: ^[-._a-zA-Z0-9]+$
  24533. type: string
  24534. name:
  24535. description: The name of the Secret resource being referred to.
  24536. maxLength: 253
  24537. minLength: 1
  24538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24539. type: string
  24540. namespace:
  24541. description: |-
  24542. The namespace of the Secret resource being referred to.
  24543. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24544. maxLength: 63
  24545. minLength: 1
  24546. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24547. type: string
  24548. type: object
  24549. value:
  24550. description: Value can be specified directly to set a value without using a secret.
  24551. type: string
  24552. type: object
  24553. serverURL:
  24554. description: |-
  24555. ServerURL
  24556. URL to your secret server installation
  24557. type: string
  24558. username:
  24559. description: Username is the secret server account username.
  24560. properties:
  24561. secretRef:
  24562. description: SecretRef references a key in a secret that will be used as value.
  24563. properties:
  24564. key:
  24565. description: |-
  24566. A key in the referenced Secret.
  24567. Some instances of this field may be defaulted, in others it may be required.
  24568. maxLength: 253
  24569. minLength: 1
  24570. pattern: ^[-._a-zA-Z0-9]+$
  24571. type: string
  24572. name:
  24573. description: The name of the Secret resource being referred to.
  24574. maxLength: 253
  24575. minLength: 1
  24576. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24577. type: string
  24578. namespace:
  24579. description: |-
  24580. The namespace of the Secret resource being referred to.
  24581. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24582. maxLength: 63
  24583. minLength: 1
  24584. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24585. type: string
  24586. type: object
  24587. value:
  24588. description: Value can be specified directly to set a value without using a secret.
  24589. type: string
  24590. type: object
  24591. required:
  24592. - password
  24593. - serverURL
  24594. - username
  24595. type: object
  24596. senhasegura:
  24597. description: Senhasegura configures this store to sync secrets using senhasegura provider
  24598. properties:
  24599. auth:
  24600. description: Auth defines parameters to authenticate in senhasegura
  24601. properties:
  24602. clientId:
  24603. type: string
  24604. clientSecretSecretRef:
  24605. description: |-
  24606. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  24607. In some instances, `key` is a required field.
  24608. properties:
  24609. key:
  24610. description: |-
  24611. A key in the referenced Secret.
  24612. Some instances of this field may be defaulted, in others it may be required.
  24613. maxLength: 253
  24614. minLength: 1
  24615. pattern: ^[-._a-zA-Z0-9]+$
  24616. type: string
  24617. name:
  24618. description: The name of the Secret resource being referred to.
  24619. maxLength: 253
  24620. minLength: 1
  24621. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24622. type: string
  24623. namespace:
  24624. description: |-
  24625. The namespace of the Secret resource being referred to.
  24626. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24627. maxLength: 63
  24628. minLength: 1
  24629. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24630. type: string
  24631. type: object
  24632. required:
  24633. - clientId
  24634. - clientSecretSecretRef
  24635. type: object
  24636. ignoreSslCertificate:
  24637. default: false
  24638. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  24639. type: boolean
  24640. module:
  24641. description: Module defines which senhasegura module should be used to get secrets
  24642. type: string
  24643. url:
  24644. description: URL of senhasegura
  24645. type: string
  24646. required:
  24647. - auth
  24648. - module
  24649. - url
  24650. type: object
  24651. vault:
  24652. description: Vault configures this store to sync secrets using the HashiCorp Vault provider.
  24653. properties:
  24654. auth:
  24655. description: Auth configures how secret-manager authenticates with the Vault server.
  24656. properties:
  24657. appRole:
  24658. description: |-
  24659. AppRole authenticates with Vault using the App Role auth mechanism,
  24660. with the role and secret stored in a Kubernetes Secret resource.
  24661. properties:
  24662. path:
  24663. default: approle
  24664. description: |-
  24665. Path where the App Role authentication backend is mounted
  24666. in Vault, e.g: "approle"
  24667. type: string
  24668. roleId:
  24669. description: |-
  24670. RoleID configured in the App Role authentication backend when setting
  24671. up the authentication backend in Vault.
  24672. type: string
  24673. roleRef:
  24674. description: |-
  24675. Reference to a key in a Secret that contains the App Role ID used
  24676. to authenticate with Vault.
  24677. The `key` field must be specified and denotes which entry within the Secret
  24678. resource is used as the app role id.
  24679. properties:
  24680. key:
  24681. description: |-
  24682. A key in the referenced Secret.
  24683. Some instances of this field may be defaulted, in others it may be required.
  24684. maxLength: 253
  24685. minLength: 1
  24686. pattern: ^[-._a-zA-Z0-9]+$
  24687. type: string
  24688. name:
  24689. description: The name of the Secret resource being referred to.
  24690. maxLength: 253
  24691. minLength: 1
  24692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24693. type: string
  24694. namespace:
  24695. description: |-
  24696. The namespace of the Secret resource being referred to.
  24697. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24698. maxLength: 63
  24699. minLength: 1
  24700. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24701. type: string
  24702. type: object
  24703. secretRef:
  24704. description: |-
  24705. Reference to a key in a Secret that contains the App Role secret used
  24706. to authenticate with Vault.
  24707. The `key` field must be specified and denotes which entry within the Secret
  24708. resource is used as the app role secret.
  24709. properties:
  24710. key:
  24711. description: |-
  24712. A key in the referenced Secret.
  24713. Some instances of this field may be defaulted, in others it may be required.
  24714. maxLength: 253
  24715. minLength: 1
  24716. pattern: ^[-._a-zA-Z0-9]+$
  24717. type: string
  24718. name:
  24719. description: The name of the Secret resource being referred to.
  24720. maxLength: 253
  24721. minLength: 1
  24722. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24723. type: string
  24724. namespace:
  24725. description: |-
  24726. The namespace of the Secret resource being referred to.
  24727. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24728. maxLength: 63
  24729. minLength: 1
  24730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24731. type: string
  24732. type: object
  24733. required:
  24734. - path
  24735. - secretRef
  24736. type: object
  24737. cert:
  24738. description: |-
  24739. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  24740. Cert authentication method
  24741. properties:
  24742. clientCert:
  24743. description: |-
  24744. ClientCert is a certificate to authenticate using the Cert Vault
  24745. authentication method
  24746. properties:
  24747. key:
  24748. description: |-
  24749. A key in the referenced Secret.
  24750. Some instances of this field may be defaulted, in others it may be required.
  24751. maxLength: 253
  24752. minLength: 1
  24753. pattern: ^[-._a-zA-Z0-9]+$
  24754. type: string
  24755. name:
  24756. description: The name of the Secret resource being referred to.
  24757. maxLength: 253
  24758. minLength: 1
  24759. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24760. type: string
  24761. namespace:
  24762. description: |-
  24763. The namespace of the Secret resource being referred to.
  24764. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24765. maxLength: 63
  24766. minLength: 1
  24767. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24768. type: string
  24769. type: object
  24770. secretRef:
  24771. description: |-
  24772. SecretRef to a key in a Secret resource containing client private key to
  24773. authenticate with Vault using the Cert authentication method
  24774. properties:
  24775. key:
  24776. description: |-
  24777. A key in the referenced Secret.
  24778. Some instances of this field may be defaulted, in others it may be required.
  24779. maxLength: 253
  24780. minLength: 1
  24781. pattern: ^[-._a-zA-Z0-9]+$
  24782. type: string
  24783. name:
  24784. description: The name of the Secret resource being referred to.
  24785. maxLength: 253
  24786. minLength: 1
  24787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24788. type: string
  24789. namespace:
  24790. description: |-
  24791. The namespace of the Secret resource being referred to.
  24792. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24793. maxLength: 63
  24794. minLength: 1
  24795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24796. type: string
  24797. type: object
  24798. type: object
  24799. iam:
  24800. description: |-
  24801. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  24802. AWS IAM authentication method
  24803. properties:
  24804. externalID:
  24805. description: AWS External ID set on assumed IAM roles
  24806. type: string
  24807. jwt:
  24808. description: Specify a service account with IRSA enabled
  24809. properties:
  24810. serviceAccountRef:
  24811. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  24812. properties:
  24813. audiences:
  24814. description: |-
  24815. Audience specifies the `aud` claim for the service account token
  24816. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24817. then this audiences will be appended to the list
  24818. items:
  24819. type: string
  24820. type: array
  24821. name:
  24822. description: The name of the ServiceAccount resource being referred to.
  24823. maxLength: 253
  24824. minLength: 1
  24825. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24826. type: string
  24827. namespace:
  24828. description: |-
  24829. Namespace of the resource being referred to.
  24830. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24831. maxLength: 63
  24832. minLength: 1
  24833. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24834. type: string
  24835. required:
  24836. - name
  24837. type: object
  24838. type: object
  24839. path:
  24840. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  24841. type: string
  24842. region:
  24843. description: AWS region
  24844. type: string
  24845. role:
  24846. description: This is the AWS role to be assumed before talking to vault
  24847. type: string
  24848. secretRef:
  24849. description: Specify credentials in a Secret object
  24850. properties:
  24851. accessKeyIDSecretRef:
  24852. description: The AccessKeyID is used for authentication
  24853. properties:
  24854. key:
  24855. description: |-
  24856. A key in the referenced Secret.
  24857. Some instances of this field may be defaulted, in others it may be required.
  24858. maxLength: 253
  24859. minLength: 1
  24860. pattern: ^[-._a-zA-Z0-9]+$
  24861. type: string
  24862. name:
  24863. description: The name of the Secret resource being referred to.
  24864. maxLength: 253
  24865. minLength: 1
  24866. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24867. type: string
  24868. namespace:
  24869. description: |-
  24870. The namespace of the Secret resource being referred to.
  24871. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24872. maxLength: 63
  24873. minLength: 1
  24874. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24875. type: string
  24876. type: object
  24877. secretAccessKeySecretRef:
  24878. description: The SecretAccessKey is used for authentication
  24879. properties:
  24880. key:
  24881. description: |-
  24882. A key in the referenced Secret.
  24883. Some instances of this field may be defaulted, in others it may be required.
  24884. maxLength: 253
  24885. minLength: 1
  24886. pattern: ^[-._a-zA-Z0-9]+$
  24887. type: string
  24888. name:
  24889. description: The name of the Secret resource being referred to.
  24890. maxLength: 253
  24891. minLength: 1
  24892. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24893. type: string
  24894. namespace:
  24895. description: |-
  24896. The namespace of the Secret resource being referred to.
  24897. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24898. maxLength: 63
  24899. minLength: 1
  24900. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24901. type: string
  24902. type: object
  24903. sessionTokenSecretRef:
  24904. description: |-
  24905. The SessionToken used for authentication
  24906. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  24907. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  24908. properties:
  24909. key:
  24910. description: |-
  24911. A key in the referenced Secret.
  24912. Some instances of this field may be defaulted, in others it may be required.
  24913. maxLength: 253
  24914. minLength: 1
  24915. pattern: ^[-._a-zA-Z0-9]+$
  24916. type: string
  24917. name:
  24918. description: The name of the Secret resource being referred to.
  24919. maxLength: 253
  24920. minLength: 1
  24921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24922. type: string
  24923. namespace:
  24924. description: |-
  24925. The namespace of the Secret resource being referred to.
  24926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24927. maxLength: 63
  24928. minLength: 1
  24929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24930. type: string
  24931. type: object
  24932. type: object
  24933. vaultAwsIamServerID:
  24934. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  24935. type: string
  24936. vaultRole:
  24937. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  24938. type: string
  24939. required:
  24940. - vaultRole
  24941. type: object
  24942. jwt:
  24943. description: |-
  24944. Jwt authenticates with Vault by passing role and JWT token using the
  24945. JWT/OIDC authentication method
  24946. properties:
  24947. kubernetesServiceAccountToken:
  24948. description: |-
  24949. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  24950. a token for with the `TokenRequest` API.
  24951. properties:
  24952. audiences:
  24953. description: |-
  24954. Optional audiences field that will be used to request a temporary Kubernetes service
  24955. account token for the service account referenced by `serviceAccountRef`.
  24956. Defaults to a single audience `vault` it not specified.
  24957. Deprecated: use serviceAccountRef.Audiences instead
  24958. items:
  24959. type: string
  24960. type: array
  24961. expirationSeconds:
  24962. description: |-
  24963. Optional expiration time in seconds that will be used to request a temporary
  24964. Kubernetes service account token for the service account referenced by
  24965. `serviceAccountRef`.
  24966. Deprecated: this will be removed in the future.
  24967. Defaults to 10 minutes.
  24968. format: int64
  24969. type: integer
  24970. serviceAccountRef:
  24971. description: Service account field containing the name of a kubernetes ServiceAccount.
  24972. properties:
  24973. audiences:
  24974. description: |-
  24975. Audience specifies the `aud` claim for the service account token
  24976. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  24977. then this audiences will be appended to the list
  24978. items:
  24979. type: string
  24980. type: array
  24981. name:
  24982. description: The name of the ServiceAccount resource being referred to.
  24983. maxLength: 253
  24984. minLength: 1
  24985. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  24986. type: string
  24987. namespace:
  24988. description: |-
  24989. Namespace of the resource being referred to.
  24990. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  24991. maxLength: 63
  24992. minLength: 1
  24993. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  24994. type: string
  24995. required:
  24996. - name
  24997. type: object
  24998. required:
  24999. - serviceAccountRef
  25000. type: object
  25001. path:
  25002. default: jwt
  25003. description: |-
  25004. Path where the JWT authentication backend is mounted
  25005. in Vault, e.g: "jwt"
  25006. type: string
  25007. role:
  25008. description: |-
  25009. Role is a JWT role to authenticate using the JWT/OIDC Vault
  25010. authentication method
  25011. type: string
  25012. secretRef:
  25013. description: |-
  25014. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  25015. authenticate with Vault using the JWT/OIDC authentication method.
  25016. properties:
  25017. key:
  25018. description: |-
  25019. A key in the referenced Secret.
  25020. Some instances of this field may be defaulted, in others it may be required.
  25021. maxLength: 253
  25022. minLength: 1
  25023. pattern: ^[-._a-zA-Z0-9]+$
  25024. type: string
  25025. name:
  25026. description: The name of the Secret resource being referred to.
  25027. maxLength: 253
  25028. minLength: 1
  25029. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25030. type: string
  25031. namespace:
  25032. description: |-
  25033. The namespace of the Secret resource being referred to.
  25034. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25035. maxLength: 63
  25036. minLength: 1
  25037. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25038. type: string
  25039. type: object
  25040. required:
  25041. - path
  25042. type: object
  25043. kubernetes:
  25044. description: |-
  25045. Kubernetes authenticates with Vault by passing the ServiceAccount
  25046. token stored in the named Secret resource to the Vault server.
  25047. properties:
  25048. mountPath:
  25049. default: kubernetes
  25050. description: |-
  25051. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  25052. "kubernetes"
  25053. type: string
  25054. role:
  25055. description: |-
  25056. A required field containing the Vault Role to assume. A Role binds a
  25057. Kubernetes ServiceAccount with a set of Vault policies.
  25058. type: string
  25059. secretRef:
  25060. description: |-
  25061. Optional secret field containing a Kubernetes ServiceAccount JWT used
  25062. for authenticating with Vault. If a name is specified without a key,
  25063. `token` is the default. If one is not specified, the one bound to
  25064. the controller will be used.
  25065. properties:
  25066. key:
  25067. description: |-
  25068. A key in the referenced Secret.
  25069. Some instances of this field may be defaulted, in others it may be required.
  25070. maxLength: 253
  25071. minLength: 1
  25072. pattern: ^[-._a-zA-Z0-9]+$
  25073. type: string
  25074. name:
  25075. description: The name of the Secret resource being referred to.
  25076. maxLength: 253
  25077. minLength: 1
  25078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25079. type: string
  25080. namespace:
  25081. description: |-
  25082. The namespace of the Secret resource being referred to.
  25083. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25084. maxLength: 63
  25085. minLength: 1
  25086. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25087. type: string
  25088. type: object
  25089. serviceAccountRef:
  25090. description: |-
  25091. Optional service account field containing the name of a kubernetes ServiceAccount.
  25092. If the service account is specified, the service account secret token JWT will be used
  25093. for authenticating with Vault. If the service account selector is not supplied,
  25094. the secretRef will be used instead.
  25095. properties:
  25096. audiences:
  25097. description: |-
  25098. Audience specifies the `aud` claim for the service account token
  25099. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25100. then this audiences will be appended to the list
  25101. items:
  25102. type: string
  25103. type: array
  25104. name:
  25105. description: The name of the ServiceAccount resource being referred to.
  25106. maxLength: 253
  25107. minLength: 1
  25108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25109. type: string
  25110. namespace:
  25111. description: |-
  25112. Namespace of the resource being referred to.
  25113. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25114. maxLength: 63
  25115. minLength: 1
  25116. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25117. type: string
  25118. required:
  25119. - name
  25120. type: object
  25121. required:
  25122. - mountPath
  25123. - role
  25124. type: object
  25125. ldap:
  25126. description: |-
  25127. Ldap authenticates with Vault by passing username/password pair using
  25128. the LDAP authentication method
  25129. properties:
  25130. path:
  25131. default: ldap
  25132. description: |-
  25133. Path where the LDAP authentication backend is mounted
  25134. in Vault, e.g: "ldap"
  25135. type: string
  25136. secretRef:
  25137. description: |-
  25138. SecretRef to a key in a Secret resource containing password for the LDAP
  25139. user used to authenticate with Vault using the LDAP authentication
  25140. method
  25141. properties:
  25142. key:
  25143. description: |-
  25144. A key in the referenced Secret.
  25145. Some instances of this field may be defaulted, in others it may be required.
  25146. maxLength: 253
  25147. minLength: 1
  25148. pattern: ^[-._a-zA-Z0-9]+$
  25149. type: string
  25150. name:
  25151. description: The name of the Secret resource being referred to.
  25152. maxLength: 253
  25153. minLength: 1
  25154. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25155. type: string
  25156. namespace:
  25157. description: |-
  25158. The namespace of the Secret resource being referred to.
  25159. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25160. maxLength: 63
  25161. minLength: 1
  25162. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25163. type: string
  25164. type: object
  25165. username:
  25166. description: |-
  25167. Username is an LDAP username used to authenticate using the LDAP Vault
  25168. authentication method
  25169. type: string
  25170. required:
  25171. - path
  25172. - username
  25173. type: object
  25174. namespace:
  25175. description: |-
  25176. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  25177. Namespaces is a set of features within Vault Enterprise that allows
  25178. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25179. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25180. This will default to Vault.Namespace field if set, or empty otherwise
  25181. type: string
  25182. tokenSecretRef:
  25183. description: TokenSecretRef authenticates with Vault by presenting a token.
  25184. properties:
  25185. key:
  25186. description: |-
  25187. A key in the referenced Secret.
  25188. Some instances of this field may be defaulted, in others it may be required.
  25189. maxLength: 253
  25190. minLength: 1
  25191. pattern: ^[-._a-zA-Z0-9]+$
  25192. type: string
  25193. name:
  25194. description: The name of the Secret resource being referred to.
  25195. maxLength: 253
  25196. minLength: 1
  25197. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25198. type: string
  25199. namespace:
  25200. description: |-
  25201. The namespace of the Secret resource being referred to.
  25202. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25203. maxLength: 63
  25204. minLength: 1
  25205. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25206. type: string
  25207. type: object
  25208. userPass:
  25209. description: UserPass authenticates with Vault by passing username/password pair
  25210. properties:
  25211. path:
  25212. default: userpass
  25213. description: |-
  25214. Path where the UserPassword authentication backend is mounted
  25215. in Vault, e.g: "userpass"
  25216. type: string
  25217. secretRef:
  25218. description: |-
  25219. SecretRef to a key in a Secret resource containing password for the
  25220. user used to authenticate with Vault using the UserPass authentication
  25221. method
  25222. properties:
  25223. key:
  25224. description: |-
  25225. A key in the referenced Secret.
  25226. Some instances of this field may be defaulted, in others it may be required.
  25227. maxLength: 253
  25228. minLength: 1
  25229. pattern: ^[-._a-zA-Z0-9]+$
  25230. type: string
  25231. name:
  25232. description: The name of the Secret resource being referred to.
  25233. maxLength: 253
  25234. minLength: 1
  25235. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25236. type: string
  25237. namespace:
  25238. description: |-
  25239. The namespace of the Secret resource being referred to.
  25240. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25241. maxLength: 63
  25242. minLength: 1
  25243. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25244. type: string
  25245. type: object
  25246. username:
  25247. description: |-
  25248. Username is a username used to authenticate using the UserPass Vault
  25249. authentication method
  25250. type: string
  25251. required:
  25252. - path
  25253. - username
  25254. type: object
  25255. type: object
  25256. caBundle:
  25257. description: |-
  25258. PEM encoded CA bundle used to validate Vault server certificate. Only used
  25259. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25260. plain HTTP protocol connection. If not set the system root certificates
  25261. are used to validate the TLS connection.
  25262. format: byte
  25263. type: string
  25264. caProvider:
  25265. description: The provider for the CA bundle to use to validate Vault server certificate.
  25266. properties:
  25267. key:
  25268. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25269. maxLength: 253
  25270. minLength: 1
  25271. pattern: ^[-._a-zA-Z0-9]+$
  25272. type: string
  25273. name:
  25274. description: The name of the object located at the provider type.
  25275. maxLength: 253
  25276. minLength: 1
  25277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25278. type: string
  25279. namespace:
  25280. description: |-
  25281. The namespace the Provider type is in.
  25282. Can only be defined when used in a ClusterSecretStore.
  25283. maxLength: 63
  25284. minLength: 1
  25285. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25286. type: string
  25287. type:
  25288. description: The type of provider to use such as "Secret", or "ConfigMap".
  25289. enum:
  25290. - Secret
  25291. - ConfigMap
  25292. type: string
  25293. required:
  25294. - name
  25295. - type
  25296. type: object
  25297. forwardInconsistent:
  25298. description: |-
  25299. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  25300. leader instead of simply retrying within a loop. This can increase performance if
  25301. the option is enabled serverside.
  25302. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  25303. type: boolean
  25304. headers:
  25305. additionalProperties:
  25306. type: string
  25307. description: Headers to be added in Vault request
  25308. type: object
  25309. namespace:
  25310. description: |-
  25311. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  25312. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  25313. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  25314. type: string
  25315. path:
  25316. description: |-
  25317. Path is the mount path of the Vault KV backend endpoint, e.g:
  25318. "secret". The v2 KV secret engine version specific "/data" path suffix
  25319. for fetching secrets from Vault is optional and will be appended
  25320. if not present in specified path.
  25321. type: string
  25322. readYourWrites:
  25323. description: |-
  25324. ReadYourWrites ensures isolated read-after-write semantics by
  25325. providing discovered cluster replication states in each request.
  25326. More information about eventual consistency in Vault can be found here
  25327. https://www.vaultproject.io/docs/enterprise/consistency
  25328. type: boolean
  25329. server:
  25330. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  25331. type: string
  25332. tls:
  25333. description: |-
  25334. The configuration used for client side related TLS communication, when the Vault server
  25335. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  25336. This parameter is ignored for plain HTTP protocol connection.
  25337. It's worth noting this configuration is different from the "TLS certificates auth method",
  25338. which is available under the `auth.cert` section.
  25339. properties:
  25340. certSecretRef:
  25341. description: |-
  25342. CertSecretRef is a certificate added to the transport layer
  25343. when communicating with the Vault server.
  25344. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  25345. properties:
  25346. key:
  25347. description: |-
  25348. A key in the referenced Secret.
  25349. Some instances of this field may be defaulted, in others it may be required.
  25350. maxLength: 253
  25351. minLength: 1
  25352. pattern: ^[-._a-zA-Z0-9]+$
  25353. type: string
  25354. name:
  25355. description: The name of the Secret resource being referred to.
  25356. maxLength: 253
  25357. minLength: 1
  25358. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25359. type: string
  25360. namespace:
  25361. description: |-
  25362. The namespace of the Secret resource being referred to.
  25363. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25364. maxLength: 63
  25365. minLength: 1
  25366. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25367. type: string
  25368. type: object
  25369. keySecretRef:
  25370. description: |-
  25371. KeySecretRef to a key in a Secret resource containing client private key
  25372. added to the transport layer when communicating with the Vault server.
  25373. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  25374. properties:
  25375. key:
  25376. description: |-
  25377. A key in the referenced Secret.
  25378. Some instances of this field may be defaulted, in others it may be required.
  25379. maxLength: 253
  25380. minLength: 1
  25381. pattern: ^[-._a-zA-Z0-9]+$
  25382. type: string
  25383. name:
  25384. description: The name of the Secret resource being referred to.
  25385. maxLength: 253
  25386. minLength: 1
  25387. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25388. type: string
  25389. namespace:
  25390. description: |-
  25391. The namespace of the Secret resource being referred to.
  25392. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25393. maxLength: 63
  25394. minLength: 1
  25395. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25396. type: string
  25397. type: object
  25398. type: object
  25399. version:
  25400. default: v2
  25401. description: |-
  25402. Version is the Vault KV secret engine version. This can be either "v1" or
  25403. "v2". Version defaults to "v2".
  25404. enum:
  25405. - v1
  25406. - v2
  25407. type: string
  25408. required:
  25409. - server
  25410. type: object
  25411. webhook:
  25412. description: Webhook configures this store to sync secrets using a generic templated webhook
  25413. properties:
  25414. auth:
  25415. description: Auth specifies a authorization protocol. Only one protocol may be set.
  25416. maxProperties: 1
  25417. minProperties: 1
  25418. properties:
  25419. ntlm:
  25420. description: NTLMProtocol configures the store to use NTLM for auth
  25421. properties:
  25422. passwordSecret:
  25423. description: |-
  25424. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25425. In some instances, `key` is a required field.
  25426. properties:
  25427. key:
  25428. description: |-
  25429. A key in the referenced Secret.
  25430. Some instances of this field may be defaulted, in others it may be required.
  25431. maxLength: 253
  25432. minLength: 1
  25433. pattern: ^[-._a-zA-Z0-9]+$
  25434. type: string
  25435. name:
  25436. description: The name of the Secret resource being referred to.
  25437. maxLength: 253
  25438. minLength: 1
  25439. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25440. type: string
  25441. namespace:
  25442. description: |-
  25443. The namespace of the Secret resource being referred to.
  25444. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25445. maxLength: 63
  25446. minLength: 1
  25447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25448. type: string
  25449. type: object
  25450. usernameSecret:
  25451. description: |-
  25452. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25453. In some instances, `key` is a required field.
  25454. properties:
  25455. key:
  25456. description: |-
  25457. A key in the referenced Secret.
  25458. Some instances of this field may be defaulted, in others it may be required.
  25459. maxLength: 253
  25460. minLength: 1
  25461. pattern: ^[-._a-zA-Z0-9]+$
  25462. type: string
  25463. name:
  25464. description: The name of the Secret resource being referred to.
  25465. maxLength: 253
  25466. minLength: 1
  25467. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25468. type: string
  25469. namespace:
  25470. description: |-
  25471. The namespace of the Secret resource being referred to.
  25472. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25473. maxLength: 63
  25474. minLength: 1
  25475. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25476. type: string
  25477. type: object
  25478. required:
  25479. - passwordSecret
  25480. - usernameSecret
  25481. type: object
  25482. type: object
  25483. body:
  25484. description: Body
  25485. type: string
  25486. caBundle:
  25487. description: |-
  25488. PEM encoded CA bundle used to validate webhook server certificate. Only used
  25489. if the Server URL is using HTTPS protocol. This parameter is ignored for
  25490. plain HTTP protocol connection. If not set the system root certificates
  25491. are used to validate the TLS connection.
  25492. format: byte
  25493. type: string
  25494. caProvider:
  25495. description: The provider for the CA bundle to use to validate webhook server certificate.
  25496. properties:
  25497. key:
  25498. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  25499. maxLength: 253
  25500. minLength: 1
  25501. pattern: ^[-._a-zA-Z0-9]+$
  25502. type: string
  25503. name:
  25504. description: The name of the object located at the provider type.
  25505. maxLength: 253
  25506. minLength: 1
  25507. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25508. type: string
  25509. namespace:
  25510. description: The namespace the Provider type is in.
  25511. maxLength: 63
  25512. minLength: 1
  25513. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25514. type: string
  25515. type:
  25516. description: The type of provider to use such as "Secret", or "ConfigMap".
  25517. enum:
  25518. - Secret
  25519. - ConfigMap
  25520. type: string
  25521. required:
  25522. - name
  25523. - type
  25524. type: object
  25525. headers:
  25526. additionalProperties:
  25527. type: string
  25528. description: Headers
  25529. type: object
  25530. method:
  25531. description: Webhook Method
  25532. type: string
  25533. result:
  25534. description: Result formatting
  25535. properties:
  25536. jsonPath:
  25537. description: Json path of return value
  25538. type: string
  25539. type: object
  25540. secrets:
  25541. description: |-
  25542. Secrets to fill in templates
  25543. These secrets will be passed to the templating function as key value pairs under the given name
  25544. items:
  25545. description: WebhookSecret defines a secret to be used in webhook templates.
  25546. properties:
  25547. name:
  25548. description: Name of this secret in templates
  25549. type: string
  25550. secretRef:
  25551. description: Secret ref to fill in credentials
  25552. properties:
  25553. key:
  25554. description: |-
  25555. A key in the referenced Secret.
  25556. Some instances of this field may be defaulted, in others it may be required.
  25557. maxLength: 253
  25558. minLength: 1
  25559. pattern: ^[-._a-zA-Z0-9]+$
  25560. type: string
  25561. name:
  25562. description: The name of the Secret resource being referred to.
  25563. maxLength: 253
  25564. minLength: 1
  25565. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25566. type: string
  25567. namespace:
  25568. description: |-
  25569. The namespace of the Secret resource being referred to.
  25570. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25571. maxLength: 63
  25572. minLength: 1
  25573. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25574. type: string
  25575. type: object
  25576. required:
  25577. - name
  25578. - secretRef
  25579. type: object
  25580. type: array
  25581. timeout:
  25582. description: Timeout
  25583. type: string
  25584. url:
  25585. description: Webhook url to call
  25586. type: string
  25587. required:
  25588. - result
  25589. - url
  25590. type: object
  25591. yandexcertificatemanager:
  25592. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  25593. properties:
  25594. apiEndpoint:
  25595. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25596. type: string
  25597. auth:
  25598. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  25599. properties:
  25600. authorizedKeySecretRef:
  25601. description: The authorized key used for authentication
  25602. properties:
  25603. key:
  25604. description: |-
  25605. A key in the referenced Secret.
  25606. Some instances of this field may be defaulted, in others it may be required.
  25607. maxLength: 253
  25608. minLength: 1
  25609. pattern: ^[-._a-zA-Z0-9]+$
  25610. type: string
  25611. name:
  25612. description: The name of the Secret resource being referred to.
  25613. maxLength: 253
  25614. minLength: 1
  25615. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25616. type: string
  25617. namespace:
  25618. description: |-
  25619. The namespace of the Secret resource being referred to.
  25620. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25621. maxLength: 63
  25622. minLength: 1
  25623. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25624. type: string
  25625. type: object
  25626. type: object
  25627. caProvider:
  25628. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25629. properties:
  25630. certSecretRef:
  25631. description: |-
  25632. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25633. In some instances, `key` is a required field.
  25634. properties:
  25635. key:
  25636. description: |-
  25637. A key in the referenced Secret.
  25638. Some instances of this field may be defaulted, in others it may be required.
  25639. maxLength: 253
  25640. minLength: 1
  25641. pattern: ^[-._a-zA-Z0-9]+$
  25642. type: string
  25643. name:
  25644. description: The name of the Secret resource being referred to.
  25645. maxLength: 253
  25646. minLength: 1
  25647. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25648. type: string
  25649. namespace:
  25650. description: |-
  25651. The namespace of the Secret resource being referred to.
  25652. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25653. maxLength: 63
  25654. minLength: 1
  25655. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25656. type: string
  25657. type: object
  25658. type: object
  25659. required:
  25660. - auth
  25661. type: object
  25662. yandexlockbox:
  25663. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  25664. properties:
  25665. apiEndpoint:
  25666. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  25667. type: string
  25668. auth:
  25669. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  25670. properties:
  25671. authorizedKeySecretRef:
  25672. description: The authorized key used for authentication
  25673. properties:
  25674. key:
  25675. description: |-
  25676. A key in the referenced Secret.
  25677. Some instances of this field may be defaulted, in others it may be required.
  25678. maxLength: 253
  25679. minLength: 1
  25680. pattern: ^[-._a-zA-Z0-9]+$
  25681. type: string
  25682. name:
  25683. description: The name of the Secret resource being referred to.
  25684. maxLength: 253
  25685. minLength: 1
  25686. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25687. type: string
  25688. namespace:
  25689. description: |-
  25690. The namespace of the Secret resource being referred to.
  25691. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25692. maxLength: 63
  25693. minLength: 1
  25694. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25695. type: string
  25696. type: object
  25697. type: object
  25698. caProvider:
  25699. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  25700. properties:
  25701. certSecretRef:
  25702. description: |-
  25703. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  25704. In some instances, `key` is a required field.
  25705. properties:
  25706. key:
  25707. description: |-
  25708. A key in the referenced Secret.
  25709. Some instances of this field may be defaulted, in others it may be required.
  25710. maxLength: 253
  25711. minLength: 1
  25712. pattern: ^[-._a-zA-Z0-9]+$
  25713. type: string
  25714. name:
  25715. description: The name of the Secret resource being referred to.
  25716. maxLength: 253
  25717. minLength: 1
  25718. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25719. type: string
  25720. namespace:
  25721. description: |-
  25722. The namespace of the Secret resource being referred to.
  25723. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25724. maxLength: 63
  25725. minLength: 1
  25726. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25727. type: string
  25728. type: object
  25729. type: object
  25730. required:
  25731. - auth
  25732. type: object
  25733. type: object
  25734. refreshInterval:
  25735. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  25736. type: integer
  25737. retrySettings:
  25738. description: Used to configure HTTP retries on failures.
  25739. properties:
  25740. maxRetries:
  25741. description: MaxRetries is the maximum number of retry attempts.
  25742. format: int32
  25743. type: integer
  25744. retryInterval:
  25745. description: RetryInterval is the interval between retry attempts.
  25746. type: string
  25747. type: object
  25748. required:
  25749. - provider
  25750. type: object
  25751. status:
  25752. description: SecretStoreStatus defines the observed state of the SecretStore.
  25753. properties:
  25754. capabilities:
  25755. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  25756. type: string
  25757. conditions:
  25758. items:
  25759. description: SecretStoreStatusCondition defines the observed condition of the SecretStore.
  25760. properties:
  25761. lastTransitionTime:
  25762. format: date-time
  25763. type: string
  25764. message:
  25765. type: string
  25766. reason:
  25767. type: string
  25768. status:
  25769. type: string
  25770. type:
  25771. description: SecretStoreConditionType represents the condition type of the SecretStore.
  25772. type: string
  25773. required:
  25774. - status
  25775. - type
  25776. type: object
  25777. type: array
  25778. type: object
  25779. type: object
  25780. served: false
  25781. storage: false
  25782. subresources:
  25783. status: {}
  25784. ---
  25785. apiVersion: apiextensions.k8s.io/v1
  25786. kind: CustomResourceDefinition
  25787. metadata:
  25788. annotations:
  25789. controller-gen.kubebuilder.io/version: v0.19.0
  25790. labels:
  25791. external-secrets.io/component: controller
  25792. name: acraccesstokens.generators.external-secrets.io
  25793. spec:
  25794. group: generators.external-secrets.io
  25795. names:
  25796. categories:
  25797. - external-secrets
  25798. - external-secrets-generators
  25799. kind: ACRAccessToken
  25800. listKind: ACRAccessTokenList
  25801. plural: acraccesstokens
  25802. singular: acraccesstoken
  25803. scope: Namespaced
  25804. versions:
  25805. - name: v1alpha1
  25806. schema:
  25807. openAPIV3Schema:
  25808. description: |-
  25809. ACRAccessToken returns an Azure Container Registry token
  25810. that can be used for pushing/pulling images.
  25811. Note: by default it will return an ACR Refresh Token with full access
  25812. (depending on the identity).
  25813. This can be scoped down to the repository level using .spec.scope.
  25814. In case scope is defined it will return an ACR Access Token.
  25815. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  25816. properties:
  25817. apiVersion:
  25818. description: |-
  25819. APIVersion defines the versioned schema of this representation of an object.
  25820. Servers should convert recognized schemas to the latest internal value, and
  25821. may reject unrecognized values.
  25822. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  25823. type: string
  25824. kind:
  25825. description: |-
  25826. Kind is a string value representing the REST resource this object represents.
  25827. Servers may infer this from the endpoint the client submits requests to.
  25828. Cannot be updated.
  25829. In CamelCase.
  25830. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  25831. type: string
  25832. metadata:
  25833. type: object
  25834. spec:
  25835. description: |-
  25836. ACRAccessTokenSpec defines how to generate the access token
  25837. e.g. how to authenticate and which registry to use.
  25838. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  25839. properties:
  25840. auth:
  25841. description: ACRAuth defines the authentication methods for Azure Container Registry.
  25842. properties:
  25843. managedIdentity:
  25844. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  25845. properties:
  25846. identityId:
  25847. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  25848. type: string
  25849. type: object
  25850. servicePrincipal:
  25851. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  25852. properties:
  25853. secretRef:
  25854. description: |-
  25855. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  25856. It uses static credentials stored in a Kind=Secret.
  25857. properties:
  25858. clientId:
  25859. description: The Azure clientId of the service principle used for authentication.
  25860. properties:
  25861. key:
  25862. description: |-
  25863. A key in the referenced Secret.
  25864. Some instances of this field may be defaulted, in others it may be required.
  25865. maxLength: 253
  25866. minLength: 1
  25867. pattern: ^[-._a-zA-Z0-9]+$
  25868. type: string
  25869. name:
  25870. description: The name of the Secret resource being referred to.
  25871. maxLength: 253
  25872. minLength: 1
  25873. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25874. type: string
  25875. namespace:
  25876. description: |-
  25877. The namespace of the Secret resource being referred to.
  25878. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25879. maxLength: 63
  25880. minLength: 1
  25881. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25882. type: string
  25883. type: object
  25884. clientSecret:
  25885. description: The Azure ClientSecret of the service principle used for authentication.
  25886. properties:
  25887. key:
  25888. description: |-
  25889. A key in the referenced Secret.
  25890. Some instances of this field may be defaulted, in others it may be required.
  25891. maxLength: 253
  25892. minLength: 1
  25893. pattern: ^[-._a-zA-Z0-9]+$
  25894. type: string
  25895. name:
  25896. description: The name of the Secret resource being referred to.
  25897. maxLength: 253
  25898. minLength: 1
  25899. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25900. type: string
  25901. namespace:
  25902. description: |-
  25903. The namespace of the Secret resource being referred to.
  25904. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25905. maxLength: 63
  25906. minLength: 1
  25907. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25908. type: string
  25909. type: object
  25910. type: object
  25911. required:
  25912. - secretRef
  25913. type: object
  25914. workloadIdentity:
  25915. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  25916. properties:
  25917. serviceAccountRef:
  25918. description: |-
  25919. ServiceAccountRef specified the service account
  25920. that should be used when authenticating with WorkloadIdentity.
  25921. properties:
  25922. audiences:
  25923. description: |-
  25924. Audience specifies the `aud` claim for the service account token
  25925. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  25926. then this audiences will be appended to the list
  25927. items:
  25928. type: string
  25929. type: array
  25930. name:
  25931. description: The name of the ServiceAccount resource being referred to.
  25932. maxLength: 253
  25933. minLength: 1
  25934. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  25935. type: string
  25936. namespace:
  25937. description: |-
  25938. Namespace of the resource being referred to.
  25939. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  25940. maxLength: 63
  25941. minLength: 1
  25942. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  25943. type: string
  25944. required:
  25945. - name
  25946. type: object
  25947. type: object
  25948. type: object
  25949. environmentType:
  25950. default: PublicCloud
  25951. description: |-
  25952. EnvironmentType specifies the Azure cloud environment endpoints to use for
  25953. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  25954. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  25955. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  25956. enum:
  25957. - PublicCloud
  25958. - USGovernmentCloud
  25959. - ChinaCloud
  25960. - GermanCloud
  25961. - AzureStackCloud
  25962. type: string
  25963. registry:
  25964. description: |-
  25965. the domain name of the ACR registry
  25966. e.g. foobarexample.azurecr.io
  25967. type: string
  25968. scope:
  25969. description: |-
  25970. Define the scope for the access token, e.g. pull/push access for a repository.
  25971. if not provided it will return a refresh token that has full scope.
  25972. Note: you need to pin it down to the repository level, there is no wildcard available.
  25973. examples:
  25974. repository:my-repository:pull,push
  25975. repository:my-repository:pull
  25976. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  25977. type: string
  25978. tenantId:
  25979. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  25980. type: string
  25981. required:
  25982. - auth
  25983. - registry
  25984. type: object
  25985. type: object
  25986. served: true
  25987. storage: true
  25988. subresources:
  25989. status: {}
  25990. ---
  25991. apiVersion: apiextensions.k8s.io/v1
  25992. kind: CustomResourceDefinition
  25993. metadata:
  25994. annotations:
  25995. controller-gen.kubebuilder.io/version: v0.19.0
  25996. labels:
  25997. external-secrets.io/component: controller
  25998. name: beyondtrustworkloadcredentialsdynamicsecrets.generators.external-secrets.io
  25999. spec:
  26000. group: generators.external-secrets.io
  26001. names:
  26002. categories:
  26003. - external-secrets
  26004. - external-secrets-generators
  26005. kind: BeyondtrustWorkloadCredentialsDynamicSecret
  26006. listKind: BeyondtrustWorkloadCredentialsDynamicSecretList
  26007. plural: beyondtrustworkloadcredentialsdynamicsecrets
  26008. singular: beyondtrustworkloadcredentialsdynamicsecret
  26009. scope: Namespaced
  26010. versions:
  26011. - name: v1alpha1
  26012. schema:
  26013. openAPIV3Schema:
  26014. description: |-
  26015. BeyondtrustWorkloadCredentialsDynamicSecret represents a generator that requests dynamic credentials from BeyondTrust Workload Credentials.
  26016. This generator calls the BeyondTrust Workload Credentials API to generate fresh, temporary credentials
  26017. (such as AWS STS credentials) each time an ExternalSecret is refreshed.
  26018. Dynamic secret definitions must be created in BeyondTrust Workload Credentials before they can be referenced.
  26019. For complete documentation, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26020. properties:
  26021. apiVersion:
  26022. description: |-
  26023. APIVersion defines the versioned schema of this representation of an object.
  26024. Servers should convert recognized schemas to the latest internal value, and
  26025. may reject unrecognized values.
  26026. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26027. type: string
  26028. kind:
  26029. description: |-
  26030. Kind is a string value representing the REST resource this object represents.
  26031. Servers may infer this from the endpoint the client submits requests to.
  26032. Cannot be updated.
  26033. In CamelCase.
  26034. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26035. type: string
  26036. metadata:
  26037. type: object
  26038. spec:
  26039. description: |-
  26040. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26041. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26042. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26043. properties:
  26044. controller:
  26045. description: |-
  26046. Controller selects the controller that should handle this generator.
  26047. Leave empty to use the default controller.
  26048. type: string
  26049. provider:
  26050. description: |-
  26051. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26052. server connection details, and the folder path to the dynamic secret definition.
  26053. The folderPath should point to a dynamic secret definition that has been created in
  26054. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26055. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26056. properties:
  26057. auth:
  26058. description: |-
  26059. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26060. Currently supports API key authentication via Kubernetes secret reference.
  26061. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26062. properties:
  26063. apikey:
  26064. description: |-
  26065. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26066. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26067. properties:
  26068. token:
  26069. description: |-
  26070. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26071. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26072. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26073. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26074. properties:
  26075. key:
  26076. description: |-
  26077. A key in the referenced Secret.
  26078. Some instances of this field may be defaulted, in others it may be required.
  26079. maxLength: 253
  26080. minLength: 1
  26081. pattern: ^[-._a-zA-Z0-9]+$
  26082. type: string
  26083. name:
  26084. description: The name of the Secret resource being referred to.
  26085. maxLength: 253
  26086. minLength: 1
  26087. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26088. type: string
  26089. namespace:
  26090. description: |-
  26091. The namespace of the Secret resource being referred to.
  26092. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26093. maxLength: 63
  26094. minLength: 1
  26095. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26096. type: string
  26097. type: object
  26098. required:
  26099. - token
  26100. type: object
  26101. required:
  26102. - apikey
  26103. type: object
  26104. caBundle:
  26105. description: |-
  26106. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26107. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26108. If not set, the system's trusted root certificates are used.
  26109. format: byte
  26110. type: string
  26111. caProvider:
  26112. description: |-
  26113. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26114. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26115. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26116. properties:
  26117. key:
  26118. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26119. maxLength: 253
  26120. minLength: 1
  26121. pattern: ^[-._a-zA-Z0-9]+$
  26122. type: string
  26123. name:
  26124. description: The name of the object located at the provider type.
  26125. maxLength: 253
  26126. minLength: 1
  26127. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26128. type: string
  26129. namespace:
  26130. description: |-
  26131. The namespace the Provider type is in.
  26132. Can only be defined when used in a ClusterSecretStore.
  26133. maxLength: 63
  26134. minLength: 1
  26135. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26136. type: string
  26137. type:
  26138. description: The type of provider to use such as "Secret", or "ConfigMap".
  26139. enum:
  26140. - Secret
  26141. - ConfigMap
  26142. type: string
  26143. required:
  26144. - name
  26145. - type
  26146. type: object
  26147. folderPath:
  26148. description: |-
  26149. FolderPath specifies the default folder path for secret retrieval.
  26150. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26151. Example: "production/database" or "dev/api-keys"
  26152. Leave empty to retrieve secrets from the root folder.
  26153. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26154. type: string
  26155. server:
  26156. description: |-
  26157. Server configures the BeyondTrust Workload Credentials server connection details.
  26158. Includes the API URL and Site ID for your BeyondTrust instance.
  26159. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26160. properties:
  26161. apiUrl:
  26162. description: |-
  26163. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26164. This should be the full URL to your BeyondTrust instance.
  26165. Example: https://api.beyondtrust.io/siie
  26166. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26167. type: string
  26168. siteId:
  26169. description: |-
  26170. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26171. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26172. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26173. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26174. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26175. type: string
  26176. required:
  26177. - apiUrl
  26178. - siteId
  26179. type: object
  26180. required:
  26181. - auth
  26182. - server
  26183. type: object
  26184. retrySettings:
  26185. description: |-
  26186. RetrySettings configures exponential backoff for failed API requests.
  26187. If not specified, uses the default retry settings.
  26188. properties:
  26189. maxRetries:
  26190. format: int32
  26191. type: integer
  26192. retryInterval:
  26193. type: string
  26194. type: object
  26195. required:
  26196. - provider
  26197. type: object
  26198. type: object
  26199. served: true
  26200. storage: true
  26201. subresources:
  26202. status: {}
  26203. ---
  26204. apiVersion: apiextensions.k8s.io/v1
  26205. kind: CustomResourceDefinition
  26206. metadata:
  26207. annotations:
  26208. controller-gen.kubebuilder.io/version: v0.19.0
  26209. labels:
  26210. external-secrets.io/component: controller
  26211. name: cloudsmithaccesstokens.generators.external-secrets.io
  26212. spec:
  26213. group: generators.external-secrets.io
  26214. names:
  26215. categories:
  26216. - external-secrets
  26217. - external-secrets-generators
  26218. kind: CloudsmithAccessToken
  26219. listKind: CloudsmithAccessTokenList
  26220. plural: cloudsmithaccesstokens
  26221. singular: cloudsmithaccesstoken
  26222. scope: Namespaced
  26223. versions:
  26224. - name: v1alpha1
  26225. schema:
  26226. openAPIV3Schema:
  26227. description: CloudsmithAccessToken generates Cloudsmith access token using OIDC authentication
  26228. properties:
  26229. apiVersion:
  26230. description: |-
  26231. APIVersion defines the versioned schema of this representation of an object.
  26232. Servers should convert recognized schemas to the latest internal value, and
  26233. may reject unrecognized values.
  26234. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26235. type: string
  26236. kind:
  26237. description: |-
  26238. Kind is a string value representing the REST resource this object represents.
  26239. Servers may infer this from the endpoint the client submits requests to.
  26240. Cannot be updated.
  26241. In CamelCase.
  26242. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26243. type: string
  26244. metadata:
  26245. type: object
  26246. spec:
  26247. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26248. properties:
  26249. apiUrl:
  26250. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26251. type: string
  26252. orgSlug:
  26253. description: OrgSlug is the organization slug in Cloudsmith
  26254. type: string
  26255. serviceAccountRef:
  26256. description: Name of the service account you are federating with
  26257. properties:
  26258. audiences:
  26259. description: |-
  26260. Audience specifies the `aud` claim for the service account token
  26261. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26262. then this audiences will be appended to the list
  26263. items:
  26264. type: string
  26265. type: array
  26266. name:
  26267. description: The name of the ServiceAccount resource being referred to.
  26268. maxLength: 253
  26269. minLength: 1
  26270. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26271. type: string
  26272. namespace:
  26273. description: |-
  26274. Namespace of the resource being referred to.
  26275. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26276. maxLength: 63
  26277. minLength: 1
  26278. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26279. type: string
  26280. required:
  26281. - name
  26282. type: object
  26283. serviceSlug:
  26284. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26285. type: string
  26286. required:
  26287. - orgSlug
  26288. - serviceAccountRef
  26289. - serviceSlug
  26290. type: object
  26291. type: object
  26292. served: true
  26293. storage: true
  26294. subresources:
  26295. status: {}
  26296. ---
  26297. apiVersion: apiextensions.k8s.io/v1
  26298. kind: CustomResourceDefinition
  26299. metadata:
  26300. annotations:
  26301. controller-gen.kubebuilder.io/version: v0.19.0
  26302. labels:
  26303. external-secrets.io/component: controller
  26304. name: clustergenerators.generators.external-secrets.io
  26305. spec:
  26306. group: generators.external-secrets.io
  26307. names:
  26308. categories:
  26309. - external-secrets
  26310. - external-secrets-generators
  26311. kind: ClusterGenerator
  26312. listKind: ClusterGeneratorList
  26313. plural: clustergenerators
  26314. singular: clustergenerator
  26315. scope: Cluster
  26316. versions:
  26317. - name: v1alpha1
  26318. schema:
  26319. openAPIV3Schema:
  26320. description: ClusterGenerator represents a cluster-wide generator which can be referenced as part of `generatorRef` fields.
  26321. properties:
  26322. apiVersion:
  26323. description: |-
  26324. APIVersion defines the versioned schema of this representation of an object.
  26325. Servers should convert recognized schemas to the latest internal value, and
  26326. may reject unrecognized values.
  26327. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  26328. type: string
  26329. kind:
  26330. description: |-
  26331. Kind is a string value representing the REST resource this object represents.
  26332. Servers may infer this from the endpoint the client submits requests to.
  26333. Cannot be updated.
  26334. In CamelCase.
  26335. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  26336. type: string
  26337. metadata:
  26338. type: object
  26339. spec:
  26340. description: ClusterGeneratorSpec defines the desired state of a ClusterGenerator.
  26341. properties:
  26342. generator:
  26343. description: Generator the spec for this generator, must match the kind.
  26344. maxProperties: 1
  26345. minProperties: 1
  26346. properties:
  26347. acrAccessTokenSpec:
  26348. description: |-
  26349. ACRAccessTokenSpec defines how to generate the access token
  26350. e.g. how to authenticate and which registry to use.
  26351. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  26352. properties:
  26353. auth:
  26354. description: ACRAuth defines the authentication methods for Azure Container Registry.
  26355. properties:
  26356. managedIdentity:
  26357. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  26358. properties:
  26359. identityId:
  26360. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  26361. type: string
  26362. type: object
  26363. servicePrincipal:
  26364. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  26365. properties:
  26366. secretRef:
  26367. description: |-
  26368. AzureACRServicePrincipalAuthSecretRef defines the secret references for Azure Service Principal authentication.
  26369. It uses static credentials stored in a Kind=Secret.
  26370. properties:
  26371. clientId:
  26372. description: The Azure clientId of the service principle used for authentication.
  26373. properties:
  26374. key:
  26375. description: |-
  26376. A key in the referenced Secret.
  26377. Some instances of this field may be defaulted, in others it may be required.
  26378. maxLength: 253
  26379. minLength: 1
  26380. pattern: ^[-._a-zA-Z0-9]+$
  26381. type: string
  26382. name:
  26383. description: The name of the Secret resource being referred to.
  26384. maxLength: 253
  26385. minLength: 1
  26386. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26387. type: string
  26388. namespace:
  26389. description: |-
  26390. The namespace of the Secret resource being referred to.
  26391. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26392. maxLength: 63
  26393. minLength: 1
  26394. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26395. type: string
  26396. type: object
  26397. clientSecret:
  26398. description: The Azure ClientSecret of the service principle used for authentication.
  26399. properties:
  26400. key:
  26401. description: |-
  26402. A key in the referenced Secret.
  26403. Some instances of this field may be defaulted, in others it may be required.
  26404. maxLength: 253
  26405. minLength: 1
  26406. pattern: ^[-._a-zA-Z0-9]+$
  26407. type: string
  26408. name:
  26409. description: The name of the Secret resource being referred to.
  26410. maxLength: 253
  26411. minLength: 1
  26412. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26413. type: string
  26414. namespace:
  26415. description: |-
  26416. The namespace of the Secret resource being referred to.
  26417. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26418. maxLength: 63
  26419. minLength: 1
  26420. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26421. type: string
  26422. type: object
  26423. type: object
  26424. required:
  26425. - secretRef
  26426. type: object
  26427. workloadIdentity:
  26428. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  26429. properties:
  26430. serviceAccountRef:
  26431. description: |-
  26432. ServiceAccountRef specified the service account
  26433. that should be used when authenticating with WorkloadIdentity.
  26434. properties:
  26435. audiences:
  26436. description: |-
  26437. Audience specifies the `aud` claim for the service account token
  26438. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26439. then this audiences will be appended to the list
  26440. items:
  26441. type: string
  26442. type: array
  26443. name:
  26444. description: The name of the ServiceAccount resource being referred to.
  26445. maxLength: 253
  26446. minLength: 1
  26447. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26448. type: string
  26449. namespace:
  26450. description: |-
  26451. Namespace of the resource being referred to.
  26452. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26453. maxLength: 63
  26454. minLength: 1
  26455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26456. type: string
  26457. required:
  26458. - name
  26459. type: object
  26460. type: object
  26461. type: object
  26462. environmentType:
  26463. default: PublicCloud
  26464. description: |-
  26465. EnvironmentType specifies the Azure cloud environment endpoints to use for
  26466. connecting and authenticating with Azure. By default, it points to the public cloud AAD endpoint.
  26467. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  26468. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  26469. enum:
  26470. - PublicCloud
  26471. - USGovernmentCloud
  26472. - ChinaCloud
  26473. - GermanCloud
  26474. - AzureStackCloud
  26475. type: string
  26476. registry:
  26477. description: |-
  26478. the domain name of the ACR registry
  26479. e.g. foobarexample.azurecr.io
  26480. type: string
  26481. scope:
  26482. description: |-
  26483. Define the scope for the access token, e.g. pull/push access for a repository.
  26484. if not provided it will return a refresh token that has full scope.
  26485. Note: you need to pin it down to the repository level, there is no wildcard available.
  26486. examples:
  26487. repository:my-repository:pull,push
  26488. repository:my-repository:pull
  26489. see docs for details: https://docs.docker.com/registry/spec/auth/scope/
  26490. type: string
  26491. tenantId:
  26492. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  26493. type: string
  26494. required:
  26495. - auth
  26496. - registry
  26497. type: object
  26498. beyondtrustWorkloadCredentialsDynamicSecretSpec:
  26499. description: |-
  26500. BeyondtrustWorkloadCredentialsDynamicSecretSpec defines the desired spec for BeyondtrustWorkloadCredentials dynamic generator.
  26501. This generator enables obtaining temporary, short-lived credentials from BeyondTrust Workload Credentials.
  26502. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26503. properties:
  26504. controller:
  26505. description: |-
  26506. Controller selects the controller that should handle this generator.
  26507. Leave empty to use the default controller.
  26508. type: string
  26509. provider:
  26510. description: |-
  26511. Provider contains the BeyondtrustWorkloadCredentials provider configuration including authentication,
  26512. server connection details, and the folder path to the dynamic secret definition.
  26513. The folderPath should point to a dynamic secret definition that has been created in
  26514. BeyondTrust Workload Credentials (e.g., "production/aws-temp").
  26515. For setup details, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26516. properties:
  26517. auth:
  26518. description: |-
  26519. Auth configures how the Operator authenticates with the BeyondTrust Workload Credentials API.
  26520. Currently supports API key authentication via Kubernetes secret reference.
  26521. For authentication setup, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26522. properties:
  26523. apikey:
  26524. description: |-
  26525. APIKey configures API token authentication for BeyondTrust Workload Credentials.
  26526. The token is retrieved from a Kubernetes secret and used as a Bearer token for API requests.
  26527. properties:
  26528. token:
  26529. description: |-
  26530. Token references the Kubernetes secret containing the BeyondTrust Workload Credentials API token.
  26531. The secret should contain the API key used to authenticate with BeyondTrust Workload Credentials.
  26532. Create an API token in your BeyondTrust Workload Credentials console and store it in a Kubernetes secret.
  26533. For details on creating API tokens, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#authentication
  26534. properties:
  26535. key:
  26536. description: |-
  26537. A key in the referenced Secret.
  26538. Some instances of this field may be defaulted, in others it may be required.
  26539. maxLength: 253
  26540. minLength: 1
  26541. pattern: ^[-._a-zA-Z0-9]+$
  26542. type: string
  26543. name:
  26544. description: The name of the Secret resource being referred to.
  26545. maxLength: 253
  26546. minLength: 1
  26547. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26548. type: string
  26549. namespace:
  26550. description: |-
  26551. The namespace of the Secret resource being referred to.
  26552. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26553. maxLength: 63
  26554. minLength: 1
  26555. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26556. type: string
  26557. type: object
  26558. required:
  26559. - token
  26560. type: object
  26561. required:
  26562. - apikey
  26563. type: object
  26564. caBundle:
  26565. description: |-
  26566. CABundle is a base64-encoded CA certificate used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26567. Use this when your BeyondTrust instance uses a self-signed certificate or internal CA.
  26568. If not set, the system's trusted root certificates are used.
  26569. format: byte
  26570. type: string
  26571. caProvider:
  26572. description: |-
  26573. CAProvider points to a Secret or ConfigMap containing a PEM-encoded CA certificate.
  26574. This is used to validate the BeyondTrust Workload Credentials API TLS certificate.
  26575. Use this as an alternative to CABundle when you want to reference an existing Kubernetes resource.
  26576. properties:
  26577. key:
  26578. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  26579. maxLength: 253
  26580. minLength: 1
  26581. pattern: ^[-._a-zA-Z0-9]+$
  26582. type: string
  26583. name:
  26584. description: The name of the object located at the provider type.
  26585. maxLength: 253
  26586. minLength: 1
  26587. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26588. type: string
  26589. namespace:
  26590. description: |-
  26591. The namespace the Provider type is in.
  26592. Can only be defined when used in a ClusterSecretStore.
  26593. maxLength: 63
  26594. minLength: 1
  26595. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26596. type: string
  26597. type:
  26598. description: The type of provider to use such as "Secret", or "ConfigMap".
  26599. enum:
  26600. - Secret
  26601. - ConfigMap
  26602. type: string
  26603. required:
  26604. - name
  26605. - type
  26606. type: object
  26607. folderPath:
  26608. description: |-
  26609. FolderPath specifies the default folder path for secret retrieval.
  26610. Secrets will be fetched from this folder unless overridden in the ExternalSecret spec.
  26611. Example: "production/database" or "dev/api-keys"
  26612. Leave empty to retrieve secrets from the root folder.
  26613. For folder organization, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#folders
  26614. type: string
  26615. server:
  26616. description: |-
  26617. Server configures the BeyondTrust Workload Credentials server connection details.
  26618. Includes the API URL and Site ID for your BeyondTrust instance.
  26619. For API reference, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26620. properties:
  26621. apiUrl:
  26622. description: |-
  26623. APIURL is the base URL of your BeyondTrust Workload Credentials API server.
  26624. This should be the full URL to your BeyondTrust instance.
  26625. Example: https://api.beyondtrust.io/siie
  26626. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api#base-url
  26627. type: string
  26628. siteId:
  26629. description: |-
  26630. SiteID is your BeyondTrust Workload Credentials site identifier (UUID format).
  26631. This identifier is unique to your BeyondTrust Workload Credentials instance.
  26632. You can find your Site ID in the BeyondTrust Workload Credentials admin console.
  26633. Example: a1b2c3d4-e5f6-4890-abcd-ef1234567890
  26634. For more information, see: https://docs.beyondtrust.com/bt-docs/docs/secrets-api
  26635. type: string
  26636. required:
  26637. - apiUrl
  26638. - siteId
  26639. type: object
  26640. required:
  26641. - auth
  26642. - server
  26643. type: object
  26644. retrySettings:
  26645. description: |-
  26646. RetrySettings configures exponential backoff for failed API requests.
  26647. If not specified, uses the default retry settings.
  26648. properties:
  26649. maxRetries:
  26650. format: int32
  26651. type: integer
  26652. retryInterval:
  26653. type: string
  26654. type: object
  26655. required:
  26656. - provider
  26657. type: object
  26658. cloudsmithAccessTokenSpec:
  26659. description: CloudsmithAccessTokenSpec defines the configuration for generating a Cloudsmith access token using OIDC authentication.
  26660. properties:
  26661. apiUrl:
  26662. description: APIURL configures the Cloudsmith API URL. Defaults to https://api.cloudsmith.io.
  26663. type: string
  26664. orgSlug:
  26665. description: OrgSlug is the organization slug in Cloudsmith
  26666. type: string
  26667. serviceAccountRef:
  26668. description: Name of the service account you are federating with
  26669. properties:
  26670. audiences:
  26671. description: |-
  26672. Audience specifies the `aud` claim for the service account token
  26673. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26674. then this audiences will be appended to the list
  26675. items:
  26676. type: string
  26677. type: array
  26678. name:
  26679. description: The name of the ServiceAccount resource being referred to.
  26680. maxLength: 253
  26681. minLength: 1
  26682. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26683. type: string
  26684. namespace:
  26685. description: |-
  26686. Namespace of the resource being referred to.
  26687. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26688. maxLength: 63
  26689. minLength: 1
  26690. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26691. type: string
  26692. required:
  26693. - name
  26694. type: object
  26695. serviceSlug:
  26696. description: ServiceSlug is the service slug in Cloudsmith for OIDC authentication
  26697. type: string
  26698. required:
  26699. - orgSlug
  26700. - serviceAccountRef
  26701. - serviceSlug
  26702. type: object
  26703. ecrAuthorizationTokenSpec:
  26704. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  26705. properties:
  26706. auth:
  26707. description: Auth defines how to authenticate with AWS
  26708. properties:
  26709. jwt:
  26710. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  26711. properties:
  26712. serviceAccountRef:
  26713. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26714. properties:
  26715. audiences:
  26716. description: |-
  26717. Audience specifies the `aud` claim for the service account token
  26718. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26719. then this audiences will be appended to the list
  26720. items:
  26721. type: string
  26722. type: array
  26723. name:
  26724. description: The name of the ServiceAccount resource being referred to.
  26725. maxLength: 253
  26726. minLength: 1
  26727. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26728. type: string
  26729. namespace:
  26730. description: |-
  26731. Namespace of the resource being referred to.
  26732. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26733. maxLength: 63
  26734. minLength: 1
  26735. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26736. type: string
  26737. required:
  26738. - name
  26739. type: object
  26740. type: object
  26741. secretRef:
  26742. description: |-
  26743. AWSAuthSecretRef holds secret references for AWS credentials
  26744. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  26745. properties:
  26746. accessKeyIDSecretRef:
  26747. description: The AccessKeyID is used for authentication
  26748. properties:
  26749. key:
  26750. description: |-
  26751. A key in the referenced Secret.
  26752. Some instances of this field may be defaulted, in others it may be required.
  26753. maxLength: 253
  26754. minLength: 1
  26755. pattern: ^[-._a-zA-Z0-9]+$
  26756. type: string
  26757. name:
  26758. description: The name of the Secret resource being referred to.
  26759. maxLength: 253
  26760. minLength: 1
  26761. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26762. type: string
  26763. namespace:
  26764. description: |-
  26765. The namespace of the Secret resource being referred to.
  26766. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26767. maxLength: 63
  26768. minLength: 1
  26769. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26770. type: string
  26771. type: object
  26772. secretAccessKeySecretRef:
  26773. description: The SecretAccessKey is used for authentication
  26774. properties:
  26775. key:
  26776. description: |-
  26777. A key in the referenced Secret.
  26778. Some instances of this field may be defaulted, in others it may be required.
  26779. maxLength: 253
  26780. minLength: 1
  26781. pattern: ^[-._a-zA-Z0-9]+$
  26782. type: string
  26783. name:
  26784. description: The name of the Secret resource being referred to.
  26785. maxLength: 253
  26786. minLength: 1
  26787. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26788. type: string
  26789. namespace:
  26790. description: |-
  26791. The namespace of the Secret resource being referred to.
  26792. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26793. maxLength: 63
  26794. minLength: 1
  26795. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26796. type: string
  26797. type: object
  26798. sessionTokenSecretRef:
  26799. description: |-
  26800. The SessionToken used for authentication
  26801. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  26802. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  26803. properties:
  26804. key:
  26805. description: |-
  26806. A key in the referenced Secret.
  26807. Some instances of this field may be defaulted, in others it may be required.
  26808. maxLength: 253
  26809. minLength: 1
  26810. pattern: ^[-._a-zA-Z0-9]+$
  26811. type: string
  26812. name:
  26813. description: The name of the Secret resource being referred to.
  26814. maxLength: 253
  26815. minLength: 1
  26816. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26817. type: string
  26818. namespace:
  26819. description: |-
  26820. The namespace of the Secret resource being referred to.
  26821. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26822. maxLength: 63
  26823. minLength: 1
  26824. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26825. type: string
  26826. type: object
  26827. type: object
  26828. type: object
  26829. region:
  26830. description: Region specifies the region to operate in.
  26831. type: string
  26832. role:
  26833. description: |-
  26834. You can assume a role before making calls to the
  26835. desired AWS service.
  26836. type: string
  26837. scope:
  26838. description: |-
  26839. Scope specifies the ECR service scope.
  26840. Valid options are private and public.
  26841. type: string
  26842. required:
  26843. - region
  26844. type: object
  26845. fakeSpec:
  26846. description: FakeSpec contains the static data.
  26847. properties:
  26848. controller:
  26849. description: |-
  26850. Used to select the correct ESO controller (think: ingress.ingressClassName)
  26851. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  26852. type: string
  26853. data:
  26854. additionalProperties:
  26855. type: string
  26856. description: |-
  26857. Data defines the static data returned
  26858. by this generator.
  26859. type: object
  26860. type: object
  26861. gcrAccessTokenSpec:
  26862. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  26863. properties:
  26864. auth:
  26865. description: Auth defines the means for authenticating with GCP
  26866. properties:
  26867. secretRef:
  26868. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  26869. properties:
  26870. secretAccessKeySecretRef:
  26871. description: The SecretAccessKey is used for authentication
  26872. properties:
  26873. key:
  26874. description: |-
  26875. A key in the referenced Secret.
  26876. Some instances of this field may be defaulted, in others it may be required.
  26877. maxLength: 253
  26878. minLength: 1
  26879. pattern: ^[-._a-zA-Z0-9]+$
  26880. type: string
  26881. name:
  26882. description: The name of the Secret resource being referred to.
  26883. maxLength: 253
  26884. minLength: 1
  26885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26886. type: string
  26887. namespace:
  26888. description: |-
  26889. The namespace of the Secret resource being referred to.
  26890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26891. maxLength: 63
  26892. minLength: 1
  26893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26894. type: string
  26895. type: object
  26896. type: object
  26897. workloadIdentity:
  26898. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  26899. properties:
  26900. clusterLocation:
  26901. type: string
  26902. clusterName:
  26903. type: string
  26904. clusterProjectID:
  26905. type: string
  26906. serviceAccountRef:
  26907. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  26908. properties:
  26909. audiences:
  26910. description: |-
  26911. Audience specifies the `aud` claim for the service account token
  26912. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  26913. then this audiences will be appended to the list
  26914. items:
  26915. type: string
  26916. type: array
  26917. name:
  26918. description: The name of the ServiceAccount resource being referred to.
  26919. maxLength: 253
  26920. minLength: 1
  26921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26922. type: string
  26923. namespace:
  26924. description: |-
  26925. Namespace of the resource being referred to.
  26926. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  26927. maxLength: 63
  26928. minLength: 1
  26929. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26930. type: string
  26931. required:
  26932. - name
  26933. type: object
  26934. required:
  26935. - clusterLocation
  26936. - clusterName
  26937. - serviceAccountRef
  26938. type: object
  26939. workloadIdentityFederation:
  26940. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  26941. properties:
  26942. audience:
  26943. description: |-
  26944. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  26945. If specified, Audience found in the external account credential config will be overridden with the configured value.
  26946. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  26947. type: string
  26948. awsSecurityCredentials:
  26949. description: |-
  26950. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  26951. when using the AWS metadata server is not an option.
  26952. properties:
  26953. awsCredentialsSecretRef:
  26954. description: |-
  26955. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  26956. Secret should be created with below names for keys
  26957. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  26958. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  26959. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  26960. properties:
  26961. name:
  26962. description: name of the secret.
  26963. maxLength: 253
  26964. minLength: 1
  26965. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  26966. type: string
  26967. namespace:
  26968. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  26969. maxLength: 63
  26970. minLength: 1
  26971. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  26972. type: string
  26973. required:
  26974. - name
  26975. type: object
  26976. region:
  26977. description: region is for configuring the AWS region to be used.
  26978. example: ap-south-1
  26979. maxLength: 50
  26980. minLength: 1
  26981. pattern: ^[a-z0-9-]+$
  26982. type: string
  26983. required:
  26984. - awsCredentialsSecretRef
  26985. - region
  26986. type: object
  26987. credConfig:
  26988. description: |-
  26989. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  26990. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  26991. serviceAccountRef must be used by providing operators service account details.
  26992. properties:
  26993. key:
  26994. description: key name holding the external account credential config.
  26995. maxLength: 253
  26996. minLength: 1
  26997. pattern: ^[-._a-zA-Z0-9]+$
  26998. type: string
  26999. name:
  27000. description: name of the configmap.
  27001. maxLength: 253
  27002. minLength: 1
  27003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27004. type: string
  27005. namespace:
  27006. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  27007. maxLength: 63
  27008. minLength: 1
  27009. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27010. type: string
  27011. required:
  27012. - key
  27013. - name
  27014. type: object
  27015. externalTokenEndpoint:
  27016. description: |-
  27017. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  27018. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  27019. URL is having the expected value.
  27020. type: string
  27021. gcpServiceAccountEmail:
  27022. description: |-
  27023. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  27024. after Workload Identity Federation. Use this to grant access through the service account's
  27025. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  27026. service_account_impersonation_url in the external account JSON from credConfig;
  27027. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  27028. on that ServiceAccount.
  27029. example: my-gsa@my-project.iam.gserviceaccount.com
  27030. minLength: 1
  27031. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  27032. type: string
  27033. serviceAccountRef:
  27034. description: |-
  27035. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  27036. when Kubernetes is configured as provider in workload identity pool.
  27037. properties:
  27038. audiences:
  27039. description: |-
  27040. Audience specifies the `aud` claim for the service account token
  27041. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27042. then this audiences will be appended to the list
  27043. items:
  27044. type: string
  27045. type: array
  27046. name:
  27047. description: The name of the ServiceAccount resource being referred to.
  27048. maxLength: 253
  27049. minLength: 1
  27050. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27051. type: string
  27052. namespace:
  27053. description: |-
  27054. Namespace of the resource being referred to.
  27055. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27056. maxLength: 63
  27057. minLength: 1
  27058. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27059. type: string
  27060. required:
  27061. - name
  27062. type: object
  27063. type: object
  27064. type: object
  27065. projectID:
  27066. description: ProjectID defines which project to use to authenticate with
  27067. type: string
  27068. required:
  27069. - auth
  27070. - projectID
  27071. type: object
  27072. githubAccessTokenSpec:
  27073. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  27074. properties:
  27075. appID:
  27076. type: string
  27077. auth:
  27078. description: Auth configures how ESO authenticates with a Github instance.
  27079. properties:
  27080. privateKey:
  27081. description: GithubSecretRef references a secret containing GitHub credentials.
  27082. properties:
  27083. secretRef:
  27084. description: |-
  27085. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27086. In some instances, `key` is a required field.
  27087. properties:
  27088. key:
  27089. description: |-
  27090. A key in the referenced Secret.
  27091. Some instances of this field may be defaulted, in others it may be required.
  27092. maxLength: 253
  27093. minLength: 1
  27094. pattern: ^[-._a-zA-Z0-9]+$
  27095. type: string
  27096. name:
  27097. description: The name of the Secret resource being referred to.
  27098. maxLength: 253
  27099. minLength: 1
  27100. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27101. type: string
  27102. namespace:
  27103. description: |-
  27104. The namespace of the Secret resource being referred to.
  27105. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27106. maxLength: 63
  27107. minLength: 1
  27108. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27109. type: string
  27110. type: object
  27111. required:
  27112. - secretRef
  27113. type: object
  27114. required:
  27115. - privateKey
  27116. type: object
  27117. installID:
  27118. type: string
  27119. permissions:
  27120. additionalProperties:
  27121. type: string
  27122. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  27123. type: object
  27124. repositories:
  27125. description: |-
  27126. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  27127. is installed to.
  27128. items:
  27129. type: string
  27130. type: array
  27131. url:
  27132. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  27133. type: string
  27134. required:
  27135. - appID
  27136. - auth
  27137. - installID
  27138. type: object
  27139. gitlabDeployTokenSpec:
  27140. description: GitlabDeployTokenSpec defines the desired state to generate a GitLab deploy token.
  27141. properties:
  27142. auth:
  27143. description: Auth configures how ESO authenticates with the GitLab API.
  27144. properties:
  27145. token:
  27146. description: |-
  27147. Token references a secret containing a GitLab access token (personal, group, or
  27148. project) with the api scope and at least the Maintainer role on the target.
  27149. properties:
  27150. secretRef:
  27151. description: |-
  27152. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  27153. In some instances, `key` is a required field.
  27154. properties:
  27155. key:
  27156. description: |-
  27157. A key in the referenced Secret.
  27158. Some instances of this field may be defaulted, in others it may be required.
  27159. maxLength: 253
  27160. minLength: 1
  27161. pattern: ^[-._a-zA-Z0-9]+$
  27162. type: string
  27163. name:
  27164. description: The name of the Secret resource being referred to.
  27165. maxLength: 253
  27166. minLength: 1
  27167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27168. type: string
  27169. namespace:
  27170. description: |-
  27171. The namespace of the Secret resource being referred to.
  27172. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27173. maxLength: 63
  27174. minLength: 1
  27175. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27176. type: string
  27177. type: object
  27178. required:
  27179. - secretRef
  27180. type: object
  27181. required:
  27182. - token
  27183. type: object
  27184. expiresAt:
  27185. description: |-
  27186. ExpiresAt is an optional expiry for the deploy token. If omitted the token does
  27187. not expire on the GitLab side and is revoked only when the generator state is
  27188. cleaned up (on regeneration or when the consuming ExternalSecret is deleted).
  27189. format: date-time
  27190. type: string
  27191. groupID:
  27192. description: |-
  27193. GroupID is the numeric ID or unescaped path (e.g. parent/group) of the group to
  27194. create the deploy token in. The generator URL-escapes paths before calling the
  27195. GitLab API, so do not pre-encode. Mutually exclusive with projectID.
  27196. minLength: 1
  27197. type: string
  27198. name:
  27199. description: Name of the deploy token.
  27200. minLength: 1
  27201. type: string
  27202. projectID:
  27203. description: |-
  27204. ProjectID is the numeric ID or unescaped path (e.g. group/project) of the
  27205. project to create the deploy token in. The generator URL-escapes paths before
  27206. calling the GitLab API, so do not pre-encode. Mutually exclusive with groupID.
  27207. minLength: 1
  27208. type: string
  27209. scopes:
  27210. description: Scopes granted to the deploy token. At least one scope is required.
  27211. items:
  27212. description: GitlabDeployTokenScope is a scope that can be granted to a GitLab deploy token.
  27213. enum:
  27214. - read_repository
  27215. - read_registry
  27216. - write_registry
  27217. - read_package_registry
  27218. - write_package_registry
  27219. - read_virtual_registry
  27220. - write_virtual_registry
  27221. type: string
  27222. minItems: 1
  27223. type: array
  27224. url:
  27225. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com.
  27226. type: string
  27227. username:
  27228. description: |-
  27229. Username is an optional username for the deploy token. GitLab defaults it to
  27230. gitlab+deploy-token-{n} when omitted.
  27231. type: string
  27232. required:
  27233. - auth
  27234. - name
  27235. - scopes
  27236. type: object
  27237. x-kubernetes-validations:
  27238. - message: exactly one of projectID or groupID must be set
  27239. rule: has(self.projectID) != has(self.groupID)
  27240. grafanaSpec:
  27241. description: GrafanaSpec controls the behavior of the grafana generator.
  27242. properties:
  27243. auth:
  27244. description: |-
  27245. Auth is the authentication configuration to authenticate
  27246. against the Grafana instance.
  27247. properties:
  27248. basic:
  27249. description: |-
  27250. Basic auth credentials used to authenticate against the Grafana instance.
  27251. Note: you need a token which has elevated permissions to create service accounts.
  27252. See here for the documentation on basic roles offered by Grafana:
  27253. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27254. properties:
  27255. password:
  27256. description: A basic auth password used to authenticate against the Grafana instance.
  27257. properties:
  27258. key:
  27259. description: The key where the token is found.
  27260. maxLength: 253
  27261. minLength: 1
  27262. pattern: ^[-._a-zA-Z0-9]+$
  27263. type: string
  27264. name:
  27265. description: The name of the Secret resource being referred to.
  27266. maxLength: 253
  27267. minLength: 1
  27268. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27269. type: string
  27270. type: object
  27271. username:
  27272. description: A basic auth username used to authenticate against the Grafana instance.
  27273. type: string
  27274. required:
  27275. - password
  27276. - username
  27277. type: object
  27278. token:
  27279. description: |-
  27280. A service account token used to authenticate against the Grafana instance.
  27281. Note: you need a token which has elevated permissions to create service accounts.
  27282. See here for the documentation on basic roles offered by Grafana:
  27283. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27284. properties:
  27285. key:
  27286. description: The key where the token is found.
  27287. maxLength: 253
  27288. minLength: 1
  27289. pattern: ^[-._a-zA-Z0-9]+$
  27290. type: string
  27291. name:
  27292. description: The name of the Secret resource being referred to.
  27293. maxLength: 253
  27294. minLength: 1
  27295. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27296. type: string
  27297. type: object
  27298. type: object
  27299. serviceAccount:
  27300. description: |-
  27301. ServiceAccount is the configuration for the service account that
  27302. is supposed to be generated by the generator.
  27303. properties:
  27304. name:
  27305. description: Name is the name of the service account that will be created by ESO.
  27306. type: string
  27307. role:
  27308. description: |-
  27309. Role is the role of the service account.
  27310. See here for the documentation on basic roles offered by Grafana:
  27311. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  27312. type: string
  27313. secondsToLive:
  27314. description: |-
  27315. SecondsToLive is the number of seconds before the generated service account token will expire.
  27316. Some Grafana deployments (e.g. AWS Managed Grafana) require this value to be set.
  27317. format: int64
  27318. minimum: 1
  27319. type: integer
  27320. required:
  27321. - name
  27322. - role
  27323. type: object
  27324. url:
  27325. description: URL is the URL of the Grafana instance.
  27326. type: string
  27327. required:
  27328. - auth
  27329. - serviceAccount
  27330. - url
  27331. type: object
  27332. mfaSpec:
  27333. description: MFASpec controls the behavior of the mfa generator.
  27334. properties:
  27335. algorithm:
  27336. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  27337. type: string
  27338. length:
  27339. description: Length defines the token length. Defaults to 6 characters.
  27340. type: integer
  27341. secret:
  27342. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  27343. properties:
  27344. key:
  27345. description: |-
  27346. A key in the referenced Secret.
  27347. Some instances of this field may be defaulted, in others it may be required.
  27348. maxLength: 253
  27349. minLength: 1
  27350. pattern: ^[-._a-zA-Z0-9]+$
  27351. type: string
  27352. name:
  27353. description: The name of the Secret resource being referred to.
  27354. maxLength: 253
  27355. minLength: 1
  27356. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27357. type: string
  27358. namespace:
  27359. description: |-
  27360. The namespace of the Secret resource being referred to.
  27361. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27362. maxLength: 63
  27363. minLength: 1
  27364. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27365. type: string
  27366. type: object
  27367. timePeriod:
  27368. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  27369. type: integer
  27370. when:
  27371. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  27372. format: date-time
  27373. type: string
  27374. required:
  27375. - secret
  27376. type: object
  27377. passwordSpec:
  27378. description: PasswordSpec controls the behavior of the password generator.
  27379. properties:
  27380. allowRepeat:
  27381. default: false
  27382. description: set AllowRepeat to true to allow repeating characters.
  27383. type: boolean
  27384. digits:
  27385. description: |-
  27386. Digits specifies the number of digits in the generated
  27387. password. If omitted it defaults to 25% of the length of the password
  27388. type: integer
  27389. encoding:
  27390. default: raw
  27391. description: |-
  27392. Encoding specifies the encoding of the generated password.
  27393. Valid values are:
  27394. - "raw" (default): no encoding
  27395. - "base64": standard base64 encoding
  27396. - "base64url": base64url encoding
  27397. - "base32": base32 encoding
  27398. - "hex": hexadecimal encoding
  27399. enum:
  27400. - base64
  27401. - base64url
  27402. - base32
  27403. - hex
  27404. - raw
  27405. type: string
  27406. length:
  27407. default: 24
  27408. description: |-
  27409. Length of the password to be generated.
  27410. Defaults to 24
  27411. type: integer
  27412. noUpper:
  27413. default: false
  27414. description: Set NoUpper to disable uppercase characters
  27415. type: boolean
  27416. secretKeys:
  27417. description: |-
  27418. SecretKeys defines the keys that will be populated with generated passwords.
  27419. Defaults to "password" when not set.
  27420. items:
  27421. type: string
  27422. minItems: 1
  27423. type: array
  27424. symbolCharacters:
  27425. description: |-
  27426. SymbolCharacters specifies the special characters that should be used
  27427. in the generated password.
  27428. type: string
  27429. symbols:
  27430. description: |-
  27431. Symbols specifies the number of symbol characters in the generated
  27432. password. If omitted it defaults to 25% of the length of the password
  27433. type: integer
  27434. required:
  27435. - allowRepeat
  27436. - length
  27437. - noUpper
  27438. type: object
  27439. quayAccessTokenSpec:
  27440. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  27441. properties:
  27442. robotAccount:
  27443. description: Name of the robot account you are federating with
  27444. type: string
  27445. serviceAccountRef:
  27446. description: Name of the service account you are federating with
  27447. properties:
  27448. audiences:
  27449. description: |-
  27450. Audience specifies the `aud` claim for the service account token
  27451. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27452. then this audiences will be appended to the list
  27453. items:
  27454. type: string
  27455. type: array
  27456. name:
  27457. description: The name of the ServiceAccount resource being referred to.
  27458. maxLength: 253
  27459. minLength: 1
  27460. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27461. type: string
  27462. namespace:
  27463. description: |-
  27464. Namespace of the resource being referred to.
  27465. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27466. maxLength: 63
  27467. minLength: 1
  27468. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27469. type: string
  27470. required:
  27471. - name
  27472. type: object
  27473. url:
  27474. description: URL configures the Quay instance URL. Defaults to quay.io.
  27475. type: string
  27476. required:
  27477. - robotAccount
  27478. - serviceAccountRef
  27479. type: object
  27480. sshKeySpec:
  27481. description: SSHKeySpec controls the behavior of the ssh key generator.
  27482. properties:
  27483. comment:
  27484. description: Comment specifies an optional comment for the SSH key
  27485. type: string
  27486. keySize:
  27487. description: |-
  27488. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  27489. For RSA keys: 2048, 3072, 4096
  27490. For ECDSA keys: 256, 384, 521
  27491. Ignored for ed25519 keys
  27492. maximum: 8192
  27493. minimum: 256
  27494. type: integer
  27495. keyType:
  27496. default: rsa
  27497. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  27498. enum:
  27499. - rsa
  27500. - ecdsa
  27501. - ed25519
  27502. type: string
  27503. type: object
  27504. stsSessionTokenSpec:
  27505. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  27506. properties:
  27507. auth:
  27508. description: Auth defines how to authenticate with AWS
  27509. properties:
  27510. jwt:
  27511. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  27512. properties:
  27513. serviceAccountRef:
  27514. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27515. properties:
  27516. audiences:
  27517. description: |-
  27518. Audience specifies the `aud` claim for the service account token
  27519. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27520. then this audiences will be appended to the list
  27521. items:
  27522. type: string
  27523. type: array
  27524. name:
  27525. description: The name of the ServiceAccount resource being referred to.
  27526. maxLength: 253
  27527. minLength: 1
  27528. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27529. type: string
  27530. namespace:
  27531. description: |-
  27532. Namespace of the resource being referred to.
  27533. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27534. maxLength: 63
  27535. minLength: 1
  27536. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27537. type: string
  27538. required:
  27539. - name
  27540. type: object
  27541. type: object
  27542. secretRef:
  27543. description: |-
  27544. AWSAuthSecretRef holds secret references for AWS credentials
  27545. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  27546. properties:
  27547. accessKeyIDSecretRef:
  27548. description: The AccessKeyID is used for authentication
  27549. properties:
  27550. key:
  27551. description: |-
  27552. A key in the referenced Secret.
  27553. Some instances of this field may be defaulted, in others it may be required.
  27554. maxLength: 253
  27555. minLength: 1
  27556. pattern: ^[-._a-zA-Z0-9]+$
  27557. type: string
  27558. name:
  27559. description: The name of the Secret resource being referred to.
  27560. maxLength: 253
  27561. minLength: 1
  27562. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27563. type: string
  27564. namespace:
  27565. description: |-
  27566. The namespace of the Secret resource being referred to.
  27567. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27568. maxLength: 63
  27569. minLength: 1
  27570. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27571. type: string
  27572. type: object
  27573. secretAccessKeySecretRef:
  27574. description: The SecretAccessKey is used for authentication
  27575. properties:
  27576. key:
  27577. description: |-
  27578. A key in the referenced Secret.
  27579. Some instances of this field may be defaulted, in others it may be required.
  27580. maxLength: 253
  27581. minLength: 1
  27582. pattern: ^[-._a-zA-Z0-9]+$
  27583. type: string
  27584. name:
  27585. description: The name of the Secret resource being referred to.
  27586. maxLength: 253
  27587. minLength: 1
  27588. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27589. type: string
  27590. namespace:
  27591. description: |-
  27592. The namespace of the Secret resource being referred to.
  27593. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27594. maxLength: 63
  27595. minLength: 1
  27596. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27597. type: string
  27598. type: object
  27599. sessionTokenSecretRef:
  27600. description: |-
  27601. The SessionToken used for authentication
  27602. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  27603. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  27604. properties:
  27605. key:
  27606. description: |-
  27607. A key in the referenced Secret.
  27608. Some instances of this field may be defaulted, in others it may be required.
  27609. maxLength: 253
  27610. minLength: 1
  27611. pattern: ^[-._a-zA-Z0-9]+$
  27612. type: string
  27613. name:
  27614. description: The name of the Secret resource being referred to.
  27615. maxLength: 253
  27616. minLength: 1
  27617. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27618. type: string
  27619. namespace:
  27620. description: |-
  27621. The namespace of the Secret resource being referred to.
  27622. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27623. maxLength: 63
  27624. minLength: 1
  27625. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27626. type: string
  27627. type: object
  27628. type: object
  27629. type: object
  27630. region:
  27631. description: Region specifies the region to operate in.
  27632. type: string
  27633. requestParameters:
  27634. description: RequestParameters contains parameters that can be passed to the STS service.
  27635. properties:
  27636. serialNumber:
  27637. description: |-
  27638. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  27639. the GetSessionToken call.
  27640. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  27641. (such as arn:aws:iam::123456789012:mfa/user)
  27642. type: string
  27643. sessionDuration:
  27644. format: int32
  27645. type: integer
  27646. tokenCode:
  27647. description: TokenCode is the value provided by the MFA device, if MFA is required.
  27648. type: string
  27649. type: object
  27650. role:
  27651. description: |-
  27652. You can assume a role before making calls to the
  27653. desired AWS service.
  27654. type: string
  27655. required:
  27656. - region
  27657. type: object
  27658. uuidSpec:
  27659. description: UUIDSpec controls the behavior of the uuid generator.
  27660. type: object
  27661. vaultDynamicSecretSpec:
  27662. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  27663. properties:
  27664. allowEmptyResponse:
  27665. default: false
  27666. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  27667. type: boolean
  27668. controller:
  27669. description: |-
  27670. Used to select the correct ESO controller (think: ingress.ingressClassName)
  27671. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  27672. type: string
  27673. getParameters:
  27674. additionalProperties:
  27675. items:
  27676. type: string
  27677. type: array
  27678. description: |-
  27679. GetParameters are query-string parameters passed to Vault on GET calls.
  27680. Each key may map to multiple values, matching HTTP query-string semantics.
  27681. Ignored for non-GET methods; use Parameters for write bodies.
  27682. type: object
  27683. method:
  27684. description: Vault API method to use (GET/POST/other)
  27685. type: string
  27686. parameters:
  27687. description: Parameters to pass to Vault write (for non-GET methods)
  27688. x-kubernetes-preserve-unknown-fields: true
  27689. path:
  27690. description: Vault path to obtain the dynamic secret from
  27691. type: string
  27692. provider:
  27693. description: Vault provider common spec
  27694. properties:
  27695. auth:
  27696. description: Auth configures how secret-manager authenticates with the Vault server.
  27697. properties:
  27698. appRole:
  27699. description: |-
  27700. AppRole authenticates with Vault using the App Role auth mechanism,
  27701. with the role and secret stored in a Kubernetes Secret resource.
  27702. properties:
  27703. path:
  27704. default: approle
  27705. description: |-
  27706. Path where the App Role authentication backend is mounted
  27707. in Vault, e.g: "approle"
  27708. type: string
  27709. roleId:
  27710. description: |-
  27711. RoleID configured in the App Role authentication backend when setting
  27712. up the authentication backend in Vault.
  27713. type: string
  27714. roleRef:
  27715. description: |-
  27716. Reference to a key in a Secret that contains the App Role ID used
  27717. to authenticate with Vault.
  27718. The `key` field must be specified and denotes which entry within the Secret
  27719. resource is used as the app role id.
  27720. properties:
  27721. key:
  27722. description: |-
  27723. A key in the referenced Secret.
  27724. Some instances of this field may be defaulted, in others it may be required.
  27725. maxLength: 253
  27726. minLength: 1
  27727. pattern: ^[-._a-zA-Z0-9]+$
  27728. type: string
  27729. name:
  27730. description: The name of the Secret resource being referred to.
  27731. maxLength: 253
  27732. minLength: 1
  27733. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27734. type: string
  27735. namespace:
  27736. description: |-
  27737. The namespace of the Secret resource being referred to.
  27738. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27739. maxLength: 63
  27740. minLength: 1
  27741. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27742. type: string
  27743. type: object
  27744. secretRef:
  27745. description: |-
  27746. Reference to a key in a Secret that contains the App Role secret used
  27747. to authenticate with Vault.
  27748. The `key` field must be specified and denotes which entry within the Secret
  27749. resource is used as the app role secret.
  27750. properties:
  27751. key:
  27752. description: |-
  27753. A key in the referenced Secret.
  27754. Some instances of this field may be defaulted, in others it may be required.
  27755. maxLength: 253
  27756. minLength: 1
  27757. pattern: ^[-._a-zA-Z0-9]+$
  27758. type: string
  27759. name:
  27760. description: The name of the Secret resource being referred to.
  27761. maxLength: 253
  27762. minLength: 1
  27763. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27764. type: string
  27765. namespace:
  27766. description: |-
  27767. The namespace of the Secret resource being referred to.
  27768. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27769. maxLength: 63
  27770. minLength: 1
  27771. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27772. type: string
  27773. type: object
  27774. required:
  27775. - path
  27776. - secretRef
  27777. type: object
  27778. cert:
  27779. description: |-
  27780. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  27781. Cert authentication method
  27782. properties:
  27783. clientCert:
  27784. description: |-
  27785. ClientCert is a certificate to authenticate using the Cert Vault
  27786. authentication method
  27787. properties:
  27788. key:
  27789. description: |-
  27790. A key in the referenced Secret.
  27791. Some instances of this field may be defaulted, in others it may be required.
  27792. maxLength: 253
  27793. minLength: 1
  27794. pattern: ^[-._a-zA-Z0-9]+$
  27795. type: string
  27796. name:
  27797. description: The name of the Secret resource being referred to.
  27798. maxLength: 253
  27799. minLength: 1
  27800. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27801. type: string
  27802. namespace:
  27803. description: |-
  27804. The namespace of the Secret resource being referred to.
  27805. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27806. maxLength: 63
  27807. minLength: 1
  27808. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27809. type: string
  27810. type: object
  27811. path:
  27812. default: cert
  27813. description: |-
  27814. Path where the Certificate authentication backend is mounted
  27815. in Vault, e.g: "cert"
  27816. type: string
  27817. secretRef:
  27818. description: |-
  27819. SecretRef to a key in a Secret resource containing client private key to
  27820. authenticate with Vault using the Cert authentication method
  27821. properties:
  27822. key:
  27823. description: |-
  27824. A key in the referenced Secret.
  27825. Some instances of this field may be defaulted, in others it may be required.
  27826. maxLength: 253
  27827. minLength: 1
  27828. pattern: ^[-._a-zA-Z0-9]+$
  27829. type: string
  27830. name:
  27831. description: The name of the Secret resource being referred to.
  27832. maxLength: 253
  27833. minLength: 1
  27834. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27835. type: string
  27836. namespace:
  27837. description: |-
  27838. The namespace of the Secret resource being referred to.
  27839. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27840. maxLength: 63
  27841. minLength: 1
  27842. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27843. type: string
  27844. type: object
  27845. vaultRole:
  27846. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  27847. type: string
  27848. type: object
  27849. gcp:
  27850. description: |-
  27851. Gcp authenticates with Vault using Google Cloud Platform authentication method
  27852. GCP authentication method
  27853. properties:
  27854. location:
  27855. description: Location optionally defines a location/region for the secret
  27856. type: string
  27857. path:
  27858. default: gcp
  27859. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  27860. type: string
  27861. projectID:
  27862. description: Project ID of the Google Cloud Platform project
  27863. type: string
  27864. role:
  27865. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  27866. type: string
  27867. secretRef:
  27868. description: Specify credentials in a Secret object
  27869. properties:
  27870. secretAccessKeySecretRef:
  27871. description: The SecretAccessKey is used for authentication
  27872. properties:
  27873. key:
  27874. description: |-
  27875. A key in the referenced Secret.
  27876. Some instances of this field may be defaulted, in others it may be required.
  27877. maxLength: 253
  27878. minLength: 1
  27879. pattern: ^[-._a-zA-Z0-9]+$
  27880. type: string
  27881. name:
  27882. description: The name of the Secret resource being referred to.
  27883. maxLength: 253
  27884. minLength: 1
  27885. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27886. type: string
  27887. namespace:
  27888. description: |-
  27889. The namespace of the Secret resource being referred to.
  27890. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27891. maxLength: 63
  27892. minLength: 1
  27893. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27894. type: string
  27895. type: object
  27896. type: object
  27897. serviceAccountRef:
  27898. description: ServiceAccountRef to a service account for impersonation
  27899. properties:
  27900. audiences:
  27901. description: |-
  27902. Audience specifies the `aud` claim for the service account token
  27903. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27904. then this audiences will be appended to the list
  27905. items:
  27906. type: string
  27907. type: array
  27908. name:
  27909. description: The name of the ServiceAccount resource being referred to.
  27910. maxLength: 253
  27911. minLength: 1
  27912. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27913. type: string
  27914. namespace:
  27915. description: |-
  27916. Namespace of the resource being referred to.
  27917. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27918. maxLength: 63
  27919. minLength: 1
  27920. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27921. type: string
  27922. required:
  27923. - name
  27924. type: object
  27925. workloadIdentity:
  27926. description: Specify a service account with Workload Identity
  27927. properties:
  27928. clusterLocation:
  27929. description: |-
  27930. ClusterLocation is the location of the cluster
  27931. If not specified, it fetches information from the metadata server
  27932. type: string
  27933. clusterName:
  27934. description: |-
  27935. ClusterName is the name of the cluster
  27936. If not specified, it fetches information from the metadata server
  27937. type: string
  27938. clusterProjectID:
  27939. description: |-
  27940. ClusterProjectID is the project ID of the cluster
  27941. If not specified, it fetches information from the metadata server
  27942. type: string
  27943. serviceAccountRef:
  27944. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27945. properties:
  27946. audiences:
  27947. description: |-
  27948. Audience specifies the `aud` claim for the service account token
  27949. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27950. then this audiences will be appended to the list
  27951. items:
  27952. type: string
  27953. type: array
  27954. name:
  27955. description: The name of the ServiceAccount resource being referred to.
  27956. maxLength: 253
  27957. minLength: 1
  27958. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  27959. type: string
  27960. namespace:
  27961. description: |-
  27962. Namespace of the resource being referred to.
  27963. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  27964. maxLength: 63
  27965. minLength: 1
  27966. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  27967. type: string
  27968. required:
  27969. - name
  27970. type: object
  27971. required:
  27972. - serviceAccountRef
  27973. type: object
  27974. required:
  27975. - role
  27976. type: object
  27977. iam:
  27978. description: |-
  27979. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  27980. AWS IAM authentication method
  27981. properties:
  27982. externalID:
  27983. description: AWS External ID set on assumed IAM roles
  27984. type: string
  27985. jwt:
  27986. description: Specify a service account with IRSA enabled
  27987. properties:
  27988. serviceAccountRef:
  27989. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  27990. properties:
  27991. audiences:
  27992. description: |-
  27993. Audience specifies the `aud` claim for the service account token
  27994. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  27995. then this audiences will be appended to the list
  27996. items:
  27997. type: string
  27998. type: array
  27999. name:
  28000. description: The name of the ServiceAccount resource being referred to.
  28001. maxLength: 253
  28002. minLength: 1
  28003. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28004. type: string
  28005. namespace:
  28006. description: |-
  28007. Namespace of the resource being referred to.
  28008. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28009. maxLength: 63
  28010. minLength: 1
  28011. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28012. type: string
  28013. required:
  28014. - name
  28015. type: object
  28016. type: object
  28017. path:
  28018. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  28019. type: string
  28020. region:
  28021. description: AWS region
  28022. type: string
  28023. role:
  28024. description: This is the AWS role to be assumed before talking to vault
  28025. type: string
  28026. secretRef:
  28027. description: Specify credentials in a Secret object
  28028. properties:
  28029. accessKeyIDSecretRef:
  28030. description: The AccessKeyID is used for authentication
  28031. properties:
  28032. key:
  28033. description: |-
  28034. A key in the referenced Secret.
  28035. Some instances of this field may be defaulted, in others it may be required.
  28036. maxLength: 253
  28037. minLength: 1
  28038. pattern: ^[-._a-zA-Z0-9]+$
  28039. type: string
  28040. name:
  28041. description: The name of the Secret resource being referred to.
  28042. maxLength: 253
  28043. minLength: 1
  28044. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28045. type: string
  28046. namespace:
  28047. description: |-
  28048. The namespace of the Secret resource being referred to.
  28049. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28050. maxLength: 63
  28051. minLength: 1
  28052. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28053. type: string
  28054. type: object
  28055. secretAccessKeySecretRef:
  28056. description: The SecretAccessKey is used for authentication
  28057. properties:
  28058. key:
  28059. description: |-
  28060. A key in the referenced Secret.
  28061. Some instances of this field may be defaulted, in others it may be required.
  28062. maxLength: 253
  28063. minLength: 1
  28064. pattern: ^[-._a-zA-Z0-9]+$
  28065. type: string
  28066. name:
  28067. description: The name of the Secret resource being referred to.
  28068. maxLength: 253
  28069. minLength: 1
  28070. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28071. type: string
  28072. namespace:
  28073. description: |-
  28074. The namespace of the Secret resource being referred to.
  28075. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28076. maxLength: 63
  28077. minLength: 1
  28078. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28079. type: string
  28080. type: object
  28081. sessionTokenSecretRef:
  28082. description: |-
  28083. The SessionToken used for authentication
  28084. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28085. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28086. properties:
  28087. key:
  28088. description: |-
  28089. A key in the referenced Secret.
  28090. Some instances of this field may be defaulted, in others it may be required.
  28091. maxLength: 253
  28092. minLength: 1
  28093. pattern: ^[-._a-zA-Z0-9]+$
  28094. type: string
  28095. name:
  28096. description: The name of the Secret resource being referred to.
  28097. maxLength: 253
  28098. minLength: 1
  28099. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28100. type: string
  28101. namespace:
  28102. description: |-
  28103. The namespace of the Secret resource being referred to.
  28104. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28105. maxLength: 63
  28106. minLength: 1
  28107. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28108. type: string
  28109. type: object
  28110. type: object
  28111. vaultAwsIamServerID:
  28112. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  28113. type: string
  28114. vaultRole:
  28115. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  28116. type: string
  28117. required:
  28118. - vaultRole
  28119. type: object
  28120. jwt:
  28121. description: |-
  28122. Jwt authenticates with Vault by passing role and JWT token using the
  28123. JWT/OIDC authentication method
  28124. properties:
  28125. kubernetesServiceAccountToken:
  28126. description: |-
  28127. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  28128. a token for with the `TokenRequest` API.
  28129. properties:
  28130. audiences:
  28131. description: |-
  28132. Optional audiences field that will be used to request a temporary Kubernetes service
  28133. account token for the service account referenced by `serviceAccountRef`.
  28134. Defaults to a single audience `vault` it not specified.
  28135. Deprecated: use serviceAccountRef.Audiences instead
  28136. items:
  28137. type: string
  28138. type: array
  28139. expirationSeconds:
  28140. description: |-
  28141. Optional expiration time in seconds that will be used to request a temporary
  28142. Kubernetes service account token for the service account referenced by
  28143. `serviceAccountRef`.
  28144. Deprecated: this will be removed in the future.
  28145. Defaults to 10 minutes.
  28146. format: int64
  28147. type: integer
  28148. serviceAccountRef:
  28149. description: Service account field containing the name of a kubernetes ServiceAccount.
  28150. properties:
  28151. audiences:
  28152. description: |-
  28153. Audience specifies the `aud` claim for the service account token
  28154. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28155. then this audiences will be appended to the list
  28156. items:
  28157. type: string
  28158. type: array
  28159. name:
  28160. description: The name of the ServiceAccount resource being referred to.
  28161. maxLength: 253
  28162. minLength: 1
  28163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28164. type: string
  28165. namespace:
  28166. description: |-
  28167. Namespace of the resource being referred to.
  28168. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28169. maxLength: 63
  28170. minLength: 1
  28171. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28172. type: string
  28173. required:
  28174. - name
  28175. type: object
  28176. required:
  28177. - serviceAccountRef
  28178. type: object
  28179. path:
  28180. default: jwt
  28181. description: |-
  28182. Path where the JWT authentication backend is mounted
  28183. in Vault, e.g: "jwt"
  28184. type: string
  28185. role:
  28186. description: |-
  28187. Role is a JWT role to authenticate using the JWT/OIDC Vault
  28188. authentication method
  28189. type: string
  28190. secretRef:
  28191. description: |-
  28192. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  28193. authenticate with Vault using the JWT/OIDC authentication method.
  28194. properties:
  28195. key:
  28196. description: |-
  28197. A key in the referenced Secret.
  28198. Some instances of this field may be defaulted, in others it may be required.
  28199. maxLength: 253
  28200. minLength: 1
  28201. pattern: ^[-._a-zA-Z0-9]+$
  28202. type: string
  28203. name:
  28204. description: The name of the Secret resource being referred to.
  28205. maxLength: 253
  28206. minLength: 1
  28207. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28208. type: string
  28209. namespace:
  28210. description: |-
  28211. The namespace of the Secret resource being referred to.
  28212. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28213. maxLength: 63
  28214. minLength: 1
  28215. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28216. type: string
  28217. type: object
  28218. required:
  28219. - path
  28220. type: object
  28221. kubernetes:
  28222. description: |-
  28223. Kubernetes authenticates with Vault by passing the ServiceAccount
  28224. token stored in the named Secret resource to the Vault server.
  28225. properties:
  28226. mountPath:
  28227. default: kubernetes
  28228. description: |-
  28229. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  28230. "kubernetes"
  28231. type: string
  28232. role:
  28233. description: |-
  28234. A required field containing the Vault Role to assume. A Role binds a
  28235. Kubernetes ServiceAccount with a set of Vault policies.
  28236. type: string
  28237. secretRef:
  28238. description: |-
  28239. Optional secret field containing a Kubernetes ServiceAccount JWT used
  28240. for authenticating with Vault. If a name is specified without a key,
  28241. `token` is the default. If one is not specified, the one bound to
  28242. the controller will be used.
  28243. properties:
  28244. key:
  28245. description: |-
  28246. A key in the referenced Secret.
  28247. Some instances of this field may be defaulted, in others it may be required.
  28248. maxLength: 253
  28249. minLength: 1
  28250. pattern: ^[-._a-zA-Z0-9]+$
  28251. type: string
  28252. name:
  28253. description: The name of the Secret resource being referred to.
  28254. maxLength: 253
  28255. minLength: 1
  28256. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28257. type: string
  28258. namespace:
  28259. description: |-
  28260. The namespace of the Secret resource being referred to.
  28261. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28262. maxLength: 63
  28263. minLength: 1
  28264. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28265. type: string
  28266. type: object
  28267. serviceAccountRef:
  28268. description: |-
  28269. Optional service account field containing the name of a kubernetes ServiceAccount.
  28270. If the service account is specified, the service account secret token JWT will be used
  28271. for authenticating with Vault. If the service account selector is not supplied,
  28272. the secretRef will be used instead.
  28273. properties:
  28274. audiences:
  28275. description: |-
  28276. Audience specifies the `aud` claim for the service account token
  28277. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28278. then this audiences will be appended to the list
  28279. items:
  28280. type: string
  28281. type: array
  28282. name:
  28283. description: The name of the ServiceAccount resource being referred to.
  28284. maxLength: 253
  28285. minLength: 1
  28286. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28287. type: string
  28288. namespace:
  28289. description: |-
  28290. Namespace of the resource being referred to.
  28291. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28292. maxLength: 63
  28293. minLength: 1
  28294. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28295. type: string
  28296. required:
  28297. - name
  28298. type: object
  28299. required:
  28300. - mountPath
  28301. - role
  28302. type: object
  28303. ldap:
  28304. description: |-
  28305. Ldap authenticates with Vault by passing username/password pair using
  28306. the LDAP authentication method
  28307. properties:
  28308. path:
  28309. default: ldap
  28310. description: |-
  28311. Path where the LDAP authentication backend is mounted
  28312. in Vault, e.g: "ldap"
  28313. type: string
  28314. secretRef:
  28315. description: |-
  28316. SecretRef to a key in a Secret resource containing password for the LDAP
  28317. user used to authenticate with Vault using the LDAP authentication
  28318. method
  28319. properties:
  28320. key:
  28321. description: |-
  28322. A key in the referenced Secret.
  28323. Some instances of this field may be defaulted, in others it may be required.
  28324. maxLength: 253
  28325. minLength: 1
  28326. pattern: ^[-._a-zA-Z0-9]+$
  28327. type: string
  28328. name:
  28329. description: The name of the Secret resource being referred to.
  28330. maxLength: 253
  28331. minLength: 1
  28332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28333. type: string
  28334. namespace:
  28335. description: |-
  28336. The namespace of the Secret resource being referred to.
  28337. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28338. maxLength: 63
  28339. minLength: 1
  28340. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28341. type: string
  28342. type: object
  28343. username:
  28344. description: |-
  28345. Username is an LDAP username used to authenticate using the LDAP Vault
  28346. authentication method
  28347. type: string
  28348. required:
  28349. - path
  28350. - username
  28351. type: object
  28352. namespace:
  28353. description: |-
  28354. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  28355. Namespaces is a set of features within Vault Enterprise that allows
  28356. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28357. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28358. This will default to Vault.Namespace field if set, or empty otherwise
  28359. type: string
  28360. tokenSecretRef:
  28361. description: TokenSecretRef authenticates with Vault by presenting a token.
  28362. properties:
  28363. key:
  28364. description: |-
  28365. A key in the referenced Secret.
  28366. Some instances of this field may be defaulted, in others it may be required.
  28367. maxLength: 253
  28368. minLength: 1
  28369. pattern: ^[-._a-zA-Z0-9]+$
  28370. type: string
  28371. name:
  28372. description: The name of the Secret resource being referred to.
  28373. maxLength: 253
  28374. minLength: 1
  28375. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28376. type: string
  28377. namespace:
  28378. description: |-
  28379. The namespace of the Secret resource being referred to.
  28380. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28381. maxLength: 63
  28382. minLength: 1
  28383. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28384. type: string
  28385. type: object
  28386. userPass:
  28387. description: UserPass authenticates with Vault by passing username/password pair
  28388. properties:
  28389. path:
  28390. default: userpass
  28391. description: |-
  28392. Path where the UserPassword authentication backend is mounted
  28393. in Vault, e.g: "userpass"
  28394. type: string
  28395. secretRef:
  28396. description: |-
  28397. SecretRef to a key in a Secret resource containing password for the
  28398. user used to authenticate with Vault using the UserPass authentication
  28399. method
  28400. properties:
  28401. key:
  28402. description: |-
  28403. A key in the referenced Secret.
  28404. Some instances of this field may be defaulted, in others it may be required.
  28405. maxLength: 253
  28406. minLength: 1
  28407. pattern: ^[-._a-zA-Z0-9]+$
  28408. type: string
  28409. name:
  28410. description: The name of the Secret resource being referred to.
  28411. maxLength: 253
  28412. minLength: 1
  28413. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28414. type: string
  28415. namespace:
  28416. description: |-
  28417. The namespace of the Secret resource being referred to.
  28418. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28419. maxLength: 63
  28420. minLength: 1
  28421. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28422. type: string
  28423. type: object
  28424. username:
  28425. description: |-
  28426. Username is a username used to authenticate using the UserPass Vault
  28427. authentication method
  28428. type: string
  28429. required:
  28430. - path
  28431. - username
  28432. type: object
  28433. type: object
  28434. caBundle:
  28435. description: |-
  28436. PEM encoded CA bundle used to validate Vault server certificate. Only used
  28437. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28438. plain HTTP protocol connection. If not set the system root certificates
  28439. are used to validate the TLS connection.
  28440. format: byte
  28441. type: string
  28442. caProvider:
  28443. description: The provider for the CA bundle to use to validate Vault server certificate.
  28444. properties:
  28445. key:
  28446. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28447. maxLength: 253
  28448. minLength: 1
  28449. pattern: ^[-._a-zA-Z0-9]+$
  28450. type: string
  28451. name:
  28452. description: The name of the object located at the provider type.
  28453. maxLength: 253
  28454. minLength: 1
  28455. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28456. type: string
  28457. namespace:
  28458. description: |-
  28459. The namespace the Provider type is in.
  28460. Can only be defined when used in a ClusterSecretStore.
  28461. maxLength: 63
  28462. minLength: 1
  28463. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28464. type: string
  28465. type:
  28466. description: The type of provider to use such as "Secret", or "ConfigMap".
  28467. enum:
  28468. - Secret
  28469. - ConfigMap
  28470. type: string
  28471. required:
  28472. - name
  28473. - type
  28474. type: object
  28475. checkAndSet:
  28476. description: |-
  28477. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  28478. Only applies to Vault KV v2 stores. When enabled, write operations must include
  28479. the current version of the secret to prevent unintentional overwrites.
  28480. properties:
  28481. required:
  28482. description: |-
  28483. Required when true, all write operations must include a check-and-set parameter.
  28484. This helps prevent unintentional overwrites of secrets.
  28485. type: boolean
  28486. type: object
  28487. forwardInconsistent:
  28488. description: |-
  28489. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  28490. leader instead of simply retrying within a loop. This can increase performance if
  28491. the option is enabled serverside.
  28492. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  28493. type: boolean
  28494. headers:
  28495. additionalProperties:
  28496. type: string
  28497. description: Headers to be added in Vault request
  28498. type: object
  28499. namespace:
  28500. description: |-
  28501. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  28502. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  28503. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  28504. type: string
  28505. path:
  28506. description: |-
  28507. Path is the mount path of the Vault KV backend endpoint, e.g:
  28508. "secret". The v2 KV secret engine version specific "/data" path suffix
  28509. for fetching secrets from Vault is optional and will be appended
  28510. if not present in specified path.
  28511. type: string
  28512. readYourWrites:
  28513. description: |-
  28514. ReadYourWrites ensures isolated read-after-write semantics by
  28515. providing discovered cluster replication states in each request.
  28516. More information about eventual consistency in Vault can be found here
  28517. https://www.vaultproject.io/docs/enterprise/consistency
  28518. type: boolean
  28519. server:
  28520. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  28521. type: string
  28522. tls:
  28523. description: |-
  28524. The configuration used for client side related TLS communication, when the Vault server
  28525. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  28526. This parameter is ignored for plain HTTP protocol connection.
  28527. It's worth noting this configuration is different from the "TLS certificates auth method",
  28528. which is available under the `auth.cert` section.
  28529. properties:
  28530. certSecretRef:
  28531. description: |-
  28532. CertSecretRef is a certificate added to the transport layer
  28533. when communicating with the Vault server.
  28534. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  28535. properties:
  28536. key:
  28537. description: |-
  28538. A key in the referenced Secret.
  28539. Some instances of this field may be defaulted, in others it may be required.
  28540. maxLength: 253
  28541. minLength: 1
  28542. pattern: ^[-._a-zA-Z0-9]+$
  28543. type: string
  28544. name:
  28545. description: The name of the Secret resource being referred to.
  28546. maxLength: 253
  28547. minLength: 1
  28548. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28549. type: string
  28550. namespace:
  28551. description: |-
  28552. The namespace of the Secret resource being referred to.
  28553. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28554. maxLength: 63
  28555. minLength: 1
  28556. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28557. type: string
  28558. type: object
  28559. keySecretRef:
  28560. description: |-
  28561. KeySecretRef to a key in a Secret resource containing client private key
  28562. added to the transport layer when communicating with the Vault server.
  28563. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  28564. properties:
  28565. key:
  28566. description: |-
  28567. A key in the referenced Secret.
  28568. Some instances of this field may be defaulted, in others it may be required.
  28569. maxLength: 253
  28570. minLength: 1
  28571. pattern: ^[-._a-zA-Z0-9]+$
  28572. type: string
  28573. name:
  28574. description: The name of the Secret resource being referred to.
  28575. maxLength: 253
  28576. minLength: 1
  28577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28578. type: string
  28579. namespace:
  28580. description: |-
  28581. The namespace of the Secret resource being referred to.
  28582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28583. maxLength: 63
  28584. minLength: 1
  28585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28586. type: string
  28587. type: object
  28588. type: object
  28589. version:
  28590. default: v2
  28591. description: |-
  28592. Version is the Vault KV secret engine version. This can be either "v1" or
  28593. "v2". Version defaults to "v2".
  28594. enum:
  28595. - v1
  28596. - v2
  28597. type: string
  28598. required:
  28599. - server
  28600. type: object
  28601. resultType:
  28602. default: Data
  28603. description: |-
  28604. Result type defines which data is returned from the generator.
  28605. By default, it is the "data" section of the Vault API response.
  28606. When using e.g. /auth/token/create the "data" section is empty but
  28607. the "auth" section contains the generated token.
  28608. Please refer to the vault docs regarding the result data structure.
  28609. Additionally, accessing the raw response is possibly by using "Raw" result type.
  28610. enum:
  28611. - Data
  28612. - Auth
  28613. - Raw
  28614. type: string
  28615. retrySettings:
  28616. description: Used to configure http retries if failed
  28617. properties:
  28618. maxRetries:
  28619. format: int32
  28620. type: integer
  28621. retryInterval:
  28622. type: string
  28623. type: object
  28624. required:
  28625. - path
  28626. - provider
  28627. type: object
  28628. webhookSpec:
  28629. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  28630. properties:
  28631. auth:
  28632. description: Auth specifies a authorization protocol. Only one protocol may be set.
  28633. maxProperties: 1
  28634. minProperties: 1
  28635. properties:
  28636. ntlm:
  28637. description: NTLMProtocol configures the store to use NTLM for auth
  28638. properties:
  28639. passwordSecret:
  28640. description: |-
  28641. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28642. In some instances, `key` is a required field.
  28643. properties:
  28644. key:
  28645. description: |-
  28646. A key in the referenced Secret.
  28647. Some instances of this field may be defaulted, in others it may be required.
  28648. maxLength: 253
  28649. minLength: 1
  28650. pattern: ^[-._a-zA-Z0-9]+$
  28651. type: string
  28652. name:
  28653. description: The name of the Secret resource being referred to.
  28654. maxLength: 253
  28655. minLength: 1
  28656. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28657. type: string
  28658. namespace:
  28659. description: |-
  28660. The namespace of the Secret resource being referred to.
  28661. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28662. maxLength: 63
  28663. minLength: 1
  28664. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28665. type: string
  28666. type: object
  28667. usernameSecret:
  28668. description: |-
  28669. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  28670. In some instances, `key` is a required field.
  28671. properties:
  28672. key:
  28673. description: |-
  28674. A key in the referenced Secret.
  28675. Some instances of this field may be defaulted, in others it may be required.
  28676. maxLength: 253
  28677. minLength: 1
  28678. pattern: ^[-._a-zA-Z0-9]+$
  28679. type: string
  28680. name:
  28681. description: The name of the Secret resource being referred to.
  28682. maxLength: 253
  28683. minLength: 1
  28684. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28685. type: string
  28686. namespace:
  28687. description: |-
  28688. The namespace of the Secret resource being referred to.
  28689. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28690. maxLength: 63
  28691. minLength: 1
  28692. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28693. type: string
  28694. type: object
  28695. required:
  28696. - passwordSecret
  28697. - usernameSecret
  28698. type: object
  28699. type: object
  28700. body:
  28701. description: Body
  28702. type: string
  28703. caBundle:
  28704. description: |-
  28705. PEM encoded CA bundle used to validate webhook server certificate. Only used
  28706. if the Server URL is using HTTPS protocol. This parameter is ignored for
  28707. plain HTTP protocol connection. If not set the system root certificates
  28708. are used to validate the TLS connection.
  28709. format: byte
  28710. type: string
  28711. caProvider:
  28712. description: The provider for the CA bundle to use to validate webhook server certificate.
  28713. properties:
  28714. key:
  28715. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  28716. maxLength: 253
  28717. minLength: 1
  28718. pattern: ^[-._a-zA-Z0-9]+$
  28719. type: string
  28720. name:
  28721. description: The name of the object located at the provider type.
  28722. maxLength: 253
  28723. minLength: 1
  28724. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28725. type: string
  28726. namespace:
  28727. description: The namespace the Provider type is in.
  28728. maxLength: 63
  28729. minLength: 1
  28730. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28731. type: string
  28732. type:
  28733. description: The type of provider to use such as "Secret", or "ConfigMap".
  28734. enum:
  28735. - Secret
  28736. - ConfigMap
  28737. type: string
  28738. required:
  28739. - name
  28740. - type
  28741. type: object
  28742. headers:
  28743. additionalProperties:
  28744. type: string
  28745. description: Headers
  28746. type: object
  28747. method:
  28748. description: Webhook Method
  28749. type: string
  28750. result:
  28751. description: Result formatting
  28752. properties:
  28753. jsonPath:
  28754. description: Json path of return value
  28755. type: string
  28756. type: object
  28757. secrets:
  28758. description: |-
  28759. Secrets to fill in templates
  28760. These secrets will be passed to the templating function as key value pairs under the given name
  28761. items:
  28762. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  28763. properties:
  28764. name:
  28765. description: Name of this secret in templates
  28766. type: string
  28767. secretRef:
  28768. description: Secret ref to fill in credentials
  28769. properties:
  28770. key:
  28771. description: The key where the token is found.
  28772. maxLength: 253
  28773. minLength: 1
  28774. pattern: ^[-._a-zA-Z0-9]+$
  28775. type: string
  28776. name:
  28777. description: The name of the Secret resource being referred to.
  28778. maxLength: 253
  28779. minLength: 1
  28780. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28781. type: string
  28782. type: object
  28783. required:
  28784. - name
  28785. - secretRef
  28786. type: object
  28787. type: array
  28788. timeout:
  28789. description: Timeout
  28790. type: string
  28791. url:
  28792. description: Webhook url to call
  28793. type: string
  28794. required:
  28795. - result
  28796. - url
  28797. type: object
  28798. type: object
  28799. kind:
  28800. description: Kind the kind of this generator.
  28801. enum:
  28802. - ACRAccessToken
  28803. - BeyondtrustWorkloadCredentialsDynamicSecret
  28804. - CloudsmithAccessToken
  28805. - ECRAuthorizationToken
  28806. - Fake
  28807. - GCRAccessToken
  28808. - GithubAccessToken
  28809. - GitlabDeployToken
  28810. - QuayAccessToken
  28811. - Password
  28812. - SSHKey
  28813. - STSSessionToken
  28814. - UUID
  28815. - VaultDynamicSecret
  28816. - Webhook
  28817. - Grafana
  28818. - MFA
  28819. type: string
  28820. required:
  28821. - generator
  28822. - kind
  28823. type: object
  28824. type: object
  28825. served: true
  28826. storage: true
  28827. subresources:
  28828. status: {}
  28829. ---
  28830. apiVersion: apiextensions.k8s.io/v1
  28831. kind: CustomResourceDefinition
  28832. metadata:
  28833. annotations:
  28834. controller-gen.kubebuilder.io/version: v0.19.0
  28835. labels:
  28836. external-secrets.io/component: controller
  28837. name: ecrauthorizationtokens.generators.external-secrets.io
  28838. spec:
  28839. group: generators.external-secrets.io
  28840. names:
  28841. categories:
  28842. - external-secrets
  28843. - external-secrets-generators
  28844. kind: ECRAuthorizationToken
  28845. listKind: ECRAuthorizationTokenList
  28846. plural: ecrauthorizationtokens
  28847. singular: ecrauthorizationtoken
  28848. scope: Namespaced
  28849. versions:
  28850. - name: v1alpha1
  28851. schema:
  28852. openAPIV3Schema:
  28853. description: |-
  28854. ECRAuthorizationToken uses the GetAuthorizationToken API to retrieve an authorization token.
  28855. The authorization token is valid for 12 hours.
  28856. The authorizationToken returned is a base64 encoded string that can be decoded
  28857. and used in a docker login command to authenticate to a registry.
  28858. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  28859. properties:
  28860. apiVersion:
  28861. description: |-
  28862. APIVersion defines the versioned schema of this representation of an object.
  28863. Servers should convert recognized schemas to the latest internal value, and
  28864. may reject unrecognized values.
  28865. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  28866. type: string
  28867. kind:
  28868. description: |-
  28869. Kind is a string value representing the REST resource this object represents.
  28870. Servers may infer this from the endpoint the client submits requests to.
  28871. Cannot be updated.
  28872. In CamelCase.
  28873. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  28874. type: string
  28875. metadata:
  28876. type: object
  28877. spec:
  28878. description: ECRAuthorizationTokenSpec defines the desired state to generate an AWS ECR authorization token.
  28879. properties:
  28880. auth:
  28881. description: Auth defines how to authenticate with AWS
  28882. properties:
  28883. jwt:
  28884. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  28885. properties:
  28886. serviceAccountRef:
  28887. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  28888. properties:
  28889. audiences:
  28890. description: |-
  28891. Audience specifies the `aud` claim for the service account token
  28892. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  28893. then this audiences will be appended to the list
  28894. items:
  28895. type: string
  28896. type: array
  28897. name:
  28898. description: The name of the ServiceAccount resource being referred to.
  28899. maxLength: 253
  28900. minLength: 1
  28901. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28902. type: string
  28903. namespace:
  28904. description: |-
  28905. Namespace of the resource being referred to.
  28906. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28907. maxLength: 63
  28908. minLength: 1
  28909. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28910. type: string
  28911. required:
  28912. - name
  28913. type: object
  28914. type: object
  28915. secretRef:
  28916. description: |-
  28917. AWSAuthSecretRef holds secret references for AWS credentials
  28918. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  28919. properties:
  28920. accessKeyIDSecretRef:
  28921. description: The AccessKeyID is used for authentication
  28922. properties:
  28923. key:
  28924. description: |-
  28925. A key in the referenced Secret.
  28926. Some instances of this field may be defaulted, in others it may be required.
  28927. maxLength: 253
  28928. minLength: 1
  28929. pattern: ^[-._a-zA-Z0-9]+$
  28930. type: string
  28931. name:
  28932. description: The name of the Secret resource being referred to.
  28933. maxLength: 253
  28934. minLength: 1
  28935. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28936. type: string
  28937. namespace:
  28938. description: |-
  28939. The namespace of the Secret resource being referred to.
  28940. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28941. maxLength: 63
  28942. minLength: 1
  28943. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28944. type: string
  28945. type: object
  28946. secretAccessKeySecretRef:
  28947. description: The SecretAccessKey is used for authentication
  28948. properties:
  28949. key:
  28950. description: |-
  28951. A key in the referenced Secret.
  28952. Some instances of this field may be defaulted, in others it may be required.
  28953. maxLength: 253
  28954. minLength: 1
  28955. pattern: ^[-._a-zA-Z0-9]+$
  28956. type: string
  28957. name:
  28958. description: The name of the Secret resource being referred to.
  28959. maxLength: 253
  28960. minLength: 1
  28961. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28962. type: string
  28963. namespace:
  28964. description: |-
  28965. The namespace of the Secret resource being referred to.
  28966. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28967. maxLength: 63
  28968. minLength: 1
  28969. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28970. type: string
  28971. type: object
  28972. sessionTokenSecretRef:
  28973. description: |-
  28974. The SessionToken used for authentication
  28975. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  28976. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  28977. properties:
  28978. key:
  28979. description: |-
  28980. A key in the referenced Secret.
  28981. Some instances of this field may be defaulted, in others it may be required.
  28982. maxLength: 253
  28983. minLength: 1
  28984. pattern: ^[-._a-zA-Z0-9]+$
  28985. type: string
  28986. name:
  28987. description: The name of the Secret resource being referred to.
  28988. maxLength: 253
  28989. minLength: 1
  28990. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  28991. type: string
  28992. namespace:
  28993. description: |-
  28994. The namespace of the Secret resource being referred to.
  28995. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  28996. maxLength: 63
  28997. minLength: 1
  28998. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  28999. type: string
  29000. type: object
  29001. type: object
  29002. type: object
  29003. region:
  29004. description: Region specifies the region to operate in.
  29005. type: string
  29006. role:
  29007. description: |-
  29008. You can assume a role before making calls to the
  29009. desired AWS service.
  29010. type: string
  29011. scope:
  29012. description: |-
  29013. Scope specifies the ECR service scope.
  29014. Valid options are private and public.
  29015. type: string
  29016. required:
  29017. - region
  29018. type: object
  29019. type: object
  29020. served: true
  29021. storage: true
  29022. subresources:
  29023. status: {}
  29024. ---
  29025. apiVersion: apiextensions.k8s.io/v1
  29026. kind: CustomResourceDefinition
  29027. metadata:
  29028. annotations:
  29029. controller-gen.kubebuilder.io/version: v0.19.0
  29030. labels:
  29031. external-secrets.io/component: controller
  29032. name: fakes.generators.external-secrets.io
  29033. spec:
  29034. group: generators.external-secrets.io
  29035. names:
  29036. categories:
  29037. - external-secrets
  29038. - external-secrets-generators
  29039. kind: Fake
  29040. listKind: FakeList
  29041. plural: fakes
  29042. singular: fake
  29043. scope: Namespaced
  29044. versions:
  29045. - name: v1alpha1
  29046. schema:
  29047. openAPIV3Schema:
  29048. description: |-
  29049. Fake generator is used for testing. It lets you define
  29050. a static set of credentials that is always returned.
  29051. properties:
  29052. apiVersion:
  29053. description: |-
  29054. APIVersion defines the versioned schema of this representation of an object.
  29055. Servers should convert recognized schemas to the latest internal value, and
  29056. may reject unrecognized values.
  29057. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29058. type: string
  29059. kind:
  29060. description: |-
  29061. Kind is a string value representing the REST resource this object represents.
  29062. Servers may infer this from the endpoint the client submits requests to.
  29063. Cannot be updated.
  29064. In CamelCase.
  29065. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29066. type: string
  29067. metadata:
  29068. type: object
  29069. spec:
  29070. description: FakeSpec contains the static data.
  29071. properties:
  29072. controller:
  29073. description: |-
  29074. Used to select the correct ESO controller (think: ingress.ingressClassName)
  29075. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  29076. type: string
  29077. data:
  29078. additionalProperties:
  29079. type: string
  29080. description: |-
  29081. Data defines the static data returned
  29082. by this generator.
  29083. type: object
  29084. type: object
  29085. type: object
  29086. served: true
  29087. storage: true
  29088. subresources:
  29089. status: {}
  29090. ---
  29091. apiVersion: apiextensions.k8s.io/v1
  29092. kind: CustomResourceDefinition
  29093. metadata:
  29094. annotations:
  29095. controller-gen.kubebuilder.io/version: v0.19.0
  29096. labels:
  29097. external-secrets.io/component: controller
  29098. name: gcraccesstokens.generators.external-secrets.io
  29099. spec:
  29100. group: generators.external-secrets.io
  29101. names:
  29102. categories:
  29103. - external-secrets
  29104. - external-secrets-generators
  29105. kind: GCRAccessToken
  29106. listKind: GCRAccessTokenList
  29107. plural: gcraccesstokens
  29108. singular: gcraccesstoken
  29109. scope: Namespaced
  29110. versions:
  29111. - name: v1alpha1
  29112. schema:
  29113. openAPIV3Schema:
  29114. description: |-
  29115. GCRAccessToken generates an GCP access token
  29116. that can be used to authenticate with GCR.
  29117. properties:
  29118. apiVersion:
  29119. description: |-
  29120. APIVersion defines the versioned schema of this representation of an object.
  29121. Servers should convert recognized schemas to the latest internal value, and
  29122. may reject unrecognized values.
  29123. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29124. type: string
  29125. kind:
  29126. description: |-
  29127. Kind is a string value representing the REST resource this object represents.
  29128. Servers may infer this from the endpoint the client submits requests to.
  29129. Cannot be updated.
  29130. In CamelCase.
  29131. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29132. type: string
  29133. metadata:
  29134. type: object
  29135. spec:
  29136. description: GCRAccessTokenSpec defines the desired state to generate a Google Container Registry access token.
  29137. properties:
  29138. auth:
  29139. description: Auth defines the means for authenticating with GCP
  29140. properties:
  29141. secretRef:
  29142. description: GCPSMAuthSecretRef defines the reference to a secret containing Google Cloud Platform credentials.
  29143. properties:
  29144. secretAccessKeySecretRef:
  29145. description: The SecretAccessKey is used for authentication
  29146. properties:
  29147. key:
  29148. description: |-
  29149. A key in the referenced Secret.
  29150. Some instances of this field may be defaulted, in others it may be required.
  29151. maxLength: 253
  29152. minLength: 1
  29153. pattern: ^[-._a-zA-Z0-9]+$
  29154. type: string
  29155. name:
  29156. description: The name of the Secret resource being referred to.
  29157. maxLength: 253
  29158. minLength: 1
  29159. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29160. type: string
  29161. namespace:
  29162. description: |-
  29163. The namespace of the Secret resource being referred to.
  29164. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29165. maxLength: 63
  29166. minLength: 1
  29167. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29168. type: string
  29169. type: object
  29170. type: object
  29171. workloadIdentity:
  29172. description: GCPWorkloadIdentity defines the configuration for using GCP Workload Identity authentication.
  29173. properties:
  29174. clusterLocation:
  29175. type: string
  29176. clusterName:
  29177. type: string
  29178. clusterProjectID:
  29179. type: string
  29180. serviceAccountRef:
  29181. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  29182. properties:
  29183. audiences:
  29184. description: |-
  29185. Audience specifies the `aud` claim for the service account token
  29186. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29187. then this audiences will be appended to the list
  29188. items:
  29189. type: string
  29190. type: array
  29191. name:
  29192. description: The name of the ServiceAccount resource being referred to.
  29193. maxLength: 253
  29194. minLength: 1
  29195. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29196. type: string
  29197. namespace:
  29198. description: |-
  29199. Namespace of the resource being referred to.
  29200. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29201. maxLength: 63
  29202. minLength: 1
  29203. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29204. type: string
  29205. required:
  29206. - name
  29207. type: object
  29208. required:
  29209. - clusterLocation
  29210. - clusterName
  29211. - serviceAccountRef
  29212. type: object
  29213. workloadIdentityFederation:
  29214. description: GCPWorkloadIdentityFederation holds the configurations required for generating federated access tokens.
  29215. properties:
  29216. audience:
  29217. description: |-
  29218. audience is the Secure Token Service (STS) audience which contains the resource name for the workload identity pool and the provider identifier in that pool.
  29219. If specified, Audience found in the external account credential config will be overridden with the configured value.
  29220. audience must be provided when serviceAccountRef or awsSecurityCredentials is configured.
  29221. type: string
  29222. awsSecurityCredentials:
  29223. description: |-
  29224. awsSecurityCredentials is for configuring AWS region and credentials to use for obtaining the access token,
  29225. when using the AWS metadata server is not an option.
  29226. properties:
  29227. awsCredentialsSecretRef:
  29228. description: |-
  29229. awsCredentialsSecretRef is the reference to the secret which holds the AWS credentials.
  29230. Secret should be created with below names for keys
  29231. - aws_access_key_id: Access Key ID, which is the unique identifier for the AWS account or the IAM user.
  29232. - aws_secret_access_key: Secret Access Key, which is used to authenticate requests made to AWS services.
  29233. - aws_session_token: Session Token, is the short-lived token to authenticate requests made to AWS services.
  29234. properties:
  29235. name:
  29236. description: name of the secret.
  29237. maxLength: 253
  29238. minLength: 1
  29239. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29240. type: string
  29241. namespace:
  29242. description: namespace in which the secret exists. If empty, secret will looked up in local namespace.
  29243. maxLength: 63
  29244. minLength: 1
  29245. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29246. type: string
  29247. required:
  29248. - name
  29249. type: object
  29250. region:
  29251. description: region is for configuring the AWS region to be used.
  29252. example: ap-south-1
  29253. maxLength: 50
  29254. minLength: 1
  29255. pattern: ^[a-z0-9-]+$
  29256. type: string
  29257. required:
  29258. - awsCredentialsSecretRef
  29259. - region
  29260. type: object
  29261. credConfig:
  29262. description: |-
  29263. credConfig holds the configmap reference containing the GCP external account credential configuration in JSON format and the key name containing the json data.
  29264. For using Kubernetes cluster as the identity provider, use serviceAccountRef instead. Operators mounted serviceaccount token cannot be used as the token source, instead
  29265. serviceAccountRef must be used by providing operators service account details.
  29266. properties:
  29267. key:
  29268. description: key name holding the external account credential config.
  29269. maxLength: 253
  29270. minLength: 1
  29271. pattern: ^[-._a-zA-Z0-9]+$
  29272. type: string
  29273. name:
  29274. description: name of the configmap.
  29275. maxLength: 253
  29276. minLength: 1
  29277. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29278. type: string
  29279. namespace:
  29280. description: namespace in which the configmap exists. If empty, configmap will looked up in local namespace.
  29281. maxLength: 63
  29282. minLength: 1
  29283. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29284. type: string
  29285. required:
  29286. - key
  29287. - name
  29288. type: object
  29289. externalTokenEndpoint:
  29290. description: |-
  29291. externalTokenEndpoint is the endpoint explicitly set up to provide tokens, which will be matched against the
  29292. credential_source.url in the provided credConfig. This field is merely to double-check the external token source
  29293. URL is having the expected value.
  29294. type: string
  29295. gcpServiceAccountEmail:
  29296. description: |-
  29297. GCPServiceAccountEmail is the email of the Google Cloud service account to impersonate
  29298. after Workload Identity Federation. Use this to grant access through the service account's
  29299. IAM bindings (for example roles/secretmanager.secretAccessor). When set, it overrides
  29300. service_account_impersonation_url in the external account JSON from credConfig;
  29301. when serviceAccountRef is set, it also overrides the "iam.gke.io/gcp-service-account" annotation
  29302. on that ServiceAccount.
  29303. example: my-gsa@my-project.iam.gserviceaccount.com
  29304. minLength: 1
  29305. pattern: ^.*@.*\.iam\.gserviceaccount\.com$
  29306. type: string
  29307. serviceAccountRef:
  29308. description: |-
  29309. serviceAccountRef is the reference to the kubernetes ServiceAccount to be used for obtaining the tokens,
  29310. when Kubernetes is configured as provider in workload identity pool.
  29311. properties:
  29312. audiences:
  29313. description: |-
  29314. Audience specifies the `aud` claim for the service account token
  29315. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  29316. then this audiences will be appended to the list
  29317. items:
  29318. type: string
  29319. type: array
  29320. name:
  29321. description: The name of the ServiceAccount resource being referred to.
  29322. maxLength: 253
  29323. minLength: 1
  29324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29325. type: string
  29326. namespace:
  29327. description: |-
  29328. Namespace of the resource being referred to.
  29329. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29330. maxLength: 63
  29331. minLength: 1
  29332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29333. type: string
  29334. required:
  29335. - name
  29336. type: object
  29337. type: object
  29338. type: object
  29339. projectID:
  29340. description: ProjectID defines which project to use to authenticate with
  29341. type: string
  29342. required:
  29343. - auth
  29344. - projectID
  29345. type: object
  29346. type: object
  29347. served: true
  29348. storage: true
  29349. subresources:
  29350. status: {}
  29351. ---
  29352. apiVersion: apiextensions.k8s.io/v1
  29353. kind: CustomResourceDefinition
  29354. metadata:
  29355. annotations:
  29356. controller-gen.kubebuilder.io/version: v0.19.0
  29357. labels:
  29358. external-secrets.io/component: controller
  29359. name: generatorstates.generators.external-secrets.io
  29360. spec:
  29361. group: generators.external-secrets.io
  29362. names:
  29363. categories:
  29364. - external-secrets
  29365. - external-secrets-generators
  29366. kind: GeneratorState
  29367. listKind: GeneratorStateList
  29368. plural: generatorstates
  29369. shortNames:
  29370. - gs
  29371. singular: generatorstate
  29372. scope: Namespaced
  29373. versions:
  29374. - additionalPrinterColumns:
  29375. - jsonPath: .spec.garbageCollectionDeadline
  29376. name: GC Deadline
  29377. type: string
  29378. - jsonPath: .metadata.creationTimestamp
  29379. name: Age
  29380. type: date
  29381. name: v1alpha1
  29382. schema:
  29383. openAPIV3Schema:
  29384. description: GeneratorState represents the state created and managed by a generator resource.
  29385. properties:
  29386. apiVersion:
  29387. description: |-
  29388. APIVersion defines the versioned schema of this representation of an object.
  29389. Servers should convert recognized schemas to the latest internal value, and
  29390. may reject unrecognized values.
  29391. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29392. type: string
  29393. kind:
  29394. description: |-
  29395. Kind is a string value representing the REST resource this object represents.
  29396. Servers may infer this from the endpoint the client submits requests to.
  29397. Cannot be updated.
  29398. In CamelCase.
  29399. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29400. type: string
  29401. metadata:
  29402. type: object
  29403. spec:
  29404. description: GeneratorStateSpec defines the desired state of a generator state resource.
  29405. properties:
  29406. garbageCollectionDeadline:
  29407. description: |-
  29408. GarbageCollectionDeadline is the time after which the generator state
  29409. will be deleted.
  29410. It is set by the controller which creates the generator state and
  29411. can be set configured by the user.
  29412. If the garbage collection deadline is not set the generator state will not be deleted.
  29413. format: date-time
  29414. type: string
  29415. resource:
  29416. description: |-
  29417. Resource is the generator manifest that produced the state.
  29418. It is a snapshot of the generator manifest at the time the state was produced.
  29419. This manifest will be used to delete the resource. Any configuration that is referenced
  29420. in the manifest should be available at the time of garbage collection. If that is not the case deletion will
  29421. be blocked by a finalizer.
  29422. x-kubernetes-preserve-unknown-fields: true
  29423. state:
  29424. description: State is the state that was produced by the generator implementation.
  29425. x-kubernetes-preserve-unknown-fields: true
  29426. required:
  29427. - resource
  29428. - state
  29429. type: object
  29430. status:
  29431. description: GeneratorStateStatus defines the observed state of a generator state resource.
  29432. properties:
  29433. conditions:
  29434. items:
  29435. description: GeneratorStateStatusCondition represents the observed condition of a generator state.
  29436. properties:
  29437. lastTransitionTime:
  29438. format: date-time
  29439. type: string
  29440. message:
  29441. type: string
  29442. reason:
  29443. type: string
  29444. status:
  29445. type: string
  29446. type:
  29447. description: GeneratorStateConditionType represents the type of condition for a generator state.
  29448. type: string
  29449. required:
  29450. - status
  29451. - type
  29452. type: object
  29453. type: array
  29454. type: object
  29455. type: object
  29456. served: true
  29457. storage: true
  29458. subresources: {}
  29459. ---
  29460. apiVersion: apiextensions.k8s.io/v1
  29461. kind: CustomResourceDefinition
  29462. metadata:
  29463. annotations:
  29464. controller-gen.kubebuilder.io/version: v0.19.0
  29465. labels:
  29466. external-secrets.io/component: controller
  29467. name: githubaccesstokens.generators.external-secrets.io
  29468. spec:
  29469. group: generators.external-secrets.io
  29470. names:
  29471. categories:
  29472. - external-secrets
  29473. - external-secrets-generators
  29474. kind: GithubAccessToken
  29475. listKind: GithubAccessTokenList
  29476. plural: githubaccesstokens
  29477. singular: githubaccesstoken
  29478. scope: Namespaced
  29479. versions:
  29480. - name: v1alpha1
  29481. schema:
  29482. openAPIV3Schema:
  29483. description: GithubAccessToken generates ghs_ accessToken
  29484. properties:
  29485. apiVersion:
  29486. description: |-
  29487. APIVersion defines the versioned schema of this representation of an object.
  29488. Servers should convert recognized schemas to the latest internal value, and
  29489. may reject unrecognized values.
  29490. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29491. type: string
  29492. kind:
  29493. description: |-
  29494. Kind is a string value representing the REST resource this object represents.
  29495. Servers may infer this from the endpoint the client submits requests to.
  29496. Cannot be updated.
  29497. In CamelCase.
  29498. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29499. type: string
  29500. metadata:
  29501. type: object
  29502. spec:
  29503. description: GithubAccessTokenSpec defines the desired state to generate a GitHub access token.
  29504. properties:
  29505. appID:
  29506. type: string
  29507. auth:
  29508. description: Auth configures how ESO authenticates with a Github instance.
  29509. properties:
  29510. privateKey:
  29511. description: GithubSecretRef references a secret containing GitHub credentials.
  29512. properties:
  29513. secretRef:
  29514. description: |-
  29515. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29516. In some instances, `key` is a required field.
  29517. properties:
  29518. key:
  29519. description: |-
  29520. A key in the referenced Secret.
  29521. Some instances of this field may be defaulted, in others it may be required.
  29522. maxLength: 253
  29523. minLength: 1
  29524. pattern: ^[-._a-zA-Z0-9]+$
  29525. type: string
  29526. name:
  29527. description: The name of the Secret resource being referred to.
  29528. maxLength: 253
  29529. minLength: 1
  29530. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29531. type: string
  29532. namespace:
  29533. description: |-
  29534. The namespace of the Secret resource being referred to.
  29535. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29536. maxLength: 63
  29537. minLength: 1
  29538. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29539. type: string
  29540. type: object
  29541. required:
  29542. - secretRef
  29543. type: object
  29544. required:
  29545. - privateKey
  29546. type: object
  29547. installID:
  29548. type: string
  29549. permissions:
  29550. additionalProperties:
  29551. type: string
  29552. description: Map of permissions the token will have. If omitted, defaults to all permissions the GitHub App has.
  29553. type: object
  29554. repositories:
  29555. description: |-
  29556. List of repositories the token will have access to. If omitted, defaults to all repositories the GitHub App
  29557. is installed to.
  29558. items:
  29559. type: string
  29560. type: array
  29561. url:
  29562. description: URL configures the GitHub instance URL. Defaults to https://github.com/.
  29563. type: string
  29564. required:
  29565. - appID
  29566. - auth
  29567. - installID
  29568. type: object
  29569. type: object
  29570. served: true
  29571. storage: true
  29572. subresources:
  29573. status: {}
  29574. ---
  29575. apiVersion: apiextensions.k8s.io/v1
  29576. kind: CustomResourceDefinition
  29577. metadata:
  29578. annotations:
  29579. controller-gen.kubebuilder.io/version: v0.19.0
  29580. labels:
  29581. external-secrets.io/component: controller
  29582. name: gitlabdeploytokens.generators.external-secrets.io
  29583. spec:
  29584. group: generators.external-secrets.io
  29585. names:
  29586. categories:
  29587. - external-secrets
  29588. - external-secrets-generators
  29589. kind: GitlabDeployToken
  29590. listKind: GitlabDeployTokenList
  29591. plural: gitlabdeploytokens
  29592. singular: gitlabdeploytoken
  29593. scope: Namespaced
  29594. versions:
  29595. - name: v1alpha1
  29596. schema:
  29597. openAPIV3Schema:
  29598. description: GitlabDeployToken generates a GitLab deploy token.
  29599. properties:
  29600. apiVersion:
  29601. description: |-
  29602. APIVersion defines the versioned schema of this representation of an object.
  29603. Servers should convert recognized schemas to the latest internal value, and
  29604. may reject unrecognized values.
  29605. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29606. type: string
  29607. kind:
  29608. description: |-
  29609. Kind is a string value representing the REST resource this object represents.
  29610. Servers may infer this from the endpoint the client submits requests to.
  29611. Cannot be updated.
  29612. In CamelCase.
  29613. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29614. type: string
  29615. metadata:
  29616. type: object
  29617. spec:
  29618. description: GitlabDeployTokenSpec defines the desired state to generate a GitLab deploy token.
  29619. properties:
  29620. auth:
  29621. description: Auth configures how ESO authenticates with the GitLab API.
  29622. properties:
  29623. token:
  29624. description: |-
  29625. Token references a secret containing a GitLab access token (personal, group, or
  29626. project) with the api scope and at least the Maintainer role on the target.
  29627. properties:
  29628. secretRef:
  29629. description: |-
  29630. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  29631. In some instances, `key` is a required field.
  29632. properties:
  29633. key:
  29634. description: |-
  29635. A key in the referenced Secret.
  29636. Some instances of this field may be defaulted, in others it may be required.
  29637. maxLength: 253
  29638. minLength: 1
  29639. pattern: ^[-._a-zA-Z0-9]+$
  29640. type: string
  29641. name:
  29642. description: The name of the Secret resource being referred to.
  29643. maxLength: 253
  29644. minLength: 1
  29645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29646. type: string
  29647. namespace:
  29648. description: |-
  29649. The namespace of the Secret resource being referred to.
  29650. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29651. maxLength: 63
  29652. minLength: 1
  29653. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29654. type: string
  29655. type: object
  29656. required:
  29657. - secretRef
  29658. type: object
  29659. required:
  29660. - token
  29661. type: object
  29662. expiresAt:
  29663. description: |-
  29664. ExpiresAt is an optional expiry for the deploy token. If omitted the token does
  29665. not expire on the GitLab side and is revoked only when the generator state is
  29666. cleaned up (on regeneration or when the consuming ExternalSecret is deleted).
  29667. format: date-time
  29668. type: string
  29669. groupID:
  29670. description: |-
  29671. GroupID is the numeric ID or unescaped path (e.g. parent/group) of the group to
  29672. create the deploy token in. The generator URL-escapes paths before calling the
  29673. GitLab API, so do not pre-encode. Mutually exclusive with projectID.
  29674. minLength: 1
  29675. type: string
  29676. name:
  29677. description: Name of the deploy token.
  29678. minLength: 1
  29679. type: string
  29680. projectID:
  29681. description: |-
  29682. ProjectID is the numeric ID or unescaped path (e.g. group/project) of the
  29683. project to create the deploy token in. The generator URL-escapes paths before
  29684. calling the GitLab API, so do not pre-encode. Mutually exclusive with groupID.
  29685. minLength: 1
  29686. type: string
  29687. scopes:
  29688. description: Scopes granted to the deploy token. At least one scope is required.
  29689. items:
  29690. description: GitlabDeployTokenScope is a scope that can be granted to a GitLab deploy token.
  29691. enum:
  29692. - read_repository
  29693. - read_registry
  29694. - write_registry
  29695. - read_package_registry
  29696. - write_package_registry
  29697. - read_virtual_registry
  29698. - write_virtual_registry
  29699. type: string
  29700. minItems: 1
  29701. type: array
  29702. url:
  29703. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com.
  29704. type: string
  29705. username:
  29706. description: |-
  29707. Username is an optional username for the deploy token. GitLab defaults it to
  29708. gitlab+deploy-token-{n} when omitted.
  29709. type: string
  29710. required:
  29711. - auth
  29712. - name
  29713. - scopes
  29714. type: object
  29715. x-kubernetes-validations:
  29716. - message: exactly one of projectID or groupID must be set
  29717. rule: has(self.projectID) != has(self.groupID)
  29718. type: object
  29719. served: true
  29720. storage: true
  29721. subresources:
  29722. status: {}
  29723. ---
  29724. apiVersion: apiextensions.k8s.io/v1
  29725. kind: CustomResourceDefinition
  29726. metadata:
  29727. annotations:
  29728. controller-gen.kubebuilder.io/version: v0.19.0
  29729. labels:
  29730. external-secrets.io/component: controller
  29731. name: grafanas.generators.external-secrets.io
  29732. spec:
  29733. group: generators.external-secrets.io
  29734. names:
  29735. categories:
  29736. - external-secrets
  29737. - external-secrets-generators
  29738. kind: Grafana
  29739. listKind: GrafanaList
  29740. plural: grafanas
  29741. singular: grafana
  29742. scope: Namespaced
  29743. versions:
  29744. - name: v1alpha1
  29745. schema:
  29746. openAPIV3Schema:
  29747. description: Grafana represents a generator for Grafana service account tokens.
  29748. properties:
  29749. apiVersion:
  29750. description: |-
  29751. APIVersion defines the versioned schema of this representation of an object.
  29752. Servers should convert recognized schemas to the latest internal value, and
  29753. may reject unrecognized values.
  29754. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29755. type: string
  29756. kind:
  29757. description: |-
  29758. Kind is a string value representing the REST resource this object represents.
  29759. Servers may infer this from the endpoint the client submits requests to.
  29760. Cannot be updated.
  29761. In CamelCase.
  29762. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29763. type: string
  29764. metadata:
  29765. type: object
  29766. spec:
  29767. description: GrafanaSpec controls the behavior of the grafana generator.
  29768. properties:
  29769. auth:
  29770. description: |-
  29771. Auth is the authentication configuration to authenticate
  29772. against the Grafana instance.
  29773. properties:
  29774. basic:
  29775. description: |-
  29776. Basic auth credentials used to authenticate against the Grafana instance.
  29777. Note: you need a token which has elevated permissions to create service accounts.
  29778. See here for the documentation on basic roles offered by Grafana:
  29779. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29780. properties:
  29781. password:
  29782. description: A basic auth password used to authenticate against the Grafana instance.
  29783. properties:
  29784. key:
  29785. description: The key where the token is found.
  29786. maxLength: 253
  29787. minLength: 1
  29788. pattern: ^[-._a-zA-Z0-9]+$
  29789. type: string
  29790. name:
  29791. description: The name of the Secret resource being referred to.
  29792. maxLength: 253
  29793. minLength: 1
  29794. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29795. type: string
  29796. type: object
  29797. username:
  29798. description: A basic auth username used to authenticate against the Grafana instance.
  29799. type: string
  29800. required:
  29801. - password
  29802. - username
  29803. type: object
  29804. token:
  29805. description: |-
  29806. A service account token used to authenticate against the Grafana instance.
  29807. Note: you need a token which has elevated permissions to create service accounts.
  29808. See here for the documentation on basic roles offered by Grafana:
  29809. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29810. properties:
  29811. key:
  29812. description: The key where the token is found.
  29813. maxLength: 253
  29814. minLength: 1
  29815. pattern: ^[-._a-zA-Z0-9]+$
  29816. type: string
  29817. name:
  29818. description: The name of the Secret resource being referred to.
  29819. maxLength: 253
  29820. minLength: 1
  29821. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29822. type: string
  29823. type: object
  29824. type: object
  29825. serviceAccount:
  29826. description: |-
  29827. ServiceAccount is the configuration for the service account that
  29828. is supposed to be generated by the generator.
  29829. properties:
  29830. name:
  29831. description: Name is the name of the service account that will be created by ESO.
  29832. type: string
  29833. role:
  29834. description: |-
  29835. Role is the role of the service account.
  29836. See here for the documentation on basic roles offered by Grafana:
  29837. https://grafana.com/docs/grafana/latest/administration/roles-and-permissions/access-control/rbac-fixed-basic-role-definitions/
  29838. type: string
  29839. secondsToLive:
  29840. description: |-
  29841. SecondsToLive is the number of seconds before the generated service account token will expire.
  29842. Some Grafana deployments (e.g. AWS Managed Grafana) require this value to be set.
  29843. format: int64
  29844. minimum: 1
  29845. type: integer
  29846. required:
  29847. - name
  29848. - role
  29849. type: object
  29850. url:
  29851. description: URL is the URL of the Grafana instance.
  29852. type: string
  29853. required:
  29854. - auth
  29855. - serviceAccount
  29856. - url
  29857. type: object
  29858. type: object
  29859. served: true
  29860. storage: true
  29861. subresources:
  29862. status: {}
  29863. ---
  29864. apiVersion: apiextensions.k8s.io/v1
  29865. kind: CustomResourceDefinition
  29866. metadata:
  29867. annotations:
  29868. controller-gen.kubebuilder.io/version: v0.19.0
  29869. labels:
  29870. external-secrets.io/component: controller
  29871. name: mfas.generators.external-secrets.io
  29872. spec:
  29873. group: generators.external-secrets.io
  29874. names:
  29875. categories:
  29876. - external-secrets
  29877. - external-secrets-generators
  29878. kind: MFA
  29879. listKind: MFAList
  29880. plural: mfas
  29881. singular: mfa
  29882. scope: Namespaced
  29883. versions:
  29884. - name: v1alpha1
  29885. schema:
  29886. openAPIV3Schema:
  29887. description: MFA generates a new TOTP token that is compliant with RFC 6238.
  29888. properties:
  29889. apiVersion:
  29890. description: |-
  29891. APIVersion defines the versioned schema of this representation of an object.
  29892. Servers should convert recognized schemas to the latest internal value, and
  29893. may reject unrecognized values.
  29894. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29895. type: string
  29896. kind:
  29897. description: |-
  29898. Kind is a string value representing the REST resource this object represents.
  29899. Servers may infer this from the endpoint the client submits requests to.
  29900. Cannot be updated.
  29901. In CamelCase.
  29902. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29903. type: string
  29904. metadata:
  29905. type: object
  29906. spec:
  29907. description: MFASpec controls the behavior of the mfa generator.
  29908. properties:
  29909. algorithm:
  29910. description: Algorithm to use for encoding. Defaults to SHA1 as per the RFC.
  29911. type: string
  29912. length:
  29913. description: Length defines the token length. Defaults to 6 characters.
  29914. type: integer
  29915. secret:
  29916. description: Secret is a secret selector to a secret containing the seed secret to generate the TOTP value from.
  29917. properties:
  29918. key:
  29919. description: |-
  29920. A key in the referenced Secret.
  29921. Some instances of this field may be defaulted, in others it may be required.
  29922. maxLength: 253
  29923. minLength: 1
  29924. pattern: ^[-._a-zA-Z0-9]+$
  29925. type: string
  29926. name:
  29927. description: The name of the Secret resource being referred to.
  29928. maxLength: 253
  29929. minLength: 1
  29930. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  29931. type: string
  29932. namespace:
  29933. description: |-
  29934. The namespace of the Secret resource being referred to.
  29935. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  29936. maxLength: 63
  29937. minLength: 1
  29938. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  29939. type: string
  29940. type: object
  29941. timePeriod:
  29942. description: TimePeriod defines how long the token can be active. Defaults to 30 seconds.
  29943. type: integer
  29944. when:
  29945. description: When defines a time parameter that can be used to pin the origin time of the generated token.
  29946. format: date-time
  29947. type: string
  29948. required:
  29949. - secret
  29950. type: object
  29951. type: object
  29952. served: true
  29953. storage: true
  29954. subresources:
  29955. status: {}
  29956. ---
  29957. apiVersion: apiextensions.k8s.io/v1
  29958. kind: CustomResourceDefinition
  29959. metadata:
  29960. annotations:
  29961. controller-gen.kubebuilder.io/version: v0.19.0
  29962. labels:
  29963. external-secrets.io/component: controller
  29964. name: passwords.generators.external-secrets.io
  29965. spec:
  29966. group: generators.external-secrets.io
  29967. names:
  29968. categories:
  29969. - external-secrets
  29970. - external-secrets-generators
  29971. kind: Password
  29972. listKind: PasswordList
  29973. plural: passwords
  29974. singular: password
  29975. scope: Namespaced
  29976. versions:
  29977. - name: v1alpha1
  29978. schema:
  29979. openAPIV3Schema:
  29980. description: |-
  29981. Password generates a random password based on the
  29982. configuration parameters in spec.
  29983. You can specify the length, characterset and other attributes.
  29984. properties:
  29985. apiVersion:
  29986. description: |-
  29987. APIVersion defines the versioned schema of this representation of an object.
  29988. Servers should convert recognized schemas to the latest internal value, and
  29989. may reject unrecognized values.
  29990. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  29991. type: string
  29992. kind:
  29993. description: |-
  29994. Kind is a string value representing the REST resource this object represents.
  29995. Servers may infer this from the endpoint the client submits requests to.
  29996. Cannot be updated.
  29997. In CamelCase.
  29998. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  29999. type: string
  30000. metadata:
  30001. type: object
  30002. spec:
  30003. description: PasswordSpec controls the behavior of the password generator.
  30004. properties:
  30005. allowRepeat:
  30006. default: false
  30007. description: set AllowRepeat to true to allow repeating characters.
  30008. type: boolean
  30009. digits:
  30010. description: |-
  30011. Digits specifies the number of digits in the generated
  30012. password. If omitted it defaults to 25% of the length of the password
  30013. type: integer
  30014. encoding:
  30015. default: raw
  30016. description: |-
  30017. Encoding specifies the encoding of the generated password.
  30018. Valid values are:
  30019. - "raw" (default): no encoding
  30020. - "base64": standard base64 encoding
  30021. - "base64url": base64url encoding
  30022. - "base32": base32 encoding
  30023. - "hex": hexadecimal encoding
  30024. enum:
  30025. - base64
  30026. - base64url
  30027. - base32
  30028. - hex
  30029. - raw
  30030. type: string
  30031. length:
  30032. default: 24
  30033. description: |-
  30034. Length of the password to be generated.
  30035. Defaults to 24
  30036. type: integer
  30037. noUpper:
  30038. default: false
  30039. description: Set NoUpper to disable uppercase characters
  30040. type: boolean
  30041. secretKeys:
  30042. description: |-
  30043. SecretKeys defines the keys that will be populated with generated passwords.
  30044. Defaults to "password" when not set.
  30045. items:
  30046. type: string
  30047. minItems: 1
  30048. type: array
  30049. symbolCharacters:
  30050. description: |-
  30051. SymbolCharacters specifies the special characters that should be used
  30052. in the generated password.
  30053. type: string
  30054. symbols:
  30055. description: |-
  30056. Symbols specifies the number of symbol characters in the generated
  30057. password. If omitted it defaults to 25% of the length of the password
  30058. type: integer
  30059. required:
  30060. - allowRepeat
  30061. - length
  30062. - noUpper
  30063. type: object
  30064. type: object
  30065. served: true
  30066. storage: true
  30067. subresources:
  30068. status: {}
  30069. ---
  30070. apiVersion: apiextensions.k8s.io/v1
  30071. kind: CustomResourceDefinition
  30072. metadata:
  30073. annotations:
  30074. controller-gen.kubebuilder.io/version: v0.19.0
  30075. labels:
  30076. external-secrets.io/component: controller
  30077. name: quayaccesstokens.generators.external-secrets.io
  30078. spec:
  30079. group: generators.external-secrets.io
  30080. names:
  30081. categories:
  30082. - external-secrets
  30083. - external-secrets-generators
  30084. kind: QuayAccessToken
  30085. listKind: QuayAccessTokenList
  30086. plural: quayaccesstokens
  30087. singular: quayaccesstoken
  30088. scope: Namespaced
  30089. versions:
  30090. - name: v1alpha1
  30091. schema:
  30092. openAPIV3Schema:
  30093. description: QuayAccessToken generates Quay oauth token for pulling/pushing images
  30094. properties:
  30095. apiVersion:
  30096. description: |-
  30097. APIVersion defines the versioned schema of this representation of an object.
  30098. Servers should convert recognized schemas to the latest internal value, and
  30099. may reject unrecognized values.
  30100. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30101. type: string
  30102. kind:
  30103. description: |-
  30104. Kind is a string value representing the REST resource this object represents.
  30105. Servers may infer this from the endpoint the client submits requests to.
  30106. Cannot be updated.
  30107. In CamelCase.
  30108. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30109. type: string
  30110. metadata:
  30111. type: object
  30112. spec:
  30113. description: QuayAccessTokenSpec defines the desired state to generate a Quay access token.
  30114. properties:
  30115. robotAccount:
  30116. description: Name of the robot account you are federating with
  30117. type: string
  30118. serviceAccountRef:
  30119. description: Name of the service account you are federating with
  30120. properties:
  30121. audiences:
  30122. description: |-
  30123. Audience specifies the `aud` claim for the service account token
  30124. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30125. then this audiences will be appended to the list
  30126. items:
  30127. type: string
  30128. type: array
  30129. name:
  30130. description: The name of the ServiceAccount resource being referred to.
  30131. maxLength: 253
  30132. minLength: 1
  30133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30134. type: string
  30135. namespace:
  30136. description: |-
  30137. Namespace of the resource being referred to.
  30138. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30139. maxLength: 63
  30140. minLength: 1
  30141. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30142. type: string
  30143. required:
  30144. - name
  30145. type: object
  30146. url:
  30147. description: URL configures the Quay instance URL. Defaults to quay.io.
  30148. type: string
  30149. required:
  30150. - robotAccount
  30151. - serviceAccountRef
  30152. type: object
  30153. type: object
  30154. served: true
  30155. storage: true
  30156. subresources:
  30157. status: {}
  30158. ---
  30159. apiVersion: apiextensions.k8s.io/v1
  30160. kind: CustomResourceDefinition
  30161. metadata:
  30162. annotations:
  30163. controller-gen.kubebuilder.io/version: v0.19.0
  30164. labels:
  30165. external-secrets.io/component: controller
  30166. name: sshkeys.generators.external-secrets.io
  30167. spec:
  30168. group: generators.external-secrets.io
  30169. names:
  30170. categories:
  30171. - external-secrets
  30172. - external-secrets-generators
  30173. kind: SSHKey
  30174. listKind: SSHKeyList
  30175. plural: sshkeys
  30176. singular: sshkey
  30177. scope: Namespaced
  30178. versions:
  30179. - name: v1alpha1
  30180. schema:
  30181. openAPIV3Schema:
  30182. description: SSHKey generates SSH key pairs.
  30183. properties:
  30184. apiVersion:
  30185. description: |-
  30186. APIVersion defines the versioned schema of this representation of an object.
  30187. Servers should convert recognized schemas to the latest internal value, and
  30188. may reject unrecognized values.
  30189. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30190. type: string
  30191. kind:
  30192. description: |-
  30193. Kind is a string value representing the REST resource this object represents.
  30194. Servers may infer this from the endpoint the client submits requests to.
  30195. Cannot be updated.
  30196. In CamelCase.
  30197. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30198. type: string
  30199. metadata:
  30200. type: object
  30201. spec:
  30202. description: SSHKeySpec controls the behavior of the ssh key generator.
  30203. properties:
  30204. comment:
  30205. description: Comment specifies an optional comment for the SSH key
  30206. type: string
  30207. keySize:
  30208. description: |-
  30209. KeySize specifies the key size for RSA keys (default: 2048) and ECDSA keys (default: 256).
  30210. For RSA keys: 2048, 3072, 4096
  30211. For ECDSA keys: 256, 384, 521
  30212. Ignored for ed25519 keys
  30213. maximum: 8192
  30214. minimum: 256
  30215. type: integer
  30216. keyType:
  30217. default: rsa
  30218. description: KeyType specifies the SSH key type (rsa, ecdsa, ed25519)
  30219. enum:
  30220. - rsa
  30221. - ecdsa
  30222. - ed25519
  30223. type: string
  30224. type: object
  30225. type: object
  30226. served: true
  30227. storage: true
  30228. subresources:
  30229. status: {}
  30230. ---
  30231. apiVersion: apiextensions.k8s.io/v1
  30232. kind: CustomResourceDefinition
  30233. metadata:
  30234. annotations:
  30235. controller-gen.kubebuilder.io/version: v0.19.0
  30236. labels:
  30237. external-secrets.io/component: controller
  30238. name: stssessiontokens.generators.external-secrets.io
  30239. spec:
  30240. group: generators.external-secrets.io
  30241. names:
  30242. categories:
  30243. - external-secrets
  30244. - external-secrets-generators
  30245. kind: STSSessionToken
  30246. listKind: STSSessionTokenList
  30247. plural: stssessiontokens
  30248. singular: stssessiontoken
  30249. scope: Namespaced
  30250. versions:
  30251. - name: v1alpha1
  30252. schema:
  30253. openAPIV3Schema:
  30254. description: |-
  30255. STSSessionToken uses the GetSessionToken API to retrieve an authorization token.
  30256. The authorization token is valid for 12 hours.
  30257. The authorizationToken returned is a base64 encoded string that can be decoded.
  30258. For more information, see GetSessionToken (https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html).
  30259. properties:
  30260. apiVersion:
  30261. description: |-
  30262. APIVersion defines the versioned schema of this representation of an object.
  30263. Servers should convert recognized schemas to the latest internal value, and
  30264. may reject unrecognized values.
  30265. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30266. type: string
  30267. kind:
  30268. description: |-
  30269. Kind is a string value representing the REST resource this object represents.
  30270. Servers may infer this from the endpoint the client submits requests to.
  30271. Cannot be updated.
  30272. In CamelCase.
  30273. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30274. type: string
  30275. metadata:
  30276. type: object
  30277. spec:
  30278. description: STSSessionTokenSpec defines the desired state to generate an AWS STS session token.
  30279. properties:
  30280. auth:
  30281. description: Auth defines how to authenticate with AWS
  30282. properties:
  30283. jwt:
  30284. description: AWSJWTAuth provides configuration to authenticate against AWS using service account tokens.
  30285. properties:
  30286. serviceAccountRef:
  30287. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30288. properties:
  30289. audiences:
  30290. description: |-
  30291. Audience specifies the `aud` claim for the service account token
  30292. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30293. then this audiences will be appended to the list
  30294. items:
  30295. type: string
  30296. type: array
  30297. name:
  30298. description: The name of the ServiceAccount resource being referred to.
  30299. maxLength: 253
  30300. minLength: 1
  30301. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30302. type: string
  30303. namespace:
  30304. description: |-
  30305. Namespace of the resource being referred to.
  30306. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30307. maxLength: 63
  30308. minLength: 1
  30309. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30310. type: string
  30311. required:
  30312. - name
  30313. type: object
  30314. type: object
  30315. secretRef:
  30316. description: |-
  30317. AWSAuthSecretRef holds secret references for AWS credentials
  30318. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  30319. properties:
  30320. accessKeyIDSecretRef:
  30321. description: The AccessKeyID is used for authentication
  30322. properties:
  30323. key:
  30324. description: |-
  30325. A key in the referenced Secret.
  30326. Some instances of this field may be defaulted, in others it may be required.
  30327. maxLength: 253
  30328. minLength: 1
  30329. pattern: ^[-._a-zA-Z0-9]+$
  30330. type: string
  30331. name:
  30332. description: The name of the Secret resource being referred to.
  30333. maxLength: 253
  30334. minLength: 1
  30335. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30336. type: string
  30337. namespace:
  30338. description: |-
  30339. The namespace of the Secret resource being referred to.
  30340. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30341. maxLength: 63
  30342. minLength: 1
  30343. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30344. type: string
  30345. type: object
  30346. secretAccessKeySecretRef:
  30347. description: The SecretAccessKey is used for authentication
  30348. properties:
  30349. key:
  30350. description: |-
  30351. A key in the referenced Secret.
  30352. Some instances of this field may be defaulted, in others it may be required.
  30353. maxLength: 253
  30354. minLength: 1
  30355. pattern: ^[-._a-zA-Z0-9]+$
  30356. type: string
  30357. name:
  30358. description: The name of the Secret resource being referred to.
  30359. maxLength: 253
  30360. minLength: 1
  30361. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30362. type: string
  30363. namespace:
  30364. description: |-
  30365. The namespace of the Secret resource being referred to.
  30366. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30367. maxLength: 63
  30368. minLength: 1
  30369. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30370. type: string
  30371. type: object
  30372. sessionTokenSecretRef:
  30373. description: |-
  30374. The SessionToken used for authentication
  30375. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30376. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30377. properties:
  30378. key:
  30379. description: |-
  30380. A key in the referenced Secret.
  30381. Some instances of this field may be defaulted, in others it may be required.
  30382. maxLength: 253
  30383. minLength: 1
  30384. pattern: ^[-._a-zA-Z0-9]+$
  30385. type: string
  30386. name:
  30387. description: The name of the Secret resource being referred to.
  30388. maxLength: 253
  30389. minLength: 1
  30390. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30391. type: string
  30392. namespace:
  30393. description: |-
  30394. The namespace of the Secret resource being referred to.
  30395. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30396. maxLength: 63
  30397. minLength: 1
  30398. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30399. type: string
  30400. type: object
  30401. type: object
  30402. type: object
  30403. region:
  30404. description: Region specifies the region to operate in.
  30405. type: string
  30406. requestParameters:
  30407. description: RequestParameters contains parameters that can be passed to the STS service.
  30408. properties:
  30409. serialNumber:
  30410. description: |-
  30411. SerialNumber is the identification number of the MFA device that is associated with the IAM user who is making
  30412. the GetSessionToken call.
  30413. Possible values: hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
  30414. (such as arn:aws:iam::123456789012:mfa/user)
  30415. type: string
  30416. sessionDuration:
  30417. format: int32
  30418. type: integer
  30419. tokenCode:
  30420. description: TokenCode is the value provided by the MFA device, if MFA is required.
  30421. type: string
  30422. type: object
  30423. role:
  30424. description: |-
  30425. You can assume a role before making calls to the
  30426. desired AWS service.
  30427. type: string
  30428. required:
  30429. - region
  30430. type: object
  30431. type: object
  30432. served: true
  30433. storage: true
  30434. subresources:
  30435. status: {}
  30436. ---
  30437. apiVersion: apiextensions.k8s.io/v1
  30438. kind: CustomResourceDefinition
  30439. metadata:
  30440. annotations:
  30441. controller-gen.kubebuilder.io/version: v0.19.0
  30442. labels:
  30443. external-secrets.io/component: controller
  30444. name: uuids.generators.external-secrets.io
  30445. spec:
  30446. group: generators.external-secrets.io
  30447. names:
  30448. categories:
  30449. - external-secrets
  30450. - external-secrets-generators
  30451. kind: UUID
  30452. listKind: UUIDList
  30453. plural: uuids
  30454. singular: uuid
  30455. scope: Namespaced
  30456. versions:
  30457. - name: v1alpha1
  30458. schema:
  30459. openAPIV3Schema:
  30460. description: UUID generates a version 1 UUID (e56657e3-764f-11ef-a397-65231a88c216).
  30461. properties:
  30462. apiVersion:
  30463. description: |-
  30464. APIVersion defines the versioned schema of this representation of an object.
  30465. Servers should convert recognized schemas to the latest internal value, and
  30466. may reject unrecognized values.
  30467. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30468. type: string
  30469. kind:
  30470. description: |-
  30471. Kind is a string value representing the REST resource this object represents.
  30472. Servers may infer this from the endpoint the client submits requests to.
  30473. Cannot be updated.
  30474. In CamelCase.
  30475. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30476. type: string
  30477. metadata:
  30478. type: object
  30479. spec:
  30480. description: UUIDSpec controls the behavior of the uuid generator.
  30481. type: object
  30482. type: object
  30483. served: true
  30484. storage: true
  30485. subresources:
  30486. status: {}
  30487. ---
  30488. apiVersion: apiextensions.k8s.io/v1
  30489. kind: CustomResourceDefinition
  30490. metadata:
  30491. annotations:
  30492. controller-gen.kubebuilder.io/version: v0.19.0
  30493. labels:
  30494. external-secrets.io/component: controller
  30495. name: vaultdynamicsecrets.generators.external-secrets.io
  30496. spec:
  30497. group: generators.external-secrets.io
  30498. names:
  30499. categories:
  30500. - external-secrets
  30501. - external-secrets-generators
  30502. kind: VaultDynamicSecret
  30503. listKind: VaultDynamicSecretList
  30504. plural: vaultdynamicsecrets
  30505. singular: vaultdynamicsecret
  30506. scope: Namespaced
  30507. versions:
  30508. - name: v1alpha1
  30509. schema:
  30510. openAPIV3Schema:
  30511. description: VaultDynamicSecret represents a generator that can create dynamic secrets from HashiCorp Vault.
  30512. properties:
  30513. apiVersion:
  30514. description: |-
  30515. APIVersion defines the versioned schema of this representation of an object.
  30516. Servers should convert recognized schemas to the latest internal value, and
  30517. may reject unrecognized values.
  30518. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  30519. type: string
  30520. kind:
  30521. description: |-
  30522. Kind is a string value representing the REST resource this object represents.
  30523. Servers may infer this from the endpoint the client submits requests to.
  30524. Cannot be updated.
  30525. In CamelCase.
  30526. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  30527. type: string
  30528. metadata:
  30529. type: object
  30530. spec:
  30531. description: VaultDynamicSecretSpec defines the desired spec of VaultDynamicSecret.
  30532. properties:
  30533. allowEmptyResponse:
  30534. default: false
  30535. description: Do not fail if no secrets are found. Useful for requests where no data is expected.
  30536. type: boolean
  30537. controller:
  30538. description: |-
  30539. Used to select the correct ESO controller (think: ingress.ingressClassName)
  30540. The ESO controller is instantiated with a specific controller name and filters VDS based on this property
  30541. type: string
  30542. getParameters:
  30543. additionalProperties:
  30544. items:
  30545. type: string
  30546. type: array
  30547. description: |-
  30548. GetParameters are query-string parameters passed to Vault on GET calls.
  30549. Each key may map to multiple values, matching HTTP query-string semantics.
  30550. Ignored for non-GET methods; use Parameters for write bodies.
  30551. type: object
  30552. method:
  30553. description: Vault API method to use (GET/POST/other)
  30554. type: string
  30555. parameters:
  30556. description: Parameters to pass to Vault write (for non-GET methods)
  30557. x-kubernetes-preserve-unknown-fields: true
  30558. path:
  30559. description: Vault path to obtain the dynamic secret from
  30560. type: string
  30561. provider:
  30562. description: Vault provider common spec
  30563. properties:
  30564. auth:
  30565. description: Auth configures how secret-manager authenticates with the Vault server.
  30566. properties:
  30567. appRole:
  30568. description: |-
  30569. AppRole authenticates with Vault using the App Role auth mechanism,
  30570. with the role and secret stored in a Kubernetes Secret resource.
  30571. properties:
  30572. path:
  30573. default: approle
  30574. description: |-
  30575. Path where the App Role authentication backend is mounted
  30576. in Vault, e.g: "approle"
  30577. type: string
  30578. roleId:
  30579. description: |-
  30580. RoleID configured in the App Role authentication backend when setting
  30581. up the authentication backend in Vault.
  30582. type: string
  30583. roleRef:
  30584. description: |-
  30585. Reference to a key in a Secret that contains the App Role ID used
  30586. to authenticate with Vault.
  30587. The `key` field must be specified and denotes which entry within the Secret
  30588. resource is used as the app role id.
  30589. properties:
  30590. key:
  30591. description: |-
  30592. A key in the referenced Secret.
  30593. Some instances of this field may be defaulted, in others it may be required.
  30594. maxLength: 253
  30595. minLength: 1
  30596. pattern: ^[-._a-zA-Z0-9]+$
  30597. type: string
  30598. name:
  30599. description: The name of the Secret resource being referred to.
  30600. maxLength: 253
  30601. minLength: 1
  30602. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30603. type: string
  30604. namespace:
  30605. description: |-
  30606. The namespace of the Secret resource being referred to.
  30607. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30608. maxLength: 63
  30609. minLength: 1
  30610. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30611. type: string
  30612. type: object
  30613. secretRef:
  30614. description: |-
  30615. Reference to a key in a Secret that contains the App Role secret used
  30616. to authenticate with Vault.
  30617. The `key` field must be specified and denotes which entry within the Secret
  30618. resource is used as the app role secret.
  30619. properties:
  30620. key:
  30621. description: |-
  30622. A key in the referenced Secret.
  30623. Some instances of this field may be defaulted, in others it may be required.
  30624. maxLength: 253
  30625. minLength: 1
  30626. pattern: ^[-._a-zA-Z0-9]+$
  30627. type: string
  30628. name:
  30629. description: The name of the Secret resource being referred to.
  30630. maxLength: 253
  30631. minLength: 1
  30632. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30633. type: string
  30634. namespace:
  30635. description: |-
  30636. The namespace of the Secret resource being referred to.
  30637. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30638. maxLength: 63
  30639. minLength: 1
  30640. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30641. type: string
  30642. type: object
  30643. required:
  30644. - path
  30645. - secretRef
  30646. type: object
  30647. cert:
  30648. description: |-
  30649. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  30650. Cert authentication method
  30651. properties:
  30652. clientCert:
  30653. description: |-
  30654. ClientCert is a certificate to authenticate using the Cert Vault
  30655. authentication method
  30656. properties:
  30657. key:
  30658. description: |-
  30659. A key in the referenced Secret.
  30660. Some instances of this field may be defaulted, in others it may be required.
  30661. maxLength: 253
  30662. minLength: 1
  30663. pattern: ^[-._a-zA-Z0-9]+$
  30664. type: string
  30665. name:
  30666. description: The name of the Secret resource being referred to.
  30667. maxLength: 253
  30668. minLength: 1
  30669. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30670. type: string
  30671. namespace:
  30672. description: |-
  30673. The namespace of the Secret resource being referred to.
  30674. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30675. maxLength: 63
  30676. minLength: 1
  30677. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30678. type: string
  30679. type: object
  30680. path:
  30681. default: cert
  30682. description: |-
  30683. Path where the Certificate authentication backend is mounted
  30684. in Vault, e.g: "cert"
  30685. type: string
  30686. secretRef:
  30687. description: |-
  30688. SecretRef to a key in a Secret resource containing client private key to
  30689. authenticate with Vault using the Cert authentication method
  30690. properties:
  30691. key:
  30692. description: |-
  30693. A key in the referenced Secret.
  30694. Some instances of this field may be defaulted, in others it may be required.
  30695. maxLength: 253
  30696. minLength: 1
  30697. pattern: ^[-._a-zA-Z0-9]+$
  30698. type: string
  30699. name:
  30700. description: The name of the Secret resource being referred to.
  30701. maxLength: 253
  30702. minLength: 1
  30703. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30704. type: string
  30705. namespace:
  30706. description: |-
  30707. The namespace of the Secret resource being referred to.
  30708. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30709. maxLength: 63
  30710. minLength: 1
  30711. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30712. type: string
  30713. type: object
  30714. vaultRole:
  30715. description: VaultRole specifies the Vault role to use for TLS certificate authentication.
  30716. type: string
  30717. type: object
  30718. gcp:
  30719. description: |-
  30720. Gcp authenticates with Vault using Google Cloud Platform authentication method
  30721. GCP authentication method
  30722. properties:
  30723. location:
  30724. description: Location optionally defines a location/region for the secret
  30725. type: string
  30726. path:
  30727. default: gcp
  30728. description: 'Path where the GCP auth method is enabled in Vault, e.g: "gcp"'
  30729. type: string
  30730. projectID:
  30731. description: Project ID of the Google Cloud Platform project
  30732. type: string
  30733. role:
  30734. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  30735. type: string
  30736. secretRef:
  30737. description: Specify credentials in a Secret object
  30738. properties:
  30739. secretAccessKeySecretRef:
  30740. description: The SecretAccessKey is used for authentication
  30741. properties:
  30742. key:
  30743. description: |-
  30744. A key in the referenced Secret.
  30745. Some instances of this field may be defaulted, in others it may be required.
  30746. maxLength: 253
  30747. minLength: 1
  30748. pattern: ^[-._a-zA-Z0-9]+$
  30749. type: string
  30750. name:
  30751. description: The name of the Secret resource being referred to.
  30752. maxLength: 253
  30753. minLength: 1
  30754. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30755. type: string
  30756. namespace:
  30757. description: |-
  30758. The namespace of the Secret resource being referred to.
  30759. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30760. maxLength: 63
  30761. minLength: 1
  30762. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30763. type: string
  30764. type: object
  30765. type: object
  30766. serviceAccountRef:
  30767. description: ServiceAccountRef to a service account for impersonation
  30768. properties:
  30769. audiences:
  30770. description: |-
  30771. Audience specifies the `aud` claim for the service account token
  30772. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30773. then this audiences will be appended to the list
  30774. items:
  30775. type: string
  30776. type: array
  30777. name:
  30778. description: The name of the ServiceAccount resource being referred to.
  30779. maxLength: 253
  30780. minLength: 1
  30781. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30782. type: string
  30783. namespace:
  30784. description: |-
  30785. Namespace of the resource being referred to.
  30786. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30787. maxLength: 63
  30788. minLength: 1
  30789. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30790. type: string
  30791. required:
  30792. - name
  30793. type: object
  30794. workloadIdentity:
  30795. description: Specify a service account with Workload Identity
  30796. properties:
  30797. clusterLocation:
  30798. description: |-
  30799. ClusterLocation is the location of the cluster
  30800. If not specified, it fetches information from the metadata server
  30801. type: string
  30802. clusterName:
  30803. description: |-
  30804. ClusterName is the name of the cluster
  30805. If not specified, it fetches information from the metadata server
  30806. type: string
  30807. clusterProjectID:
  30808. description: |-
  30809. ClusterProjectID is the project ID of the cluster
  30810. If not specified, it fetches information from the metadata server
  30811. type: string
  30812. serviceAccountRef:
  30813. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30814. properties:
  30815. audiences:
  30816. description: |-
  30817. Audience specifies the `aud` claim for the service account token
  30818. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30819. then this audiences will be appended to the list
  30820. items:
  30821. type: string
  30822. type: array
  30823. name:
  30824. description: The name of the ServiceAccount resource being referred to.
  30825. maxLength: 253
  30826. minLength: 1
  30827. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30828. type: string
  30829. namespace:
  30830. description: |-
  30831. Namespace of the resource being referred to.
  30832. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30833. maxLength: 63
  30834. minLength: 1
  30835. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30836. type: string
  30837. required:
  30838. - name
  30839. type: object
  30840. required:
  30841. - serviceAccountRef
  30842. type: object
  30843. required:
  30844. - role
  30845. type: object
  30846. iam:
  30847. description: |-
  30848. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  30849. AWS IAM authentication method
  30850. properties:
  30851. externalID:
  30852. description: AWS External ID set on assumed IAM roles
  30853. type: string
  30854. jwt:
  30855. description: Specify a service account with IRSA enabled
  30856. properties:
  30857. serviceAccountRef:
  30858. description: ServiceAccountSelector is a reference to a ServiceAccount resource.
  30859. properties:
  30860. audiences:
  30861. description: |-
  30862. Audience specifies the `aud` claim for the service account token
  30863. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  30864. then this audiences will be appended to the list
  30865. items:
  30866. type: string
  30867. type: array
  30868. name:
  30869. description: The name of the ServiceAccount resource being referred to.
  30870. maxLength: 253
  30871. minLength: 1
  30872. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30873. type: string
  30874. namespace:
  30875. description: |-
  30876. Namespace of the resource being referred to.
  30877. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30878. maxLength: 63
  30879. minLength: 1
  30880. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30881. type: string
  30882. required:
  30883. - name
  30884. type: object
  30885. type: object
  30886. path:
  30887. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  30888. type: string
  30889. region:
  30890. description: AWS region
  30891. type: string
  30892. role:
  30893. description: This is the AWS role to be assumed before talking to vault
  30894. type: string
  30895. secretRef:
  30896. description: Specify credentials in a Secret object
  30897. properties:
  30898. accessKeyIDSecretRef:
  30899. description: The AccessKeyID is used for authentication
  30900. properties:
  30901. key:
  30902. description: |-
  30903. A key in the referenced Secret.
  30904. Some instances of this field may be defaulted, in others it may be required.
  30905. maxLength: 253
  30906. minLength: 1
  30907. pattern: ^[-._a-zA-Z0-9]+$
  30908. type: string
  30909. name:
  30910. description: The name of the Secret resource being referred to.
  30911. maxLength: 253
  30912. minLength: 1
  30913. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30914. type: string
  30915. namespace:
  30916. description: |-
  30917. The namespace of the Secret resource being referred to.
  30918. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30919. maxLength: 63
  30920. minLength: 1
  30921. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30922. type: string
  30923. type: object
  30924. secretAccessKeySecretRef:
  30925. description: The SecretAccessKey is used for authentication
  30926. properties:
  30927. key:
  30928. description: |-
  30929. A key in the referenced Secret.
  30930. Some instances of this field may be defaulted, in others it may be required.
  30931. maxLength: 253
  30932. minLength: 1
  30933. pattern: ^[-._a-zA-Z0-9]+$
  30934. type: string
  30935. name:
  30936. description: The name of the Secret resource being referred to.
  30937. maxLength: 253
  30938. minLength: 1
  30939. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30940. type: string
  30941. namespace:
  30942. description: |-
  30943. The namespace of the Secret resource being referred to.
  30944. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30945. maxLength: 63
  30946. minLength: 1
  30947. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30948. type: string
  30949. type: object
  30950. sessionTokenSecretRef:
  30951. description: |-
  30952. The SessionToken used for authentication
  30953. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  30954. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  30955. properties:
  30956. key:
  30957. description: |-
  30958. A key in the referenced Secret.
  30959. Some instances of this field may be defaulted, in others it may be required.
  30960. maxLength: 253
  30961. minLength: 1
  30962. pattern: ^[-._a-zA-Z0-9]+$
  30963. type: string
  30964. name:
  30965. description: The name of the Secret resource being referred to.
  30966. maxLength: 253
  30967. minLength: 1
  30968. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  30969. type: string
  30970. namespace:
  30971. description: |-
  30972. The namespace of the Secret resource being referred to.
  30973. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  30974. maxLength: 63
  30975. minLength: 1
  30976. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  30977. type: string
  30978. type: object
  30979. type: object
  30980. vaultAwsIamServerID:
  30981. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  30982. type: string
  30983. vaultRole:
  30984. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  30985. type: string
  30986. required:
  30987. - vaultRole
  30988. type: object
  30989. jwt:
  30990. description: |-
  30991. Jwt authenticates with Vault by passing role and JWT token using the
  30992. JWT/OIDC authentication method
  30993. properties:
  30994. kubernetesServiceAccountToken:
  30995. description: |-
  30996. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  30997. a token for with the `TokenRequest` API.
  30998. properties:
  30999. audiences:
  31000. description: |-
  31001. Optional audiences field that will be used to request a temporary Kubernetes service
  31002. account token for the service account referenced by `serviceAccountRef`.
  31003. Defaults to a single audience `vault` it not specified.
  31004. Deprecated: use serviceAccountRef.Audiences instead
  31005. items:
  31006. type: string
  31007. type: array
  31008. expirationSeconds:
  31009. description: |-
  31010. Optional expiration time in seconds that will be used to request a temporary
  31011. Kubernetes service account token for the service account referenced by
  31012. `serviceAccountRef`.
  31013. Deprecated: this will be removed in the future.
  31014. Defaults to 10 minutes.
  31015. format: int64
  31016. type: integer
  31017. serviceAccountRef:
  31018. description: Service account field containing the name of a kubernetes ServiceAccount.
  31019. properties:
  31020. audiences:
  31021. description: |-
  31022. Audience specifies the `aud` claim for the service account token
  31023. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  31024. then this audiences will be appended to the list
  31025. items:
  31026. type: string
  31027. type: array
  31028. name:
  31029. description: The name of the ServiceAccount resource being referred to.
  31030. maxLength: 253
  31031. minLength: 1
  31032. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31033. type: string
  31034. namespace:
  31035. description: |-
  31036. Namespace of the resource being referred to.
  31037. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31038. maxLength: 63
  31039. minLength: 1
  31040. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31041. type: string
  31042. required:
  31043. - name
  31044. type: object
  31045. required:
  31046. - serviceAccountRef
  31047. type: object
  31048. path:
  31049. default: jwt
  31050. description: |-
  31051. Path where the JWT authentication backend is mounted
  31052. in Vault, e.g: "jwt"
  31053. type: string
  31054. role:
  31055. description: |-
  31056. Role is a JWT role to authenticate using the JWT/OIDC Vault
  31057. authentication method
  31058. type: string
  31059. secretRef:
  31060. description: |-
  31061. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  31062. authenticate with Vault using the JWT/OIDC authentication method.
  31063. properties:
  31064. key:
  31065. description: |-
  31066. A key in the referenced Secret.
  31067. Some instances of this field may be defaulted, in others it may be required.
  31068. maxLength: 253
  31069. minLength: 1
  31070. pattern: ^[-._a-zA-Z0-9]+$
  31071. type: string
  31072. name:
  31073. description: The name of the Secret resource being referred to.
  31074. maxLength: 253
  31075. minLength: 1
  31076. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31077. type: string
  31078. namespace:
  31079. description: |-
  31080. The namespace of the Secret resource being referred to.
  31081. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31082. maxLength: 63
  31083. minLength: 1
  31084. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31085. type: string
  31086. type: object
  31087. required:
  31088. - path
  31089. type: object
  31090. kubernetes:
  31091. description: |-
  31092. Kubernetes authenticates with Vault by passing the ServiceAccount
  31093. token stored in the named Secret resource to the Vault server.
  31094. properties:
  31095. mountPath:
  31096. default: kubernetes
  31097. description: |-
  31098. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  31099. "kubernetes"
  31100. type: string
  31101. role:
  31102. description: |-
  31103. A required field containing the Vault Role to assume. A Role binds a
  31104. Kubernetes ServiceAccount with a set of Vault policies.
  31105. type: string
  31106. secretRef:
  31107. description: |-
  31108. Optional secret field containing a Kubernetes ServiceAccount JWT used
  31109. for authenticating with Vault. If a name is specified without a key,
  31110. `token` is the default. If one is not specified, the one bound to
  31111. the controller will be used.
  31112. properties:
  31113. key:
  31114. description: |-
  31115. A key in the referenced Secret.
  31116. Some instances of this field may be defaulted, in others it may be required.
  31117. maxLength: 253
  31118. minLength: 1
  31119. pattern: ^[-._a-zA-Z0-9]+$
  31120. type: string
  31121. name:
  31122. description: The name of the Secret resource being referred to.
  31123. maxLength: 253
  31124. minLength: 1
  31125. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31126. type: string
  31127. namespace:
  31128. description: |-
  31129. The namespace of the Secret resource being referred to.
  31130. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31131. maxLength: 63
  31132. minLength: 1
  31133. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31134. type: string
  31135. type: object
  31136. serviceAccountRef:
  31137. description: |-
  31138. Optional service account field containing the name of a kubernetes ServiceAccount.
  31139. If the service account is specified, the service account secret token JWT will be used
  31140. for authenticating with Vault. If the service account selector is not supplied,
  31141. the secretRef will be used instead.
  31142. properties:
  31143. audiences:
  31144. description: |-
  31145. Audience specifies the `aud` claim for the service account token
  31146. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  31147. then this audiences will be appended to the list
  31148. items:
  31149. type: string
  31150. type: array
  31151. name:
  31152. description: The name of the ServiceAccount resource being referred to.
  31153. maxLength: 253
  31154. minLength: 1
  31155. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31156. type: string
  31157. namespace:
  31158. description: |-
  31159. Namespace of the resource being referred to.
  31160. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31161. maxLength: 63
  31162. minLength: 1
  31163. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31164. type: string
  31165. required:
  31166. - name
  31167. type: object
  31168. required:
  31169. - mountPath
  31170. - role
  31171. type: object
  31172. ldap:
  31173. description: |-
  31174. Ldap authenticates with Vault by passing username/password pair using
  31175. the LDAP authentication method
  31176. properties:
  31177. path:
  31178. default: ldap
  31179. description: |-
  31180. Path where the LDAP authentication backend is mounted
  31181. in Vault, e.g: "ldap"
  31182. type: string
  31183. secretRef:
  31184. description: |-
  31185. SecretRef to a key in a Secret resource containing password for the LDAP
  31186. user used to authenticate with Vault using the LDAP authentication
  31187. method
  31188. properties:
  31189. key:
  31190. description: |-
  31191. A key in the referenced Secret.
  31192. Some instances of this field may be defaulted, in others it may be required.
  31193. maxLength: 253
  31194. minLength: 1
  31195. pattern: ^[-._a-zA-Z0-9]+$
  31196. type: string
  31197. name:
  31198. description: The name of the Secret resource being referred to.
  31199. maxLength: 253
  31200. minLength: 1
  31201. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31202. type: string
  31203. namespace:
  31204. description: |-
  31205. The namespace of the Secret resource being referred to.
  31206. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31207. maxLength: 63
  31208. minLength: 1
  31209. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31210. type: string
  31211. type: object
  31212. username:
  31213. description: |-
  31214. Username is an LDAP username used to authenticate using the LDAP Vault
  31215. authentication method
  31216. type: string
  31217. required:
  31218. - path
  31219. - username
  31220. type: object
  31221. namespace:
  31222. description: |-
  31223. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  31224. Namespaces is a set of features within Vault Enterprise that allows
  31225. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  31226. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31227. This will default to Vault.Namespace field if set, or empty otherwise
  31228. type: string
  31229. tokenSecretRef:
  31230. description: TokenSecretRef authenticates with Vault by presenting a token.
  31231. properties:
  31232. key:
  31233. description: |-
  31234. A key in the referenced Secret.
  31235. Some instances of this field may be defaulted, in others it may be required.
  31236. maxLength: 253
  31237. minLength: 1
  31238. pattern: ^[-._a-zA-Z0-9]+$
  31239. type: string
  31240. name:
  31241. description: The name of the Secret resource being referred to.
  31242. maxLength: 253
  31243. minLength: 1
  31244. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31245. type: string
  31246. namespace:
  31247. description: |-
  31248. The namespace of the Secret resource being referred to.
  31249. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31250. maxLength: 63
  31251. minLength: 1
  31252. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31253. type: string
  31254. type: object
  31255. userPass:
  31256. description: UserPass authenticates with Vault by passing username/password pair
  31257. properties:
  31258. path:
  31259. default: userpass
  31260. description: |-
  31261. Path where the UserPassword authentication backend is mounted
  31262. in Vault, e.g: "userpass"
  31263. type: string
  31264. secretRef:
  31265. description: |-
  31266. SecretRef to a key in a Secret resource containing password for the
  31267. user used to authenticate with Vault using the UserPass authentication
  31268. method
  31269. properties:
  31270. key:
  31271. description: |-
  31272. A key in the referenced Secret.
  31273. Some instances of this field may be defaulted, in others it may be required.
  31274. maxLength: 253
  31275. minLength: 1
  31276. pattern: ^[-._a-zA-Z0-9]+$
  31277. type: string
  31278. name:
  31279. description: The name of the Secret resource being referred to.
  31280. maxLength: 253
  31281. minLength: 1
  31282. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31283. type: string
  31284. namespace:
  31285. description: |-
  31286. The namespace of the Secret resource being referred to.
  31287. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31288. maxLength: 63
  31289. minLength: 1
  31290. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31291. type: string
  31292. type: object
  31293. username:
  31294. description: |-
  31295. Username is a username used to authenticate using the UserPass Vault
  31296. authentication method
  31297. type: string
  31298. required:
  31299. - path
  31300. - username
  31301. type: object
  31302. type: object
  31303. caBundle:
  31304. description: |-
  31305. PEM encoded CA bundle used to validate Vault server certificate. Only used
  31306. if the Server URL is using HTTPS protocol. This parameter is ignored for
  31307. plain HTTP protocol connection. If not set the system root certificates
  31308. are used to validate the TLS connection.
  31309. format: byte
  31310. type: string
  31311. caProvider:
  31312. description: The provider for the CA bundle to use to validate Vault server certificate.
  31313. properties:
  31314. key:
  31315. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31316. maxLength: 253
  31317. minLength: 1
  31318. pattern: ^[-._a-zA-Z0-9]+$
  31319. type: string
  31320. name:
  31321. description: The name of the object located at the provider type.
  31322. maxLength: 253
  31323. minLength: 1
  31324. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31325. type: string
  31326. namespace:
  31327. description: |-
  31328. The namespace the Provider type is in.
  31329. Can only be defined when used in a ClusterSecretStore.
  31330. maxLength: 63
  31331. minLength: 1
  31332. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31333. type: string
  31334. type:
  31335. description: The type of provider to use such as "Secret", or "ConfigMap".
  31336. enum:
  31337. - Secret
  31338. - ConfigMap
  31339. type: string
  31340. required:
  31341. - name
  31342. - type
  31343. type: object
  31344. checkAndSet:
  31345. description: |-
  31346. CheckAndSet defines the Check-And-Set (CAS) settings for PushSecret operations.
  31347. Only applies to Vault KV v2 stores. When enabled, write operations must include
  31348. the current version of the secret to prevent unintentional overwrites.
  31349. properties:
  31350. required:
  31351. description: |-
  31352. Required when true, all write operations must include a check-and-set parameter.
  31353. This helps prevent unintentional overwrites of secrets.
  31354. type: boolean
  31355. type: object
  31356. forwardInconsistent:
  31357. description: |-
  31358. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  31359. leader instead of simply retrying within a loop. This can increase performance if
  31360. the option is enabled serverside.
  31361. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  31362. type: boolean
  31363. headers:
  31364. additionalProperties:
  31365. type: string
  31366. description: Headers to be added in Vault request
  31367. type: object
  31368. namespace:
  31369. description: |-
  31370. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  31371. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  31372. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  31373. type: string
  31374. path:
  31375. description: |-
  31376. Path is the mount path of the Vault KV backend endpoint, e.g:
  31377. "secret". The v2 KV secret engine version specific "/data" path suffix
  31378. for fetching secrets from Vault is optional and will be appended
  31379. if not present in specified path.
  31380. type: string
  31381. readYourWrites:
  31382. description: |-
  31383. ReadYourWrites ensures isolated read-after-write semantics by
  31384. providing discovered cluster replication states in each request.
  31385. More information about eventual consistency in Vault can be found here
  31386. https://www.vaultproject.io/docs/enterprise/consistency
  31387. type: boolean
  31388. server:
  31389. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  31390. type: string
  31391. tls:
  31392. description: |-
  31393. The configuration used for client side related TLS communication, when the Vault server
  31394. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  31395. This parameter is ignored for plain HTTP protocol connection.
  31396. It's worth noting this configuration is different from the "TLS certificates auth method",
  31397. which is available under the `auth.cert` section.
  31398. properties:
  31399. certSecretRef:
  31400. description: |-
  31401. CertSecretRef is a certificate added to the transport layer
  31402. when communicating with the Vault server.
  31403. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  31404. properties:
  31405. key:
  31406. description: |-
  31407. A key in the referenced Secret.
  31408. Some instances of this field may be defaulted, in others it may be required.
  31409. maxLength: 253
  31410. minLength: 1
  31411. pattern: ^[-._a-zA-Z0-9]+$
  31412. type: string
  31413. name:
  31414. description: The name of the Secret resource being referred to.
  31415. maxLength: 253
  31416. minLength: 1
  31417. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31418. type: string
  31419. namespace:
  31420. description: |-
  31421. The namespace of the Secret resource being referred to.
  31422. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31423. maxLength: 63
  31424. minLength: 1
  31425. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31426. type: string
  31427. type: object
  31428. keySecretRef:
  31429. description: |-
  31430. KeySecretRef to a key in a Secret resource containing client private key
  31431. added to the transport layer when communicating with the Vault server.
  31432. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  31433. properties:
  31434. key:
  31435. description: |-
  31436. A key in the referenced Secret.
  31437. Some instances of this field may be defaulted, in others it may be required.
  31438. maxLength: 253
  31439. minLength: 1
  31440. pattern: ^[-._a-zA-Z0-9]+$
  31441. type: string
  31442. name:
  31443. description: The name of the Secret resource being referred to.
  31444. maxLength: 253
  31445. minLength: 1
  31446. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31447. type: string
  31448. namespace:
  31449. description: |-
  31450. The namespace of the Secret resource being referred to.
  31451. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31452. maxLength: 63
  31453. minLength: 1
  31454. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31455. type: string
  31456. type: object
  31457. type: object
  31458. version:
  31459. default: v2
  31460. description: |-
  31461. Version is the Vault KV secret engine version. This can be either "v1" or
  31462. "v2". Version defaults to "v2".
  31463. enum:
  31464. - v1
  31465. - v2
  31466. type: string
  31467. required:
  31468. - server
  31469. type: object
  31470. resultType:
  31471. default: Data
  31472. description: |-
  31473. Result type defines which data is returned from the generator.
  31474. By default, it is the "data" section of the Vault API response.
  31475. When using e.g. /auth/token/create the "data" section is empty but
  31476. the "auth" section contains the generated token.
  31477. Please refer to the vault docs regarding the result data structure.
  31478. Additionally, accessing the raw response is possibly by using "Raw" result type.
  31479. enum:
  31480. - Data
  31481. - Auth
  31482. - Raw
  31483. type: string
  31484. retrySettings:
  31485. description: Used to configure http retries if failed
  31486. properties:
  31487. maxRetries:
  31488. format: int32
  31489. type: integer
  31490. retryInterval:
  31491. type: string
  31492. type: object
  31493. required:
  31494. - path
  31495. - provider
  31496. type: object
  31497. type: object
  31498. served: true
  31499. storage: true
  31500. subresources:
  31501. status: {}
  31502. ---
  31503. apiVersion: apiextensions.k8s.io/v1
  31504. kind: CustomResourceDefinition
  31505. metadata:
  31506. annotations:
  31507. controller-gen.kubebuilder.io/version: v0.19.0
  31508. labels:
  31509. external-secrets.io/component: controller
  31510. name: webhooks.generators.external-secrets.io
  31511. spec:
  31512. group: generators.external-secrets.io
  31513. names:
  31514. categories:
  31515. - external-secrets
  31516. - external-secrets-generators
  31517. kind: Webhook
  31518. listKind: WebhookList
  31519. plural: webhooks
  31520. singular: webhook
  31521. scope: Namespaced
  31522. versions:
  31523. - name: v1alpha1
  31524. schema:
  31525. openAPIV3Schema:
  31526. description: |-
  31527. Webhook connects to a third party API server to handle the secrets generation
  31528. configuration parameters in spec.
  31529. You can specify the server, the token, and additional body parameters.
  31530. See documentation for the full API specification for requests and responses.
  31531. properties:
  31532. apiVersion:
  31533. description: |-
  31534. APIVersion defines the versioned schema of this representation of an object.
  31535. Servers should convert recognized schemas to the latest internal value, and
  31536. may reject unrecognized values.
  31537. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  31538. type: string
  31539. kind:
  31540. description: |-
  31541. Kind is a string value representing the REST resource this object represents.
  31542. Servers may infer this from the endpoint the client submits requests to.
  31543. Cannot be updated.
  31544. In CamelCase.
  31545. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  31546. type: string
  31547. metadata:
  31548. type: object
  31549. spec:
  31550. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  31551. properties:
  31552. auth:
  31553. description: Auth specifies a authorization protocol. Only one protocol may be set.
  31554. maxProperties: 1
  31555. minProperties: 1
  31556. properties:
  31557. ntlm:
  31558. description: NTLMProtocol configures the store to use NTLM for auth
  31559. properties:
  31560. passwordSecret:
  31561. description: |-
  31562. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31563. In some instances, `key` is a required field.
  31564. properties:
  31565. key:
  31566. description: |-
  31567. A key in the referenced Secret.
  31568. Some instances of this field may be defaulted, in others it may be required.
  31569. maxLength: 253
  31570. minLength: 1
  31571. pattern: ^[-._a-zA-Z0-9]+$
  31572. type: string
  31573. name:
  31574. description: The name of the Secret resource being referred to.
  31575. maxLength: 253
  31576. minLength: 1
  31577. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31578. type: string
  31579. namespace:
  31580. description: |-
  31581. The namespace of the Secret resource being referred to.
  31582. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31583. maxLength: 63
  31584. minLength: 1
  31585. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31586. type: string
  31587. type: object
  31588. usernameSecret:
  31589. description: |-
  31590. SecretKeySelector is a reference to a specific 'key' within a Secret resource.
  31591. In some instances, `key` is a required field.
  31592. properties:
  31593. key:
  31594. description: |-
  31595. A key in the referenced Secret.
  31596. Some instances of this field may be defaulted, in others it may be required.
  31597. maxLength: 253
  31598. minLength: 1
  31599. pattern: ^[-._a-zA-Z0-9]+$
  31600. type: string
  31601. name:
  31602. description: The name of the Secret resource being referred to.
  31603. maxLength: 253
  31604. minLength: 1
  31605. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31606. type: string
  31607. namespace:
  31608. description: |-
  31609. The namespace of the Secret resource being referred to.
  31610. Ignored if referent is not cluster-scoped, otherwise defaults to the namespace of the referent.
  31611. maxLength: 63
  31612. minLength: 1
  31613. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31614. type: string
  31615. type: object
  31616. required:
  31617. - passwordSecret
  31618. - usernameSecret
  31619. type: object
  31620. type: object
  31621. body:
  31622. description: Body
  31623. type: string
  31624. caBundle:
  31625. description: |-
  31626. PEM encoded CA bundle used to validate webhook server certificate. Only used
  31627. if the Server URL is using HTTPS protocol. This parameter is ignored for
  31628. plain HTTP protocol connection. If not set the system root certificates
  31629. are used to validate the TLS connection.
  31630. format: byte
  31631. type: string
  31632. caProvider:
  31633. description: The provider for the CA bundle to use to validate webhook server certificate.
  31634. properties:
  31635. key:
  31636. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  31637. maxLength: 253
  31638. minLength: 1
  31639. pattern: ^[-._a-zA-Z0-9]+$
  31640. type: string
  31641. name:
  31642. description: The name of the object located at the provider type.
  31643. maxLength: 253
  31644. minLength: 1
  31645. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31646. type: string
  31647. namespace:
  31648. description: The namespace the Provider type is in.
  31649. maxLength: 63
  31650. minLength: 1
  31651. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
  31652. type: string
  31653. type:
  31654. description: The type of provider to use such as "Secret", or "ConfigMap".
  31655. enum:
  31656. - Secret
  31657. - ConfigMap
  31658. type: string
  31659. required:
  31660. - name
  31661. - type
  31662. type: object
  31663. headers:
  31664. additionalProperties:
  31665. type: string
  31666. description: Headers
  31667. type: object
  31668. method:
  31669. description: Webhook Method
  31670. type: string
  31671. result:
  31672. description: Result formatting
  31673. properties:
  31674. jsonPath:
  31675. description: Json path of return value
  31676. type: string
  31677. type: object
  31678. secrets:
  31679. description: |-
  31680. Secrets to fill in templates
  31681. These secrets will be passed to the templating function as key value pairs under the given name
  31682. items:
  31683. description: WebhookSecret defines a secret reference that will be used in webhook templates.
  31684. properties:
  31685. name:
  31686. description: Name of this secret in templates
  31687. type: string
  31688. secretRef:
  31689. description: Secret ref to fill in credentials
  31690. properties:
  31691. key:
  31692. description: The key where the token is found.
  31693. maxLength: 253
  31694. minLength: 1
  31695. pattern: ^[-._a-zA-Z0-9]+$
  31696. type: string
  31697. name:
  31698. description: The name of the Secret resource being referred to.
  31699. maxLength: 253
  31700. minLength: 1
  31701. pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
  31702. type: string
  31703. type: object
  31704. required:
  31705. - name
  31706. - secretRef
  31707. type: object
  31708. type: array
  31709. timeout:
  31710. description: Timeout
  31711. type: string
  31712. url:
  31713. description: Webhook url to call
  31714. type: string
  31715. required:
  31716. - result
  31717. - url
  31718. type: object
  31719. type: object
  31720. served: true
  31721. storage: true
  31722. subresources:
  31723. status: {}