crds_test.yaml.snap 262 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165
  1. should match snapshot of default values:
  2. 1: |
  3. apiVersion: apiextensions.k8s.io/v1
  4. kind: CustomResourceDefinition
  5. metadata:
  6. annotations:
  7. controller-gen.kubebuilder.io/version: v0.15.0
  8. name: secretstores.external-secrets.io
  9. spec:
  10. conversion:
  11. strategy: Webhook
  12. webhook:
  13. clientConfig:
  14. service:
  15. name: RELEASE-NAME-external-secrets-webhook
  16. namespace: NAMESPACE
  17. path: /convert
  18. conversionReviewVersions:
  19. - v1
  20. group: external-secrets.io
  21. names:
  22. categories:
  23. - externalsecrets
  24. kind: SecretStore
  25. listKind: SecretStoreList
  26. plural: secretstores
  27. shortNames:
  28. - ss
  29. singular: secretstore
  30. scope: Namespaced
  31. versions:
  32. - additionalPrinterColumns:
  33. - jsonPath: .metadata.creationTimestamp
  34. name: AGE
  35. type: date
  36. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  37. name: Status
  38. type: string
  39. deprecated: true
  40. name: v1alpha1
  41. schema:
  42. openAPIV3Schema:
  43. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  44. properties:
  45. apiVersion:
  46. description: |-
  47. APIVersion defines the versioned schema of this representation of an object.
  48. Servers should convert recognized schemas to the latest internal value, and
  49. may reject unrecognized values.
  50. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  51. type: string
  52. kind:
  53. description: |-
  54. Kind is a string value representing the REST resource this object represents.
  55. Servers may infer this from the endpoint the client submits requests to.
  56. Cannot be updated.
  57. In CamelCase.
  58. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  59. type: string
  60. metadata:
  61. type: object
  62. spec:
  63. description: SecretStoreSpec defines the desired state of SecretStore.
  64. properties:
  65. controller:
  66. description: |-
  67. Used to select the correct ESO controller (think: ingress.ingressClassName)
  68. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  69. type: string
  70. provider:
  71. description: Used to configure the provider. Only one provider may be set
  72. maxProperties: 1
  73. minProperties: 1
  74. properties:
  75. akeyless:
  76. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  77. properties:
  78. akeylessGWApiURL:
  79. description: Akeyless GW API Url from which the secrets to be fetched from.
  80. type: string
  81. authSecretRef:
  82. description: Auth configures how the operator authenticates with Akeyless.
  83. properties:
  84. kubernetesAuth:
  85. description: |-
  86. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  87. token stored in the named Secret resource.
  88. properties:
  89. accessID:
  90. description: the Akeyless Kubernetes auth-method access-id
  91. type: string
  92. k8sConfName:
  93. description: Kubernetes-auth configuration name in Akeyless-Gateway
  94. type: string
  95. secretRef:
  96. description: |-
  97. Optional secret field containing a Kubernetes ServiceAccount JWT used
  98. for authenticating with Akeyless. If a name is specified without a key,
  99. `token` is the default. If one is not specified, the one bound to
  100. the controller will be used.
  101. properties:
  102. key:
  103. description: |-
  104. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  105. defaulted, in others it may be required.
  106. type: string
  107. name:
  108. description: The name of the Secret resource being referred to.
  109. type: string
  110. namespace:
  111. description: |-
  112. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  113. to the namespace of the referent.
  114. type: string
  115. type: object
  116. serviceAccountRef:
  117. description: |-
  118. Optional service account field containing the name of a kubernetes ServiceAccount.
  119. If the service account is specified, the service account secret token JWT will be used
  120. for authenticating with Akeyless. If the service account selector is not supplied,
  121. the secretRef will be used instead.
  122. properties:
  123. audiences:
  124. description: |-
  125. Audience specifies the `aud` claim for the service account token
  126. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  127. then this audiences will be appended to the list
  128. items:
  129. type: string
  130. type: array
  131. name:
  132. description: The name of the ServiceAccount resource being referred to.
  133. type: string
  134. namespace:
  135. description: |-
  136. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  137. to the namespace of the referent.
  138. type: string
  139. required:
  140. - name
  141. type: object
  142. required:
  143. - accessID
  144. - k8sConfName
  145. type: object
  146. secretRef:
  147. description: |-
  148. Reference to a Secret that contains the details
  149. to authenticate with Akeyless.
  150. properties:
  151. accessID:
  152. description: The SecretAccessID is used for authentication
  153. properties:
  154. key:
  155. description: |-
  156. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  157. defaulted, in others it may be required.
  158. type: string
  159. name:
  160. description: The name of the Secret resource being referred to.
  161. type: string
  162. namespace:
  163. description: |-
  164. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  165. to the namespace of the referent.
  166. type: string
  167. type: object
  168. accessType:
  169. description: |-
  170. A reference to a specific 'key' within a Secret resource,
  171. In some instances, `key` is a required field.
  172. properties:
  173. key:
  174. description: |-
  175. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  176. defaulted, in others it may be required.
  177. type: string
  178. name:
  179. description: The name of the Secret resource being referred to.
  180. type: string
  181. namespace:
  182. description: |-
  183. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  184. to the namespace of the referent.
  185. type: string
  186. type: object
  187. accessTypeParam:
  188. description: |-
  189. A reference to a specific 'key' within a Secret resource,
  190. In some instances, `key` is a required field.
  191. properties:
  192. key:
  193. description: |-
  194. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  195. defaulted, in others it may be required.
  196. type: string
  197. name:
  198. description: The name of the Secret resource being referred to.
  199. type: string
  200. namespace:
  201. description: |-
  202. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  203. to the namespace of the referent.
  204. type: string
  205. type: object
  206. type: object
  207. type: object
  208. caBundle:
  209. description: |-
  210. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  211. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  212. are used to validate the TLS connection.
  213. format: byte
  214. type: string
  215. caProvider:
  216. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  217. properties:
  218. key:
  219. description: The key the value inside of the provider type to use, only used with "Secret" type
  220. type: string
  221. name:
  222. description: The name of the object located at the provider type.
  223. type: string
  224. namespace:
  225. description: The namespace the Provider type is in.
  226. type: string
  227. type:
  228. description: The type of provider to use such as "Secret", or "ConfigMap".
  229. enum:
  230. - Secret
  231. - ConfigMap
  232. type: string
  233. required:
  234. - name
  235. - type
  236. type: object
  237. required:
  238. - akeylessGWApiURL
  239. - authSecretRef
  240. type: object
  241. alibaba:
  242. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  243. properties:
  244. auth:
  245. description: AlibabaAuth contains a secretRef for credentials.
  246. properties:
  247. rrsa:
  248. description: Authenticate against Alibaba using RRSA.
  249. properties:
  250. oidcProviderArn:
  251. type: string
  252. oidcTokenFilePath:
  253. type: string
  254. roleArn:
  255. type: string
  256. sessionName:
  257. type: string
  258. required:
  259. - oidcProviderArn
  260. - oidcTokenFilePath
  261. - roleArn
  262. - sessionName
  263. type: object
  264. secretRef:
  265. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  266. properties:
  267. accessKeyIDSecretRef:
  268. description: The AccessKeyID is used for authentication
  269. properties:
  270. key:
  271. description: |-
  272. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  273. defaulted, in others it may be required.
  274. type: string
  275. name:
  276. description: The name of the Secret resource being referred to.
  277. type: string
  278. namespace:
  279. description: |-
  280. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  281. to the namespace of the referent.
  282. type: string
  283. type: object
  284. accessKeySecretSecretRef:
  285. description: The AccessKeySecret is used for authentication
  286. properties:
  287. key:
  288. description: |-
  289. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  290. defaulted, in others it may be required.
  291. type: string
  292. name:
  293. description: The name of the Secret resource being referred to.
  294. type: string
  295. namespace:
  296. description: |-
  297. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  298. to the namespace of the referent.
  299. type: string
  300. type: object
  301. required:
  302. - accessKeyIDSecretRef
  303. - accessKeySecretSecretRef
  304. type: object
  305. type: object
  306. regionID:
  307. description: Alibaba Region to be used for the provider
  308. type: string
  309. required:
  310. - auth
  311. - regionID
  312. type: object
  313. aws:
  314. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  315. properties:
  316. auth:
  317. description: |-
  318. Auth defines the information necessary to authenticate against AWS
  319. if not set aws sdk will infer credentials from your environment
  320. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  321. properties:
  322. jwt:
  323. description: Authenticate against AWS using service account tokens.
  324. properties:
  325. serviceAccountRef:
  326. description: A reference to a ServiceAccount resource.
  327. properties:
  328. audiences:
  329. description: |-
  330. Audience specifies the `aud` claim for the service account token
  331. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  332. then this audiences will be appended to the list
  333. items:
  334. type: string
  335. type: array
  336. name:
  337. description: The name of the ServiceAccount resource being referred to.
  338. type: string
  339. namespace:
  340. description: |-
  341. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  342. to the namespace of the referent.
  343. type: string
  344. required:
  345. - name
  346. type: object
  347. type: object
  348. secretRef:
  349. description: |-
  350. AWSAuthSecretRef holds secret references for AWS credentials
  351. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  352. properties:
  353. accessKeyIDSecretRef:
  354. description: The AccessKeyID is used for authentication
  355. properties:
  356. key:
  357. description: |-
  358. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  359. defaulted, in others it may be required.
  360. type: string
  361. name:
  362. description: The name of the Secret resource being referred to.
  363. type: string
  364. namespace:
  365. description: |-
  366. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  367. to the namespace of the referent.
  368. type: string
  369. type: object
  370. secretAccessKeySecretRef:
  371. description: The SecretAccessKey is used for authentication
  372. properties:
  373. key:
  374. description: |-
  375. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  376. defaulted, in others it may be required.
  377. type: string
  378. name:
  379. description: The name of the Secret resource being referred to.
  380. type: string
  381. namespace:
  382. description: |-
  383. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  384. to the namespace of the referent.
  385. type: string
  386. type: object
  387. type: object
  388. type: object
  389. region:
  390. description: AWS Region to be used for the provider
  391. type: string
  392. role:
  393. description: Role is a Role ARN which the SecretManager provider will assume
  394. type: string
  395. service:
  396. description: Service defines which service should be used to fetch the secrets
  397. enum:
  398. - SecretsManager
  399. - ParameterStore
  400. type: string
  401. required:
  402. - region
  403. - service
  404. type: object
  405. azurekv:
  406. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  407. properties:
  408. authSecretRef:
  409. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type.
  410. properties:
  411. clientId:
  412. description: The Azure clientId of the service principle used for authentication.
  413. properties:
  414. key:
  415. description: |-
  416. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  417. defaulted, in others it may be required.
  418. type: string
  419. name:
  420. description: The name of the Secret resource being referred to.
  421. type: string
  422. namespace:
  423. description: |-
  424. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  425. to the namespace of the referent.
  426. type: string
  427. type: object
  428. clientSecret:
  429. description: The Azure ClientSecret of the service principle used for authentication.
  430. properties:
  431. key:
  432. description: |-
  433. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  434. defaulted, in others it may be required.
  435. type: string
  436. name:
  437. description: The name of the Secret resource being referred to.
  438. type: string
  439. namespace:
  440. description: |-
  441. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  442. to the namespace of the referent.
  443. type: string
  444. type: object
  445. type: object
  446. authType:
  447. default: ServicePrincipal
  448. description: |-
  449. Auth type defines how to authenticate to the keyvault service.
  450. Valid values are:
  451. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  452. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  453. enum:
  454. - ServicePrincipal
  455. - ManagedIdentity
  456. - WorkloadIdentity
  457. type: string
  458. identityId:
  459. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  460. type: string
  461. serviceAccountRef:
  462. description: |-
  463. ServiceAccountRef specified the service account
  464. that should be used when authenticating with WorkloadIdentity.
  465. properties:
  466. audiences:
  467. description: |-
  468. Audience specifies the `aud` claim for the service account token
  469. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  470. then this audiences will be appended to the list
  471. items:
  472. type: string
  473. type: array
  474. name:
  475. description: The name of the ServiceAccount resource being referred to.
  476. type: string
  477. namespace:
  478. description: |-
  479. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  480. to the namespace of the referent.
  481. type: string
  482. required:
  483. - name
  484. type: object
  485. tenantId:
  486. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type.
  487. type: string
  488. vaultUrl:
  489. description: Vault Url from which the secrets to be fetched from.
  490. type: string
  491. required:
  492. - vaultUrl
  493. type: object
  494. fake:
  495. description: Fake configures a store with static key/value pairs
  496. properties:
  497. data:
  498. items:
  499. properties:
  500. key:
  501. type: string
  502. value:
  503. type: string
  504. valueMap:
  505. additionalProperties:
  506. type: string
  507. type: object
  508. version:
  509. type: string
  510. required:
  511. - key
  512. type: object
  513. type: array
  514. required:
  515. - data
  516. type: object
  517. gcpsm:
  518. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  519. properties:
  520. auth:
  521. description: Auth defines the information necessary to authenticate against GCP
  522. properties:
  523. secretRef:
  524. properties:
  525. secretAccessKeySecretRef:
  526. description: The SecretAccessKey is used for authentication
  527. properties:
  528. key:
  529. description: |-
  530. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  531. defaulted, in others it may be required.
  532. type: string
  533. name:
  534. description: The name of the Secret resource being referred to.
  535. type: string
  536. namespace:
  537. description: |-
  538. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  539. to the namespace of the referent.
  540. type: string
  541. type: object
  542. type: object
  543. workloadIdentity:
  544. properties:
  545. clusterLocation:
  546. type: string
  547. clusterName:
  548. type: string
  549. clusterProjectID:
  550. type: string
  551. serviceAccountRef:
  552. description: A reference to a ServiceAccount resource.
  553. properties:
  554. audiences:
  555. description: |-
  556. Audience specifies the `aud` claim for the service account token
  557. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  558. then this audiences will be appended to the list
  559. items:
  560. type: string
  561. type: array
  562. name:
  563. description: The name of the ServiceAccount resource being referred to.
  564. type: string
  565. namespace:
  566. description: |-
  567. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  568. to the namespace of the referent.
  569. type: string
  570. required:
  571. - name
  572. type: object
  573. required:
  574. - clusterLocation
  575. - clusterName
  576. - serviceAccountRef
  577. type: object
  578. type: object
  579. projectID:
  580. description: ProjectID project where secret is located
  581. type: string
  582. type: object
  583. gitlab:
  584. description: GitLab configures this store to sync secrets using GitLab Variables provider
  585. properties:
  586. auth:
  587. description: Auth configures how secret-manager authenticates with a GitLab instance.
  588. properties:
  589. SecretRef:
  590. properties:
  591. accessToken:
  592. description: AccessToken is used for authentication.
  593. properties:
  594. key:
  595. description: |-
  596. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  597. defaulted, in others it may be required.
  598. type: string
  599. name:
  600. description: The name of the Secret resource being referred to.
  601. type: string
  602. namespace:
  603. description: |-
  604. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  605. to the namespace of the referent.
  606. type: string
  607. type: object
  608. type: object
  609. required:
  610. - SecretRef
  611. type: object
  612. projectID:
  613. description: ProjectID specifies a project where secrets are located.
  614. type: string
  615. url:
  616. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  617. type: string
  618. required:
  619. - auth
  620. type: object
  621. ibm:
  622. description: IBM configures this store to sync secrets using IBM Cloud provider
  623. properties:
  624. auth:
  625. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  626. properties:
  627. secretRef:
  628. properties:
  629. secretApiKeySecretRef:
  630. description: The SecretAccessKey is used for authentication
  631. properties:
  632. key:
  633. description: |-
  634. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  635. defaulted, in others it may be required.
  636. type: string
  637. name:
  638. description: The name of the Secret resource being referred to.
  639. type: string
  640. namespace:
  641. description: |-
  642. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  643. to the namespace of the referent.
  644. type: string
  645. type: object
  646. type: object
  647. required:
  648. - secretRef
  649. type: object
  650. serviceUrl:
  651. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  652. type: string
  653. required:
  654. - auth
  655. type: object
  656. kubernetes:
  657. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  658. properties:
  659. auth:
  660. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  661. maxProperties: 1
  662. minProperties: 1
  663. properties:
  664. cert:
  665. description: has both clientCert and clientKey as secretKeySelector
  666. properties:
  667. clientCert:
  668. description: |-
  669. A reference to a specific 'key' within a Secret resource,
  670. In some instances, `key` is a required field.
  671. properties:
  672. key:
  673. description: |-
  674. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  675. defaulted, in others it may be required.
  676. type: string
  677. name:
  678. description: The name of the Secret resource being referred to.
  679. type: string
  680. namespace:
  681. description: |-
  682. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  683. to the namespace of the referent.
  684. type: string
  685. type: object
  686. clientKey:
  687. description: |-
  688. A reference to a specific 'key' within a Secret resource,
  689. In some instances, `key` is a required field.
  690. properties:
  691. key:
  692. description: |-
  693. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  694. defaulted, in others it may be required.
  695. type: string
  696. name:
  697. description: The name of the Secret resource being referred to.
  698. type: string
  699. namespace:
  700. description: |-
  701. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  702. to the namespace of the referent.
  703. type: string
  704. type: object
  705. type: object
  706. serviceAccount:
  707. description: points to a service account that should be used for authentication
  708. properties:
  709. serviceAccount:
  710. description: A reference to a ServiceAccount resource.
  711. properties:
  712. audiences:
  713. description: |-
  714. Audience specifies the `aud` claim for the service account token
  715. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  716. then this audiences will be appended to the list
  717. items:
  718. type: string
  719. type: array
  720. name:
  721. description: The name of the ServiceAccount resource being referred to.
  722. type: string
  723. namespace:
  724. description: |-
  725. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  726. to the namespace of the referent.
  727. type: string
  728. required:
  729. - name
  730. type: object
  731. type: object
  732. token:
  733. description: use static token to authenticate with
  734. properties:
  735. bearerToken:
  736. description: |-
  737. A reference to a specific 'key' within a Secret resource,
  738. In some instances, `key` is a required field.
  739. properties:
  740. key:
  741. description: |-
  742. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  743. defaulted, in others it may be required.
  744. type: string
  745. name:
  746. description: The name of the Secret resource being referred to.
  747. type: string
  748. namespace:
  749. description: |-
  750. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  751. to the namespace of the referent.
  752. type: string
  753. type: object
  754. type: object
  755. type: object
  756. remoteNamespace:
  757. default: default
  758. description: Remote namespace to fetch the secrets from
  759. type: string
  760. server:
  761. description: configures the Kubernetes server Address.
  762. properties:
  763. caBundle:
  764. description: CABundle is a base64-encoded CA certificate
  765. format: byte
  766. type: string
  767. caProvider:
  768. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  769. properties:
  770. key:
  771. description: The key the value inside of the provider type to use, only used with "Secret" type
  772. type: string
  773. name:
  774. description: The name of the object located at the provider type.
  775. type: string
  776. namespace:
  777. description: The namespace the Provider type is in.
  778. type: string
  779. type:
  780. description: The type of provider to use such as "Secret", or "ConfigMap".
  781. enum:
  782. - Secret
  783. - ConfigMap
  784. type: string
  785. required:
  786. - name
  787. - type
  788. type: object
  789. url:
  790. default: kubernetes.default
  791. description: configures the Kubernetes server Address.
  792. type: string
  793. type: object
  794. required:
  795. - auth
  796. type: object
  797. oracle:
  798. description: Oracle configures this store to sync secrets using Oracle Vault provider
  799. properties:
  800. auth:
  801. description: |-
  802. Auth configures how secret-manager authenticates with the Oracle Vault.
  803. If empty, instance principal is used. Optionally, the authenticating principal type
  804. and/or user data may be supplied for the use of workload identity and user principal.
  805. properties:
  806. secretRef:
  807. description: SecretRef to pass through sensitive information.
  808. properties:
  809. fingerprint:
  810. description: Fingerprint is the fingerprint of the API private key.
  811. properties:
  812. key:
  813. description: |-
  814. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  815. defaulted, in others it may be required.
  816. type: string
  817. name:
  818. description: The name of the Secret resource being referred to.
  819. type: string
  820. namespace:
  821. description: |-
  822. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  823. to the namespace of the referent.
  824. type: string
  825. type: object
  826. privatekey:
  827. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  828. properties:
  829. key:
  830. description: |-
  831. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  832. defaulted, in others it may be required.
  833. type: string
  834. name:
  835. description: The name of the Secret resource being referred to.
  836. type: string
  837. namespace:
  838. description: |-
  839. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  840. to the namespace of the referent.
  841. type: string
  842. type: object
  843. required:
  844. - fingerprint
  845. - privatekey
  846. type: object
  847. tenancy:
  848. description: Tenancy is the tenancy OCID where user is located.
  849. type: string
  850. user:
  851. description: User is an access OCID specific to the account.
  852. type: string
  853. required:
  854. - secretRef
  855. - tenancy
  856. - user
  857. type: object
  858. compartment:
  859. description: |-
  860. Compartment is the vault compartment OCID.
  861. Required for PushSecret
  862. type: string
  863. encryptionKey:
  864. description: |-
  865. EncryptionKey is the OCID of the encryption key within the vault.
  866. Required for PushSecret
  867. type: string
  868. principalType:
  869. description: |-
  870. The type of principal to use for authentication. If left blank, the Auth struct will
  871. determine the principal type. This optional field must be specified if using
  872. workload identity.
  873. enum:
  874. - ""
  875. - UserPrincipal
  876. - InstancePrincipal
  877. - Workload
  878. type: string
  879. region:
  880. description: Region is the region where vault is located.
  881. type: string
  882. serviceAccountRef:
  883. description: |-
  884. ServiceAccountRef specified the service account
  885. that should be used when authenticating with WorkloadIdentity.
  886. properties:
  887. audiences:
  888. description: |-
  889. Audience specifies the `aud` claim for the service account token
  890. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  891. then this audiences will be appended to the list
  892. items:
  893. type: string
  894. type: array
  895. name:
  896. description: The name of the ServiceAccount resource being referred to.
  897. type: string
  898. namespace:
  899. description: |-
  900. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  901. to the namespace of the referent.
  902. type: string
  903. required:
  904. - name
  905. type: object
  906. vault:
  907. description: Vault is the vault's OCID of the specific vault where secret is located.
  908. type: string
  909. required:
  910. - region
  911. - vault
  912. type: object
  913. passworddepot:
  914. description: Configures a store to sync secrets with a Password Depot instance.
  915. properties:
  916. auth:
  917. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  918. properties:
  919. secretRef:
  920. properties:
  921. credentials:
  922. description: Username / Password is used for authentication.
  923. properties:
  924. key:
  925. description: |-
  926. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  927. defaulted, in others it may be required.
  928. type: string
  929. name:
  930. description: The name of the Secret resource being referred to.
  931. type: string
  932. namespace:
  933. description: |-
  934. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  935. to the namespace of the referent.
  936. type: string
  937. type: object
  938. type: object
  939. required:
  940. - secretRef
  941. type: object
  942. database:
  943. description: Database to use as source
  944. type: string
  945. host:
  946. description: URL configures the Password Depot instance URL.
  947. type: string
  948. required:
  949. - auth
  950. - database
  951. - host
  952. type: object
  953. vault:
  954. description: Vault configures this store to sync secrets using Hashi provider
  955. properties:
  956. auth:
  957. description: Auth configures how secret-manager authenticates with the Vault server.
  958. properties:
  959. appRole:
  960. description: |-
  961. AppRole authenticates with Vault using the App Role auth mechanism,
  962. with the role and secret stored in a Kubernetes Secret resource.
  963. properties:
  964. path:
  965. default: approle
  966. description: |-
  967. Path where the App Role authentication backend is mounted
  968. in Vault, e.g: "approle"
  969. type: string
  970. roleId:
  971. description: |-
  972. RoleID configured in the App Role authentication backend when setting
  973. up the authentication backend in Vault.
  974. type: string
  975. secretRef:
  976. description: |-
  977. Reference to a key in a Secret that contains the App Role secret used
  978. to authenticate with Vault.
  979. The `key` field must be specified and denotes which entry within the Secret
  980. resource is used as the app role secret.
  981. properties:
  982. key:
  983. description: |-
  984. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  985. defaulted, in others it may be required.
  986. type: string
  987. name:
  988. description: The name of the Secret resource being referred to.
  989. type: string
  990. namespace:
  991. description: |-
  992. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  993. to the namespace of the referent.
  994. type: string
  995. type: object
  996. required:
  997. - path
  998. - roleId
  999. - secretRef
  1000. type: object
  1001. cert:
  1002. description: |-
  1003. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  1004. Cert authentication method
  1005. properties:
  1006. clientCert:
  1007. description: |-
  1008. ClientCert is a certificate to authenticate using the Cert Vault
  1009. authentication method
  1010. properties:
  1011. key:
  1012. description: |-
  1013. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1014. defaulted, in others it may be required.
  1015. type: string
  1016. name:
  1017. description: The name of the Secret resource being referred to.
  1018. type: string
  1019. namespace:
  1020. description: |-
  1021. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1022. to the namespace of the referent.
  1023. type: string
  1024. type: object
  1025. secretRef:
  1026. description: |-
  1027. SecretRef to a key in a Secret resource containing client private key to
  1028. authenticate with Vault using the Cert authentication method
  1029. properties:
  1030. key:
  1031. description: |-
  1032. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1033. defaulted, in others it may be required.
  1034. type: string
  1035. name:
  1036. description: The name of the Secret resource being referred to.
  1037. type: string
  1038. namespace:
  1039. description: |-
  1040. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1041. to the namespace of the referent.
  1042. type: string
  1043. type: object
  1044. type: object
  1045. jwt:
  1046. description: |-
  1047. Jwt authenticates with Vault by passing role and JWT token using the
  1048. JWT/OIDC authentication method
  1049. properties:
  1050. kubernetesServiceAccountToken:
  1051. description: |-
  1052. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  1053. a token for with the `TokenRequest` API.
  1054. properties:
  1055. audiences:
  1056. description: |-
  1057. Optional audiences field that will be used to request a temporary Kubernetes service
  1058. account token for the service account referenced by `serviceAccountRef`.
  1059. Defaults to a single audience `vault` it not specified.
  1060. items:
  1061. type: string
  1062. type: array
  1063. expirationSeconds:
  1064. description: |-
  1065. Optional expiration time in seconds that will be used to request a temporary
  1066. Kubernetes service account token for the service account referenced by
  1067. `serviceAccountRef`.
  1068. Defaults to 10 minutes.
  1069. format: int64
  1070. type: integer
  1071. serviceAccountRef:
  1072. description: Service account field containing the name of a kubernetes ServiceAccount.
  1073. properties:
  1074. audiences:
  1075. description: |-
  1076. Audience specifies the `aud` claim for the service account token
  1077. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1078. then this audiences will be appended to the list
  1079. items:
  1080. type: string
  1081. type: array
  1082. name:
  1083. description: The name of the ServiceAccount resource being referred to.
  1084. type: string
  1085. namespace:
  1086. description: |-
  1087. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1088. to the namespace of the referent.
  1089. type: string
  1090. required:
  1091. - name
  1092. type: object
  1093. required:
  1094. - serviceAccountRef
  1095. type: object
  1096. path:
  1097. default: jwt
  1098. description: |-
  1099. Path where the JWT authentication backend is mounted
  1100. in Vault, e.g: "jwt"
  1101. type: string
  1102. role:
  1103. description: |-
  1104. Role is a JWT role to authenticate using the JWT/OIDC Vault
  1105. authentication method
  1106. type: string
  1107. secretRef:
  1108. description: |-
  1109. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  1110. authenticate with Vault using the JWT/OIDC authentication method.
  1111. properties:
  1112. key:
  1113. description: |-
  1114. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1115. defaulted, in others it may be required.
  1116. type: string
  1117. name:
  1118. description: The name of the Secret resource being referred to.
  1119. type: string
  1120. namespace:
  1121. description: |-
  1122. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1123. to the namespace of the referent.
  1124. type: string
  1125. type: object
  1126. required:
  1127. - path
  1128. type: object
  1129. kubernetes:
  1130. description: |-
  1131. Kubernetes authenticates with Vault by passing the ServiceAccount
  1132. token stored in the named Secret resource to the Vault server.
  1133. properties:
  1134. mountPath:
  1135. default: kubernetes
  1136. description: |-
  1137. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  1138. "kubernetes"
  1139. type: string
  1140. role:
  1141. description: |-
  1142. A required field containing the Vault Role to assume. A Role binds a
  1143. Kubernetes ServiceAccount with a set of Vault policies.
  1144. type: string
  1145. secretRef:
  1146. description: |-
  1147. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1148. for authenticating with Vault. If a name is specified without a key,
  1149. `token` is the default. If one is not specified, the one bound to
  1150. the controller will be used.
  1151. properties:
  1152. key:
  1153. description: |-
  1154. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1155. defaulted, in others it may be required.
  1156. type: string
  1157. name:
  1158. description: The name of the Secret resource being referred to.
  1159. type: string
  1160. namespace:
  1161. description: |-
  1162. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1163. to the namespace of the referent.
  1164. type: string
  1165. type: object
  1166. serviceAccountRef:
  1167. description: |-
  1168. Optional service account field containing the name of a kubernetes ServiceAccount.
  1169. If the service account is specified, the service account secret token JWT will be used
  1170. for authenticating with Vault. If the service account selector is not supplied,
  1171. the secretRef will be used instead.
  1172. properties:
  1173. audiences:
  1174. description: |-
  1175. Audience specifies the `aud` claim for the service account token
  1176. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1177. then this audiences will be appended to the list
  1178. items:
  1179. type: string
  1180. type: array
  1181. name:
  1182. description: The name of the ServiceAccount resource being referred to.
  1183. type: string
  1184. namespace:
  1185. description: |-
  1186. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1187. to the namespace of the referent.
  1188. type: string
  1189. required:
  1190. - name
  1191. type: object
  1192. required:
  1193. - mountPath
  1194. - role
  1195. type: object
  1196. ldap:
  1197. description: |-
  1198. Ldap authenticates with Vault by passing username/password pair using
  1199. the LDAP authentication method
  1200. properties:
  1201. path:
  1202. default: ldap
  1203. description: |-
  1204. Path where the LDAP authentication backend is mounted
  1205. in Vault, e.g: "ldap"
  1206. type: string
  1207. secretRef:
  1208. description: |-
  1209. SecretRef to a key in a Secret resource containing password for the LDAP
  1210. user used to authenticate with Vault using the LDAP authentication
  1211. method
  1212. properties:
  1213. key:
  1214. description: |-
  1215. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1216. defaulted, in others it may be required.
  1217. type: string
  1218. name:
  1219. description: The name of the Secret resource being referred to.
  1220. type: string
  1221. namespace:
  1222. description: |-
  1223. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1224. to the namespace of the referent.
  1225. type: string
  1226. type: object
  1227. username:
  1228. description: |-
  1229. Username is a LDAP user name used to authenticate using the LDAP Vault
  1230. authentication method
  1231. type: string
  1232. required:
  1233. - path
  1234. - username
  1235. type: object
  1236. tokenSecretRef:
  1237. description: TokenSecretRef authenticates with Vault by presenting a token.
  1238. properties:
  1239. key:
  1240. description: |-
  1241. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1242. defaulted, in others it may be required.
  1243. type: string
  1244. name:
  1245. description: The name of the Secret resource being referred to.
  1246. type: string
  1247. namespace:
  1248. description: |-
  1249. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1250. to the namespace of the referent.
  1251. type: string
  1252. type: object
  1253. type: object
  1254. caBundle:
  1255. description: |-
  1256. PEM encoded CA bundle used to validate Vault server certificate. Only used
  1257. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1258. plain HTTP protocol connection. If not set the system root certificates
  1259. are used to validate the TLS connection.
  1260. format: byte
  1261. type: string
  1262. caProvider:
  1263. description: The provider for the CA bundle to use to validate Vault server certificate.
  1264. properties:
  1265. key:
  1266. description: The key the value inside of the provider type to use, only used with "Secret" type
  1267. type: string
  1268. name:
  1269. description: The name of the object located at the provider type.
  1270. type: string
  1271. namespace:
  1272. description: The namespace the Provider type is in.
  1273. type: string
  1274. type:
  1275. description: The type of provider to use such as "Secret", or "ConfigMap".
  1276. enum:
  1277. - Secret
  1278. - ConfigMap
  1279. type: string
  1280. required:
  1281. - name
  1282. - type
  1283. type: object
  1284. forwardInconsistent:
  1285. description: |-
  1286. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  1287. leader instead of simply retrying within a loop. This can increase performance if
  1288. the option is enabled serverside.
  1289. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  1290. type: boolean
  1291. namespace:
  1292. description: |-
  1293. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  1294. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  1295. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  1296. type: string
  1297. path:
  1298. description: |-
  1299. Path is the mount path of the Vault KV backend endpoint, e.g:
  1300. "secret". The v2 KV secret engine version specific "/data" path suffix
  1301. for fetching secrets from Vault is optional and will be appended
  1302. if not present in specified path.
  1303. type: string
  1304. readYourWrites:
  1305. description: |-
  1306. ReadYourWrites ensures isolated read-after-write semantics by
  1307. providing discovered cluster replication states in each request.
  1308. More information about eventual consistency in Vault can be found here
  1309. https://www.vaultproject.io/docs/enterprise/consistency
  1310. type: boolean
  1311. server:
  1312. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  1313. type: string
  1314. version:
  1315. default: v2
  1316. description: |-
  1317. Version is the Vault KV secret engine version. This can be either "v1" or
  1318. "v2". Version defaults to "v2".
  1319. enum:
  1320. - v1
  1321. - v2
  1322. type: string
  1323. required:
  1324. - auth
  1325. - server
  1326. type: object
  1327. webhook:
  1328. description: Webhook configures this store to sync secrets using a generic templated webhook
  1329. properties:
  1330. body:
  1331. description: Body
  1332. type: string
  1333. caBundle:
  1334. description: |-
  1335. PEM encoded CA bundle used to validate webhook server certificate. Only used
  1336. if the Server URL is using HTTPS protocol. This parameter is ignored for
  1337. plain HTTP protocol connection. If not set the system root certificates
  1338. are used to validate the TLS connection.
  1339. format: byte
  1340. type: string
  1341. caProvider:
  1342. description: The provider for the CA bundle to use to validate webhook server certificate.
  1343. properties:
  1344. key:
  1345. description: The key the value inside of the provider type to use, only used with "Secret" type
  1346. type: string
  1347. name:
  1348. description: The name of the object located at the provider type.
  1349. type: string
  1350. namespace:
  1351. description: The namespace the Provider type is in.
  1352. type: string
  1353. type:
  1354. description: The type of provider to use such as "Secret", or "ConfigMap".
  1355. enum:
  1356. - Secret
  1357. - ConfigMap
  1358. type: string
  1359. required:
  1360. - name
  1361. - type
  1362. type: object
  1363. headers:
  1364. additionalProperties:
  1365. type: string
  1366. description: Headers
  1367. type: object
  1368. method:
  1369. description: Webhook Method
  1370. type: string
  1371. result:
  1372. description: Result formatting
  1373. properties:
  1374. jsonPath:
  1375. description: Json path of return value
  1376. type: string
  1377. type: object
  1378. secrets:
  1379. description: |-
  1380. Secrets to fill in templates
  1381. These secrets will be passed to the templating function as key value pairs under the given name
  1382. items:
  1383. properties:
  1384. name:
  1385. description: Name of this secret in templates
  1386. type: string
  1387. secretRef:
  1388. description: Secret ref to fill in credentials
  1389. properties:
  1390. key:
  1391. description: |-
  1392. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1393. defaulted, in others it may be required.
  1394. type: string
  1395. name:
  1396. description: The name of the Secret resource being referred to.
  1397. type: string
  1398. namespace:
  1399. description: |-
  1400. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1401. to the namespace of the referent.
  1402. type: string
  1403. type: object
  1404. required:
  1405. - name
  1406. - secretRef
  1407. type: object
  1408. type: array
  1409. timeout:
  1410. description: Timeout
  1411. type: string
  1412. url:
  1413. description: Webhook url to call
  1414. type: string
  1415. required:
  1416. - result
  1417. - url
  1418. type: object
  1419. yandexlockbox:
  1420. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  1421. properties:
  1422. apiEndpoint:
  1423. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  1424. type: string
  1425. auth:
  1426. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  1427. properties:
  1428. authorizedKeySecretRef:
  1429. description: The authorized key used for authentication
  1430. properties:
  1431. key:
  1432. description: |-
  1433. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1434. defaulted, in others it may be required.
  1435. type: string
  1436. name:
  1437. description: The name of the Secret resource being referred to.
  1438. type: string
  1439. namespace:
  1440. description: |-
  1441. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1442. to the namespace of the referent.
  1443. type: string
  1444. type: object
  1445. type: object
  1446. caProvider:
  1447. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  1448. properties:
  1449. certSecretRef:
  1450. description: |-
  1451. A reference to a specific 'key' within a Secret resource,
  1452. In some instances, `key` is a required field.
  1453. properties:
  1454. key:
  1455. description: |-
  1456. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1457. defaulted, in others it may be required.
  1458. type: string
  1459. name:
  1460. description: The name of the Secret resource being referred to.
  1461. type: string
  1462. namespace:
  1463. description: |-
  1464. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1465. to the namespace of the referent.
  1466. type: string
  1467. type: object
  1468. type: object
  1469. required:
  1470. - auth
  1471. type: object
  1472. type: object
  1473. retrySettings:
  1474. description: Used to configure http retries if failed
  1475. properties:
  1476. maxRetries:
  1477. format: int32
  1478. type: integer
  1479. retryInterval:
  1480. type: string
  1481. type: object
  1482. required:
  1483. - provider
  1484. type: object
  1485. status:
  1486. description: SecretStoreStatus defines the observed state of the SecretStore.
  1487. properties:
  1488. conditions:
  1489. items:
  1490. properties:
  1491. lastTransitionTime:
  1492. format: date-time
  1493. type: string
  1494. message:
  1495. type: string
  1496. reason:
  1497. type: string
  1498. status:
  1499. type: string
  1500. type:
  1501. type: string
  1502. required:
  1503. - status
  1504. - type
  1505. type: object
  1506. type: array
  1507. type: object
  1508. type: object
  1509. served: true
  1510. storage: false
  1511. subresources:
  1512. status: {}
  1513. - additionalPrinterColumns:
  1514. - jsonPath: .metadata.creationTimestamp
  1515. name: AGE
  1516. type: date
  1517. - jsonPath: .status.conditions[?(@.type=="Ready")].reason
  1518. name: Status
  1519. type: string
  1520. - jsonPath: .status.capabilities
  1521. name: Capabilities
  1522. type: string
  1523. - jsonPath: .status.conditions[?(@.type=="Ready")].status
  1524. name: Ready
  1525. type: string
  1526. name: v1beta1
  1527. schema:
  1528. openAPIV3Schema:
  1529. description: SecretStore represents a secure external location for storing secrets, which can be referenced as part of `storeRef` fields.
  1530. properties:
  1531. apiVersion:
  1532. description: |-
  1533. APIVersion defines the versioned schema of this representation of an object.
  1534. Servers should convert recognized schemas to the latest internal value, and
  1535. may reject unrecognized values.
  1536. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
  1537. type: string
  1538. kind:
  1539. description: |-
  1540. Kind is a string value representing the REST resource this object represents.
  1541. Servers may infer this from the endpoint the client submits requests to.
  1542. Cannot be updated.
  1543. In CamelCase.
  1544. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  1545. type: string
  1546. metadata:
  1547. type: object
  1548. spec:
  1549. description: SecretStoreSpec defines the desired state of SecretStore.
  1550. properties:
  1551. conditions:
  1552. description: Used to constraint a ClusterSecretStore to specific namespaces. Relevant only to ClusterSecretStore
  1553. items:
  1554. description: |-
  1555. ClusterSecretStoreCondition describes a condition by which to choose namespaces to process ExternalSecrets in
  1556. for a ClusterSecretStore instance.
  1557. properties:
  1558. namespaceSelector:
  1559. description: Choose namespace using a labelSelector
  1560. properties:
  1561. matchExpressions:
  1562. description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
  1563. items:
  1564. description: |-
  1565. A label selector requirement is a selector that contains values, a key, and an operator that
  1566. relates the key and values.
  1567. properties:
  1568. key:
  1569. description: key is the label key that the selector applies to.
  1570. type: string
  1571. operator:
  1572. description: |-
  1573. operator represents a key's relationship to a set of values.
  1574. Valid operators are In, NotIn, Exists and DoesNotExist.
  1575. type: string
  1576. values:
  1577. description: |-
  1578. values is an array of string values. If the operator is In or NotIn,
  1579. the values array must be non-empty. If the operator is Exists or DoesNotExist,
  1580. the values array must be empty. This array is replaced during a strategic
  1581. merge patch.
  1582. items:
  1583. type: string
  1584. type: array
  1585. x-kubernetes-list-type: atomic
  1586. required:
  1587. - key
  1588. - operator
  1589. type: object
  1590. type: array
  1591. x-kubernetes-list-type: atomic
  1592. matchLabels:
  1593. additionalProperties:
  1594. type: string
  1595. description: |-
  1596. matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  1597. map is equivalent to an element of matchExpressions, whose key field is "key", the
  1598. operator is "In", and the values array contains only "value". The requirements are ANDed.
  1599. type: object
  1600. type: object
  1601. x-kubernetes-map-type: atomic
  1602. namespaces:
  1603. description: Choose namespaces by name
  1604. items:
  1605. type: string
  1606. type: array
  1607. type: object
  1608. type: array
  1609. controller:
  1610. description: |-
  1611. Used to select the correct ESO controller (think: ingress.ingressClassName)
  1612. The ESO controller is instantiated with a specific controller name and filters ES based on this property
  1613. type: string
  1614. provider:
  1615. description: Used to configure the provider. Only one provider may be set
  1616. maxProperties: 1
  1617. minProperties: 1
  1618. properties:
  1619. akeyless:
  1620. description: Akeyless configures this store to sync secrets using Akeyless Vault provider
  1621. properties:
  1622. akeylessGWApiURL:
  1623. description: Akeyless GW API Url from which the secrets to be fetched from.
  1624. type: string
  1625. authSecretRef:
  1626. description: Auth configures how the operator authenticates with Akeyless.
  1627. properties:
  1628. kubernetesAuth:
  1629. description: |-
  1630. Kubernetes authenticates with Akeyless by passing the ServiceAccount
  1631. token stored in the named Secret resource.
  1632. properties:
  1633. accessID:
  1634. description: the Akeyless Kubernetes auth-method access-id
  1635. type: string
  1636. k8sConfName:
  1637. description: Kubernetes-auth configuration name in Akeyless-Gateway
  1638. type: string
  1639. secretRef:
  1640. description: |-
  1641. Optional secret field containing a Kubernetes ServiceAccount JWT used
  1642. for authenticating with Akeyless. If a name is specified without a key,
  1643. `token` is the default. If one is not specified, the one bound to
  1644. the controller will be used.
  1645. properties:
  1646. key:
  1647. description: |-
  1648. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1649. defaulted, in others it may be required.
  1650. type: string
  1651. name:
  1652. description: The name of the Secret resource being referred to.
  1653. type: string
  1654. namespace:
  1655. description: |-
  1656. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1657. to the namespace of the referent.
  1658. type: string
  1659. type: object
  1660. serviceAccountRef:
  1661. description: |-
  1662. Optional service account field containing the name of a kubernetes ServiceAccount.
  1663. If the service account is specified, the service account secret token JWT will be used
  1664. for authenticating with Akeyless. If the service account selector is not supplied,
  1665. the secretRef will be used instead.
  1666. properties:
  1667. audiences:
  1668. description: |-
  1669. Audience specifies the `aud` claim for the service account token
  1670. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1671. then this audiences will be appended to the list
  1672. items:
  1673. type: string
  1674. type: array
  1675. name:
  1676. description: The name of the ServiceAccount resource being referred to.
  1677. type: string
  1678. namespace:
  1679. description: |-
  1680. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1681. to the namespace of the referent.
  1682. type: string
  1683. required:
  1684. - name
  1685. type: object
  1686. required:
  1687. - accessID
  1688. - k8sConfName
  1689. type: object
  1690. secretRef:
  1691. description: |-
  1692. Reference to a Secret that contains the details
  1693. to authenticate with Akeyless.
  1694. properties:
  1695. accessID:
  1696. description: The SecretAccessID is used for authentication
  1697. properties:
  1698. key:
  1699. description: |-
  1700. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1701. defaulted, in others it may be required.
  1702. type: string
  1703. name:
  1704. description: The name of the Secret resource being referred to.
  1705. type: string
  1706. namespace:
  1707. description: |-
  1708. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1709. to the namespace of the referent.
  1710. type: string
  1711. type: object
  1712. accessType:
  1713. description: |-
  1714. A reference to a specific 'key' within a Secret resource,
  1715. In some instances, `key` is a required field.
  1716. properties:
  1717. key:
  1718. description: |-
  1719. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1720. defaulted, in others it may be required.
  1721. type: string
  1722. name:
  1723. description: The name of the Secret resource being referred to.
  1724. type: string
  1725. namespace:
  1726. description: |-
  1727. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1728. to the namespace of the referent.
  1729. type: string
  1730. type: object
  1731. accessTypeParam:
  1732. description: |-
  1733. A reference to a specific 'key' within a Secret resource,
  1734. In some instances, `key` is a required field.
  1735. properties:
  1736. key:
  1737. description: |-
  1738. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1739. defaulted, in others it may be required.
  1740. type: string
  1741. name:
  1742. description: The name of the Secret resource being referred to.
  1743. type: string
  1744. namespace:
  1745. description: |-
  1746. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1747. to the namespace of the referent.
  1748. type: string
  1749. type: object
  1750. type: object
  1751. type: object
  1752. caBundle:
  1753. description: |-
  1754. PEM/base64 encoded CA bundle used to validate Akeyless Gateway certificate. Only used
  1755. if the AkeylessGWApiURL URL is using HTTPS protocol. If not set the system root certificates
  1756. are used to validate the TLS connection.
  1757. format: byte
  1758. type: string
  1759. caProvider:
  1760. description: The provider for the CA bundle to use to validate Akeyless Gateway certificate.
  1761. properties:
  1762. key:
  1763. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  1764. type: string
  1765. name:
  1766. description: The name of the object located at the provider type.
  1767. type: string
  1768. namespace:
  1769. description: |-
  1770. The namespace the Provider type is in.
  1771. Can only be defined when used in a ClusterSecretStore.
  1772. type: string
  1773. type:
  1774. description: The type of provider to use such as "Secret", or "ConfigMap".
  1775. enum:
  1776. - Secret
  1777. - ConfigMap
  1778. type: string
  1779. required:
  1780. - name
  1781. - type
  1782. type: object
  1783. required:
  1784. - akeylessGWApiURL
  1785. - authSecretRef
  1786. type: object
  1787. alibaba:
  1788. description: Alibaba configures this store to sync secrets using Alibaba Cloud provider
  1789. properties:
  1790. auth:
  1791. description: AlibabaAuth contains a secretRef for credentials.
  1792. properties:
  1793. rrsa:
  1794. description: Authenticate against Alibaba using RRSA.
  1795. properties:
  1796. oidcProviderArn:
  1797. type: string
  1798. oidcTokenFilePath:
  1799. type: string
  1800. roleArn:
  1801. type: string
  1802. sessionName:
  1803. type: string
  1804. required:
  1805. - oidcProviderArn
  1806. - oidcTokenFilePath
  1807. - roleArn
  1808. - sessionName
  1809. type: object
  1810. secretRef:
  1811. description: AlibabaAuthSecretRef holds secret references for Alibaba credentials.
  1812. properties:
  1813. accessKeyIDSecretRef:
  1814. description: The AccessKeyID is used for authentication
  1815. properties:
  1816. key:
  1817. description: |-
  1818. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1819. defaulted, in others it may be required.
  1820. type: string
  1821. name:
  1822. description: The name of the Secret resource being referred to.
  1823. type: string
  1824. namespace:
  1825. description: |-
  1826. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1827. to the namespace of the referent.
  1828. type: string
  1829. type: object
  1830. accessKeySecretSecretRef:
  1831. description: The AccessKeySecret is used for authentication
  1832. properties:
  1833. key:
  1834. description: |-
  1835. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1836. defaulted, in others it may be required.
  1837. type: string
  1838. name:
  1839. description: The name of the Secret resource being referred to.
  1840. type: string
  1841. namespace:
  1842. description: |-
  1843. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1844. to the namespace of the referent.
  1845. type: string
  1846. type: object
  1847. required:
  1848. - accessKeyIDSecretRef
  1849. - accessKeySecretSecretRef
  1850. type: object
  1851. type: object
  1852. regionID:
  1853. description: Alibaba Region to be used for the provider
  1854. type: string
  1855. required:
  1856. - auth
  1857. - regionID
  1858. type: object
  1859. aws:
  1860. description: AWS configures this store to sync secrets using AWS Secret Manager provider
  1861. properties:
  1862. additionalRoles:
  1863. description: AdditionalRoles is a chained list of Role ARNs which the provider will sequentially assume before assuming the Role
  1864. items:
  1865. type: string
  1866. type: array
  1867. auth:
  1868. description: |-
  1869. Auth defines the information necessary to authenticate against AWS
  1870. if not set aws sdk will infer credentials from your environment
  1871. see: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/configuring-sdk.html#specifying-credentials
  1872. properties:
  1873. jwt:
  1874. description: Authenticate against AWS using service account tokens.
  1875. properties:
  1876. serviceAccountRef:
  1877. description: A reference to a ServiceAccount resource.
  1878. properties:
  1879. audiences:
  1880. description: |-
  1881. Audience specifies the `aud` claim for the service account token
  1882. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  1883. then this audiences will be appended to the list
  1884. items:
  1885. type: string
  1886. type: array
  1887. name:
  1888. description: The name of the ServiceAccount resource being referred to.
  1889. type: string
  1890. namespace:
  1891. description: |-
  1892. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1893. to the namespace of the referent.
  1894. type: string
  1895. required:
  1896. - name
  1897. type: object
  1898. type: object
  1899. secretRef:
  1900. description: |-
  1901. AWSAuthSecretRef holds secret references for AWS credentials
  1902. both AccessKeyID and SecretAccessKey must be defined in order to properly authenticate.
  1903. properties:
  1904. accessKeyIDSecretRef:
  1905. description: The AccessKeyID is used for authentication
  1906. properties:
  1907. key:
  1908. description: |-
  1909. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1910. defaulted, in others it may be required.
  1911. type: string
  1912. name:
  1913. description: The name of the Secret resource being referred to.
  1914. type: string
  1915. namespace:
  1916. description: |-
  1917. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1918. to the namespace of the referent.
  1919. type: string
  1920. type: object
  1921. secretAccessKeySecretRef:
  1922. description: The SecretAccessKey is used for authentication
  1923. properties:
  1924. key:
  1925. description: |-
  1926. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1927. defaulted, in others it may be required.
  1928. type: string
  1929. name:
  1930. description: The name of the Secret resource being referred to.
  1931. type: string
  1932. namespace:
  1933. description: |-
  1934. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1935. to the namespace of the referent.
  1936. type: string
  1937. type: object
  1938. sessionTokenSecretRef:
  1939. description: |-
  1940. The SessionToken used for authentication
  1941. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  1942. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  1943. properties:
  1944. key:
  1945. description: |-
  1946. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  1947. defaulted, in others it may be required.
  1948. type: string
  1949. name:
  1950. description: The name of the Secret resource being referred to.
  1951. type: string
  1952. namespace:
  1953. description: |-
  1954. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  1955. to the namespace of the referent.
  1956. type: string
  1957. type: object
  1958. type: object
  1959. type: object
  1960. externalID:
  1961. description: AWS External ID set on assumed IAM roles
  1962. type: string
  1963. region:
  1964. description: AWS Region to be used for the provider
  1965. type: string
  1966. role:
  1967. description: Role is a Role ARN which the provider will assume
  1968. type: string
  1969. secretsManager:
  1970. description: SecretsManager defines how the provider behaves when interacting with AWS SecretsManager
  1971. properties:
  1972. forceDeleteWithoutRecovery:
  1973. description: |-
  1974. Specifies whether to delete the secret without any recovery window. You
  1975. can't use both this parameter and RecoveryWindowInDays in the same call.
  1976. If you don't use either, then by default Secrets Manager uses a 30 day
  1977. recovery window.
  1978. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-ForceDeleteWithoutRecovery
  1979. type: boolean
  1980. recoveryWindowInDays:
  1981. description: |-
  1982. The number of days from 7 to 30 that Secrets Manager waits before
  1983. permanently deleting the secret. You can't use both this parameter and
  1984. ForceDeleteWithoutRecovery in the same call. If you don't use either,
  1985. then by default Secrets Manager uses a 30 day recovery window.
  1986. see: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html#SecretsManager-DeleteSecret-request-RecoveryWindowInDays
  1987. format: int64
  1988. type: integer
  1989. type: object
  1990. service:
  1991. description: Service defines which service should be used to fetch the secrets
  1992. enum:
  1993. - SecretsManager
  1994. - ParameterStore
  1995. type: string
  1996. sessionTags:
  1997. description: AWS STS assume role session tags
  1998. items:
  1999. properties:
  2000. key:
  2001. type: string
  2002. value:
  2003. type: string
  2004. required:
  2005. - key
  2006. - value
  2007. type: object
  2008. type: array
  2009. transitiveTagKeys:
  2010. description: AWS STS assume role transitive session tags. Required when multiple rules are used with the provider
  2011. items:
  2012. type: string
  2013. type: array
  2014. required:
  2015. - region
  2016. - service
  2017. type: object
  2018. azurekv:
  2019. description: AzureKV configures this store to sync secrets using Azure Key Vault provider
  2020. properties:
  2021. authSecretRef:
  2022. description: Auth configures how the operator authenticates with Azure. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2023. properties:
  2024. clientId:
  2025. description: The Azure clientId of the service principle or managed identity used for authentication.
  2026. properties:
  2027. key:
  2028. description: |-
  2029. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2030. defaulted, in others it may be required.
  2031. type: string
  2032. name:
  2033. description: The name of the Secret resource being referred to.
  2034. type: string
  2035. namespace:
  2036. description: |-
  2037. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2038. to the namespace of the referent.
  2039. type: string
  2040. type: object
  2041. clientSecret:
  2042. description: The Azure ClientSecret of the service principle used for authentication.
  2043. properties:
  2044. key:
  2045. description: |-
  2046. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2047. defaulted, in others it may be required.
  2048. type: string
  2049. name:
  2050. description: The name of the Secret resource being referred to.
  2051. type: string
  2052. namespace:
  2053. description: |-
  2054. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2055. to the namespace of the referent.
  2056. type: string
  2057. type: object
  2058. tenantId:
  2059. description: The Azure tenantId of the managed identity used for authentication.
  2060. properties:
  2061. key:
  2062. description: |-
  2063. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2064. defaulted, in others it may be required.
  2065. type: string
  2066. name:
  2067. description: The name of the Secret resource being referred to.
  2068. type: string
  2069. namespace:
  2070. description: |-
  2071. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2072. to the namespace of the referent.
  2073. type: string
  2074. type: object
  2075. type: object
  2076. authType:
  2077. default: ServicePrincipal
  2078. description: |-
  2079. Auth type defines how to authenticate to the keyvault service.
  2080. Valid values are:
  2081. - "ServicePrincipal" (default): Using a service principal (tenantId, clientId, clientSecret)
  2082. - "ManagedIdentity": Using Managed Identity assigned to the pod (see aad-pod-identity)
  2083. enum:
  2084. - ServicePrincipal
  2085. - ManagedIdentity
  2086. - WorkloadIdentity
  2087. type: string
  2088. environmentType:
  2089. default: PublicCloud
  2090. description: |-
  2091. EnvironmentType specifies the Azure cloud environment endpoints to use for
  2092. connecting and authenticating with Azure. By default it points to the public cloud AAD endpoint.
  2093. The following endpoints are available, also see here: https://github.com/Azure/go-autorest/blob/main/autorest/azure/environments.go#L152
  2094. PublicCloud, USGovernmentCloud, ChinaCloud, GermanCloud
  2095. enum:
  2096. - PublicCloud
  2097. - USGovernmentCloud
  2098. - ChinaCloud
  2099. - GermanCloud
  2100. type: string
  2101. identityId:
  2102. description: If multiple Managed Identity is assigned to the pod, you can select the one to be used
  2103. type: string
  2104. serviceAccountRef:
  2105. description: |-
  2106. ServiceAccountRef specified the service account
  2107. that should be used when authenticating with WorkloadIdentity.
  2108. properties:
  2109. audiences:
  2110. description: |-
  2111. Audience specifies the `aud` claim for the service account token
  2112. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2113. then this audiences will be appended to the list
  2114. items:
  2115. type: string
  2116. type: array
  2117. name:
  2118. description: The name of the ServiceAccount resource being referred to.
  2119. type: string
  2120. namespace:
  2121. description: |-
  2122. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2123. to the namespace of the referent.
  2124. type: string
  2125. required:
  2126. - name
  2127. type: object
  2128. tenantId:
  2129. description: TenantID configures the Azure Tenant to send requests to. Required for ServicePrincipal auth type. Optional for WorkloadIdentity.
  2130. type: string
  2131. vaultUrl:
  2132. description: Vault Url from which the secrets to be fetched from.
  2133. type: string
  2134. required:
  2135. - vaultUrl
  2136. type: object
  2137. chef:
  2138. description: Chef configures this store to sync secrets with chef server
  2139. properties:
  2140. auth:
  2141. description: Auth defines the information necessary to authenticate against chef Server
  2142. properties:
  2143. secretRef:
  2144. description: ChefAuthSecretRef holds secret references for chef server login credentials.
  2145. properties:
  2146. privateKeySecretRef:
  2147. description: SecretKey is the Signing Key in PEM format, used for authentication.
  2148. properties:
  2149. key:
  2150. description: |-
  2151. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2152. defaulted, in others it may be required.
  2153. type: string
  2154. name:
  2155. description: The name of the Secret resource being referred to.
  2156. type: string
  2157. namespace:
  2158. description: |-
  2159. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2160. to the namespace of the referent.
  2161. type: string
  2162. type: object
  2163. required:
  2164. - privateKeySecretRef
  2165. type: object
  2166. required:
  2167. - secretRef
  2168. type: object
  2169. serverUrl:
  2170. description: ServerURL is the chef server URL used to connect to. If using orgs you should include your org in the url and terminate the url with a "/"
  2171. type: string
  2172. username:
  2173. description: UserName should be the user ID on the chef server
  2174. type: string
  2175. required:
  2176. - auth
  2177. - serverUrl
  2178. - username
  2179. type: object
  2180. conjur:
  2181. description: Conjur configures this store to sync secrets using conjur provider
  2182. properties:
  2183. auth:
  2184. properties:
  2185. apikey:
  2186. properties:
  2187. account:
  2188. type: string
  2189. apiKeyRef:
  2190. description: |-
  2191. A reference to a specific 'key' within a Secret resource,
  2192. In some instances, `key` is a required field.
  2193. properties:
  2194. key:
  2195. description: |-
  2196. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2197. defaulted, in others it may be required.
  2198. type: string
  2199. name:
  2200. description: The name of the Secret resource being referred to.
  2201. type: string
  2202. namespace:
  2203. description: |-
  2204. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2205. to the namespace of the referent.
  2206. type: string
  2207. type: object
  2208. userRef:
  2209. description: |-
  2210. A reference to a specific 'key' within a Secret resource,
  2211. In some instances, `key` is a required field.
  2212. properties:
  2213. key:
  2214. description: |-
  2215. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2216. defaulted, in others it may be required.
  2217. type: string
  2218. name:
  2219. description: The name of the Secret resource being referred to.
  2220. type: string
  2221. namespace:
  2222. description: |-
  2223. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2224. to the namespace of the referent.
  2225. type: string
  2226. type: object
  2227. required:
  2228. - account
  2229. - apiKeyRef
  2230. - userRef
  2231. type: object
  2232. jwt:
  2233. properties:
  2234. account:
  2235. type: string
  2236. hostId:
  2237. description: |-
  2238. Optional HostID for JWT authentication. This may be used depending
  2239. on how the Conjur JWT authenticator policy is configured.
  2240. type: string
  2241. secretRef:
  2242. description: |-
  2243. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  2244. authenticate with Conjur using the JWT authentication method.
  2245. properties:
  2246. key:
  2247. description: |-
  2248. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2249. defaulted, in others it may be required.
  2250. type: string
  2251. name:
  2252. description: The name of the Secret resource being referred to.
  2253. type: string
  2254. namespace:
  2255. description: |-
  2256. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2257. to the namespace of the referent.
  2258. type: string
  2259. type: object
  2260. serviceAccountRef:
  2261. description: |-
  2262. Optional ServiceAccountRef specifies the Kubernetes service account for which to request
  2263. a token for with the `TokenRequest` API.
  2264. properties:
  2265. audiences:
  2266. description: |-
  2267. Audience specifies the `aud` claim for the service account token
  2268. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2269. then this audiences will be appended to the list
  2270. items:
  2271. type: string
  2272. type: array
  2273. name:
  2274. description: The name of the ServiceAccount resource being referred to.
  2275. type: string
  2276. namespace:
  2277. description: |-
  2278. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2279. to the namespace of the referent.
  2280. type: string
  2281. required:
  2282. - name
  2283. type: object
  2284. serviceID:
  2285. description: The conjur authn jwt webservice id
  2286. type: string
  2287. required:
  2288. - account
  2289. - serviceID
  2290. type: object
  2291. type: object
  2292. caBundle:
  2293. type: string
  2294. caProvider:
  2295. description: |-
  2296. Used to provide custom certificate authority (CA) certificates
  2297. for a secret store. The CAProvider points to a Secret or ConfigMap resource
  2298. that contains a PEM-encoded certificate.
  2299. properties:
  2300. key:
  2301. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2302. type: string
  2303. name:
  2304. description: The name of the object located at the provider type.
  2305. type: string
  2306. namespace:
  2307. description: |-
  2308. The namespace the Provider type is in.
  2309. Can only be defined when used in a ClusterSecretStore.
  2310. type: string
  2311. type:
  2312. description: The type of provider to use such as "Secret", or "ConfigMap".
  2313. enum:
  2314. - Secret
  2315. - ConfigMap
  2316. type: string
  2317. required:
  2318. - name
  2319. - type
  2320. type: object
  2321. url:
  2322. type: string
  2323. required:
  2324. - auth
  2325. - url
  2326. type: object
  2327. delinea:
  2328. description: |-
  2329. Delinea DevOps Secrets Vault
  2330. https://docs.delinea.com/online-help/products/devops-secrets-vault/current
  2331. properties:
  2332. clientId:
  2333. description: ClientID is the non-secret part of the credential.
  2334. properties:
  2335. secretRef:
  2336. description: SecretRef references a key in a secret that will be used as value.
  2337. properties:
  2338. key:
  2339. description: |-
  2340. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2341. defaulted, in others it may be required.
  2342. type: string
  2343. name:
  2344. description: The name of the Secret resource being referred to.
  2345. type: string
  2346. namespace:
  2347. description: |-
  2348. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2349. to the namespace of the referent.
  2350. type: string
  2351. type: object
  2352. value:
  2353. description: Value can be specified directly to set a value without using a secret.
  2354. type: string
  2355. type: object
  2356. clientSecret:
  2357. description: ClientSecret is the secret part of the credential.
  2358. properties:
  2359. secretRef:
  2360. description: SecretRef references a key in a secret that will be used as value.
  2361. properties:
  2362. key:
  2363. description: |-
  2364. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2365. defaulted, in others it may be required.
  2366. type: string
  2367. name:
  2368. description: The name of the Secret resource being referred to.
  2369. type: string
  2370. namespace:
  2371. description: |-
  2372. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2373. to the namespace of the referent.
  2374. type: string
  2375. type: object
  2376. value:
  2377. description: Value can be specified directly to set a value without using a secret.
  2378. type: string
  2379. type: object
  2380. tenant:
  2381. description: Tenant is the chosen hostname / site name.
  2382. type: string
  2383. tld:
  2384. description: |-
  2385. TLD is based on the server location that was chosen during provisioning.
  2386. If unset, defaults to "com".
  2387. type: string
  2388. urlTemplate:
  2389. description: |-
  2390. URLTemplate
  2391. If unset, defaults to "https://%s.secretsvaultcloud.%s/v1/%s%s".
  2392. type: string
  2393. required:
  2394. - clientId
  2395. - clientSecret
  2396. - tenant
  2397. type: object
  2398. doppler:
  2399. description: Doppler configures this store to sync secrets using the Doppler provider
  2400. properties:
  2401. auth:
  2402. description: Auth configures how the Operator authenticates with the Doppler API
  2403. properties:
  2404. secretRef:
  2405. properties:
  2406. dopplerToken:
  2407. description: |-
  2408. The DopplerToken is used for authentication.
  2409. See https://docs.doppler.com/reference/api#authentication for auth token types.
  2410. The Key attribute defaults to dopplerToken if not specified.
  2411. properties:
  2412. key:
  2413. description: |-
  2414. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2415. defaulted, in others it may be required.
  2416. type: string
  2417. name:
  2418. description: The name of the Secret resource being referred to.
  2419. type: string
  2420. namespace:
  2421. description: |-
  2422. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2423. to the namespace of the referent.
  2424. type: string
  2425. type: object
  2426. required:
  2427. - dopplerToken
  2428. type: object
  2429. required:
  2430. - secretRef
  2431. type: object
  2432. config:
  2433. description: Doppler config (required if not using a Service Token)
  2434. type: string
  2435. format:
  2436. description: Format enables the downloading of secrets as a file (string)
  2437. enum:
  2438. - json
  2439. - dotnet-json
  2440. - env
  2441. - yaml
  2442. - docker
  2443. type: string
  2444. nameTransformer:
  2445. description: Environment variable compatible name transforms that change secret names to a different format
  2446. enum:
  2447. - upper-camel
  2448. - camel
  2449. - lower-snake
  2450. - tf-var
  2451. - dotnet-env
  2452. - lower-kebab
  2453. type: string
  2454. project:
  2455. description: Doppler project (required if not using a Service Token)
  2456. type: string
  2457. required:
  2458. - auth
  2459. type: object
  2460. fake:
  2461. description: Fake configures a store with static key/value pairs
  2462. properties:
  2463. data:
  2464. items:
  2465. properties:
  2466. key:
  2467. type: string
  2468. value:
  2469. type: string
  2470. valueMap:
  2471. additionalProperties:
  2472. type: string
  2473. description: 'Deprecated: ValueMap is deprecated and is intended to be removed in the future, use the `value` field instead.'
  2474. type: object
  2475. version:
  2476. type: string
  2477. required:
  2478. - key
  2479. type: object
  2480. type: array
  2481. required:
  2482. - data
  2483. type: object
  2484. fortanix:
  2485. description: Fortanix configures this store to sync secrets using the Fortanix provider
  2486. properties:
  2487. apiKey:
  2488. description: APIKey is the API token to access SDKMS Applications.
  2489. properties:
  2490. secretRef:
  2491. description: SecretRef is a reference to a secret containing the SDKMS API Key.
  2492. properties:
  2493. key:
  2494. description: |-
  2495. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2496. defaulted, in others it may be required.
  2497. type: string
  2498. name:
  2499. description: The name of the Secret resource being referred to.
  2500. type: string
  2501. namespace:
  2502. description: |-
  2503. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2504. to the namespace of the referent.
  2505. type: string
  2506. type: object
  2507. type: object
  2508. apiUrl:
  2509. description: APIURL is the URL of SDKMS API. Defaults to `sdkms.fortanix.com`.
  2510. type: string
  2511. type: object
  2512. gcpsm:
  2513. description: GCPSM configures this store to sync secrets using Google Cloud Platform Secret Manager provider
  2514. properties:
  2515. auth:
  2516. description: Auth defines the information necessary to authenticate against GCP
  2517. properties:
  2518. secretRef:
  2519. properties:
  2520. secretAccessKeySecretRef:
  2521. description: The SecretAccessKey is used for authentication
  2522. properties:
  2523. key:
  2524. description: |-
  2525. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2526. defaulted, in others it may be required.
  2527. type: string
  2528. name:
  2529. description: The name of the Secret resource being referred to.
  2530. type: string
  2531. namespace:
  2532. description: |-
  2533. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2534. to the namespace of the referent.
  2535. type: string
  2536. type: object
  2537. type: object
  2538. workloadIdentity:
  2539. properties:
  2540. clusterLocation:
  2541. type: string
  2542. clusterName:
  2543. type: string
  2544. clusterProjectID:
  2545. type: string
  2546. serviceAccountRef:
  2547. description: A reference to a ServiceAccount resource.
  2548. properties:
  2549. audiences:
  2550. description: |-
  2551. Audience specifies the `aud` claim for the service account token
  2552. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2553. then this audiences will be appended to the list
  2554. items:
  2555. type: string
  2556. type: array
  2557. name:
  2558. description: The name of the ServiceAccount resource being referred to.
  2559. type: string
  2560. namespace:
  2561. description: |-
  2562. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2563. to the namespace of the referent.
  2564. type: string
  2565. required:
  2566. - name
  2567. type: object
  2568. required:
  2569. - clusterLocation
  2570. - clusterName
  2571. - serviceAccountRef
  2572. type: object
  2573. type: object
  2574. projectID:
  2575. description: ProjectID project where secret is located
  2576. type: string
  2577. type: object
  2578. gitlab:
  2579. description: GitLab configures this store to sync secrets using GitLab Variables provider
  2580. properties:
  2581. auth:
  2582. description: Auth configures how secret-manager authenticates with a GitLab instance.
  2583. properties:
  2584. SecretRef:
  2585. properties:
  2586. accessToken:
  2587. description: AccessToken is used for authentication.
  2588. properties:
  2589. key:
  2590. description: |-
  2591. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2592. defaulted, in others it may be required.
  2593. type: string
  2594. name:
  2595. description: The name of the Secret resource being referred to.
  2596. type: string
  2597. namespace:
  2598. description: |-
  2599. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2600. to the namespace of the referent.
  2601. type: string
  2602. type: object
  2603. type: object
  2604. required:
  2605. - SecretRef
  2606. type: object
  2607. environment:
  2608. description: Environment environment_scope of gitlab CI/CD variables (Please see https://docs.gitlab.com/ee/ci/environments/#create-a-static-environment on how to create environments)
  2609. type: string
  2610. groupIDs:
  2611. description: GroupIDs specify, which gitlab groups to pull secrets from. Group secrets are read from left to right followed by the project variables.
  2612. items:
  2613. type: string
  2614. type: array
  2615. inheritFromGroups:
  2616. description: InheritFromGroups specifies whether parent groups should be discovered and checked for secrets.
  2617. type: boolean
  2618. projectID:
  2619. description: ProjectID specifies a project where secrets are located.
  2620. type: string
  2621. url:
  2622. description: URL configures the GitLab instance URL. Defaults to https://gitlab.com/.
  2623. type: string
  2624. required:
  2625. - auth
  2626. type: object
  2627. ibm:
  2628. description: IBM configures this store to sync secrets using IBM Cloud provider
  2629. properties:
  2630. auth:
  2631. description: Auth configures how secret-manager authenticates with the IBM secrets manager.
  2632. maxProperties: 1
  2633. minProperties: 1
  2634. properties:
  2635. containerAuth:
  2636. description: IBM Container-based auth with IAM Trusted Profile.
  2637. properties:
  2638. iamEndpoint:
  2639. type: string
  2640. profile:
  2641. description: the IBM Trusted Profile
  2642. type: string
  2643. tokenLocation:
  2644. description: Location the token is mounted on the pod
  2645. type: string
  2646. required:
  2647. - profile
  2648. type: object
  2649. secretRef:
  2650. properties:
  2651. secretApiKeySecretRef:
  2652. description: The SecretAccessKey is used for authentication
  2653. properties:
  2654. key:
  2655. description: |-
  2656. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2657. defaulted, in others it may be required.
  2658. type: string
  2659. name:
  2660. description: The name of the Secret resource being referred to.
  2661. type: string
  2662. namespace:
  2663. description: |-
  2664. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2665. to the namespace of the referent.
  2666. type: string
  2667. type: object
  2668. type: object
  2669. type: object
  2670. serviceUrl:
  2671. description: ServiceURL is the Endpoint URL that is specific to the Secrets Manager service instance
  2672. type: string
  2673. required:
  2674. - auth
  2675. type: object
  2676. keepersecurity:
  2677. description: KeeperSecurity configures this store to sync secrets using the KeeperSecurity provider
  2678. properties:
  2679. authRef:
  2680. description: |-
  2681. A reference to a specific 'key' within a Secret resource,
  2682. In some instances, `key` is a required field.
  2683. properties:
  2684. key:
  2685. description: |-
  2686. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2687. defaulted, in others it may be required.
  2688. type: string
  2689. name:
  2690. description: The name of the Secret resource being referred to.
  2691. type: string
  2692. namespace:
  2693. description: |-
  2694. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2695. to the namespace of the referent.
  2696. type: string
  2697. type: object
  2698. folderID:
  2699. type: string
  2700. required:
  2701. - authRef
  2702. - folderID
  2703. type: object
  2704. kubernetes:
  2705. description: Kubernetes configures this store to sync secrets using a Kubernetes cluster provider
  2706. properties:
  2707. auth:
  2708. description: Auth configures how secret-manager authenticates with a Kubernetes instance.
  2709. maxProperties: 1
  2710. minProperties: 1
  2711. properties:
  2712. cert:
  2713. description: has both clientCert and clientKey as secretKeySelector
  2714. properties:
  2715. clientCert:
  2716. description: |-
  2717. A reference to a specific 'key' within a Secret resource,
  2718. In some instances, `key` is a required field.
  2719. properties:
  2720. key:
  2721. description: |-
  2722. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2723. defaulted, in others it may be required.
  2724. type: string
  2725. name:
  2726. description: The name of the Secret resource being referred to.
  2727. type: string
  2728. namespace:
  2729. description: |-
  2730. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2731. to the namespace of the referent.
  2732. type: string
  2733. type: object
  2734. clientKey:
  2735. description: |-
  2736. A reference to a specific 'key' within a Secret resource,
  2737. In some instances, `key` is a required field.
  2738. properties:
  2739. key:
  2740. description: |-
  2741. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2742. defaulted, in others it may be required.
  2743. type: string
  2744. name:
  2745. description: The name of the Secret resource being referred to.
  2746. type: string
  2747. namespace:
  2748. description: |-
  2749. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2750. to the namespace of the referent.
  2751. type: string
  2752. type: object
  2753. type: object
  2754. serviceAccount:
  2755. description: points to a service account that should be used for authentication
  2756. properties:
  2757. audiences:
  2758. description: |-
  2759. Audience specifies the `aud` claim for the service account token
  2760. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  2761. then this audiences will be appended to the list
  2762. items:
  2763. type: string
  2764. type: array
  2765. name:
  2766. description: The name of the ServiceAccount resource being referred to.
  2767. type: string
  2768. namespace:
  2769. description: |-
  2770. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2771. to the namespace of the referent.
  2772. type: string
  2773. required:
  2774. - name
  2775. type: object
  2776. token:
  2777. description: use static token to authenticate with
  2778. properties:
  2779. bearerToken:
  2780. description: |-
  2781. A reference to a specific 'key' within a Secret resource,
  2782. In some instances, `key` is a required field.
  2783. properties:
  2784. key:
  2785. description: |-
  2786. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2787. defaulted, in others it may be required.
  2788. type: string
  2789. name:
  2790. description: The name of the Secret resource being referred to.
  2791. type: string
  2792. namespace:
  2793. description: |-
  2794. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2795. to the namespace of the referent.
  2796. type: string
  2797. type: object
  2798. type: object
  2799. type: object
  2800. remoteNamespace:
  2801. default: default
  2802. description: Remote namespace to fetch the secrets from
  2803. type: string
  2804. server:
  2805. description: configures the Kubernetes server Address.
  2806. properties:
  2807. caBundle:
  2808. description: CABundle is a base64-encoded CA certificate
  2809. format: byte
  2810. type: string
  2811. caProvider:
  2812. description: 'see: https://external-secrets.io/v0.4.1/spec/#external-secrets.io/v1alpha1.CAProvider'
  2813. properties:
  2814. key:
  2815. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  2816. type: string
  2817. name:
  2818. description: The name of the object located at the provider type.
  2819. type: string
  2820. namespace:
  2821. description: |-
  2822. The namespace the Provider type is in.
  2823. Can only be defined when used in a ClusterSecretStore.
  2824. type: string
  2825. type:
  2826. description: The type of provider to use such as "Secret", or "ConfigMap".
  2827. enum:
  2828. - Secret
  2829. - ConfigMap
  2830. type: string
  2831. required:
  2832. - name
  2833. - type
  2834. type: object
  2835. url:
  2836. default: kubernetes.default
  2837. description: configures the Kubernetes server Address.
  2838. type: string
  2839. type: object
  2840. required:
  2841. - auth
  2842. type: object
  2843. onboardbase:
  2844. description: Onboardbase configures this store to sync secrets using the Onboardbase provider
  2845. properties:
  2846. apiHost:
  2847. default: https://public.onboardbase.com/api/v1/
  2848. description: APIHost use this to configure the host url for the API for selfhosted installation, default is https://public.onboardbase.com/api/v1/
  2849. type: string
  2850. auth:
  2851. description: Auth configures how the Operator authenticates with the Onboardbase API
  2852. properties:
  2853. apiKeyRef:
  2854. description: |-
  2855. OnboardbaseAPIKey is the APIKey generated by an admin account.
  2856. It is used to recognize and authorize access to a project and environment within onboardbase
  2857. properties:
  2858. key:
  2859. description: |-
  2860. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2861. defaulted, in others it may be required.
  2862. type: string
  2863. name:
  2864. description: The name of the Secret resource being referred to.
  2865. type: string
  2866. namespace:
  2867. description: |-
  2868. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2869. to the namespace of the referent.
  2870. type: string
  2871. type: object
  2872. passcodeRef:
  2873. description: OnboardbasePasscode is the passcode attached to the API Key
  2874. properties:
  2875. key:
  2876. description: |-
  2877. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2878. defaulted, in others it may be required.
  2879. type: string
  2880. name:
  2881. description: The name of the Secret resource being referred to.
  2882. type: string
  2883. namespace:
  2884. description: |-
  2885. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2886. to the namespace of the referent.
  2887. type: string
  2888. type: object
  2889. required:
  2890. - apiKeyRef
  2891. - passcodeRef
  2892. type: object
  2893. environment:
  2894. default: development
  2895. description: Environment is the name of an environmnent within a project to pull the secrets from
  2896. type: string
  2897. project:
  2898. default: development
  2899. description: Project is an onboardbase project that the secrets should be pulled from
  2900. type: string
  2901. required:
  2902. - apiHost
  2903. - auth
  2904. - environment
  2905. - project
  2906. type: object
  2907. onepassword:
  2908. description: OnePassword configures this store to sync secrets using the 1Password Cloud provider
  2909. properties:
  2910. auth:
  2911. description: Auth defines the information necessary to authenticate against OnePassword Connect Server
  2912. properties:
  2913. secretRef:
  2914. description: OnePasswordAuthSecretRef holds secret references for 1Password credentials.
  2915. properties:
  2916. connectTokenSecretRef:
  2917. description: The ConnectToken is used for authentication to a 1Password Connect Server.
  2918. properties:
  2919. key:
  2920. description: |-
  2921. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2922. defaulted, in others it may be required.
  2923. type: string
  2924. name:
  2925. description: The name of the Secret resource being referred to.
  2926. type: string
  2927. namespace:
  2928. description: |-
  2929. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2930. to the namespace of the referent.
  2931. type: string
  2932. type: object
  2933. required:
  2934. - connectTokenSecretRef
  2935. type: object
  2936. required:
  2937. - secretRef
  2938. type: object
  2939. connectHost:
  2940. description: ConnectHost defines the OnePassword Connect Server to connect to
  2941. type: string
  2942. vaults:
  2943. additionalProperties:
  2944. type: integer
  2945. description: Vaults defines which OnePassword vaults to search in which order
  2946. type: object
  2947. required:
  2948. - auth
  2949. - connectHost
  2950. - vaults
  2951. type: object
  2952. oracle:
  2953. description: Oracle configures this store to sync secrets using Oracle Vault provider
  2954. properties:
  2955. auth:
  2956. description: |-
  2957. Auth configures how secret-manager authenticates with the Oracle Vault.
  2958. If empty, use the instance principal, otherwise the user credentials specified in Auth.
  2959. properties:
  2960. secretRef:
  2961. description: SecretRef to pass through sensitive information.
  2962. properties:
  2963. fingerprint:
  2964. description: Fingerprint is the fingerprint of the API private key.
  2965. properties:
  2966. key:
  2967. description: |-
  2968. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2969. defaulted, in others it may be required.
  2970. type: string
  2971. name:
  2972. description: The name of the Secret resource being referred to.
  2973. type: string
  2974. namespace:
  2975. description: |-
  2976. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2977. to the namespace of the referent.
  2978. type: string
  2979. type: object
  2980. privatekey:
  2981. description: PrivateKey is the user's API Signing Key in PEM format, used for authentication.
  2982. properties:
  2983. key:
  2984. description: |-
  2985. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  2986. defaulted, in others it may be required.
  2987. type: string
  2988. name:
  2989. description: The name of the Secret resource being referred to.
  2990. type: string
  2991. namespace:
  2992. description: |-
  2993. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  2994. to the namespace of the referent.
  2995. type: string
  2996. type: object
  2997. required:
  2998. - fingerprint
  2999. - privatekey
  3000. type: object
  3001. tenancy:
  3002. description: Tenancy is the tenancy OCID where user is located.
  3003. type: string
  3004. user:
  3005. description: User is an access OCID specific to the account.
  3006. type: string
  3007. required:
  3008. - secretRef
  3009. - tenancy
  3010. - user
  3011. type: object
  3012. compartment:
  3013. description: |-
  3014. Compartment is the vault compartment OCID.
  3015. Required for PushSecret
  3016. type: string
  3017. encryptionKey:
  3018. description: |-
  3019. EncryptionKey is the OCID of the encryption key within the vault.
  3020. Required for PushSecret
  3021. type: string
  3022. principalType:
  3023. description: |-
  3024. The type of principal to use for authentication. If left blank, the Auth struct will
  3025. determine the principal type. This optional field must be specified if using
  3026. workload identity.
  3027. enum:
  3028. - ""
  3029. - UserPrincipal
  3030. - InstancePrincipal
  3031. - Workload
  3032. type: string
  3033. region:
  3034. description: Region is the region where vault is located.
  3035. type: string
  3036. serviceAccountRef:
  3037. description: |-
  3038. ServiceAccountRef specified the service account
  3039. that should be used when authenticating with WorkloadIdentity.
  3040. properties:
  3041. audiences:
  3042. description: |-
  3043. Audience specifies the `aud` claim for the service account token
  3044. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3045. then this audiences will be appended to the list
  3046. items:
  3047. type: string
  3048. type: array
  3049. name:
  3050. description: The name of the ServiceAccount resource being referred to.
  3051. type: string
  3052. namespace:
  3053. description: |-
  3054. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3055. to the namespace of the referent.
  3056. type: string
  3057. required:
  3058. - name
  3059. type: object
  3060. vault:
  3061. description: Vault is the vault's OCID of the specific vault where secret is located.
  3062. type: string
  3063. required:
  3064. - region
  3065. - vault
  3066. type: object
  3067. passbolt:
  3068. properties:
  3069. auth:
  3070. description: Auth defines the information necessary to authenticate against Passbolt Server
  3071. properties:
  3072. passwordSecretRef:
  3073. description: |-
  3074. A reference to a specific 'key' within a Secret resource,
  3075. In some instances, `key` is a required field.
  3076. properties:
  3077. key:
  3078. description: |-
  3079. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3080. defaulted, in others it may be required.
  3081. type: string
  3082. name:
  3083. description: The name of the Secret resource being referred to.
  3084. type: string
  3085. namespace:
  3086. description: |-
  3087. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3088. to the namespace of the referent.
  3089. type: string
  3090. type: object
  3091. privateKeySecretRef:
  3092. description: |-
  3093. A reference to a specific 'key' within a Secret resource,
  3094. In some instances, `key` is a required field.
  3095. properties:
  3096. key:
  3097. description: |-
  3098. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3099. defaulted, in others it may be required.
  3100. type: string
  3101. name:
  3102. description: The name of the Secret resource being referred to.
  3103. type: string
  3104. namespace:
  3105. description: |-
  3106. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3107. to the namespace of the referent.
  3108. type: string
  3109. type: object
  3110. required:
  3111. - passwordSecretRef
  3112. - privateKeySecretRef
  3113. type: object
  3114. host:
  3115. description: Host defines the Passbolt Server to connect to
  3116. type: string
  3117. required:
  3118. - auth
  3119. - host
  3120. type: object
  3121. passworddepot:
  3122. description: Configures a store to sync secrets with a Password Depot instance.
  3123. properties:
  3124. auth:
  3125. description: Auth configures how secret-manager authenticates with a Password Depot instance.
  3126. properties:
  3127. secretRef:
  3128. properties:
  3129. credentials:
  3130. description: Username / Password is used for authentication.
  3131. properties:
  3132. key:
  3133. description: |-
  3134. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3135. defaulted, in others it may be required.
  3136. type: string
  3137. name:
  3138. description: The name of the Secret resource being referred to.
  3139. type: string
  3140. namespace:
  3141. description: |-
  3142. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3143. to the namespace of the referent.
  3144. type: string
  3145. type: object
  3146. type: object
  3147. required:
  3148. - secretRef
  3149. type: object
  3150. database:
  3151. description: Database to use as source
  3152. type: string
  3153. host:
  3154. description: URL configures the Password Depot instance URL.
  3155. type: string
  3156. required:
  3157. - auth
  3158. - database
  3159. - host
  3160. type: object
  3161. pulumi:
  3162. description: Pulumi configures this store to sync secrets using the Pulumi provider
  3163. properties:
  3164. accessToken:
  3165. description: AccessToken is the access tokens to sign in to the Pulumi Cloud Console.
  3166. properties:
  3167. secretRef:
  3168. description: SecretRef is a reference to a secret containing the Pulumi API token.
  3169. properties:
  3170. key:
  3171. description: |-
  3172. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3173. defaulted, in others it may be required.
  3174. type: string
  3175. name:
  3176. description: The name of the Secret resource being referred to.
  3177. type: string
  3178. namespace:
  3179. description: |-
  3180. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3181. to the namespace of the referent.
  3182. type: string
  3183. type: object
  3184. type: object
  3185. apiUrl:
  3186. default: https://api.pulumi.com
  3187. description: APIURL is the URL of the Pulumi API.
  3188. type: string
  3189. environment:
  3190. description: |-
  3191. Environment are YAML documents composed of static key-value pairs, programmatic expressions,
  3192. dynamically retrieved values from supported providers including all major clouds,
  3193. and other Pulumi ESC environments.
  3194. To create a new environment, visit https://www.pulumi.com/docs/esc/environments/ for more information.
  3195. type: string
  3196. organization:
  3197. description: |-
  3198. Organization are a space to collaborate on shared projects and stacks.
  3199. To create a new organization, visit https://app.pulumi.com/ and click "New Organization".
  3200. type: string
  3201. required:
  3202. - accessToken
  3203. - environment
  3204. - organization
  3205. type: object
  3206. scaleway:
  3207. description: Scaleway
  3208. properties:
  3209. accessKey:
  3210. description: AccessKey is the non-secret part of the api key.
  3211. properties:
  3212. secretRef:
  3213. description: SecretRef references a key in a secret that will be used as value.
  3214. properties:
  3215. key:
  3216. description: |-
  3217. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3218. defaulted, in others it may be required.
  3219. type: string
  3220. name:
  3221. description: The name of the Secret resource being referred to.
  3222. type: string
  3223. namespace:
  3224. description: |-
  3225. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3226. to the namespace of the referent.
  3227. type: string
  3228. type: object
  3229. value:
  3230. description: Value can be specified directly to set a value without using a secret.
  3231. type: string
  3232. type: object
  3233. apiUrl:
  3234. description: APIURL is the url of the api to use. Defaults to https://api.scaleway.com
  3235. type: string
  3236. projectId:
  3237. description: 'ProjectID is the id of your project, which you can find in the console: https://console.scaleway.com/project/settings'
  3238. type: string
  3239. region:
  3240. description: 'Region where your secrets are located: https://developers.scaleway.com/en/quickstart/#region-and-zone'
  3241. type: string
  3242. secretKey:
  3243. description: SecretKey is the non-secret part of the api key.
  3244. properties:
  3245. secretRef:
  3246. description: SecretRef references a key in a secret that will be used as value.
  3247. properties:
  3248. key:
  3249. description: |-
  3250. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3251. defaulted, in others it may be required.
  3252. type: string
  3253. name:
  3254. description: The name of the Secret resource being referred to.
  3255. type: string
  3256. namespace:
  3257. description: |-
  3258. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3259. to the namespace of the referent.
  3260. type: string
  3261. type: object
  3262. value:
  3263. description: Value can be specified directly to set a value without using a secret.
  3264. type: string
  3265. type: object
  3266. required:
  3267. - accessKey
  3268. - projectId
  3269. - region
  3270. - secretKey
  3271. type: object
  3272. senhasegura:
  3273. description: Senhasegura configures this store to sync secrets using senhasegura provider
  3274. properties:
  3275. auth:
  3276. description: Auth defines parameters to authenticate in senhasegura
  3277. properties:
  3278. clientId:
  3279. type: string
  3280. clientSecretSecretRef:
  3281. description: |-
  3282. A reference to a specific 'key' within a Secret resource,
  3283. In some instances, `key` is a required field.
  3284. properties:
  3285. key:
  3286. description: |-
  3287. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3288. defaulted, in others it may be required.
  3289. type: string
  3290. name:
  3291. description: The name of the Secret resource being referred to.
  3292. type: string
  3293. namespace:
  3294. description: |-
  3295. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3296. to the namespace of the referent.
  3297. type: string
  3298. type: object
  3299. required:
  3300. - clientId
  3301. - clientSecretSecretRef
  3302. type: object
  3303. ignoreSslCertificate:
  3304. default: false
  3305. description: IgnoreSslCertificate defines if SSL certificate must be ignored
  3306. type: boolean
  3307. module:
  3308. description: Module defines which senhasegura module should be used to get secrets
  3309. type: string
  3310. url:
  3311. description: URL of senhasegura
  3312. type: string
  3313. required:
  3314. - auth
  3315. - module
  3316. - url
  3317. type: object
  3318. vault:
  3319. description: Vault configures this store to sync secrets using Hashi provider
  3320. properties:
  3321. auth:
  3322. description: Auth configures how secret-manager authenticates with the Vault server.
  3323. properties:
  3324. appRole:
  3325. description: |-
  3326. AppRole authenticates with Vault using the App Role auth mechanism,
  3327. with the role and secret stored in a Kubernetes Secret resource.
  3328. properties:
  3329. path:
  3330. default: approle
  3331. description: |-
  3332. Path where the App Role authentication backend is mounted
  3333. in Vault, e.g: "approle"
  3334. type: string
  3335. roleId:
  3336. description: |-
  3337. RoleID configured in the App Role authentication backend when setting
  3338. up the authentication backend in Vault.
  3339. type: string
  3340. roleRef:
  3341. description: |-
  3342. Reference to a key in a Secret that contains the App Role ID used
  3343. to authenticate with Vault.
  3344. The `key` field must be specified and denotes which entry within the Secret
  3345. resource is used as the app role id.
  3346. properties:
  3347. key:
  3348. description: |-
  3349. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3350. defaulted, in others it may be required.
  3351. type: string
  3352. name:
  3353. description: The name of the Secret resource being referred to.
  3354. type: string
  3355. namespace:
  3356. description: |-
  3357. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3358. to the namespace of the referent.
  3359. type: string
  3360. type: object
  3361. secretRef:
  3362. description: |-
  3363. Reference to a key in a Secret that contains the App Role secret used
  3364. to authenticate with Vault.
  3365. The `key` field must be specified and denotes which entry within the Secret
  3366. resource is used as the app role secret.
  3367. properties:
  3368. key:
  3369. description: |-
  3370. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3371. defaulted, in others it may be required.
  3372. type: string
  3373. name:
  3374. description: The name of the Secret resource being referred to.
  3375. type: string
  3376. namespace:
  3377. description: |-
  3378. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3379. to the namespace of the referent.
  3380. type: string
  3381. type: object
  3382. required:
  3383. - path
  3384. - secretRef
  3385. type: object
  3386. cert:
  3387. description: |-
  3388. Cert authenticates with TLS Certificates by passing client certificate, private key and ca certificate
  3389. Cert authentication method
  3390. properties:
  3391. clientCert:
  3392. description: |-
  3393. ClientCert is a certificate to authenticate using the Cert Vault
  3394. authentication method
  3395. properties:
  3396. key:
  3397. description: |-
  3398. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3399. defaulted, in others it may be required.
  3400. type: string
  3401. name:
  3402. description: The name of the Secret resource being referred to.
  3403. type: string
  3404. namespace:
  3405. description: |-
  3406. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3407. to the namespace of the referent.
  3408. type: string
  3409. type: object
  3410. secretRef:
  3411. description: |-
  3412. SecretRef to a key in a Secret resource containing client private key to
  3413. authenticate with Vault using the Cert authentication method
  3414. properties:
  3415. key:
  3416. description: |-
  3417. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3418. defaulted, in others it may be required.
  3419. type: string
  3420. name:
  3421. description: The name of the Secret resource being referred to.
  3422. type: string
  3423. namespace:
  3424. description: |-
  3425. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3426. to the namespace of the referent.
  3427. type: string
  3428. type: object
  3429. type: object
  3430. iam:
  3431. description: |-
  3432. Iam authenticates with vault by passing a special AWS request signed with AWS IAM credentials
  3433. AWS IAM authentication method
  3434. properties:
  3435. externalID:
  3436. description: AWS External ID set on assumed IAM roles
  3437. type: string
  3438. jwt:
  3439. description: Specify a service account with IRSA enabled
  3440. properties:
  3441. serviceAccountRef:
  3442. description: A reference to a ServiceAccount resource.
  3443. properties:
  3444. audiences:
  3445. description: |-
  3446. Audience specifies the `aud` claim for the service account token
  3447. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3448. then this audiences will be appended to the list
  3449. items:
  3450. type: string
  3451. type: array
  3452. name:
  3453. description: The name of the ServiceAccount resource being referred to.
  3454. type: string
  3455. namespace:
  3456. description: |-
  3457. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3458. to the namespace of the referent.
  3459. type: string
  3460. required:
  3461. - name
  3462. type: object
  3463. type: object
  3464. path:
  3465. description: 'Path where the AWS auth method is enabled in Vault, e.g: "aws"'
  3466. type: string
  3467. region:
  3468. description: AWS region
  3469. type: string
  3470. role:
  3471. description: This is the AWS role to be assumed before talking to vault
  3472. type: string
  3473. secretRef:
  3474. description: Specify credentials in a Secret object
  3475. properties:
  3476. accessKeyIDSecretRef:
  3477. description: The AccessKeyID is used for authentication
  3478. properties:
  3479. key:
  3480. description: |-
  3481. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3482. defaulted, in others it may be required.
  3483. type: string
  3484. name:
  3485. description: The name of the Secret resource being referred to.
  3486. type: string
  3487. namespace:
  3488. description: |-
  3489. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3490. to the namespace of the referent.
  3491. type: string
  3492. type: object
  3493. secretAccessKeySecretRef:
  3494. description: The SecretAccessKey is used for authentication
  3495. properties:
  3496. key:
  3497. description: |-
  3498. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3499. defaulted, in others it may be required.
  3500. type: string
  3501. name:
  3502. description: The name of the Secret resource being referred to.
  3503. type: string
  3504. namespace:
  3505. description: |-
  3506. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3507. to the namespace of the referent.
  3508. type: string
  3509. type: object
  3510. sessionTokenSecretRef:
  3511. description: |-
  3512. The SessionToken used for authentication
  3513. This must be defined if AccessKeyID and SecretAccessKey are temporary credentials
  3514. see: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
  3515. properties:
  3516. key:
  3517. description: |-
  3518. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3519. defaulted, in others it may be required.
  3520. type: string
  3521. name:
  3522. description: The name of the Secret resource being referred to.
  3523. type: string
  3524. namespace:
  3525. description: |-
  3526. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3527. to the namespace of the referent.
  3528. type: string
  3529. type: object
  3530. type: object
  3531. vaultAwsIamServerID:
  3532. description: 'X-Vault-AWS-IAM-Server-ID is an additional header used by Vault IAM auth method to mitigate against different types of replay attacks. More details here: https://developer.hashicorp.com/vault/docs/auth/aws'
  3533. type: string
  3534. vaultRole:
  3535. description: Vault Role. In vault, a role describes an identity with a set of permissions, groups, or policies you want to attach a user of the secrets engine
  3536. type: string
  3537. required:
  3538. - vaultRole
  3539. type: object
  3540. jwt:
  3541. description: |-
  3542. Jwt authenticates with Vault by passing role and JWT token using the
  3543. JWT/OIDC authentication method
  3544. properties:
  3545. kubernetesServiceAccountToken:
  3546. description: |-
  3547. Optional ServiceAccountToken specifies the Kubernetes service account for which to request
  3548. a token for with the `TokenRequest` API.
  3549. properties:
  3550. audiences:
  3551. description: |-
  3552. Optional audiences field that will be used to request a temporary Kubernetes service
  3553. account token for the service account referenced by `serviceAccountRef`.
  3554. Defaults to a single audience `vault` it not specified.
  3555. Deprecated: use serviceAccountRef.Audiences instead
  3556. items:
  3557. type: string
  3558. type: array
  3559. expirationSeconds:
  3560. description: |-
  3561. Optional expiration time in seconds that will be used to request a temporary
  3562. Kubernetes service account token for the service account referenced by
  3563. `serviceAccountRef`.
  3564. Deprecated: this will be removed in the future.
  3565. Defaults to 10 minutes.
  3566. format: int64
  3567. type: integer
  3568. serviceAccountRef:
  3569. description: Service account field containing the name of a kubernetes ServiceAccount.
  3570. properties:
  3571. audiences:
  3572. description: |-
  3573. Audience specifies the `aud` claim for the service account token
  3574. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3575. then this audiences will be appended to the list
  3576. items:
  3577. type: string
  3578. type: array
  3579. name:
  3580. description: The name of the ServiceAccount resource being referred to.
  3581. type: string
  3582. namespace:
  3583. description: |-
  3584. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3585. to the namespace of the referent.
  3586. type: string
  3587. required:
  3588. - name
  3589. type: object
  3590. required:
  3591. - serviceAccountRef
  3592. type: object
  3593. path:
  3594. default: jwt
  3595. description: |-
  3596. Path where the JWT authentication backend is mounted
  3597. in Vault, e.g: "jwt"
  3598. type: string
  3599. role:
  3600. description: |-
  3601. Role is a JWT role to authenticate using the JWT/OIDC Vault
  3602. authentication method
  3603. type: string
  3604. secretRef:
  3605. description: |-
  3606. Optional SecretRef that refers to a key in a Secret resource containing JWT token to
  3607. authenticate with Vault using the JWT/OIDC authentication method.
  3608. properties:
  3609. key:
  3610. description: |-
  3611. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3612. defaulted, in others it may be required.
  3613. type: string
  3614. name:
  3615. description: The name of the Secret resource being referred to.
  3616. type: string
  3617. namespace:
  3618. description: |-
  3619. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3620. to the namespace of the referent.
  3621. type: string
  3622. type: object
  3623. required:
  3624. - path
  3625. type: object
  3626. kubernetes:
  3627. description: |-
  3628. Kubernetes authenticates with Vault by passing the ServiceAccount
  3629. token stored in the named Secret resource to the Vault server.
  3630. properties:
  3631. mountPath:
  3632. default: kubernetes
  3633. description: |-
  3634. Path where the Kubernetes authentication backend is mounted in Vault, e.g:
  3635. "kubernetes"
  3636. type: string
  3637. role:
  3638. description: |-
  3639. A required field containing the Vault Role to assume. A Role binds a
  3640. Kubernetes ServiceAccount with a set of Vault policies.
  3641. type: string
  3642. secretRef:
  3643. description: |-
  3644. Optional secret field containing a Kubernetes ServiceAccount JWT used
  3645. for authenticating with Vault. If a name is specified without a key,
  3646. `token` is the default. If one is not specified, the one bound to
  3647. the controller will be used.
  3648. properties:
  3649. key:
  3650. description: |-
  3651. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3652. defaulted, in others it may be required.
  3653. type: string
  3654. name:
  3655. description: The name of the Secret resource being referred to.
  3656. type: string
  3657. namespace:
  3658. description: |-
  3659. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3660. to the namespace of the referent.
  3661. type: string
  3662. type: object
  3663. serviceAccountRef:
  3664. description: |-
  3665. Optional service account field containing the name of a kubernetes ServiceAccount.
  3666. If the service account is specified, the service account secret token JWT will be used
  3667. for authenticating with Vault. If the service account selector is not supplied,
  3668. the secretRef will be used instead.
  3669. properties:
  3670. audiences:
  3671. description: |-
  3672. Audience specifies the `aud` claim for the service account token
  3673. If the service account uses a well-known annotation for e.g. IRSA or GCP Workload Identity
  3674. then this audiences will be appended to the list
  3675. items:
  3676. type: string
  3677. type: array
  3678. name:
  3679. description: The name of the ServiceAccount resource being referred to.
  3680. type: string
  3681. namespace:
  3682. description: |-
  3683. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3684. to the namespace of the referent.
  3685. type: string
  3686. required:
  3687. - name
  3688. type: object
  3689. required:
  3690. - mountPath
  3691. - role
  3692. type: object
  3693. ldap:
  3694. description: |-
  3695. Ldap authenticates with Vault by passing username/password pair using
  3696. the LDAP authentication method
  3697. properties:
  3698. path:
  3699. default: ldap
  3700. description: |-
  3701. Path where the LDAP authentication backend is mounted
  3702. in Vault, e.g: "ldap"
  3703. type: string
  3704. secretRef:
  3705. description: |-
  3706. SecretRef to a key in a Secret resource containing password for the LDAP
  3707. user used to authenticate with Vault using the LDAP authentication
  3708. method
  3709. properties:
  3710. key:
  3711. description: |-
  3712. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3713. defaulted, in others it may be required.
  3714. type: string
  3715. name:
  3716. description: The name of the Secret resource being referred to.
  3717. type: string
  3718. namespace:
  3719. description: |-
  3720. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3721. to the namespace of the referent.
  3722. type: string
  3723. type: object
  3724. username:
  3725. description: |-
  3726. Username is a LDAP user name used to authenticate using the LDAP Vault
  3727. authentication method
  3728. type: string
  3729. required:
  3730. - path
  3731. - username
  3732. type: object
  3733. namespace:
  3734. description: |-
  3735. Name of the vault namespace to authenticate to. This can be different than the namespace your secret is in.
  3736. Namespaces is a set of features within Vault Enterprise that allows
  3737. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  3738. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  3739. This will default to Vault.Namespace field if set, or empty otherwise
  3740. type: string
  3741. tokenSecretRef:
  3742. description: TokenSecretRef authenticates with Vault by presenting a token.
  3743. properties:
  3744. key:
  3745. description: |-
  3746. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3747. defaulted, in others it may be required.
  3748. type: string
  3749. name:
  3750. description: The name of the Secret resource being referred to.
  3751. type: string
  3752. namespace:
  3753. description: |-
  3754. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3755. to the namespace of the referent.
  3756. type: string
  3757. type: object
  3758. userPass:
  3759. description: UserPass authenticates with Vault by passing username/password pair
  3760. properties:
  3761. path:
  3762. default: user
  3763. description: |-
  3764. Path where the UserPassword authentication backend is mounted
  3765. in Vault, e.g: "user"
  3766. type: string
  3767. secretRef:
  3768. description: |-
  3769. SecretRef to a key in a Secret resource containing password for the
  3770. user used to authenticate with Vault using the UserPass authentication
  3771. method
  3772. properties:
  3773. key:
  3774. description: |-
  3775. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3776. defaulted, in others it may be required.
  3777. type: string
  3778. name:
  3779. description: The name of the Secret resource being referred to.
  3780. type: string
  3781. namespace:
  3782. description: |-
  3783. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3784. to the namespace of the referent.
  3785. type: string
  3786. type: object
  3787. username:
  3788. description: |-
  3789. Username is a user name used to authenticate using the UserPass Vault
  3790. authentication method
  3791. type: string
  3792. required:
  3793. - path
  3794. - username
  3795. type: object
  3796. type: object
  3797. caBundle:
  3798. description: |-
  3799. PEM encoded CA bundle used to validate Vault server certificate. Only used
  3800. if the Server URL is using HTTPS protocol. This parameter is ignored for
  3801. plain HTTP protocol connection. If not set the system root certificates
  3802. are used to validate the TLS connection.
  3803. format: byte
  3804. type: string
  3805. caProvider:
  3806. description: The provider for the CA bundle to use to validate Vault server certificate.
  3807. properties:
  3808. key:
  3809. description: The key where the CA certificate can be found in the Secret or ConfigMap.
  3810. type: string
  3811. name:
  3812. description: The name of the object located at the provider type.
  3813. type: string
  3814. namespace:
  3815. description: |-
  3816. The namespace the Provider type is in.
  3817. Can only be defined when used in a ClusterSecretStore.
  3818. type: string
  3819. type:
  3820. description: The type of provider to use such as "Secret", or "ConfigMap".
  3821. enum:
  3822. - Secret
  3823. - ConfigMap
  3824. type: string
  3825. required:
  3826. - name
  3827. - type
  3828. type: object
  3829. forwardInconsistent:
  3830. description: |-
  3831. ForwardInconsistent tells Vault to forward read-after-write requests to the Vault
  3832. leader instead of simply retrying within a loop. This can increase performance if
  3833. the option is enabled serverside.
  3834. https://www.vaultproject.io/docs/configuration/replication#allow_forwarding_via_header
  3835. type: boolean
  3836. namespace:
  3837. description: |-
  3838. Name of the vault namespace. Namespaces is a set of features within Vault Enterprise that allows
  3839. Vault environments to support Secure Multi-tenancy. e.g: "ns1".
  3840. More about namespaces can be found here https://www.vaultproject.io/docs/enterprise/namespaces
  3841. type: string
  3842. path:
  3843. description: |-
  3844. Path is the mount path of the Vault KV backend endpoint, e.g:
  3845. "secret". The v2 KV secret engine version specific "/data" path suffix
  3846. for fetching secrets from Vault is optional and will be appended
  3847. if not present in specified path.
  3848. type: string
  3849. readYourWrites:
  3850. description: |-
  3851. ReadYourWrites ensures isolated read-after-write semantics by
  3852. providing discovered cluster replication states in each request.
  3853. More information about eventual consistency in Vault can be found here
  3854. https://www.vaultproject.io/docs/enterprise/consistency
  3855. type: boolean
  3856. server:
  3857. description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".'
  3858. type: string
  3859. tls:
  3860. description: |-
  3861. The configuration used for client side related TLS communication, when the Vault server
  3862. requires mutual authentication. Only used if the Server URL is using HTTPS protocol.
  3863. This parameter is ignored for plain HTTP protocol connection.
  3864. It's worth noting this configuration is different from the "TLS certificates auth method",
  3865. which is available under the `auth.cert` section.
  3866. properties:
  3867. certSecretRef:
  3868. description: |-
  3869. CertSecretRef is a certificate added to the transport layer
  3870. when communicating with the Vault server.
  3871. If no key for the Secret is specified, external-secret will default to 'tls.crt'.
  3872. properties:
  3873. key:
  3874. description: |-
  3875. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3876. defaulted, in others it may be required.
  3877. type: string
  3878. name:
  3879. description: The name of the Secret resource being referred to.
  3880. type: string
  3881. namespace:
  3882. description: |-
  3883. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3884. to the namespace of the referent.
  3885. type: string
  3886. type: object
  3887. keySecretRef:
  3888. description: |-
  3889. KeySecretRef to a key in a Secret resource containing client private key
  3890. added to the transport layer when communicating with the Vault server.
  3891. If no key for the Secret is specified, external-secret will default to 'tls.key'.
  3892. properties:
  3893. key:
  3894. description: |-
  3895. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3896. defaulted, in others it may be required.
  3897. type: string
  3898. name:
  3899. description: The name of the Secret resource being referred to.
  3900. type: string
  3901. namespace:
  3902. description: |-
  3903. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3904. to the namespace of the referent.
  3905. type: string
  3906. type: object
  3907. type: object
  3908. version:
  3909. default: v2
  3910. description: |-
  3911. Version is the Vault KV secret engine version. This can be either "v1" or
  3912. "v2". Version defaults to "v2".
  3913. enum:
  3914. - v1
  3915. - v2
  3916. type: string
  3917. required:
  3918. - auth
  3919. - server
  3920. type: object
  3921. webhook:
  3922. description: Webhook configures this store to sync secrets using a generic templated webhook
  3923. properties:
  3924. body:
  3925. description: Body
  3926. type: string
  3927. caBundle:
  3928. description: |-
  3929. PEM encoded CA bundle used to validate webhook server certificate. Only used
  3930. if the Server URL is using HTTPS protocol. This parameter is ignored for
  3931. plain HTTP protocol connection. If not set the system root certificates
  3932. are used to validate the TLS connection.
  3933. format: byte
  3934. type: string
  3935. caProvider:
  3936. description: The provider for the CA bundle to use to validate webhook server certificate.
  3937. properties:
  3938. key:
  3939. description: The key the value inside of the provider type to use, only used with "Secret" type
  3940. type: string
  3941. name:
  3942. description: The name of the object located at the provider type.
  3943. type: string
  3944. namespace:
  3945. description: The namespace the Provider type is in.
  3946. type: string
  3947. type:
  3948. description: The type of provider to use such as "Secret", or "ConfigMap".
  3949. enum:
  3950. - Secret
  3951. - ConfigMap
  3952. type: string
  3953. required:
  3954. - name
  3955. - type
  3956. type: object
  3957. headers:
  3958. additionalProperties:
  3959. type: string
  3960. description: Headers
  3961. type: object
  3962. method:
  3963. description: Webhook Method
  3964. type: string
  3965. result:
  3966. description: Result formatting
  3967. properties:
  3968. jsonPath:
  3969. description: Json path of return value
  3970. type: string
  3971. type: object
  3972. secrets:
  3973. description: |-
  3974. Secrets to fill in templates
  3975. These secrets will be passed to the templating function as key value pairs under the given name
  3976. items:
  3977. properties:
  3978. name:
  3979. description: Name of this secret in templates
  3980. type: string
  3981. secretRef:
  3982. description: Secret ref to fill in credentials
  3983. properties:
  3984. key:
  3985. description: |-
  3986. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  3987. defaulted, in others it may be required.
  3988. type: string
  3989. name:
  3990. description: The name of the Secret resource being referred to.
  3991. type: string
  3992. namespace:
  3993. description: |-
  3994. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  3995. to the namespace of the referent.
  3996. type: string
  3997. type: object
  3998. required:
  3999. - name
  4000. - secretRef
  4001. type: object
  4002. type: array
  4003. timeout:
  4004. description: Timeout
  4005. type: string
  4006. url:
  4007. description: Webhook url to call
  4008. type: string
  4009. required:
  4010. - result
  4011. - url
  4012. type: object
  4013. yandexcertificatemanager:
  4014. description: YandexCertificateManager configures this store to sync secrets using Yandex Certificate Manager provider
  4015. properties:
  4016. apiEndpoint:
  4017. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4018. type: string
  4019. auth:
  4020. description: Auth defines the information necessary to authenticate against Yandex Certificate Manager
  4021. properties:
  4022. authorizedKeySecretRef:
  4023. description: The authorized key used for authentication
  4024. properties:
  4025. key:
  4026. description: |-
  4027. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4028. defaulted, in others it may be required.
  4029. type: string
  4030. name:
  4031. description: The name of the Secret resource being referred to.
  4032. type: string
  4033. namespace:
  4034. description: |-
  4035. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4036. to the namespace of the referent.
  4037. type: string
  4038. type: object
  4039. type: object
  4040. caProvider:
  4041. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4042. properties:
  4043. certSecretRef:
  4044. description: |-
  4045. A reference to a specific 'key' within a Secret resource,
  4046. In some instances, `key` is a required field.
  4047. properties:
  4048. key:
  4049. description: |-
  4050. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4051. defaulted, in others it may be required.
  4052. type: string
  4053. name:
  4054. description: The name of the Secret resource being referred to.
  4055. type: string
  4056. namespace:
  4057. description: |-
  4058. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4059. to the namespace of the referent.
  4060. type: string
  4061. type: object
  4062. type: object
  4063. required:
  4064. - auth
  4065. type: object
  4066. yandexlockbox:
  4067. description: YandexLockbox configures this store to sync secrets using Yandex Lockbox provider
  4068. properties:
  4069. apiEndpoint:
  4070. description: Yandex.Cloud API endpoint (e.g. 'api.cloud.yandex.net:443')
  4071. type: string
  4072. auth:
  4073. description: Auth defines the information necessary to authenticate against Yandex Lockbox
  4074. properties:
  4075. authorizedKeySecretRef:
  4076. description: The authorized key used for authentication
  4077. properties:
  4078. key:
  4079. description: |-
  4080. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4081. defaulted, in others it may be required.
  4082. type: string
  4083. name:
  4084. description: The name of the Secret resource being referred to.
  4085. type: string
  4086. namespace:
  4087. description: |-
  4088. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4089. to the namespace of the referent.
  4090. type: string
  4091. type: object
  4092. type: object
  4093. caProvider:
  4094. description: The provider for the CA bundle to use to validate Yandex.Cloud server certificate.
  4095. properties:
  4096. certSecretRef:
  4097. description: |-
  4098. A reference to a specific 'key' within a Secret resource,
  4099. In some instances, `key` is a required field.
  4100. properties:
  4101. key:
  4102. description: |-
  4103. The key of the entry in the Secret resource's `data` field to be used. Some instances of this field may be
  4104. defaulted, in others it may be required.
  4105. type: string
  4106. name:
  4107. description: The name of the Secret resource being referred to.
  4108. type: string
  4109. namespace:
  4110. description: |-
  4111. Namespace of the resource being referred to. Ignored if referent is not cluster-scoped. cluster-scoped defaults
  4112. to the namespace of the referent.
  4113. type: string
  4114. type: object
  4115. type: object
  4116. required:
  4117. - auth
  4118. type: object
  4119. type: object
  4120. refreshInterval:
  4121. description: Used to configure store refresh interval in seconds. Empty or 0 will default to the controller config.
  4122. type: integer
  4123. retrySettings:
  4124. description: Used to configure http retries if failed
  4125. properties:
  4126. maxRetries:
  4127. format: int32
  4128. type: integer
  4129. retryInterval:
  4130. type: string
  4131. type: object
  4132. required:
  4133. - provider
  4134. type: object
  4135. status:
  4136. description: SecretStoreStatus defines the observed state of the SecretStore.
  4137. properties:
  4138. capabilities:
  4139. description: SecretStoreCapabilities defines the possible operations a SecretStore can do.
  4140. type: string
  4141. conditions:
  4142. items:
  4143. properties:
  4144. lastTransitionTime:
  4145. format: date-time
  4146. type: string
  4147. message:
  4148. type: string
  4149. reason:
  4150. type: string
  4151. status:
  4152. type: string
  4153. type:
  4154. type: string
  4155. required:
  4156. - status
  4157. - type
  4158. type: object
  4159. type: array
  4160. type: object
  4161. type: object
  4162. served: true
  4163. storage: true
  4164. subresources:
  4165. status: {}