bundle.yaml 685 KB

78778877987808781878287838784878587868787878887898790879187928793879487958796879787988799880088018802880388048805880688078808880988108811881288138814881588168817881888198820882188228823882488258826882788288829883088318832883388348835883688378838883988408841884288438844884588468847884888498850885188528853885488558856885788588859886088618862886388648865886688678868886988708871887288738874887588768877887888798880888188828883888488858886888788888889889088918892889388948895889688978898889989008901890289038904890589068907890889098910891189128913891489158916891789188919892089218922892389248925892689278928892989308931893289338934893589368937893889398940894189428943894489458946894789488949895089518952895389548955895689578958895989608961896289638964896589668967896889698970897189728973897489758976897789788979898089818982898389848985898689878988898989908991899289938994899589968997899889999000900190029003900490059006900790089009901090119012901390149015901690179018901990209021902290239024902590269027902890299030903190329033903490359036903790389039904090419042904390449045904690479048904990509051905290539054905590569057905890599060906190629063906490659066906790689069907090719072907390749075907690779078907990809081908290839084908590869087908890899090909190929093909490959096909790989099910091019102910391049105910691079108910991109111911291139114911591169117911891199120912191229123912491259126912791289129913091319132913391349135913691379138913991409141914291439144914591469147914891499150915191529153915491559156915791589159916091619162916391649165916691679168916991709171917291739174917591769177917891799180918191829183918491859186918791889189919091919192919391949195919691979198919992009201920292039204920592069207920892099210921192129213921492159216921792189219922092219222922392249225922692279228922992309231923292339234923592369237923892399240924192429243924492459246924792489249925092519252925392549255925692579258925992609261926292639264926592669267926892699270927192729273927492759276927
79278927992809281928292839284928592869287928892899290929192929293929492959296929792989299930093019302930393049305930693079308930993109311931293139314931593169317931893199320932193229323932493259326932793289329933093319332933393349335933693379338933993409341934293439344934593469347934893499350935193529353935493559356935793589359936093619362936393649365936693679368936993709371937293739374937593769377937893799380938193829383938493859386938793889389939093919392939393949395939693979398939994009401940294039404940594069407940894099410941194129413941494159416941794189419942094219422942394249425942694279428942994309431943294339434943594369437943894399440944194429443944494459446944794489449945094519452945394549455945694579458945994609461946294639464946594669467946894699470947194729473947494759476947794789479948094819482948394849485948694879488948994909491949294939494949594969497949894999500950195029503950495059506950795089509951095119512951395149515951695179518951995209521952295239524952595269527952895299530953195329533953495359536953795389539954095419542954395449545954695479548954995509551955295539554955595569557955895599560956195629563956495659566956795689569957095719572957395749575957695779578957995809581958295839584958595869587958895899590959195929593959495959596959795989599960096019602960396049605960696079608960996109611961296139614961596169617961896199620962196229623962496259626962796289629963096319632963396349635963696379638963996409641964296439644964596469647964896499650965196529653965496559656965796589659966096619662966396649665966696679668966996709671967296739674967596769677967896799680968196829683968496859686968796889689969096919692969396949695969696979698969997009701970297039704970597069707970897099710971197129713971497159716971797189719972097219722972397249725972697279728972997309731973297339734973597369737973897399740974197429743974497459746974797489749975097519752975397549755975697579758975997609761976297639764976597669767976897699770977197729773977497759776977
79778977997809781978297839784978597869787978897899790979197929793979497959796979797989799980098019802980398049805980698079808980998109811981298139814981598169817981898199820982198229823982498259826982798289829983098319832983398349835983698379838983998409841984298439844984598469847984898499850985198529853985498559856985798589859986098619862986398649865986698679868986998709871987298739874987598769877987898799880988198829883988498859886988798889889989098919892989398949895989698979898989999009901990299039904990599069907990899099910991199129913991499159916991799189919992099219922992399249925992699279928992999309931993299339934993599369937993899399940994199429943994499459946994799489949995099519952995399549955995699579958995999609961996299639964996599669967996899699970997199729973997499759976997799789979998099819982998399849985998699879988998999909991999299939994999599969997999899991000010001100021000310004100051000610007100081000910010100111001210013100141001510016100171001810019100201002110022100231002410025100261002710028100291003010031100321003310034100351003610037100381003910040100411004210043100441004510046100471004810049100501005110052100531005410055100561005710058100591006010061100621006310064100651006610067100681006910070100711007210073100741007510076100771007810079100801008110082100831008410085100861008710088100891009010091100921009310094100951009610097100981009910100101011010210103101041010510106101071010810109101101011110112101131011410115101161011710118101191012010121101221012310124101251012610127101281012910130101311013210133101341013510136101371013810139101401014110142101431014410145101461014710148101491015010151101521015310154101551015610157101581015910160101611016210163101641016510166101671016810169101701017110172101731017410175101761017710178101791018010181101821018310184101851018610187101881018910190101911019210193101941019510196101971019810199102001020110202102031020410205102061020710208102091021010211102121021310214102151021610217102181021910220102211
02221022310224102251022610227102281022910230102311023210233102341023510236102371023810239102401024110242102431024410245102461024710248102491025010251102521025310254102551025610257102581025910260102611026210263102641026510266102671026810269102701027110272102731027410275102761027710278102791028010281102821028310284102851028610287102881028910290102911029210293102941029510296102971029810299103001030110302103031030410305103061030710308103091031010311103121031310314103151031610317103181031910320103211032210323103241032510326103271032810329103301033110332103331033410335103361033710338103391034010341103421034310344103451034610347103481034910350103511035210353103541035510356103571035810359103601036110362103631036410365103661036710368103691037010371103721037310374103751037610377103781037910380103811038210383103841038510386103871038810389103901039110392103931039410395103961039710398103991040010401104021040310404104051040610407104081040910410104111041210413104141041510416104171041810419104201042110422104231042410425104261042710428104291043010431104321043310434104351043610437104381043910440104411044210443104441044510446104471044810449104501045110452104531045410455104561045710458104591046010461104621046310464104651046610467104681046910470104711047210473104741047510476104771047810479104801048110482104831048410485104861048710488104891049010491104921049310494104951049610497104981049910500105011050210503105041050510506105071050810509105101051110512105131051410515105161051710518105191052010521105221052310524105251052610527105281052910530105311053210533105341053510536105371053810539105401054110542105431054410545105461054710548105491055010551105521055310554105551055610557105581055910560105611056210563105641056510566105671056810569105701057110572105731057410575105761057710578105791058010581105821058310584105851058610587105881058910590105911059210593105941059510596105971059810599106001060110602106031060410605106061060710608106091061010611106121061310614106151061610617106181061910620106211
06221062310624106251062610627106281062910630106311063210633106341063510636106371063810639106401064110642106431064410645106461064710648106491065010651106521065310654106551065610657106581065910660106611066210663106641066510666106671066810669106701067110672106731067410675106761067710678106791068010681106821068310684106851068610687106881068910690106911069210693106941069510696106971069810699107001070110702107031070410705107061070710708107091071010711107121071310714107151071610717107181071910720107211072210723107241072510726107271072810729107301073110732107331073410735107361073710738107391074010741107421074310744107451074610747107481074910750107511075210753107541075510756107571075810759107601076110762107631076410765107661076710768107691077010771107721077310774107751077610777107781077910780107811078210783107841078510786107871078810789107901079110792107931079410795107961079710798107991080010801108021080310804108051080610807108081080910810108111081210813108141081510816108171081810819108201082110822108231082410825108261082710828108291083010831108321083310834108351083610837108381083910840108411084210843108441084510846108471084810849108501085110852108531085410855108561085710858108591086010861108621086310864108651086610867108681086910870108711087210873108741087510876108771087810879108801088110882108831088410885108861088710888108891089010891108921089310894108951089610897108981089910900109011090210903109041090510906109071090810909109101091110912109131091410915109161091710918109191092010921109221092310924109251092610927109281092910930109311093210933109341093510936109371093810939109401094110942109431094410945109461094710948109491095010951109521095310954109551095610957109581095910960109611096210963109641096510966109671096810969109701097110972109731097410975109761097710978109791098010981109821098310984109851098610987109881098910990109911099210993109941099510996109971099810999110001100111002110031100411005110061100711008110091101011011110121101311014110151101611017110181101911020110211
10221102311024110251102611027110281102911030110311103211033110341103511036110371103811039110401104111042110431104411045110461104711048110491105011051110521105311054110551105611057110581105911060110611106211063110641106511066110671106811069110701107111072110731107411075110761107711078110791108011081110821108311084110851108611087110881108911090110911109211093110941109511096110971109811099111001110111102111031110411105111061110711108111091111011111111121111311114111151111611117111181111911120111211112211123111241112511126111271112811129111301113111132111331113411135111361113711138111391114011141111421114311144111451114611147111481114911150111511115211153111541115511156111571115811159111601116111162111631116411165111661116711168111691117011171111721117311174111751117611177111781117911180111811118211183111841118511186111871118811189111901119111192111931119411195111961119711198111991120011201112021120311204112051120611207112081120911210112111121211213112141121511216112171121811219112201122111222112231122411225112261122711228112291123011231112321123311234112351123611237112381123911240112411124211243112441124511246112471124811249112501125111252112531125411255112561125711258112591126011261112621126311264112651126611267112681126911270112711127211273112741127511276112771127811279112801128111282112831128411285112861128711288112891129011291112921129311294112951129611297112981129911300113011130211303113041130511306113071130811309113101131111312113131131411315113161131711318113191132011321113221132311324113251132611327113281132911330113311133211333113341133511336113371133811339113401134111342113431134411345113461134711348113491135011351113521135311354113551135611357113581135911360113611136211363113641136511366113671136811369113701137111372113731137411375113761137711378113791138011381113821138311384113851138611387113881138911390113911139211393113941139511396113971139811399114001140111402114031140411405114061140711408114091141011411114121141311414114151141611417114181141911420114211
14221142311424114251142611427114281142911430114311143211433114341143511436114371143811439114401144111442114431144411445114461144711448114491145011451114521145311454114551145611457114581145911460114611146211463114641146511466114671146811469114701147111472114731147411475114761147711478114791148011481114821148311484114851148611487114881148911490114911149211493114941149511496114971149811499115001150111502115031150411505115061150711508115091151011511115121151311514115151151611517115181151911520115211152211523115241152511526115271152811529115301153111532115331153411535115361153711538115391154011541115421154311544115451154611547115481154911550115511155211553115541155511556115571155811559115601156111562115631156411565115661156711568115691157011571115721157311574115751157611577115781157911580115811158211583115841158511586115871158811589115901159111592115931159411595115961159711598115991160011601116021160311604116051160611607116081160911610116111161211613116141161511616116171161811619116201162111622116231162411625116261162711628116291163011631116321163311634116351163611637116381163911640116411164211643116441164511646116471164811649116501165111652116531165411655116561165711658116591166011661116621166311664116651166611667116681166911670116711167211673116741167511676116771167811679116801168111682116831168411685116861168711688116891169011691116921169311694116951169611697116981169911700117011170211703117041170511706117071170811709117101171111712117131171411715117161171711718117191172011721117221172311724117251172611727117281172911730117311173211733117341173511736117371173811739117401174111742117431174411745117461174711748117491175011751117521175311754117551175611757117581175911760117611176211763117641176511766117671176811769117701177111772117731177411775117761177711778117791178011781117821178311784117851178611787117881178911790117911179211793117941179511796117971179811799118001180111802118031180411805118061180711808118091181011811118121181311814118151181611817118181181911820118211
18221182311824118251182611827118281182911830118311183211833118341183511836118371183811839118401184111842118431184411845118461184711848118491185011851118521185311854118551185611857118581185911860118611186211863118641186511866118671186811869118701187111872118731187411875118761187711878118791188011881118821188311884118851188611887118881188911890118911189211893118941189511896118971189811899119001190111902119031190411905119061190711908119091191011911119121191311914119151191611917119181191911920119211192211923119241192511926119271192811929119301193111932119331193411935119361193711938119391194011941119421194311944119451194611947119481194911950119511195211953119541195511956119571195811959119601196111962119631196411965119661196711968119691197011971119721197311974119751197611977119781197911980119811198211983119841198511986119871198811989119901199111992119931199411995119961199711998119991200012001120021200312004120051200612007120081200912010120111201212013120141201512016120171201812019120201202112022120231202412025120261202712028120291203012031120321203312034120351203612037120381203912040120411204212043120441204512046120471204812049120501205112052120531205412055120561205712058120591206012061120621206312064120651206612067120681206912070120711207212073120741207512076120771207812079120801208112082120831208412085120861208712088120891209012091120921209312094120951209612097120981209912100121011210212103121041210512106121071210812109121101211112112121131211412115121161211712118121191212012121121221212312124121251212612127121281212912130121311213212133121341213512136121371213812139121401214112142121431214412145121461214712148121491215012151121521215312154121551215612157121581215912160121611216212163121641216512166121671216812169121701217112172121731217412175121761217712178121791218012181121821218312184121851218612187121881218912190121911219212193121941219512196121971219812199122001220112202122031220412205122061220712208122091221012211122121221312214122151221612217122181221912220122211
2222122231222412225122261222712228122291223012231122321223312234122351223612237122381223912240122411224212243122441224512246122471224812249122501225112252122531225412255122561225712258122591226012261122621226312264122651226612267122681226912270122711227212273122741227512276122771227812279122801228112282122831228412285122861228712288122891229012291122921229312294122951229612297122981229912300
  1. apiVersion: apiextensions.k8s.io/v1
  2. kind: CustomResourceDefinition
  3. metadata:
  4. annotations:
  5. controller-gen.kubebuilder.io/version: v0.15.0
  6. labels:
  7. external-secrets.io/component: controller
  8. name: clusterexternalsecrets.external-secrets.io
  9. spec:
  10. group: external-secrets.io
  11. names:
  12. categories:
  13. - externalsecrets
  14. kind: ClusterExternalSecret
  15. listKind: ClusterExternalSecretList
  16. plural: clusterexternalsecrets
  17. shortNames:
  18. - ces
  19. singular: clusterexternalsecret
  20. scope: Cluster
  21. versions:
  22. - additionalPrinterColumns:
  23. - jsonPath: .spec.externalSecretSpec.secretStoreRef.name
  24. name: Store
  25. type: string
  26. - jsonPath: .spec.refreshTime
  27. name: Refresh Interval
  28. type: string
  29. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  30. name: Ready
  31. type: string
  32. name: v1beta1
  33. schema:
  34. openAPIV3Schema:
  35. description: ClusterExternalSecret is the Schema for the clusterexternalsecrets API.
  36. properties:
  37. apiVersion:
  38. description: |-
  39. APIVersion defines the versioned schema of this representation of an object.
  40. Servers should convert recognized schemas to the latest internal value, and
  41. may reject unrecognized values.
  42. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  43. type: string
  44. kind:
  45. description: |-
  46. Kind is a string value representing the REST resource this object represents.
  47. Servers may infer this from the endpoint the client submits requests to.
  48. Cannot be updated.
  49. In CamelCase.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  51. type: string
  52. metadata:
  53. type: object
  54. spec:
  55. description: ClusterExternalSecretSpec defines the desired state of ClusterExternalSecret.
  56. properties:
  57. externalSecretMetadata:
  58. description: The metadata of the external secrets to be created
  59. properties:
  60. annotations:
  61. additionalProperties:
  62. type: string
  63. type: object
  64. labels:
  65. additionalProperties:
  66. type: string
  67. type: object
  68. type: object
  69. externalSecretName:
  70. description: The name of the external secrets to be created; defaults to the name of the ClusterExternalSecret.
  71. type: string
  72. externalSecretSpec:
  73. description: The spec for the ExternalSecrets to be created
  74. properties:
  75. data:
  76. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  77. items:
  78. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  79. properties:
  80. remoteRef:
  81. description: |-
  82. RemoteRef points to the remote secret and defines
  83. which secret (version/property/..) to fetch.
  84. properties:
  85. conversionStrategy:
  86. default: Default
  87. description: Used to define a conversion Strategy
  88. enum:
  89. - Default
  90. - Unicode
  91. type: string
  92. decodingStrategy:
  93. default: None
  94. description: Used to define a decoding Strategy
  95. enum:
  96. - Auto
  97. - Base64
  98. - Base64URL
  99. - None
  100. type: string
  101. key:
  102. description: Key is the key used in the Provider, mandatory
  103. type: string
  104. metadataPolicy:
  105. default: None
  106. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  107. enum:
  108. - None
  109. - Fetch
  110. type: string
  111. property:
  112. description: Used to select a specific property of the Provider value (if a map), if supported
  113. type: string
  114. version:
  115. description: Used to select a specific version of the Provider value, if supported
  116. type: string
  117. required:
  118. - key
  119. type: object
  120. secretKey:
  121. description: |-
  122. SecretKey defines the key in which the controller stores
  123. the value. This is the key in the Kind=Secret
  124. type: string
  125. sourceRef:
  126. description: |-
  127. SourceRef allows you to override the source
  128. from which the value will be pulled.
  129. maxProperties: 1
  130. properties:
  131. generatorRef:
  132. description: |-
  133. GeneratorRef points to a generator custom resource.
  134. Deprecated: The generatorRef is not implemented in .data[].
  135. This will be removed with v1.
  136. properties:
  137. apiVersion:
  138. default: generators.external-secrets.io/v1alpha1
  139. description: Specify the apiVersion of the generator resource
  140. type: string
  141. kind:
  142. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  143. type: string
  144. name:
  145. description: Specify the name of the generator resource
  146. type: string
  147. required:
  148. - kind
  149. - name
  150. type: object
  151. storeRef:
  152. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  153. properties:
  154. kind:
  155. description: |-
  156. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  157. Defaults to `SecretStore`
  158. type: string
  159. name:
  160. description: Name of the SecretStore resource
  161. type: string
  162. required:
  163. - name
  164. type: object
  165. type: object
  166. required:
  167. - remoteRef
  168. - secretKey
  169. type: object
  170. type: array
  171. dataFrom:
  172. description: |-
  173. DataFrom is used to fetch all properties from a specific Provider data.
  174. If multiple entries are specified, the Secret keys are merged in the specified order
  175. items:
  176. properties:
  177. extract:
  178. description: |-
  179. Used to extract multiple key/value pairs from one secret
  180. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  181. properties:
  182. conversionStrategy:
  183. default: Default
  184. description: Used to define a conversion Strategy
  185. enum:
  186. - Default
  187. - Unicode
  188. type: string
  189. decodingStrategy:
  190. default: None
  191. description: Used to define a decoding Strategy
  192. enum:
  193. - Auto
  194. - Base64
  195. - Base64URL
  196. - None
  197. type: string
  198. key:
  199. description: Key is the key used in the Provider, mandatory
  200. type: string
  201. metadataPolicy:
  202. default: None
  203. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  204. enum:
  205. - None
  206. - Fetch
  207. type: string
  208. property:
  209. description: Used to select a specific property of the Provider value (if a map), if supported
  210. type: string
  211. version:
  212. description: Used to select a specific version of the Provider value, if supported
  213. type: string
  214. required:
  215. - key
  216. type: object
  217. find:
  218. description: |-
  219. Used to find secrets based on tags or regular expressions
  220. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  221. properties:
  222. conversionStrategy:
  223. default: Default
  224. description: Used to define a conversion Strategy
  225. enum:
  226. - Default
  227. - Unicode
  228. type: string
  229. decodingStrategy:
  230. default: None
  231. description: Used to define a decoding Strategy
  232. enum:
  233. - Auto
  234. - Base64
  235. - Base64URL
  236. - None
  237. type: string
  238. name:
  239. description: Finds secrets based on the name.
  240. properties:
  241. regexp:
  242. description: Finds secrets based on the name, matched as a regular expression.
  243. type: string
  244. type: object
  245. path:
  246. description: A root path to start the find operations.
  247. type: string
  248. tags:
  249. additionalProperties:
  250. type: string
  251. description: Find secrets based on tags.
  252. type: object
  253. type: object
  254. rewrite:
  255. description: |-
  256. Used to rewrite secret Keys after getting them from the secret Provider
  257. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  258. items:
  259. properties:
  260. regexp:
  261. description: |-
  262. Used to rewrite with regular expressions.
  263. The resulting key will be the output of a regexp.ReplaceAll operation.
  264. properties:
  265. source:
  266. description: Used to define the regular expression of a re.Compiler.
  267. type: string
  268. target:
  269. description: Used to define the target pattern of a ReplaceAll operation.
  270. type: string
  271. required:
  272. - source
  273. - target
  274. type: object
  275. transform:
  276. description: |-
  277. Used to apply string transformation on the secrets.
  278. The resulting key will be the output of the template applied by the operation.
  279. properties:
  280. template:
  281. description: |-
  282. Used to define the template to apply on the secret name.
  283. `.value` will specify the secret name in the template.
  284. type: string
  285. required:
  286. - template
  287. type: object
  288. type: object
  289. type: array
  290. sourceRef:
  291. description: |-
  292. SourceRef points to a store or generator
  293. which contains secret values ready to use.
  294. Use this in combination with Extract or Find to pull values out of
  295. a specific SecretStore.
  296. When sourceRef points to a generator Extract or Find is not supported.
  297. The generator returns a static map of values.
  298. maxProperties: 1
  299. properties:
  300. generatorRef:
  301. description: GeneratorRef points to a generator custom resource.
  302. properties:
  303. apiVersion:
  304. default: generators.external-secrets.io/v1alpha1
  305. description: Specify the apiVersion of the generator resource
  306. type: string
  307. kind:
  308. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  309. type: string
  310. name:
  311. description: Specify the name of the generator resource
  312. type: string
  313. required:
  314. - kind
  315. - name
  316. type: object
  317. storeRef:
  318. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  319. properties:
  320. kind:
  321. description: |-
  322. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  323. Defaults to `SecretStore`
  324. type: string
  325. name:
  326. description: Name of the SecretStore resource
  327. type: string
  328. required:
  329. - name
  330. type: object
  331. type: object
  332. type: object
  333. type: array
  334. refreshInterval:
  335. default: 1h
  336. description: |-
  337. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  338. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  339. May be set to zero to fetch and create it once. Defaults to 1h.
  340. type: string
  341. secretStoreRef:
  342. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  343. properties:
  344. kind:
  345. description: |-
  346. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  347. Defaults to `SecretStore`
  348. type: string
  349. name:
  350. description: Name of the SecretStore resource
  351. type: string
  352. required:
  353. - name
  354. type: object
  355. target:
  356. default:
  357. creationPolicy: Owner
  358. deletionPolicy: Retain
  359. description: |-
  360. ExternalSecretTarget defines the Kubernetes Secret to be created
  361. There can be only one target per ExternalSecret.
  362. properties:
  363. creationPolicy:
  364. default: Owner
  365. description: |-
  366. CreationPolicy defines rules on how to create the resulting Secret
  367. Defaults to 'Owner'
  368. enum:
  369. - Owner
  370. - Orphan
  371. - Merge
  372. - None
  373. type: string
  374. deletionPolicy:
  375. default: Retain
  376. description: |-
  377. DeletionPolicy defines rules on how to delete the resulting Secret
  378. Defaults to 'Retain'
  379. enum:
  380. - Delete
  381. - Merge
  382. - Retain
  383. type: string
  384. immutable:
  385. description: Immutable defines if the final secret will be immutable
  386. type: boolean
  387. name:
  388. description: |-
  389. Name defines the name of the Secret resource to be managed.
  390. This field is immutable.
  391. Defaults to the .metadata.name of the ExternalSecret resource.
  392. type: string
  393. template:
  394. description: Template defines a blueprint for the created Secret resource.
  395. properties:
  396. data:
  397. additionalProperties:
  398. type: string
  399. type: object
  400. engineVersion:
  401. default: v2
  402. description: |-
  403. EngineVersion specifies the template engine version
  404. that should be used to compile/execute the
  405. template specified in .data and .templateFrom[].
  406. enum:
  407. - v1
  408. - v2
  409. type: string
  410. mergePolicy:
  411. default: Replace
  412. enum:
  413. - Replace
  414. - Merge
  415. type: string
  416. metadata:
  417. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  418. properties:
  419. annotations:
  420. additionalProperties:
  421. type: string
  422. type: object
  423. labels:
  424. additionalProperties:
  425. type: string
  426. type: object
  427. type: object
  428. templateFrom:
  429. items:
  430. properties:
  431. configMap:
  432. properties:
  433. items:
  434. items:
  435. properties:
  436. key:
  437. type: string
  438. templateAs:
  439. default: Values
  440. enum:
  441. - Values
  442. - KeysAndValues
  443. type: string
  444. required:
  445. - key
  446. type: object
  447. type: array
  448. name:
  449. type: string
  450. required:
  451. - items
  452. - name
  453. type: object
  454. literal:
  455. type: string
  456. secret:
  457. properties:
  458. items:
  459. items:
  460. properties:
  461. key:
  462. type: string
  463. templateAs:
  464. default: Values
  465. enum:
  466. - Values
  467. - KeysAndValues
  468. type: string
  469. required:
  470. - key
  471. type: object
  472. type: array
  473. name:
  474. type: string
  475. required:
  476. - items
  477. - name
  478. type: object
  479. target:
  480. default: Data
  481. enum:
  482. - Data
  483. - Annotations
  484. - Labels
  485. type: string
  486. type: object
  487. type: array
  488. type:
  489. type: string
  490. type: object
  491. type: object
  492. type: object
  493. namespaceSelector:
  494. description: |-
  495. The labels to select by to find the Namespaces to create the ExternalSecrets in.
  496. Deprecated: Use NamespaceSelectors instead.
  497. properties:
  498. matchExpressions:
  499. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  500. items:
  501. description: |-
  502. A label selector requirement is a selector that contains values, a key, and an operator that
  503. relates the key and values.
  504. properties:
  505. key:
  506. description: key is the label key that the selector applies to.
  507. type: string
  508. operator:
  509. description: |-
  510. operator represents a key's relationship to a set of values.
  511. Valid operators are In, NotIn, Exists and DoesNotExist.
  512. type: string
  513. values:
  514. description: |-
  515. values is an array of string values. If the operator is In or NotIn,
  516. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  517. the values array must be empty. This array is replaced during a strategic
  518. merge patch.
  519. items:
  520. type: string
  521. type: array
  522. x-kubernetes-list-type: atomic
  523. required:
  524. - key
  525. - operator
  526. type: object
  527. type: array
  528. x-kubernetes-list-type: atomic
  529. matchLabels:
  530. additionalProperties:
  531. type: string
  532. description: |-
  533. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  534. map is equivalent to an element of matchExpressions, whose key field is "key", the
  535. operator is "In", and the values array contains only "value". The requirements are ANDed.
  536. type: object
  537. type: object
  538. x-kubernetes-map-type: atomic
  539. namespaceSelectors:
  540. description: A list of labels to select by to find the Namespaces to create the ExternalSecrets in. The selectors are ORed.
  541. items:
  542. description: |-
  543. A label selector is a label query over a set of resources. The result of matchLabels and
  544. matchExpressions are ANDed. An empty label selector matches all objects. A null
  545. label selector matches no objects.
  546. properties:
  547. matchExpressions:
  548. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  549. items:
  550. description: |-
  551. A label selector requirement is a selector that contains values, a key, and an operator that
  552. relates the key and values.
  553. properties:
  554. key:
  555. description: key is the label key that the selector applies to.
  556. type: string
  557. operator:
  558. description: |-
  559. operator represents a key's relationship to a set of values.
  560. Valid operators are In, NotIn, Exists and DoesNotExist.
  561. type: string
  562. values:
  563. description: |-
  564. values is an array of string values. If the operator is In or NotIn,
  565. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  566. the values array must be empty. This array is replaced during a strategic
  567. merge patch.
  568. items:
  569. type: string
  570. type: array
  571. x-kubernetes-list-type: atomic
  572. required:
  573. - key
  574. - operator
  575. type: object
  576. type: array
  577. x-kubernetes-list-type: atomic
  578. matchLabels:
  579. additionalProperties:
  580. type: string
  581. description: |-
  582. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  583. map is equivalent to an element of matchExpressions, whose key field is "key", the
  584. operator is "In", and the values array contains only "value". The requirements are ANDed.
  585. type: object
  586. type: object
  587. x-kubernetes-map-type: atomic
  588. type: array
  589. namespaces:
  590. description: Choose namespaces by name. This field is ORed with anything that NamespaceSelectors ends up choosing.
  591. items:
  592. type: string
  593. type: array
  594. refreshTime:
  595. description: The interval at which the controller should reconcile its objects and recheck namespaces for labels.
  596. type: string
  597. required:
  598. - externalSecretSpec
  599. type: object
  600. status:
  601. description: ClusterExternalSecretStatus defines the observed state of ClusterExternalSecret.
  602. properties:
  603. conditions:
  604. items:
  605. properties:
  606. message:
  607. type: string
  608. status:
  609. type: string
  610. type:
  611. type: string
  612. required:
  613. - status
  614. - type
  615. type: object
  616. type: array
  617. externalSecretName:
  618. description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
  619. type: string
  620. failedNamespaces:
  621. description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
  622. items:
  623. description: ClusterExternalSecretNamespaceFailure represents a failed namespace deployment and its reason.
  624. properties:
  625. namespace:
  626. description: Namespace is the namespace that failed when trying to apply an ExternalSecret
  627. type: string
  628. reason:
  629. description: Reason is why the ExternalSecret failed to apply to the namespace
  630. type: string
  631. required:
  632. - namespace
  633. type: object
  634. type: array
  635. provisionedNamespaces:
  636. description: ProvisionedNamespaces are the namespaces where the ClusterExternalSecret has secrets
  637. items:
  638. type: string
  639. type: array
  640. type: object
  641. type: object
  642. served: true
  643. storage: true
  644. subresources:
  645. status: {}
  646. conversion:
  647. strategy: Webhook
  648. webhook:
  649. conversionReviewVersions:
  650. - v1
  651. clientConfig:
  652. service:
  653. name: kubernetes
  654. namespace: default
  655. path: /convert
  656. ---
  657. apiVersion: apiextensions.k8s.io/v1
  658. kind: CustomResourceDefinition
  659. metadata:
  660. annotations:
  661. controller-gen.kubebuilder.io/version: v0.15.0
  662. labels:
  663. external-secrets.io/component: controller
  664. name: clustersecretstores.external-secrets.io
  665. spec:
  666. group: external-secrets.io
  667. names:
  668. categories:
  669. - externalsecrets
  670. kind: ClusterSecretStore
  671. listKind: ClusterSecretStoreList
  672. plural: clustersecretstores
  673. shortNames:
  674. - css
  675. singular: clustersecretstore
  676. scope: Cluster
  677. versions:
  678. - additionalPrinterColumns:
  679. - jsonPath: .metadata.creationTimestamp
  680. name: AGE
  681. type: date
  682. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  683. name: Status
  684. type: string
  685. deprecated: true
  686. name: v1alpha1
  687. schema:
  688. openAPIV3Schema:
  689. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  690. properties:
  691. apiVersion:
  692. description: |-
  693. APIVersion defines the versioned schema of this representation of an object.
  694. Servers should convert recognized schemas to the latest internal value, and
  695. may reject unrecognized values.
  696. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  697. type: string
  698. kind:
  699. description: |-
  700. Kind is a string value representing the REST resource this object represents.
  701. Servers may infer this from the endpoint the client submits requests to.
  702. Cannot be updated.
  703. In CamelCase.
  704. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  705. type: string
  706. metadata:
  707. type: object
  708. spec:
  709. description: SecretStoreSpec defines the desired state of SecretStore.
  710. properties:
  711. controller:
  712. description: |-
  713. Used to select the correct ESO controller (think: ingress.ingressClassName)
  714. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  715. type: string
  716. provider:
  717. description: Used to configure the provider. Only one provider may be set
  718. maxProperties: 1
  719. minProperties: 1
  720. properties:
  721. akeyless:
  722. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  723. properties:
  724. akeylessGWApiURL:
  725. description: Akeyless GW API URL from which the secrets are to be fetched.
  726. type: string
  727. authSecretRef:
  728. description: Auth configures how the operator authenticates with Akeyless.
  729. properties:
  730. kubernetesAuth:
  731. description: |-
  732. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  733. token stored in the named Secret resource.
  734. properties:
  735. accessID:
  736. description: the Akeyless Kubernetes auth-method access-id
  737. type: string
  738. k8sConfName:
  739. description: Kubernetes-auth configuration name in Akeyless-Gateway
  740. type: string
  741. secretRef:
  742. description: |-
  743. Optional secret field containing a Kubernetes ServiceAccount JWT used
  744. for authenticating with Akeyless. If a name is specified without a key,
  745. `token` is the default. If one is not specified, the one bound to
  746. the controller will be used.
  747. properties:
  748. key:
  749. description: |-
  750. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  751. defaulted, in others it may be required.
  752. type: string
  753. name:
  754. description: The name of the Secret resource being referred to.
  755. type: string
  756. namespace:
  757. description: |-
  758. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  759. to the namespace of the referent.
  760. type: string
  761. type: object
  762. serviceAccountRef:
  763. description: |-
  764. Optional service account field containing the name of a kubernetes ServiceAccount.
  765. If the service account is specified, the service account secret token JWT will be used
  766. for authenticating with Akeyless. If the service account selector is not supplied,
  767. the secretRef will be used instead.
  768. properties:
  769. audiences:
  770. description: |-
  771. Audience specifies the `aud` claim for the service account token
  772. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  773. then these audiences will be appended to the list
  774. items:
  775. type: string
  776. type: array
  777. name:
  778. description: The name of the ServiceAccount resource being referred to.
  779. type: string
  780. namespace:
  781. description: |-
  782. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  783. to the namespace of the referent.
  784. type: string
  785. required:
  786. - name
  787. type: object
  788. required:
  789. - accessID
  790. - k8sConfName
  791. type: object
  792. secretRef:
  793. description: |-
  794. Reference to a Secret that contains the details
  795. to authenticate with Akeyless.
  796. properties:
  797. accessID:
  798. description: The SecretAccessID is used for authentication
  799. properties:
  800. key:
  801. description: |-
  802. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  803. defaulted, in others it may be required.
  804. type: string
  805. name:
  806. description: The name of the Secret resource being referred to.
  807. type: string
  808. namespace:
  809. description: |-
  810. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  811. to the namespace of the referent.
  812. type: string
  813. type: object
  814. accessType:
  815. description: |-
  816. A reference to a specific 'key' within a Secret resource,
  817. In some instances, `key` is a required field.
  818. properties:
  819. key:
  820. description: |-
  821. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  822. defaulted, in others it may be required.
  823. type: string
  824. name:
  825. description: The name of the Secret resource being referred to.
  826. type: string
  827. namespace:
  828. description: |-
  829. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  830. to the namespace of the referent.
  831. type: string
  832. type: object
  833. accessTypeParam:
  834. description: |-
  835. A reference to a specific 'key' within a Secret resource,
  836. In some instances, `key` is a required field.
  837. properties:
  838. key:
  839. description: |-
  840. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  841. defaulted, in others it may be required.
  842. type: string
  843. name:
  844. description: The name of the Secret resource being referred to.
  845. type: string
  846. namespace:
  847. description: |-
  848. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  849. to the namespace of the referent.
  850. type: string
  851. type: object
  852. type: object
  853. type: object
  854. caBundle:
  855. description: |-
  856. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  857. if the AkeylessGWApiURL is an HTTPS URL. If not set, the system root certificates
  858. are used to validate the TLS connection.
  859. format: byte
  860. type: string
  861. caProvider:
  862. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  863. properties:
  864. key:
  865. description: The key of the value inside the provider type to use; only used with the "Secret" type
  866. type: string
  867. name:
  868. description: The name of the object located at the provider type.
  869. type: string
  870. namespace:
  871. description: The namespace the Provider type is in.
  872. type: string
  873. type:
  874. description: The type of provider to use such as "Secret", or "ConfigMap".
  875. enum:
  876. - Secret
  877. - ConfigMap
  878. type: string
  879. required:
  880. - name
  881. - type
  882. type: object
  883. required:
  884. - akeylessGWApiURL
  885. - authSecretRef
  886. type: object
  887. alibaba:
  888. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  889. properties:
  890. auth:
  891. description: AlibabaAuth contains a secretRef for credentials.
  892. properties:
  893. rrsa:
  894. description: Authenticate against Alibaba using RRSA.
  895. properties:
  896. oidcProviderArn:
  897. type: string
  898. oidcTokenFilePath:
  899. type: string
  900. roleArn:
  901. type: string
  902. sessionName:
  903. type: string
  904. required:
  905. - oidcProviderArn
  906. - oidcTokenFilePath
  907. - roleArn
  908. - sessionName
  909. type: object
  910. secretRef:
  911. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  912. properties:
  913. accessKeyIDSecretRef:
  914. description: The AccessKeyID is used for authentication
  915. properties:
  916. key:
  917. description: |-
  918. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  919. defaulted, in others it may be required.
  920. type: string
  921. name:
  922. description: The name of the Secret resource being referred to.
  923. type: string
  924. namespace:
  925. description: |-
  926. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  927. to the namespace of the referent.
  928. type: string
  929. type: object
  930. accessKeySecretSecretRef:
  931. description: The AccessKeySecret is used for authentication
  932. properties:
  933. key:
  934. description: |-
  935. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  936. defaulted, in others it may be required.
  937. type: string
  938. name:
  939. description: The name of the Secret resource being referred to.
  940. type: string
  941. namespace:
  942. description: |-
  943. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  944. to the namespace of the referent.
  945. type: string
  946. type: object
  947. required:
  948. - accessKeyIDSecretRef
  949. - accessKeySecretSecretRef
  950. type: object
  951. type: object
  952. regionID:
  953. description: Alibaba Region to be used for the provider
  954. type: string
  955. required:
  956. - auth
  957. - regionID
  958. type: object
  959. aws:
  960. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  961. properties:
  962. auth:
  963. description: |-
  964. Auth defines the information necessary to authenticate against AWS
  965. if not set, the AWS SDK will infer credentials from your environment
  966. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  967. properties:
  968. jwt:
  969. description: Authenticate against AWS using service account tokens.
  970. properties:
  971. serviceAccountRef:
  972. description: A reference to a ServiceAccount resource.
  973. properties:
  974. audiences:
  975. description: |-
  976. Audience specifies the `aud` claim for the service account token
  977. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  978. then these audiences will be appended to the list
  979. items:
  980. type: string
  981. type: array
  982. name:
  983. description: The name of the ServiceAccount resource being referred to.
  984. type: string
  985. namespace:
  986. description: |-
  987. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  988. to the namespace of the referent.
  989. type: string
  990. required:
  991. - name
  992. type: object
  993. type: object
  994. secretRef:
  995. description: |-
  996. AWSAuthSecretRef holds secret references for AWS credentials;
  997. both AccessKeyID and SecretAccessKey must be defined in order to authenticate properly.
  998. properties:
  999. accessKeyIDSecretRef:
  1000. description: The AccessKeyID is used for authentication
  1001. properties:
  1002. key:
  1003. description: |-
  1004. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1005. defaulted, in others it may be required.
  1006. type: string
  1007. name:
  1008. description: The name of the Secret resource being referred to.
  1009. type: string
  1010. namespace:
  1011. description: |-
  1012. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1013. to the namespace of the referent.
  1014. type: string
  1015. type: object
  1016. secretAccessKeySecretRef:
  1017. description: The SecretAccessKey is used for authentication
  1018. properties:
  1019. key:
  1020. description: |-
  1021. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1022. defaulted, in others it may be required.
  1023. type: string
  1024. name:
  1025. description: The name of the Secret resource being referred to.
  1026. type: string
  1027. namespace:
  1028. description: |-
  1029. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1030. to the namespace of the referent.
  1031. type: string
  1032. type: object
  1033. type: object
  1034. type: object
  1035. region:
  1036. description: AWS Region to be used for the provider
  1037. type: string
  1038. role:
  1039. description: Role is a Role ARN which the SecretManager provider will assume
  1040. type: string
  1041. service:
  1042. description: Service defines which service should be used to fetch the secrets
  1043. enum:
  1044. - SecretsManager
  1045. - ParameterStore
  1046. type: string
  1047. required:
  1048. - region
  1049. - service
  1050. type: object
  1051. azurekv:
  1052. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  1053. properties:
  1054. authSecretRef:
  1055. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  1056. properties:
  1057. clientId:
  1058. description: The Azure clientId of the service principal used for authentication.
  1059. properties:
  1060. key:
  1061. description: |-
  1062. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1063. defaulted, in others it may be required.
  1064. type: string
  1065. name:
  1066. description: The name of the Secret resource being referred to.
  1067. type: string
  1068. namespace:
  1069. description: |-
  1070. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1071. to the namespace of the referent.
  1072. type: string
  1073. type: object
  1074. clientSecret:
  1075. description: The Azure ClientSecret of the service principal used for authentication.
  1076. properties:
  1077. key:
  1078. description: |-
  1079. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1080. defaulted, in others it may be required.
  1081. type: string
  1082. name:
  1083. description: The name of the Secret resource being referred to.
  1084. type: string
  1085. namespace:
  1086. description: |-
  1087. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1088. to the namespace of the referent.
  1089. type: string
  1090. type: object
  1091. type: object
  1092. authType:
  1093. default: ServicePrincipal
  1094. description: |-
  1095. Auth type defines how to authenticate to the Key Vault service.
  1096. Valid values are:
  1097. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  1098. - "ManagedIdentity": Using a Managed Identity assigned to the pod (see aad-pod-identity)
  - "WorkloadIdentity": Using the service account referenced by serviceAccountRef
  1099. enum:
  1100. - ServicePrincipal
  1101. - ManagedIdentity
  1102. - WorkloadIdentity
  1103. type: string
  1104. identityId:
  1105. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  1106. type: string
  1107. serviceAccountRef:
  1108. description: |-
  1109. ServiceAccountRef specifies the service account
  1110. that should be used when authenticating with WorkloadIdentity.
  1111. properties:
  1112. audiences:
  1113. description: |-
  1114. Audience specifies the `aud` claim for the service account token
  1115. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1116. then these audiences will be appended to the list
  1117. items:
  1118. type: string
  1119. type: array
  1120. name:
  1121. description: The name of the ServiceAccount resource being referred to.
  1122. type: string
  1123. namespace:
  1124. description: |-
  1125. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1126. to the namespace of the referent.
  1127. type: string
  1128. required:
  1129. - name
  1130. type: object
  1131. tenantId:
  1132. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  1133. type: string
  1134. vaultUrl:
  1135. description: Vault URL from which the secrets are to be fetched.
  1136. type: string
  1137. required:
  1138. - vaultUrl
  1139. type: object
  1140. fake:
  1141. description: Fake configures a store with static key/value pairs
  1142. properties:
  1143. data:
  1144. items:
  1145. properties:
  1146. key:
  1147. type: string
  1148. value:
  1149. type: string
  1150. valueMap:
  1151. additionalProperties:
  1152. type: string
  1153. type: object
  1154. version:
  1155. type: string
  1156. required:
  1157. - key
  1158. type: object
  1159. type: array
  1160. required:
  1161. - data
  1162. type: object
  1163. gcpsm:
  1164. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  1165. properties:
  1166. auth:
  1167. description: Auth defines the information necessary to authenticate against GCP
  1168. properties:
  1169. secretRef:
  1170. properties:
  1171. secretAccessKeySecretRef:
  1172. description: The SecretAccessKey is used for authentication
  1173. properties:
  1174. key:
  1175. description: |-
  1176. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1177. defaulted, in others it may be required.
  1178. type: string
  1179. name:
  1180. description: The name of the Secret resource being referred to.
  1181. type: string
  1182. namespace:
  1183. description: |-
  1184. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1185. to the namespace of the referent.
  1186. type: string
  1187. type: object
  1188. type: object
  1189. workloadIdentity:
  1190. properties:
  1191. clusterLocation:
  1192. type: string
  1193. clusterName:
  1194. type: string
  1195. clusterProjectID:
  1196. type: string
  1197. serviceAccountRef:
  1198. description: A reference to a ServiceAccount resource.
  1199. properties:
  1200. audiences:
  1201. description: |-
  1202. Audience specifies the `aud` claim for the service account token
  1203. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1204. then these audiences will be appended to the list
  1205. items:
  1206. type: string
  1207. type: array
  1208. name:
  1209. description: The name of the ServiceAccount resource being referred to.
  1210. type: string
  1211. namespace:
  1212. description: |-
  1213. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1214. to the namespace of the referent.
  1215. type: string
  1216. required:
  1217. - name
  1218. type: object
  1219. required:
  1220. - clusterLocation
  1221. - clusterName
  1222. - serviceAccountRef
  1223. type: object
  1224. type: object
  1225. projectID:
  1226. description: ProjectID is the project where the secret is located
  1227. type: string
  1228. type: object
  1229. gitlab:
  1230. description: GitLab configures this store to sync secrets using GitLab Variables provider
  1231. properties:
  1232. auth:
  1233. description: Auth configures how secret-manager authenticates with a GitLab instance.
  1234. properties:
  1235. SecretRef:
  1236. properties:
  1237. accessToken:
  1238. description: AccessToken is used for authentication.
  1239. properties:
  1240. key:
  1241. description: |-
  1242. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1243. defaulted, in others it may be required.
  1244. type: string
  1245. name:
  1246. description: The name of the Secret resource being referred to.
  1247. type: string
  1248. namespace:
  1249. description: |-
  1250. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1251. to the namespace of the referent.
  1252. type: string
  1253. type: object
  1254. type: object
  1255. required:
  1256. - SecretRef
  1257. type: object
  1258. projectID:
  1259. description: ProjectID specifies a project where secrets are located.
  1260. type: string
  1261. url:
  1262. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  1263. type: string
  1264. required:
  1265. - auth
  1266. type: object
  1267. ibm:
  1268. description: IBM configures this store to sync secrets using IBM Cloud provider
  1269. properties:
  1270. auth:
  1271. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  1272. properties:
  1273. secretRef:
  1274. properties:
  1275. secretApiKeySecretRef:
  1276. description: The SecretAccessKey is used for authentication
  1277. properties:
  1278. key:
  1279. description: |-
  1280. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1281. defaulted, in others it may be required.
  1282. type: string
  1283. name:
  1284. description: The name of the Secret resource being referred to.
  1285. type: string
  1286. namespace:
  1287. description: |-
  1288. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1289. to the namespace of the referent.
  1290. type: string
  1291. type: object
  1292. type: object
  1293. required:
  1294. - secretRef
  1295. type: object
  1296. serviceUrl:
  1297. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  1298. type: string
  1299. required:
  1300. - auth
  1301. type: object
  1302. kubernetes:
  1303. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  1304. properties:
  1305. auth:
  1306. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  1307. maxProperties: 1
  1308. minProperties: 1
  1309. properties:
  1310. cert:
  1311. description: Has both clientCert and clientKey as a SecretKeySelector
  1312. properties:
  1313. clientCert:
  1314. description: |-
  1315. A reference to a specific 'key' within a Secret resource,
  1316. In some instances, `key` is a required field.
  1317. properties:
  1318. key:
  1319. description: |-
  1320. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1321. defaulted, in others it may be required.
  1322. type: string
  1323. name:
  1324. description: The name of the Secret resource being referred to.
  1325. type: string
  1326. namespace:
  1327. description: |-
  1328. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1329. to the namespace of the referent.
  1330. type: string
  1331. type: object
  1332. clientKey:
  1333. description: |-
  1334. A reference to a specific 'key' within a Secret resource,
  1335. In some instances, `key` is a required field.
  1336. properties:
  1337. key:
  1338. description: |-
  1339. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1340. defaulted, in others it may be required.
  1341. type: string
  1342. name:
  1343. description: The name of the Secret resource being referred to.
  1344. type: string
  1345. namespace:
  1346. description: |-
  1347. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1348. to the namespace of the referent.
  1349. type: string
  1350. type: object
  1351. type: object
  1352. serviceAccount:
  1353. description: Points to a ServiceAccount whose token is used for authentication.
  1354. properties:
  1355. serviceAccount:
  1356. description: A reference to a ServiceAccount resource.
  1357. properties:
  1358. audiences:
  1359. description: |-
  1360. Audience specifies the `aud` claim for the service account token.
  1361. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  1362. then these audiences will be appended to the list.
  1363. items:
  1364. type: string
  1365. type: array
  1366. name:
  1367. description: The name of the ServiceAccount resource being referred to.
  1368. type: string
  1369. namespace:
  1370. description: |-
  1371. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1372. to the namespace of the referent.
  1373. type: string
  1374. required:
  1375. - name
  1376. type: object
  1377. type: object
  1378. token:
  1379. description: Authenticate with a static bearer token read from a Secret.
  1380. properties:
  1381. bearerToken:
  1382. description: |-
  1383. A reference to a specific 'key' within a Secret resource,
  1384. In some instances, `key` is a required field.
  1385. properties:
  1386. key:
  1387. description: |-
  1388. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1389. defaulted, in others it may be required.
  1390. type: string
  1391. name:
  1392. description: The name of the Secret resource being referred to.
  1393. type: string
  1394. namespace:
  1395. description: |-
  1396. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1397. to the namespace of the referent.
  1398. type: string
  1399. type: object
  1400. type: object
  1401. type: object
  1402. remoteNamespace:
  1403. default: default
  1404. description: Remote namespace to fetch the secrets from. The credentials configured in `auth` need read access to Secrets in this namespace and should be granted no broader permissions than that.
  1405. type: string
  1406. server:
  1407. description: configures the Kubernetes server Address.
  1408. properties:
  1409. caBundle:
  1410. description: CABundle is a base64-encoded CA certificate used to validate the TLS certificate presented by the Kubernetes API server at `url`.
  1411. format: byte
  1412. type: string
  1413. caProvider:
  1414. description: 'The provider (Secret or ConfigMap) holding the CA bundle used to validate the Kubernetes server certificate; see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  1415. properties:
  1416. key:
  1417. description: The key within the referenced object whose value is used; only used with the "Secret" type.
  1418. type: string
  1419. name:
  1420. description: The name of the object located at the provider type.
  1421. type: string
  1422. namespace:
  1423. description: The namespace the Provider type is in.
  1424. type: string
  1425. type:
  1426. description: The type of provider to use such as "Secret", or "ConfigMap".
  1427. enum:
  1428. - Secret
  1429. - ConfigMap
  1430. type: string
  1431. required:
  1432. - name
  1433. - type
  1434. type: object
  1435. url:
  1436. default: kubernetes.default
  1437. description: Address of the Kubernetes API server. Defaults to `kubernetes.default`, which resolves to the in-cluster API service.
  1438. type: string
  1439. type: object
  1440. required:
  1441. - auth
  1442. type: object
  1443. oracle:
  1444. description: Oracle configures this store to sync secrets using Oracle Vault provider
  1445. properties:
  1446. auth:
  1447. description: |-
  1448. Auth configures how secret-manager authenticates with the Oracle Vault.
  1449. If empty, instance principal is used. Optionally, the authenticating principal type
  1450. and/or user data may be supplied for the use of workload identity and user principal.
  1451. properties:
  1452. secretRef:
  1453. description: SecretRef to pass through sensitive information.
  1454. properties:
  1455. fingerprint:
  1456. description: Fingerprint is the fingerprint of the API private key.
  1457. properties:
  1458. key:
  1459. description: |-
  1460. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1461. defaulted, in others it may be required.
  1462. type: string
  1463. name:
  1464. description: The name of the Secret resource being referred to.
  1465. type: string
  1466. namespace:
  1467. description: |-
  1468. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1469. to the namespace of the referent.
  1470. type: string
  1471. type: object
  1472. privatekey:
  1473. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  1474. properties:
  1475. key:
  1476. description: |-
  1477. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1478. defaulted, in others it may be required.
  1479. type: string
  1480. name:
  1481. description: The name of the Secret resource being referred to.
  1482. type: string
  1483. namespace:
  1484. description: |-
  1485. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1486. to the namespace of the referent.
  1487. type: string
  1488. type: object
  1489. required:
  1490. - fingerprint
  1491. - privatekey
  1492. type: object
  1493. tenancy:
  1494. description: Tenancy is the tenancy OCID where user is located.
  1495. type: string
  1496. user:
  1497. description: User is an access OCID specific to the account.
  1498. type: string
  1499. required:
  1500. - secretRef
  1501. - tenancy
  1502. - user
  1503. type: object
  1504. compartment:
  1505. description: |-
  1506. Compartment is the vault compartment OCID.
  1507. Required for PushSecret
  1508. type: string
  1509. encryptionKey:
  1510. description: |-
  1511. EncryptionKey is the OCID of the encryption key within the vault.
  1512. Required for PushSecret
  1513. type: string
  1514. principalType:
  1515. description: |-
  1516. The type of principal to use for authentication. If left blank, the Auth struct will
  1517. determine the principal type. This optional field must be specified if using
  1518. workload identity.
  1519. enum:
  1520. - ""
  1521. - UserPrincipal
  1522. - InstancePrincipal
  1523. - Workload
  1524. type: string
  1525. region:
  1526. description: Region is the region where vault is located.
  1527. type: string
  1528. serviceAccountRef:
  1529. description: |-
  1530. ServiceAccountRef specifies the service account
  1531. that should be used when authenticating with WorkloadIdentity.
  1532. properties:
  1533. audiences:
  1534. description: |-
  1535. Audience specifies the `aud` claim for the service account token.
  1536. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  1537. then these audiences will be appended to the list.
  1538. items:
  1539. type: string
  1540. type: array
  1541. name:
  1542. description: The name of the ServiceAccount resource being referred to.
  1543. type: string
  1544. namespace:
  1545. description: |-
  1546. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1547. to the namespace of the referent.
  1548. type: string
  1549. required:
  1550. - name
  1551. type: object
  1552. vault:
  1553. description: Vault is the vault's OCID of the specific vault where secret is located.
  1554. type: string
  1555. required:
  1556. - region
  1557. - vault
  1558. type: object
  1559. passworddepot:
  1560. description: Configures a store to sync secrets with a Password Depot instance.
  1561. properties:
  1562. auth:
  1563. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  1564. properties:
  1565. secretRef:
  1566. properties:
  1567. credentials:
  1568. description: Username / Password is used for authentication.
  1569. properties:
  1570. key:
  1571. description: |-
  1572. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1573. defaulted, in others it may be required.
  1574. type: string
  1575. name:
  1576. description: The name of the Secret resource being referred to.
  1577. type: string
  1578. namespace:
  1579. description: |-
  1580. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1581. to the namespace of the referent.
  1582. type: string
  1583. type: object
  1584. type: object
  1585. required:
  1586. - secretRef
  1587. type: object
  1588. database:
  1589. description: Database to use as source
  1590. type: string
  1591. host:
  1592. description: Host is the URL of the Password Depot instance.
  1593. type: string
  1594. required:
  1595. - auth
  1596. - database
  1597. - host
  1598. type: object
  1599. vault:
  1600. description: Vault configures this store to sync secrets using the HashiCorp Vault provider
  1601. properties:
  1602. auth:
  1603. description: Auth configures how secret-manager authenticates with the Vault server.
  1604. properties:
  1605. appRole:
  1606. description: |-
  1607. AppRole authenticates with Vault using the App Role auth mechanism,
  1608. with the role and secret stored in a Kubernetes Secret resource.
  1609. properties:
  1610. path:
  1611. default: approle
  1612. description: |-
  1613. Path where the App Role authentication backend is mounted
  1614. in Vault, e.g: "approle"
  1615. type: string
  1616. roleId:
  1617. description: |-
  1618. RoleID configured in the App Role authentication backend when setting
  1619. up the authentication backend in Vault. Unlike the SecretID, the RoleID is stored in clear in this resource.
  1620. type: string
  1621. secretRef:
  1622. description: |-
  1623. Reference to a key in a Secret that contains the App Role secret used
  1624. to authenticate with Vault.
  1625. The `key` field must be specified and denotes which entry within the Secret
  1626. resource is used as the app role secret.
  1627. properties:
  1628. key:
  1629. description: |-
  1630. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1631. defaulted, in others it may be required.
  1632. type: string
  1633. name:
  1634. description: The name of the Secret resource being referred to.
  1635. type: string
  1636. namespace:
  1637. description: |-
  1638. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1639. to the namespace of the referent.
  1640. type: string
  1641. type: object
  1642. required:
  1643. - path
  1644. - roleId
  1645. - secretRef
  1646. type: object
  1647. cert:
  1648. description: |-
  1649. Cert authenticates with Vault using the TLS Certificate auth method by presenting
  1650. the client certificate referenced by `clientCert` and its private key referenced by `secretRef`.
  1651. properties:
  1652. clientCert:
  1653. description: |-
  1654. ClientCert is a certificate to authenticate using the Cert Vault
  1655. authentication method
  1656. properties:
  1657. key:
  1658. description: |-
  1659. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1660. defaulted, in others it may be required.
  1661. type: string
  1662. name:
  1663. description: The name of the Secret resource being referred to.
  1664. type: string
  1665. namespace:
  1666. description: |-
  1667. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1668. to the namespace of the referent.
  1669. type: string
  1670. type: object
  1671. secretRef:
  1672. description: |-
  1673. SecretRef to a key in a Secret resource containing client private key to
  1674. authenticate with Vault using the Cert authentication method
  1675. properties:
  1676. key:
  1677. description: |-
  1678. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1679. defaulted, in others it may be required.
  1680. type: string
  1681. name:
  1682. description: The name of the Secret resource being referred to.
  1683. type: string
  1684. namespace:
  1685. description: |-
  1686. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1687. to the namespace of the referent.
  1688. type: string
  1689. type: object
  1690. type: object
  1691. jwt:
  1692. description: |-
  1693. Jwt authenticates with Vault by passing role and JWT token using the
  1694. JWT/OIDC authentication method
  1695. properties:
  1696. kubernetesServiceAccountToken:
  1697. description: |-
  1698. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1699. a token for with the `TokenRequest` API.
  1700. properties:
  1701. audiences:
  1702. description: |-
  1703. Optional audiences field that will be used to request a temporary Kubernetes service
  1704. account token for the service account referenced by `serviceAccountRef`.
  1705. Defaults to a single audience `vault` if not specified.
  1706. items:
  1707. type: string
  1708. type: array
  1709. expirationSeconds:
  1710. description: |-
  1711. Optional expiration time in seconds that will be used to request a temporary
  1712. Kubernetes service account token for the service account referenced by
  1713. `serviceAccountRef`.
  1714. Defaults to 10 minutes.
  1715. format: int64
  1716. type: integer
  1717. serviceAccountRef:
  1718. description: Service account field containing the name of a kubernetes ServiceAccount.
  1719. properties:
  1720. audiences:
  1721. description: |-
  1722. Audience specifies the `aud` claim for the service account token.
  1723. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  1724. then these audiences will be appended to the list.
  1725. items:
  1726. type: string
  1727. type: array
  1728. name:
  1729. description: The name of the ServiceAccount resource being referred to.
  1730. type: string
  1731. namespace:
  1732. description: |-
  1733. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1734. to the namespace of the referent.
  1735. type: string
  1736. required:
  1737. - name
  1738. type: object
  1739. required:
  1740. - serviceAccountRef
  1741. type: object
  1742. path:
  1743. default: jwt
  1744. description: |-
  1745. Path where the JWT authentication backend is mounted
  1746. in Vault, e.g: "jwt"
  1747. type: string
  1748. role:
  1749. description: |-
  1750. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1751. authentication method
  1752. type: string
  1753. secretRef:
  1754. description: |-
  1755. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1756. authenticate with Vault using the JWT/OIDC authentication method.
  1757. properties:
  1758. key:
  1759. description: |-
  1760. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1761. defaulted, in others it may be required.
  1762. type: string
  1763. name:
  1764. description: The name of the Secret resource being referred to.
  1765. type: string
  1766. namespace:
  1767. description: |-
  1768. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1769. to the namespace of the referent.
  1770. type: string
  1771. type: object
  1772. required:
  1773. - path
  1774. type: object
  1775. kubernetes:
  1776. description: |-
  1777. Kubernetes authenticates with Vault by passing the ServiceAccount
  1778. token stored in the named Secret resource to the Vault server.
  1779. properties:
  1780. mountPath:
  1781. default: kubernetes
  1782. description: |-
  1783. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1784. "kubernetes"
  1785. type: string
  1786. role:
  1787. description: |-
  1788. A required field containing the Vault Role to assume. A Role binds a
  1789. Kubernetes ServiceAccount with a set of Vault policies.
  1790. type: string
  1791. secretRef:
  1792. description: |-
  1793. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1794. for authenticating with Vault. If a name is specified without a key,
  1795. `token` is the default. If neither this nor `serviceAccountRef` is specified, the token
  1796. bound to the controller's own ServiceAccount will be used, so the Vault role must then trust the controller's identity.
  1797. properties:
  1798. key:
  1799. description: |-
  1800. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1801. defaulted, in others it may be required.
  1802. type: string
  1803. name:
  1804. description: The name of the Secret resource being referred to.
  1805. type: string
  1806. namespace:
  1807. description: |-
  1808. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1809. to the namespace of the referent.
  1810. type: string
  1811. type: object
  1812. serviceAccountRef:
  1813. description: |-
  1814. Optional service account field containing the name of a kubernetes ServiceAccount.
  1815. If the service account is specified, the service account secret token JWT will be used
  1816. for authenticating with Vault. If the service account selector is not supplied,
  1817. the secretRef will be used instead.
  1818. properties:
  1819. audiences:
  1820. description: |-
  1821. Audience specifies the `aud` claim for the service account token.
  1822. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  1823. then these audiences will be appended to the list.
  1824. items:
  1825. type: string
  1826. type: array
  1827. name:
  1828. description: The name of the ServiceAccount resource being referred to.
  1829. type: string
  1830. namespace:
  1831. description: |-
  1832. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1833. to the namespace of the referent.
  1834. type: string
  1835. required:
  1836. - name
  1837. type: object
  1838. required:
  1839. - mountPath
  1840. - role
  1841. type: object
  1842. ldap:
  1843. description: |-
  1844. Ldap authenticates with Vault by passing username/password pair using
  1845. the LDAP authentication method
  1846. properties:
  1847. path:
  1848. default: ldap
  1849. description: |-
  1850. Path where the LDAP authentication backend is mounted
  1851. in Vault, e.g: "ldap"
  1852. type: string
  1853. secretRef:
  1854. description: |-
  1855. SecretRef to a key in a Secret resource containing password for the LDAP
  1856. user used to authenticate with Vault using the LDAP authentication
  1857. method
  1858. properties:
  1859. key:
  1860. description: |-
  1861. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1862. defaulted, in others it may be required.
  1863. type: string
  1864. name:
  1865. description: The name of the Secret resource being referred to.
  1866. type: string
  1867. namespace:
  1868. description: |-
  1869. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1870. to the namespace of the referent.
  1871. type: string
  1872. type: object
  1873. username:
  1874. description: |-
  1875. Username is a LDAP user name used to authenticate using the LDAP Vault
  1876. authentication method
  1877. type: string
  1878. required:
  1879. - path
  1880. - username
  1881. type: object
  1882. tokenSecretRef:
  1883. description: TokenSecretRef authenticates with Vault by presenting a token.
  1884. properties:
  1885. key:
  1886. description: |-
  1887. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1888. defaulted, in others it may be required.
  1889. type: string
  1890. name:
  1891. description: The name of the Secret resource being referred to.
  1892. type: string
  1893. namespace:
  1894. description: |-
  1895. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1896. to the namespace of the referent.
  1897. type: string
  1898. type: object
  1899. type: object
  1900. caBundle:
  1901. description: |-
  1902. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  1903. if the Server URL uses HTTPS. This parameter is ignored for plain HTTP connections, which
  1904. transmit the Vault token and fetched secrets unencrypted and should be avoided outside
  1905. isolated test setups. If not set, the system root certificates are used to validate the TLS connection.
  1906. format: byte
  1907. type: string
  1908. caProvider:
  1909. description: The provider for the CA bundle to use to validate Vault server certificate.
  1910. properties:
  1911. key:
  1912. description: The key within the referenced object whose value is used; only used with the "Secret" type.
  1913. type: string
  1914. name:
  1915. description: The name of the object located at the provider type.
  1916. type: string
  1917. namespace:
  1918. description: The namespace the Provider type is in.
  1919. type: string
  1920. type:
  1921. description: The type of provider to use such as "Secret", or "ConfigMap".
  1922. enum:
  1923. - Secret
  1924. - ConfigMap
  1925. type: string
  1926. required:
  1927. - name
  1928. - type
  1929. type: object
  1930. forwardInconsistent:
  1931. description: |-
  1932. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  1933. leader instead of simply retrying within a loop. This can increase performance if
  1934. the option is enabled serverside.
  1935. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1936. type: boolean
  1937. namespace:
  1938. description: |-
  1939. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  1940. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  1941. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1942. type: string
  1943. path:
  1944. description: |-
  1945. Path is the mount path of the Vault KV backend endpoint, e.g:
  1946. "secret". The v2 KV secret engine version specific "/data" path suffix
  1947. for fetching secrets from Vault is optional and will be appended
  1948. if not present in specified path.
  1949. type: string
  1950. readYourWrites:
  1951. description: |-
  1952. ReadYourWrites ensures isolated read-after-write semantics by
  1953. providing discovered cluster replication states in each request.
  1954. More information about eventual consistency in Vault can be found here
  1955. https://www.vaultproject.io/docs/enterprise/consistency
  1956. type: boolean
  1957. server:
  1958. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1959. type: string
  1960. version:
  1961. default: v2
  1962. description: |-
  1963. Version is the Vault KV secret engine version. This can be either "v1" or
  1964. "v2". Version defaults to "v2".
  1965. enum:
  1966. - v1
  1967. - v2
  1968. type: string
  1969. required:
  1970. - auth
  1971. - server
  1972. type: object
  1973. webhook:
  1974. description: Webhook configures this store to sync secrets using a generic templated webhook
  1975. properties:
  1976. body:
  1977. description: Template for the HTTP request body sent to the webhook; the entries listed in `secrets` are available to the template.
  1978. type: string
  1979. caBundle:
  1980. description: |-
  1981. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  1982. if the Server URL uses HTTPS. This parameter is ignored for plain HTTP connections, which
  1983. transmit any credentials in the headers or body and the returned secrets unencrypted and should
  1984. be avoided outside isolated test setups. If not set, the system root certificates are used to validate the TLS connection.
  1985. format: byte
  1986. type: string
  1987. caProvider:
  1988. description: The provider for the CA bundle to use to validate webhook server certificate.
  1989. properties:
  1990. key:
  1991. description: The key within the referenced object whose value is used; only used with the "Secret" type.
  1992. type: string
  1993. name:
  1994. description: The name of the object located at the provider type.
  1995. type: string
  1996. namespace:
  1997. description: The namespace the Provider type is in.
  1998. type: string
  1999. type:
  2000. description: The type of provider to use such as "Secret", or "ConfigMap".
  2001. enum:
  2002. - Secret
  2003. - ConfigMap
  2004. type: string
  2005. required:
  2006. - name
  2007. - type
  2008. type: object
  2009. headers:
  2010. additionalProperties:
  2011. type: string
  2012. description: HTTP headers sent with the webhook request. Avoid embedding credentials literally in these values, since this resource is not a Secret and is readable by anyone with RBAC access to it; supply them through the `secrets` templating mechanism where possible.
  2013. type: object
  2014. method:
  2015. description: HTTP method used for the webhook request (e.g. GET or POST).
  2016. type: string
  2017. result:
  2018. description: Result formatting
  2019. properties:
  2020. jsonPath:
  2021. description: JSONPath expression selecting the secret value from the webhook response.
  2022. type: string
  2023. type: object
  2024. secrets:
  2025. description: |-
  2026. Secrets to fill in templates
  2027. These secrets will be passed to the templating function as key value pairs under the given name
  2028. items:
  2029. properties:
  2030. name:
  2031. description: Name of this secret in templates
  2032. type: string
  2033. secretRef:
  2034. description: Secret ref to fill in credentials
  2035. properties:
  2036. key:
  2037. description: |-
  2038. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2039. defaulted, in others it may be required.
  2040. type: string
  2041. name:
  2042. description: The name of the Secret resource being referred to.
  2043. type: string
  2044. namespace:
  2045. description: |-
  2046. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2047. to the namespace of the referent.
  2048. type: string
  2049. type: object
  2050. required:
  2051. - name
  2052. - secretRef
  2053. type: object
  2054. type: array
  2055. timeout:
  2056. description: Timeout for the webhook request, expressed as a duration string.
  2057. type: string
  2058. url:
  2059. description: Webhook url to call
  2060. type: string
  2061. required:
  2062. - result
  2063. - url
  2064. type: object
  2065. yandexlockbox:
  2066. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  2067. properties:
  2068. apiEndpoint:
  2069. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  2070. type: string
  2071. auth:
  2072. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  2073. properties:
  2074. authorizedKeySecretRef:
  2075. description: The authorized key used for authentication
  2076. properties:
  2077. key:
  2078. description: |-
  2079. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2080. defaulted, in others it may be required.
  2081. type: string
  2082. name:
  2083. description: The name of the Secret resource being referred to.
  2084. type: string
  2085. namespace:
  2086. description: |-
  2087. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2088. to the namespace of the referent.
  2089. type: string
  2090. type: object
  2091. type: object
  2092. caProvider:
  2093. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  2094. properties:
  2095. certSecretRef:
  2096. description: |-
  2097. A reference to a specific 'key' within a Secret resource,
  2098. In some instances, `key` is a required field.
  2099. properties:
  2100. key:
  2101. description: |-
  2102. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2103. defaulted, in others it may be required.
  2104. type: string
  2105. name:
  2106. description: The name of the Secret resource being referred to.
  2107. type: string
  2108. namespace:
  2109. description: |-
  2110. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2111. to the namespace of the referent.
  2112. type: string
  2113. type: object
  2114. type: object
  2115. required:
  2116. - auth
  2117. type: object
  2118. type: object
  2119. retrySettings:
  2120. description: Configures HTTP retries for requests to the provider that fail.
  2121. properties:
  2122. maxRetries:
  2123. format: int32
  2124. type: integer
  2125. retryInterval:
  2126. type: string
  2127. type: object
  2128. required:
  2129. - provider
  2130. type: object
  2131. status:
  2132. description: SecretStoreStatus defines the observed state of the SecretStore.
  2133. properties:
  2134. conditions:
  2135. items:
  2136. properties:
  2137. lastTransitionTime:
  2138. format: date-time
  2139. type: string
  2140. message:
  2141. type: string
  2142. reason:
  2143. type: string
  2144. status:
  2145. type: string
  2146. type:
  2147. type: string
  2148. required:
  2149. - status
  2150. - type
  2151. type: object
  2152. type: array
  2153. type: object
  2154. type: object
  2155. served: true
  2156. storage: false
  2157. subresources:
  2158. status: {}
  2159. - additionalPrinterColumns:
  2160. - jsonPath: .metadata.creationTimestamp
  2161. name: AGE
  2162. type: date
  2163. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  2164. name: Status
  2165. type: string
  2166. - jsonPath: .status.capabilities
  2167. name: Capabilities
  2168. type: string
  2169. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  2170. name: Ready
  2171. type: string
  2172. name: v1beta1
  2173. schema:
  2174. openAPIV3Schema:
  2175. description: ClusterSecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  2176. properties:
  2177. apiVersion:
  2178. description: |-
  2179. APIVersion defines the versioned schema of this representation of an object.
  2180. Servers should convert recognized schemas to the latest internal value, and
  2181. may reject unrecognized values.
  2182. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  2183. type: string
  2184. kind:
  2185. description: |-
  2186. Kind is a string value representing the REST resource this object represents.
  2187. Servers may infer this from the endpoint the client submits requests to.
  2188. Cannot be updated.
  2189. In CamelCase.
  2190. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  2191. type: string
  2192. metadata:
  2193. type: object
  2194. spec:
  2195. description: SecretStoreSpec defines the desired state of SecretStore.
  2196. properties:
  2197. conditions:
  2198. description: Used to constrain a ClusterSecretStore to specific namespaces; without conditions, ExternalSecrets in any namespace may use this store and the credentials it holds. Relevant only to ClusterSecretStore.
  2199. items:
  2200. description: |-
  2201. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  2202. for a ClusterSecretStore instance.
  2203. properties:
  2204. namespaceRegexes:
  2205. description: Choose namespaces by using regex matching; anchor patterns (e.g. `^prod-.*$`) so that a pattern does not also match unintended namespaces.
  2206. items:
  2207. type: string
  2208. type: array
  2209. namespaceSelector:
  2210. description: Choose namespace using a labelSelector
  2211. properties:
  2212. matchExpressions:
  2213. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  2214. items:
  2215. description: |-
  2216. A label selector requirement is a selector that contains values, a key, and an operator that
  2217. relates the key and values.
  2218. properties:
  2219. key:
  2220. description: key is the label key that the selector applies to.
  2221. type: string
  2222. operator:
  2223. description: |-
  2224. operator represents a key's relationship to a set of values.
  2225. Valid operators are In, NotIn, Exists and DoesNotExist.
  2226. type: string
  2227. values:
  2228. description: |-
  2229. values is an array of string values. If the operator is In or NotIn,
  2230. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  2231. the values array must be empty. This array is replaced during a strategic
  2232. merge patch.
  2233. items:
  2234. type: string
  2235. type: array
  2236. x-kubernetes-list-type: atomic
  2237. required:
  2238. - key
  2239. - operator
  2240. type: object
  2241. type: array
  2242. x-kubernetes-list-type: atomic
  2243. matchLabels:
  2244. additionalProperties:
  2245. type: string
  2246. description: |-
  2247. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  2248. map is equivalent to an element of matchExpressions, whose key field is "key", the
  2249. operator is "In", and the values array contains only "value". The requirements are ANDed.
  2250. type: object
  2251. type: object
  2252. x-kubernetes-map-type: atomic
  2253. namespaces:
  2254. description: Choose namespaces by name
  2255. items:
  2256. type: string
  2257. type: array
  2258. type: object
  2259. type: array
  2260. controller:
  2261. description: |-
  2262. Used to select the correct ESO controller (think: ingress.ingressClassName).
  2263. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  2264. type: string
  2265. provider:
  2266. description: Used to configure the provider. Only one provider may be set
  2267. maxProperties: 1
  2268. minProperties: 1
  2269. properties:
  2270. akeyless:
  2271. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  2272. properties:
  2273. akeylessGWApiURL:
  2274. description: Akeyless GW API URL from which the secrets are to be fetched.
  2275. type: string
  2276. authSecretRef:
  2277. description: Auth configures how the operator authenticates with Akeyless.
  2278. properties:
  2279. kubernetesAuth:
  2280. description: |-
  2281. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  2282. token stored in the named Secret resource.
  2283. properties:
  2284. accessID:
  2285. description: the Akeyless Kubernetes auth-method access-id
  2286. type: string
  2287. k8sConfName:
  2288. description: Kubernetes-auth configuration name in Akeyless-Gateway
  2289. type: string
  2290. secretRef:
  2291. description: |-
  2292. Optional secret field containing a Kubernetes ServiceAccount JWT used
  2293. for authenticating with Akeyless. If a name is specified without a key,
  2294. `token` is the default. If one is not specified, the one bound to
  2295. the controller will be used.
  2296. properties:
  2297. key:
  2298. description: |-
  2299. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2300. defaulted, in others it may be required.
  2301. type: string
  2302. name:
  2303. description: The name of the Secret resource being referred to.
  2304. type: string
  2305. namespace:
  2306. description: |-
  2307. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2308. to the namespace of the referent.
  2309. type: string
  2310. type: object
  2311. serviceAccountRef:
  2312. description: |-
  2313. Optional service account field containing the name of a kubernetes ServiceAccount.
  2314. If the service account is specified, the service account secret token JWT will be used
  2315. for authenticating with Akeyless. If the service account selector is not supplied,
  2316. the secretRef will be used instead.
  2317. properties:
  2318. audiences:
  2319. description: |-
  2320. Audience specifies the `aud` claim for the service account token
  2321. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2322. then these audiences will be appended to the list
  2323. items:
  2324. type: string
  2325. type: array
  2326. name:
  2327. description: The name of the ServiceAccount resource being referred to.
  2328. type: string
  2329. namespace:
  2330. description: |-
  2331. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2332. to the namespace of the referent.
  2333. type: string
  2334. required:
  2335. - name
  2336. type: object
  2337. required:
  2338. - accessID
  2339. - k8sConfName
  2340. type: object
  2341. secretRef:
  2342. description: |-
  2343. Reference to a Secret that contains the details
  2344. to authenticate with Akeyless.
  2345. properties:
  2346. accessID:
  2347. description: The SecretAccessID is used for authentication
  2348. properties:
  2349. key:
  2350. description: |-
  2351. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2352. defaulted, in others it may be required.
  2353. type: string
  2354. name:
  2355. description: The name of the Secret resource being referred to.
  2356. type: string
  2357. namespace:
  2358. description: |-
  2359. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2360. to the namespace of the referent.
  2361. type: string
  2362. type: object
  2363. accessType:
  2364. description: |-
  2365. A reference to a specific 'key' within a Secret resource.
  2366. In some instances, `key` is a required field.
  2367. properties:
  2368. key:
  2369. description: |-
  2370. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2371. defaulted, in others it may be required.
  2372. type: string
  2373. name:
  2374. description: The name of the Secret resource being referred to.
  2375. type: string
  2376. namespace:
  2377. description: |-
  2378. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2379. to the namespace of the referent.
  2380. type: string
  2381. type: object
  2382. accessTypeParam:
  2383. description: |-
  2384. A reference to a specific 'key' within a Secret resource.
  2385. In some instances, `key` is a required field.
  2386. properties:
  2387. key:
  2388. description: |-
  2389. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2390. defaulted, in others it may be required.
  2391. type: string
  2392. name:
  2393. description: The name of the Secret resource being referred to.
  2394. type: string
  2395. namespace:
  2396. description: |-
  2397. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2398. to the namespace of the referent.
  2399. type: string
  2400. type: object
  2401. type: object
  2402. type: object
  2403. caBundle:
  2404. description: |-
  2405. PEM/base64 encoded CA bundle used to validate the Akeyless Gateway certificate. Only used
  2406. if the AkeylessGWApiURL uses the HTTPS protocol. If not set, the system root certificates
  2407. are used to validate the TLS connection.
  2408. format: byte
  2409. type: string
  2410. caProvider:
  2411. description: The provider for the CA bundle to use to validate the Akeyless Gateway certificate.
  2412. properties:
  2413. key:
  2414. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2415. type: string
  2416. name:
  2417. description: The name of the object located at the provider type.
  2418. type: string
  2419. namespace:
  2420. description: |-
  2421. The namespace the Provider type is in.
  2422. Can only be defined when used in a ClusterSecretStore.
  2423. type: string
  2424. type:
  2425. description: The type of provider to use such as "Secret", or "ConfigMap".
  2426. enum:
  2427. - Secret
  2428. - ConfigMap
  2429. type: string
  2430. required:
  2431. - name
  2432. - type
  2433. type: object
  2434. required:
  2435. - akeylessGWApiURL
  2436. - authSecretRef
  2437. type: object
  2438. alibaba:
  2439. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  2440. properties:
  2441. auth:
  2442. description: AlibabaAuth contains a secretRef for credentials.
  2443. properties:
  2444. rrsa:
  2445. description: Authenticate against Alibaba using RRSA.
  2446. properties:
  2447. oidcProviderArn:
  2448. type: string
  2449. oidcTokenFilePath:
  2450. type: string
  2451. roleArn:
  2452. type: string
  2453. sessionName:
  2454. type: string
  2455. required:
  2456. - oidcProviderArn
  2457. - oidcTokenFilePath
  2458. - roleArn
  2459. - sessionName
  2460. type: object
  2461. secretRef:
  2462. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  2463. properties:
  2464. accessKeyIDSecretRef:
  2465. description: The AccessKeyID is used for authentication
  2466. properties:
  2467. key:
  2468. description: |-
  2469. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2470. defaulted, in others it may be required.
  2471. type: string
  2472. name:
  2473. description: The name of the Secret resource being referred to.
  2474. type: string
  2475. namespace:
  2476. description: |-
  2477. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2478. to the namespace of the referent.
  2479. type: string
  2480. type: object
  2481. accessKeySecretSecretRef:
  2482. description: The AccessKeySecret is used for authentication
  2483. properties:
  2484. key:
  2485. description: |-
  2486. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2487. defaulted, in others it may be required.
  2488. type: string
  2489. name:
  2490. description: The name of the Secret resource being referred to.
  2491. type: string
  2492. namespace:
  2493. description: |-
  2494. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2495. to the namespace of the referent.
  2496. type: string
  2497. type: object
  2498. required:
  2499. - accessKeyIDSecretRef
  2500. - accessKeySecretSecretRef
  2501. type: object
  2502. type: object
  2503. regionID:
  2504. description: Alibaba Region to be used for the provider
  2505. type: string
  2506. required:
  2507. - auth
  2508. - regionID
  2509. type: object
  2510. aws:
  2511. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  2512. properties:
  2513. additionalRoles:
  2514. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  2515. items:
  2516. type: string
  2517. type: array
  2518. auth:
  2519. description: |-
  2520. Auth defines the information necessary to authenticate against AWS
  2521. If not set, the AWS SDK will infer credentials from your environment;
  2522. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  2523. properties:
  2524. jwt:
  2525. description: Authenticate against AWS using service account tokens.
  2526. properties:
  2527. serviceAccountRef:
  2528. description: A reference to a ServiceAccount resource.
  2529. properties:
  2530. audiences:
  2531. description: |-
  2532. Audience specifies the `aud` claim for the service account token
  2533. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2534. then these audiences will be appended to the list
  2535. items:
  2536. type: string
  2537. type: array
  2538. name:
  2539. description: The name of the ServiceAccount resource being referred to.
  2540. type: string
  2541. namespace:
  2542. description: |-
  2543. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2544. to the namespace of the referent.
  2545. type: string
  2546. required:
  2547. - name
  2548. type: object
  2549. type: object
  2550. secretRef:
  2551. description: |-
  2552. AWSAuthSecretRef holds secret references for AWS credentials.
  2553. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  2554. properties:
  2555. accessKeyIDSecretRef:
  2556. description: The AccessKeyID is used for authentication
  2557. properties:
  2558. key:
  2559. description: |-
  2560. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2561. defaulted, in others it may be required.
  2562. type: string
  2563. name:
  2564. description: The name of the Secret resource being referred to.
  2565. type: string
  2566. namespace:
  2567. description: |-
  2568. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2569. to the namespace of the referent.
  2570. type: string
  2571. type: object
  2572. secretAccessKeySecretRef:
  2573. description: The SecretAccessKey is used for authentication
  2574. properties:
  2575. key:
  2576. description: |-
  2577. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2578. defaulted, in others it may be required.
  2579. type: string
  2580. name:
  2581. description: The name of the Secret resource being referred to.
  2582. type: string
  2583. namespace:
  2584. description: |-
  2585. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2586. to the namespace of the referent.
  2587. type: string
  2588. type: object
  2589. sessionTokenSecretRef:
  2590. description: |-
  2591. The SessionToken used for authentication
  2592. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  2593. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  2594. properties:
  2595. key:
  2596. description: |-
  2597. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2598. defaulted, in others it may be required.
  2599. type: string
  2600. name:
  2601. description: The name of the Secret resource being referred to.
  2602. type: string
  2603. namespace:
  2604. description: |-
  2605. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2606. to the namespace of the referent.
  2607. type: string
  2608. type: object
  2609. type: object
  2610. type: object
  2611. externalID:
  2612. description: AWS External ID set on assumed IAM roles
  2613. type: string
  2614. region:
  2615. description: AWS Region to be used for the provider
  2616. type: string
  2617. role:
  2618. description: Role is a Role ARN which the provider will assume
  2619. type: string
  2620. secretsManager:
  2621. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  2622. properties:
  2623. forceDeleteWithoutRecovery:
  2624. description: |-
  2625. Specifies whether to delete the secret without any recovery window. You
  2626. can't use both this parameter and RecoveryWindowInDays in the same call.
  2627. If you don't use either, then by default Secrets Manager uses a 30 day
  2628. recovery window.
  2629. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  2630. type: boolean
  2631. recoveryWindowInDays:
  2632. description: |-
  2633. The number of days from 7 to 30 that Secrets Manager waits before
  2634. permanently deleting the secret. You can't use both this parameter and
  2635. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  2636. then by default Secrets Manager uses a 30 day recovery window.
  2637. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  2638. format: int64
  2639. type: integer
  2640. type: object
  2641. service:
  2642. description: Service defines which service should be used to fetch the secrets
  2643. enum:
  2644. - SecretsManager
  2645. - ParameterStore
  2646. type: string
  2647. sessionTags:
  2648. description: AWS STS assume role session tags
  2649. items:
  2650. properties:
  2651. key:
  2652. type: string
  2653. value:
  2654. type: string
  2655. required:
  2656. - key
  2657. - value
  2658. type: object
  2659. type: array
  2660. transitiveTagKeys:
  2661. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2662. items:
  2663. type: string
  2664. type: array
  2665. required:
  2666. - region
  2667. - service
  2668. type: object
  2669. azurekv:
  2670. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2671. properties:
  2672. authSecretRef:
  2673. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2674. properties:
  2675. clientCertificate:
  2676. description: The Azure ClientCertificate of the service principal used for authentication.
  2677. properties:
  2678. key:
  2679. description: |-
  2680. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2681. defaulted, in others it may be required.
  2682. type: string
  2683. name:
  2684. description: The name of the Secret resource being referred to.
  2685. type: string
  2686. namespace:
  2687. description: |-
  2688. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2689. to the namespace of the referent.
  2690. type: string
  2691. type: object
  2692. clientId:
  2693. description: The Azure clientId of the service principal or managed identity used for authentication.
  2694. properties:
  2695. key:
  2696. description: |-
  2697. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2698. defaulted, in others it may be required.
  2699. type: string
  2700. name:
  2701. description: The name of the Secret resource being referred to.
  2702. type: string
  2703. namespace:
  2704. description: |-
  2705. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2706. to the namespace of the referent.
  2707. type: string
  2708. type: object
  2709. clientSecret:
  2710. description: The Azure ClientSecret of the service principal used for authentication.
  2711. properties:
  2712. key:
  2713. description: |-
  2714. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2715. defaulted, in others it may be required.
  2716. type: string
  2717. name:
  2718. description: The name of the Secret resource being referred to.
  2719. type: string
  2720. namespace:
  2721. description: |-
  2722. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2723. to the namespace of the referent.
  2724. type: string
  2725. type: object
  2726. tenantId:
  2727. description: The Azure tenantId of the managed identity used for authentication.
  2728. properties:
  2729. key:
  2730. description: |-
  2731. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2732. defaulted, in others it may be required.
  2733. type: string
  2734. name:
  2735. description: The name of the Secret resource being referred to.
  2736. type: string
  2737. namespace:
  2738. description: |-
  2739. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2740. to the namespace of the referent.
  2741. type: string
  2742. type: object
  2743. type: object
  2744. authType:
  2745. default: ServicePrincipal
  2746. description: |-
  2747. Auth type defines how to authenticate to the keyvault service.
  2748. Valid values are:
  2749. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2750. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  - "WorkloadIdentity": Using the Kubernetes service account referenced by serviceAccountRef
  2751. enum:
  2752. - ServicePrincipal
  2753. - ManagedIdentity
  2754. - WorkloadIdentity
  2755. type: string
  2756. environmentType:
  2757. default: PublicCloud
  2758. description: |-
  2759. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2760. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2761. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2762. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  2763. enum:
  2764. - PublicCloud
  2765. - USGovernmentCloud
  2766. - ChinaCloud
  2767. - GermanCloud
  2768. type: string
  2769. identityId:
  2770. description: If multiple Managed Identities are assigned to the pod, you can select the one to be used
  2771. type: string
  2772. serviceAccountRef:
  2773. description: |-
  2774. ServiceAccountRef specifies the service account
  2775. that should be used when authenticating with WorkloadIdentity.
  2776. properties:
  2777. audiences:
  2778. description: |-
  2779. Audience specifies the `aud` claim for the service account token
  2780. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2781. then these audiences will be appended to the list
  2782. items:
  2783. type: string
  2784. type: array
  2785. name:
  2786. description: The name of the ServiceAccount resource being referred to.
  2787. type: string
  2788. namespace:
  2789. description: |-
  2790. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2791. to the namespace of the referent.
  2792. type: string
  2793. required:
  2794. - name
  2795. type: object
  2796. tenantId:
  2797. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2798. type: string
  2799. vaultUrl:
  2800. description: Vault URL from which the secrets are to be fetched.
  2801. type: string
  2802. required:
  2803. - vaultUrl
  2804. type: object
  2805. bitwardensecretsmanager:
  2806. description: BitwardenSecretsManager configures this store to sync secrets using BitwardenSecretsManager provider
  2807. properties:
  2808. apiURL:
  2809. type: string
  2810. auth:
  2811. description: |-
  2812. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  2813. Make sure that the token being used has permissions on the given secret.
  2814. properties:
  2815. secretRef:
  2816. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  2817. properties:
  2818. credentials:
  2819. description: AccessToken used for the bitwarden instance.
  2820. properties:
  2821. key:
  2822. description: |-
  2823. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2824. defaulted, in others it may be required.
  2825. type: string
  2826. name:
  2827. description: The name of the Secret resource being referred to.
  2828. type: string
  2829. namespace:
  2830. description: |-
  2831. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2832. to the namespace of the referent.
  2833. type: string
  2834. type: object
  2835. required:
  2836. - credentials
  2837. type: object
  2838. required:
  2839. - secretRef
  2840. type: object
  2841. bitwardenServerSDKURL:
  2842. type: string
  2843. caBundle:
  2844. description: |-
  2845. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  2846. can be performed.
  2847. type: string
  2848. identityURL:
  2849. type: string
  2850. organizationID:
  2851. description: OrganizationID determines which organization this secret store manages.
  2852. type: string
  2853. projectID:
  2854. description: ProjectID determines which project this secret store manages.
  2855. type: string
  2856. required:
  2857. - auth
  2858. - caBundle
  2859. - organizationID
  2860. - projectID
  2861. type: object
  2862. chef:
  2863. description: Chef configures this store to sync secrets with chef server
  2864. properties:
  2865. auth:
  2866. description: Auth defines the information necessary to authenticate against chef Server
  2867. properties:
  2868. secretRef:
  2869. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  2870. properties:
  2871. privateKeySecretRef:
  2872. description: SecretKey is the Signing Key in PEM format, used for authentication.
  2873. properties:
  2874. key:
  2875. description: |-
  2876. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2877. defaulted, in others it may be required.
  2878. type: string
  2879. name:
  2880. description: The name of the Secret resource being referred to.
  2881. type: string
  2882. namespace:
  2883. description: |-
  2884. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2885. to the namespace of the referent.
  2886. type: string
  2887. type: object
  2888. required:
  2889. - privateKeySecretRef
  2890. type: object
  2891. required:
  2892. - secretRef
  2893. type: object
  2894. serverUrl:
  2895. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  2896. type: string
  2897. username:
  2898. description: UserName should be the user ID on the chef server
  2899. type: string
  2900. required:
  2901. - auth
  2902. - serverUrl
  2903. - username
  2904. type: object
  2905. conjur:
  2906. description: Conjur configures this store to sync secrets using conjur provider
  2907. properties:
  2908. auth:
  2909. properties:
  2910. apikey:
  2911. properties:
  2912. account:
  2913. type: string
  2914. apiKeyRef:
  2915. description: |-
  2916. A reference to a specific 'key' within a Secret resource.
  2917. In some instances, `key` is a required field.
  2918. properties:
  2919. key:
  2920. description: |-
  2921. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2922. defaulted, in others it may be required.
  2923. type: string
  2924. name:
  2925. description: The name of the Secret resource being referred to.
  2926. type: string
  2927. namespace:
  2928. description: |-
  2929. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2930. to the namespace of the referent.
  2931. type: string
  2932. type: object
  2933. userRef:
  2934. description: |-
  2935. A reference to a specific 'key' within a Secret resource.
  2936. In some instances, `key` is a required field.
  2937. properties:
  2938. key:
  2939. description: |-
  2940. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2941. defaulted, in others it may be required.
  2942. type: string
  2943. name:
  2944. description: The name of the Secret resource being referred to.
  2945. type: string
  2946. namespace:
  2947. description: |-
  2948. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2949. to the namespace of the referent.
  2950. type: string
  2951. type: object
  2952. required:
  2953. - account
  2954. - apiKeyRef
  2955. - userRef
  2956. type: object
  2957. jwt:
  2958. properties:
  2959. account:
  2960. type: string
  2961. hostId:
  2962. description: |-
  2963. Optional HostID for JWT authentication. This may be used depending
  2964. on how the Conjur JWT authenticator policy is configured.
  2965. type: string
  2966. secretRef:
  2967. description: |-
  2968. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  2969. authenticate with Conjur using the JWT authentication method.
  2970. properties:
  2971. key:
  2972. description: |-
  2973. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2974. defaulted, in others it may be required.
  2975. type: string
  2976. name:
  2977. description: The name of the Secret resource being referred to.
  2978. type: string
  2979. namespace:
  2980. description: |-
  2981. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2982. to the namespace of the referent.
  2983. type: string
  2984. type: object
  2985. serviceAccountRef:
  2986. description: |-
  2987. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  2988. a token with the `TokenRequest` API.
  2989. properties:
  2990. audiences:
  2991. description: |-
  2992. Audience specifies the `aud` claim for the service account token
  2993. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2994. then these audiences will be appended to the list
  2995. items:
  2996. type: string
  2997. type: array
  2998. name:
  2999. description: The name of the ServiceAccount resource being referred to.
  3000. type: string
  3001. namespace:
  3002. description: |-
  3003. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3004. to the namespace of the referent.
  3005. type: string
  3006. required:
  3007. - name
  3008. type: object
  3009. serviceID:
  3010. description: The conjur authn jwt webservice id
  3011. type: string
  3012. required:
  3013. - account
  3014. - serviceID
  3015. type: object
  3016. type: object
  3017. caBundle:
  3018. type: string
  3019. caProvider:
  3020. description: |-
  3021. Used to provide custom certificate authority (CA) certificates
  3022. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  3023. that contains a PEM-encoded certificate.
  3024. properties:
  3025. key:
  3026. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3027. type: string
  3028. name:
  3029. description: The name of the object located at the provider type.
  3030. type: string
  3031. namespace:
  3032. description: |-
  3033. The namespace the Provider type is in.
  3034. Can only be defined when used in a ClusterSecretStore.
  3035. type: string
  3036. type:
  3037. description: The type of provider to use such as "Secret", or "ConfigMap".
  3038. enum:
  3039. - Secret
  3040. - ConfigMap
  3041. type: string
  3042. required:
  3043. - name
  3044. - type
  3045. type: object
  3046. url:
  3047. type: string
  3048. required:
  3049. - auth
  3050. - url
  3051. type: object
  3052. delinea:
  3053. description: |-
  3054. Delinea DevOps Secrets Vault
  3055. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  3056. properties:
  3057. clientId:
  3058. description: ClientID is the non-secret part of the credential.
  3059. properties:
  3060. secretRef:
  3061. description: SecretRef references a key in a secret that will be used as value.
  3062. properties:
  3063. key:
  3064. description: |-
  3065. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3066. defaulted, in others it may be required.
  3067. type: string
  3068. name:
  3069. description: The name of the Secret resource being referred to.
  3070. type: string
  3071. namespace:
  3072. description: |-
  3073. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3074. to the namespace of the referent.
  3075. type: string
  3076. type: object
  3077. value:
  3078. description: Value can be specified directly to set a value without using a secret.
  3079. type: string
  3080. type: object
  3081. clientSecret:
  3082. description: ClientSecret is the secret part of the credential.
  3083. properties:
  3084. secretRef:
  3085. description: SecretRef references a key in a secret that will be used as value.
  3086. properties:
  3087. key:
  3088. description: |-
  3089. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3090. defaulted, in others it may be required.
  3091. type: string
  3092. name:
  3093. description: The name of the Secret resource being referred to.
  3094. type: string
  3095. namespace:
  3096. description: |-
  3097. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3098. to the namespace of the referent.
  3099. type: string
  3100. type: object
  3101. value:
  3102. description: Value can be specified directly to set a value without using a secret.
  3103. type: string
  3104. type: object
  3105. tenant:
  3106. description: Tenant is the chosen hostname / site name.
  3107. type: string
  3108. tld:
  3109. description: |-
  3110. TLD is based on the server location that was chosen during provisioning.
  3111. If unset, defaults to "com".
  3112. type: string
  3113. urlTemplate:
  3114. description: |-
  3115. URLTemplate
  3116. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  3117. type: string
  3118. required:
  3119. - clientId
  3120. - clientSecret
  3121. - tenant
  3122. type: object
  3123. device42:
  3124. description: Device42 configures this store to sync secrets using the Device42 provider
  3125. properties:
  3126. auth:
  3127. description: Auth configures how secret-manager authenticates with a Device42 instance.
  3128. properties:
  3129. secretRef:
  3130. properties:
  3131. credentials:
  3132. description: Username / Password is used for authentication.
  3133. properties:
  3134. key:
  3135. description: |-
  3136. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3137. defaulted, in others it may be required.
  3138. type: string
  3139. name:
  3140. description: The name of the Secret resource being referred to.
  3141. type: string
  3142. namespace:
  3143. description: |-
  3144. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3145. to the namespace of the referent.
  3146. type: string
  3147. type: object
  3148. type: object
  3149. required:
  3150. - secretRef
  3151. type: object
  3152. host:
  3153. description: URL configures the Device42 instance URL.
  3154. type: string
  3155. required:
  3156. - auth
  3157. - host
  3158. type: object
  3159. doppler:
  3160. description: Doppler configures this store to sync secrets using the Doppler provider
  3161. properties:
  3162. auth:
  3163. description: Auth configures how the Operator authenticates with the Doppler API
  3164. properties:
  3165. secretRef:
  3166. properties:
  3167. dopplerToken:
  3168. description: |-
  3169. The DopplerToken is used for authentication.
  3170. See https://docs.doppler.com/reference/api#authentication for auth token types.
  3171. The Key attribute defaults to dopplerToken if not specified.
  3172. properties:
  3173. key:
  3174. description: |-
  3175. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3176. defaulted, in others it may be required.
  3177. type: string
  3178. name:
  3179. description: The name of the Secret resource being referred to.
  3180. type: string
  3181. namespace:
  3182. description: |-
  3183. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3184. to the namespace of the referent.
  3185. type: string
  3186. type: object
  3187. required:
  3188. - dopplerToken
  3189. type: object
  3190. required:
  3191. - secretRef
  3192. type: object
  3193. config:
  3194. description: Doppler config (required if not using a Service Token)
  3195. type: string
  3196. format:
  3197. description: Format enables the downloading of secrets as a file (string)
  3198. enum:
  3199. - json
  3200. - dotnet-json
  3201. - env
  3202. - yaml
  3203. - docker
  3204. type: string
  3205. nameTransformer:
  3206. description: Environment variable compatible name transforms that change secret names to a different format
  3207. enum:
  3208. - upper-camel
  3209. - camel
  3210. - lower-snake
  3211. - tf-var
  3212. - dotnet-env
  3213. - lower-kebab
  3214. type: string
  3215. project:
  3216. description: Doppler project (required if not using a Service Token)
  3217. type: string
  3218. required:
  3219. - auth
  3220. type: object
  3221. fake:
  3222. description: Fake configures a store with static key/value pairs
  3223. properties:
  3224. data:
  3225. items:
  3226. properties:
  3227. key:
  3228. type: string
  3229. value:
  3230. type: string
  3231. valueMap:
  3232. additionalProperties:
  3233. type: string
  3234. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  3235. type: object
  3236. version:
  3237. type: string
  3238. required:
  3239. - key
  3240. type: object
  3241. type: array
  3242. required:
  3243. - data
  3244. type: object
  3245. fortanix:
  3246. description: Fortanix configures this store to sync secrets using the Fortanix provider
  3247. properties:
  3248. apiKey:
  3249. description: APIKey is the API token to access SDKMS Applications.
  3250. properties:
  3251. secretRef:
  3252. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  3253. properties:
  3254. key:
  3255. description: |-
  3256. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3257. defaulted, in others it may be required.
  3258. type: string
  3259. name:
  3260. description: The name of the Secret resource being referred to.
  3261. type: string
  3262. namespace:
  3263. description: |-
  3264. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3265. to the namespace of the referent.
  3266. type: string
  3267. type: object
  3268. type: object
  3269. apiUrl:
  3270. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  3271. type: string
  3272. type: object
  3273. gcpsm:
  3274. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  3275. properties:
  3276. auth:
  3277. description: Auth defines the information necessary to authenticate against GCP
  3278. properties:
  3279. secretRef:
  3280. properties:
  3281. secretAccessKeySecretRef:
  3282. description: The SecretAccessKey is used for authentication
  3283. properties:
  3284. key:
  3285. description: |-
  3286. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3287. defaulted, in others it may be required.
  3288. type: string
  3289. name:
  3290. description: The name of the Secret resource being referred to.
  3291. type: string
  3292. namespace:
  3293. description: |-
  3294. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3295. to the namespace of the referent.
  3296. type: string
  3297. type: object
  3298. type: object
  3299. workloadIdentity:
  3300. properties:
  3301. clusterLocation:
  3302. type: string
  3303. clusterName:
  3304. type: string
  3305. clusterProjectID:
  3306. type: string
  3307. serviceAccountRef:
  3308. description: A reference to a ServiceAccount resource.
  3309. properties:
  3310. audiences:
  3311. description: |-
  3312. Audience specifies the `aud` claim for the service account token
  3313. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3314. then these audiences will be appended to the list
  3315. items:
  3316. type: string
  3317. type: array
  3318. name:
  3319. description: The name of the ServiceAccount resource being referred to.
  3320. type: string
  3321. namespace:
  3322. description: |-
  3323. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3324. to the namespace of the referent.
  3325. type: string
  3326. required:
  3327. - name
  3328. type: object
  3329. required:
  3330. - clusterLocation
  3331. - clusterName
  3332. - serviceAccountRef
  3333. type: object
  3334. type: object
  3335. location:
  3336. description: Location optionally defines a location for a secret
  3337. type: string
  3338. projectID:
  3339. description: ProjectID is the project where the secret is located
  3340. type: string
  3341. type: object
  3342. gitlab:
  3343. description: GitLab configures this store to sync secrets using GitLab Variables provider
  3344. properties:
  3345. auth:
  3346. description: Auth configures how secret-manager authenticates with a GitLab instance.
  3347. properties:
  3348. SecretRef:
  3349. properties:
  3350. accessToken:
  3351. description: AccessToken is used for authentication.
  3352. properties:
  3353. key:
  3354. description: |-
  3355. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3356. defaulted, in others it may be required.
  3357. type: string
  3358. name:
  3359. description: The name of the Secret resource being referred to.
  3360. type: string
  3361. namespace:
  3362. description: |-
  3363. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3364. to the namespace of the referent.
  3365. type: string
  3366. type: object
  3367. type: object
  3368. required:
  3369. - SecretRef
  3370. type: object
  3371. environment:
  3372. description: Environment is the environment_scope of GitLab CI/CD variables (please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  3373. type: string
  3374. groupIDs:
  3375. description: GroupIDs specify which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  3376. items:
  3377. type: string
  3378. type: array
  3379. inheritFromGroups:
  3380. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  3381. type: boolean
  3382. projectID:
  3383. description: ProjectID specifies a project where secrets are located.
  3384. type: string
  3385. url:
  3386. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  3387. type: string
  3388. required:
  3389. - auth
  3390. type: object
  3391. ibm:
  3392. description: IBM configures this store to sync secrets using IBM Cloud provider
  3393. properties:
  3394. auth:
  3395. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  3396. maxProperties: 1
  3397. minProperties: 1
  3398. properties:
  3399. containerAuth:
  3400. description: IBM Container-based auth with IAM Trusted Profile.
  3401. properties:
  3402. iamEndpoint:
  3403. type: string
  3404. profile:
  3405. description: the IBM Trusted Profile
  3406. type: string
  3407. tokenLocation:
  3408. description: Location where the token is mounted on the pod
  3409. type: string
  3410. required:
  3411. - profile
  3412. type: object
  3413. secretRef:
  3414. properties:
  3415. secretApiKeySecretRef:
  3416. description: The SecretAccessKey is used for authentication
  3417. properties:
  3418. key:
  3419. description: |-
  3420. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3421. defaulted, in others it may be required.
  3422. type: string
  3423. name:
  3424. description: The name of the Secret resource being referred to.
  3425. type: string
  3426. namespace:
  3427. description: |-
  3428. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3429. to the namespace of the referent.
  3430. type: string
  3431. type: object
  3432. type: object
  3433. type: object
  3434. serviceUrl:
  3435. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  3436. type: string
  3437. required:
  3438. - auth
  3439. type: object
  3440. infisical:
  3441. description: Infisical configures this store to sync secrets using the Infisical provider
  3442. properties:
  3443. auth:
  3444. description: Auth configures how the Operator authenticates with the Infisical API
  3445. properties:
  3446. universalAuthCredentials:
  3447. properties:
  3448. clientId:
  3449. description: |-
  3450. A reference to a specific 'key' within a Secret resource,
  3451. In some instances, `key` is a required field.
  3452. properties:
  3453. key:
  3454. description: |-
  3455. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3456. defaulted, in others it may be required.
  3457. type: string
  3458. name:
  3459. description: The name of the Secret resource being referred to.
  3460. type: string
  3461. namespace:
  3462. description: |-
  3463. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3464. to the namespace of the referent.
  3465. type: string
  3466. type: object
  3467. clientSecret:
  3468. description: |-
  3469. A reference to a specific 'key' within a Secret resource,
  3470. In some instances, `key` is a required field.
  3471. properties:
  3472. key:
  3473. description: |-
  3474. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3475. defaulted, in others it may be required.
  3476. type: string
  3477. name:
  3478. description: The name of the Secret resource being referred to.
  3479. type: string
  3480. namespace:
  3481. description: |-
  3482. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3483. to the namespace of the referent.
  3484. type: string
  3485. type: object
  3486. required:
  3487. - clientId
  3488. - clientSecret
  3489. type: object
  3490. type: object
  3491. hostAPI:
  3492. default: https://app.infisical.com/api
  3493. type: string
  3494. secretsScope:
  3495. properties:
  3496. environmentSlug:
  3497. type: string
  3498. projectSlug:
  3499. type: string
  3500. secretsPath:
  3501. default: /
  3502. type: string
  3503. required:
  3504. - environmentSlug
  3505. - projectSlug
  3506. type: object
  3507. required:
  3508. - auth
  3509. - secretsScope
  3510. type: object
  3511. keepersecurity:
  3512. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  3513. properties:
  3514. authRef:
  3515. description: |-
  3516. A reference to a specific 'key' within a Secret resource,
  3517. In some instances, `key` is a required field.
  3518. properties:
  3519. key:
  3520. description: |-
  3521. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3522. defaulted, in others it may be required.
  3523. type: string
  3524. name:
  3525. description: The name of the Secret resource being referred to.
  3526. type: string
  3527. namespace:
  3528. description: |-
  3529. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3530. to the namespace of the referent.
  3531. type: string
  3532. type: object
  3533. folderID:
  3534. type: string
  3535. required:
  3536. - authRef
  3537. - folderID
  3538. type: object
  3539. kubernetes:
  3540. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  3541. properties:
  3542. auth:
  3543. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  3544. maxProperties: 1
  3545. minProperties: 1
  3546. properties:
  3547. cert:
  3548. description: has both clientCert and clientKey as secretKeySelector
  3549. properties:
  3550. clientCert:
  3551. description: |-
  3552. A reference to a specific 'key' within a Secret resource,
  3553. In some instances, `key` is a required field.
  3554. properties:
  3555. key:
  3556. description: |-
  3557. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3558. defaulted, in others it may be required.
  3559. type: string
  3560. name:
  3561. description: The name of the Secret resource being referred to.
  3562. type: string
  3563. namespace:
  3564. description: |-
  3565. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3566. to the namespace of the referent.
  3567. type: string
  3568. type: object
  3569. clientKey:
  3570. description: |-
  3571. A reference to a specific 'key' within a Secret resource,
  3572. In some instances, `key` is a required field.
  3573. properties:
  3574. key:
  3575. description: |-
  3576. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3577. defaulted, in others it may be required.
  3578. type: string
  3579. name:
  3580. description: The name of the Secret resource being referred to.
  3581. type: string
  3582. namespace:
  3583. description: |-
  3584. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3585. to the namespace of the referent.
  3586. type: string
  3587. type: object
  3588. type: object
  3589. serviceAccount:
  3590. description: points to a service account that should be used for authentication
  3591. properties:
  3592. audiences:
  3593. description: |-
  3594. Audience specifies the `aud` claim for the service account token
  3595. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3596. then these audiences will be appended to the list
  3597. items:
  3598. type: string
  3599. type: array
  3600. name:
  3601. description: The name of the ServiceAccount resource being referred to.
  3602. type: string
  3603. namespace:
  3604. description: |-
  3605. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3606. to the namespace of the referent.
  3607. type: string
  3608. required:
  3609. - name
  3610. type: object
  3611. token:
  3612. description: Use a static token to authenticate with.
  3613. properties:
  3614. bearerToken:
  3615. description: |-
  3616. A reference to a specific 'key' within a Secret resource,
  3617. In some instances, `key` is a required field.
  3618. properties:
  3619. key:
  3620. description: |-
  3621. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3622. defaulted, in others it may be required.
  3623. type: string
  3624. name:
  3625. description: The name of the Secret resource being referred to.
  3626. type: string
  3627. namespace:
  3628. description: |-
  3629. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3630. to the namespace of the referent.
  3631. type: string
  3632. type: object
  3633. type: object
  3634. type: object
  3635. remoteNamespace:
  3636. default: default
  3637. description: Remote namespace to fetch the secrets from
  3638. type: string
  3639. server:
  3640. description: configures the Kubernetes server Address.
  3641. properties:
  3642. caBundle:
  3643. description: CABundle is a base64-encoded CA certificate
  3644. format: byte
  3645. type: string
  3646. caProvider:
  3647. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  3648. properties:
  3649. key:
  3650. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3651. type: string
  3652. name:
  3653. description: The name of the object located at the provider type.
  3654. type: string
  3655. namespace:
  3656. description: |-
  3657. The namespace the Provider type is in.
  3658. Can only be defined when used in a ClusterSecretStore.
  3659. type: string
  3660. type:
  3661. description: The type of provider to use such as "Secret", or "ConfigMap".
  3662. enum:
  3663. - Secret
  3664. - ConfigMap
  3665. type: string
  3666. required:
  3667. - name
  3668. - type
  3669. type: object
  3670. url:
  3671. default: kubernetes.default
  3672. description: configures the Kubernetes server Address.
  3673. type: string
  3674. type: object
  3675. required:
  3676. - auth
  3677. type: object
  3678. onboardbase:
  3679. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  3680. properties:
  3681. apiHost:
  3682. default: https://public.onboardbase.com/api/v1/
  3683. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  3684. type: string
  3685. auth:
  3686. description: Auth configures how the Operator authenticates with the Onboardbase API
  3687. properties:
  3688. apiKeyRef:
  3689. description: |-
  3690. OnboardbaseAPIKey is the APIKey generated by an admin account.
  3691. It is used to recognize and authorize access to a project and environment within onboardbase
  3692. properties:
  3693. key:
  3694. description: |-
  3695. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3696. defaulted, in others it may be required.
  3697. type: string
  3698. name:
  3699. description: The name of the Secret resource being referred to.
  3700. type: string
  3701. namespace:
  3702. description: |-
  3703. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3704. to the namespace of the referent.
  3705. type: string
  3706. type: object
  3707. passcodeRef:
  3708. description: OnboardbasePasscode is the passcode attached to the API Key
  3709. properties:
  3710. key:
  3711. description: |-
  3712. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3713. defaulted, in others it may be required.
  3714. type: string
  3715. name:
  3716. description: The name of the Secret resource being referred to.
  3717. type: string
  3718. namespace:
  3719. description: |-
  3720. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3721. to the namespace of the referent.
  3722. type: string
  3723. type: object
  3724. required:
  3725. - apiKeyRef
  3726. - passcodeRef
  3727. type: object
  3728. environment:
  3729. default: development
  3730. description: Environment is the name of an environment within a project to pull the secrets from
  3731. type: string
  3732. project:
  3733. default: development
  3734. description: Project is an onboardbase project that the secrets should be pulled from
  3735. type: string
  3736. required:
  3737. - apiHost
  3738. - auth
  3739. - environment
  3740. - project
  3741. type: object
  3742. onepassword:
  3743. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  3744. properties:
  3745. auth:
  3746. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  3747. properties:
  3748. secretRef:
  3749. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  3750. properties:
  3751. connectTokenSecretRef:
  3752. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  3753. properties:
  3754. key:
  3755. description: |-
  3756. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3757. defaulted, in others it may be required.
  3758. type: string
  3759. name:
  3760. description: The name of the Secret resource being referred to.
  3761. type: string
  3762. namespace:
  3763. description: |-
  3764. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3765. to the namespace of the referent.
  3766. type: string
  3767. type: object
  3768. required:
  3769. - connectTokenSecretRef
  3770. type: object
  3771. required:
  3772. - secretRef
  3773. type: object
  3774. connectHost:
  3775. description: ConnectHost defines the OnePassword Connect Server to connect to
  3776. type: string
  3777. vaults:
  3778. additionalProperties:
  3779. type: integer
  3780. description: Vaults defines which OnePassword vaults to search in which order
  3781. type: object
  3782. required:
  3783. - auth
  3784. - connectHost
  3785. - vaults
  3786. type: object
  3787. oracle:
  3788. description: Oracle configures this store to sync secrets using Oracle Vault provider
  3789. properties:
  3790. auth:
  3791. description: |-
  3792. Auth configures how secret-manager authenticates with the Oracle Vault.
  3793. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  3794. properties:
  3795. secretRef:
  3796. description: SecretRef to pass through sensitive information.
  3797. properties:
  3798. fingerprint:
  3799. description: Fingerprint is the fingerprint of the API private key.
  3800. properties:
  3801. key:
  3802. description: |-
  3803. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3804. defaulted, in others it may be required.
  3805. type: string
  3806. name:
  3807. description: The name of the Secret resource being referred to.
  3808. type: string
  3809. namespace:
  3810. description: |-
  3811. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3812. to the namespace of the referent.
  3813. type: string
  3814. type: object
  3815. privatekey:
  3816. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  3817. properties:
  3818. key:
  3819. description: |-
  3820. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3821. defaulted, in others it may be required.
  3822. type: string
  3823. name:
  3824. description: The name of the Secret resource being referred to.
  3825. type: string
  3826. namespace:
  3827. description: |-
  3828. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3829. to the namespace of the referent.
  3830. type: string
  3831. type: object
  3832. required:
  3833. - fingerprint
  3834. - privatekey
  3835. type: object
  3836. tenancy:
  3837. description: Tenancy is the tenancy OCID where user is located.
  3838. type: string
  3839. user:
  3840. description: User is an access OCID specific to the account.
  3841. type: string
  3842. required:
  3843. - secretRef
  3844. - tenancy
  3845. - user
  3846. type: object
  3847. compartment:
  3848. description: |-
  3849. Compartment is the vault compartment OCID.
  3850. Required for PushSecret
  3851. type: string
  3852. encryptionKey:
  3853. description: |-
  3854. EncryptionKey is the OCID of the encryption key within the vault.
  3855. Required for PushSecret
  3856. type: string
  3857. principalType:
  3858. description: |-
  3859. The type of principal to use for authentication. If left blank, the Auth struct will
  3860. determine the principal type. This optional field must be specified if using
  3861. workload identity.
  3862. enum:
  3863. - ""
  3864. - UserPrincipal
  3865. - InstancePrincipal
  3866. - Workload
  3867. type: string
  3868. region:
  3869. description: Region is the region where vault is located.
  3870. type: string
  3871. serviceAccountRef:
  3872. description: |-
  3873. ServiceAccountRef specifies the service account
  3874. that should be used when authenticating with WorkloadIdentity.
  3875. properties:
  3876. audiences:
  3877. description: |-
  3878. Audience specifies the `aud` claim for the service account token
  3879. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3880. then these audiences will be appended to the list
  3881. items:
  3882. type: string
  3883. type: array
  3884. name:
  3885. description: The name of the ServiceAccount resource being referred to.
  3886. type: string
  3887. namespace:
  3888. description: |-
  3889. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3890. to the namespace of the referent.
  3891. type: string
  3892. required:
  3893. - name
  3894. type: object
  3895. vault:
  3896. description: Vault is the OCID of the specific vault where the secret is located.
  3897. type: string
  3898. required:
  3899. - region
  3900. - vault
  3901. type: object
  3902. passbolt:
  3903. properties:
  3904. auth:
  3905. description: Auth defines the information necessary to authenticate against Passbolt Server
  3906. properties:
  3907. passwordSecretRef:
  3908. description: |-
  3909. A reference to a specific 'key' within a Secret resource,
  3910. In some instances, `key` is a required field.
  3911. properties:
  3912. key:
  3913. description: |-
  3914. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3915. defaulted, in others it may be required.
  3916. type: string
  3917. name:
  3918. description: The name of the Secret resource being referred to.
  3919. type: string
  3920. namespace:
  3921. description: |-
  3922. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3923. to the namespace of the referent.
  3924. type: string
  3925. type: object
  3926. privateKeySecretRef:
  3927. description: |-
  3928. A reference to a specific 'key' within a Secret resource,
  3929. In some instances, `key` is a required field.
  3930. properties:
  3931. key:
  3932. description: |-
  3933. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3934. defaulted, in others it may be required.
  3935. type: string
  3936. name:
  3937. description: The name of the Secret resource being referred to.
  3938. type: string
  3939. namespace:
  3940. description: |-
  3941. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3942. to the namespace of the referent.
  3943. type: string
  3944. type: object
  3945. required:
  3946. - passwordSecretRef
  3947. - privateKeySecretRef
  3948. type: object
  3949. host:
  3950. description: Host defines the Passbolt Server to connect to
  3951. type: string
  3952. required:
  3953. - auth
  3954. - host
  3955. type: object
  3956. passworddepot:
  3957. description: Configures a store to sync secrets with a Password Depot instance.
  3958. properties:
  3959. auth:
  3960. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  3961. properties:
  3962. secretRef:
  3963. properties:
  3964. credentials:
  3965. description: Username / Password is used for authentication.
  3966. properties:
  3967. key:
  3968. description: |-
  3969. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3970. defaulted, in others it may be required.
  3971. type: string
  3972. name:
  3973. description: The name of the Secret resource being referred to.
  3974. type: string
  3975. namespace:
  3976. description: |-
  3977. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3978. to the namespace of the referent.
  3979. type: string
  3980. type: object
  3981. type: object
  3982. required:
  3983. - secretRef
  3984. type: object
  3985. database:
  3986. description: Database to use as source
  3987. type: string
  3988. host:
  3989. description: Host configures the Password Depot instance URL.
  3990. type: string
  3991. required:
  3992. - auth
  3993. - database
  3994. - host
  3995. type: object
  3996. pulumi:
  3997. description: Pulumi configures this store to sync secrets using the Pulumi provider
  3998. properties:
  3999. accessToken:
  4000. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  4001. properties:
  4002. secretRef:
  4003. description: SecretRef is a reference to a secret containing the Pulumi API token.
  4004. properties:
  4005. key:
  4006. description: |-
  4007. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4008. defaulted, in others it may be required.
  4009. type: string
  4010. name:
  4011. description: The name of the Secret resource being referred to.
  4012. type: string
  4013. namespace:
  4014. description: |-
  4015. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4016. to the namespace of the referent.
  4017. type: string
  4018. type: object
  4019. type: object
  4020. apiUrl:
  4021. default: https://api.pulumi.com
  4022. description: APIURL is the URL of the Pulumi API.
  4023. type: string
  4024. environment:
  4025. description: |-
  4026. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  4027. dynamically retrieved values from supported providers including all major clouds,
  4028. and other Pulumi ESC environments.
  4029. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  4030. type: string
  4031. organization:
  4032. description: |-
  4033. Organization is a space to collaborate on shared projects and stacks.
  4034. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  4035. type: string
  4036. required:
  4037. - accessToken
  4038. - environment
  4039. - organization
  4040. type: object
  4041. scaleway:
  4042. description: Scaleway
  4043. properties:
  4044. accessKey:
  4045. description: AccessKey is the non-secret part of the api key.
  4046. properties:
  4047. secretRef:
  4048. description: SecretRef references a key in a secret that will be used as value.
  4049. properties:
  4050. key:
  4051. description: |-
  4052. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4053. defaulted, in others it may be required.
  4054. type: string
  4055. name:
  4056. description: The name of the Secret resource being referred to.
  4057. type: string
  4058. namespace:
  4059. description: |-
  4060. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4061. to the namespace of the referent.
  4062. type: string
  4063. type: object
  4064. value:
  4065. description: Value can be specified directly to set a value without using a secret.
  4066. type: string
  4067. type: object
  4068. apiUrl:
  4069. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  4070. type: string
  4071. projectId:
  4072. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  4073. type: string
  4074. region:
  4075. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  4076. type: string
  4077. secretKey:
  4078. description: SecretKey is the secret part of the api key. Prefer secretRef over value so the credential is not stored in plaintext in this resource.
  4079. properties:
  4080. secretRef:
  4081. description: SecretRef references a key in a secret that will be used as value.
  4082. properties:
  4083. key:
  4084. description: |-
  4085. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4086. defaulted, in others it may be required.
  4087. type: string
  4088. name:
  4089. description: The name of the Secret resource being referred to.
  4090. type: string
  4091. namespace:
  4092. description: |-
  4093. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4094. to the namespace of the referent.
  4095. type: string
  4096. type: object
  4097. value:
  4098. description: Value can be specified directly to set a value without using a secret. For the secret key this stores the credential in plaintext in the store object, visible to anyone who can read it; prefer secretRef.
  4099. type: string
  4100. type: object
  4101. required:
  4102. - accessKey
  4103. - projectId
  4104. - region
  4105. - secretKey
  4106. type: object
  4107. secretserver:
  4108. description: |-
  4109. SecretServer configures this store to sync secrets using SecretServer provider
  4110. https://docs.delinea.com/online-help/secret-server/start.htm
  4111. properties:
  4112. password:
  4113. description: Password is the secret server account password.
  4114. properties:
  4115. secretRef:
  4116. description: SecretRef references a key in a secret that will be used as value.
  4117. properties:
  4118. key:
  4119. description: |-
  4120. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4121. defaulted, in others it may be required.
  4122. type: string
  4123. name:
  4124. description: The name of the Secret resource being referred to.
  4125. type: string
  4126. namespace:
  4127. description: |-
  4128. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4129. to the namespace of the referent.
  4130. type: string
  4131. type: object
  4132. value:
  4133. description: Value can be specified directly to set a value without using a secret. Doing so stores the password in plaintext in the store object, visible to anyone who can read it; prefer secretRef.
  4134. type: string
  4135. type: object
  4136. serverURL:
  4137. description: |-
  4138. ServerURL
  4139. URL to your secret server installation
  4140. type: string
  4141. username:
  4142. description: Username is the secret server account username.
  4143. properties:
  4144. secretRef:
  4145. description: SecretRef references a key in a secret that will be used as value.
  4146. properties:
  4147. key:
  4148. description: |-
  4149. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4150. defaulted, in others it may be required.
  4151. type: string
  4152. name:
  4153. description: The name of the Secret resource being referred to.
  4154. type: string
  4155. namespace:
  4156. description: |-
  4157. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4158. to the namespace of the referent.
  4159. type: string
  4160. type: object
  4161. value:
  4162. description: Value can be specified directly to set a value without using a secret.
  4163. type: string
  4164. type: object
  4165. required:
  4166. - password
  4167. - serverURL
  4168. - username
  4169. type: object
  4170. senhasegura:
  4171. description: Senhasegura configures this store to sync secrets using senhasegura provider
  4172. properties:
  4173. auth:
  4174. description: Auth defines parameters to authenticate in senhasegura
  4175. properties:
  4176. clientId:
  4177. type: string
  4178. clientSecretSecretRef:
  4179. description: |-
  4180. A reference to a specific 'key' within a Secret resource,
  4181. In some instances, `key` is a required field.
  4182. properties:
  4183. key:
  4184. description: |-
  4185. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4186. defaulted, in others it may be required.
  4187. type: string
  4188. name:
  4189. description: The name of the Secret resource being referred to.
  4190. type: string
  4191. namespace:
  4192. description: |-
  4193. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4194. to the namespace of the referent.
  4195. type: string
  4196. type: object
  4197. required:
  4198. - clientId
  4199. - clientSecretSecretRef
  4200. type: object
  4201. ignoreSslCertificate:
  4202. default: false
  4203. description: IgnoreSslCertificate defines if the senhasegura server TLS certificate must be ignored. Setting this to true disables certificate verification and exposes the client credentials and retrieved secrets to man-in-the-middle attacks; keep it false in production.
  4204. type: boolean
  4205. module:
  4206. description: Module defines which senhasegura module should be used to get secrets
  4207. type: string
  4208. url:
  4209. description: URL of senhasegura
  4210. type: string
  4211. required:
  4212. - auth
  4213. - module
  4214. - url
  4215. type: object
  4216. vault:
  4217. description: Vault configures this store to sync secrets using Hashi provider
  4218. properties:
  4219. auth:
  4220. description: Auth configures how secret-manager authenticates with the Vault server.
  4221. properties:
  4222. appRole:
  4223. description: |-
  4224. AppRole authenticates with Vault using the App Role auth mechanism,
  4225. with the role and secret stored in a Kubernetes Secret resource.
  4226. properties:
  4227. path:
  4228. default: approle
  4229. description: |-
  4230. Path where the App Role authentication backend is mounted
  4231. in Vault, e.g: "approle"
  4232. type: string
  4233. roleId:
  4234. description: |-
  4235. RoleID configured in the App Role authentication backend when setting
  4236. up the authentication backend in Vault.
  4237. type: string
  4238. roleRef:
  4239. description: |-
  4240. Reference to a key in a Secret that contains the App Role ID used
  4241. to authenticate with Vault.
  4242. The `key` field must be specified and denotes which entry within the Secret
  4243. resource is used as the app role id.
  4244. properties:
  4245. key:
  4246. description: |-
  4247. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4248. defaulted, in others it may be required.
  4249. type: string
  4250. name:
  4251. description: The name of the Secret resource being referred to.
  4252. type: string
  4253. namespace:
  4254. description: |-
  4255. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4256. to the namespace of the referent.
  4257. type: string
  4258. type: object
  4259. secretRef:
  4260. description: |-
  4261. Reference to a key in a Secret that contains the App Role secret used
  4262. to authenticate with Vault.
  4263. The `key` field must be specified and denotes which entry within the Secret
  4264. resource is used as the app role secret.
  4265. properties:
  4266. key:
  4267. description: |-
  4268. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4269. defaulted, in others it may be required.
  4270. type: string
  4271. name:
  4272. description: The name of the Secret resource being referred to.
  4273. type: string
  4274. namespace:
  4275. description: |-
  4276. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4277. to the namespace of the referent.
  4278. type: string
  4279. type: object
  4280. required:
  4281. - path
  4282. - secretRef
  4283. type: object
  4284. cert:
  4285. description: |-
  4286. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  4287. Cert authentication method
  4288. properties:
  4289. clientCert:
  4290. description: |-
  4291. ClientCert is a certificate to authenticate using the Cert Vault
  4292. authentication method
  4293. properties:
  4294. key:
  4295. description: |-
  4296. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4297. defaulted, in others it may be required.
  4298. type: string
  4299. name:
  4300. description: The name of the Secret resource being referred to.
  4301. type: string
  4302. namespace:
  4303. description: |-
  4304. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4305. to the namespace of the referent.
  4306. type: string
  4307. type: object
  4308. secretRef:
  4309. description: |-
  4310. SecretRef to a key in a Secret resource containing client private key to
  4311. authenticate with Vault using the Cert authentication method
  4312. properties:
  4313. key:
  4314. description: |-
  4315. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4316. defaulted, in others it may be required.
  4317. type: string
  4318. name:
  4319. description: The name of the Secret resource being referred to.
  4320. type: string
  4321. namespace:
  4322. description: |-
  4323. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4324. to the namespace of the referent.
  4325. type: string
  4326. type: object
  4327. type: object
  4328. iam:
  4329. description: |-
  4330. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  4331. AWS IAM authentication method
  4332. properties:
  4333. externalID:
  4334. description: AWS External ID set on assumed IAM roles
  4335. type: string
  4336. jwt:
  4337. description: Specify a service account with IRSA enabled
  4338. properties:
  4339. serviceAccountRef:
  4340. description: A reference to a ServiceAccount resource.
  4341. properties:
  4342. audiences:
  4343. description: |-
  4344. Audience specifies the `aud` claim for the service account token
  4345. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4346. then these audiences will be appended to the list
  4347. items:
  4348. type: string
  4349. type: array
  4350. name:
  4351. description: The name of the ServiceAccount resource being referred to.
  4352. type: string
  4353. namespace:
  4354. description: |-
  4355. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4356. to the namespace of the referent.
  4357. type: string
  4358. required:
  4359. - name
  4360. type: object
  4361. type: object
  4362. path:
  4363. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  4364. type: string
  4365. region:
  4366. description: AWS region
  4367. type: string
  4368. role:
  4369. description: This is the AWS role to be assumed before talking to vault
  4370. type: string
  4371. secretRef:
  4372. description: Specify credentials in a Secret object
  4373. properties:
  4374. accessKeyIDSecretRef:
  4375. description: The AccessKeyID is used for authentication
  4376. properties:
  4377. key:
  4378. description: |-
  4379. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4380. defaulted, in others it may be required.
  4381. type: string
  4382. name:
  4383. description: The name of the Secret resource being referred to.
  4384. type: string
  4385. namespace:
  4386. description: |-
  4387. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4388. to the namespace of the referent.
  4389. type: string
  4390. type: object
  4391. secretAccessKeySecretRef:
  4392. description: The SecretAccessKey is used for authentication
  4393. properties:
  4394. key:
  4395. description: |-
  4396. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4397. defaulted, in others it may be required.
  4398. type: string
  4399. name:
  4400. description: The name of the Secret resource being referred to.
  4401. type: string
  4402. namespace:
  4403. description: |-
  4404. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4405. to the namespace of the referent.
  4406. type: string
  4407. type: object
  4408. sessionTokenSecretRef:
  4409. description: |-
  4410. The SessionToken used for authentication
  4411. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  4412. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  4413. properties:
  4414. key:
  4415. description: |-
  4416. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4417. defaulted, in others it may be required.
  4418. type: string
  4419. name:
  4420. description: The name of the Secret resource being referred to.
  4421. type: string
  4422. namespace:
  4423. description: |-
  4424. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4425. to the namespace of the referent.
  4426. type: string
  4427. type: object
  4428. type: object
  4429. vaultAwsIamServerID:
  4430. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  4431. type: string
  4432. vaultRole:
  4433. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  4434. type: string
  4435. required:
  4436. - vaultRole
  4437. type: object
  4438. jwt:
  4439. description: |-
  4440. Jwt authenticates with Vault by passing role and JWT token using the
  4441. JWT/OIDC authentication method
  4442. properties:
  4443. kubernetesServiceAccountToken:
  4444. description: |-
  4445. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  4446. a token for with the `TokenRequest` API.
  4447. properties:
  4448. audiences:
  4449. description: |-
  4450. Optional audiences field that will be used to request a temporary Kubernetes service
  4451. account token for the service account referenced by `serviceAccountRef`.
  4452. Defaults to a single audience `vault` if not specified.
  4453. Deprecated: use serviceAccountRef.Audiences instead
  4454. items:
  4455. type: string
  4456. type: array
  4457. expirationSeconds:
  4458. description: |-
  4459. Optional expiration time in seconds that will be used to request a temporary
  4460. Kubernetes service account token for the service account referenced by
  4461. `serviceAccountRef`.
  4462. Deprecated: this will be removed in the future.
  4463. Defaults to 10 minutes.
  4464. format: int64
  4465. type: integer
  4466. serviceAccountRef:
  4467. description: Service account field containing the name of a kubernetes ServiceAccount.
  4468. properties:
  4469. audiences:
  4470. description: |-
  4471. Audience specifies the `aud` claim for the service account token
  4472. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4473. then these audiences will be appended to the list
  4474. items:
  4475. type: string
  4476. type: array
  4477. name:
  4478. description: The name of the ServiceAccount resource being referred to.
  4479. type: string
  4480. namespace:
  4481. description: |-
  4482. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4483. to the namespace of the referent.
  4484. type: string
  4485. required:
  4486. - name
  4487. type: object
  4488. required:
  4489. - serviceAccountRef
  4490. type: object
  4491. path:
  4492. default: jwt
  4493. description: |-
  4494. Path where the JWT authentication backend is mounted
  4495. in Vault, e.g: "jwt"
  4496. type: string
  4497. role:
  4498. description: |-
  4499. Role is a JWT role to authenticate using the JWT/OIDC Vault
  4500. authentication method
  4501. type: string
  4502. secretRef:
  4503. description: |-
  4504. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  4505. authenticate with Vault using the JWT/OIDC authentication method.
  4506. properties:
  4507. key:
  4508. description: |-
  4509. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4510. defaulted, in others it may be required.
  4511. type: string
  4512. name:
  4513. description: The name of the Secret resource being referred to.
  4514. type: string
  4515. namespace:
  4516. description: |-
  4517. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4518. to the namespace of the referent.
  4519. type: string
  4520. type: object
  4521. required:
  4522. - path
  4523. type: object
  4524. kubernetes:
  4525. description: |-
  4526. Kubernetes authenticates with Vault by passing the ServiceAccount
  4527. token stored in the named Secret resource to the Vault server.
  4528. properties:
  4529. mountPath:
  4530. default: kubernetes
  4531. description: |-
  4532. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  4533. "kubernetes"
  4534. type: string
  4535. role:
  4536. description: |-
  4537. A required field containing the Vault Role to assume. A Role binds a
  4538. Kubernetes ServiceAccount with a set of Vault policies.
  4539. type: string
  4540. secretRef:
  4541. description: |-
  4542. Optional secret field containing a Kubernetes ServiceAccount JWT used
  4543. for authenticating with Vault. If a name is specified without a key,
  4544. `token` is the default. If neither this nor serviceAccountRef is specified, the token
  4545. bound to the controller's own ServiceAccount is used, so the store authenticates to Vault with the controller's identity.
  4546. properties:
  4547. key:
  4548. description: |-
  4549. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4550. defaulted, in others it may be required.
  4551. type: string
  4552. name:
  4553. description: The name of the Secret resource being referred to.
  4554. type: string
  4555. namespace:
  4556. description: |-
  4557. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4558. to the namespace of the referent.
  4559. type: string
  4560. type: object
  4561. serviceAccountRef:
  4562. description: |-
  4563. Optional service account field containing the name of a kubernetes ServiceAccount.
  4564. If the service account is specified, the service account secret token JWT will be used
  4565. for authenticating with Vault. If the service account selector is not supplied,
  4566. the secretRef will be used instead.
  4567. properties:
  4568. audiences:
  4569. description: |-
  4570. Audience specifies the `aud` claim for the service account token
  4571. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  4572. then these audiences will be appended to the list
  4573. items:
  4574. type: string
  4575. type: array
  4576. name:
  4577. description: The name of the ServiceAccount resource being referred to.
  4578. type: string
  4579. namespace:
  4580. description: |-
  4581. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4582. to the namespace of the referent.
  4583. type: string
  4584. required:
  4585. - name
  4586. type: object
  4587. required:
  4588. - mountPath
  4589. - role
  4590. type: object
  4591. ldap:
  4592. description: |-
  4593. Ldap authenticates with Vault by passing username/password pair using
  4594. the LDAP authentication method
  4595. properties:
  4596. path:
  4597. default: ldap
  4598. description: |-
  4599. Path where the LDAP authentication backend is mounted
  4600. in Vault, e.g: "ldap"
  4601. type: string
  4602. secretRef:
  4603. description: |-
  4604. SecretRef to a key in a Secret resource containing password for the LDAP
  4605. user used to authenticate with Vault using the LDAP authentication
  4606. method
  4607. properties:
  4608. key:
  4609. description: |-
  4610. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4611. defaulted, in others it may be required.
  4612. type: string
  4613. name:
  4614. description: The name of the Secret resource being referred to.
  4615. type: string
  4616. namespace:
  4617. description: |-
  4618. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4619. to the namespace of the referent.
  4620. type: string
  4621. type: object
  4622. username:
  4623. description: |-
  4624. Username is a LDAP user name used to authenticate using the LDAP Vault
  4625. authentication method
  4626. type: string
  4627. required:
  4628. - path
  4629. - username
  4630. type: object
  4631. namespace:
  4632. description: |-
  4633. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  4634. Namespaces is a set of features within Vault Enterprise that allows
  4635. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4636. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4637. This will default to Vault.Namespace field if set, or empty otherwise
  4638. type: string
  4639. tokenSecretRef:
  4640. description: TokenSecretRef authenticates with Vault by presenting a token.
  4641. properties:
  4642. key:
  4643. description: |-
  4644. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4645. defaulted, in others it may be required.
  4646. type: string
  4647. name:
  4648. description: The name of the Secret resource being referred to.
  4649. type: string
  4650. namespace:
  4651. description: |-
  4652. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4653. to the namespace of the referent.
  4654. type: string
  4655. type: object
  4656. userPass:
  4657. description: UserPass authenticates with Vault by passing username/password pair
  4658. properties:
  4659. path:
  4660. default: user
  4661. description: |-
  4662. Path where the UserPassword authentication backend is mounted
  4663. in Vault, e.g: "user"
  4664. type: string
  4665. secretRef:
  4666. description: |-
  4667. SecretRef to a key in a Secret resource containing password for the
  4668. user used to authenticate with Vault using the UserPass authentication
  4669. method
  4670. properties:
  4671. key:
  4672. description: |-
  4673. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4674. defaulted, in others it may be required.
  4675. type: string
  4676. name:
  4677. description: The name of the Secret resource being referred to.
  4678. type: string
  4679. namespace:
  4680. description: |-
  4681. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4682. to the namespace of the referent.
  4683. type: string
  4684. type: object
  4685. username:
  4686. description: |-
  4687. Username is a user name used to authenticate using the UserPass Vault
  4688. authentication method
  4689. type: string
  4690. required:
  4691. - path
  4692. - username
  4693. type: object
  4694. type: object
  4695. caBundle:
  4696. description: |-
  4697. PEM encoded CA bundle used to validate Vault server certificate. Only used
  4698. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4699. plain HTTP protocol connection. If not set the system root certificates
  4700. are used to validate the TLS connection.
  4701. format: byte
  4702. type: string
  4703. caProvider:
  4704. description: The provider for the CA bundle to use to validate Vault server certificate.
  4705. properties:
  4706. key:
  4707. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  4708. type: string
  4709. name:
  4710. description: The name of the object located at the provider type.
  4711. type: string
  4712. namespace:
  4713. description: |-
  4714. The namespace the Provider type is in.
  4715. Can only be defined when used in a ClusterSecretStore.
  4716. type: string
  4717. type:
  4718. description: The type of provider to use such as "Secret", or "ConfigMap".
  4719. enum:
  4720. - Secret
  4721. - ConfigMap
  4722. type: string
  4723. required:
  4724. - name
  4725. - type
  4726. type: object
  4727. forwardInconsistent:
  4728. description: |-
  4729. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  4730. leader instead of simply retrying within a loop. This can increase performance if
  4731. the option is enabled serverside.
  4732. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  4733. type: boolean
  4734. namespace:
  4735. description: |-
  4736. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  4737. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  4738. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  4739. type: string
  4740. path:
  4741. description: |-
  4742. Path is the mount path of the Vault KV backend endpoint, e.g:
  4743. "secret". The v2 KV secret engine version specific "/data" path suffix
  4744. for fetching secrets from Vault is optional and will be appended
  4745. if not present in specified path.
  4746. type: string
  4747. readYourWrites:
  4748. description: |-
  4749. ReadYourWrites ensures isolated read-after-write semantics by
  4750. providing discovered cluster replication states in each request.
  4751. More information about eventual consistency in Vault can be found here
  4752. https://www.vaultproject.io/docs/enterprise/consistency
  4753. type: boolean
  4754. server:
  4755. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  4756. type: string
  4757. tls:
  4758. description: |-
  4759. The configuration used for client-side TLS communication, when the Vault server
  4760. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  4761. This parameter is ignored for plain HTTP protocol connection.
  4762. It's worth noting this configuration is different from the "TLS certificates auth method",
  4763. which is available under the `auth.cert` section.
  4764. properties:
  4765. certSecretRef:
  4766. description: |-
  4767. CertSecretRef is a certificate added to the transport layer
  4768. when communicating with the Vault server.
  4769. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  4770. properties:
  4771. key:
  4772. description: |-
  4773. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4774. defaulted, in others it may be required.
  4775. type: string
  4776. name:
  4777. description: The name of the Secret resource being referred to.
  4778. type: string
  4779. namespace:
  4780. description: |-
  4781. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4782. to the namespace of the referent.
  4783. type: string
  4784. type: object
  4785. keySecretRef:
  4786. description: |-
  4787. KeySecretRef to a key in a Secret resource containing client private key
  4788. added to the transport layer when communicating with the Vault server.
  4789. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  4790. properties:
  4791. key:
  4792. description: |-
  4793. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4794. defaulted, in others it may be required.
  4795. type: string
  4796. name:
  4797. description: The name of the Secret resource being referred to.
  4798. type: string
  4799. namespace:
  4800. description: |-
  4801. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4802. to the namespace of the referent.
  4803. type: string
  4804. type: object
  4805. type: object
  4806. version:
  4807. default: v2
  4808. description: |-
  4809. Version is the Vault KV secret engine version. This can be either "v1" or
  4810. "v2". Version defaults to "v2".
  4811. enum:
  4812. - v1
  4813. - v2
  4814. type: string
  4815. required:
  4816. - auth
  4817. - server
  4818. type: object
  4819. webhook:
  4820. description: Webhook configures this store to sync secrets using a generic templated webhook
  4821. properties:
  4822. body:
  4823. description: Body
  4824. type: string
  4825. caBundle:
  4826. description: |-
  4827. PEM encoded CA bundle used to validate webhook server certificate. Only used
  4828. if the Server URL is using HTTPS protocol. This parameter is ignored for
  4829. plain HTTP protocol connection. If not set the system root certificates
  4830. are used to validate the TLS connection.
  4831. format: byte
  4832. type: string
  4833. caProvider:
  4834. description: The provider for the CA bundle to use to validate webhook server certificate.
  4835. properties:
  4836. key:
  4837. description: The key of the value inside the provider type to use; only used with the "Secret" type
  4838. type: string
  4839. name:
  4840. description: The name of the object located at the provider type.
  4841. type: string
  4842. namespace:
  4843. description: The namespace the Provider type is in.
  4844. type: string
  4845. type:
  4846. description: The type of provider to use such as "Secret", or "ConfigMap".
  4847. enum:
  4848. - Secret
  4849. - ConfigMap
  4850. type: string
  4851. required:
  4852. - name
  4853. - type
  4854. type: object
  4855. headers:
  4856. additionalProperties:
  4857. type: string
  4858. description: Headers
  4859. type: object
  4860. method:
  4861. description: Webhook Method
  4862. type: string
  4863. result:
  4864. description: Result formatting
  4865. properties:
  4866. jsonPath:
  4867. description: Json path of return value
  4868. type: string
  4869. type: object
  4870. secrets:
  4871. description: |-
  4872. Secrets to fill in templates
  4873. These secrets will be passed to the templating function as key value pairs under the given name
  4874. items:
  4875. properties:
  4876. name:
  4877. description: Name of this secret in templates
  4878. type: string
  4879. secretRef:
  4880. description: Secret ref to fill in credentials
  4881. properties:
  4882. key:
  4883. description: |-
  4884. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4885. defaulted, in others it may be required.
  4886. type: string
  4887. name:
  4888. description: The name of the Secret resource being referred to.
  4889. type: string
  4890. namespace:
  4891. description: |-
  4892. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4893. to the namespace of the referent.
  4894. type: string
  4895. type: object
  4896. required:
  4897. - name
  4898. - secretRef
  4899. type: object
  4900. type: array
  4901. timeout:
  4902. description: Timeout
  4903. type: string
  4904. url:
  4905. description: Webhook url to call
  4906. type: string
  4907. required:
  4908. - result
  4909. - url
  4910. type: object
  4911. yandexcertificatemanager:
  4912. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  4913. properties:
  4914. apiEndpoint:
  4915. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4916. type: string
  4917. auth:
  4918. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  4919. properties:
  4920. authorizedKeySecretRef:
  4921. description: The authorized key used for authentication
  4922. properties:
  4923. key:
  4924. description: |-
  4925. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4926. defaulted, in others it may be required.
  4927. type: string
  4928. name:
  4929. description: The name of the Secret resource being referred to.
  4930. type: string
  4931. namespace:
  4932. description: |-
  4933. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4934. to the namespace of the referent.
  4935. type: string
  4936. type: object
  4937. type: object
  4938. caProvider:
  4939. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4940. properties:
  4941. certSecretRef:
  4942. description: |-
  4943. A reference to a specific 'key' within a Secret resource,
  4944. In some instances, `key` is a required field.
  4945. properties:
  4946. key:
  4947. description: |-
  4948. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4949. defaulted, in others it may be required.
  4950. type: string
  4951. name:
  4952. description: The name of the Secret resource being referred to.
  4953. type: string
  4954. namespace:
  4955. description: |-
  4956. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4957. to the namespace of the referent.
  4958. type: string
  4959. type: object
  4960. type: object
  4961. required:
  4962. - auth
  4963. type: object
  4964. yandexlockbox:
  4965. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4966. properties:
  4967. apiEndpoint:
  4968. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4969. type: string
  4970. auth:
  4971. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4972. properties:
  4973. authorizedKeySecretRef:
  4974. description: The authorized key used for authentication
  4975. properties:
  4976. key:
  4977. description: |-
  4978. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4979. defaulted, in others it may be required.
  4980. type: string
  4981. name:
  4982. description: The name of the Secret resource being referred to.
  4983. type: string
  4984. namespace:
  4985. description: |-
  4986. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4987. to the namespace of the referent.
  4988. type: string
  4989. type: object
  4990. type: object
  4991. caProvider:
  4992. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4993. properties:
  4994. certSecretRef:
  4995. description: |-
  4996. A reference to a specific 'key' within a Secret resource,
  4997. In some instances, `key` is a required field.
  4998. properties:
  4999. key:
  5000. description: |-
  5001. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  5002. defaulted, in others it may be required.
  5003. type: string
  5004. name:
  5005. description: The name of the Secret resource being referred to.
  5006. type: string
  5007. namespace:
  5008. description: |-
  5009. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  5010. to the namespace of the referent.
  5011. type: string
  5012. type: object
  5013. type: object
  5014. required:
  5015. - auth
  5016. type: object
  5017. type: object
  5018. refreshInterval:
  5019. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  5020. type: integer
  5021. retrySettings:
  5022. description: Used to configure HTTP retries on failure
  5023. properties:
  5024. maxRetries:
  5025. format: int32
  5026. type: integer
  5027. retryInterval:
  5028. type: string
  5029. type: object
  5030. required:
  5031. - provider
  5032. type: object
  5033. status:
  5034. description: SecretStoreStatus defines the observed state of the SecretStore.
  5035. properties:
  5036. capabilities:
  5037. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  5038. type: string
  5039. conditions:
  5040. items:
  5041. properties:
  5042. lastTransitionTime:
  5043. format: date-time
  5044. type: string
  5045. message:
  5046. type: string
  5047. reason:
  5048. type: string
  5049. status:
  5050. type: string
  5051. type:
  5052. type: string
  5053. required:
  5054. - status
  5055. - type
  5056. type: object
  5057. type: array
  5058. type: object
  5059. type: object
  5060. served: true
  5061. storage: true
  5062. subresources:
  5063. status: {}
  5064. conversion:
  5065. strategy: Webhook
  5066. webhook:
  5067. conversionReviewVersions:
  5068. - v1
  5069. clientConfig:
  5070. service:
  5071. name: kubernetes
  5072. namespace: default
  5073. path: /convert
  5074. ---
  5075. apiVersion: apiextensions.k8s.io/v1
  5076. kind: CustomResourceDefinition
  5077. metadata:
  5078. annotations:
  5079. controller-gen.kubebuilder.io/version: v0.15.0
  5080. labels:
  5081. external-secrets.io/component: controller
  5082. name: externalsecrets.external-secrets.io
  5083. spec:
  5084. group: external-secrets.io
  5085. names:
  5086. categories:
  5087. - externalsecrets
  5088. kind: ExternalSecret
  5089. listKind: ExternalSecretList
  5090. plural: externalsecrets
  5091. shortNames:
  5092. - es
  5093. singular: externalsecret
  5094. scope: Namespaced
  5095. versions:
  5096. - additionalPrinterColumns:
  5097. - jsonPath: .spec.secretStoreRef.name
  5098. name: Store
  5099. type: string
  5100. - jsonPath: .spec.refreshInterval
  5101. name: Refresh Interval
  5102. type: string
  5103. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5104. name: Status
  5105. type: string
  5106. deprecated: true
  5107. name: v1alpha1
  5108. schema:
  5109. openAPIV3Schema:
  5110. description: ExternalSecret is the Schema for the external-secrets API.
  5111. properties:
  5112. apiVersion:
  5113. description: |-
  5114. APIVersion defines the versioned schema of this representation of an object.
  5115. Servers should convert recognized schemas to the latest internal value, and
  5116. may reject unrecognized values.
  5117. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5118. type: string
  5119. kind:
  5120. description: |-
  5121. Kind is a string value representing the REST resource this object represents.
  5122. Servers may infer this from the endpoint the client submits requests to.
  5123. Cannot be updated.
  5124. In CamelCase.
  5125. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5126. type: string
  5127. metadata:
  5128. type: object
  5129. spec:
  5130. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  5131. properties:
  5132. data:
  5133. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  5134. items:
  5135. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  5136. properties:
  5137. remoteRef:
  5138. description: ExternalSecretDataRemoteRef defines Provider data location.
  5139. properties:
  5140. conversionStrategy:
  5141. default: Default
  5142. description: Used to define a conversion Strategy
  5143. enum:
  5144. - Default
  5145. - Unicode
  5146. type: string
  5147. key:
  5148. description: Key is the key used in the Provider, mandatory
  5149. type: string
  5150. property:
  5151. description: Used to select a specific property of the Provider value (if a map), if supported
  5152. type: string
  5153. version:
  5154. description: Used to select a specific version of the Provider value, if supported
  5155. type: string
  5156. required:
  5157. - key
  5158. type: object
  5159. secretKey:
  5160. type: string
  5161. required:
  5162. - remoteRef
  5163. - secretKey
  5164. type: object
  5165. type: array
  5166. dataFrom:
  5167. description: |-
  5168. DataFrom is used to fetch all properties from a specific Provider data
  5169. If multiple entries are specified, the Secret keys are merged in the specified order
  5170. items:
  5171. description: ExternalSecretDataRemoteRef defines Provider data location.
  5172. properties:
  5173. conversionStrategy:
  5174. default: Default
  5175. description: Used to define a conversion Strategy
  5176. enum:
  5177. - Default
  5178. - Unicode
  5179. type: string
  5180. key:
  5181. description: Key is the key used in the Provider, mandatory
  5182. type: string
  5183. property:
  5184. description: Used to select a specific property of the Provider value (if a map), if supported
  5185. type: string
  5186. version:
  5187. description: Used to select a specific version of the Provider value, if supported
  5188. type: string
  5189. required:
  5190. - key
  5191. type: object
  5192. type: array
  5193. refreshInterval:
  5194. default: 1h
  5195. description: |-
  5196. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  5197. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  5198. May be set to zero to fetch and create it once. Defaults to 1h.
  5199. type: string
  5200. secretStoreRef:
  5201. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5202. properties:
  5203. kind:
  5204. description: |-
  5205. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5206. Defaults to `SecretStore`
  5207. type: string
  5208. name:
  5209. description: Name of the SecretStore resource
  5210. type: string
  5211. required:
  5212. - name
  5213. type: object
  5214. target:
  5215. description: |-
  5216. ExternalSecretTarget defines the Kubernetes Secret to be created
  5217. There can be only one target per ExternalSecret.
  5218. properties:
  5219. creationPolicy:
  5220. default: Owner
  5221. description: |-
  5222. CreationPolicy defines rules on how to create the resulting Secret
  5223. Defaults to 'Owner'
  5224. enum:
  5225. - Owner
  5226. - Merge
  5227. - None
  5228. type: string
  5229. immutable:
  5230. description: Immutable defines if the final secret will be immutable
  5231. type: boolean
  5232. name:
  5233. description: |-
  5234. Name defines the name of the Secret resource to be managed
  5235. This field is immutable
  5236. Defaults to the .metadata.name of the ExternalSecret resource
  5237. type: string
  5238. template:
  5239. description: Template defines a blueprint for the created Secret resource.
  5240. properties:
  5241. data:
  5242. additionalProperties:
  5243. type: string
  5244. type: object
  5245. engineVersion:
  5246. default: v1
  5247. description: |-
  5248. EngineVersion specifies the template engine version
  5249. that should be used to compile/execute the
  5250. template specified in .data and .templateFrom[].
  5251. enum:
  5252. - v1
  5253. - v2
  5254. type: string
  5255. metadata:
  5256. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5257. properties:
  5258. annotations:
  5259. additionalProperties:
  5260. type: string
  5261. type: object
  5262. labels:
  5263. additionalProperties:
  5264. type: string
  5265. type: object
  5266. type: object
  5267. templateFrom:
  5268. items:
  5269. maxProperties: 1
  5270. minProperties: 1
  5271. properties:
  5272. configMap:
  5273. properties:
  5274. items:
  5275. items:
  5276. properties:
  5277. key:
  5278. type: string
  5279. required:
  5280. - key
  5281. type: object
  5282. type: array
  5283. name:
  5284. type: string
  5285. required:
  5286. - items
  5287. - name
  5288. type: object
  5289. secret:
  5290. properties:
  5291. items:
  5292. items:
  5293. properties:
  5294. key:
  5295. type: string
  5296. required:
  5297. - key
  5298. type: object
  5299. type: array
  5300. name:
  5301. type: string
  5302. required:
  5303. - items
  5304. - name
  5305. type: object
  5306. type: object
  5307. type: array
  5308. type:
  5309. type: string
  5310. type: object
  5311. type: object
  5312. required:
  5313. - secretStoreRef
  5314. - target
  5315. type: object
  5316. status:
  5317. properties:
  5318. binding:
  5319. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  5320. properties:
  5321. name:
  5322. default: ""
  5323. description: |-
  5324. Name of the referent.
  5325. This field is effectively required, but due to backwards compatibility is
  5326. allowed to be empty. Instances of this type with an empty value here are
  5327. almost certainly wrong.
  5328. TODO: Add other useful fields. apiVersion, kind, uid?
  5329. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5330. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  5331. type: string
  5332. type: object
  5333. x-kubernetes-map-type: atomic
  5334. conditions:
  5335. items:
  5336. properties:
  5337. lastTransitionTime:
  5338. format: date-time
  5339. type: string
  5340. message:
  5341. type: string
  5342. reason:
  5343. type: string
  5344. status:
  5345. type: string
  5346. type:
  5347. type: string
  5348. required:
  5349. - status
  5350. - type
  5351. type: object
  5352. type: array
  5353. refreshTime:
  5354. description: |-
  5355. refreshTime is the time and date the external secret was fetched and
  5356. the target secret updated
  5357. format: date-time
  5358. nullable: true
  5359. type: string
  5360. syncedResourceVersion:
  5361. description: SyncedResourceVersion keeps track of the last synced version
  5362. type: string
  5363. type: object
  5364. type: object
  5365. served: true
  5366. storage: false
  5367. subresources:
  5368. status: {}
  5369. - additionalPrinterColumns:
  5370. - jsonPath: .spec.secretStoreRef.name
  5371. name: Store
  5372. type: string
  5373. - jsonPath: .spec.refreshInterval
  5374. name: Refresh Interval
  5375. type: string
  5376. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5377. name: Status
  5378. type: string
  5379. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  5380. name: Ready
  5381. type: string
  5382. name: v1beta1
  5383. schema:
  5384. openAPIV3Schema:
  5385. description: ExternalSecret is the Schema for the external-secrets API.
  5386. properties:
  5387. apiVersion:
  5388. description: |-
  5389. APIVersion defines the versioned schema of this representation of an object.
  5390. Servers should convert recognized schemas to the latest internal value, and
  5391. may reject unrecognized values.
  5392. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5393. type: string
  5394. kind:
  5395. description: |-
  5396. Kind is a string value representing the REST resource this object represents.
  5397. Servers may infer this from the endpoint the client submits requests to.
  5398. Cannot be updated.
  5399. In CamelCase.
  5400. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5401. type: string
  5402. metadata:
  5403. type: object
  5404. spec:
  5405. description: ExternalSecretSpec defines the desired state of ExternalSecret.
  5406. properties:
  5407. data:
  5408. description: Data defines the connection between the Kubernetes Secret keys and the Provider data
  5409. items:
  5410. description: ExternalSecretData defines the connection between the Kubernetes Secret key (spec.data.<key>) and the Provider data.
  5411. properties:
  5412. remoteRef:
  5413. description: |-
  5414. RemoteRef points to the remote secret and defines
  5415. which secret (version/property/..) to fetch.
  5416. properties:
  5417. conversionStrategy:
  5418. default: Default
  5419. description: Used to define a conversion Strategy
  5420. enum:
  5421. - Default
  5422. - Unicode
  5423. type: string
  5424. decodingStrategy:
  5425. default: None
  5426. description: Used to define a decoding Strategy
  5427. enum:
  5428. - Auto
  5429. - Base64
  5430. - Base64URL
  5431. - None
  5432. type: string
  5433. key:
  5434. description: Key is the key used in the Provider, mandatory
  5435. type: string
  5436. metadataPolicy:
  5437. default: None
  5438. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  5439. enum:
  5440. - None
  5441. - Fetch
  5442. type: string
  5443. property:
  5444. description: Used to select a specific property of the Provider value (if a map), if supported
  5445. type: string
  5446. version:
  5447. description: Used to select a specific version of the Provider value, if supported
  5448. type: string
  5449. required:
  5450. - key
  5451. type: object
  5452. secretKey:
  5453. description: |-
  5454. SecretKey defines the key in which the controller stores
  5455. the value. This is the key in the Kind=Secret
  5456. type: string
  5457. sourceRef:
  5458. description: |-
  5459. SourceRef allows you to override the source
  5460. from which the value will be pulled.
  5461. maxProperties: 1
  5462. properties:
  5463. generatorRef:
  5464. description: |-
  5465. GeneratorRef points to a generator custom resource.
  5466. Deprecated: The generatorRef is not implemented in .data[].
  5467. this will be removed with v1.
  5468. properties:
  5469. apiVersion:
  5470. default: generators.external-secrets.io/v1alpha1
  5471. description: Specify the apiVersion of the generator resource
  5472. type: string
  5473. kind:
  5474. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5475. type: string
  5476. name:
  5477. description: Specify the name of the generator resource
  5478. type: string
  5479. required:
  5480. - kind
  5481. - name
  5482. type: object
  5483. storeRef:
  5484. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5485. properties:
  5486. kind:
  5487. description: |-
  5488. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5489. Defaults to `SecretStore`
  5490. type: string
  5491. name:
  5492. description: Name of the SecretStore resource
  5493. type: string
  5494. required:
  5495. - name
  5496. type: object
  5497. type: object
  5498. required:
  5499. - remoteRef
  5500. - secretKey
  5501. type: object
  5502. type: array
  5503. dataFrom:
  5504. description: |-
  5505. DataFrom is used to fetch all properties from a specific Provider data
  5506. If multiple entries are specified, the Secret keys are merged in the specified order
  5507. items:
  5508. properties:
  5509. extract:
  5510. description: |-
  5511. Used to extract multiple key/value pairs from one secret
  5512. Note: Extract does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5513. properties:
  5514. conversionStrategy:
  5515. default: Default
  5516. description: Used to define a conversion Strategy
  5517. enum:
  5518. - Default
  5519. - Unicode
  5520. type: string
  5521. decodingStrategy:
  5522. default: None
  5523. description: Used to define a decoding Strategy
  5524. enum:
  5525. - Auto
  5526. - Base64
  5527. - Base64URL
  5528. - None
  5529. type: string
  5530. key:
  5531. description: Key is the key used in the Provider, mandatory
  5532. type: string
  5533. metadataPolicy:
  5534. default: None
  5535. description: Policy for fetching tags/labels from provider secrets; possible options are Fetch and None. Defaults to None.
  5536. enum:
  5537. - None
  5538. - Fetch
  5539. type: string
  5540. property:
  5541. description: Used to select a specific property of the Provider value (if a map), if supported
  5542. type: string
  5543. version:
  5544. description: Used to select a specific version of the Provider value, if supported
  5545. type: string
  5546. required:
  5547. - key
  5548. type: object
  5549. find:
  5550. description: |-
  5551. Used to find secrets based on tags or regular expressions
  5552. Note: Find does not support sourceRef.Generator or sourceRef.GeneratorRef.
  5553. properties:
  5554. conversionStrategy:
  5555. default: Default
  5556. description: Used to define a conversion Strategy
  5557. enum:
  5558. - Default
  5559. - Unicode
  5560. type: string
  5561. decodingStrategy:
  5562. default: None
  5563. description: Used to define a decoding Strategy
  5564. enum:
  5565. - Auto
  5566. - Base64
  5567. - Base64URL
  5568. - None
  5569. type: string
  5570. name:
  5571. description: Finds secrets based on the name.
  5572. properties:
  5573. regexp:
  5574. description: Finds secrets based on a regular expression matched against the name.
  5575. type: string
  5576. type: object
  5577. path:
  5578. description: A root path to start the find operations.
  5579. type: string
  5580. tags:
  5581. additionalProperties:
  5582. type: string
  5583. description: Find secrets based on tags.
  5584. type: object
  5585. type: object
  5586. rewrite:
  5587. description: |-
  5588. Used to rewrite secret Keys after getting them from the secret Provider
  5589. Multiple Rewrite operations can be provided. They are applied in a layered order (first to last)
  5590. items:
  5591. properties:
  5592. regexp:
  5593. description: |-
  5594. Used to rewrite with regular expressions.
  5595. The resulting key will be the output of a regexp.ReplaceAll operation.
  5596. properties:
  5597. source:
  5598. description: Used to define the regular expression of a re.Compiler.
  5599. type: string
  5600. target:
  5601. description: Used to define the target pattern of a ReplaceAll operation.
  5602. type: string
  5603. required:
  5604. - source
  5605. - target
  5606. type: object
  5607. transform:
  5608. description: |-
  5609. Used to apply string transformation on the secrets.
  5610. The resulting key will be the output of the template applied by the operation.
  5611. properties:
  5612. template:
  5613. description: |-
  5614. Used to define the template to apply on the secret name.
  5615. `.value` will specify the secret name in the template.
  5616. type: string
  5617. required:
  5618. - template
  5619. type: object
  5620. type: object
  5621. type: array
  5622. sourceRef:
  5623. description: |-
  5624. SourceRef points to a store or generator
  5625. which contains secret values ready to use.
  5626. Use this in combination with Extract or Find to pull values out of
  5627. a specific SecretStore.
  5628. When sourceRef points to a generator Extract or Find is not supported.
  5629. The generator returns a static map of values
  5630. maxProperties: 1
  5631. properties:
  5632. generatorRef:
  5633. description: GeneratorRef points to a generator custom resource.
  5634. properties:
  5635. apiVersion:
  5636. default: generators.external-secrets.io/v1alpha1
  5637. description: Specify the apiVersion of the generator resource
  5638. type: string
  5639. kind:
  5640. description: Specify the Kind of the resource, e.g. Password, ACRAccessToken etc.
  5641. type: string
  5642. name:
  5643. description: Specify the name of the generator resource
  5644. type: string
  5645. required:
  5646. - kind
  5647. - name
  5648. type: object
  5649. storeRef:
  5650. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5651. properties:
  5652. kind:
  5653. description: |-
  5654. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5655. Defaults to `SecretStore`
  5656. type: string
  5657. name:
  5658. description: Name of the SecretStore resource
  5659. type: string
  5660. required:
  5661. - name
  5662. type: object
  5663. type: object
  5664. type: object
  5665. type: array
  5666. refreshInterval:
  5667. default: 1h
  5668. description: |-
  5669. RefreshInterval is the amount of time before the values are read again from the SecretStore provider
  5670. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h"
  5671. May be set to zero to fetch and create it once. Defaults to 1h.
  5672. type: string
  5673. secretStoreRef:
  5674. description: SecretStoreRef defines which SecretStore to fetch the ExternalSecret data.
  5675. properties:
  5676. kind:
  5677. description: |-
  5678. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5679. Defaults to `SecretStore`
  5680. type: string
  5681. name:
  5682. description: Name of the SecretStore resource
  5683. type: string
  5684. required:
  5685. - name
  5686. type: object
  5687. target:
  5688. default:
  5689. creationPolicy: Owner
  5690. deletionPolicy: Retain
  5691. description: |-
  5692. ExternalSecretTarget defines the Kubernetes Secret to be created
  5693. There can be only one target per ExternalSecret.
  5694. properties:
  5695. creationPolicy:
  5696. default: Owner
  5697. description: |-
  5698. CreationPolicy defines rules on how to create the resulting Secret
  5699. Defaults to 'Owner'
  5700. enum:
  5701. - Owner
  5702. - Orphan
  5703. - Merge
  5704. - None
  5705. type: string
  5706. deletionPolicy:
  5707. default: Retain
  5708. description: |-
  5709. DeletionPolicy defines rules on how to delete the resulting Secret
  5710. Defaults to 'Retain'
  5711. enum:
  5712. - Delete
  5713. - Merge
  5714. - Retain
  5715. type: string
  5716. immutable:
  5717. description: Immutable defines if the final secret will be immutable
  5718. type: boolean
  5719. name:
  5720. description: |-
  5721. Name defines the name of the Secret resource to be managed
  5722. This field is immutable
  5723. Defaults to the .metadata.name of the ExternalSecret resource
  5724. type: string
  5725. template:
  5726. description: Template defines a blueprint for the created Secret resource.
  5727. properties:
  5728. data:
  5729. additionalProperties:
  5730. type: string
  5731. type: object
  5732. engineVersion:
  5733. default: v2
  5734. description: |-
  5735. EngineVersion specifies the template engine version
  5736. that should be used to compile/execute the
  5737. template specified in .data and .templateFrom[].
  5738. enum:
  5739. - v1
  5740. - v2
  5741. type: string
  5742. mergePolicy:
  5743. default: Replace
  5744. enum:
  5745. - Replace
  5746. - Merge
  5747. type: string
  5748. metadata:
  5749. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  5750. properties:
  5751. annotations:
  5752. additionalProperties:
  5753. type: string
  5754. type: object
  5755. labels:
  5756. additionalProperties:
  5757. type: string
  5758. type: object
  5759. type: object
  5760. templateFrom:
  5761. items:
  5762. properties:
  5763. configMap:
  5764. properties:
  5765. items:
  5766. items:
  5767. properties:
  5768. key:
  5769. type: string
  5770. templateAs:
  5771. default: Values
  5772. enum:
  5773. - Values
  5774. - KeysAndValues
  5775. type: string
  5776. required:
  5777. - key
  5778. type: object
  5779. type: array
  5780. name:
  5781. type: string
  5782. required:
  5783. - items
  5784. - name
  5785. type: object
  5786. literal:
  5787. type: string
  5788. secret:
  5789. properties:
  5790. items:
  5791. items:
  5792. properties:
  5793. key:
  5794. type: string
  5795. templateAs:
  5796. default: Values
  5797. enum:
  5798. - Values
  5799. - KeysAndValues
  5800. type: string
  5801. required:
  5802. - key
  5803. type: object
  5804. type: array
  5805. name:
  5806. type: string
  5807. required:
  5808. - items
  5809. - name
  5810. type: object
  5811. target:
  5812. default: Data
  5813. enum:
  5814. - Data
  5815. - Annotations
  5816. - Labels
  5817. type: string
  5818. type: object
  5819. type: array
  5820. type:
  5821. type: string
  5822. type: object
  5823. type: object
  5824. type: object
  5825. status:
  5826. properties:
  5827. binding:
  5828. description: Binding represents a servicebinding.io Provisioned Service reference to the secret
  5829. properties:
  5830. name:
  5831. default: ""
  5832. description: |-
  5833. Name of the referent.
  5834. This field is effectively required, but due to backwards compatibility is
  5835. allowed to be empty. Instances of this type with an empty value here are
  5836. almost certainly wrong.
  5837. TODO: Add other useful fields. apiVersion, kind, uid?
  5838. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
  5839. TODO: Drop `kubebuilder:default` when controller-gen doesn't need it https://github.com/kubernetes-sigs/kubebuilder/issues/3896.
  5840. type: string
  5841. type: object
  5842. x-kubernetes-map-type: atomic
  5843. conditions:
  5844. items:
  5845. properties:
  5846. lastTransitionTime:
  5847. format: date-time
  5848. type: string
  5849. message:
  5850. type: string
  5851. reason:
  5852. type: string
  5853. status:
  5854. type: string
  5855. type:
  5856. type: string
  5857. required:
  5858. - status
  5859. - type
  5860. type: object
  5861. type: array
  5862. refreshTime:
  5863. description: |-
  5864. refreshTime is the time and date the external secret was fetched and
  5865. the target secret updated
  5866. format: date-time
  5867. nullable: true
  5868. type: string
  5869. syncedResourceVersion:
  5870. description: SyncedResourceVersion keeps track of the last synced version
  5871. type: string
  5872. type: object
  5873. type: object
  5874. served: true
  5875. storage: true
  5876. subresources:
  5877. status: {}
  5878. conversion:
  5879. strategy: Webhook
  5880. webhook:
  5881. conversionReviewVersions:
  5882. - v1
  5883. clientConfig:
  5884. service:
  5885. name: kubernetes
  5886. namespace: default
  5887. path: /convert
  5888. ---
  5889. apiVersion: apiextensions.k8s.io/v1
  5890. kind: CustomResourceDefinition
  5891. metadata:
  5892. annotations:
  5893. controller-gen.kubebuilder.io/version: v0.15.0
  5894. name: pushsecrets.external-secrets.io
  5895. spec:
  5896. group: external-secrets.io
  5897. names:
  5898. categories:
  5899. - pushsecrets
  5900. kind: PushSecret
  5901. listKind: PushSecretList
  5902. plural: pushsecrets
  5903. singular: pushsecret
  5904. scope: Namespaced
  5905. versions:
  5906. - additionalPrinterColumns:
  5907. - jsonPath: .metadata.creationTimestamp
  5908. name: AGE
  5909. type: date
  5910. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  5911. name: Status
  5912. type: string
  5913. name: v1alpha1
  5914. schema:
  5915. openAPIV3Schema:
  5916. properties:
  5917. apiVersion:
  5918. description: |-
  5919. APIVersion defines the versioned schema of this representation of an object.
  5920. Servers should convert recognized schemas to the latest internal value, and
  5921. may reject unrecognized values.
  5922. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  5923. type: string
  5924. kind:
  5925. description: |-
  5926. Kind is a string value representing the REST resource this object represents.
  5927. Servers may infer this from the endpoint the client submits requests to.
  5928. Cannot be updated.
  5929. In CamelCase.
  5930. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  5931. type: string
  5932. metadata:
  5933. type: object
  5934. spec:
  5935. description: PushSecretSpec configures the behavior of the PushSecret.
  5936. properties:
  5937. data:
  5938. description: Secret Data that should be pushed to providers
  5939. items:
  5940. properties:
  5941. conversionStrategy:
  5942. default: None
  5943. description: Used to define a conversion Strategy for the secret keys
  5944. enum:
  5945. - None
  5946. - ReverseUnicode
  5947. type: string
  5948. match:
  5949. description: Match a given Secret Key to be pushed to the provider.
  5950. properties:
  5951. remoteRef:
  5952. description: Remote Refs to push to providers.
  5953. properties:
  5954. property:
  5955. description: Name of the property in the resulting secret
  5956. type: string
  5957. remoteKey:
  5958. description: Name of the resulting provider secret.
  5959. type: string
  5960. required:
  5961. - remoteKey
  5962. type: object
  5963. secretKey:
  5964. description: Secret Key to be pushed
  5965. type: string
  5966. required:
  5967. - remoteRef
  5968. type: object
  5969. metadata:
  5970. description: |-
  5971. Metadata is metadata attached to the secret.
  5972. The structure of metadata is provider specific, please look it up in the provider documentation.
  5973. x-kubernetes-preserve-unknown-fields: true
  5974. required:
  5975. - match
  5976. type: object
  5977. type: array
  5978. deletionPolicy:
  5979. default: None
  5980. description: 'Deletion Policy to handle Secrets in the provider. Possible Values: "Delete/None". Defaults to "None".'
  5981. enum:
  5982. - Delete
  5983. - None
  5984. type: string
  5985. refreshInterval:
  5986. description: The interval at which External Secrets will try to push a secret definition
  5987. type: string
  5988. secretStoreRefs:
  5989. items:
  5990. properties:
  5991. kind:
  5992. default: SecretStore
  5993. description: |-
  5994. Kind of the SecretStore resource (SecretStore or ClusterSecretStore)
  5995. Defaults to `SecretStore`
  5996. type: string
  5997. labelSelector:
  5998. description: Optionally, sync to secret stores matching a label selector
  5999. properties:
  6000. matchExpressions:
  6001. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  6002. items:
  6003. description: |-
  6004. A label selector requirement is a selector that contains values, a key, and an operator that
  6005. relates the key and values.
  6006. properties:
  6007. key:
  6008. description: key is the label key that the selector applies to.
  6009. type: string
  6010. operator:
  6011. description: |-
  6012. operator represents a key's relationship to a set of values.
  6013. Valid operators are In, NotIn, Exists and DoesNotExist.
  6014. type: string
  6015. values:
  6016. description: |-
  6017. values is an array of string values. If the operator is In or NotIn,
  6018. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  6019. the values array must be empty. This array is replaced during a strategic
  6020. merge patch.
  6021. items:
  6022. type: string
  6023. type: array
  6024. x-kubernetes-list-type: atomic
  6025. required:
  6026. - key
  6027. - operator
  6028. type: object
  6029. type: array
  6030. x-kubernetes-list-type: atomic
  6031. matchLabels:
  6032. additionalProperties:
  6033. type: string
  6034. description: |-
  6035. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  6036. map is equivalent to an element of matchExpressions, whose key field is "key", the
  6037. operator is "In", and the values array contains only "value". The requirements are ANDed.
  6038. type: object
  6039. type: object
  6040. x-kubernetes-map-type: atomic
  6041. name:
  6042. description: Optionally, sync to the SecretStore of the given name
  6043. type: string
  6044. type: object
  6045. type: array
  6046. selector:
  6047. description: The Secret Selector (k8s source) for the Push Secret
  6048. properties:
  6049. secret:
  6050. description: Select a Secret to Push.
  6051. properties:
  6052. name:
  6053. description: Name of the Secret. The Secret must exist in the same namespace as the PushSecret manifest.
  6054. type: string
  6055. required:
  6056. - name
  6057. type: object
  6058. required:
  6059. - secret
  6060. type: object
  6061. template:
  6062. description: Template defines a blueprint for the created Secret resource.
  6063. properties:
  6064. data:
  6065. additionalProperties:
  6066. type: string
  6067. type: object
  6068. engineVersion:
  6069. default: v2
  6070. description: |-
  6071. EngineVersion specifies the template engine version
  6072. that should be used to compile/execute the
  6073. template specified in .data and .templateFrom[].
  6074. enum:
  6075. - v1
  6076. - v2
  6077. type: string
  6078. mergePolicy:
  6079. default: Replace
  6080. enum:
  6081. - Replace
  6082. - Merge
  6083. type: string
  6084. metadata:
  6085. description: ExternalSecretTemplateMetadata defines metadata fields for the Secret blueprint.
  6086. properties:
  6087. annotations:
  6088. additionalProperties:
  6089. type: string
  6090. type: object
  6091. labels:
  6092. additionalProperties:
  6093. type: string
  6094. type: object
  6095. type: object
  6096. templateFrom:
  6097. items:
  6098. properties:
  6099. configMap:
  6100. properties:
  6101. items:
  6102. items:
  6103. properties:
  6104. key:
  6105. type: string
  6106. templateAs:
  6107. default: Values
  6108. enum:
  6109. - Values
  6110. - KeysAndValues
  6111. type: string
  6112. required:
  6113. - key
  6114. type: object
  6115. type: array
  6116. name:
  6117. type: string
  6118. required:
  6119. - items
  6120. - name
  6121. type: object
  6122. literal:
  6123. type: string
  6124. secret:
  6125. properties:
  6126. items:
  6127. items:
  6128. properties:
  6129. key:
  6130. type: string
  6131. templateAs:
  6132. default: Values
  6133. enum:
  6134. - Values
  6135. - KeysAndValues
  6136. type: string
  6137. required:
  6138. - key
  6139. type: object
  6140. type: array
  6141. name:
  6142. type: string
  6143. required:
  6144. - items
  6145. - name
  6146. type: object
  6147. target:
  6148. default: Data
  6149. enum:
  6150. - Data
  6151. - Annotations
  6152. - Labels
  6153. type: string
  6154. type: object
  6155. type: array
  6156. type:
  6157. type: string
  6158. type: object
  6159. updatePolicy:
  6160. default: Replace
  6161. description: 'UpdatePolicy to handle Secrets in the provider. Possible Values: "Replace/IfNotExists". Defaults to "Replace".'
  6162. enum:
  6163. - Replace
  6164. - IfNotExists
  6165. type: string
  6166. required:
  6167. - secretStoreRefs
  6168. - selector
  6169. type: object
  6170. status:
  6171. description: PushSecretStatus indicates the history of the status of PushSecret.
  6172. properties:
  6173. conditions:
  6174. items:
  6175. description: PushSecretStatusCondition indicates the status of the PushSecret.
  6176. properties:
  6177. lastTransitionTime:
  6178. format: date-time
  6179. type: string
  6180. message:
  6181. type: string
  6182. reason:
  6183. type: string
  6184. status:
  6185. type: string
  6186. type:
  6187. description: PushSecretConditionType indicates the condition of the PushSecret.
  6188. type: string
  6189. required:
  6190. - status
  6191. - type
  6192. type: object
  6193. type: array
  6194. refreshTime:
  6195. description: |-
  6196. refreshTime is the time and date the external secret was fetched and
  6197. the target secret updated
  6198. format: date-time
  6199. nullable: true
  6200. type: string
  6201. syncedPushSecrets:
  6202. additionalProperties:
  6203. additionalProperties:
  6204. properties:
  6205. conversionStrategy:
  6206. default: None
  6207. description: Used to define a conversion Strategy for the secret keys
  6208. enum:
  6209. - None
  6210. - ReverseUnicode
  6211. type: string
  6212. match:
  6213. description: Match a given Secret Key to be pushed to the provider.
  6214. properties:
  6215. remoteRef:
  6216. description: Remote Refs to push to providers.
  6217. properties:
  6218. property:
  6219. description: Name of the property in the resulting secret
  6220. type: string
  6221. remoteKey:
  6222. description: Name of the resulting provider secret.
  6223. type: string
  6224. required:
  6225. - remoteKey
  6226. type: object
  6227. secretKey:
  6228. description: Secret Key to be pushed
  6229. type: string
  6230. required:
  6231. - remoteRef
  6232. type: object
  6233. metadata:
  6234. description: |-
  6235. Metadata is metadata attached to the secret.
  6236. The structure of metadata is provider specific, please look it up in the provider documentation.
  6237. x-kubernetes-preserve-unknown-fields: true
  6238. required:
  6239. - match
  6240. type: object
  6241. type: object
  6242. description: |-
  6243. Synced PushSecrets, including secrets that already exist in provider.
  6244. Matches secret stores to PushSecretData that was stored to that secret store.
  6245. type: object
  6246. syncedResourceVersion:
  6247. description: SyncedResourceVersion keeps track of the last synced version.
  6248. type: string
  6249. type: object
  6250. type: object
  6251. served: true
  6252. storage: true
  6253. subresources:
  6254. status: {}
  6255. conversion:
  6256. strategy: Webhook
  6257. webhook:
  6258. conversionReviewVersions:
  6259. - v1
  6260. clientConfig:
  6261. service:
  6262. name: kubernetes
  6263. namespace: default
  6264. path: /convert
  6265. ---
  6266. apiVersion: apiextensions.k8s.io/v1
  6267. kind: CustomResourceDefinition
  6268. metadata:
  6269. annotations:
  6270. controller-gen.kubebuilder.io/version: v0.15.0
  6271. labels:
  6272. external-secrets.io/component: controller
  6273. name: secretstores.external-secrets.io
  6274. spec:
  6275. group: external-secrets.io
  6276. names:
  6277. categories:
  6278. - externalsecrets
  6279. kind: SecretStore
  6280. listKind: SecretStoreList
  6281. plural: secretstores
  6282. shortNames:
  6283. - ss
  6284. singular: secretstore
  6285. scope: Namespaced
  6286. versions:
  6287. - additionalPrinterColumns:
  6288. - jsonPath: .metadata.creationTimestamp
  6289. name: AGE
  6290. type: date
  6291. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  6292. name: Status
  6293. type: string
  6294. deprecated: true
  6295. name: v1alpha1
  6296. schema:
  6297. openAPIV3Schema:
  6298. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  6299. properties:
  6300. apiVersion:
  6301. description: |-
  6302. APIVersion defines the versioned schema of this representation of an object.
  6303. Servers should convert recognized schemas to the latest internal value, and
  6304. may reject unrecognized values.
  6305. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  6306. type: string
  6307. kind:
  6308. description: |-
  6309. Kind is a string value representing the REST resource this object represents.
  6310. Servers may infer this from the endpoint the client submits requests to.
  6311. Cannot be updated.
  6312. In CamelCase.
  6313. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  6314. type: string
  6315. metadata:
  6316. type: object
  6317. spec:
  6318. description: SecretStoreSpec defines the desired state of SecretStore.
  6319. properties:
  6320. controller:
  6321. description: |-
  6322. Used to select the correct ESO controller (think: ingress.ingressClassName)
  6323. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  6324. type: string
  6325. provider:
  6326. description: Used to configure the provider. Only one provider may be set
  6327. maxProperties: 1
  6328. minProperties: 1
  6329. properties:
  6330. akeyless:
  6331. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  6332. properties:
  6333. akeylessGWApiURL:
  6334. description: Akeyless GW API URL from which the secrets are fetched.
  6335. type: string
  6336. authSecretRef:
  6337. description: Auth configures how the operator authenticates with Akeyless.
  6338. properties:
  6339. kubernetesAuth:
  6340. description: |-
  6341. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  6342. token stored in the named Secret resource.
  6343. properties:
  6344. accessID:
  6345. description: the Akeyless Kubernetes auth-method access-id
  6346. type: string
  6347. k8sConfName:
  6348. description: Kubernetes-auth configuration name in Akeyless-Gateway
  6349. type: string
  6350. secretRef:
  6351. description: |-
  6352. Optional secret field containing a Kubernetes ServiceAccount JWT used
  6353. for authenticating with Akeyless. If a name is specified without a key,
  6354. `token` is the default. If one is not specified, the one bound to
  6355. the controller will be used.
  6356. properties:
  6357. key:
  6358. description: |-
  6359. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6360. defaulted, in others it may be required.
  6361. type: string
  6362. name:
  6363. description: The name of the Secret resource being referred to.
  6364. type: string
  6365. namespace:
  6366. description: |-
  6367. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6368. to the namespace of the referent.
  6369. type: string
  6370. type: object
  6371. serviceAccountRef:
  6372. description: |-
  6373. Optional service account field containing the name of a kubernetes ServiceAccount.
  6374. If the service account is specified, the service account secret token JWT will be used
  6375. for authenticating with Akeyless. If the service account selector is not supplied,
  6376. the secretRef will be used instead.
  6377. properties:
  6378. audiences:
  6379. description: |-
  6380. Audience specifies the `aud` claim for the service account token
  6381. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6382. then these audiences will be appended to the list
  6383. items:
  6384. type: string
  6385. type: array
  6386. name:
  6387. description: The name of the ServiceAccount resource being referred to.
  6388. type: string
  6389. namespace:
  6390. description: |-
  6391. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6392. to the namespace of the referent.
  6393. type: string
  6394. required:
  6395. - name
  6396. type: object
  6397. required:
  6398. - accessID
  6399. - k8sConfName
  6400. type: object
  6401. secretRef:
  6402. description: |-
  6403. Reference to a Secret that contains the details
  6404. to authenticate with Akeyless.
  6405. properties:
  6406. accessID:
  6407. description: The SecretAccessID is used for authentication
  6408. properties:
  6409. key:
  6410. description: |-
  6411. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6412. defaulted, in others it may be required.
  6413. type: string
  6414. name:
  6415. description: The name of the Secret resource being referred to.
  6416. type: string
  6417. namespace:
  6418. description: |-
  6419. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6420. to the namespace of the referent.
  6421. type: string
  6422. type: object
  6423. accessType:
  6424. description: |-
  6425. A reference to a specific 'key' within a Secret resource,
  6426. In some instances, `key` is a required field.
  6427. properties:
  6428. key:
  6429. description: |-
  6430. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6431. defaulted, in others it may be required.
  6432. type: string
  6433. name:
  6434. description: The name of the Secret resource being referred to.
  6435. type: string
  6436. namespace:
  6437. description: |-
  6438. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6439. to the namespace of the referent.
  6440. type: string
  6441. type: object
  6442. accessTypeParam:
  6443. description: |-
  6444. A reference to a specific 'key' within a Secret resource,
  6445. In some instances, `key` is a required field.
  6446. properties:
  6447. key:
  6448. description: |-
  6449. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6450. defaulted, in others it may be required.
  6451. type: string
  6452. name:
  6453. description: The name of the Secret resource being referred to.
  6454. type: string
  6455. namespace:
  6456. description: |-
  6457. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6458. to the namespace of the referent.
  6459. type: string
  6460. type: object
  6461. type: object
  6462. type: object
  6463. caBundle:
  6464. description: |-
  6465. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  6466. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  6467. are used to validate the TLS connection.
  6468. format: byte
  6469. type: string
  6470. caProvider:
  6471. description: The provider for the CA bundle to use to validate the Akeyless Gateway certificate.
  6472. properties:
  6473. key:
  6474. description: The key of the value inside the provider type to use; only used with the "Secret" type
  6475. type: string
  6476. name:
  6477. description: The name of the object located at the provider type.
  6478. type: string
  6479. namespace:
  6480. description: The namespace the Provider type is in.
  6481. type: string
  6482. type:
  6483. description: The type of provider to use such as "Secret", or "ConfigMap".
  6484. enum:
  6485. - Secret
  6486. - ConfigMap
  6487. type: string
  6488. required:
  6489. - name
  6490. - type
  6491. type: object
  6492. required:
  6493. - akeylessGWApiURL
  6494. - authSecretRef
  6495. type: object
  6496. alibaba:
  6497. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  6498. properties:
  6499. auth:
  6500. description: AlibabaAuth contains a secretRef for credentials.
  6501. properties:
  6502. rrsa:
  6503. description: Authenticate against Alibaba using RRSA.
  6504. properties:
  6505. oidcProviderArn:
  6506. type: string
  6507. oidcTokenFilePath:
  6508. type: string
  6509. roleArn:
  6510. type: string
  6511. sessionName:
  6512. type: string
  6513. required:
  6514. - oidcProviderArn
  6515. - oidcTokenFilePath
  6516. - roleArn
  6517. - sessionName
  6518. type: object
  6519. secretRef:
  6520. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  6521. properties:
  6522. accessKeyIDSecretRef:
  6523. description: The AccessKeyID is used for authentication
  6524. properties:
  6525. key:
  6526. description: |-
  6527. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6528. defaulted, in others it may be required.
  6529. type: string
  6530. name:
  6531. description: The name of the Secret resource being referred to.
  6532. type: string
  6533. namespace:
  6534. description: |-
  6535. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6536. to the namespace of the referent.
  6537. type: string
  6538. type: object
  6539. accessKeySecretSecretRef:
  6540. description: The AccessKeySecret is used for authentication
  6541. properties:
  6542. key:
  6543. description: |-
  6544. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6545. defaulted, in others it may be required.
  6546. type: string
  6547. name:
  6548. description: The name of the Secret resource being referred to.
  6549. type: string
  6550. namespace:
  6551. description: |-
  6552. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6553. to the namespace of the referent.
  6554. type: string
  6555. type: object
  6556. required:
  6557. - accessKeyIDSecretRef
  6558. - accessKeySecretSecretRef
  6559. type: object
  6560. type: object
  6561. regionID:
  6562. description: Alibaba Region to be used for the provider
  6563. type: string
  6564. required:
  6565. - auth
  6566. - regionID
  6567. type: object
  6568. aws:
  6569. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  6570. properties:
  6571. auth:
  6572. description: |-
  6573. Auth defines the information necessary to authenticate against AWS
  6574. if not set, the AWS SDK will infer credentials from your environment
  6575. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  6576. properties:
  6577. jwt:
  6578. description: Authenticate against AWS using service account tokens.
  6579. properties:
  6580. serviceAccountRef:
  6581. description: A reference to a ServiceAccount resource.
  6582. properties:
  6583. audiences:
  6584. description: |-
  6585. Audience specifies the `aud` claim for the service account token
  6586. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  6587. then these audiences will be appended to the list
  6588. items:
  6589. type: string
  6590. type: array
  6591. name:
  6592. description: The name of the ServiceAccount resource being referred to.
  6593. type: string
  6594. namespace:
  6595. description: |-
  6596. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6597. to the namespace of the referent.
  6598. type: string
  6599. required:
  6600. - name
  6601. type: object
  6602. type: object
  6603. secretRef:
  6604. description: |-
  6605. AWSAuthSecretRef holds secret references for AWS credentials
  6606. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  6607. properties:
  6608. accessKeyIDSecretRef:
  6609. description: The AccessKeyID is used for authentication
  6610. properties:
  6611. key:
  6612. description: |-
  6613. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6614. defaulted, in others it may be required.
  6615. type: string
  6616. name:
  6617. description: The name of the Secret resource being referred to.
  6618. type: string
  6619. namespace:
  6620. description: |-
  6621. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6622. to the namespace of the referent.
  6623. type: string
  6624. type: object
  6625. secretAccessKeySecretRef:
  6626. description: The SecretAccessKey is used for authentication
  6627. properties:
  6628. key:
  6629. description: |-
  6630. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6631. defaulted, in others it may be required.
  6632. type: string
  6633. name:
  6634. description: The name of the Secret resource being referred to.
  6635. type: string
  6636. namespace:
  6637. description: |-
  6638. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6639. to the namespace of the referent.
  6640. type: string
  6641. type: object
  6642. type: object
  6643. type: object
  6644. region:
  6645. description: AWS Region to be used for the provider
  6646. type: string
  6647. role:
  6648. description: Role is a Role ARN which the SecretManager provider will assume
  6649. type: string
  6650. service:
  6651. description: Service defines which service should be used to fetch the secrets
  6652. enum:
  6653. - SecretsManager
  6654. - ParameterStore
  6655. type: string
  6656. required:
  6657. - region
  6658. - service
  6659. type: object
  6660. azurekv:
  6661. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  6662. properties:
  6663. authSecretRef:
  6664. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  6665. properties:
  6666. clientId:
  6667. description: The Azure clientId of the service principal used for authentication.
  6668. properties:
  6669. key:
  6670. description: |-
  6671. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6672. defaulted, in others it may be required.
  6673. type: string
  6674. name:
  6675. description: The name of the Secret resource being referred to.
  6676. type: string
  6677. namespace:
  6678. description: |-
  6679. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6680. to the namespace of the referent.
  6681. type: string
  6682. type: object
  6683. clientSecret:
  6684. description: The Azure clientSecret of the service principal used for authentication.
  6685. properties:
  6686. key:
  6687. description: |-
  6688. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6689. defaulted, in others it may be required.
  6690. type: string
  6691. name:
  6692. description: The name of the Secret resource being referred to.
  6693. type: string
  6694. namespace:
  6695. description: |-
  6696. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  6697. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  6698. type: string
  6699. type: object
  6700. type: object
  6701. authType:
  6702. default: ServicePrincipal
  6703. description: |-
  6704. Auth type defines how to authenticate to the Key Vault service.
  6705. Valid values are:
  6706. - "ServicePrincipal" (default): Using a service principal (tenantId, plus clientId and clientSecret from authSecretRef)
  6707. - "ManagedIdentity": Using a Managed Identity assigned to the pod (see aad-pod-identity); identityId selects one when several are assigned
        - "WorkloadIdentity": Using Azure Workload Identity with the Kubernetes ServiceAccount named in serviceAccountRef
  6708. enum:
  6709. - ServicePrincipal
  6710. - ManagedIdentity
  6711. - WorkloadIdentity
  6712. type: string
  6713. identityId:
  6714. description: If multiple Managed Identities are assigned to the pod, selects the one to be used.
  6715. type: string
  6716. serviceAccountRef:
  6717. description: |-
  6718. ServiceAccountRef specifies the Kubernetes ServiceAccount
  6719. that should be used when authenticating with WorkloadIdentity.
  6720. properties:
  6721. audiences:
  6722. description: |-
  6723. Audiences specifies the `aud` claim for the service account token.
  6724. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6725. these audiences are appended to the list derived from that annotation.
  6726. items:
  6727. type: string
  6728. type: array
  6729. name:
  6730. description: The name of the ServiceAccount resource being referred to.
  6731. type: string
  6732. namespace:
  6733. description: |-
  6734. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6735. to the namespace of the referent.
  6736. type: string
  6737. required:
  6738. - name
  6739. type: object
  6740. tenantId:
  6741. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  6742. type: string
  6743. vaultUrl:
  6744. description: Vault Url from which the secrets to be fetched from.
  6745. type: string
  6746. required:
  6747. - vaultUrl
  6748. type: object
  6749. fake:
  6750. description: Fake configures a store with static key/value pairs
  6751. properties:
  6752. data:
  6753. items:
  6754. properties:
  6755. key:
  6756. type: string
  6757. value:
  6758. type: string
  6759. valueMap:
  6760. additionalProperties:
  6761. type: string
  6762. type: object
  6763. version:
  6764. type: string
  6765. required:
  6766. - key
  6767. type: object
  6768. type: array
  6769. required:
  6770. - data
  6771. type: object
  6772. gcpsm:
  6773. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  6774. properties:
  6775. auth:
  6776. description: Auth defines the information necessary to authenticate against GCP
  6777. properties:
  6778. secretRef:
  6779. properties:
  6780. secretAccessKeySecretRef:
  6781. description: The SecretAccessKey is used for authentication
  6782. properties:
  6783. key:
  6784. description: |-
  6785. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6786. defaulted, in others it may be required.
  6787. type: string
  6788. name:
  6789. description: The name of the Secret resource being referred to.
  6790. type: string
  6791. namespace:
  6792. description: |-
  6793. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6794. to the namespace of the referent.
  6795. type: string
  6796. type: object
  6797. type: object
  6798. workloadIdentity:
  6799. properties:
  6800. clusterLocation:
  6801. type: string
  6802. clusterName:
  6803. type: string
  6804. clusterProjectID:
  6805. type: string
  6806. serviceAccountRef:
  6807. description: A reference to a ServiceAccount resource.
  6808. properties:
  6809. audiences:
  6810. description: |-
  6811. Audiences specifies the `aud` claim for the service account token.
  6812. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6813. these audiences are appended to the list derived from that annotation.
  6814. items:
  6815. type: string
  6816. type: array
  6817. name:
  6818. description: The name of the ServiceAccount resource being referred to.
  6819. type: string
  6820. namespace:
  6821. description: |-
  6822. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6823. to the namespace of the referent.
  6824. type: string
  6825. required:
  6826. - name
  6827. type: object
  6828. required:
  6829. - clusterLocation
  6830. - clusterName
  6831. - serviceAccountRef
  6832. type: object
  6833. type: object
  6834. projectID:
  6835. description: ProjectID project where secret is located
  6836. type: string
  6837. type: object
  6838. gitlab:
  6839. description: GitLab configures this store to sync secrets using GitLab Variables provider
  6840. properties:
  6841. auth:
  6842. description: Auth configures how secret-manager authenticates with a GitLab instance.
  6843. properties:
  6844. SecretRef:
  6845. properties:
  6846. accessToken:
  6847. description: AccessToken is used for authentication.
  6848. properties:
  6849. key:
  6850. description: |-
  6851. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6852. defaulted, in others it may be required.
  6853. type: string
  6854. name:
  6855. description: The name of the Secret resource being referred to.
  6856. type: string
  6857. namespace:
  6858. description: |-
  6859. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  6860. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  6861. type: string
  6862. type: object
  6863. type: object
  6864. required:
  6865. - SecretRef
  6866. type: object
  6867. projectID:
  6868. description: ProjectID specifies a project where secrets are located.
  6869. type: string
  6870. url:
  6871. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  6872. type: string
  6873. required:
  6874. - auth
  6875. type: object
  6876. ibm:
  6877. description: IBM configures this store to sync secrets using IBM Cloud provider
  6878. properties:
  6879. auth:
  6880. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  6881. properties:
  6882. secretRef:
  6883. properties:
  6884. secretApiKeySecretRef:
  6885. description: Reference to the Secret key holding the IBM Cloud API key used for authentication.
  6886. properties:
  6887. key:
  6888. description: |-
  6889. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6890. defaulted, in others it may be required.
  6891. type: string
  6892. name:
  6893. description: The name of the Secret resource being referred to.
  6894. type: string
  6895. namespace:
  6896. description: |-
  6897. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6898. to the namespace of the referent.
  6899. type: string
  6900. type: object
  6901. type: object
  6902. required:
  6903. - secretRef
  6904. type: object
  6905. serviceUrl:
  6906. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  6907. type: string
  6908. required:
  6909. - auth
  6910. type: object
  6911. kubernetes:
  6912. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  6913. properties:
  6914. auth:
  6915. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  6916. maxProperties: 1
  6917. minProperties: 1
  6918. properties:
  6919. cert:
  6920. description: has both clientCert and clientKey as secretKeySelector
  6921. properties:
  6922. clientCert:
  6923. description: |-
  6924. A reference to a specific 'key' within a Secret resource,
  6925. In some instances, `key` is a required field.
  6926. properties:
  6927. key:
  6928. description: |-
  6929. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6930. defaulted, in others it may be required.
  6931. type: string
  6932. name:
  6933. description: The name of the Secret resource being referred to.
  6934. type: string
  6935. namespace:
  6936. description: |-
  6937. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6938. to the namespace of the referent.
  6939. type: string
  6940. type: object
  6941. clientKey:
  6942. description: |-
  6943. A reference to a specific 'key' within a Secret resource,
  6944. In some instances, `key` is a required field.
  6945. properties:
  6946. key:
  6947. description: |-
  6948. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6949. defaulted, in others it may be required.
  6950. type: string
  6951. name:
  6952. description: The name of the Secret resource being referred to.
  6953. type: string
  6954. namespace:
  6955. description: |-
  6956. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6957. to the namespace of the referent.
  6958. type: string
  6959. type: object
  6960. type: object
  6961. serviceAccount:
  6962. description: points to a service account that should be used for authentication
  6963. properties:
  6964. serviceAccount:
  6965. description: A reference to a ServiceAccount resource.
  6966. properties:
  6967. audiences:
  6968. description: |-
  6969. Audiences specifies the `aud` claim for the service account token.
  6970. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  6971. these audiences are appended to the list derived from that annotation.
  6972. items:
  6973. type: string
  6974. type: array
  6975. name:
  6976. description: The name of the ServiceAccount resource being referred to.
  6977. type: string
  6978. namespace:
  6979. description: |-
  6980. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  6981. to the namespace of the referent.
  6982. type: string
  6983. required:
  6984. - name
  6985. type: object
  6986. type: object
  6987. token:
  6988. description: use static token to authenticate with
  6989. properties:
  6990. bearerToken:
  6991. description: |-
  6992. A reference to a specific 'key' within a Secret resource,
  6993. In some instances, `key` is a required field.
  6994. properties:
  6995. key:
  6996. description: |-
  6997. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  6998. defaulted, in others it may be required.
  6999. type: string
  7000. name:
  7001. description: The name of the Secret resource being referred to.
  7002. type: string
  7003. namespace:
  7004. description: |-
  7005. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  7006. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  7007. type: string
  7008. type: object
  7009. type: object
  7010. type: object
  7011. remoteNamespace:
  7012. default: default
  7013. description: Remote namespace to fetch the secrets from
  7014. type: string
  7015. server:
  7016. description: configures the Kubernetes server Address.
  7017. properties:
  7018. caBundle:
  7019. description: CABundle is a base64-encoded CA certificate
  7020. format: byte
  7021. type: string
  7022. caProvider:
  7023. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  7024. properties:
  7025. key:
  7026. description: The key within the referenced object whose value holds the CA bundle; only used with the "Secret" type.
  7027. type: string
  7028. name:
  7029. description: The name of the object located at the provider type.
  7030. type: string
  7031. namespace:
  7032. description: The namespace the Provider type is in.
  7033. type: string
  7034. type:
  7035. description: The type of provider to use such as "Secret", or "ConfigMap".
  7036. enum:
  7037. - Secret
  7038. - ConfigMap
  7039. type: string
  7040. required:
  7041. - name
  7042. - type
  7043. type: object
  7044. url:
  7045. default: kubernetes.default
  7046. description: Address of the Kubernetes API server to connect to. Defaults to the in-cluster service name `kubernetes.default`.
  7047. type: string
  7048. type: object
  7049. required:
  7050. - auth
  7051. type: object
  7052. oracle:
  7053. description: Oracle configures this store to sync secrets using Oracle Vault provider
  7054. properties:
  7055. auth:
  7056. description: |-
  7057. Auth configures how secret-manager authenticates with the Oracle Vault.
  7058. If empty, instance principal is used. Optionally, the authenticating principal type
  7059. and/or user data may be supplied for the use of workload identity and user principal.
  7060. properties:
  7061. secretRef:
  7062. description: SecretRef to pass through sensitive information.
  7063. properties:
  7064. fingerprint:
  7065. description: Fingerprint is the fingerprint of the API private key.
  7066. properties:
  7067. key:
  7068. description: |-
  7069. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7070. defaulted, in others it may be required.
  7071. type: string
  7072. name:
  7073. description: The name of the Secret resource being referred to.
  7074. type: string
  7075. namespace:
  7076. description: |-
  7077. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7078. to the namespace of the referent.
  7079. type: string
  7080. type: object
  7081. privatekey:
  7082. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  7083. properties:
  7084. key:
  7085. description: |-
  7086. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7087. defaulted, in others it may be required.
  7088. type: string
  7089. name:
  7090. description: The name of the Secret resource being referred to.
  7091. type: string
  7092. namespace:
  7093. description: |-
  7094. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  7095. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  7096. type: string
  7097. type: object
  7098. required:
  7099. - fingerprint
  7100. - privatekey
  7101. type: object
  7102. tenancy:
  7103. description: Tenancy is the tenancy OCID where user is located.
  7104. type: string
  7105. user:
  7106. description: User is an access OCID specific to the account.
  7107. type: string
  7108. required:
  7109. - secretRef
  7110. - tenancy
  7111. - user
  7112. type: object
  7113. compartment:
  7114. description: |-
  7115. Compartment is the vault compartment OCID.
  7116. Required for PushSecret
  7117. type: string
  7118. encryptionKey:
  7119. description: |-
  7120. EncryptionKey is the OCID of the encryption key within the vault.
  7121. Required for PushSecret
  7122. type: string
  7123. principalType:
  7124. description: |-
  7125. The type of principal to use for authentication. If left blank, the Auth struct will
  7126. determine the principal type. This optional field must be specified if using
  7127. workload identity.
  7128. enum:
  7129. - ""
  7130. - UserPrincipal
  7131. - InstancePrincipal
  7132. - Workload
  7133. type: string
  7134. region:
  7135. description: Region is the region where vault is located.
  7136. type: string
  7137. serviceAccountRef:
  7138. description: |-
  7139. ServiceAccountRef specifies the Kubernetes ServiceAccount
  7140. that should be used when authenticating with workload identity (principalType "Workload").
  7141. properties:
  7142. audiences:
  7143. description: |-
  7144. Audiences specifies the `aud` claim for the service account token.
  7145. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7146. these audiences are appended to the list derived from that annotation.
  7147. items:
  7148. type: string
  7149. type: array
  7150. name:
  7151. description: The name of the ServiceAccount resource being referred to.
  7152. type: string
  7153. namespace:
  7154. description: |-
  7155. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7156. to the namespace of the referent.
  7157. type: string
  7158. required:
  7159. - name
  7160. type: object
  7161. vault:
  7162. description: Vault is the vault's OCID of the specific vault where secret is located.
  7163. type: string
  7164. required:
  7165. - region
  7166. - vault
  7167. type: object
  7168. passworddepot:
  7169. description: Configures a store to sync secrets with a Password Depot instance.
  7170. properties:
  7171. auth:
  7172. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  7173. properties:
  7174. secretRef:
  7175. properties:
  7176. credentials:
  7177. description: Username / Password is used for authentication.
  7178. properties:
  7179. key:
  7180. description: |-
  7181. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7182. defaulted, in others it may be required.
  7183. type: string
  7184. name:
  7185. description: The name of the Secret resource being referred to.
  7186. type: string
  7187. namespace:
  7188. description: |-
  7189. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7190. to the namespace of the referent.
  7191. type: string
  7192. type: object
  7193. type: object
  7194. required:
  7195. - secretRef
  7196. type: object
  7197. database:
  7198. description: Database to use as source
  7199. type: string
  7200. host:
  7201. description: Host configures the Password Depot instance URL.
  7202. type: string
  7203. required:
  7204. - auth
  7205. - database
  7206. - host
  7207. type: object
  7208. vault:
  7209. description: Vault configures this store to sync secrets using Hashi provider
  7210. properties:
  7211. auth:
  7212. description: Auth configures how secret-manager authenticates with the Vault server.
  7213. properties:
  7214. appRole:
  7215. description: |-
  7216. AppRole authenticates with Vault using the App Role auth mechanism,
  7217. with the role and secret stored in a Kubernetes Secret resource.
  7218. properties:
  7219. path:
  7220. default: approle
  7221. description: |-
  7222. Path where the App Role authentication backend is mounted
  7223. in Vault, e.g: "approle"
  7224. type: string
  7225. roleId:
  7226. description: |-
  7227. RoleID configured in the App Role authentication backend when setting
  7228. up the authentication backend in Vault.
  7229. type: string
  7230. secretRef:
  7231. description: |-
  7232. Reference to a key in a Secret that contains the App Role secret used
  7233. to authenticate with Vault.
  7234. The `key` field must be specified and denotes which entry within the Secret
  7235. resource is used as the app role secret.
  7236. properties:
  7237. key:
  7238. description: |-
  7239. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7240. defaulted, in others it may be required.
  7241. type: string
  7242. name:
  7243. description: The name of the Secret resource being referred to.
  7244. type: string
  7245. namespace:
  7246. description: |-
  7247. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  7248. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  7249. type: string
  7250. type: object
  7251. required:
  7252. - path
  7253. - roleId
  7254. - secretRef
  7255. type: object
  7256. cert:
  7257. description: |-
  7258. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  7259. Cert authentication method
  7260. properties:
  7261. clientCert:
  7262. description: |-
  7263. ClientCert is a certificate to authenticate using the Cert Vault
  7264. authentication method
  7265. properties:
  7266. key:
  7267. description: |-
  7268. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7269. defaulted, in others it may be required.
  7270. type: string
  7271. name:
  7272. description: The name of the Secret resource being referred to.
  7273. type: string
  7274. namespace:
  7275. description: |-
  7276. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7277. to the namespace of the referent.
  7278. type: string
  7279. type: object
  7280. secretRef:
  7281. description: |-
  7282. SecretRef to a key in a Secret resource containing client private key to
  7283. authenticate with Vault using the Cert authentication method
  7284. properties:
  7285. key:
  7286. description: |-
  7287. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7288. defaulted, in others it may be required.
  7289. type: string
  7290. name:
  7291. description: The name of the Secret resource being referred to.
  7292. type: string
  7293. namespace:
  7294. description: |-
  7295. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7296. to the namespace of the referent.
  7297. type: string
  7298. type: object
  7299. type: object
  7300. jwt:
  7301. description: |-
  7302. Jwt authenticates with Vault by passing role and JWT token using the
  7303. JWT/OIDC authentication method
  7304. properties:
  7305. kubernetesServiceAccountToken:
  7306. description: |-
  7307. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  7308. a token for with the `TokenRequest` API.
  7309. properties:
  7310. audiences:
  7311. description: |-
  7312. Optional audiences that will be used to request a temporary Kubernetes service
  7313. account token for the service account referenced by `serviceAccountRef`.
  7314. Defaults to a single audience `vault` if not specified.
  7315. items:
  7316. type: string
  7317. type: array
  7318. expirationSeconds:
  7319. description: |-
  7320. Optional expiration time in seconds that will be used to request a temporary
  7321. Kubernetes service account token for the service account referenced by
  7322. `serviceAccountRef`.
  7323. Defaults to 10 minutes.
  7324. format: int64
  7325. type: integer
  7326. serviceAccountRef:
  7327. description: Service account field containing the name of a kubernetes ServiceAccount.
  7328. properties:
  7329. audiences:
  7330. description: |-
  7331. Audiences specifies the `aud` claim for the service account token.
  7332. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7333. these audiences are appended to the list derived from that annotation.
  7334. items:
  7335. type: string
  7336. type: array
  7337. name:
  7338. description: The name of the ServiceAccount resource being referred to.
  7339. type: string
  7340. namespace:
  7341. description: |-
  7342. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7343. to the namespace of the referent.
  7344. type: string
  7345. required:
  7346. - name
  7347. type: object
  7348. required:
  7349. - serviceAccountRef
  7350. type: object
  7351. path:
  7352. default: jwt
  7353. description: |-
  7354. Path where the JWT authentication backend is mounted
  7355. in Vault, e.g: "jwt"
  7356. type: string
  7357. role:
  7358. description: |-
  7359. Role is a JWT role to authenticate using the JWT/OIDC Vault
  7360. authentication method
  7361. type: string
  7362. secretRef:
  7363. description: |-
  7364. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  7365. authenticate with Vault using the JWT/OIDC authentication method.
  7366. properties:
  7367. key:
  7368. description: |-
  7369. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7370. defaulted, in others it may be required.
  7371. type: string
  7372. name:
  7373. description: The name of the Secret resource being referred to.
  7374. type: string
  7375. namespace:
  7376. description: |-
  7377. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7378. to the namespace of the referent.
  7379. type: string
  7380. type: object
  7381. required:
  7382. - path
  7383. type: object
  7384. kubernetes:
  7385. description: |-
  7386. Kubernetes authenticates with Vault by passing the ServiceAccount
  7387. token stored in the named Secret resource to the Vault server.
  7388. properties:
  7389. mountPath:
  7390. default: kubernetes
  7391. description: |-
  7392. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  7393. "kubernetes"
  7394. type: string
  7395. role:
  7396. description: |-
  7397. A required field containing the Vault Role to assume. A Role binds a
  7398. Kubernetes ServiceAccount with a set of Vault policies.
  7399. type: string
  7400. secretRef:
  7401. description: |-
  7402. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7403. for authenticating with Vault. If a name is specified without a key,
  7404. `token` is the default key. If neither secretRef nor serviceAccountRef is specified, the
  7405. token of the ServiceAccount bound to the controller itself is presented to Vault.
  7406. properties:
  7407. key:
  7408. description: |-
  7409. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7410. defaulted, in others it may be required.
  7411. type: string
  7412. name:
  7413. description: The name of the Secret resource being referred to.
  7414. type: string
  7415. namespace:
  7416. description: |-
  7417. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7418. to the namespace of the referent.
  7419. type: string
  7420. type: object
  7421. serviceAccountRef:
  7422. description: |-
  7423. Optional service account field containing the name of a kubernetes ServiceAccount.
  7424. If the service account is specified, the service account secret token JWT will be used
  7425. for authenticating with Vault. If the service account selector is not supplied,
  7426. the secretRef will be used instead.
  7427. properties:
  7428. audiences:
  7429. description: |-
  7430. Audiences specifies the `aud` claim for the service account token.
  7431. If the service account carries a well-known annotation for e.g. IRSA or GCP Workload Identity,
  7432. these audiences are appended to the list derived from that annotation.
  7433. items:
  7434. type: string
  7435. type: array
  7436. name:
  7437. description: The name of the ServiceAccount resource being referred to.
  7438. type: string
  7439. namespace:
  7440. description: |-
  7441. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7442. to the namespace of the referent.
  7443. type: string
  7444. required:
  7445. - name
  7446. type: object
  7447. required:
  7448. - mountPath
  7449. - role
  7450. type: object
  7451. ldap:
  7452. description: |-
  7453. Ldap authenticates with Vault by passing username/password pair using
  7454. the LDAP authentication method
  7455. properties:
  7456. path:
  7457. default: ldap
  7458. description: |-
  7459. Path where the LDAP authentication backend is mounted
  7460. in Vault, e.g: "ldap"
  7461. type: string
  7462. secretRef:
  7463. description: |-
  7464. SecretRef to a key in a Secret resource containing password for the LDAP
  7465. user used to authenticate with Vault using the LDAP authentication
  7466. method
  7467. properties:
  7468. key:
  7469. description: |-
  7470. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7471. defaulted, in others it may be required.
  7472. type: string
  7473. name:
  7474. description: The name of the Secret resource being referred to.
  7475. type: string
  7476. namespace:
  7477. description: |-
  7478. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7479. to the namespace of the referent.
  7480. type: string
  7481. type: object
  7482. username:
  7483. description: |-
  7484. Username is a LDAP user name used to authenticate using the LDAP Vault
  7485. authentication method
  7486. type: string
  7487. required:
  7488. - path
  7489. - username
  7490. type: object
  7491. tokenSecretRef:
  7492. description: TokenSecretRef authenticates with Vault by presenting a token.
  7493. properties:
  7494. key:
  7495. description: |-
  7496. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7497. defaulted, in others it may be required.
  7498. type: string
  7499. name:
  7500. description: The name of the Secret resource being referred to.
  7501. type: string
  7502. namespace:
  7503. description: |-
  7504. Namespace of the Secret being referred to. Ignored if the referring resource (e.g. a SecretStore) is not cluster-scoped;
  7505. a cluster-scoped referrer (e.g. a ClusterSecretStore) defaults to the namespace of the referent. On a cluster-scoped store this field can select a Secret in any namespace, so restrict who may create or edit such stores.
  7506. type: string
  7507. type: object
  7508. type: object
  7509. caBundle:
  7510. description: |-
  7511. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  7512. if the Server URL uses the HTTPS protocol; this parameter is ignored for a
  7513. plain HTTP connection, over which the Vault token and the fetched secrets travel unencrypted.
  7514. If not set, the system root certificates are used to validate the TLS connection.
  7515. format: byte
  7516. type: string
  7517. caProvider:
  7518. description: The provider for the CA bundle to use to validate Vault server certificate.
  7519. properties:
  7520. key:
  7521. description: The key within the referenced object whose value holds the CA bundle; only used with the "Secret" type.
  7522. type: string
  7523. name:
  7524. description: The name of the object located at the provider type.
  7525. type: string
  7526. namespace:
  7527. description: The namespace the Provider type is in.
  7528. type: string
  7529. type:
  7530. description: The type of provider to use such as "Secret", or "ConfigMap".
  7531. enum:
  7532. - Secret
  7533. - ConfigMap
  7534. type: string
  7535. required:
  7536. - name
  7537. - type
  7538. type: object
  7539. forwardInconsistent:
  7540. description: |-
  7541. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  7542. leader instead of simply retrying within a loop. This can increase performance if
  7543. the option is enabled serverside.
  7544. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  7545. type: boolean
  7546. namespace:
  7547. description: |-
  7548. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  7549. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  7550. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  7551. type: string
  7552. path:
  7553. description: |-
  7554. Path is the mount path of the Vault KV backend endpoint, e.g:
  7555. "secret". The v2 KV secret engine version specific "/data" path suffix
  7556. for fetching secrets from Vault is optional and will be appended
  7557. if not present in specified path.
  7558. type: string
  7559. readYourWrites:
  7560. description: |-
  7561. ReadYourWrites ensures isolated read-after-write semantics by
  7562. providing discovered cluster replication states in each request.
  7563. More information about eventual consistency in Vault can be found here
  7564. https://www.vaultproject.io/docs/enterprise/consistency
  7565. type: boolean
  7566. server:
  7567. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200". Use an https URL so the server certificate is validated (via caBundle/caProvider or the system roots); plain http is unauthenticated and unencrypted.'
  7568. type: string
  7569. version:
  7570. default: v2
  7571. description: |-
  7572. Version is the Vault KV secret engine version. This can be either "v1" or
  7573. "v2". Version defaults to "v2".
  7574. enum:
  7575. - v1
  7576. - v2
  7577. type: string
  7578. required:
  7579. - auth
  7580. - server
  7581. type: object
  7582. webhook:
  7583. description: Webhook configures this store to sync secrets using a generic templated webhook
  7584. properties:
  7585. body:
  7586. description: Body of the webhook request. It is rendered as a template, with the entries listed under `secrets` available by their configured names.
  7587. type: string
  7588. caBundle:
  7589. description: |-
  7590. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  7591. if the Server URL uses the HTTPS protocol; it is ignored for a plain HTTP
  7592. connection, which carries the request (including any templated credentials) in cleartext.
  7593. If not set, the system root certificates are used to validate the TLS connection.
  7594. format: byte
  7595. type: string
  7596. caProvider:
  7597. description: The provider for the CA bundle to use to validate webhook server certificate.
  7598. properties:
  7599. key:
  7600. description: The key inside the referenced object whose value holds the CA bundle; only used with the "Secret" type.
  7601. type: string
  7602. name:
  7603. description: The name of the Secret or ConfigMap (per `type`) that holds the CA bundle.
  7604. type: string
  7605. namespace:
  7606. description: The namespace the Provider type is in.
  7607. type: string
  7608. type:
  7609. description: The type of provider to use such as "Secret", or "ConfigMap".
  7610. enum:
  7611. - Secret
  7612. - ConfigMap
  7613. type: string
  7614. required:
  7615. - name
  7616. - type
  7617. type: object
  7618. headers:
  7619. additionalProperties:
  7620. type: string
  7621. description: HTTP headers sent with the webhook request.
  7622. type: object
  7623. method:
  7624. description: HTTP method used for the webhook request (e.g. GET or POST).
  7625. type: string
  7626. result:
  7627. description: Result formatting
  7628. properties:
  7629. jsonPath:
  7630. description: JSONPath expression that selects the secret value from the webhook response.
  7631. type: string
  7632. type: object
  7633. secrets:
  7634. description: |-
  7635. Secrets to fill in templates
  7636. These secrets will be passed to the templating function as key value pairs under the given name
  7637. items:
  7638. properties:
  7639. name:
  7640. description: Name of this secret in templates
  7641. type: string
  7642. secretRef:
  7643. description: Secret ref to fill in credentials
  7644. properties:
  7645. key:
  7646. description: |-
  7647. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7648. defaulted, in others it may be required.
  7649. type: string
  7650. name:
  7651. description: The name of the Secret resource being referred to.
  7652. type: string
  7653. namespace:
  7654. description: |-
  7655. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7656. to the namespace of the referent.
  7657. type: string
  7658. type: object
  7659. required:
  7660. - name
  7661. - secretRef
  7662. type: object
  7663. type: array
  7664. timeout:
  7665. description: Timeout for the webhook request.
  7666. type: string
  7667. url:
  7668. description: URL of the webhook to call. Prefer an https URL so the server certificate is validated (see caBundle/caProvider); a plain http URL sends the request unencrypted.
  7669. type: string
  7670. required:
  7671. - result
  7672. - url
  7673. type: object
  7674. yandexlockbox:
  7675. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  7676. properties:
  7677. apiEndpoint:
  7678. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  7679. type: string
  7680. auth:
  7681. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  7682. properties:
  7683. authorizedKeySecretRef:
  7684. description: The authorized key used for authentication
  7685. properties:
  7686. key:
  7687. description: |-
  7688. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7689. defaulted, in others it may be required.
  7690. type: string
  7691. name:
  7692. description: The name of the Secret resource being referred to.
  7693. type: string
  7694. namespace:
  7695. description: |-
  7696. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7697. to the namespace of the referent.
  7698. type: string
  7699. type: object
  7700. type: object
  7701. caProvider:
  7702. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  7703. properties:
  7704. certSecretRef:
  7705. description: |-
  7706. A reference to a specific 'key' within a Secret resource,
  7707. In some instances, `key` is a required field.
  7708. properties:
  7709. key:
  7710. description: |-
  7711. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7712. defaulted, in others it may be required.
  7713. type: string
  7714. name:
  7715. description: The name of the Secret resource being referred to.
  7716. type: string
  7717. namespace:
  7718. description: |-
  7719. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7720. to the namespace of the referent.
  7721. type: string
  7722. type: object
  7723. type: object
  7724. required:
  7725. - auth
  7726. type: object
  7727. type: object
  7728. retrySettings:
  7729. description: Configures HTTP retry behaviour for failed requests to the provider.
  7730. properties:
  7731. maxRetries:
  7732. format: int32
  7733. type: integer
  7734. retryInterval:
  7735. type: string
  7736. type: object
  7737. required:
  7738. - provider
  7739. type: object
  7740. status:
  7741. description: SecretStoreStatus defines the observed state of the SecretStore.
  7742. properties:
  7743. conditions:
  7744. items:
  7745. properties:
  7746. lastTransitionTime:
  7747. format: date-time
  7748. type: string
  7749. message:
  7750. type: string
  7751. reason:
  7752. type: string
  7753. status:
  7754. type: string
  7755. type:
  7756. type: string
  7757. required:
  7758. - status
  7759. - type
  7760. type: object
  7761. type: array
  7762. type: object
  7763. type: object
  7764. served: true
  7765. storage: false
  7766. subresources:
  7767. status: {}
  7768. - additionalPrinterColumns:
  7769. - jsonPath: .metadata.creationTimestamp
  7770. name: AGE
  7771. type: date
  7772. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  7773. name: Status
  7774. type: string
  7775. - jsonPath: .status.capabilities
  7776. name: Capabilities
  7777. type: string
  7778. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  7779. name: Ready
  7780. type: string
  7781. name: v1beta1
  7782. schema:
  7783. openAPIV3Schema:
  7784. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  7785. properties:
  7786. apiVersion:
  7787. description: |-
  7788. APIVersion defines the versioned schema of this representation of an object.
  7789. Servers should convert recognized schemas to the latest internal value, and
  7790. may reject unrecognized values.
  7791. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  7792. type: string
  7793. kind:
  7794. description: |-
  7795. Kind is a string value representing the REST resource this object represents.
  7796. Servers may infer this from the endpoint the client submits requests to.
  7797. Cannot be updated.
  7798. In CamelCase.
  7799. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  7800. type: string
  7801. metadata:
  7802. type: object
  7803. spec:
  7804. description: SecretStoreSpec defines the desired state of SecretStore.
  7805. properties:
  7806. conditions:
  7807. description: Used to constrain a ClusterSecretStore to specific namespaces; if no conditions are set the store is not restricted by namespace. Relevant only to ClusterSecretStore.
  7808. items:
  7809. description: |-
  7810. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  7811. for a ClusterSecretStore instance.
  7812. properties:
  7813. namespaceRegexes:
  7814. description: Choose namespaces by regular-expression matching. Whether patterns are anchored is not specified here, so anchor them explicitly (e.g. ^prod$) unless partial matches are intended.
  7815. items:
  7816. type: string
  7817. type: array
  7818. namespaceSelector:
  7819. description: Choose namespace using a labelSelector
  7820. properties:
  7821. matchExpressions:
  7822. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  7823. items:
  7824. description: |-
  7825. A label selector requirement is a selector that contains values, a key, and an operator that
  7826. relates the key and values.
  7827. properties:
  7828. key:
  7829. description: key is the label key that the selector applies to.
  7830. type: string
  7831. operator:
  7832. description: |-
  7833. operator represents a key's relationship to a set of values.
  7834. Valid operators are In, NotIn, Exists and DoesNotExist.
  7835. type: string
  7836. values:
  7837. description: |-
  7838. values is an array of string values. If the operator is In or NotIn,
  7839. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  7840. the values array must be empty. This array is replaced during a strategic
  7841. merge patch.
  7842. items:
  7843. type: string
  7844. type: array
  7845. x-kubernetes-list-type: atomic
  7846. required:
  7847. - key
  7848. - operator
  7849. type: object
  7850. type: array
  7851. x-kubernetes-list-type: atomic
  7852. matchLabels:
  7853. additionalProperties:
  7854. type: string
  7855. description: |-
  7856. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  7857. map is equivalent to an element of matchExpressions, whose key field is "key", the
  7858. operator is "In", and the values array contains only "value". The requirements are ANDed.
  7859. type: object
  7860. type: object
  7861. x-kubernetes-map-type: atomic
  7862. namespaces:
  7863. description: Choose namespaces by name
  7864. items:
  7865. type: string
  7866. type: array
  7867. type: object
  7868. type: array
  7869. controller:
  7870. description: |-
  7871. Used to select the correct ESO controller (think: ingress.ingressClassName)
  7872. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  7873. type: string
  7874. provider:
  7875. description: Used to configure the provider. Only one provider may be set
  7876. maxProperties: 1
  7877. minProperties: 1
  7878. properties:
  7879. akeyless:
  7880. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  7881. properties:
  7882. akeylessGWApiURL:
  7883. description: Akeyless Gateway API URL from which secrets are fetched.
  7884. type: string
  7885. authSecretRef:
  7886. description: Auth configures how the operator authenticates with Akeyless.
  7887. properties:
  7888. kubernetesAuth:
  7889. description: |-
  7890. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  7891. token stored in the named Secret resource.
  7892. properties:
  7893. accessID:
  7894. description: the Akeyless Kubernetes auth-method access-id
  7895. type: string
  7896. k8sConfName:
  7897. description: Kubernetes-auth configuration name in Akeyless-Gateway
  7898. type: string
  7899. secretRef:
  7900. description: |-
  7901. Optional secret field containing a Kubernetes ServiceAccount JWT used
  7902. for authenticating with Akeyless. If a name is specified without a key,
  7903. `token` is the default. If one is not specified, the one bound to
  7904. the controller will be used.
  7905. properties:
  7906. key:
  7907. description: |-
  7908. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7909. defaulted, in others it may be required.
  7910. type: string
  7911. name:
  7912. description: The name of the Secret resource being referred to.
  7913. type: string
  7914. namespace:
  7915. description: |-
  7916. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7917. to the namespace of the referent.
  7918. type: string
  7919. type: object
  7920. serviceAccountRef:
  7921. description: |-
  7922. Optional service account field containing the name of a kubernetes ServiceAccount.
  7923. If the service account is specified, the service account secret token JWT will be used
  7924. for authenticating with Akeyless. If the service account selector is not supplied,
  7925. the secretRef will be used instead.
  7926. properties:
  7927. audiences:
  7928. description: |-
  7929. Audiences specifies the `aud` claim for the service account token.
  7930. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  7931. then these audiences are appended to that list.
  7932. items:
  7933. type: string
  7934. type: array
  7935. name:
  7936. description: The name of the ServiceAccount resource being referred to.
  7937. type: string
  7938. namespace:
  7939. description: |-
  7940. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7941. to the namespace of the referent.
  7942. type: string
  7943. required:
  7944. - name
  7945. type: object
  7946. required:
  7947. - accessID
  7948. - k8sConfName
  7949. type: object
  7950. secretRef:
  7951. description: |-
  7952. Reference to a Secret that contains the details
  7953. to authenticate with Akeyless.
  7954. properties:
  7955. accessID:
  7956. description: The SecretAccessID is used for authentication
  7957. properties:
  7958. key:
  7959. description: |-
  7960. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7961. defaulted, in others it may be required.
  7962. type: string
  7963. name:
  7964. description: The name of the Secret resource being referred to.
  7965. type: string
  7966. namespace:
  7967. description: |-
  7968. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7969. to the namespace of the referent.
  7970. type: string
  7971. type: object
  7972. accessType:
  7973. description: |-
  7974. A reference to a specific 'key' within a Secret resource,
  7975. In some instances, `key` is a required field.
  7976. properties:
  7977. key:
  7978. description: |-
  7979. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7980. defaulted, in others it may be required.
  7981. type: string
  7982. name:
  7983. description: The name of the Secret resource being referred to.
  7984. type: string
  7985. namespace:
  7986. description: |-
  7987. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  7988. to the namespace of the referent.
  7989. type: string
  7990. type: object
  7991. accessTypeParam:
  7992. description: |-
  7993. A reference to a specific 'key' within a Secret resource,
  7994. In some instances, `key` is a required field.
  7995. properties:
  7996. key:
  7997. description: |-
  7998. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  7999. defaulted, in others it may be required.
  8000. type: string
  8001. name:
  8002. description: The name of the Secret resource being referred to.
  8003. type: string
  8004. namespace:
  8005. description: |-
  8006. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8007. to the namespace of the referent.
  8008. type: string
  8009. type: object
  8010. type: object
  8011. type: object
  8012. caBundle:
  8013. description: |-
  8014. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  8015. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  8016. are used to validate the TLS connection.
  8017. format: byte
  8018. type: string
  8019. caProvider:
  8020. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  8021. properties:
  8022. key:
  8023. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8024. type: string
  8025. name:
  8026. description: The name of the object located at the provider type.
  8027. type: string
  8028. namespace:
  8029. description: |-
  8030. The namespace the Provider type is in.
  8031. Can only be defined when used in a ClusterSecretStore.
  8032. type: string
  8033. type:
  8034. description: The type of provider to use such as "Secret", or "ConfigMap".
  8035. enum:
  8036. - Secret
  8037. - ConfigMap
  8038. type: string
  8039. required:
  8040. - name
  8041. - type
  8042. type: object
  8043. required:
  8044. - akeylessGWApiURL
  8045. - authSecretRef
  8046. type: object
  8047. alibaba:
  8048. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  8049. properties:
  8050. auth:
  8051. description: AlibabaAuth contains a secretRef for credentials.
  8052. properties:
  8053. rrsa:
  8054. description: Authenticate against Alibaba using RRSA.
  8055. properties:
  8056. oidcProviderArn:
  8057. type: string
  8058. oidcTokenFilePath:
  8059. type: string
  8060. roleArn:
  8061. type: string
  8062. sessionName:
  8063. type: string
  8064. required:
  8065. - oidcProviderArn
  8066. - oidcTokenFilePath
  8067. - roleArn
  8068. - sessionName
  8069. type: object
  8070. secretRef:
  8071. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  8072. properties:
  8073. accessKeyIDSecretRef:
  8074. description: The AccessKeyID is used for authentication
  8075. properties:
  8076. key:
  8077. description: |-
  8078. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8079. defaulted, in others it may be required.
  8080. type: string
  8081. name:
  8082. description: The name of the Secret resource being referred to.
  8083. type: string
  8084. namespace:
  8085. description: |-
  8086. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8087. to the namespace of the referent.
  8088. type: string
  8089. type: object
  8090. accessKeySecretSecretRef:
  8091. description: The AccessKeySecret is used for authentication
  8092. properties:
  8093. key:
  8094. description: |-
  8095. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8096. defaulted, in others it may be required.
  8097. type: string
  8098. name:
  8099. description: The name of the Secret resource being referred to.
  8100. type: string
  8101. namespace:
  8102. description: |-
  8103. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8104. to the namespace of the referent.
  8105. type: string
  8106. type: object
  8107. required:
  8108. - accessKeyIDSecretRef
  8109. - accessKeySecretSecretRef
  8110. type: object
  8111. type: object
  8112. regionID:
  8113. description: Alibaba Region to be used for the provider
  8114. type: string
  8115. required:
  8116. - auth
  8117. - regionID
  8118. type: object
  8119. aws:
  8120. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  8121. properties:
  8122. additionalRoles:
  8123. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  8124. items:
  8125. type: string
  8126. type: array
  8127. auth:
  8128. description: |-
  8129. Auth defines the information necessary to authenticate against AWS.
  8130. If not set, the AWS SDK infers credentials from the controller's own environment
  8131. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  8132. properties:
  8133. jwt:
  8134. description: Authenticate against AWS using service account tokens.
  8135. properties:
  8136. serviceAccountRef:
  8137. description: A reference to a ServiceAccount resource.
  8138. properties:
  8139. audiences:
  8140. description: |-
  8141. Audience specifies the `aud` claim for the service account token
  8142. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8143. then this audiences will be appended to the list
  8144. items:
  8145. type: string
  8146. type: array
  8147. name:
  8148. description: The name of the ServiceAccount resource being referred to.
  8149. type: string
  8150. namespace:
  8151. description: |-
  8152. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8153. to the namespace of the referent.
  8154. type: string
  8155. required:
  8156. - name
  8157. type: object
  8158. type: object
  8159. secretRef:
  8160. description: |-
  8161. AWSAuthSecretRef holds secret references for AWS credentials
  8162. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  8163. properties:
  8164. accessKeyIDSecretRef:
  8165. description: The AccessKeyID is used for authentication
  8166. properties:
  8167. key:
  8168. description: |-
  8169. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8170. defaulted, in others it may be required.
  8171. type: string
  8172. name:
  8173. description: The name of the Secret resource being referred to.
  8174. type: string
  8175. namespace:
  8176. description: |-
  8177. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8178. to the namespace of the referent.
  8179. type: string
  8180. type: object
  8181. secretAccessKeySecretRef:
  8182. description: The SecretAccessKey is used for authentication
  8183. properties:
  8184. key:
  8185. description: |-
  8186. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8187. defaulted, in others it may be required.
  8188. type: string
  8189. name:
  8190. description: The name of the Secret resource being referred to.
  8191. type: string
  8192. namespace:
  8193. description: |-
  8194. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8195. to the namespace of the referent.
  8196. type: string
  8197. type: object
  8198. sessionTokenSecretRef:
  8199. description: |-
  8200. The SessionToken used for authentication
  8201. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  8202. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  8203. properties:
  8204. key:
  8205. description: |-
  8206. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8207. defaulted, in others it may be required.
  8208. type: string
  8209. name:
  8210. description: The name of the Secret resource being referred to.
  8211. type: string
  8212. namespace:
  8213. description: |-
  8214. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8215. to the namespace of the referent.
  8216. type: string
  8217. type: object
  8218. type: object
  8219. type: object
  8220. externalID:
  8221. description: AWS External ID set on assumed IAM roles; the role's trust policy can require it to guard against the confused-deputy problem.
  8222. type: string
  8223. region:
  8224. description: AWS Region to be used for the provider
  8225. type: string
  8226. role:
  8227. description: Role is a Role ARN which the provider will assume
  8228. type: string
  8229. secretsManager:
  8230. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  8231. properties:
  8232. forceDeleteWithoutRecovery:
  8233. description: |-
  8234. Specifies whether to delete the secret without any recovery window. You
  8235. can't use both this parameter and RecoveryWindowInDays in the same call.
  8236. If you don't use either, then by default Secrets Manager uses a 30 day
  8237. recovery window.
  8238. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  8239. type: boolean
  8240. recoveryWindowInDays:
  8241. description: |-
  8242. The number of days from 7 to 30 that Secrets Manager waits before
  8243. permanently deleting the secret. You can't use both this parameter and
  8244. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  8245. then by default Secrets Manager uses a 30 day recovery window.
  8246. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  8247. format: int64
  8248. type: integer
  8249. type: object
  8250. service:
  8251. description: Service defines which service should be used to fetch the secrets
  8252. enum:
  8253. - SecretsManager
  8254. - ParameterStore
  8255. type: string
  8256. sessionTags:
  8257. description: AWS STS assume role session tags
  8258. items:
  8259. properties:
  8260. key:
  8261. type: string
  8262. value:
  8263. type: string
  8264. required:
  8265. - key
  8266. - value
  8267. type: object
  8268. type: array
  8269. transitiveTagKeys:
  8270. description: AWS STS assume role transitive session tags. Required when multiple roles are chained (see additionalRoles) so the tags persist across each assumed role.
  8271. items:
  8272. type: string
  8273. type: array
  8274. required:
  8275. - region
  8276. - service
  8277. type: object
  8278. azurekv:
  8279. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  8280. properties:
  8281. authSecretRef:
  8282. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  8283. properties:
  8284. clientCertificate:
  8285. description: The Azure ClientCertificate of the service principal used for authentication.
  8286. properties:
  8287. key:
  8288. description: |-
  8289. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8290. defaulted, in others it may be required.
  8291. type: string
  8292. name:
  8293. description: The name of the Secret resource being referred to.
  8294. type: string
  8295. namespace:
  8296. description: |-
  8297. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8298. to the namespace of the referent.
  8299. type: string
  8300. type: object
  8301. clientId:
  8302. description: The Azure clientId of the service principal or managed identity used for authentication.
  8303. properties:
  8304. key:
  8305. description: |-
  8306. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8307. defaulted, in others it may be required.
  8308. type: string
  8309. name:
  8310. description: The name of the Secret resource being referred to.
  8311. type: string
  8312. namespace:
  8313. description: |-
  8314. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8315. to the namespace of the referent.
  8316. type: string
  8317. type: object
  8318. clientSecret:
  8319. description: The Azure ClientSecret of the service principal used for authentication.
  8320. properties:
  8321. key:
  8322. description: |-
  8323. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8324. defaulted, in others it may be required.
  8325. type: string
  8326. name:
  8327. description: The name of the Secret resource being referred to.
  8328. type: string
  8329. namespace:
  8330. description: |-
  8331. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8332. to the namespace of the referent.
  8333. type: string
  8334. type: object
  8335. tenantId:
  8336. description: The Azure tenantId of the managed identity used for authentication.
  8337. properties:
  8338. key:
  8339. description: |-
  8340. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8341. defaulted, in others it may be required.
  8342. type: string
  8343. name:
  8344. description: The name of the Secret resource being referred to.
  8345. type: string
  8346. namespace:
  8347. description: |-
  8348. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8349. to the namespace of the referent.
  8350. type: string
  8351. type: object
  8352. type: object
  8353. authType:
  8354. default: ServicePrincipal
  8355. description: |-
  8356. Auth type defines how to authenticate to the keyvault service.
  8357. Valid values are:
  8358. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  8359. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  8360. enum:
  8361. - ServicePrincipal
  8362. - ManagedIdentity
  8363. - WorkloadIdentity
  8364. type: string
  8365. environmentType:
  8366. default: PublicCloud
  8367. description: |-
  8368. EnvironmentType specifies the Azure cloud environment endpoints to use for
  8369. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  8370. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  8371. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  8372. enum:
  8373. - PublicCloud
  8374. - USGovernmentCloud
  8375. - ChinaCloud
  8376. - GermanCloud
  8377. type: string
  8378. identityId:
  8379. description: If multiple Managed Identities are assigned to the pod, selects the one to use.
  8380. type: string
  8381. serviceAccountRef:
  8382. description: |-
  8383. ServiceAccountRef specified the service account
  8384. that should be used when authenticating with WorkloadIdentity.
  8385. properties:
  8386. audiences:
  8387. description: |-
  8388. Audience specifies the `aud` claim for the service account token
  8389. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  8390. then this audiences will be appended to the list
  8391. items:
  8392. type: string
  8393. type: array
  8394. name:
  8395. description: The name of the ServiceAccount resource being referred to.
  8396. type: string
  8397. namespace:
  8398. description: |-
  8399. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8400. to the namespace of the referent.
  8401. type: string
  8402. required:
  8403. - name
  8404. type: object
  8405. tenantId:
  8406. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  8407. type: string
  8408. vaultUrl:
8409. description: Vault URL from which the secrets are to be fetched.
  8410. type: string
  8411. required:
  8412. - vaultUrl
  8413. type: object
  8414. bitwardensecretsmanager:
8415. description: BitwardenSecretsManager configures this store to sync secrets using the BitwardenSecretsManager provider
  8416. properties:
  8417. apiURL:
  8418. type: string
  8419. auth:
  8420. description: |-
  8421. Auth configures how secret-manager authenticates with a bitwarden machine account instance.
  8422. Make sure that the token being used has permissions on the given secret.
  8423. properties:
  8424. secretRef:
  8425. description: BitwardenSecretsManagerSecretRef contains the credential ref to the bitwarden instance.
  8426. properties:
  8427. credentials:
  8428. description: AccessToken used for the bitwarden instance.
  8429. properties:
  8430. key:
  8431. description: |-
  8432. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8433. defaulted, in others it may be required.
  8434. type: string
  8435. name:
  8436. description: The name of the Secret resource being referred to.
  8437. type: string
  8438. namespace:
  8439. description: |-
  8440. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8441. to the namespace of the referent.
  8442. type: string
  8443. type: object
  8444. required:
  8445. - credentials
  8446. type: object
  8447. required:
  8448. - secretRef
  8449. type: object
  8450. bitwardenServerSDKURL:
  8451. type: string
  8452. caBundle:
  8453. description: |-
  8454. Base64 encoded certificate for the bitwarden server sdk. The sdk MUST run with HTTPS to make sure no MITM attack
  8455. can be performed.
  8456. type: string
  8457. identityURL:
  8458. type: string
  8459. organizationID:
  8460. description: OrganizationID determines which organization this secret store manages.
  8461. type: string
  8462. projectID:
  8463. description: ProjectID determines which project this secret store manages.
  8464. type: string
  8465. required:
  8466. - auth
  8467. - caBundle
  8468. - organizationID
  8469. - projectID
  8470. type: object
  8471. chef:
  8472. description: Chef configures this store to sync secrets with chef server
  8473. properties:
  8474. auth:
  8475. description: Auth defines the information necessary to authenticate against chef Server
  8476. properties:
  8477. secretRef:
  8478. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  8479. properties:
  8480. privateKeySecretRef:
  8481. description: SecretKey is the Signing Key in PEM format, used for authentication.
  8482. properties:
  8483. key:
  8484. description: |-
  8485. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8486. defaulted, in others it may be required.
  8487. type: string
  8488. name:
  8489. description: The name of the Secret resource being referred to.
  8490. type: string
  8491. namespace:
  8492. description: |-
  8493. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8494. to the namespace of the referent.
  8495. type: string
  8496. type: object
  8497. required:
  8498. - privateKeySecretRef
  8499. type: object
  8500. required:
  8501. - secretRef
  8502. type: object
  8503. serverUrl:
8504. description: ServerURL is the chef server URL to connect to. If using orgs, include your org in the URL and terminate the URL with a "/"
  8505. type: string
  8506. username:
  8507. description: UserName should be the user ID on the chef server
  8508. type: string
  8509. required:
  8510. - auth
  8511. - serverUrl
  8512. - username
  8513. type: object
  8514. conjur:
  8515. description: Conjur configures this store to sync secrets using conjur provider
  8516. properties:
  8517. auth:
  8518. properties:
  8519. apikey:
  8520. properties:
  8521. account:
  8522. type: string
  8523. apiKeyRef:
  8524. description: |-
8525. A reference to a specific 'key' within a Secret resource.
8526. In some instances, `key` is a required field.
  8527. properties:
  8528. key:
  8529. description: |-
  8530. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8531. defaulted, in others it may be required.
  8532. type: string
  8533. name:
  8534. description: The name of the Secret resource being referred to.
  8535. type: string
  8536. namespace:
  8537. description: |-
  8538. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8539. to the namespace of the referent.
  8540. type: string
  8541. type: object
  8542. userRef:
  8543. description: |-
8544. A reference to a specific 'key' within a Secret resource.
8545. In some instances, `key` is a required field.
  8546. properties:
  8547. key:
  8548. description: |-
  8549. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8550. defaulted, in others it may be required.
  8551. type: string
  8552. name:
  8553. description: The name of the Secret resource being referred to.
  8554. type: string
  8555. namespace:
  8556. description: |-
  8557. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8558. to the namespace of the referent.
  8559. type: string
  8560. type: object
  8561. required:
  8562. - account
  8563. - apiKeyRef
  8564. - userRef
  8565. type: object
  8566. jwt:
  8567. properties:
  8568. account:
  8569. type: string
  8570. hostId:
  8571. description: |-
  8572. Optional HostID for JWT authentication. This may be used depending
  8573. on how the Conjur JWT authenticator policy is configured.
  8574. type: string
  8575. secretRef:
  8576. description: |-
8577. Optional SecretRef that refers to a key in a Secret resource containing the JWT token used to
8578. authenticate with Conjur using the JWT authentication method.
  8579. properties:
  8580. key:
  8581. description: |-
  8582. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8583. defaulted, in others it may be required.
  8584. type: string
  8585. name:
  8586. description: The name of the Secret resource being referred to.
  8587. type: string
  8588. namespace:
  8589. description: |-
  8590. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8591. to the namespace of the referent.
  8592. type: string
  8593. type: object
  8594. serviceAccountRef:
  8595. description: |-
8596. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
8597. a token with the `TokenRequest` API.
  8598. properties:
  8599. audiences:
  8600. description: |-
8601. Audiences specifies the `aud` claim for the service account token.
8602. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
8603. then these audiences will be appended to the list.
  8604. items:
  8605. type: string
  8606. type: array
  8607. name:
  8608. description: The name of the ServiceAccount resource being referred to.
  8609. type: string
  8610. namespace:
  8611. description: |-
  8612. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8613. to the namespace of the referent.
  8614. type: string
  8615. required:
  8616. - name
  8617. type: object
  8618. serviceID:
  8619. description: The conjur authn jwt webservice id
  8620. type: string
  8621. required:
  8622. - account
  8623. - serviceID
  8624. type: object
  8625. type: object
  8626. caBundle:
  8627. type: string
  8628. caProvider:
  8629. description: |-
  8630. Used to provide custom certificate authority (CA) certificates
  8631. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  8632. that contains a PEM-encoded certificate.
  8633. properties:
  8634. key:
  8635. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  8636. type: string
  8637. name:
  8638. description: The name of the object located at the provider type.
  8639. type: string
  8640. namespace:
  8641. description: |-
  8642. The namespace the Provider type is in.
  8643. Can only be defined when used in a ClusterSecretStore.
  8644. type: string
  8645. type:
  8646. description: The type of provider to use such as "Secret", or "ConfigMap".
  8647. enum:
  8648. - Secret
  8649. - ConfigMap
  8650. type: string
  8651. required:
  8652. - name
  8653. - type
  8654. type: object
  8655. url:
  8656. type: string
  8657. required:
  8658. - auth
  8659. - url
  8660. type: object
  8661. delinea:
  8662. description: |-
  8663. Delinea DevOps Secrets Vault
  8664. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  8665. properties:
  8666. clientId:
  8667. description: ClientID is the non-secret part of the credential.
  8668. properties:
  8669. secretRef:
  8670. description: SecretRef references a key in a secret that will be used as value.
  8671. properties:
  8672. key:
  8673. description: |-
  8674. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8675. defaulted, in others it may be required.
  8676. type: string
  8677. name:
  8678. description: The name of the Secret resource being referred to.
  8679. type: string
  8680. namespace:
  8681. description: |-
  8682. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8683. to the namespace of the referent.
  8684. type: string
  8685. type: object
  8686. value:
  8687. description: Value can be specified directly to set a value without using a secret.
  8688. type: string
  8689. type: object
  8690. clientSecret:
  8691. description: ClientSecret is the secret part of the credential.
  8692. properties:
  8693. secretRef:
  8694. description: SecretRef references a key in a secret that will be used as value.
  8695. properties:
  8696. key:
  8697. description: |-
  8698. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8699. defaulted, in others it may be required.
  8700. type: string
  8701. name:
  8702. description: The name of the Secret resource being referred to.
  8703. type: string
  8704. namespace:
  8705. description: |-
  8706. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8707. to the namespace of the referent.
  8708. type: string
  8709. type: object
  8710. value:
8711. description: Value can be specified directly to set a value without using a secret (the value then lives in this resource's spec rather than in a Secret).
  8712. type: string
  8713. type: object
  8714. tenant:
  8715. description: Tenant is the chosen hostname / site name.
  8716. type: string
  8717. tld:
  8718. description: |-
  8719. TLD is based on the server location that was chosen during provisioning.
  8720. If unset, defaults to "com".
  8721. type: string
  8722. urlTemplate:
  8723. description: |-
8724. URLTemplate is the template used to build request URLs.
8725. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  8726. type: string
  8727. required:
  8728. - clientId
  8729. - clientSecret
  8730. - tenant
  8731. type: object
  8732. device42:
  8733. description: Device42 configures this store to sync secrets using the Device42 provider
  8734. properties:
  8735. auth:
  8736. description: Auth configures how secret-manager authenticates with a Device42 instance.
  8737. properties:
  8738. secretRef:
  8739. properties:
  8740. credentials:
  8741. description: Username / Password is used for authentication.
  8742. properties:
  8743. key:
  8744. description: |-
  8745. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8746. defaulted, in others it may be required.
  8747. type: string
  8748. name:
  8749. description: The name of the Secret resource being referred to.
  8750. type: string
  8751. namespace:
  8752. description: |-
  8753. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8754. to the namespace of the referent.
  8755. type: string
  8756. type: object
  8757. type: object
  8758. required:
  8759. - secretRef
  8760. type: object
  8761. host:
8762. description: Host configures the Device42 instance URL.
  8763. type: string
  8764. required:
  8765. - auth
  8766. - host
  8767. type: object
  8768. doppler:
  8769. description: Doppler configures this store to sync secrets using the Doppler provider
  8770. properties:
  8771. auth:
  8772. description: Auth configures how the Operator authenticates with the Doppler API
  8773. properties:
  8774. secretRef:
  8775. properties:
  8776. dopplerToken:
  8777. description: |-
  8778. The DopplerToken is used for authentication.
  8779. See https://docs.doppler.com/reference/api#authentication for auth token types.
  8780. The Key attribute defaults to dopplerToken if not specified.
  8781. properties:
  8782. key:
  8783. description: |-
  8784. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8785. defaulted, in others it may be required.
  8786. type: string
  8787. name:
  8788. description: The name of the Secret resource being referred to.
  8789. type: string
  8790. namespace:
  8791. description: |-
  8792. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8793. to the namespace of the referent.
  8794. type: string
  8795. type: object
  8796. required:
  8797. - dopplerToken
  8798. type: object
  8799. required:
  8800. - secretRef
  8801. type: object
  8802. config:
  8803. description: Doppler config (required if not using a Service Token)
  8804. type: string
  8805. format:
  8806. description: Format enables the downloading of secrets as a file (string)
  8807. enum:
  8808. - json
  8809. - dotnet-json
  8810. - env
  8811. - yaml
  8812. - docker
  8813. type: string
  8814. nameTransformer:
  8815. description: Environment variable compatible name transforms that change secret names to a different format
  8816. enum:
  8817. - upper-camel
  8818. - camel
  8819. - lower-snake
  8820. - tf-var
  8821. - dotnet-env
  8822. - lower-kebab
  8823. type: string
  8824. project:
  8825. description: Doppler project (required if not using a Service Token)
  8826. type: string
  8827. required:
  8828. - auth
  8829. type: object
  8830. fake:
  8831. description: Fake configures a store with static key/value pairs
  8832. properties:
  8833. data:
  8834. items:
  8835. properties:
  8836. key:
  8837. type: string
  8838. value:
  8839. type: string
  8840. valueMap:
  8841. additionalProperties:
  8842. type: string
  8843. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  8844. type: object
  8845. version:
  8846. type: string
  8847. required:
  8848. - key
  8849. type: object
  8850. type: array
  8851. required:
  8852. - data
  8853. type: object
  8854. fortanix:
  8855. description: Fortanix configures this store to sync secrets using the Fortanix provider
  8856. properties:
  8857. apiKey:
  8858. description: APIKey is the API token to access SDKMS Applications.
  8859. properties:
  8860. secretRef:
  8861. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  8862. properties:
  8863. key:
  8864. description: |-
  8865. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8866. defaulted, in others it may be required.
  8867. type: string
  8868. name:
  8869. description: The name of the Secret resource being referred to.
  8870. type: string
  8871. namespace:
  8872. description: |-
  8873. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8874. to the namespace of the referent.
  8875. type: string
  8876. type: object
  8877. type: object
  8878. apiUrl:
8879. description: APIURL is the URL of the SDKMS API. Defaults to `sdkms.fortanix.com`.
  8880. type: string
  8881. type: object
  8882. gcpsm:
  8883. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  8884. properties:
  8885. auth:
  8886. description: Auth defines the information necessary to authenticate against GCP
  8887. properties:
  8888. secretRef:
  8889. properties:
  8890. secretAccessKeySecretRef:
  8891. description: The SecretAccessKey is used for authentication
  8892. properties:
  8893. key:
  8894. description: |-
  8895. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8896. defaulted, in others it may be required.
  8897. type: string
  8898. name:
  8899. description: The name of the Secret resource being referred to.
  8900. type: string
  8901. namespace:
  8902. description: |-
  8903. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8904. to the namespace of the referent.
  8905. type: string
  8906. type: object
  8907. type: object
  8908. workloadIdentity:
  8909. properties:
  8910. clusterLocation:
  8911. type: string
  8912. clusterName:
  8913. type: string
  8914. clusterProjectID:
  8915. type: string
  8916. serviceAccountRef:
  8917. description: A reference to a ServiceAccount resource.
  8918. properties:
  8919. audiences:
  8920. description: |-
8921. Audiences specifies the `aud` claim for the service account token.
8922. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
8923. then these audiences will be appended to the list.
  8924. items:
  8925. type: string
  8926. type: array
  8927. name:
  8928. description: The name of the ServiceAccount resource being referred to.
  8929. type: string
  8930. namespace:
  8931. description: |-
  8932. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8933. to the namespace of the referent.
  8934. type: string
  8935. required:
  8936. - name
  8937. type: object
  8938. required:
  8939. - clusterLocation
  8940. - clusterName
  8941. - serviceAccountRef
  8942. type: object
  8943. type: object
  8944. location:
  8945. description: Location optionally defines a location for a secret
  8946. type: string
  8947. projectID:
8948. description: ProjectID is the project where the secret is located
  8949. type: string
  8950. type: object
  8951. gitlab:
  8952. description: GitLab configures this store to sync secrets using GitLab Variables provider
  8953. properties:
  8954. auth:
  8955. description: Auth configures how secret-manager authenticates with a GitLab instance.
  8956. properties:
  8957. SecretRef:
  8958. properties:
  8959. accessToken:
  8960. description: AccessToken is used for authentication.
  8961. properties:
  8962. key:
  8963. description: |-
  8964. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  8965. defaulted, in others it may be required.
  8966. type: string
  8967. name:
  8968. description: The name of the Secret resource being referred to.
  8969. type: string
  8970. namespace:
  8971. description: |-
  8972. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  8973. to the namespace of the referent.
  8974. type: string
  8975. type: object
  8976. type: object
  8977. required:
  8978. - SecretRef
  8979. type: object
  8980. environment:
8981. description: Environment is the environment_scope of GitLab CI/CD variables (see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment for how to create environments)
  8982. type: string
  8983. groupIDs:
8984. description: GroupIDs specifies which GitLab groups to pull secrets from. Group secrets are read from left to right, followed by the project variables.
  8985. items:
  8986. type: string
  8987. type: array
  8988. inheritFromGroups:
  8989. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  8990. type: boolean
  8991. projectID:
  8992. description: ProjectID specifies a project where secrets are located.
  8993. type: string
  8994. url:
  8995. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  8996. type: string
  8997. required:
  8998. - auth
  8999. type: object
  9000. ibm:
  9001. description: IBM configures this store to sync secrets using IBM Cloud provider
  9002. properties:
  9003. auth:
  9004. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  9005. maxProperties: 1
  9006. minProperties: 1
  9007. properties:
  9008. containerAuth:
  9009. description: IBM Container-based auth with IAM Trusted Profile.
  9010. properties:
  9011. iamEndpoint:
  9012. type: string
  9013. profile:
9014. description: The IBM Trusted Profile used for authentication
  9015. type: string
  9016. tokenLocation:
9017. description: Location where the token is mounted on the pod
  9018. type: string
  9019. required:
  9020. - profile
  9021. type: object
  9022. secretRef:
  9023. properties:
  9024. secretApiKeySecretRef:
  9025. description: The SecretAccessKey is used for authentication
  9026. properties:
  9027. key:
  9028. description: |-
  9029. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9030. defaulted, in others it may be required.
  9031. type: string
  9032. name:
  9033. description: The name of the Secret resource being referred to.
  9034. type: string
  9035. namespace:
  9036. description: |-
  9037. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9038. to the namespace of the referent.
  9039. type: string
  9040. type: object
  9041. type: object
  9042. type: object
  9043. serviceUrl:
  9044. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  9045. type: string
  9046. required:
  9047. - auth
  9048. type: object
  9049. infisical:
  9050. description: Infisical configures this store to sync secrets using the Infisical provider
  9051. properties:
  9052. auth:
  9053. description: Auth configures how the Operator authenticates with the Infisical API
  9054. properties:
  9055. universalAuthCredentials:
  9056. properties:
  9057. clientId:
  9058. description: |-
9059. A reference to a specific 'key' within a Secret resource.
9060. In some instances, `key` is a required field.
  9061. properties:
  9062. key:
  9063. description: |-
  9064. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9065. defaulted, in others it may be required.
  9066. type: string
  9067. name:
  9068. description: The name of the Secret resource being referred to.
  9069. type: string
  9070. namespace:
  9071. description: |-
  9072. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9073. to the namespace of the referent.
  9074. type: string
  9075. type: object
  9076. clientSecret:
  9077. description: |-
9078. A reference to a specific 'key' within a Secret resource.
9079. In some instances, `key` is a required field.
  9080. properties:
  9081. key:
  9082. description: |-
  9083. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9084. defaulted, in others it may be required.
  9085. type: string
  9086. name:
  9087. description: The name of the Secret resource being referred to.
  9088. type: string
  9089. namespace:
  9090. description: |-
  9091. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9092. to the namespace of the referent.
  9093. type: string
  9094. type: object
  9095. required:
  9096. - clientId
  9097. - clientSecret
  9098. type: object
  9099. type: object
  9100. hostAPI:
  9101. default: https://app.infisical.com/api
  9102. type: string
  9103. secretsScope:
  9104. properties:
  9105. environmentSlug:
  9106. type: string
  9107. projectSlug:
  9108. type: string
  9109. secretsPath:
  9110. default: /
  9111. type: string
  9112. required:
  9113. - environmentSlug
  9114. - projectSlug
  9115. type: object
  9116. required:
  9117. - auth
  9118. - secretsScope
  9119. type: object
  9120. keepersecurity:
  9121. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  9122. properties:
  9123. authRef:
  9124. description: |-
9125. A reference to a specific 'key' within a Secret resource.
9126. In some instances, `key` is a required field.
  9127. properties:
  9128. key:
  9129. description: |-
  9130. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9131. defaulted, in others it may be required.
  9132. type: string
  9133. name:
  9134. description: The name of the Secret resource being referred to.
  9135. type: string
  9136. namespace:
  9137. description: |-
  9138. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9139. to the namespace of the referent.
  9140. type: string
  9141. type: object
  9142. folderID:
  9143. type: string
  9144. required:
  9145. - authRef
  9146. - folderID
  9147. type: object
  9148. kubernetes:
  9149. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  9150. properties:
  9151. auth:
  9152. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  9153. maxProperties: 1
  9154. minProperties: 1
  9155. properties:
  9156. cert:
9157. description: Cert holds both clientCert and clientKey as secretKeySelectors
  9158. properties:
  9159. clientCert:
  9160. description: |-
9161. A reference to a specific 'key' within a Secret resource.
9162. In some instances, `key` is a required field.
  9163. properties:
  9164. key:
  9165. description: |-
  9166. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9167. defaulted, in others it may be required.
  9168. type: string
  9169. name:
  9170. description: The name of the Secret resource being referred to.
  9171. type: string
  9172. namespace:
  9173. description: |-
  9174. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9175. to the namespace of the referent.
  9176. type: string
  9177. type: object
  9178. clientKey:
  9179. description: |-
9180. A reference to a specific 'key' within a Secret resource.
9181. In some instances, `key` is a required field.
  9182. properties:
  9183. key:
  9184. description: |-
  9185. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9186. defaulted, in others it may be required.
  9187. type: string
  9188. name:
  9189. description: The name of the Secret resource being referred to.
  9190. type: string
  9191. namespace:
  9192. description: |-
  9193. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9194. to the namespace of the referent.
  9195. type: string
  9196. type: object
  9197. type: object
  9198. serviceAccount:
9199. description: ServiceAccount points to a service account that should be used for authentication
  9200. properties:
  9201. audiences:
  9202. description: |-
9203. Audiences specifies the `aud` claim for the service account token.
9204. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
9205. then these audiences will be appended to the list.
  9206. items:
  9207. type: string
  9208. type: array
  9209. name:
  9210. description: The name of the ServiceAccount resource being referred to.
  9211. type: string
  9212. namespace:
  9213. description: |-
  9214. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9215. to the namespace of the referent.
  9216. type: string
  9217. required:
  9218. - name
  9219. type: object
  9220. token:
9221. description: Token uses a static bearer token to authenticate with
  9222. properties:
  9223. bearerToken:
  9224. description: |-
9225. A reference to a specific 'key' within a Secret resource.
9226. In some instances, `key` is a required field.
  9227. properties:
  9228. key:
  9229. description: |-
  9230. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9231. defaulted, in others it may be required.
  9232. type: string
  9233. name:
  9234. description: The name of the Secret resource being referred to.
  9235. type: string
  9236. namespace:
  9237. description: |-
  9238. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9239. to the namespace of the referent.
  9240. type: string
  9241. type: object
  9242. type: object
  9243. type: object
  9244. remoteNamespace:
  9245. default: default
  9246. description: Remote namespace to fetch the secrets from
  9247. type: string
  9248. server:
9249. description: Server configures the Kubernetes server address.
  9250. properties:
  9251. caBundle:
  9252. description: CABundle is a base64-encoded CA certificate
  9253. format: byte
  9254. type: string
  9255. caProvider:
  9256. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  9257. properties:
  9258. key:
  9259. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  9260. type: string
  9261. name:
  9262. description: The name of the object located at the provider type.
  9263. type: string
  9264. namespace:
  9265. description: |-
  9266. The namespace the Provider type is in.
  9267. Can only be defined when used in a ClusterSecretStore.
  9268. type: string
  9269. type:
  9270. description: The type of provider to use such as "Secret", or "ConfigMap".
  9271. enum:
  9272. - Secret
  9273. - ConfigMap
  9274. type: string
  9275. required:
  9276. - name
  9277. - type
  9278. type: object
  9279. url:
  9280. default: kubernetes.default
9281. description: URL configures the Kubernetes server address.
  9282. type: string
  9283. type: object
  9284. required:
  9285. - auth
  9286. type: object
  9287. onboardbase:
  9288. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  9289. properties:
  9290. apiHost:
  9291. default: https://public.onboardbase.com/api/v1/
  9292. description: APIHost configures the host URL of the API for self-hosted installations; the default is https://public.onboardbase.com/api/v1/
  9293. type: string
  9294. auth:
  9295. description: Auth configures how the Operator authenticates with the Onboardbase API
  9296. properties:
  9297. apiKeyRef:
  9298. description: |-
  9299. OnboardbaseAPIKey is the APIKey generated by an admin account.
  9300. It is used to recognize and authorize access to a project and environment within onboardbase
  9301. properties:
  9302. key:
  9303. description: |-
  9304. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9305. defaulted, in others it may be required.
  9306. type: string
  9307. name:
  9308. description: The name of the Secret resource being referred to.
  9309. type: string
  9310. namespace:
  9311. description: |-
  9312. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9313. to the namespace of the referent.
  9314. type: string
  9315. type: object
  9316. passcodeRef:
  9317. description: OnboardbasePasscode is the passcode attached to the API Key
  9318. properties:
  9319. key:
  9320. description: |-
  9321. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9322. defaulted, in others it may be required.
  9323. type: string
  9324. name:
  9325. description: The name of the Secret resource being referred to.
  9326. type: string
  9327. namespace:
  9328. description: |-
  9329. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9330. to the namespace of the referent.
  9331. type: string
  9332. type: object
  9333. required:
  9334. - apiKeyRef
  9335. - passcodeRef
  9336. type: object
  9337. environment:
  9338. default: development
  9339. description: Environment is the name of an environment within a project to pull the secrets from
  9340. type: string
  9341. project:
  9342. default: development
  9343. description: Project is an onboardbase project that the secrets should be pulled from
  9344. type: string
  9345. required:
  9346. - apiHost
  9347. - auth
  9348. - environment
  9349. - project
  9350. type: object
  9351. onepassword:
  9352. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  9353. properties:
  9354. auth:
  9355. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  9356. properties:
  9357. secretRef:
  9358. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  9359. properties:
  9360. connectTokenSecretRef:
  9361. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  9362. properties:
  9363. key:
  9364. description: |-
  9365. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9366. defaulted, in others it may be required.
  9367. type: string
  9368. name:
  9369. description: The name of the Secret resource being referred to.
  9370. type: string
  9371. namespace:
  9372. description: |-
  9373. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9374. to the namespace of the referent.
  9375. type: string
  9376. type: object
  9377. required:
  9378. - connectTokenSecretRef
  9379. type: object
  9380. required:
  9381. - secretRef
  9382. type: object
  9383. connectHost:
  9384. description: ConnectHost defines the OnePassword Connect Server to connect to
  9385. type: string
  9386. vaults:
  9387. additionalProperties:
  9388. type: integer
  9389. description: Vaults defines which OnePassword vaults to search in which order
  9390. type: object
  9391. required:
  9392. - auth
  9393. - connectHost
  9394. - vaults
  9395. type: object
  9396. oracle:
  9397. description: Oracle configures this store to sync secrets using Oracle Vault provider
  9398. properties:
  9399. auth:
  9400. description: |-
  9401. Auth configures how secret-manager authenticates with the Oracle Vault.
  9402. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  9403. properties:
  9404. secretRef:
  9405. description: SecretRef to pass through sensitive information.
  9406. properties:
  9407. fingerprint:
  9408. description: Fingerprint is the fingerprint of the API private key.
  9409. properties:
  9410. key:
  9411. description: |-
  9412. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9413. defaulted, in others it may be required.
  9414. type: string
  9415. name:
  9416. description: The name of the Secret resource being referred to.
  9417. type: string
  9418. namespace:
  9419. description: |-
  9420. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9421. to the namespace of the referent.
  9422. type: string
  9423. type: object
  9424. privatekey:
  9425. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  9426. properties:
  9427. key:
  9428. description: |-
  9429. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9430. defaulted, in others it may be required.
  9431. type: string
  9432. name:
  9433. description: The name of the Secret resource being referred to.
  9434. type: string
  9435. namespace:
  9436. description: |-
  9437. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9438. to the namespace of the referent.
  9439. type: string
  9440. type: object
  9441. required:
  9442. - fingerprint
  9443. - privatekey
  9444. type: object
  9445. tenancy:
  9446. description: Tenancy is the tenancy OCID where the user is located.
  9447. type: string
  9448. user:
  9449. description: User is an access OCID specific to the account.
  9450. type: string
  9451. required:
  9452. - secretRef
  9453. - tenancy
  9454. - user
  9455. type: object
  9456. compartment:
  9457. description: |-
  9458. Compartment is the vault compartment OCID.
  9459. Required for PushSecret
  9460. type: string
  9461. encryptionKey:
  9462. description: |-
  9463. EncryptionKey is the OCID of the encryption key within the vault.
  9464. Required for PushSecret
  9465. type: string
  9466. principalType:
  9467. description: |-
  9468. The type of principal to use for authentication. If left blank, the Auth struct will
  9469. determine the principal type. This optional field must be specified if using
  9470. workload identity.
  9471. enum:
  9472. - ""
  9473. - UserPrincipal
  9474. - InstancePrincipal
  9475. - Workload
  9476. type: string
  9477. region:
  9478. description: Region is the region where vault is located.
  9479. type: string
  9480. serviceAccountRef:
  9481. description: |-
  9482. ServiceAccountRef specifies the service account
  9483. that should be used when authenticating with WorkloadIdentity.
  9484. properties:
  9485. audiences:
  9486. description: |-
  9487. Audience specifies the `aud` claim for the service account token
  9488. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9489. then these audiences will be appended to the list
  9490. items:
  9491. type: string
  9492. type: array
  9493. name:
  9494. description: The name of the ServiceAccount resource being referred to.
  9495. type: string
  9496. namespace:
  9497. description: |-
  9498. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9499. to the namespace of the referent.
  9500. type: string
  9501. required:
  9502. - name
  9503. type: object
  9504. vault:
  9505. description: Vault is the OCID of the specific vault where the secret is located.
  9506. type: string
  9507. required:
  9508. - region
  9509. - vault
  9510. type: object
  9511. passbolt:
  9512. properties:
  9513. auth:
  9514. description: Auth defines the information necessary to authenticate against Passbolt Server
  9515. properties:
  9516. passwordSecretRef:
  9517. description: |-
  9518. A reference to a specific 'key' within a Secret resource,
  9519. In some instances, `key` is a required field.
  9520. properties:
  9521. key:
  9522. description: |-
  9523. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9524. defaulted, in others it may be required.
  9525. type: string
  9526. name:
  9527. description: The name of the Secret resource being referred to.
  9528. type: string
  9529. namespace:
  9530. description: |-
  9531. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9532. to the namespace of the referent.
  9533. type: string
  9534. type: object
  9535. privateKeySecretRef:
  9536. description: |-
  9537. A reference to a specific 'key' within a Secret resource,
  9538. In some instances, `key` is a required field.
  9539. properties:
  9540. key:
  9541. description: |-
  9542. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9543. defaulted, in others it may be required.
  9544. type: string
  9545. name:
  9546. description: The name of the Secret resource being referred to.
  9547. type: string
  9548. namespace:
  9549. description: |-
  9550. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9551. to the namespace of the referent.
  9552. type: string
  9553. type: object
  9554. required:
  9555. - passwordSecretRef
  9556. - privateKeySecretRef
  9557. type: object
  9558. host:
  9559. description: Host defines the Passbolt Server to connect to
  9560. type: string
  9561. required:
  9562. - auth
  9563. - host
  9564. type: object
  9565. passworddepot:
  9566. description: Configures a store to sync secrets with a Password Depot instance.
  9567. properties:
  9568. auth:
  9569. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  9570. properties:
  9571. secretRef:
  9572. properties:
  9573. credentials:
  9574. description: Username / Password is used for authentication.
  9575. properties:
  9576. key:
  9577. description: |-
  9578. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9579. defaulted, in others it may be required.
  9580. type: string
  9581. name:
  9582. description: The name of the Secret resource being referred to.
  9583. type: string
  9584. namespace:
  9585. description: |-
  9586. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9587. to the namespace of the referent.
  9588. type: string
  9589. type: object
  9590. type: object
  9591. required:
  9592. - secretRef
  9593. type: object
  9594. database:
  9595. description: Database to use as source
  9596. type: string
  9597. host:
  9598. description: URL configures the Password Depot instance URL.
  9599. type: string
  9600. required:
  9601. - auth
  9602. - database
  9603. - host
  9604. type: object
  9605. pulumi:
  9606. description: Pulumi configures this store to sync secrets using the Pulumi provider
  9607. properties:
  9608. accessToken:
  9609. description: AccessToken is the access token used to sign in to the Pulumi Cloud Console.
  9610. properties:
  9611. secretRef:
  9612. description: SecretRef is a reference to a secret containing the Pulumi API token.
  9613. properties:
  9614. key:
  9615. description: |-
  9616. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9617. defaulted, in others it may be required.
  9618. type: string
  9619. name:
  9620. description: The name of the Secret resource being referred to.
  9621. type: string
  9622. namespace:
  9623. description: |-
  9624. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9625. to the namespace of the referent.
  9626. type: string
  9627. type: object
  9628. type: object
  9629. apiUrl:
  9630. default: https://api.pulumi.com
  9631. description: APIURL is the URL of the Pulumi API.
  9632. type: string
  9633. environment:
  9634. description: |-
  9635. Environment is a YAML document composed of static key-value pairs, programmatic expressions,
  9636. dynamically retrieved values from supported providers including all major clouds,
  9637. and other Pulumi ESC environments.
  9638. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  9639. type: string
  9640. organization:
  9641. description: |-
  9642. Organization is a space to collaborate on shared projects and stacks.
  9643. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  9644. type: string
  9645. required:
  9646. - accessToken
  9647. - environment
  9648. - organization
  9649. type: object
  9650. scaleway:
  9651. description: Scaleway
  9652. properties:
  9653. accessKey:
  9654. description: AccessKey is the non-secret part of the api key.
  9655. properties:
  9656. secretRef:
  9657. description: SecretRef references a key in a secret that will be used as value.
  9658. properties:
  9659. key:
  9660. description: |-
  9661. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9662. defaulted, in others it may be required.
  9663. type: string
  9664. name:
  9665. description: The name of the Secret resource being referred to.
  9666. type: string
  9667. namespace:
  9668. description: |-
  9669. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9670. to the namespace of the referent.
  9671. type: string
  9672. type: object
  9673. value:
  9674. description: Value can be specified directly to set a value without using a secret.
  9675. type: string
  9676. type: object
  9677. apiUrl:
  9678. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  9679. type: string
  9680. projectId:
  9681. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  9682. type: string
  9683. region:
  9684. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  9685. type: string
  9686. secretKey:
  9687. description: SecretKey is the non-secret part of the api key.
  9688. properties:
  9689. secretRef:
  9690. description: SecretRef references a key in a secret that will be used as value.
  9691. properties:
  9692. key:
  9693. description: |-
  9694. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9695. defaulted, in others it may be required.
  9696. type: string
  9697. name:
  9698. description: The name of the Secret resource being referred to.
  9699. type: string
  9700. namespace:
  9701. description: |-
  9702. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9703. to the namespace of the referent.
  9704. type: string
  9705. type: object
  9706. value:
  9707. description: Value can be specified directly to set a value without using a secret.
  9708. type: string
  9709. type: object
  9710. required:
  9711. - accessKey
  9712. - projectId
  9713. - region
  9714. - secretKey
  9715. type: object
  9716. secretserver:
  9717. description: |-
  9718. SecretServer configures this store to sync secrets using SecretServer provider
  9719. https://docs.delinea.com/online-help/secret-server/start.htm
  9720. properties:
  9721. password:
  9722. description: Password is the secret server account password.
  9723. properties:
  9724. secretRef:
  9725. description: SecretRef references a key in a secret that will be used as value.
  9726. properties:
  9727. key:
  9728. description: |-
  9729. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9730. defaulted, in others it may be required.
  9731. type: string
  9732. name:
  9733. description: The name of the Secret resource being referred to.
  9734. type: string
  9735. namespace:
  9736. description: |-
  9737. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9738. to the namespace of the referent.
  9739. type: string
  9740. type: object
  9741. value:
  9742. description: Value can be specified directly to set a value without using a secret.
  9743. type: string
  9744. type: object
  9745. serverURL:
  9746. description: |-
  9747. ServerURL
  9748. URL to your secret server installation
  9749. type: string
  9750. username:
  9751. description: Username is the secret server account username.
  9752. properties:
  9753. secretRef:
  9754. description: SecretRef references a key in a secret that will be used as value.
  9755. properties:
  9756. key:
  9757. description: |-
  9758. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9759. defaulted, in others it may be required.
  9760. type: string
  9761. name:
  9762. description: The name of the Secret resource being referred to.
  9763. type: string
  9764. namespace:
  9765. description: |-
  9766. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9767. to the namespace of the referent.
  9768. type: string
  9769. type: object
  9770. value:
  9771. description: Value can be specified directly to set a value without using a secret.
  9772. type: string
  9773. type: object
  9774. required:
  9775. - password
  9776. - serverURL
  9777. - username
  9778. type: object
  9779. senhasegura:
  9780. description: Senhasegura configures this store to sync secrets using senhasegura provider
  9781. properties:
  9782. auth:
  9783. description: Auth defines parameters to authenticate in senhasegura
  9784. properties:
  9785. clientId:
  9786. type: string
  9787. clientSecretSecretRef:
  9788. description: |-
  9789. A reference to a specific 'key' within a Secret resource,
  9790. In some instances, `key` is a required field.
  9791. properties:
  9792. key:
  9793. description: |-
  9794. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9795. defaulted, in others it may be required.
  9796. type: string
  9797. name:
  9798. description: The name of the Secret resource being referred to.
  9799. type: string
  9800. namespace:
  9801. description: |-
  9802. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9803. to the namespace of the referent.
  9804. type: string
  9805. type: object
  9806. required:
  9807. - clientId
  9808. - clientSecretSecretRef
  9809. type: object
  9810. ignoreSslCertificate:
  9811. default: false
  9812. description: IgnoreSslCertificate defines whether the server's SSL certificate must be ignored (i.e. TLS certificate verification is skipped)
  9813. type: boolean
  9814. module:
  9815. description: Module defines which senhasegura module should be used to get secrets
  9816. type: string
  9817. url:
  9818. description: URL of senhasegura
  9819. type: string
  9820. required:
  9821. - auth
  9822. - module
  9823. - url
  9824. type: object
  9825. vault:
  9826. description: Vault configures this store to sync secrets using Hashi provider
  9827. properties:
  9828. auth:
  9829. description: Auth configures how secret-manager authenticates with the Vault server.
  9830. properties:
  9831. appRole:
  9832. description: |-
  9833. AppRole authenticates with Vault using the App Role auth mechanism,
  9834. with the role and secret stored in a Kubernetes Secret resource.
  9835. properties:
  9836. path:
  9837. default: approle
  9838. description: |-
  9839. Path where the App Role authentication backend is mounted
  9840. in Vault, e.g: "approle"
  9841. type: string
  9842. roleId:
  9843. description: |-
  9844. RoleID configured in the App Role authentication backend when setting
  9845. up the authentication backend in Vault.
  9846. type: string
  9847. roleRef:
  9848. description: |-
  9849. Reference to a key in a Secret that contains the App Role ID used
  9850. to authenticate with Vault.
  9851. The `key` field must be specified and denotes which entry within the Secret
  9852. resource is used as the app role id.
  9853. properties:
  9854. key:
  9855. description: |-
  9856. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9857. defaulted, in others it may be required.
  9858. type: string
  9859. name:
  9860. description: The name of the Secret resource being referred to.
  9861. type: string
  9862. namespace:
  9863. description: |-
  9864. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9865. to the namespace of the referent.
  9866. type: string
  9867. type: object
  9868. secretRef:
  9869. description: |-
  9870. Reference to a key in a Secret that contains the App Role secret used
  9871. to authenticate with Vault.
  9872. The `key` field must be specified and denotes which entry within the Secret
  9873. resource is used as the app role secret.
  9874. properties:
  9875. key:
  9876. description: |-
  9877. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9878. defaulted, in others it may be required.
  9879. type: string
  9880. name:
  9881. description: The name of the Secret resource being referred to.
  9882. type: string
  9883. namespace:
  9884. description: |-
  9885. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9886. to the namespace of the referent.
  9887. type: string
  9888. type: object
  9889. required:
  9890. - path
  9891. - secretRef
  9892. type: object
  9893. cert:
  9894. description: |-
  9895. Cert authenticates with Vault using the Cert authentication method by passing a client certificate,
  9896. private key and CA certificate
  9897. properties:
  9898. clientCert:
  9899. description: |-
  9900. ClientCert is a certificate to authenticate using the Cert Vault
  9901. authentication method
  9902. properties:
  9903. key:
  9904. description: |-
  9905. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9906. defaulted, in others it may be required.
  9907. type: string
  9908. name:
  9909. description: The name of the Secret resource being referred to.
  9910. type: string
  9911. namespace:
  9912. description: |-
  9913. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9914. to the namespace of the referent.
  9915. type: string
  9916. type: object
  9917. secretRef:
  9918. description: |-
  9919. SecretRef to a key in a Secret resource containing client private key to
  9920. authenticate with Vault using the Cert authentication method
  9921. properties:
  9922. key:
  9923. description: |-
  9924. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9925. defaulted, in others it may be required.
  9926. type: string
  9927. name:
  9928. description: The name of the Secret resource being referred to.
  9929. type: string
  9930. namespace:
  9931. description: |-
  9932. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9933. to the namespace of the referent.
  9934. type: string
  9935. type: object
  9936. type: object
  9937. iam:
  9938. description: |-
  9939. Iam authenticates with Vault using the AWS IAM authentication method by passing a special AWS request
  9940. signed with AWS IAM credentials
  9941. properties:
  9942. externalID:
  9943. description: AWS External ID set on assumed IAM roles
  9944. type: string
  9945. jwt:
  9946. description: Specify a service account with IRSA enabled
  9947. properties:
  9948. serviceAccountRef:
  9949. description: A reference to a ServiceAccount resource.
  9950. properties:
  9951. audiences:
  9952. description: |-
  9953. Audience specifies the `aud` claim for the service account token
  9954. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  9955. then these audiences will be appended to the list
  9956. items:
  9957. type: string
  9958. type: array
  9959. name:
  9960. description: The name of the ServiceAccount resource being referred to.
  9961. type: string
  9962. namespace:
  9963. description: |-
  9964. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9965. to the namespace of the referent.
  9966. type: string
  9967. required:
  9968. - name
  9969. type: object
  9970. type: object
  9971. path:
  9972. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  9973. type: string
  9974. region:
  9975. description: AWS region
  9976. type: string
  9977. role:
  9978. description: This is the AWS role to be assumed before talking to vault
  9979. type: string
  9980. secretRef:
  9981. description: Specify credentials in a Secret object
  9982. properties:
  9983. accessKeyIDSecretRef:
  9984. description: The AccessKeyID is used for authentication
  9985. properties:
  9986. key:
  9987. description: |-
  9988. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  9989. defaulted, in others it may be required.
  9990. type: string
  9991. name:
  9992. description: The name of the Secret resource being referred to.
  9993. type: string
  9994. namespace:
  9995. description: |-
  9996. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  9997. to the namespace of the referent.
  9998. type: string
  9999. type: object
  10000. secretAccessKeySecretRef:
  10001. description: The SecretAccessKey is used for authentication
  10002. properties:
  10003. key:
  10004. description: |-
  10005. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10006. defaulted, in others it may be required.
  10007. type: string
  10008. name:
  10009. description: The name of the Secret resource being referred to.
  10010. type: string
  10011. namespace:
  10012. description: |-
  10013. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10014. to the namespace of the referent.
  10015. type: string
  10016. type: object
  10017. sessionTokenSecretRef:
  10018. description: |-
  10019. The SessionToken used for authentication
  10020. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  10021. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  10022. properties:
  10023. key:
  10024. description: |-
  10025. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10026. defaulted, in others it may be required.
  10027. type: string
  10028. name:
  10029. description: The name of the Secret resource being referred to.
  10030. type: string
  10031. namespace:
  10032. description: |-
  10033. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10034. to the namespace of the referent.
  10035. type: string
  10036. type: object
  10037. type: object
  10038. vaultAwsIamServerID:
  10039. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  10040. type: string
  10041. vaultRole:
  10042. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine
  10043. type: string
  10044. required:
  10045. - vaultRole
  10046. type: object
  10047. jwt:
  10048. description: |-
  10049. Jwt authenticates with Vault by passing role and JWT token using the
  10050. JWT/OIDC authentication method
  10051. properties:
  10052. kubernetesServiceAccountToken:
  10053. description: |-
  10054. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  10055. a token with the `TokenRequest` API.
  10056. properties:
  10057. audiences:
  10058. description: |-
  10059. Optional audiences field that will be used to request a temporary Kubernetes service
  10060. account token for the service account referenced by `serviceAccountRef`.
  10061. Defaults to a single audience `vault` if not specified.
  10062. Deprecated: use serviceAccountRef.Audiences instead
  10063. items:
  10064. type: string
  10065. type: array
  10066. expirationSeconds:
  10067. description: |-
  10068. Optional expiration time in seconds that will be used to request a temporary
  10069. Kubernetes service account token for the service account referenced by
  10070. `serviceAccountRef`.
  10071. Deprecated: this will be removed in the future.
  10072. Defaults to 10 minutes.
  10073. format: int64
  10074. type: integer
  10075. serviceAccountRef:
  10076. description: Service account field containing the name of a kubernetes ServiceAccount.
  10077. properties:
  10078. audiences:
  10079. description: |-
  10080. Audience specifies the `aud` claim for the service account token
  10081. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  10082. then these audiences will be appended to the list
  10083. items:
  10084. type: string
  10085. type: array
  10086. name:
  10087. description: The name of the ServiceAccount resource being referred to.
  10088. type: string
  10089. namespace:
  10090. description: |-
  10091. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10092. to the namespace of the referent.
  10093. type: string
  10094. required:
  10095. - name
  10096. type: object
  10097. required:
  10098. - serviceAccountRef
  10099. type: object
  10100. path:
  10101. default: jwt
  10102. description: |-
  10103. Path where the JWT authentication backend is mounted
  10104. in Vault, e.g: "jwt"
  10105. type: string
  10106. role:
  10107. description: |-
  10108. Role is a JWT role to authenticate using the JWT/OIDC Vault
  10109. authentication method
  10110. type: string
  10111. secretRef:
  10112. description: |-
  10113. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  10114. authenticate with Vault using the JWT/OIDC authentication method.
  10115. properties:
  10116. key:
  10117. description: |-
  10118. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10119. defaulted, in others it may be required.
  10120. type: string
  10121. name:
  10122. description: The name of the Secret resource being referred to.
  10123. type: string
  10124. namespace:
  10125. description: |-
  10126. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10127. to the namespace of the referent.
  10128. type: string
  10129. type: object
  10130. required:
  10131. - path
  10132. type: object
  10133. kubernetes:
  10134. description: |-
  10135. Kubernetes authenticates with Vault by passing the ServiceAccount
  10136. token stored in the named Secret resource to the Vault server.
  10137. properties:
  10138. mountPath:
  10139. default: kubernetes
  10140. description: |-
  10141. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  10142. "kubernetes"
  10143. type: string
  10144. role:
  10145. description: |-
  10146. A required field containing the Vault Role to assume. A Role binds a
  10147. Kubernetes ServiceAccount with a set of Vault policies.
  10148. type: string
  10149. secretRef:
  10150. description: |-
  10151. Optional secret field containing a Kubernetes ServiceAccount JWT used
  10152. for authenticating with Vault. If a name is specified without a key,
  10153. `token` is the default. If no secretRef is specified, the JWT bound to
  10154. the controller will be used.
  10155. properties:
  10156. key:
  10157. description: |-
  10158. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10159. defaulted, in others it may be required.
  10160. type: string
  10161. name:
  10162. description: The name of the Secret resource being referred to.
  10163. type: string
  10164. namespace:
  10165. description: |-
  10166. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10167. to the namespace of the referent.
  10168. type: string
  10169. type: object
  10170. serviceAccountRef:
  10171. description: |-
  10172. Optional service account field containing the name of a kubernetes ServiceAccount.
  10173. If the service account is specified, the service account secret token JWT will be used
  10174. for authenticating with Vault. If the service account selector is not supplied,
  10175. the secretRef will be used instead.
  10176. properties:
  10177. audiences:
  10178. description: |-
  10179. Audience specifies the `aud` claim for the service account token
  10180. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  10181. then these audiences will be appended to the list.
  10182. items:
  10183. type: string
  10184. type: array
  10185. name:
  10186. description: The name of the ServiceAccount resource being referred to.
  10187. type: string
  10188. namespace:
  10189. description: |-
  10190. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10191. to the namespace of the referent.
  10192. type: string
  10193. required:
  10194. - name
  10195. type: object
  10196. required:
  10197. - mountPath
  10198. - role
  10199. type: object
  10200. ldap:
  10201. description: |-
  10202. Ldap authenticates with Vault by passing a username/password pair using
  10203. the LDAP authentication method.
  10204. properties:
  10205. path:
  10206. default: ldap
  10207. description: |-
  10208. Path where the LDAP authentication backend is mounted
  10209. in Vault, e.g: "ldap"
  10210. type: string
  10211. secretRef:
  10212. description: |-
  10213. SecretRef to a key in a Secret resource containing password for the LDAP
  10214. user used to authenticate with Vault using the LDAP authentication
  10215. method
  10216. properties:
  10217. key:
  10218. description: |-
  10219. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10220. defaulted, in others it may be required.
  10221. type: string
  10222. name:
  10223. description: The name of the Secret resource being referred to.
  10224. type: string
  10225. namespace:
  10226. description: |-
  10227. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10228. to the namespace of the referent.
  10229. type: string
  10230. type: object
  10231. username:
  10232. description: |-
  10233. Username is a LDAP user name used to authenticate using the LDAP Vault
  10234. authentication method
  10235. type: string
  10236. required:
  10237. - path
  10238. - username
  10239. type: object
  10240. namespace:
  10241. description: |-
  10242. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  10243. Namespaces are a set of features within Vault Enterprise that allow
  10244. Vault environments to support secure multi-tenancy, e.g. "ns1".
  10245. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  10246. This defaults to the Vault.Namespace field if set, or empty otherwise.
  10247. type: string
  10248. tokenSecretRef:
  10249. description: TokenSecretRef authenticates with Vault by presenting a token.
  10250. properties:
  10251. key:
  10252. description: |-
  10253. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10254. defaulted, in others it may be required.
  10255. type: string
  10256. name:
  10257. description: The name of the Secret resource being referred to.
  10258. type: string
  10259. namespace:
  10260. description: |-
  10261. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10262. to the namespace of the referent.
  10263. type: string
  10264. type: object
  10265. userPass:
  10266. description: UserPass authenticates with Vault by passing a username/password pair
  10267. properties:
  10268. path:
  10269. default: user
  10270. description: |-
  10271. Path where the UserPassword authentication backend is mounted
  10272. in Vault, e.g: "user"
  10273. type: string
  10274. secretRef:
  10275. description: |-
  10276. SecretRef to a key in a Secret resource containing password for the
  10277. user used to authenticate with Vault using the UserPass authentication
  10278. method
  10279. properties:
  10280. key:
  10281. description: |-
  10282. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10283. defaulted, in others it may be required.
  10284. type: string
  10285. name:
  10286. description: The name of the Secret resource being referred to.
  10287. type: string
  10288. namespace:
  10289. description: |-
  10290. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10291. to the namespace of the referent.
  10292. type: string
  10293. type: object
  10294. username:
  10295. description: |-
  10296. Username is a user name used to authenticate using the UserPass Vault
  10297. authentication method
  10298. type: string
  10299. required:
  10300. - path
  10301. - username
  10302. type: object
  10303. type: object
  10304. caBundle:
  10305. description: |-
  10306. PEM encoded CA bundle used to validate Vault server certificate. Only used
  10307. if the Server URL is using HTTPS protocol. This parameter is ignored for
  10308. plain HTTP protocol connection. If not set the system root certificates
  10309. are used to validate the TLS connection.
  10310. format: byte
  10311. type: string
  10312. caProvider:
  10313. description: The provider for the CA bundle to use to validate Vault server certificate.
  10314. properties:
  10315. key:
  10316. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  10317. type: string
  10318. name:
  10319. description: The name of the object located at the provider type.
  10320. type: string
  10321. namespace:
  10322. description: |-
  10323. The namespace the Provider type is in.
  10324. Can only be defined when used in a ClusterSecretStore.
  10325. type: string
  10326. type:
  10327. description: The type of provider to use such as "Secret", or "ConfigMap".
  10328. enum:
  10329. - Secret
  10330. - ConfigMap
  10331. type: string
  10332. required:
  10333. - name
  10334. - type
  10335. type: object
  10336. forwardInconsistent:
  10337. description: |-
  10338. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  10339. leader instead of simply retrying within a loop. This can increase performance if
  10340. the option is enabled serverside.
  10341. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  10342. type: boolean
  10343. namespace:
  10344. description: |-
  10345. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  10346. Vault environments to support secure multi-tenancy, e.g. "ns1".
  10347. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  10348. type: string
  10349. path:
  10350. description: |-
  10351. Path is the mount path of the Vault KV backend endpoint, e.g:
  10352. "secret". The v2 KV secret engine version specific "/data" path suffix
  10353. for fetching secrets from Vault is optional and will be appended
  10354. if not present in specified path.
  10355. type: string
  10356. readYourWrites:
  10357. description: |-
  10358. ReadYourWrites ensures isolated read-after-write semantics by
  10359. providing discovered cluster replication states in each request.
  10360. More information about eventual consistency in Vault can be found here
  10361. https://www.vaultproject.io/docs/enterprise/consistency
  10362. type: boolean
  10363. server:
  10364. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  10365. type: string
  10366. tls:
  10367. description: |-
  10368. The configuration used for client side related TLS communication, when the Vault server
  10369. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  10370. This parameter is ignored for plain HTTP protocol connection.
  10371. It's worth noting this configuration is different from the "TLS certificates auth method",
  10372. which is available under the `auth.cert` section.
  10373. properties:
  10374. certSecretRef:
  10375. description: |-
  10376. CertSecretRef is a certificate added to the transport layer
  10377. when communicating with the Vault server.
  10378. If no key for the Secret is specified, external-secrets will default to 'tls.crt'.
  10379. properties:
  10380. key:
  10381. description: |-
  10382. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10383. defaulted, in others it may be required.
  10384. type: string
  10385. name:
  10386. description: The name of the Secret resource being referred to.
  10387. type: string
  10388. namespace:
  10389. description: |-
  10390. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10391. to the namespace of the referent.
  10392. type: string
  10393. type: object
  10394. keySecretRef:
  10395. description: |-
  10396. KeySecretRef to a key in a Secret resource containing client private key
  10397. added to the transport layer when communicating with the Vault server.
  10398. If no key for the Secret is specified, external-secrets will default to 'tls.key'.
  10399. properties:
  10400. key:
  10401. description: |-
  10402. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10403. defaulted, in others it may be required.
  10404. type: string
  10405. name:
  10406. description: The name of the Secret resource being referred to.
  10407. type: string
  10408. namespace:
  10409. description: |-
  10410. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10411. to the namespace of the referent.
  10412. type: string
  10413. type: object
  10414. type: object
  10415. version:
  10416. default: v2
  10417. description: |-
  10418. Version is the Vault KV secret engine version. This can be either "v1" or
  10419. "v2". Version defaults to "v2".
  10420. enum:
  10421. - v1
  10422. - v2
  10423. type: string
  10424. required:
  10425. - auth
  10426. - server
  10427. type: object
  10428. webhook:
  10429. description: Webhook configures this store to sync secrets using a generic templated webhook
  10430. properties:
  10431. body:
  10432. description: Body
  10433. type: string
  10434. caBundle:
  10435. description: |-
  10436. PEM encoded CA bundle used to validate webhook server certificate. Only used
  10437. if the Server URL is using HTTPS protocol. This parameter is ignored for
  10438. plain HTTP protocol connection. If not set the system root certificates
  10439. are used to validate the TLS connection.
  10440. format: byte
  10441. type: string
  10442. caProvider:
  10443. description: The provider for the CA bundle to use to validate webhook server certificate.
  10444. properties:
  10445. key:
  10446. description: The key of the value inside the provider type to use; only used with the "Secret" type.
  10447. type: string
  10448. name:
  10449. description: The name of the object located at the provider type.
  10450. type: string
  10451. namespace:
  10452. description: The namespace the Provider type is in.
  10453. type: string
  10454. type:
  10455. description: The type of provider to use such as "Secret", or "ConfigMap".
  10456. enum:
  10457. - Secret
  10458. - ConfigMap
  10459. type: string
  10460. required:
  10461. - name
  10462. - type
  10463. type: object
  10464. headers:
  10465. additionalProperties:
  10466. type: string
  10467. description: Headers
  10468. type: object
  10469. method:
  10470. description: Webhook Method
  10471. type: string
  10472. result:
  10473. description: Result formatting
  10474. properties:
  10475. jsonPath:
  10476. description: Json path of return value
  10477. type: string
  10478. type: object
  10479. secrets:
  10480. description: |-
  10481. Secrets to fill in templates
  10482. These secrets will be passed to the templating function as key value pairs under the given name
  10483. items:
  10484. properties:
  10485. name:
  10486. description: Name of this secret in templates
  10487. type: string
  10488. secretRef:
  10489. description: Secret ref to fill in credentials
  10490. properties:
  10491. key:
  10492. description: |-
  10493. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10494. defaulted, in others it may be required.
  10495. type: string
  10496. name:
  10497. description: The name of the Secret resource being referred to.
  10498. type: string
  10499. namespace:
  10500. description: |-
  10501. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10502. to the namespace of the referent.
  10503. type: string
  10504. type: object
  10505. required:
  10506. - name
  10507. - secretRef
  10508. type: object
  10509. type: array
  10510. timeout:
  10511. description: Timeout
  10512. type: string
  10513. url:
  10514. description: Webhook url to call
  10515. type: string
  10516. required:
  10517. - result
  10518. - url
  10519. type: object
  10520. yandexcertificatemanager:
  10521. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  10522. properties:
  10523. apiEndpoint:
  10524. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  10525. type: string
  10526. auth:
  10527. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  10528. properties:
  10529. authorizedKeySecretRef:
  10530. description: The authorized key used for authentication
  10531. properties:
  10532. key:
  10533. description: |-
  10534. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10535. defaulted, in others it may be required.
  10536. type: string
  10537. name:
  10538. description: The name of the Secret resource being referred to.
  10539. type: string
  10540. namespace:
  10541. description: |-
  10542. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10543. to the namespace of the referent.
  10544. type: string
  10545. type: object
  10546. type: object
  10547. caProvider:
  10548. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10549. properties:
  10550. certSecretRef:
  10551. description: |-
  10552. A reference to a specific 'key' within a Secret resource.
  10553. In some instances, `key` is a required field.
  10554. properties:
  10555. key:
  10556. description: |-
  10557. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10558. defaulted, in others it may be required.
  10559. type: string
  10560. name:
  10561. description: The name of the Secret resource being referred to.
  10562. type: string
  10563. namespace:
  10564. description: |-
  10565. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10566. to the namespace of the referent.
  10567. type: string
  10568. type: object
  10569. type: object
  10570. required:
  10571. - auth
  10572. type: object
  10573. yandexlockbox:
  10574. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  10575. properties:
  10576. apiEndpoint:
  10577. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  10578. type: string
  10579. auth:
  10580. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  10581. properties:
  10582. authorizedKeySecretRef:
  10583. description: The authorized key used for authentication
  10584. properties:
  10585. key:
  10586. description: |-
  10587. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10588. defaulted, in others it may be required.
  10589. type: string
  10590. name:
  10591. description: The name of the Secret resource being referred to.
  10592. type: string
  10593. namespace:
  10594. description: |-
  10595. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10596. to the namespace of the referent.
  10597. type: string
  10598. type: object
  10599. type: object
  10600. caProvider:
  10601. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  10602. properties:
  10603. certSecretRef:
  10604. description: |-
  10605. A reference to a specific 'key' within a Secret resource.
  10606. In some instances, `key` is a required field.
  10607. properties:
  10608. key:
  10609. description: |-
  10610. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10611. defaulted, in others it may be required.
  10612. type: string
  10613. name:
  10614. description: The name of the Secret resource being referred to.
  10615. type: string
  10616. namespace:
  10617. description: |-
  10618. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10619. to the namespace of the referent.
  10620. type: string
  10621. type: object
  10622. type: object
  10623. required:
  10624. - auth
  10625. type: object
  10626. type: object
  10627. refreshInterval:
  10628. description: Used to configure the store refresh interval in seconds. Empty or 0 defaults to the controller configuration.
  10629. type: integer
  10630. retrySettings:
  10631. description: Used to configure HTTP retries on failure.
  10632. properties:
  10633. maxRetries:
  10634. format: int32
  10635. type: integer
  10636. retryInterval:
  10637. type: string
  10638. type: object
  10639. required:
  10640. - provider
  10641. type: object
  10642. status:
  10643. description: SecretStoreStatus defines the observed state of the SecretStore.
  10644. properties:
  10645. capabilities:
  10646. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  10647. type: string
  10648. conditions:
  10649. items:
  10650. properties:
  10651. lastTransitionTime:
  10652. format: date-time
  10653. type: string
  10654. message:
  10655. type: string
  10656. reason:
  10657. type: string
  10658. status:
  10659. type: string
  10660. type:
  10661. type: string
  10662. required:
  10663. - status
  10664. - type
  10665. type: object
  10666. type: array
  10667. type: object
  10668. type: object
  10669. served: true
  10670. storage: true
  10671. subresources:
  10672. status: {}
  10673. conversion:
  10674. strategy: Webhook
  10675. webhook:
  10676. conversionReviewVersions:
  10677. - v1
  10678. clientConfig:
  10679. service:
  10680. name: kubernetes
  10681. namespace: default
  10682. path: /convert
  10683. ---
  10684. apiVersion: apiextensions.k8s.io/v1
  10685. kind: CustomResourceDefinition
  10686. metadata:
  10687. annotations:
  10688. controller-gen.kubebuilder.io/version: v0.15.0
  10689. labels:
  10690. external-secrets.io/component: controller
  10691. name: acraccesstokens.generators.external-secrets.io
  10692. spec:
  10693. group: generators.external-secrets.io
  10694. names:
  10695. categories:
  10696. - acraccesstoken
  10697. kind: ACRAccessToken
  10698. listKind: ACRAccessTokenList
  10699. plural: acraccesstokens
  10700. shortNames:
  10701. - acraccesstoken
  10702. singular: acraccesstoken
  10703. scope: Namespaced
  10704. versions:
  10705. - name: v1alpha1
  10706. schema:
  10707. openAPIV3Schema:
  10708. description: |-
  10709. ACRAccessToken returns an Azure Container Registry token
  10710. that can be used for pushing/pulling images.
  10711. Note: by default it returns an ACR Refresh Token with full access
  10712. (depending on the identity).
  10713. This can be scoped down to the repository level using .spec.scope.
  10714. If a scope is defined, it returns an ACR Access Token instead.
  10715. See docs: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md
  10716. properties:
  10717. apiVersion:
  10718. description: |-
  10719. APIVersion defines the versioned schema of this representation of an object.
  10720. Servers should convert recognized schemas to the latest internal value, and
  10721. may reject unrecognized values.
  10722. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10723. type: string
  10724. kind:
  10725. description: |-
  10726. Kind is a string value representing the REST resource this object represents.
  10727. Servers may infer this from the endpoint the client submits requests to.
  10728. Cannot be updated.
  10729. In CamelCase.
  10730. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10731. type: string
  10732. metadata:
  10733. type: object
  10734. spec:
  10735. description: |-
  10736. ACRAccessTokenSpec defines how to generate the access token
  10737. e.g. how to authenticate and which registry to use.
  10738. see: https://github.com/Azure/acr/blob/main/docs/AAD-OAuth.md#overview
  10739. properties:
  10740. auth:
  10741. properties:
  10742. managedIdentity:
  10743. description: ManagedIdentity uses Azure Managed Identity to authenticate with Azure.
  10744. properties:
  10745. identityId:
  10746. description: If multiple Managed Identities are assigned to the pod, this selects the one to be used.
  10747. type: string
  10748. type: object
  10749. servicePrincipal:
  10750. description: ServicePrincipal uses Azure Service Principal credentials to authenticate with Azure.
  10751. properties:
  10752. secretRef:
  10753. description: |-
  10754. Configuration used to authenticate with Azure using static
  10755. credentials stored in a Kind=Secret.
  10756. properties:
  10757. clientId:
  10758. description: The Azure clientId of the service principal used for authentication.
  10759. properties:
  10760. key:
  10761. description: |-
  10762. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10763. defaulted, in others it may be required.
  10764. type: string
  10765. name:
  10766. description: The name of the Secret resource being referred to.
  10767. type: string
  10768. namespace:
  10769. description: |-
  10770. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10771. to the namespace of the referent.
  10772. type: string
  10773. type: object
  10774. clientSecret:
  10775. description: The Azure ClientSecret of the service principal used for authentication.
  10776. properties:
  10777. key:
  10778. description: |-
  10779. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10780. defaulted, in others it may be required.
  10781. type: string
  10782. name:
  10783. description: The name of the Secret resource being referred to.
  10784. type: string
  10785. namespace:
  10786. description: |-
  10787. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10788. to the namespace of the referent.
  10789. type: string
  10790. type: object
  10791. type: object
  10792. required:
  10793. - secretRef
  10794. type: object
  10795. workloadIdentity:
  10796. description: WorkloadIdentity uses Azure Workload Identity to authenticate with Azure.
  10797. properties:
  10798. serviceAccountRef:
  10799. description: |-
  10800. ServiceAccountRef specifies the service account
  10801. that should be used when authenticating with WorkloadIdentity.
  10802. properties:
  10803. audiences:
  10804. description: |-
  10805. Audience specifies the `aud` claim for the service account token
  10806. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  10807. then these audiences will be appended to the list.
  10808. items:
  10809. type: string
  10810. type: array
  10811. name:
  10812. description: The name of the ServiceAccount resource being referred to.
  10813. type: string
  10814. namespace:
  10815. description: |-
  10816. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped. When cluster-scoped, it defaults
  10817. to the namespace of the referent.
  10818. type: string
  10819. required:
  10820. - name
  10821. type: object
  10822. type: object
  10823. type: object
  10824. environmentType:
  10825. default: PublicCloud
  10826. description: |-
  10827. EnvironmentType specifies the Azure cloud environment endpoints to use for
  10828. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  10829. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  10830. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  10831. enum:
  10832. - PublicCloud
  10833. - USGovernmentCloud
  10834. - ChinaCloud
  10835. - GermanCloud
  10836. type: string
  10837. registry:
  10838. description: |-
  10839. The domain name of the ACR registry,
  10840. e.g. foobarexample.azurecr.io
  10841. type: string
  10842. scope:
  10843. description: |-
  10844. Defines the scope for the access token, e.g. pull/push access for a repository.
  10845. If not provided, a refresh token with full scope is returned.
  10846. Note: the scope must be pinned down to the repository level; there is no wildcard available.
  10847. Examples:
  10848. repository:my-repository:pull,push
  10849. repository:my-repository:pull
  10850. See docs for details: https://docs.docker.com/registry/spec/auth/scope/
  10851. type: string
  10852. tenantId:
  10853. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  10854. type: string
  10855. required:
  10856. - auth
  10857. - registry
  10858. type: object
  10859. type: object
  10860. served: true
  10861. storage: true
  10862. subresources:
  10863. status: {}
  10864. conversion:
  10865. strategy: Webhook
  10866. webhook:
  10867. conversionReviewVersions:
  10868. - v1
  10869. clientConfig:
  10870. service:
  10871. name: kubernetes
  10872. namespace: default
  10873. path: /convert
  10874. ---
  10875. apiVersion: apiextensions.k8s.io/v1
  10876. kind: CustomResourceDefinition
  10877. metadata:
  10878. annotations:
  10879. controller-gen.kubebuilder.io/version: v0.15.0
  10880. labels:
  10881. external-secrets.io/component: controller
  10882. name: ecrauthorizationtokens.generators.external-secrets.io
  10883. spec:
  10884. group: generators.external-secrets.io
  10885. names:
  10886. categories:
  10887. - ecrauthorizationtoken
  10888. kind: ECRAuthorizationToken
  10889. listKind: ECRAuthorizationTokenList
  10890. plural: ecrauthorizationtokens
  10891. shortNames:
  10892. - ecrauthorizationtoken
  10893. singular: ecrauthorizationtoken
  10894. scope: Namespaced
  10895. versions:
  10896. - name: v1alpha1
  10897. schema:
  10898. openAPIV3Schema:
  10899. description: |-
  10900. ECRAuthorizationTokenSpec uses the GetAuthorizationToken API to retrieve an
  10901. authorization token.
  10902. The authorization token is valid for 12 hours.
  10903. The authorizationToken returned is a base64 encoded string that can be decoded
  10904. and used in a docker login command to authenticate to a registry.
  10905. For more information, see Registry authentication (https://docs.aws.amazon.com/AmazonECR/latest/userguide/Registries.html#registry_auth) in the Amazon Elastic Container Registry User Guide.
  10906. properties:
  10907. apiVersion:
  10908. description: |-
  10909. APIVersion defines the versioned schema of this representation of an object.
  10910. Servers should convert recognized schemas to the latest internal value, and
  10911. may reject unrecognized values.
  10912. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  10913. type: string
  10914. kind:
  10915. description: |-
  10916. Kind is a string value representing the REST resource this object represents.
  10917. Servers may infer this from the endpoint the client submits requests to.
  10918. Cannot be updated.
  10919. In CamelCase.
  10920. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  10921. type: string
  10922. metadata:
  10923. type: object
  10924. spec:
  10925. properties:
  10926. auth:
  10927. description: Auth defines how to authenticate with AWS
  10928. properties:
  10929. jwt:
  10930. description: Authenticate against AWS using service account tokens.
  10931. properties:
  10932. serviceAccountRef:
  10933. description: A reference to a ServiceAccount resource.
  10934. properties:
  10935. audiences:
  10936. description: |-
  10937. Audience specifies the `aud` claim for the service account token
  10938. If the service account uses a well-known annotation, e.g. for IRSA or GCP Workload Identity,
  10939. then these audiences will be appended to the list.
  10940. items:
  10941. type: string
  10942. type: array
  10943. name:
  10944. description: The name of the ServiceAccount resource being referred to.
  10945. type: string
  10946. namespace:
  10947. description: |-
  10948. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10949. to the namespace of the referent.
  10950. type: string
  10951. required:
  10952. - name
  10953. type: object
  10954. type: object
  10955. secretRef:
  10956. description: |-
  10957. AWSAuthSecretRef holds secret references for AWS credentials.
  10958. Both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  10959. properties:
  10960. accessKeyIDSecretRef:
  10961. description: The AccessKeyID is used for authentication
  10962. properties:
  10963. key:
  10964. description: |-
  10965. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10966. defaulted, in others it may be required.
  10967. type: string
  10968. name:
  10969. description: The name of the Secret resource being referred to.
  10970. type: string
  10971. namespace:
  10972. description: |-
  10973. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10974. to the namespace of the referent.
  10975. type: string
  10976. type: object
  10977. secretAccessKeySecretRef:
  10978. description: The SecretAccessKey is used for authentication
  10979. properties:
  10980. key:
  10981. description: |-
  10982. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  10983. defaulted, in others it may be required.
  10984. type: string
  10985. name:
  10986. description: The name of the Secret resource being referred to.
  10987. type: string
  10988. namespace:
  10989. description: |-
  10990. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  10991. to the namespace of the referent.
  10992. type: string
  10993. type: object
  10994. sessionTokenSecretRef:
  10995. description: |-
  10996. The SessionToken used for authentication
  10997. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  10998. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  10999. properties:
  11000. key:
  11001. description: |-
  11002. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11003. defaulted, in others it may be required.
  11004. type: string
  11005. name:
  11006. description: The name of the Secret resource being referred to.
  11007. type: string
  11008. namespace:
  11009. description: |-
  11010. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11011. to the namespace of the referent.
  11012. type: string
  11013. type: object
  11014. type: object
  11015. type: object
  11016. region:
  11017. description: Region specifies the region to operate in.
  11018. type: string
  11019. role:
  11020. description: |-
  11021. You can assume a role before making calls to the
  11022. desired AWS service.
  11023. type: string
  11024. required:
  11025. - region
  11026. type: object
  11027. type: object
  11028. served: true
  11029. storage: true
  11030. subresources:
  11031. status: {}
  11032. conversion:
  11033. strategy: Webhook
  11034. webhook:
  11035. conversionReviewVersions:
  11036. - v1
  11037. clientConfig:
  11038. service:
  11039. name: kubernetes
  11040. namespace: default
  11041. path: /convert
  11042. ---
  11043. apiVersion: apiextensions.k8s.io/v1
  11044. kind: CustomResourceDefinition
  11045. metadata:
  11046. annotations:
  11047. controller-gen.kubebuilder.io/version: v0.15.0
  11048. labels:
  11049. external-secrets.io/component: controller
  11050. name: fakes.generators.external-secrets.io
  11051. spec:
  11052. group: generators.external-secrets.io
  11053. names:
  11054. categories:
  11055. - fake
  11056. kind: Fake
  11057. listKind: FakeList
  11058. plural: fakes
  11059. shortNames:
  11060. - fake
  11061. singular: fake
  11062. scope: Namespaced
  11063. versions:
  11064. - name: v1alpha1
  11065. schema:
  11066. openAPIV3Schema:
  11067. description: |-
  11068. Fake generator is used for testing. It lets you define
  11069. a static set of credentials that is always returned.
  11070. properties:
  11071. apiVersion:
  11072. description: |-
  11073. APIVersion defines the versioned schema of this representation of an object.
  11074. Servers should convert recognized schemas to the latest internal value, and
  11075. may reject unrecognized values.
  11076. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11077. type: string
  11078. kind:
  11079. description: |-
  11080. Kind is a string value representing the REST resource this object represents.
  11081. Servers may infer this from the endpoint the client submits requests to.
  11082. Cannot be updated.
  11083. In CamelCase.
  11084. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11085. type: string
  11086. metadata:
  11087. type: object
  11088. spec:
  11089. description: FakeSpec contains the static data.
  11090. properties:
  11091. controller:
  11092. description: |-
  11093. Used to select the correct ESO controller (think: ingress.ingressClassName).
  11094. The ESO controller is instantiated with a specific controller name and filters VDS based on this property.
  11095. type: string
  11096. data:
  11097. additionalProperties:
  11098. type: string
  11099. description: |-
  11100. Data defines the static data returned
  11101. by this generator.
  11102. type: object
  11103. type: object
  11104. type: object
  11105. served: true
  11106. storage: true
  11107. subresources:
  11108. status: {}
  11109. conversion:
  11110. strategy: Webhook
  11111. webhook:
  11112. conversionReviewVersions:
  11113. - v1
  11114. clientConfig:
  11115. service:
  11116. name: kubernetes
  11117. namespace: default
  11118. path: /convert
  11119. ---
  11120. apiVersion: apiextensions.k8s.io/v1
  11121. kind: CustomResourceDefinition
  11122. metadata:
  11123. annotations:
  11124. controller-gen.kubebuilder.io/version: v0.15.0
  11125. labels:
  11126. external-secrets.io/component: controller
  11127. name: gcraccesstokens.generators.external-secrets.io
  11128. spec:
  11129. group: generators.external-secrets.io
  11130. names:
  11131. categories:
  11132. - gcraccesstoken
  11133. kind: GCRAccessToken
  11134. listKind: GCRAccessTokenList
  11135. plural: gcraccesstokens
  11136. shortNames:
  11137. - gcraccesstoken
  11138. singular: gcraccesstoken
  11139. scope: Namespaced
  11140. versions:
  11141. - name: v1alpha1
  11142. schema:
  11143. openAPIV3Schema:
  11144. description: |-
  11145. GCRAccessToken generates a GCP access token
  11146. that can be used to authenticate with GCR.
  11147. properties:
  11148. apiVersion:
  11149. description: |-
  11150. APIVersion defines the versioned schema of this representation of an object.
  11151. Servers should convert recognized schemas to the latest internal value, and
  11152. may reject unrecognized values.
  11153. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11154. type: string
  11155. kind:
  11156. description: |-
  11157. Kind is a string value representing the REST resource this object represents.
  11158. Servers may infer this from the endpoint the client submits requests to.
  11159. Cannot be updated.
  11160. In CamelCase.
  11161. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11162. type: string
  11163. metadata:
  11164. type: object
  11165. spec:
  11166. properties:
  11167. auth:
  11168. description: Auth defines the means for authenticating with GCP
  11169. properties:
  11170. secretRef:
  11171. properties:
  11172. secretAccessKeySecretRef:
  11173. description: The SecretAccessKey is used for authentication
  11174. properties:
  11175. key:
  11176. description: |-
  11177. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11178. defaulted, in others it may be required.
  11179. type: string
  11180. name:
  11181. description: The name of the Secret resource being referred to.
  11182. type: string
  11183. namespace:
  11184. description: |-
  11185. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11186. to the namespace of the referent.
  11187. type: string
  11188. type: object
  11189. type: object
  11190. workloadIdentity:
  11191. properties:
  11192. clusterLocation:
  11193. type: string
  11194. clusterName:
  11195. type: string
  11196. clusterProjectID:
  11197. type: string
  11198. serviceAccountRef:
  11199. description: A reference to a ServiceAccount resource.
  11200. properties:
  11201. audiences:
  11202. description: |-
  11203. Audience specifies the `aud` claim for the service account token.
  11204. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11205. then these audiences will be appended to the list.
  11206. items:
  11207. type: string
  11208. type: array
  11209. name:
  11210. description: The name of the ServiceAccount resource being referred to.
  11211. type: string
  11212. namespace:
  11213. description: |-
  11214. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11215. to the namespace of the referent.
  11216. type: string
  11217. required:
  11218. - name
  11219. type: object
  11220. required:
  11221. - clusterLocation
  11222. - clusterName
  11223. - serviceAccountRef
  11224. type: object
  11225. type: object
  11226. projectID:
  11227. description: ProjectID defines which project to use to authenticate with
  11228. type: string
  11229. required:
  11230. - auth
  11231. - projectID
  11232. type: object
  11233. type: object
  11234. served: true
  11235. storage: true
  11236. subresources:
  11237. status: {}
  11238. conversion:
  11239. strategy: Webhook
  11240. webhook:
  11241. conversionReviewVersions:
  11242. - v1
  11243. clientConfig:
  11244. service:
  11245. name: kubernetes
  11246. namespace: default
  11247. path: /convert
  11248. ---
  11249. apiVersion: apiextensions.k8s.io/v1
  11250. kind: CustomResourceDefinition
  11251. metadata:
  11252. annotations:
  11253. controller-gen.kubebuilder.io/version: v0.15.0
  11254. labels:
  11255. external-secrets.io/component: controller
  11256. name: githubaccesstokens.generators.external-secrets.io
  11257. spec:
  11258. group: generators.external-secrets.io
  11259. names:
  11260. categories:
  11261. - githubaccesstoken
  11262. kind: GithubAccessToken
  11263. listKind: GithubAccessTokenList
  11264. plural: githubaccesstokens
  11265. shortNames:
  11266. - githubaccesstoken
  11267. singular: githubaccesstoken
  11268. scope: Namespaced
  11269. versions:
  11270. - name: v1alpha1
  11271. schema:
  11272. openAPIV3Schema:
  11273. description: GithubAccessToken generates a `ghs_` access token
  11274. properties:
  11275. apiVersion:
  11276. description: |-
  11277. APIVersion defines the versioned schema of this representation of an object.
  11278. Servers should convert recognized schemas to the latest internal value, and
  11279. may reject unrecognized values.
  11280. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11281. type: string
  11282. kind:
  11283. description: |-
  11284. Kind is a string value representing the REST resource this object represents.
  11285. Servers may infer this from the endpoint the client submits requests to.
  11286. Cannot be updated.
  11287. In CamelCase.
  11288. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11289. type: string
  11290. metadata:
  11291. type: object
  11292. spec:
  11293. properties:
  11294. appID:
  11295. type: string
  11296. auth:
  11297. description: Auth configures how ESO authenticates with a Github instance.
  11298. properties:
  11299. privateKey:
  11300. properties:
  11301. secretRef:
  11302. description: |-
  11303. A reference to a specific 'key' within a Secret resource.
  11304. In some instances, `key` is a required field.
  11305. properties:
  11306. key:
  11307. description: |-
  11308. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11309. defaulted, in others it may be required.
  11310. type: string
  11311. name:
  11312. description: The name of the Secret resource being referred to.
  11313. type: string
  11314. namespace:
  11315. description: |-
  11316. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11317. to the namespace of the referent.
  11318. type: string
  11319. type: object
  11320. required:
  11321. - secretRef
  11322. type: object
  11323. required:
  11324. - privateKey
  11325. type: object
  11326. installID:
  11327. type: string
  11328. url:
  11329. description: URL configures the Github instance URL. Defaults to https://github.com/.
  11330. type: string
  11331. required:
  11332. - appID
  11333. - auth
  11334. - installID
  11335. type: object
  11336. type: object
  11337. served: true
  11338. storage: true
  11339. subresources:
  11340. status: {}
  11341. conversion:
  11342. strategy: Webhook
  11343. webhook:
  11344. conversionReviewVersions:
  11345. - v1
  11346. clientConfig:
  11347. service:
  11348. name: kubernetes
  11349. namespace: default
  11350. path: /convert
  11351. ---
  11352. apiVersion: apiextensions.k8s.io/v1
  11353. kind: CustomResourceDefinition
  11354. metadata:
  11355. annotations:
  11356. controller-gen.kubebuilder.io/version: v0.15.0
  11357. labels:
  11358. external-secrets.io/component: controller
  11359. name: passwords.generators.external-secrets.io
  11360. spec:
  11361. group: generators.external-secrets.io
  11362. names:
  11363. categories:
  11364. - password
  11365. kind: Password
  11366. listKind: PasswordList
  11367. plural: passwords
  11368. shortNames:
  11369. - password
  11370. singular: password
  11371. scope: Namespaced
  11372. versions:
  11373. - name: v1alpha1
  11374. schema:
  11375. openAPIV3Schema:
  11376. description: |-
  11377. Password generates a random password based on the
  11378. configuration parameters in spec.
  11379. You can specify the length, character set and other attributes.
  11380. properties:
  11381. apiVersion:
  11382. description: |-
  11383. APIVersion defines the versioned schema of this representation of an object.
  11384. Servers should convert recognized schemas to the latest internal value, and
  11385. may reject unrecognized values.
  11386. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11387. type: string
  11388. kind:
  11389. description: |-
  11390. Kind is a string value representing the REST resource this object represents.
  11391. Servers may infer this from the endpoint the client submits requests to.
  11392. Cannot be updated.
  11393. In CamelCase.
  11394. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11395. type: string
  11396. metadata:
  11397. type: object
  11398. spec:
  11399. description: PasswordSpec controls the behavior of the password generator.
  11400. properties:
  11401. allowRepeat:
  11402. default: false
  11403. description: Set AllowRepeat to true to allow repeating characters.
  11404. type: boolean
  11405. digits:
  11406. description: |-
  11407. Digits specifies the number of digits in the generated
  11408. password. If omitted it defaults to 25% of the length of the password
  11409. type: integer
  11410. length:
  11411. default: 24
  11412. description: |-
  11413. Length of the password to be generated.
  11414. Defaults to 24
  11415. type: integer
  11416. noUpper:
  11417. default: false
  11418. description: Set NoUpper to disable uppercase characters
  11419. type: boolean
  11420. symbolCharacters:
  11421. description: |-
  11422. SymbolCharacters specifies the special characters that should be used
  11423. in the generated password.
  11424. type: string
  11425. symbols:
  11426. description: |-
  11427. Symbols specifies the number of symbol characters in the generated
  11428. password. If omitted it defaults to 25% of the length of the password
  11429. type: integer
  11430. required:
  11431. - allowRepeat
  11432. - length
  11433. - noUpper
  11434. type: object
  11435. type: object
  11436. served: true
  11437. storage: true
  11438. subresources:
  11439. status: {}
  11440. conversion:
  11441. strategy: Webhook
  11442. webhook:
  11443. conversionReviewVersions:
  11444. - v1
  11445. clientConfig:
  11446. service:
  11447. name: kubernetes
  11448. namespace: default
  11449. path: /convert
  11450. ---
  11451. apiVersion: apiextensions.k8s.io/v1
  11452. kind: CustomResourceDefinition
  11453. metadata:
  11454. annotations:
  11455. controller-gen.kubebuilder.io/version: v0.15.0
  11456. labels:
  11457. external-secrets.io/component: controller
  11458. name: vaultdynamicsecrets.generators.external-secrets.io
  11459. spec:
  11460. group: generators.external-secrets.io
  11461. names:
  11462. categories:
  11463. - vaultdynamicsecret
  11464. kind: VaultDynamicSecret
  11465. listKind: VaultDynamicSecretList
  11466. plural: vaultdynamicsecrets
  11467. shortNames:
  11468. - vaultdynamicsecret
  11469. singular: vaultdynamicsecret
  11470. scope: Namespaced
  11471. versions:
  11472. - name: v1alpha1
  11473. schema:
  11474. openAPIV3Schema:
  11475. properties:
  11476. apiVersion:
  11477. description: |-
  11478. APIVersion defines the versioned schema of this representation of an object.
  11479. Servers should convert recognized schemas to the latest internal value, and
  11480. may reject unrecognized values.
  11481. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  11482. type: string
  11483. kind:
  11484. description: |-
  11485. Kind is a string value representing the REST resource this object represents.
  11486. Servers may infer this from the endpoint the client submits requests to.
  11487. Cannot be updated.
  11488. In CamelCase.
  11489. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  11490. type: string
  11491. metadata:
  11492. type: object
  11493. spec:
  11494. properties:
  11495. controller:
  11496. description: |-
  11497. Used to select the correct ESO controller (think: ingress.ingressClassName).
  11498. The ESO controller is instantiated with a specific controller name and filters VDS based on this property.
  11499. type: string
  11500. method:
  11501. description: Vault API method to use (GET/POST/other)
  11502. type: string
  11503. parameters:
  11504. description: Parameters to pass to Vault write (for non-GET methods)
  11505. x-kubernetes-preserve-unknown-fields: true
  11506. path:
  11507. description: Vault path to obtain the dynamic secret from
  11508. type: string
  11509. provider:
  11510. description: Vault provider common spec
  11511. properties:
  11512. auth:
  11513. description: Auth configures how secret-manager authenticates with the Vault server.
  11514. properties:
  11515. appRole:
  11516. description: |-
  11517. AppRole authenticates with Vault using the App Role auth mechanism,
  11518. with the role and secret stored in a Kubernetes Secret resource.
  11519. properties:
  11520. path:
  11521. default: approle
  11522. description: |-
  11523. Path where the App Role authentication backend is mounted
  11524. in Vault, e.g: "approle"
  11525. type: string
  11526. roleId:
  11527. description: |-
  11528. RoleID configured in the App Role authentication backend when setting
  11529. up the authentication backend in Vault.
  11530. type: string
  11531. roleRef:
  11532. description: |-
  11533. Reference to a key in a Secret that contains the App Role ID used
  11534. to authenticate with Vault.
  11535. The `key` field must be specified and denotes which entry within the Secret
  11536. resource is used as the app role id.
  11537. properties:
  11538. key:
  11539. description: |-
  11540. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11541. defaulted, in others it may be required.
  11542. type: string
  11543. name:
  11544. description: The name of the Secret resource being referred to.
  11545. type: string
  11546. namespace:
  11547. description: |-
  11548. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11549. to the namespace of the referent.
  11550. type: string
  11551. type: object
  11552. secretRef:
  11553. description: |-
  11554. Reference to a key in a Secret that contains the App Role secret used
  11555. to authenticate with Vault.
  11556. The `key` field must be specified and denotes which entry within the Secret
  11557. resource is used as the app role secret.
  11558. properties:
  11559. key:
  11560. description: |-
  11561. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11562. defaulted, in others it may be required.
  11563. type: string
  11564. name:
  11565. description: The name of the Secret resource being referred to.
  11566. type: string
  11567. namespace:
  11568. description: |-
  11569. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11570. to the namespace of the referent.
  11571. type: string
  11572. type: object
  11573. required:
  11574. - path
  11575. - secretRef
  11576. type: object
  11577. cert:
  11578. description: |-
  11579. Cert authenticates with TLS certificates by passing a client certificate, private key and CA certificate
  11580. using the Cert authentication method.
  11581. properties:
  11582. clientCert:
  11583. description: |-
  11584. ClientCert is a certificate to authenticate using the Cert Vault
  11585. authentication method
  11586. properties:
  11587. key:
  11588. description: |-
  11589. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11590. defaulted, in others it may be required.
  11591. type: string
  11592. name:
  11593. description: The name of the Secret resource being referred to.
  11594. type: string
  11595. namespace:
  11596. description: |-
  11597. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11598. to the namespace of the referent.
  11599. type: string
  11600. type: object
  11601. secretRef:
  11602. description: |-
  11603. SecretRef to a key in a Secret resource containing client private key to
  11604. authenticate with Vault using the Cert authentication method
  11605. properties:
  11606. key:
  11607. description: |-
  11608. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11609. defaulted, in others it may be required.
  11610. type: string
  11611. name:
  11612. description: The name of the Secret resource being referred to.
  11613. type: string
  11614. namespace:
  11615. description: |-
  11616. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11617. to the namespace of the referent.
  11618. type: string
  11619. type: object
  11620. type: object
  11621. iam:
  11622. description: |-
  11623. Iam authenticates with Vault by passing a special AWS request signed with AWS IAM credentials,
  11624. using the AWS IAM authentication method.
  11625. properties:
  11626. externalID:
  11627. description: AWS External ID set on assumed IAM roles
  11628. type: string
  11629. jwt:
  11630. description: Specify a service account with IRSA enabled
  11631. properties:
  11632. serviceAccountRef:
  11633. description: A reference to a ServiceAccount resource.
  11634. properties:
  11635. audiences:
  11636. description: |-
  11637. Audience specifies the `aud` claim for the service account token.
  11638. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11639. then these audiences will be appended to the list.
  11640. items:
  11641. type: string
  11642. type: array
  11643. name:
  11644. description: The name of the ServiceAccount resource being referred to.
  11645. type: string
  11646. namespace:
  11647. description: |-
  11648. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11649. to the namespace of the referent.
  11650. type: string
  11651. required:
  11652. - name
  11653. type: object
  11654. type: object
  11655. path:
  11656. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  11657. type: string
  11658. region:
  11659. description: AWS region
  11660. type: string
  11661. role:
  11662. description: This is the AWS role to be assumed before talking to vault
  11663. type: string
  11664. secretRef:
  11665. description: Specify credentials in a Secret object
  11666. properties:
  11667. accessKeyIDSecretRef:
  11668. description: The AccessKeyID is used for authentication
  11669. properties:
  11670. key:
  11671. description: |-
  11672. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11673. defaulted, in others it may be required.
  11674. type: string
  11675. name:
  11676. description: The name of the Secret resource being referred to.
  11677. type: string
  11678. namespace:
  11679. description: |-
  11680. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11681. to the namespace of the referent.
  11682. type: string
  11683. type: object
  11684. secretAccessKeySecretRef:
  11685. description: The SecretAccessKey is used for authentication
  11686. properties:
  11687. key:
  11688. description: |-
  11689. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11690. defaulted, in others it may be required.
  11691. type: string
  11692. name:
  11693. description: The name of the Secret resource being referred to.
  11694. type: string
  11695. namespace:
  11696. description: |-
  11697. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11698. to the namespace of the referent.
  11699. type: string
  11700. type: object
  11701. sessionTokenSecretRef:
  11702. description: |-
  11703. The SessionToken used for authentication
  11704. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  11705. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  11706. properties:
  11707. key:
  11708. description: |-
  11709. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11710. defaulted, in others it may be required.
  11711. type: string
  11712. name:
  11713. description: The name of the Secret resource being referred to.
  11714. type: string
  11715. namespace:
  11716. description: |-
  11717. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11718. to the namespace of the referent.
  11719. type: string
  11720. type: object
  11721. type: object
  11722. vaultAwsIamServerID:
  11723. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  11724. type: string
  11725. vaultRole:
  11726. description: Vault Role. In Vault, a role describes an identity with a set of permissions, groups, or policies you want to attach to a user of the secrets engine.
  11727. type: string
  11728. required:
  11729. - vaultRole
  11730. type: object
  11731. jwt:
  11732. description: |-
  11733. Jwt authenticates with Vault by passing role and JWT token using the
  11734. JWT/OIDC authentication method
  11735. properties:
  11736. kubernetesServiceAccountToken:
  11737. description: |-
  11738. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  11739. a token with the `TokenRequest` API.
  11740. properties:
  11741. audiences:
  11742. description: |-
  11743. Optional audiences field that will be used to request a temporary Kubernetes service
  11744. account token for the service account referenced by `serviceAccountRef`.
  11745. Defaults to a single audience `vault` if not specified.
  11746. Deprecated: use serviceAccountRef.Audiences instead.
  11747. items:
  11748. type: string
  11749. type: array
  11750. expirationSeconds:
  11751. description: |-
  11752. Optional expiration time in seconds that will be used to request a temporary
  11753. Kubernetes service account token for the service account referenced by
  11754. `serviceAccountRef`.
  11755. Deprecated: this will be removed in the future.
  11756. Defaults to 10 minutes.
  11757. format: int64
  11758. type: integer
  11759. serviceAccountRef:
  11760. description: Service account field containing the name of a kubernetes ServiceAccount.
  11761. properties:
  11762. audiences:
  11763. description: |-
  11764. Audience specifies the `aud` claim for the service account token.
  11765. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  11766. then these audiences will be appended to the list.
  11767. items:
  11768. type: string
  11769. type: array
  11770. name:
  11771. description: The name of the ServiceAccount resource being referred to.
  11772. type: string
  11773. namespace:
  11774. description: |-
  11775. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  11776. to the namespace of the referent.
  11777. type: string
  11778. required:
  11779. - name
  11780. type: object
  11781. required:
  11782. - serviceAccountRef
  11783. type: object
  11784. path:
  11785. default: jwt
  11786. description: |-
  11787. Path where the JWT authentication backend is mounted
  11788. in Vault, e.g: "jwt"
  11789. type: string
  11790. role:
  11791. description: |-
  11792. Role is a JWT role to authenticate using the JWT/OIDC Vault
  11793. authentication method
  11794. type: string
  11795. secretRef:
  11796. description: |-
  11797. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  11798. authenticate with Vault using the JWT/OIDC authentication method.
  11799. properties:
  11800. key:
  11801. description: |-
  11802. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11803. defaulted, in others it may be required.
  11804. type: string
  11805. name:
  11806. description: The name of the Secret resource being referred to.
  11807. type: string
  11808. namespace:
  11809. description: |-
  11810. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11811. for a cluster-scoped referent it defaults to the namespace of the referent.
  11812. type: string
  11813. type: object
  11814. required:
  11815. - path
  11816. type: object
  11817. kubernetes:
  11818. description: |-
  11819. Kubernetes authenticates with Vault by passing the ServiceAccount
  11820. token stored in the named Secret resource to the Vault server.
  11821. properties:
  11822. mountPath:
  11823. default: kubernetes
  11824. description: |-
  11825. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  11826. "kubernetes"
  11827. type: string
  11828. role:
  11829. description: |-
  11830. A required field containing the Vault Role to assume. A Role binds a
  11831. Kubernetes ServiceAccount to a set of Vault policies.
  11832. type: string
  11833. secretRef:
  11834. description: |-
  11835. Optional secret field containing a Kubernetes ServiceAccount JWT used
  11836. for authenticating with Vault. If a name is specified without a key,
  11837. `token` is the default. If one is not specified, the one bound to
  11838. the controller will be used.
  11839. properties:
  11840. key:
  11841. description: |-
  11842. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11843. defaulted, in others it may be required.
  11844. type: string
  11845. name:
  11846. description: The name of the Secret resource being referred to.
  11847. type: string
  11848. namespace:
  11849. description: |-
  11850. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11851. for a cluster-scoped referent it defaults to the namespace of the referent.
  11852. type: string
  11853. type: object
  11854. serviceAccountRef:
  11855. description: |-
  11856. Optional service account field containing the name of a Kubernetes ServiceAccount.
  11857. If the service account is specified, the service account's secret token JWT will be used
  11858. for authenticating with Vault. If the service account selector is not supplied,
  11859. the secretRef will be used instead.
  11860. properties:
  11861. audiences:
  11862. description: |-
  11863. Audience specifies the `aud` claim for the service account token.
  11864. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity,
  11865. then these audiences will be appended to the list.
  11866. items:
  11867. type: string
  11868. type: array
  11869. name:
  11870. description: The name of the ServiceAccount resource being referred to.
  11871. type: string
  11872. namespace:
  11873. description: |-
  11874. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11875. for a cluster-scoped referent it defaults to the namespace of the referent.
  11876. type: string
  11877. required:
  11878. - name
  11879. type: object
  11880. required:
  11881. - mountPath
  11882. - role
  11883. type: object
  11884. ldap:
  11885. description: |-
  11886. Ldap authenticates with Vault by passing a username/password pair using
  11887. the LDAP authentication method
  11888. properties:
  11889. path:
  11890. default: ldap
  11891. description: |-
  11892. Path where the LDAP authentication backend is mounted
  11893. in Vault, e.g: "ldap"
  11894. type: string
  11895. secretRef:
  11896. description: |-
  11897. SecretRef to a key in a Secret resource containing the password for the LDAP
  11898. user used to authenticate with Vault using the LDAP authentication
  11899. method
  11900. properties:
  11901. key:
  11902. description: |-
  11903. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11904. defaulted, in others it may be required.
  11905. type: string
  11906. name:
  11907. description: The name of the Secret resource being referred to.
  11908. type: string
  11909. namespace:
  11910. description: |-
  11911. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11912. for a cluster-scoped referent it defaults to the namespace of the referent.
  11913. type: string
  11914. type: object
  11915. username:
  11916. description: |-
  11917. Username is an LDAP user name used to authenticate using the LDAP Vault
  11918. authentication method
  11919. type: string
  11920. required:
  11921. - path
  11922. - username
  11923. type: object
  11924. namespace:
  11925. description: |-
  11926. Name of the Vault namespace to authenticate to. This can be different from the namespace your secret is in.
  11927. Namespaces are a set of features within Vault Enterprise that allow
  11928. Vault environments to support Secure Multi-tenancy, e.g. "ns1".
  11929. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  11930. This defaults to the Vault.Namespace field if set, or is empty otherwise.
  11931. type: string
  11932. tokenSecretRef:
  11933. description: TokenSecretRef authenticates with Vault by presenting a token.
  11934. properties:
  11935. key:
  11936. description: |-
  11937. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11938. defaulted, in others it may be required.
  11939. type: string
  11940. name:
  11941. description: The name of the Secret resource being referred to.
  11942. type: string
  11943. namespace:
  11944. description: |-
  11945. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11946. for a cluster-scoped referent it defaults to the namespace of the referent.
  11947. type: string
  11948. type: object
  11949. userPass:
  11950. description: UserPass authenticates with Vault by passing a username/password pair
  11951. properties:
  11952. path:
  11953. default: user
  11954. description: |-
  11955. Path where the UserPassword authentication backend is mounted
  11956. in Vault, e.g: "user"
  11957. type: string
  11958. secretRef:
  11959. description: |-
  11960. SecretRef to a key in a Secret resource containing the password for the
  11961. user used to authenticate with Vault using the UserPass authentication
  11962. method
  11963. properties:
  11964. key:
  11965. description: |-
  11966. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  11967. defaulted, in others it may be required.
  11968. type: string
  11969. name:
  11970. description: The name of the Secret resource being referred to.
  11971. type: string
  11972. namespace:
  11973. description: |-
  11974. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  11975. for a cluster-scoped referent it defaults to the namespace of the referent.
  11976. type: string
  11977. type: object
  11978. username:
  11979. description: |-
  11980. Username is a user name used to authenticate using the UserPass Vault
  11981. authentication method
  11982. type: string
  11983. required:
  11984. - path
  11985. - username
  11986. type: object
  11987. type: object
  11988. caBundle:
  11989. description: |-
  11990. PEM encoded CA bundle used to validate the Vault server certificate. Only used
  11991. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  11992. plain HTTP connections. If not set, the system root certificates
  11993. are used to validate the TLS connection.
  11994. format: byte
  11995. type: string
  11996. caProvider:
  11997. description: The provider for the CA bundle to use to validate Vault server certificate.
  11998. properties:
  11999. key:
  12000. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  12001. type: string
  12002. name:
  12003. description: The name of the object located at the provider type.
  12004. type: string
  12005. namespace:
  12006. description: |-
  12007. The namespace the Provider type is in.
  12008. Can only be defined when used in a ClusterSecretStore.
  12009. type: string
  12010. type:
  12011. description: The type of provider to use such as "Secret", or "ConfigMap".
  12012. enum:
  12013. - Secret
  12014. - ConfigMap
  12015. type: string
  12016. required:
  12017. - name
  12018. - type
  12019. type: object
  12020. forwardInconsistent:
  12021. description: |-
  12022. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  12023. leader instead of simply retrying within a loop. This can increase performance if
  12024. the option is enabled server-side.
  12025. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  12026. type: boolean
  12027. namespace:
  12028. description: |-
  12029. Name of the Vault namespace. Namespaces are a set of features within Vault Enterprise that allow
  12030. Vault environments to support Secure Multi-tenancy, e.g. "ns1".
  12031. More about namespaces can be found here: https://www.vaultproject.io/docs/enterprise/namespaces
  12032. type: string
  12033. path:
  12034. description: |-
  12035. Path is the mount path of the Vault KV backend endpoint, e.g.
  12036. "secret". The "/data" path suffix specific to the v2 KV secret engine,
  12037. used for fetching secrets from Vault, is optional and will be appended
  12038. if not present in the specified path.
  12039. type: string
  12040. readYourWrites:
  12041. description: |-
  12042. ReadYourWrites ensures isolated read-after-write semantics by
  12043. providing discovered cluster replication states in each request.
  12044. More information about eventual consistency in Vault can be found here
  12045. https://www.vaultproject.io/docs/enterprise/consistency
  12046. type: boolean
  12047. server:
  12048. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  12049. type: string
  12050. tls:
  12051. description: |-
  12052. The configuration used for client-side TLS communication, when the Vault server
  12053. requires mutual authentication. Only used if the Server URL uses the HTTPS protocol.
  12054. This parameter is ignored for plain HTTP connections.
  12055. It's worth noting this configuration is different from the "TLS certificates auth method",
  12056. which is available under the `auth.cert` section.
  12057. properties:
  12058. certSecretRef:
  12059. description: |-
  12060. CertSecretRef is a certificate added to the transport layer
  12061. when communicating with the Vault server.
  12062. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  12063. properties:
  12064. key:
  12065. description: |-
  12066. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  12067. defaulted, in others it may be required.
  12068. type: string
  12069. name:
  12070. description: The name of the Secret resource being referred to.
  12071. type: string
  12072. namespace:
  12073. description: |-
  12074. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  12075. for a cluster-scoped referent it defaults to the namespace of the referent.
  12076. type: string
  12077. type: object
  12078. keySecretRef:
  12079. description: |-
  12080. KeySecretRef to a key in a Secret resource containing client private key
  12081. added to the transport layer when communicating with the Vault server.
  12082. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  12083. properties:
  12084. key:
  12085. description: |-
  12086. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  12087. defaulted, in others it may be required.
  12088. type: string
  12089. name:
  12090. description: The name of the Secret resource being referred to.
  12091. type: string
  12092. namespace:
  12093. description: |-
  12094. Namespace of the resource being referred to. Ignored if the referent is not cluster-scoped;
  12095. for a cluster-scoped referent it defaults to the namespace of the referent.
  12096. type: string
  12097. type: object
  12098. type: object
  12099. version:
  12100. default: v2
  12101. description: |-
  12102. Version is the Vault KV secret engine version. This can be either "v1" or
  12103. "v2". Version defaults to "v2".
  12104. enum:
  12105. - v1
  12106. - v2
  12107. type: string
  12108. required:
  12109. - auth
  12110. - server
  12111. type: object
  12112. resultType:
  12113. default: Data
  12114. description: |-
  12115. Result type defines which data is returned from the generator.
  12116. By default it is the "data" section of the Vault API response.
  12117. When using e.g. /auth/token/create, the "data" section is empty but
  12118. the "auth" section contains the generated token.
  12119. Please refer to the Vault docs regarding the result data structure.
  12120. enum:
  12121. - Data
  12122. - Auth
  12123. type: string
  12124. required:
  12125. - path
  12126. - provider
  12127. type: object
  12128. type: object
  12129. served: true
  12130. storage: true
  12131. subresources:
  12132. status: {}
  12133. conversion:
  12134. strategy: Webhook
  12135. webhook:
  12136. conversionReviewVersions:
  12137. - v1
  12138. clientConfig:
  12139. service:
  12140. name: kubernetes
  12141. namespace: default
  12142. path: /convert
  12143. ---
  12144. apiVersion: apiextensions.k8s.io/v1
  12145. kind: CustomResourceDefinition
  12146. metadata:
  12147. annotations:
  12148. controller-gen.kubebuilder.io/version: v0.15.0
  12149. labels:
  12150. external-secrets.io/component: controller
  12151. name: webhooks.generators.external-secrets.io
  12152. spec:
  12153. group: generators.external-secrets.io
  12154. names:
  12155. categories:
  12156. - webhook
  12157. kind: Webhook
  12158. listKind: WebhookList
  12159. plural: webhooks
  12160. shortNames:
  12161. - webhookl
  12162. singular: webhook
  12163. scope: Namespaced
  12164. versions:
  12165. - name: v1alpha1
  12166. schema:
  12167. openAPIV3Schema:
  12168. description: |-
  12169. Webhook connects to a third-party API server to handle secret generation, using the
  12170. configuration parameters in spec.
  12171. You can specify the server, the token, and additional body parameters.
  12172. See the documentation for the full API specification for requests and responses.
  12173. properties:
  12174. apiVersion:
  12175. description: |-
  12176. APIVersion defines the versioned schema of this representation of an object.
  12177. Servers should convert recognized schemas to the latest internal value, and
  12178. may reject unrecognized values.
  12179. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  12180. type: string
  12181. kind:
  12182. description: |-
  12183. Kind is a string value representing the REST resource this object represents.
  12184. Servers may infer this from the endpoint the client submits requests to.
  12185. Cannot be updated.
  12186. In CamelCase.
  12187. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  12188. type: string
  12189. metadata:
  12190. type: object
  12191. spec:
  12192. description: WebhookSpec controls the behavior of the external generator. Any body parameters should be passed to the server through the parameters field.
  12193. properties:
  12194. body:
  12195. description: Body
  12196. type: string
  12197. caBundle:
  12198. description: |-
  12199. PEM encoded CA bundle used to validate the webhook server certificate. Only used
  12200. if the Server URL uses the HTTPS protocol. This parameter is ignored for
  12201. plain HTTP connections. If not set, the system root certificates
  12202. are used to validate the TLS connection.
  12203. format: byte
  12204. type: string
  12205. caProvider:
  12206. description: The provider for the CA bundle to use to validate webhook server certificate.
  12207. properties:
  12208. key:
  12209. description: The key of the value inside the provider type to use; only used with the "Secret" type
  12210. type: string
  12211. name:
  12212. description: The name of the object located at the provider type.
  12213. type: string
  12214. namespace:
  12215. description: The namespace the Provider type is in.
  12216. type: string
  12217. type:
  12218. description: The type of provider to use such as "Secret", or "ConfigMap".
  12219. enum:
  12220. - Secret
  12221. - ConfigMap
  12222. type: string
  12223. required:
  12224. - name
  12225. - type
  12226. type: object
  12227. headers:
  12228. additionalProperties:
  12229. type: string
  12230. description: Headers
  12231. type: object
  12232. method:
  12233. description: Webhook Method
  12234. type: string
  12235. result:
  12236. description: Result formatting
  12237. properties:
  12238. jsonPath:
  12239. description: JSON path of the return value
  12240. type: string
  12241. type: object
  12242. secrets:
  12243. description: |-
  12244. Secrets to fill in templates.
  12245. These secrets will be passed to the templating function as key-value pairs under the given name.
  12246. items:
  12247. properties:
  12248. name:
  12249. description: Name of this secret in templates
  12250. type: string
  12251. secretRef:
  12252. description: Secret ref to fill in credentials
  12253. properties:
  12254. key:
  12255. description: The key where the token is found.
  12256. type: string
  12257. name:
  12258. description: The name of the Secret resource being referred to.
  12259. type: string
  12260. type: object
  12261. required:
  12262. - name
  12263. - secretRef
  12264. type: object
  12265. type: array
  12266. timeout:
  12267. description: Timeout
  12268. type: string
  12269. url:
  12270. description: Webhook url to call
  12271. type: string
  12272. required:
  12273. - result
  12274. - url
  12275. type: object
  12276. type: object
  12277. served: true
  12278. storage: true
  12279. subresources:
  12280. status: {}
  12281. conversion:
  12282. strategy: Webhook
  12283. webhook:
  12284. conversionReviewVersions:
  12285. - v1
  12286. clientConfig:
  12287. service:
  12288. name: kubernetes
  12289. namespace: default
  12290. path: /convert